I canceled the OnStar subscription on my new GMC vehicle today after receiving an email from the company about their new terms and conditions. While most people, I imagine, would hit the delete button when receiving something as exciting as new terms and conditions, being the nerd sort, I decided to have a personal drooling session and read it instead. I’m glad I did. OnStar’s latest T&C has some very unsettling updates to it, which include the ability to now collect your GPS location information and speed “for any purpose, at any time”. They also have apparently granted themselves the ability to sell this personal information, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling. This could mean that if you buy a used car with OnStar, or even a new one that already has been activated by the dealer, your location and other information may get tracked by OnStar without your knowledge, even if you’ve never done business with OnStar.
The complete update can be found here. Not surprisingly, I even had to scrub the link as it included my vehicle’s VIN number, to tell OnStar just what customers were actually reading the new terms and conditions.
The first section explains the information that’s collected from the vehicle. No big deal. Sounds rather innocuous and boring. I imagine most people probably drool out and close the window by the time they get this far. Your contact information, billing information, etc. is collected. Nobody cares about tire pressure and crash information being collected – after all, that’s what OnStar is there for. Toward the end, you’ll read about how GPS data is collected, including vehicle speed and seat belt status. Again, in an emergency, this is very useful and most customers want an emergency services business to collect this information – when necessary. And the old 2010 terms and conditions only allowed OnStar to collect this information for legitimate purposes, such as recovering a stolen vehicle, or when needed to provide other OnStar services to customers on demand. As you scroll down the list of information collected, you see that once you get past important emergency services (what we pay OnStar for), OnStar now has given themselves the right to also use this information for seemingly profitable purposes. OnStar has granted themselves the right to collect this information “for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.” – This provides carte blanche authority for OnStar to now track and collect information about your current GPS position and speed any time and anywhere, instead of only in the rare, limited circumstances the old contract outlined.
Anonymized GPS data? There’s no such thing! We’ve all seen this before – anonymized searches, for example, that were not-so-quite anonymized. But in this case, it’s impossible to anonymize GPS data! If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street every single day, its pretty obvious that this is where you live! It’s like trying to say that someone’s Google Map lookup from their home is “anonymized” because it doesn’t have their name on it. It still shows where they live! That can sometimes be even more telling about your identity than your full name. What’s unique even more-so to OnStar is that the data they claim they sell as part of their business model is useless unless it’s specific; that is, not diluted to the nearest 10 mile radius, for example. This combination of analytics, and their prospective customers (law enforcement, marketers, etc) requires the data be disturbingly precise. Anyone armed with Google can easily do a phone book or public records search to find the name and address that resides at any given GPS coordinate.
So the GPS location of your vehicle and your vehicle’s speed are likely going to be collected by OnStar and sold to third parties. What kind of companies are interested in this data? OnStar would have you believe that respectable agencies, like departments of transportation and various law enforcement agencies (for purposes of “public safety or traffic services“). TomTom recently had a run-in with so-called “public safety” and “traffic services” use when their data was used by the police to create a number of speed traps. I can imagine this data COULD be used for good, to create traffic based analytics to improve future road construction or even emergency response. But given that those types of decisions are only made once a decade in most cities, OnStar isn’t likely to benefit much financially from “respectable” companies.
What is more profitable to OnStar that your personal GPS data could be used for? Hmm, well how about the obvious – tracking you and your vehicle. It would be extremely profitable to be able to identify all vehicles within OnStar’s network that frequently speed, and provide law enforcement “traffic services” the ability to trace them back to their homes or businesses, as well as tell them where to set up speed traps. Or perhaps insurance companies who want to check and make sure you’re wearing your seat belt, or automatically give you rate increases if you speed, even if you’re never in an accident? How about identifying all individuals who shop at certain stores, and using that to determine whose back yard to put the next God-awful Wal-Mart store? How about employers who purchase these records from these third parties to see where their employees (or prospective employees) travel to (and how fast), sleaze bag lawyers who want to subpoena these records to use against you if you’re ever sued, government agencies who want to monitor you, marketing firms who want to spam you, and a long list of other not-so-squeaky-clean people who use (and abuse) existing online, credit card, financial, credit, and other analytics to destroy our privacy?
