Amending the ECPA: 2017 technology versus 1986 law

From the about-damned-time department:

TechCrunch recently reported that a long-needed update to the Electronic Communications Privacy Act (ECPA) has passed the House of Representatives, a good sign that the bill may actually be signed into law this year.

Unfortunately, the roadblock to passing this bill in 2016 was that the Senate wanted to water down the bill, crippling the gain in privacy that is the whole reason why the bill exists. It is only common sense, in the era of providers like Gmail offering quotas that are effectively infinite thus allowing people to keep everything, that email is just as protected from warrantless searches as any other personal electronic data.

I can’t think of a good reason why emails over 180 days old should be legally obtainable with just a subpoena instead of an actual warrant. This is one reason I have not kept emails on other servers for anything approaching the 180 days in the ECPA. (Interestingly, the other big reason is space: I currently only have emails going back to 2016 November 22 and later, and I’m at 76% quota used. As much as I get right now, I could not keep 180 days’ worth of email on the server I’m using if I wanted to.)

The ECPA is now over three decades old. Its effective date of 1986 October 21 predates widespread public access to the Internet by almost a full decade. The laws which amended it did nothing to amend the 180 day subpoena rule, which is ass-backwards and patently devoid of sense. Even if it did make sense in late 1986, the world has changed a lot in the three decades since. For example: in 1986 UUCP and FidoNet were the predominant forms of exchanging email (unless one was emailing someone on the same BBS that one was dialed into), and today, both are extinct for practical purposes with the impending death of analog telephone lines (though FidoNet still technically exists, most of its traffic now goes across the Internet). The sooner we can get a law that is tuned to the reality of living in 2017 with a connection to the Internet, the better.

Officer doesn’t like your car? Go to jail, no drugs required

If you were partying hard during the last week of 2013, you may well have missed this story. It’s understandable as I missed it the first time through myself, but it’s fresh enough that I don’t feel terribly awkward doing a post on it.

The Daily Caller reports an Ohio man was arrested not for possessing drugs, but simply for having a car which had been modified to have a compartment which could theoretically store and transport drugs covertly at some future date. Ohio revised section 2923.241 effective 2012 September 28, but only now have they found someone they can charge under the relatively new law.

If this sounds outrageous to you, it should. In essence, it’s a license for Ohio’s law enforcement officers to detain anyone they don’t like if there’s been any modification to the interior of a vehicle at all, maybe even if there hasn’t. John Whitehead, president of the civil liberties group the Rutherford Institute, seems to concur (as quoted in this article on dailyprogress.com):

Although Norman Gurley had no drugs on his person, nor in his car, nor could it be proven that he intended to conceal drugs, he was still arrested for the ‘crime’ of having a hidden compartment in the trunk of his car… This is what a world without the Fourth Amendment looks like.

I’ve spoken many times on the absurdity of drug prohibition. It took almost 14 years for us, as a country, to figure out Prohibition (of alcohol) was a failure (1920 January 17 – 1933 December 5). How long must the so-called “war on drugs” go on before we admit it’s a lost cause and all the “war” has done is make more crime?

GM/OnStar “spy car” T&C update: followup 1

Oh, the things I find out by reading.

The thoughts that I were left with when finishing the earlier post about GM/OnStar were along the lines of “people really should not have to disconnect OnStar to preserve their privacy, there has to be something I am missing”. And in addition to being incorrect about being able to disconnect OnStar by just pulling a fuse (sometimes you disconnect more than just OnStar that way, unless you go straight to the OnStar box and disconnect power there), I also had no idea, until today, that Texas law actually forbids some of what GM is doing.

I was looking up something in the Texas Transportation Code researching an unrelated matter, and happened to notice http://www.statutes.legis.state.tx.us/Docs/TN/htm/TN.547.htm#547.615 entited “Recording Devices” which appears to address services such as OnStar. I have reproduced the section in its entirety below:

Sec. 547.615.  RECORDING DEVICES. (a) In this
section:

(1)  "Owner" means a person who:

(A)  has all the incidents of ownership of a motor
vehicle, including legal title, regardless of
whether the person lends, rents, or creates a
security interest in the vehicle;

(B)  is entitled to possession of a motor vehicle
as a purchaser under a security agreement; or

(C)  is entitled to possession of a motor vehicle
as a lessee under a written lease agreement if the
agreement is for a period of not less than three
months.

(2)  "Recording device" means a feature that is
installed by the manufacturer in a motor vehicle
and that does any of the following for the purpose
of retrieving information from the vehicle after
an accident in which the vehicle has been
involved:

(A)  records the speed and direction the vehicle
is traveling;

(B)  records vehicle location data;

(C)  records steering performance;

(D)  records brake performance, including
information on whether brakes were applied before
an accident;

(E)  records the driver's safety belt status; or

(F)  transmits information concerning the accident
to a central communications system when the
accident occurs.

(b)  A manufacturer of a new motor vehicle that is
sold or leased in this state and that is equipped
with a recording device shall disclose that fact
in the owner's manual of the vehicle.

(c)  Information recorded or transmitted by a
recording device may not be retrieved by a person
other than the owner of the motor vehicle in which
the recording device is installed except:

(1)  on court order;

(2)  with the consent of the owner for any
purpose, including for the purpose of diagnosing,
servicing, or repairing the motor vehicle;

(3)  for the purpose of improving motor vehicle
safety, including for medical research on the
human body's reaction to motor vehicle accidents,
if the identity of the owner or driver of the
vehicle is not disclosed in connection with the
retrieved information; or

(4)  for the purpose of determining the need for
or facilitating emergency medical response in the
event of a motor vehicle accident.

