How GM Tricked Millions of Drivers Into Being Spied On

General Motors (GM) has been selling data about the driving behavior of millions of people to insurance companies, leading to higher premiums for some drivers, according to a recent investigation. The affected drivers were not informed about the tracking, which was carried out through GM's OnStar connected services plan and the Smart Driver program. The New York Times reporter who broke the story discovered that her own driving data had been shared with data brokers working with the insurance industry, despite not being enrolled in the program. GM has since discontinued the Smart Driver product and stopped sharing data with LexisNexis and Verisk, following customer feedback and federal lawsuits filed by drivers across the country.

Paywall

[RitchCraft]

No paywall or it didn't happen.

Re:

[colonslash]

Is that the new tits or GTFO?

Re:Paywall

[Gravis Zero]

No paywall here: https://archive.is/5Y7DF [archive.is]

Lack of regulation, that is how

[sinij]

What they did was not illegal, and fine print at the bottom on TL;DR user agreement is what legally constitutes informed consent.

Re:Lack of regulation, that is how

[gweihir]

In Europe, this is illegal to do under the GDPR and would land them in very hot water. And "fine print" does not create "informed consent" here either.

Re:Lack of regulation, that is how

[Big Hairy Gorilla]

Do they sell Japanese cars in Europe?
https://www.nissanusa.com/privacy.html
I'm guessing they do.
Nissan Connect Terms of Service is a real eye opener. (pdf file, see if you can find it)

Ok, I admit that is to Nissan USA... and this amounts to a single anecdotal source.... But I'm not expecting it to different, in EU, nor am I expecting that any other company won't make same claims to your data. You don't actually own a car anymore, you really just have a licence to drive it, afaict. Hey! Nobody seems to be paying attention, so ... just do like Google and say right up front, we own your data.

I think this is the key: Go ahead, try to stop me.

I've made a little hobby out of reading TOS's. Needless to say, it's horrifying to see, essentially, every and all service provider claim they own your data. OWN... and claim unrestricted copyrights. There are minor variations, and often, like Apple, they just buzzword the legal terms up to a maximum level, so, you really don't know what it really means. Usually, it comes down to you knowing or not knowing that to operate legally in {country:USA, China, etc} you must offer the local law enforcement access to the data. So cars are basically just cellphones with wheels that collect .... LOTS and LOTS of really valuable data.

Find a good mechanic and keep your 10 year old car until it's illegal.

Re:

[HiThere]

That was the reason I switched to Linux. Of course, I could have switched to BSD, but Debian potato was easier to install.

Re:

[gweihir]

I expect Nissan USA has quite different conditions than Nissan Europe.

Re:

[geekmux]

I expect Nissan USA has quite different conditions than Nissan Europe.

I more expect Nissan to have different car models entirely outside of the US. As many makers do.

Car companies are notorious for not spending for an extra screw on the assembly line if they can prove that penny savings per unit is cheaper than any lawsuit that could come from not having that extra screw. They’re not just gonna install all that fancy-yet-legal American tech on their GDPR-certified cars and simply leave it disabled while eating all the cost.

Re:

[gweihir]

Quite possibly. Cars are large enough investments that some customization is already baked into the manufacturing process.

Re:

[Big Hairy Gorilla]

There are lots of minor variations and regional parts sourcing. And the regulations will be worded somewhat differently. I think we're living in a "catch me if you can" type of world... there's really nothing they aren't claiming ownership of. Credit card number happens to be listed in as being captured .. Sure no problem? The cell phone companies, Apple, Google, the hardware people are in a very good position to collect ie. system level. GMS. The Samsung phones are full of gata gathering mechanisms... apps

Re:

[mjwx]

I expect Nissan USA has quite different conditions than Nissan Europe.

Different software, even different cars.

Nissan is also, not that popular in Europe. Especially since they got rid of their decent cars like the Lancer EVO and just started selling hideous SUVs like the Juke. Europe makes it's own hideous cars (see: Fiat Multipla). Pretty sure the Juke isn't even sold in the US.

Re:

[geekmux]

Nobody seems to be paying attention, so ... just do like Google and say right up front, we own your data. I think this is the key: Go ahead, try to stop me.

I find it quite funny that you chose Nissan as your example of can’t-touch-this corporate arrogance, since there’s a valid reason they were forced to add “usa” to the end of “nissan” in their domain name. Mr. Uzi Nissan made quite the effort to ultimately prove what ownership means to corporations who assume.

