“The worst offender was Nissan, Mozilla said. The carmaker’s privacy policy suggests the manufacturer collects information including sexual activity, health diagnosis data, and genetic data, though there’s no details about how exactly that data is gathered. Nissan reserves the right to share and sell “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.”

https://gizmodo.com/mozilla-new-cars-data-privacy-report-1850805416

If You’ve Got a New Car, It’s a Data Privacy Nightmare

Bad news: your car is a spy. Every major car brand's new internet-connected models flunked privacy and security tests conducted by Mozilla.

Gizmodo

@nazgul surely, legally, most, if not all, of that needs consent. So how the hell does that work for passengers, or other people driving than the owner (who may have agreed)?

@revk @nazgul This is mentioned in one of the articles. Nissan puts the task of informing passengers and borrowers about privacy issues on the owner, making them complicit in their abuses.

@reinderdijkhuis @nazgul But if the owner does not, then Nissan would be in breach of GDPR. What do they do - sue the owner for breach of contract when they get charged/fined? Is it a reasonable consumer contract term? And if the owner sells the car, how does the new owner come in to such a deal?

@revk @nazgul I think they were sort of counting on nobody asking these questions until now. From the look of it, it seems they were in breach of the GDPR from the start because most of the stuff they collect has no legitimate purpose. But IANAL and I hope an actual GDPR lawyer will make this their personal project.

@revk @reinderdijkhuis @nazgul

On a more basic level a company saying it "reserves a right to X" if it was never theirs in the first place - I don't accept them self-assigning themselves info about another person by the simple act of writing it into their own policy.

Info beyond that directly related to being able to buy/own/drive a car should be on the company to demonstrate the relevance as well as the permission.

"I'd like to share your info with …"
you'd like to but it isn't a legitimate interest.

@prlzx @revk @reinderdijkhuis @nazgul Unfortunately, "legitimate interest" is so broadly defined in the legislation that someone needs to put up some legal fees and take a gamble that a court will agree that the vendor has failed the balancing tests - it's certainly not a clear-cut thing that you can almost guarantee which way a court will decide.

@revk @reinderdijkhuis @nazgul Given that the car has probably already been purchased by the time the owner is asked to accept the privacy policy (and no doubt they reserve the right to revise the privacy policy at any point in the future), I'd venture that it isn't a valid contract since it was never "freely entered into". That's assuming you can even prove the owner was the one to agree.

But then, these are the same problems as smart TVs, smart speakers, etc.