Warning: *Privacy Not Included with this product
Buick is an American car brand owned by parent company General Motors. Started back in 1899, Buick was once famous for their wood-paneled station wagons that took families on epic road trips in the 1970s and 80s. Today's Buick models include the Encore, Enclave, and Envista. The myBuick app lets users do remote car things like start and stop, lock and unlock your car, honk the horn, and check and see how much gas you have left in the tank. General Motors and Buick also offer OnStar connected services (OnStar is the OG connected car service, first offered way back in 1996) for things like automatic crash response and stolen vehicle assistance. So, how are Buick, their OnStar connected services, and General Motors at privacy? Not very good, unfortunately.
What could happen if something goes wrong?
If your idea of a good time is to search out and read many, many, many various privacy statements, well, Buick's parent company General Motors' privacy landscape is for you! (At least for folks in the US; you Europeans have it a bit easier.) At least six separate privacy statements for folks in the US was our count. That includes their General Privacy Statement, their OnStar Privacy Statement, their US Connected Services Privacy Statement, their Privacy Statement for Application Services, the OnStar Guardian Privacy Statement, and their California Privacy Statement (which, pro tip for folks who don't read privacy policies for a living: if you only have time to read one privacy statement, read the California one, as California's strong privacy law, known as CCPA, requires companies to disclose more of what they are collecting on you, who they are sharing it with, and for what purposes than anywhere else). Yeesh GM! Maybe take a little of that money you have and build folks a nice, easy to navigate privacy hub. Just a suggestion. (Also, we linked to all these privacy documents below so you don't have to search for them.)
Anyway, after reading through all those lovely privacy statements, what did we learn about GM's privacy? Well, we learned it's not great.
Here's the thing. GM really, really wants you to connect to their cars with your phone and use their connected services. It makes them money, so of course they want that. In fact, earlier in 2023 they started adding $1,500 onto the sticker price of some GM cars for three years of their OnStar and Connected Services Premium Plan. They call this an "option" on the sticker, but turns out, it's really not much of an option. Car buyers don't have a choice but to pay that $1,500 for the OnStar connected services "option" and even if they choose not to connect and use the OnStar connected service, they still have to pay that $1,500. One article we read called this a "forced option" and well, that doesn't sound like much of an option to us. On top of that, OnStar's privacy policy says they collect a whole lot of personal information and car data on you and use it for things like marketing and more. Even worse, it seems GM and OnStar have a fairly close relationship with law enforcement and government, including the US's ICE (Immigration and Customs Enforcement) agency. It has been reported they turn over location data to law enforcement often.
And GM does say they can collect a whole lot of data on you through your car, the myBuick app, and those OnStar connected services. Their privacy policies say they can collect everything from your name, address, geolocation data, characteristics such as age, race, color, religion, medical conditions, physical or mental disabilities, sex, gender identity, pregnancy, medical conditions, sexual orientation, genetic, physiological, behavioral, and biological characteristics such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data, audio, electronic, visual, thermal, olfactory, or similar information. Sooo much information. And that's just the information they say they might collect about you. Then there's the information they say they can collect on your car and driving habits, including license plate number, vehicle identification number (VIN), geolocation, route history, driving schedule, speed, vehicle direction (heading), audio or video information such as information collected from camera images and sensor data, voice command information, and infotainment (including radio and rear-seat infotainment) system and WiFi data usage. Like we said, sooo much information.
But wait! There's more (there's always more). They add (as nearly all car companies do) that they can take the personal information they collect on you and use it to draw inferences about you "reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, or aptitudes" for things like marketing purposes. Yikes! Do we really need GM drawing inferences about our intelligence and abilities to determine how to market things to us? Sounds like a bad idea.
Another thing that concerns us is the issue of consent. Just when do you consent for GM to collect all this data? Is it when you buy the car (because we're pretty sure no one is reading privacy policies then)? Perhaps when you connect your phone to your car? Yeah, most people probably aren't reading privacy policies then either. We read an article where a GM executive states, "Nothing happens without customer consent." But what does that consent really look like? Remember, it took your intrepid privacy researchers a full day to try and sort through GM's many, many privacy policies. Are consumers really understanding what they sign up for when they buy a car with OnStar or download and connect the app? We'd sure like to see GM (and all car companies) make sure consumers actually understand all the personal information and car data they are collecting and give consumers more ways to opt out, control, and change what data is collected on them from these connected computers on wheels.
And what if you want to get all that data GM has on you deleted? Well, you're probably out of luck. Unless you live somewhere with strong privacy laws like California's CCPA or Europe's GDPR. If you don't live there, you probably won't have much success getting GM to delete your data. In fact, on the myBuick app Google Play Store Data Safety page, they admit, "Data can’t be deleted: The developer doesn't provide a way for you to request that your data be deleted." Not cool GM, not cool.
All this, and GM's track record of protecting and respecting all that personal information isn't exactly spotless (which you kinda want to see when a company collects so much personal information on you). In 2022, GM reported a significant data breach that exposed the personal information, including name, address, saved favorite location, and search and destination information, of some of their customers. So yeah, they collect a ton of data, might not let you delete that data they collect on you, hold onto that data for likely as long as they want, and then might not even do a great job of protecting that data. Nice!