Re:

[Big Hairy Gorilla]

by no means am I picking on Nissan, it just happened to be a weblink I kept as an example. The Korean stuff like the high end sedans... Genesis?... They also assume rights to your political opinions, sexual habits and preferences, they know if you're doing the deed in the backseat.. weight sensors... so from what I can see ALL companies are doing this. It's not that hard to do. Grocery stores, drugstores, Couch Tard, slap a bit of boilerplate legal stuff in your TOS and you're now in the data gathering busi

Re:Lack of regulation, that is how

[JustNiz]

Welcome to the so-called "land of the free (TM)".
Big businesses in the US can get away with just about anything because the politicians are blatantly for sale to the highest bidder here.
You should see the shit they still allow in our food, and how much we have to pay for medicine and medical care compared to the EU.

Re:

[strikethree]

You should see the shit they still allow in our food

More specifically, do not look up "fillers". Oh my god.

Re:

[bugs2squash]

I need to get my bank to include some Ts and Cs of my own on each automatic payment.

Maybe "by accepting this payment you agree not to be a douche..."

Re:Lack of regulation, that is how

[fropenn]

Except in many instances the salesperson clicked "accept", rather than the buyer of the car.

Buyers were also not aware of the depth of the tracking and how it would dramatically affect their insurance rates.

That's not consent.

Re:

[ThurstonMoore]

The last time I bought a car the "paperwork" was on an iPad. The signature box was in the middle of the screen and covered up what I was signing.

Re:

[Linux Torvalds]

Fortunately you walked out of the dealership at that point, right?

Re:

[sinij]

That's not consent.

I fully agree. My point was that we need legislation to make it harder to do something like this.

Re:

[strikethree]

Buyers were also not aware of the depth of the tracking and how it would dramatically affect their insurance rates.

You are correct; however, a little skepticism goes a long way. Asking questions like: Why does my car need a constant Internet connection? What data is being passed through that connection? Why are you collecting all of this "telemetry" data? What do you intend to do with that data?

Of course, none of the sales people would offer real answers, so at that point, cycnicism should have set in. Duh, of fucking COURSE they were going to sell all of that data. It was NEVER in question. They are doing even worse th

Re:Lack of regulation, that is how

[fahrbot-bot]

What they did was not illegal, and fine print at the bottom on TL;DR user agreement is what legally constitutes informed consent.

TFA notes that, in some (many?) cases, the sales agent at the dealership was signing customers up for services during the vehicle sale, despite GM policy that the customer must do this themselves, w/o telling the customer exactly what was done.

According to G.M., our car was enrolled in Smart Driver when we bought it at a Chevrolet dealership in New York, during the flurry of document-signing that accompanies the purchase of a new vehicle.

I called our dealership, a franchise of General Motors, and talked to the salesman who had sold us the car. He confirmed that he had enrolled us for OnStar, noting that his pay is docked if he fails to do so. He said that was a mandate from G.M., which sends the dealership a report card each month tracking the percentage of sign-ups.

G.M. doesn’t just want dealers selling cars; it wants them selling connected cars.

[A] G.M. spokeswoman, said that dealers are not permitted to sign customers up and that the customer must be the one to accept the terms. At my request, she provided the series of screens that dealers are instructed to show customers during the enrollment for OnStar and Smart Driver. There is a message at the top of each screen: “The customer must personally review and accept (or decline) the terms below. This action is legally binding and cannot be done by dealer personnel.”

What I can say is that, regardless of who pushed the consent button, this screen about enrolling in notifications and Smart Driver doesn’t say anything about risk-profiling or insurance companies.

Re:

[JustNiz]

Yep the way they get around this is to provide you with 6 or 12 months "free" OnStar, whether you want it or not.
Basically your car comes from the dealer preactivated.

Re: Lack of regulation, that is how

[madbrain]

I had free Onstar for 3 years with my 2015 Volt and 2017 Bolt for 1 year. Neither had Smart Driver enabled. I even got the Lexis Nexis report. No driving data there. We still have both cars.

