OnStar Reverses Privacy Decision: Or Did They?

OnStar today announced the reversal of their original decision to keep the customer’s data connection active to their vehicle after canceling service. The verbiage in the press release is ambiguous, however, and raises the question of whether OnStar is going to amend only that specific portion of their new terms and conditions, or whether they’re scrapping their new terms and conditions entirely.

If OnStar is only modifying this portion of their updated terms and conditions, then a major problem still exists: namely, the updated T&C, scheduled to go into effect in December 2011, would still grant OnStar broad new rights to collect GPS positioning information about active customers “for any purpose, at any time”, and would still reserve to OnStar the right to sell access to this data to third parties.

The offending portion of the new terms and conditions adds a new clause where the contract formerly restricted OnStar to collecting this information only when providing specific services, such as emergency response. The new clause dramatically alters when OnStar can collect your GPS data:

for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.

This gives OnStar carte blanche authority to track and collect information about your current GPS position and speed any time and anywhere, instead of only in the rare, limited circumstances the old contract outlined. You can read my previous blog post to gain an understanding of why there is no such thing as truly anonymized GPS data.

I’m glad to see OnStar responding to its customers; however, simply amending their terms and conditions to stop monitoring a vehicle after the user cancels is not enough to restore the level of privacy OnStar customers received prior to these updates. To win back the respect of the many customers who must have canceled over the new terms, OnStar will need to make a full 180 and agree not to collect customer GPS information “for any purpose, at any time”, but only when the customer would expect it to be collected, as the old contract enforced.

About Jonathan Zdziarski

Respected in his community as an iOS forensics expert, Jonathan is a noted security researcher, penetration tester, and hacker. Author of many books ranging from machine learning to iPhone hacking and software development, Jonathan frequently trains many federal and state law enforcement agencies in digital forensic techniques and assists law enforcement and the military in high profile cases. Jonathan is also inventor on several US patent applications, father of DSPAM and other language classification technology, and an App Store developer. All opinions expressed on this website are the author's own. Follow Jonathan on Twitter: @JZdziarski