What's the worst that could happen as you drive around in your Buick with OnStar and the myBuick app? Well, based on reports of how OnStar location and other information is shared with law enforcement and government to track people, that gets kinda scary to think about if you live in a US state that bans abortion and wants to track people traveling to other states for their reproductive health care. That's bad. Or if you live in a country where the government could decide they want to track you down for any reason at all. That's also bad. Thinking about the potential for government tracking and controlling of any connected car -- not just GM's -- can get scary fast. Here's hoping regulators step up soon and work to put measures in place to protect people from all this data collection and potential tracking.
Tips to protect yourself
- Opt out of the 'Sale' of your personal information. To do it, visit consumerprivacy.gm.com
- Opt out of the “Sharing” of Your Personal Information for cross-contextual behavior advertising. To do it, visit consumerprivacy.gm.com
- Opt out of Automated Decision-Making Technology. To do it, visit consumerprivacy.gm.com
- Do not give consent to tailored advertisement.
- Opt out from selling of your personal information, as well as from Cross-context Behavioral Advertising.
- Always do a factory reset on your car before selling or trading it away to wipe your data clean and disconnect the app.
- Before reselling your car, make sure to notify the company
- When buying a used car, always make sure the previous owner removed their connected account and performed a factory reset.
- Always use strong passwords and set up two-factor authentication for apps and services that connect to your car
- Only give access to your data to trusted third-parties
- When connecting a mobile app to the car, make sure to minimize the amount of data collected through this app. You can use iOS or Android settings to limit the data collected through your phone.
- Opt out from your mobile device's location sharing.
- Do not use Amazon Alexa in your car if you are concerned about Amazon collecting that voice request information, IP address, and geolocation information and using it to target you with advertising.
Can it snoop on me?
Camera
Device: Yes
App: Yes
Microphone
Device: Yes
App: Yes
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Email
Yes
Phone
Yes
Third-party account
Not applicable
What data does the company collect?
Personal
"Your name, postal address, telephone number, date of birth, e-mail address, screen name, account ID, customer number, login information, demographic data or protected classification information, gender, password, PIN, emergency contact information, information about the acquisition and financing of your vehicle, voice biometric information as described in the Biometric Technology Section below, whether or not you have financed or leased your vehicle, the lease/financing term, and billing information, your credit card number, CVV code and expiration date. We may also collect information related to My Rewards and the My GM Rewards Card Program (“GM Card”) including rewards points, account type, tier status, enrollment, and redemption. In limited circumstances, we may collect a Social Security Number, for example if you win a sweepstakes or receive compensation that must be reported for government tax purposes Vehicle- and driving-related Information: license plate number, vehicle identification number (VIN), mileage, vehicle status (such as oil/battery status, ignition, window, and door/trunk lock status), fuel or charging/discharging history, electrical system function, gear status, battery diagnostic and health, and diagnostic trouble codes, operational and safety related information: such as geolocation, route history, driving schedule, speed, air bag deployments, crash avoidance alerts, impact data, safety system status, breaking and swerving/cornering events, event data recorder (EDR) data, seat belt settings, vehicle direction (heading), audio or video information such as information collected from camera images and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, and infotainment (including radio and rear-seat infotainment) system and WiFi data usage."
Body related
Voice biometric data, voiceprints, physiological or biological characteristics, such as medical information collected to provide OnStar emergency services that you have requested
Social
How does the company use this data?
How can you control your data?
What is the company's known track record of protecting users' data?
In April 2022, GM suffered a credential stuffing attack.
"The personal information of affected customers included first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures and search and destination information. Other information available to hackers included car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords). Apart from resetting their passwords, GM advised affected individuals to request credit reports from their banks and place a security freeze if required."
Child privacy information
Can this product be used offline?
User-friendly privacy information?
Links to privacy information
- Privacy Statement
- Privacy Statement for Application Services
- US Connected Services Privacy Statement
- Privacy Statement for OnStar Guardian
- Privacy Hub for OnStar
- General Motors U.S. Connected Services Privacy Statement
- California Privacy Statement
- Legal Notices, Website Terms of Use, Privacy and Cookie Policy
Does this product meet our Minimum Security Standards?
Encryption
We cannot determine whether all data sitting on the car, including telematic data the car collects as well as data shared when you connect your phone, is stored encrypted, or whether all collected data is encrypted in transit. We reached out to the company multiple times to try to determine this and received no response.
Strong password
Security updates
Manages vulnerabilities
GM runs a bug bounty on HackerOne.
Privacy policy
Is this AI untrustworthy?
What kind of decisions does the AI make about you or for you?
Is the company transparent about how the AI works?
Does the user have control over the AI features?
Dive deeper
- GM calls $1,500 OnStar plan optional — but new car buyers are being forced into it (Detroit Free Press)
- Car buyers balk at monthly fees for add-on features (Axios)
- GM confirms it’s dropping Apple CarPlay and Android Auto from 2024 EVs (Ars Technica)
- GM Confirms It's Making $1500 Option Mandatory on Some New Models (Car and Driver)
- GM Vowed To Make Money Out of Connected Services and It Now Forces OnStar on Its Customers (AutoEvolution)
- This California agency wants to know what happens to all that connected car data (TechCrunch)
- What does your car know about you? We hacked a Chevy to find out. (The Washington Post)
- GM studying artificial intelligence assistant that could answer driver questions (Detroit Free Press)
- General Motors credential stuffing attack exposes car owners info (Bleeping Computer)
- US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners' Personal Info (Infosecurity Magazine)
- Privacy Battles: OnStar Says GM May Record Car's Use, Even if You Cancel Service (ABC News)
- Hackers Accessed Car Owners’ Personal Information in General Motors Credential Stuffing Attack (CPO Magazine)