Re:

[JustNiz]

Sorry but I wouldn't believe what LexisNexis claims for a moment. Even if they just know your car's GPS location, (which is always enabled, not just with Smart Driver) they also can extrapolate a whole lot about you, such as where you live, where you go, who you see, what your purchasing habits are, and how you drive.
It's a fact that GM at least have been selling all your data.right up until this year.
https://www.theverge.com/2024/... [theverge.com]

Re:

[madbrain]

The story you linked to does not support your claim that GM sold the data of customers who didn't opt in to Smart Driver.
Of course GM has access to location data, because the car has GPS. So do most cars being sold nowadays of any brand, regardless of Onstar service.
Just because the location data was accessible to GM doesn't mean it was necessarily shared or sold, or even stored.
Many people have requested their LexisNexis report. Plenty are finding a lot of location data. We did not, and I believe this is b

Re:

[JustNiz]

>> The story you linked to does not support your claim that GM sold the data of customers who didn't opt in to Smart Driver.

Even assuming a giant corporation would ignore their legal responsibilities to their shareholders and not automatically capitalize on effectively free money, I for one wouldn't even want GM having that data.

Re:

[madbrain]

They have legal responsibilities to their customers as well, not only to the shareholders. And what they did with the data of those who unknowingly consented has backfired spectacularly. That is not a positive for shareholders. It certainly wasn't free money.
Companies are under no obligation to monetize data they have access to. Some even advertise the fact that they don't - Apple for one, and before you ask, I'm not an Apple fanboy. I don't recall shareholders trying to oust management for not monetizing a

Re:

[msauve]

>fine print at the bottom on TL;DR user agreement is what legally constitutes informed consent.

Exactly how is a consumer bound to a user agreement they haven't signed ("driving data had been shared ... despite not being enrolled in the program.")? And, what about someone who buys a used car? Do you think the manufacturer has some kind of hold over them?

Re:

[cayenne8]

I just assumed that OnStar was being used to track drivers. It's promising to see that after lawsuits that they stopped selling the data to insurance companies, because as life gets more modern and connected, tracking seems inevitable. I'm cynical and I expect, after some lobbying, that the government will mandate sharing of location info.

I'd hope that as part of any settlement, that GM be forced to offer to completely disconnect and disable OnStar upon demand, AND...provide literature on how to do it for

Re:

[ctilsie242]

When I saw OnStar, especially when it was used to disable vehicles for theft, I knew where that was headed. Especially during a recent video where a car owner's vehicle was disabled during a car chase. At the risk of slippery slope arguments, once a vehicle is disabled without an owner's permission, that means the vehicle is effectively not belonging to the owner, and someone else is dictating the terms of the vehicle's use.

One can say, "yes, it stopped a dangerous car chase", but where does this end? So

Nobody was tricked!

[MobyDisk]

Who thought that the tracking device was not being used to track them?!?

how about "selling" instead of "sharing" ?

[shakah]

...discovered that her own driving data had been shared with data brokers working with the insurance industry, despite not being enrolled in the program. GM has since discontinued the Smart Driver product and stopped sharing data with LexisNexis and Verisk

Can we safely replace "sharing" with "selling" ?

Re:

[kackle]

I'm on it...

:s/sharing/s/g
:wq

(Realizes what I did) Aw, dammit.

Re:

[geekmux]

...discovered that her own driving data had been shared with data brokers working with the insurance industry, despite not being enrolled in the program. GM has since discontinued the Smart Driver product and stopped sharing data with LexisNexis and Verisk

Can we safely replace "sharing" with "selling" ?

Sure, but when do you want to replace “credible” with “bullshit”?

Ill believe Nissan “stopped” selling that data when the next class-action lawsuit or two validates it with a nine-figure penalty. Until then, the amount of consumers who don’t read a EULA, remains the same. And therefore so does Nissans capability to abuse.

Re:

[Waccoon]

No. By legal definition, you can't sell something you don't own. If a company collects your data or metrics, they don't own your data, they merely have copies of it.

This is why many EULAs confidently state the company will never "sell" your data, to make you feel more comfortable. Then, they immediately turn around and "share" your data with their business partners in exchange for money. Totally different. Since they're not technically lying, it's totally legit.

OnStar was designed to be evil

[gabrieltss]

OnStar was designed to be evil. I know a guy who helped build it originally and he told me back in the early 90's "NEVER buy a vehicle with OnStar in it. This thing is scary as F!"

Cells

[JBMcB]

This was before everyone was putting a tracking device in their pocket.

Re:

[geekmux]

This was before everyone was putting a tracking device in their pocket.

This was before a planet stopped associating the concept of addiction, with technology.

It’s different now. When everyone is an addict, no one technically is.

You can get away with fucking anything when lawmakers are junkies too.

Re:

[strikethree]

The fact that it can remotely disable the vehicle is a complete violation of a person's free will. Such a device should not be sold in a country that has Freedom as one of its founding principles.

