OnStar Tracks Your Car Even When You Cancel Service


Navigation-and-emergency-services company OnStar is notifying its six million account holders that it will keep a complete accounting of the speed and location of OnStar-equipped vehicles, even for drivers who discontinue monthly service.

OnStar began e-mailing customers Monday about its update to the privacy policy, which grants OnStar the right to sell that GPS-derived data in an anonymized format.

Adam Denison, a spokesman for the General Motors subsidiary, said OnStar does not currently sell customer data, but it reserves that right. He said both the new and old privacy policies allow OnStar to chronicle a vehicle’s every movement and its speed, though it’s not clear where that’s stated in the old policy.

“What’s changed [is that if] you want to cancel your OnStar service, we are going to maintain a two-way connection to your vehicle unless the customer says otherwise,” Denison said in a telephone interview.

The connection will continue, he said, to make it “easier to re-enroll” in the program, whose plans cost $19 to $29 monthly for help with navigation and emergencies. Canceling customers must opt out of the continued monitoring program, according to the privacy policy.

The privacy changes take effect in December, Denison said, adding that the policy reinforces the company’s right to sell anonymized data.

“We hear from organizations periodically requesting our information,” he said.

He said an example of how the data might be used would be for the Michigan Department of Transportation “to get a feel for traffic usage on a specific section of freeway.” The policy also allows the data to be used for marketing purposes by OnStar and vehicle manufacturers.

Collecting location and speed data via GPS might also create a treasure trove of data that could be used in criminal and civil cases. One could also imagine an eager police chief acquiring the data to issue speeding tickets en masse.

Jonathan Zdziarski, an Ohio forensics scientist, blogged about the new terms Tuesday. In a telephone interview, he said he was canceling his service and making sure he was being disconnected from OnStar’s network.

He said the new privacy policy goes too far.

“They added a bullet point allowing them to collect any data for any purpose,” he said.


Canada mulls warrantless internet info-gathering powers for police

Yesterday, I wrote up my take on the recent Australian bomb-hoax story, in which a suspect was tracked from Sydney to Kentucky through a mixture of old-fashioned detective legwork and cyberinvestigation.

I suggested that making this sort of investigation as easy as it seems on crass TV cop shows would be a bad idea:

There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort - a due process which means they can't always and immediately get access to anything they want.

And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.

Today, someone pointed out to me the text of Bill C-52, currently under consideration by the Canadian federal parliament.

Amongst the many proposals in this Bill are two specific clauses to reduce the ‘due process’ imposed upon Canadian law enforcers when they wish to acquire information about internet subscribers from Canadian ISPs.

This information includes:

any information in the service provider's possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider's telecommunications services and the Internet protocol (IP) address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber's service and equipment.

The first sort of investigator authorised to acquire this information merely by asking (actually, the second listed in the Bill, as it is a special exception to the main proposal) is, broadly speaking, any police officer.

But there are restrictions on this power which make it much less unreasonable than it sounds. It is for “exceptional circumstances only”, and it applies only if:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

You can probably quickly think up a number of scenarios in which this regulation might be a lifesaver. And the Bill requires any police officer who takes advantage of these special powers to declare that he has done so to a superior, who is, in turn, required to re-confirm the request with the service provider. So there is at least some bilateral oversight involved.

Of greater interest to privacy advocates, however, is the proposal in the Bill that each law enforcement agency would be able to designate up to five percent of its staff to request precisely the same information pretty much at will, about any subscriber.

This makes ‘fishing expeditions’ possible. The Bill doesn’t appear to place any limit, other than perhaps common sense, on the number of subscribers whose data can be sucked from an ISP at any time.

The Bill doesn’t even seem to propose that the requests be based on any sort of specific identifier, such as a name or an email address.

This suggests, in the worst case, that an ISP might be compelled simply to hand over information about all subscribers. No warrant needed, and thus no proactive oversight by the judiciary.

I’ll leave it to the Canadian legislature to debate whether this is really a change which Canada needs; to Canadian privacy advocates to argue the pros and cons as visibly as they can (I’m OK with legal street protests, but no Anonymous-style ‘hacking’, please!); and to the voters to make amends next time if the Bill passes but is deemed a step too far.

My concerns go beyond just those about our right to be free, as far as possible, from surveillance and intrusion by law enforcement. I’m just as worried about the safety of having information about our internet identities routinely duplicated into multiple databases.

If you are Canadian, I urge you to oppose Bill C-52 as a matter of public safety, at least until you can be sure that every agency and every officer who might request information about your internet identity will protect it at least as well as your ISP.

Recent data breaches and data leakages haven’t just been happening to commercial organisations, but to law enforcement, too.

(Global examples of law enforcement security lapses include San Francisco, Arizona and Manchester, UK.)

The more people who acquire and store your Personally Identifiable Information (PII), the more points of security failure, and thus the more likely it will end up in the hands of cybercriminals.

