AUTOMOBILE MONITORING SERVICE Onstar has changed its terms and conditions to give it the right to pass on information about its customers to law enforcement agencies and others.
The firm, which is part of General Motors, has been sending its customers notification of a change to their T&Cs that one user said includes some "unsettling updates".
"OnStar's latest T&Cs has some very unsettling updates to it, which include the ability to sell your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement," writes hacker, author and scientist Jonathan Zdziarski.
"To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling."
The post was noticed by F-Secure's Mikko Hypponen, who has pegged this as an information disclosure episode to watch. "Tip of the day: follow @OnStar to see how well they are able to do PR damage control. #GPSGate #BringThePopCorn," tweeted the security pro.
Although Onstar has promised that it will sell the data only anonymously, this is perhaps the most controversial part of the arrangement.
"Anonymized GPS data? There's no such thing! We've all seen this before - anonymized searches, for example, that were not-so-quite anonymized. But in this case, it's impossible to anonymize GPS data!" added Zdziarski. "If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street, it's pretty obvious that this is where you live!"
We've seen this before, of course. In April 2011 Tomtom admitted inadvertently giving Dutch police data collected from its devices, which the police then used to set speed traps. It was quite some mistake, and quite the PR disaster.
"It turns out the police have used traffic information that you have helped to create to place speed cameras where the average speed is higher than the legally allowed speed limit. We did not foresee in this type of usage," said the firm in an apologetic blog post.
"TomTom fully understands some of customers do not like this and we will amend the licensing conditions to stop this type of usage in near future."
Onstar has responded to criticism, but merely told users that it was important to inform them about the changes.
"At OnStar, we are sensitive to our customers' privacy and are committed to be transparent in our business practices. Therefore, it was important to us to inform existing subscribers in the United States and Canada of these changes, which will go into effect Dec. 1, 2011," it said, claiming that it would use the extra information to provide better service.
Although it did not comment on selling data to third parties, it did try to explain why it will continue to monitor vehicles even after a customer cancels an agreement with it.
"Some of the key changes made to the Terms and Conditions relate to the provision that, in case a customer chooses to cancel the OnStar Services, we will maintain the two-way connection with the vehicle and may continue to collect data unless instructed otherwise by the customer," it explained.
Onstar will explain further in a webcast set for later this week.