General Motors' OnStar onboard navigation and emergency system is set to collect drivers' GPS locations and other personal data, even for customers who discontinue the monthly service, a policy change that some see as a gross and unnecessary invasion of privacy.
OnStar, a subsidiary of GM, began emailing customers Monday (Sept. 19) about the updated privacy policy, which gives it the right to collect and share customers' information, including name, address, telephone and email address, billing information (including credit card number), vehicle identification number and make, model and year along with diagnostic information such as tire pressure and odometer readings.
These details, along with the car's GPS coordinates, are collected in the event of an emergency and to improve vehicle maintenance. But OnStar's revised policy grants the company the right to share customers' information with "law enforcement or other public safety officials, credit card processors and/or third parties we contract with who conduct joint marketing initiatives with OnStar," including roadside assistance companies, satellite radio providers and data management companies.
[Hackers' Text Message Unlocks, Starts Car]
The company will continue to collect and share this data on OnStar-equipped vehicles even if the car's owner doesn't sign up for, or cancels, the monthly service. Customers must specifically ask to opt out of the tracking service, Wired reported. The policy is set to go into effect in December.
OnStar informed customers in the notice that it anonymizes drivers' location data as well, and reserves the right to sell that data to third parties "for any purpose."
This is troublesome to security researcher Jonathan Zdziarski, who believes GPS location, even anonymized, contains details that could make pinpointing a person's exact location far too easy.
"It's impossible to anonymize GPS data!" Zdziarski wrote on his personal blog. "If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street, it's pretty obvious that this is where you live!"
Zdziarski added, "It's like trying to say that someone's Google Map lookup from their home is 'anonymized' because it doesn't have their name on it. It still shows where they live!"
As Wired wrote, "Collecting location and speed data via GPS might also create a treasure trove of data that could be used in criminal and civil cases. One could also imagine an eager police chief acquiring the data to issue speeding tickets en masse."
All this stored data would also be valuable to insurance companies seeking to challenge customers' claims. For example, they could see whether a car was speeding, or look for signs of erratic driving.
There's also the issue of data storage, and what could happen if OnStar customers' data fell into the wrong hands.
OnStar writes: "OnStar and its Service Providers may process and store information about you or your Vehicle in the United States, Canada, or other jurisdictions from which the Services or Data Connection will be provided and where the privacy laws may differ from those in the United States. Information may be available to government or its law agencies in the country where the data is processed or stored under a lawful requirement in that country."
Though OnStar said credit and debit card information will be encrypted "When transmitted between your computer and our website servers via the Internet," this isn't exactly a foolproof solution; a digital safe storing millions of credit card numbers is a very attractive target for a cybercriminal.