Add to this OnStar’s use policy of your personal information – the stuff that does identify who you are and ties it to your GPS records. While I have no problem using my personal information in events of an emergency, OnStar also uses my information to “allow us, and our affiliates, your Vehicle Maker, and Vehicle dealers, to offer you new or additional products or services; and for other purposes“. So not only is OnStar now able to sell my vehicle’s GPS location data to a number of third parties, but they’re also able to use it and my personal information for marketing purposes. Imagine your personal data being sold to any number of their “affiliates”, and a few months later, you start to receive targeted, location-specific advertising based on where you’ve traveled. Go to Weight Watchers every week? Expect an increase in the amount of weight loss advertising phone calls. Go to the bar frequently? Anticipate a number of sleazy liquor ads to show up in your mailbox. Sneak out to Victoria Secret for something special for your lover? You might soon be inundated with adult advertising in your mailbox.
OnStar’s new T&C continues, explaining that part of the company may at some point be sold, and all of your information with it. It sounds as though OnStar is poising part of their analytics department to be purchased by a large data warehousing or analytics company. Or at least, perhaps they’re throwing the hook out there for anyone interested. Do you trust such companies with unfettered access to the entire GPS history of your vehicle?
This is too shady, especially for a company that you’re supposed to trust your family to. My vehicle’s location is my life, it’s where I go on a daily basis. It’s private. It’s mine. I shouldn’t have to have a company like OnStar steal my personal and private life just to purchase an emergency response service. Taking my private life and selling it to third party advertisers, law enforcement, and God knows who else is morally inept. Shame on you, OnStar, for even giving yourselves the right to do this.
To make matters even more insulting, it was difficult to ensure the data connection was shut down after canceling. I still have no guarantee OnStar did what they were supposed to. I had to request the data connection be shut down repeatedly, after the OnStar rep attempted to leave it on and ignore my requests.
When will our congress pass legislation that stops the American people’s privacy from being raped by large data warehousing interests? Companies like OnStar, Google, Apple, and the other large abusive data warehousing companies desperately need to be investigated.
These terms don’t go into effect until December 2011, and it takes up to 10 days to have the account fully cancel, and another 14 days for the data connection to be shut down… so if you want to get out of these new terms and conditions, you’ll need to do it soon.
Since writing this article, OnStar has reportedly told a few individuals that the contract requires them to obtain the customer’s consent in order to provide this information to anyone. Not true. In fact, the only mention of the word consent in their updated T&C is below:
We will comply with all laws regarding notifying you and obtaining your consent before we collect, use or share information about you or your Vehicle in any other way than has been described in this privacy statement.
Two points to make: first, this clause only applies to collecting and sharing information in any way that is not described in the privacy statement. All of the nefarious uses for your personal data are, quite clearly, described in the privacy statement, and so no consent would be required. Secondly, this paragraph makes it clear that they will only comply with all laws requiring consent, not that they will actually obtain your consent. I’m not a lawyer, but as far as I know, there are no such laws on the books in most (if not all) states that protect the consumer from having their private information shared or sold to third parties, especially when such sharing is disclosed in a contract. In other words, the above paragraph seems to do nothing to require OnStar to obtain your consent to do any of this – and it’s my firm belief that OnStar’s only real interest is in OnStar. If you doubt this, the older version of the terms and conditions had two more consent clauses that are no longer part of the new terms and conditions. The old consent clause is now removed:
In General, we do not share your personal information with third-party marketers, unless we have asked for and obtained your explicit consent.
Of course, we will notify you, and where required, ask for your prior consent if our collection, use, or disclosure of your personal information materially changes.
While I am in no way suggesting OnStar is evil, or would be evil, with this information, lawyers were paid to develop the verbiage that comprised significant enough changes to their privacy statement to issue a new one. As one poster said in a discussion, you don’t create a weapon you don’t intend to use. If OnStar’s verbal claims to the contrary are true, the best thing the company can do for themselves is to reflect these verbal intentions in a less empowering version of their T&C.