Nothing really to add except

[strike6]

I hope they get burned for as much as allowed by law in these lawsuits.

Re:

[schwit1]

The new-car buyers may be bound by an arbitration clause. Used car buyers maybe also IF they signed up for OnStar.

Re:

[geekmux]

I hope they get burned for as much as allowed by law in these lawsuits.

Lawsuits were a pre-calculated risk when the abuse started. And even by aggressive standards they probably didn’t figure they would get away with it for THIS long, even with adding consumer ignorance into the math. No penalty will even come close to the profits.

On top of all that, this is GM. Those that are Too Big To Fail don’t worry about stupid shit like being “profitable” anymore. Wouldn’t be surprised if taxpayers end up paying for all this. Again.

Re:

[mea_culpa]

We are in the post accountability era now. Nothing is going to happen.

Re:

[strikethree]

I hope they get burned for as much as allowed by law in these lawsuits.

Eh? There will be no burning. The Powers That Be REALLY want this data. TPTB are the ones who do the burning. There is zero chance of any burning here. There is also zero chance that this will stop. It will just be buried and hidden but otherwise fully operational.

And Baron_Yam smiles

[Baron_Yam]

I ripped the OnStar out of my GM as soon as it was in my driveway. Google still tracks my phone and knows way too much about me even after I rooted it and removed a bunch of 'unremoveable,' Google apps, but I'll be damned if I'll give up one more bit of data than I have to in order to get the functionality i want.

It's a car. Get me from a to b safely, that is not only all I ask, it's all I want.

Re:

[JustNiz]

I've seen many posts from people saying that they did that too, then their vehicles started experiencing all sorts of different faults, including some that you would think logically couldn't possibly have anything to do with the lack of OnStar, such as engine warning lights and even the vehicle not starting, Did you experience anything like that?

Re:

[Baron_Yam]

The dash brightness is computer-controlled and flaky, but I really don't think that's due to the OnStar removal. That's it.

But I was worried about issues, so I unplugged it and tested for a while before I actually threw out the unit.

So more proof OnStar sucks? Got it.

[King_TJ]

When I bought my Chevy Bolt, my GM dealer kept harassing me at each visit to get my OnStar activated. They even left a sticky note on my horn when it was in for a recall. I flat out refused, but it's interesting how hard they push for a paid subscription service that should obviously be optional.....

I'm not even sure how that service offers drivers much of anything, these days? The big sales pitch for it used to be its ability to call 911 for you in case of a bad accident where you might be unconscious, or at least where you didn't have your phone handy. All the modern smartphone can do this automatically when they detect a large impact, making it unnecessary to pay for some special service to duplicate the functionality. (And if you don't bring your cellphone with you while driving, in 2024, you're really an outlier.... Most people are already relying on it for things like streaming their music in the car or using it for the GPS functionality.)

And yeah, I know OnStar also advertises the ability to track your car down if it's stolen and to even shut it off remotely if needed. But that proposition is disturbing to me, in and of itself. Why give some other entity the ability to do a remote kill of my engine? Who knows how that could go wrong? Seeing what most people do to vehicles they steal, I'd rather they just wreck the thing so my auto insurance will replace it. I don't really WANT it back.

Re:

[Oh really now]

When I bought a Pontiac G8 GT way back in 2009, I refused to activate OnStar. On the drive home I got a welcome call, seems the dealer "did it for me." So I got home, popped the trunk, pushed the retainer clips on the cellular module to drop it down from the package tray, unplugged the harnesses and antennae, and tossed it on the floor of the trunk. Thankfully that year/model didn't loop anything through the module and the only "feature" I lost was bluetooth integration.

Duped again!

[jenningsthecat]

A month ago, almost to the day: https://yro.slashdot.org/story... [slashdot.org]

Obvious

[Currently_Defacating]

Please don't reproduce if you purchased an onStar equipped vehicle and didn't realize it was spying on you.

Not just GM

[bobjr94]

I drove a Escape that said something like... location and data sharing is active you and any passengers will be agreeing to it..... But it wasn't so hidden and popped up when the car was turned on.

OnStar Hacking

[Canberra1]

Use keywords OnStar module hacking. Seriously there should be much much more on this. I would add a relay to present a dummy load on the antenna after disconnection. Worse there seem to be two antenna's. This is a bit rich, considering they wanted to removed AM and hazard alerts. I also like the idea of taking a trace, randomly flipping bits and transmitting garbage to HQ.