(d)  For information recorded or transmitted by a
recording device described by Subsection
(a)(2)(B), a court order may be obtained only
after a showing that:

(1)  retrieval of the information is necessary to
protect the public safety; or

(2)  the information is evidence of an offense or
constitutes evidence that a particular person
committed an offense.

(e)  For the purposes of Subsection (c)(3):

(1)  disclosure of a motor vehicle's vehicle
identification number with the last six digits
deleted or redacted is not disclosure of the
identity of the owner or driver; and

(2)  retrieved information may be disclosed only:

(A)  for the purposes of motor vehicle safety and
medical research communities to advance the
purposes described in Subsection (c)(3); or

(B)  to a data processor solely for the purposes
described in Subsection (c)(3).

(f)  If a recording device is used as part of a
subscription service, the subscription service
agreement must disclose that the device may record
or transmit information as described by Subsection
(a)(2).  Subsection (c) does not apply to a
subscription service under this subsection.

Added by Acts 2005, 79th Leg., Ch. 910, Sec. 1,
eff. September 1, 2006.

So, according to my interpretation of the law, it would appear that GM/OnStar can’t do what they plan to do with non-subscriber info. It is unfortunate that the law, as written, has a loophole in it that’s (pardon the awful pun) big enough to drive a truck through. Subscribers should be protected from undesired privacy invasion such as that which GM/OnStar is effecting with their change in terms and conditions.

I’d like to know what the official GM/OnStar line is regarding Texas Transportation Code section 547.615. Shouldn’t Federal law also prohibit what GM/OnStar is changing the T&C to allow? I think it should, and I doubt I am the only one.

GM enters the spy car business with OnStar T&C update

In the past I’ve written about some pretty evil things done by large corporations: Google, Apple, Microsoft, AT&T, and a few others. What I read today, though, sets a new low, and from a most unlikely source.

Jonathan Zdziarski recently wrote a piece on GM’s OnStar service and a recent update to its terms and conditions. Jonathan was disturbed, to the point where he immediately canceled his OnStar service. And I don’t blame him; from the looks of it, GM vehicles with OnStar are now spy cars–and I don’t mean the James Bond type, either, I mean the type that spy on you. From the article:

OnStar’s latest T&C has some very unsettling updates to it, which include the ability to sell your personal GPS location information, speed, safety belt usage, and other information to third parties, including law enforcement. To add insult to a slap in the face, the company insists they will continue collecting and selling this personal information even after you cancel your service, unless you specifically shut down the data connection to the vehicle after canceling.
[…]
As you scroll down the list of information collected, you see that once you get past important emergency services (what we pay OnStar for), OnStar now has given themselves the right to also use this information to stuff their pockets. OnStar has granted themselves the right to collect this information “for any purpose, at any time, provided that following collection of such location and speed information identifiable to your Vehicle, it is shared only on an anonymized basis.”

(some emphasis added)

As Jonathan goes on to say, there really is no such thing as anonymized GPS data. It’s a simple matter to find the GPS coordinates where a vehicle is parked at least 12 hours out of the day, and assume that’s probably the owner’s residence. If location is involved at all, the data is not anonymized.

I’m disturbed enough that this data is being shared with law enforcement; if OnStar knows a car regularly exceeds an underposted speed limit by 10 miles per hour or more, and shares that with the cops, that’s problem enough right there. Especially when they know, for example, there are sports car models or high-end luxury vehicle models disregarding the posted limits (i.e. vehicle owners that can definitely afford tickets and are ideal for maximizing revenue). It’d be bad enough if the privacy invasion affected only GM vehicle owners, but the invasion of privacy actually spills over to the rest of us that will never buy another GM vehicle.

Again quoting Jonathan:

This is too shady, especially for a company that you’re supposed to trust your family to. My vehicle’s location is my life, it’s where I go on a daily basis. It’s private. It’s mine. I shouldn’t have to have a company like OnStar steal my personal and private life just to purchase an emergency response service. Taking my private life and selling it to third party advertisers, law enforcement, and God knows who else is morally inept. Shame on you, OnStar. You disgust me.

I couldn’t have said it any better myself.

Particuarly infuriating, is that we, the government, bailed out GM, and they repay our gratitude by doing something that is downright un-American. This country was founded on privacy; see the Fourth and Fifth Amendments to the Constitution (and it’s quite possible other amendments, such as the Ninth and Tenth, apply as well in certain cases). This is a wholesale invasion of our privacy, that has a disastrous effect on all of us, GM customers or not.

I’m horrified. This is inexcusable. Shame on you, GM. I wish you a speedy bankruptcy, this time without a taxpayer bailout.

Action items for my readers:

  • First, be aware of the issue. This affects you if you own, drive, or ride in a GM vehicle with OnStar service, even if the OnStar service is not active, unless the OnStar circuit has been deactivated by pulling the fuse.
  • If you don’t like what GM is doing here, and you own one or more GM vehicles with OnStar capability, cancel the service and remove the OnStar fuse (search in your favorite search engine for “onstar fuse location” followed by the make, model, and model year of your vehicle).
  • If you drive someone else’s GM vehicle with OnStar capability, be aware your privacy basically doesn’t exist if the OnStar circuit is active. Whether or not you pull the OnStar fuse for the time you’re driving the vehicle is your decision; the possible unhappiness of the vehicle’s owner should be weighed against your lack of privacy. Likewise, when you’re done driving that vehicle, put the fuse back in if you took it out (unless the owner instructs you otherwise).
  • Since seat belt information is involved, this technically even affects passengers in a GM vehicle with OnStar capability. Unfortunately, you may not have much choice here, as many state laws now require seat belt usage for all passengers, front seat or otherwise.
  • If you are in the market for a new car, and a GM vehicle was on the list, it’s time to rethink that. It goes without saying I think this is reason enough to disqualify all GM vehicles from consideration.