OnStar Begins Spying On Customers’ GPS Location For Profit?

I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, including the ability to collect your GPS location information and speed “for any purpose, at any time”. They have also apparently granted themselves the ability to sell this personal information, and other information, to third parties, including law enforcement. To add insult to a slap in the face, the company insists it will continue collecting and selling this personal information even after you cancel your service, unless you specifically ask that the data connection to the vehicle be shut down after canceling. This could mean that if you buy a used car with OnStar, or even a new one that the dealer has already activated, your location and other information may be tracked by OnStar without your knowledge, even if you’ve never done business with OnStar.

The complete update can be found here. Not surprisingly, I even had to scrub the link, as it included my vehicle’s VIN, telling OnStar exactly which customers were actually reading the new terms and conditions.

The first section explains the information that’s collected from the vehicle. No big deal. It sounds rather innocuous and boring, and I imagine most people glaze over and close the window by the time they get this far. Your contact information, billing information, etc. is collected. Nobody cares about tire pressure and crash information being collected; after all, that’s what OnStar is there for. Toward the end, you’ll read about how GPS data is collected, including vehicle speed and seat belt status. Again, in an emergency this is very useful, and most customers want an emergency services business to collect this information, when necessary. The old 2010 terms and conditions only allowed OnStar to collect this information for legitimate purposes, such as recovering a stolen vehicle, or when needed to provide other OnStar services that customers requested. As you scroll down the list of information collected, you see that once you get past the important emergency services (what we pay OnStar for), OnStar has now given itself the right to use this information for what look like profit-driven purposes as well. OnStar has granted itself the right to collect this information “for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.” This provides carte blanche authority for OnStar to track and collect your current GPS position and speed any time and anywhere, instead of only in the rare, limited circumstances the old contract outlined.

Anonymized GPS data? There’s no such thing! We’ve all seen this before: “anonymized” search logs, for example, that turned out to be not quite so anonymized. But in this case, it’s impossible to anonymize GPS data. If a vehicle is consistently parked at your home overnight, drives down your driveway, and takes the same left or right turn onto your street every single day, it’s pretty obvious that this is where you live. It’s like claiming that someone’s Google Maps lookup from their home is “anonymized” because it doesn’t have their name on it. It still shows where they live, and that can be even more telling about your identity than your full name. What makes OnStar’s case worse is that the data they propose to sell as part of their business model is useless unless it’s precise; that is, not diluted to the nearest 10-mile radius, for example. The combination of the analytics and their prospective customers (law enforcement, marketers, etc.) requires the data to be disturbingly precise. Anyone armed with Google can easily do a phone book or public records search to find the name and address that resides at any given GPS coordinate.
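To make the point above concrete, here is an added example (not code from the original post, and nothing to do with OnStar’s own systems) that takes a pseudonymous GPS trace with no name, VIN or account attached and recovers the owner’s home and workplace simply from where the car sits still overnight and during weekday business hours. The trace, the coordinates and the record format are all constructed for the illustration; the only assumption is that each record carries a timestamp, a position and a speed, which is exactly what the T&C says is collected.

```python
"""Re-identify a pseudonymous vehicle from an "anonymized" GPS trace.

Added illustration, not part of the original post and not OnStar code.
The record format (timestamp, lat, lon, speed_mph) is an assumption and
the sample points are constructed around two made-up Boston-area spots.
"""
from collections import Counter
from datetime import datetime, timedelta
import random

HOME = (42.3601, -71.0589)   # hypothetical home address
WORK = (42.3741, -71.1101)   # hypothetical workplace


def make_trace(days=5, seed=7):
    """Constructed trace: parked at HOME overnight, at WORK on weekdays,
    moving in between. No name, VIN or account id is attached."""
    rng = random.Random(seed)
    start = datetime(2011, 10, 3)            # a Monday
    jitter = lambda: rng.uniform(-0.0003, 0.0003)   # ~30 m of GPS noise
    trace = []
    for d in range(days):
        day = start + timedelta(days=d)
        for hour in range(24):
            t = day + timedelta(hours=hour)
            if hour < 7 or hour >= 19:
                lat, lon, speed = HOME[0] + jitter(), HOME[1] + jitter(), 0.0
            elif hour in (7, 8, 17, 18):    # commuting, somewhere en route
                frac = rng.random()
                lat = HOME[0] + (WORK[0] - HOME[0]) * frac
                lon = HOME[1] + (WORK[1] - HOME[1]) * frac
                speed = rng.uniform(15, 45)
            else:
                lat, lon, speed = WORK[0] + jitter(), WORK[1] + jitter(), 0.0
            trace.append((t, lat, lon, speed))
    return trace


def cell(lat, lon, decimals=3):
    """Snap a fix to a ~100 m grid cell so GPS jitter collapses to one key."""
    return (round(lat, decimals), round(lon, decimals))


def stationary(trace, max_speed=1.0):
    """Only parked samples matter for finding where someone lives or works."""
    return [(t, lat, lon) for t, lat, lon, s in trace if s <= max_speed]


def top_cell(samples, hours, weekdays_only=False):
    """Most-occupied cell during `hours`: (cell, sample_count, distinct_days)."""
    counts, days = Counter(), {}
    for t, lat, lon in samples:
        if t.hour not in hours or (weekdays_only and t.weekday() >= 5):
            continue
        c = cell(lat, lon)
        counts[c] += 1
        days.setdefault(c, set()).add(t.date())
    if not counts:
        return None, 0, 0
    c, n = counts.most_common(1)[0]
    return c, n, len(days[c])


def infer_home(trace):
    """Home is wherever the car sits between 22:00 and 05:59, most nights."""
    return top_cell(stationary(trace), hours=set(range(22, 24)) | set(range(0, 6)))


def infer_workplace(trace, home):
    """Workplace is the weekday 09:00-16:59 parking spot that is not home."""
    samples = [s for s in stationary(trace) if cell(s[1], s[2]) != home]
    return top_cell(samples, hours=set(range(9, 17)), weekdays_only=True)


def speeding_samples(trace, limit_mph=35):
    """Speed readings over the limit; paired with the home cell, a buyer of
    the data has a list of addresses to visit."""
    return [(t, s) for t, lat, lon, s in trace if s > limit_mph]


if __name__ == "__main__":
    trace = make_trace()
    home, n_home, nights = infer_home(trace)
    work, n_work, wdays = infer_workplace(trace, home)
    print(f"home cell {home}: {n_home} overnight samples on {nights} nights")
    print(f"work cell {work}: {n_work} weekday samples on {wdays} days")
    print(f"{len(speeding_samples(trace))} samples above 35 mph")
```

Nothing here is clever: a frequency count over parked samples in two time windows is enough, and the “distinct nights” figure tells the analyst how confident to be. Coarsening the coordinates would defeat it, but, as the paragraph above notes, coarse data is exactly what the prospective buyers do not want.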

So the GPS location of your vehicle and your vehicle’s speed are likely going to be collected by OnStar and sold to third parties. What kind of companies are interested in this data? OnStar would have you believe that the buyers are respectable agencies, like departments of transportation and various law enforcement agencies (for purposes of “public safety or traffic services”). TomTom recently had a run-in with so-called “public safety” and “traffic services” use when their data was used by the police to set up a number of speed traps. I can imagine this data COULD be used for good, to create traffic-based analytics to improve future road construction or even emergency response. But given that those types of decisions are only made once a decade in most cities, OnStar isn’t likely to benefit much financially from “respectable” customers.

What could your personal GPS data be used for that would be more profitable to OnStar? Hmm, well, how about the obvious: tracking you and your vehicle. It would be extremely profitable to identify all vehicles within OnStar’s network that frequently speed, and to give law enforcement “traffic services” the ability to trace them back to their homes or businesses, as well as tell them where to set up speed traps. Or perhaps insurance companies who want to check that you’re wearing your seat belt, or automatically raise your rates if you speed, even if you’re never in an accident? How about identifying everyone who shops at certain stores, and using that to decide whose back yard gets the next God-awful Wal-Mart? How about employers who buy these records from third parties to see where their employees (or prospective employees) travel (and how fast), sleazebag lawyers who subpoena these records to use against you if you’re ever sued, government agencies who want to monitor you, marketing firms who want to spam you, and the long list of other not-so-squeaky-clean people who already use (and abuse) online, credit card, financial, credit, and other analytics to destroy our privacy?

Add to this OnStar’s use policy for your personal information, the stuff that does identify who you are and ties it to your GPS records. While I have no problem with my personal information being used in an emergency, OnStar also uses my information to “allow us, and our affiliates, your Vehicle Maker, and Vehicle dealers, to offer you new or additional products or services; and for other purposes”. So not only is OnStar now able to sell my vehicle’s GPS location data to a number of third parties, they’re also able to use it, and my personal information, for marketing purposes. Imagine your personal data being sold to any number of their “affiliates”, and a few months later you start to receive targeted, location-specific advertising based on where you’ve traveled. Go to Weight Watchers every week? Expect an increase in weight loss advertising phone calls. Go to the bar frequently? Anticipate a number of sleazy liquor ads showing up in your mailbox. Sneak out to Victoria’s Secret for something special for your lover? You might soon be inundated with adult advertising in your mailbox.

OnStar’s new T&C continues, explaining that part of the company may at some point be sold, and all of your information with it. It sounds as though OnStar is positioning part of its analytics department to be purchased by a large data warehousing or analytics company. Or at least, perhaps they’re throwing the hook out there for anyone interested. Do you trust such companies with unfettered access to the entire GPS history of your vehicle?

This is too shady, especially for a company that you’re supposed to trust your family to. My vehicle’s location is my life; it’s where I go on a daily basis. It’s private. It’s mine. I shouldn’t have to let a company like OnStar take my personal and private life just to purchase an emergency response service. Taking my private life and selling it to third-party advertisers, law enforcement, and God knows who else is morally bankrupt. Shame on you, OnStar, for even giving yourselves the right to do this.

To make matters even more insulting, it was difficult to ensure the data connection was shut down after canceling. I still have no guarantee OnStar did what they were supposed to. I had to request the data connection be shut down repeatedly, after the OnStar rep attempted to leave it on and ignore my requests.

When will Congress pass legislation that stops the American people’s privacy from being raped by large data warehousing interests? Companies like OnStar, Google, Apple, and the other large, abusive data warehousing companies desperately need to be investigated.

These terms don’t go into effect until December 2011, and it takes up to 10 days to have the account fully cancel, and another 14 days for the data connection to be shut down… so if you want to get out of these new terms and conditions, you’ll need to do it soon.


Update:

Since writing this article, OnStar has reportedly told a few individuals that the contract requires them to obtain the customer’s consent in order to provide this information to anyone. Not true. In fact, the only mention of the word “consent” in their updated T&C is below:

We will comply with all laws regarding notifying you and obtaining your consent before we collect, use or share information about you or your Vehicle in any other way than has been described in this privacy statement.

Two points to make. First, this clause only applies to collecting and sharing information in ways that are not described in the privacy statement. All of the nefarious uses for your personal data are, quite clearly, described in the privacy statement, and so no consent would be required. Second, this paragraph makes it clear that they will only comply with laws requiring consent, not that they will actually obtain your consent. I’m not a lawyer, but as far as I know, there are no such laws on the books in most (if not all) states that protect the consumer from having their private information shared or sold to third parties, especially when such sharing is disclosed in a contract. In other words, the above paragraph seems to do nothing to require OnStar to obtain your consent for any of this, and it’s my firm belief that OnStar’s only real interest is OnStar. If you doubt this, the older version of the terms and conditions had two more consent clauses that are no longer part of the new terms and conditions.

Old Consent Clauses – Now Removed:

In General, we do not share your personal information with third-party marketers, unless we have asked for and obtained your explicit consent.

Of course, we will notify you, and where required, ask for your prior consent if our collection, use, or disclosure of your personal information materially changes.

While I am in no way suggesting OnStar is evil, or would be evil, with this information, lawyers were paid to develop the verbiage that comprised changes significant enough to their privacy statement to issue a new one. As one poster said in a discussion, you don’t create a weapon you don’t intend to use. If OnStar’s verbal claims to the contrary are true, the best thing the company can do for itself is to reflect those verbal intentions in a less empowering version of its T&C.

About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and hacker. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski
This entry was posted in Politics, Security.

17 Responses to OnStar Begins Spying On Customers’ GPS Location For Profit?

  1. carterson2 says:

    If you would like, we could work on a gps-off button. I think people would buy that. It would let them feel disconnected without having to maim the antenna…

    When companies act like this, they are looking to get sold. You are right on that.

    Jim Pruett, Director
    WikiSPEEDia.org
    A TN Charity

  2. AdamDenison says:

    Hi Jonathan,

    Sorry to hear you canceled your OnStar subscription.

    Just to clarify, we will not continuously monitor or track the location of people’s vehicles nor will we be collecting any data about them or their vehicle. OnStar will provide you with prior notice if we plan to collect data from your vehicle, and we will obtain your express consent. OnStar values our subscribers’ privacy. We understand your need to protect your information.

    We strive to provide all the information in a clear and conspicuous manner in the Terms and Conditions. However, if you have additional questions please feel free to contact our Privacy Manager at [email protected] or 1.877.299.1372.

    Adam Denison
    OnStar Communications

  3. gannas says:

    A few years back we bought our first GM vehicle with On Star. When I got it home I pulled the fuse for the system. A few weeks later I found the antenna connection location online and disconnected the antenna from the system entirely. Since this was an older model On Star system (2003) I was also able to disconnect power to the GPS unit since it was a separate box.

    If you don’t have a dedicated fuse for the On Star radio (ours was 5A and clearly labeled) there are usually guides online for major models that outline where the antenna connection is made to the system. If you are an intrepid owner or have a shop/friend you trust you can disconnect the On Star system from the antenna mast and disable the GPS.

    I like to believe that I am just being paranoid, and that these steps were unwarranted. However, as the years tick by I see more evidence that it was a prudent move.

  4. nickganga says:

    It’s super easy to truly prevent this from happening to your vehicle, just remove the telematics unit. In the Envoy/Trailblazer/etc. platform, the Onstar Telematics unit is located under the second row folding seats, under a plastic cover. Simply pop the cover off and disconnect the system from the vehicle. Pretty easy to spot, just look for the coaxial antenna cables and disconnect everything going to that box!

    Obviously you’ll lose your OnStar capabilities, but were you really using them anyway?

  5. gmc_gps says:

    It’s interesting, my company is also GMC, but we will not spy On Customers’ GPS Location For Profit ^_^

  6. Thinkerer says:

    Per @nickganga, this screams for general/open source modding. Imagine what mayhem would result from junkyard-transmitter GPS data indicating that the vehicle was in Baghdad one day and Omaha the next while the actual vehicle had been reduced to razor blades.

  7. Whatifitistoday says:

    Thanks for this important information. I haven’t had my Onstar hooked up since the first “free” year of use because I had concerns about privacy. Now I realize that I have to disable the system, not just have it unavailable due to lack of payment.

  8. savingpuppies says:

    Thanks for uncovering this information and publishing. I found your blog via Slashdot. One of the largest clients for this personal information that OnStar collects will be the insurance industry. Driving certain routes? at certain times? then you might find they pigeon-hole your lifestyle to a different risk index resulting in your car and health premiums taking a jump, if they decide to insure you at all.

  9. 123Presto says:

    I think the author forgot who owns the company – Uncle Sam. They might, therefore, already have some kind of a claim to the information without your consent.

    Think about this the next time someone gushes out about how wonderful Obamacare is going to be. Worried about them finding out where & how fast you drive? You ain’t seen nothing yet – wait till they get access to your medical records, fanboys.

  10. rms says:

    OnStar works through a cell phone built into the car. Having OnStar turn off your service is not enough to protect your privacy, because the cell phone continues broadcasting signals to the phone company, including GPS information when requested, even when you don’t have OnStar service. To prevent that, you need to deactivate the cell phone — perhaps by cutting its power wires. Is that feasible to do?

  11. texmaster says:

    I for one really appreciate this information. I hope this gets to the national press so OnStar has to rewrite their rules.

    Please keep us updated as I will cancel my service if this goes into effect.

  12. btinchs says:

    This does not surprise me in the least.
    A few months ago I read about GPS units being used to assist Law Enforcement for speed trap locations.
    http://www.thenewspaper.com/news/34/3466.asp
    Beware of the technologies you are trusting, its only going to get more invasive.

  13. becker7991 says:

    Thank you for researching this for us. Could you explain the differences between this and the “gps” that is in a cell phone. Can’t this same information be collected right off of your cell phone: your location, your speed (the change in location over time). Are the cell phone companies any more to be trusted than ONStar?? Your cell phone is just not linked to a specific car. Any comments??

  14. f9pro says:

    It looks like ADAMDENISON needs to read the NEW terms of service where it clearly states:

    “A. We share selected information with the following third parties:
    • roadside assistance providers;
    • emergency Service Providers;
    • law enforcement or other public safety officials;
    • our wireless Service Providers;
    • your satellite radio provider;
    • credit card processors;
    • data management companies; and
    • others as may be required to provide Service, to manage or operate the Data Connection, to protect the safety of you or others, or as required by law.”

    I personally don’t want my information tracked or sold for profit by someone else.

    I TOO CANCELLED MY ONSTAR SUBSCRIPTION AND PER TERMS OF SERVICE REQUESTED THE DATA CONNECTION BE DEACTIVATED WHICH IS REQUIRED TO CEASE TRACKING, SUBSCRIBER OR NOT.

    I can’t help but wonder how many customers Onstar will lose because of such a stupid decision.

  15. ChetZ says:

    I have been buying GM cars since I bought a new ’65 Corvette. My current car has On-Star, which I never continued the subscription for, as where I live (Montana) On-Star service is poor because of either mountains cutting off cell service, or areas of the state just not having cell service. I have been against On-Star for years, mainly because of having to pay (even though it is standard) for something I don’t want. The only reason I bought the car was an $8,000 savings at a year-end model clearance. I long ago removed the antenna, and now will definitely contact On-Star to opt out. Never again will I ever buy another GM vehicle. Talk about an invasion of privacy. One of my hobbies is restoring classic cars. Looks like I’ll be driving a classic for daily use in the future. No unwanted electronics.

  16. jjg1234567890 says:

    “Hi Jonathan,

    Sorry to hear you canceled your OnStar subscription.

    Just to clarify, we will not continuously monitor or track the location of people’s vehicles nor will we be collecting any data about them or their vehicle. OnStar will provide you with prior notice if we plan to collect data from your vehicle, and we will obtain your express consent. OnStar values our subscribers’ privacy. We understand your need to protect your information.

    We strive to provide all the information in a clear and conspicuous manner in the Terms and Conditions. However, if you have additional questions please feel free to contact our Privacy Manager at [email protected] or 1.877.299.1372.

    Adam Denison
    OnStar Communications”

    …so you guys tracked him in the web of cyberspace? Creepy.

  17. hammerbill says:

    Another point that I never see in complaints about Onstar is the initial cost of building in the unit, as well as any free services they give away. Let’s face it: YOU are paying for this unit when you buy the new car, not Onstar! How much does it cost? The unit, the engineering cost of making an indentation in the car and installing it. Then there is the interest on the loan. If, say, the total added costs were even a mere 500 dollars, that is two extra car payments, and interest on a 4-5 year loan on 500 dollars more would be at least 200 or so dollars.
    I consider the Onstar unit in my car to be ugly, especially since it just sits there like a zit not being used. I had to pay all that money to buy this thing that makes me feel uncomfortable as I never really know for sure if it is tracking me or not. I would have to waste countless hours studying its circuitry and reviewing and keeping informed of its privacy policies and I just don’t need that kind of complication in my life. A GPS unit can be purchased and its services are mostly free from then on. It has no transmitter and can be moved from car to car on the fly.
    Statistically speaking, the chances of most people going off road unspotted and unable to call for help are so ridiculously low that Onstar’s selling point is borderline absurd. Surely if I were called paranoid for not wanting to be tracked but a subscriber were not called paranoid for being afraid of this one-in-a-million chance occurrence then someone needs to get a grip on perspective. Perhaps they could increase subscribers by providing meteorite detection technologies.
