OnStar recently announced its new Privacy Statement which can be read here. For most people, this is a non-event. If you don’t own an OnStar-equipped General Motors vehicle, you may not have seen anything at all about their latest changes. But it has raised the eyebrows of quite a few people, especially watchdogs in the privacy/security world.
OnStar has been collecting data about its subscriber base since “day 1”. If you have an OnStar-equipped vehicle and you pay your monthly fee, then you get emails reminding you of maintenance schedules and such. Actually this is a very nice service, especially since it will let you know that your left front tire is slightly below the recommended tire pressure. In addition to this service-related data, OnStar also collects Global Positioning System (GPS) data that shows where you are in the event that you place a request for service (where’s the nearest Starbucks?), need driving directions, or are involved in an accident that results in the deployment of one or more airbags. All good stuff.
Now OnStar is changing its policy (effective December 2011) to allow for the collection of this and other GPS-related data (both location and speed), as well as seatbelt usage data, even if you don’t subscribe to the OnStar service. What this means is that unless you physically deactivate your OnStar system (which can be done in different ways), the aforementioned data will continuously be collected by OnStar and used in several different ways.
As one can imagine, this is causing some concerns among the privacy community – especially OnStar’s position on the use of “anonymized data”. OnStar’s new privacy statement states: “We may share or sell anonymized data (including location, speed, and safety belt usage) with third parties for any purpose…” So if the data is anonymized, why should OnStar-equipped vehicle owners be concerned? As forensic scientist Jonathan Zdziarski shares, anonymized data might not be so anonymous.
The backlash from the new privacy statement seems to be centered around two areas. The first is that GM is using this and the other data mentioned above for its own profit. An associate, Gordon Housworth, brought up some interesting points on this subject, which he coined as his new general rule for usage of this type of personal data:
- Those in possession of data — any data, will attempt to monetize it. Full stop.
- Monetization will be resale, internal consumption for competitive advantage, or both.
- Permissions will be forward leaning, i.e., assumed given rather than assumed off.
- Privacy terms will be continuously rewritten to accommodate.
The corollary being:
- All firms will become Facebook in their continuous, shielded intrusion of privacy.
Wow, that last statement is pretty compelling. What it says is that targeted marketing analytics, traditionally viewed as a valid model for radio, TV and the internet, is becoming very invasive: companies will assume by default that they have a right to data about your behavior and habits, and will stop at almost nothing to capture it (or will make it very hard for you to prevent its capture).
The second big concern about the use of this “anonymized” data is that it can eventually be tracked back to you as an individual (according to Mr. Zdziarski) and can be used by insurance companies and law enforcement agencies for purposes for which we would never voluntarily provide such information. I think this is a stretch and may be the view of the minority, but given the notion that there is “money in data”, it is not hard to see how companies such as OnStar and others may see this as a “justifiable” revenue stream.
Odds are that the vast majority of people affected by these changes didn’t even bother to read the notices sent by OnStar. After all, we have a tendency not to read the terms of service and privacy statements when signing up for stuff, and even less so when we get an email about them after the fact. As my good friend Harry Quackenboss offered, “If you can’t tell what the product is, you are the product”. Unless our mindset and practices with respect to privacy and terms of service change, we have nobody to blame but ourselves for the outcomes. Until then, OnStar, Facebook and others will continue to define our behavior, and we will be the product.

Interesting turn of events. OnStar reverses its policy after customer backlash:
“We realize that our proposed amendments did not satisfy our subscribers,” OnStar President Linda Marshall said in a news release. “We listened, we responded and we hope to maintain the trust of our more than 6 million customers.”