OnStar Tracks Your Car Even When You Cancel Service


Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service.

OnStar began e-mailing customers Monday about its update to the privacy policy, which grants OnStar the right to sell that GPS-derived data in an anonymized format.

Adam Denison, a spokesman for the General Motors subsidiary, said OnStar does not currently sell customer data, but it reserves that right. He said both the new and old privacy policies allow OnStar to chronicle a vehicle’s every movement and its speed, though it’s not clear where that’s stated in the old policy.

“What’s changed [is that if] you want to cancel your OnStar service, we are going to maintain a two-way connection to your vehicle unless the customer says otherwise,” Denison said in a telephone interview.

The connection will continue, he said, to make it “easier to re-enroll” in the program, which charges plans from $19 to $29 monthly for help with navigation and emergencies. Canceling customers must opt out of the continued surveillance monitoring program, according to the privacy policy.

The privacy changes take effect in December, Denison said, adding that the policy reinforces the company’s right to sell anonymized data.

“We hear from organizations periodically requesting our information,” he said.

He said an example of how the data might be used would be for the Michigan Department of Transportation “to get a feel for traffic usage on a specific section of freeway.” The policy also allows the data to be used for marketing purposes by OnStar and vehicle manufacturers.

Collecting location and speed data via GPS might also create a treasure trove of data that could be used in criminal and civil cases. One could also imagine an eager police chief acquiring the data to issue speeding tickets en masse.

Jonathan Zdziarski, an Ohio forensics scientist, blogged about the new terms Tuesday. In a telephone interview, he said he was canceling his service and making sure he was being disconnected from OnStar’s network.

He said the new privacy policy goes too far.

“They added a bullet point allowing them to collect any data for any purpose,” he said.

Photo: OnStar Command Center in Detroit, Michigan. Associated Press/Gary Malerba

Full Tilt Poker is an Online Ponzi Scheme, Feds Say

Federal prosecutors alleged Tuesday that an online gambling site whose internet domain the United States seized in April was a scam, and executives lined their pockets with millions of dollars purloined from players’ wagering accounts.

“Full Tilt was not a legitimate poker company, but a global Ponzi scheme,” Preet Bharara, the U.S. attorney in Manhattan, said in a statement.

The allegations come five months after Bharara seized the finances and domains of the world’s largest offshore, online gambling sites, including Full Tilt Poker of Ireland. Bharara initially charged Isai Scheinberg, the founder of PokerStars, and Raymond Bitar, the founder of Full Tilt Poker, and nine others of fraudulently scheming to thwart a 2006 anti-gaming law that prohibits U.S. banks from processing internet wagers and payments.

The latest allegations could serve as ammunition against renewed efforts by state and federal lawmakers to legalize online gaming in the United States. One of the reasons it was outlawed in 2006 was the perception that gamblers could be taken to the cleaners by criminal online gaming operations, Patrick Fleming, an attorney for the Poker Players Alliance, said in a July interview.

When the government seized the domains on April 15, tens of thousands of gamblers were frozen out of their accounts. In a deal with federal prosecutors, PokerStars, headquartered in the Isle of Man, is refunding to U.S. gamblers the $120 million they lost when the government seized its U.S. domain.

But Full Tilt Poker had not refunded the $150 million that federal authorities claim is owed to U.S. gamblers, a mystery perhaps solved by the feds’ Ponzi scheme allegations.

All told, according to the government’s complaint, Full Tilt Poker owed $390 million to players worldwide, but had about $60 million in cash. Since 2007, the government claims Full Tilt Poker enriched its board members and owners with $443 million in payouts, while telling players they could withdraw from their accounts at will.

“Not only did the firm orchestrate a massive fraud against the U.S. banking system, as previously alleged, Full Tilt also cheated and abused its own players to the tune of hundreds of millions of dollars,” Bharara said. “Full Tilt insiders lined their own pockets with funds picked from the pockets of their most loyal customers while blithely lying to both players and the public alike about the safety and security of the money deposited with the company.”

The Unlawful Internet Gambling Enforcement Act of 2006 was passed in part to combat terrorism by controlling money laundering. In response to the law, many overseas internet gambling sites blocked access to players in the United States, though others, including PokerStars and Full Tilt Poker, did not. On Black Friday, as April 15 has come to be known in the gambling community, the government blocked the online casinos that did not deny access to players from the United States, seizing their assets in the process.

The government’s Tuesday complaint alleges that Full Tilt Poker’s board members, including Bitar, Howard Lederer, Christopher Ferguson and Rafael Furst, defrauded players to make themselves rich.

Bitar received approximately $41 million, Lederer $42 million, Furst $11.7 million and Ferguson at least $25 million, the government said.

Welcome to ‘Security 101’

When I started working at McAfee, I noticed that many of the terms commonly used here were completely unknown to me. Fortunately I had no problems understanding them, but I’m sure that more than one person has read a McAfee security update and thought “What does this mean?” This question is more likely when a report contains only minimal information, which is never enough to understand what is going on if you don’t already know this issue, and sometimes even when you do know it.

At that point I got the idea of a blog for beginners, for those who are just starting in the security world or whose curiosity or work requires them to pay attention. I offer these lessons as a way to help others understand—with not too technical explanations—the basic concepts used in our updates and reports.

I’ve decided to call these posts Security 101 because I shall focus on the basic definitions in four big topics: Vulnerabilities, Attack Vectors, Malware, and Defense Mechanisms. I’ll cover each topic in a couple to several posts, and I plan to update them twice a month, my workload permitting.

I don’t expect that those who read this blog will become security experts. That takes years of experience to achieve. Just a fair warning.

So, welcome to Security 101, and enjoy the blog! :)