So if law enforcement in your country wants to become more aggressive at acquiring your PII, I think it ought first to show you that it sets unstinting standards for protecting it. For example, any police force which lets its officers use unencrypted laptops in the field ought, ipso facto, to be disqualified from collecting information about you other than in the most exceptional circumstances.

And please note that I didn’t make that last remark because I work for a company that has a range of encryption products to sell. Actually, it’s the other way around. I work for such a company because I believe that privacy and security are incredibly important.

Work E-Mail Not Protected by Attorney-Client Privilege, Court Says

E-mails between a client and attorney are no longer considered privileged and confidential if the client writes the messages from a work e-mail account, a California court of appeals has ruled.

The 3-0 decision Thursday by the Sacramento Third Appellate District means that if you intend to sue your employer, don’t discuss the suit with an attorney using company e-mail. The company has a right to access it and use it against you in a court.

“… [T]he e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard,” the court wrote.

Case law on electronic privacy in the workplace is slowly evolving, and not always for the best.

The U.S. Supreme Court in July ruled that a police officer’s texts on department pagers were not private. But that ruling was based on grounds other than the Ontario Police Department’s policy that said text messages on work pagers were not private.

The New Jersey Supreme Court said e-mail messages on a personal web-based e-mail account accessed from an employer’s computer were private. But that decision was contingent on the fact that use of such an account was not clearly covered by the company’s policy, and the e-mails in question contained a standard warning that the communications were personal, confidential, attorney-client communications.

In this most recent California appeals case, a secretary claimed her small-business employer became hostile when it found out she was pregnant shortly after being hired in 2004.

The company, Petrovich Development of Sacramento, California, introduced the e-mail at trial “to show Holmes did not suffer severe emotional distress, was only frustrated and annoyed, and filed the action at the urging of her attorney,” the court noted. On appeal, Holmes claimed the lower courts erred in allowing the e-mail into the case, which the developer had won.

The appeals court said Gina Holmes’ e-mails to her lawyer were not confidential because her employer had a written policy that company e-mail was not private and subject to audit.

The court said Holmes “used her employer’s company e-mail account after being warned that it was to be used only for company business, that e-mails were not private, and that the company would randomly and periodically monitor its technology resources to ensure compliance with the policy.”


Security Researcher, Cybercrime Foe Goes Missing

A well-known security researcher and cybercrime foe appears to have gone missing in Bulgaria and is feared harmed, according to a news organization that hosts a blog the researcher co-writes.

Bulgarian researcher Dancho Danchev, who writes for ZDNet’s Zero Day blog, is an independent security consultant who’s garnered the enmity of cybercriminals for his work tracking and exposing their malicious activity. He has often provided insightful analysis of East European criminal activity and online scams.

His last blog entry was a compilation of his research into the cyberjihad activity of terrorist groups. He was also particularly focused on monitoring the group believed to be behind the Koobface worm, which targets users of Facebook and other social networking sites.

Danchev has reportedly been missing since at least September, when he sent a mysterious letter to a friend in the malware-research community revealing concerns that his apartment was being bugged by Bulgarian law enforcement and intelligence services.

The letter, sent to the friend as “insurance in case things get ugly,” included photos that Danchev purportedly took of a device that he believed was planted in his bathroom by government agents to monitor him. The device appears to be a transformer.

The letter said:

I’m attaching you photos of the “current situation in my bathroom”, courtesy of Bulgarian Law enforcement+intell services who’ve been building a case trying to damage my reputation, for 1.5 years due to my clear pro-Western views+the fact that a few months ago, the FBI Attache in Sofia, Bulgaria recommended me as an expert to Bulgarian CERT -> clearly you can see how they say “You’re Welcome”.

ZDNet, which has been trying unsuccessfully to contact Danchev since August, published the letter and photos Friday in the hope that someone with information about Danchev’s whereabouts would come forward.

ZDNet blogger Ryan Naraine, who blogs at Zero Day with Danchev, reported that Danchev had contributed his last blog entry Aug. 18 and that his personal blog was last updated Sept. 11. The letter Danchev apparently sent to his friend about the surveillance on him was received Sept. 9.

Subsequent attempts to contact Danchev by phone, e-mail and postal mail have been unsuccessful, ZDNet reports. A knock on the door at his residence in Bulgaria also went unanswered.

“Last month, we finally got a mysterious message from a local source in Bulgaria that ‘Dancho’s alive but he’s in a lot of trouble,’” Naraine wrote. “We were told that he’s in the kind of trouble to keep him away from a computer and telephone, so it would be impossible to make contact with him.”

Naraine told Threat Level that Danchev was an active participant on a mailing list where ZDNet’s bloggers discuss their stories and would generally contact editors and fellow bloggers once a week to let them know what he was working on. That communication stopped in August. Naraine said that he also hasn’t seen Danchev logged into his Skype, Google Talk or instant messaging account for months.

“I’ve been hearing from a lot of people on private lists saying that Dancho is alive,” Naraine said. “But no one can say where he is or why he has disappeared off the grid. He was not the kind of guy to just disappear.”