The scary part is not the GPS installed by the fleet company that previously owned the car, which in all likelihood was just forgotten there, but the GPS and eSIM that comes with most (all?) new cars and that in most (all?) new cars cannot be disabled.
Apart from privacy concerns of your data being used or sold by the car vendor, government outreach is also a concern. There was a bill announced in the US for all new cars to be equipped with "driver impairment" tech which was called a "kill switch". Media rushed to say it's not really a kill switch, just "sensors or cameras to monitor the driver’s behaviors, head or eye movements" and "block the driver from operating the vehicle". So... a kill switch. https://apnews.com/article/fact-checking-402773429497
Anyway, I'm staying with my old gas Honda until it dies which is probably never with proper maintenance and eventually restoration. I'll never go electric. Modern cars are just smartphones on wheels at this point, and smartphones are just spying devices at this point.
I'm with you here. I have an 89 BMW (which is old enough to have an actual servo motor attached to the intake manifold for cruise control) and an 83 Land Cruiser (whose most advanced feature is that it controls its emissions using vacuum controlled pneumatic circuitry).
I'm very glad I've put in the time to learn how to work on cars because I have zero interest in the tech direction of modern vehicles.
Electric cars are essentially black boxes. When you take it apart, you have largely no idea what any of the chips do, even if you chase down what they're connected to. Is this the infotainment system or is it the infotainment system and a data gathering system that sends all my data off seas? There's no way to know. Old cars don't have that problem. Here's an engine, here's a gearbox, add a radio if you'd like, but by and large it's possible to grok what's in your car. With newer vehicles in general, and electric cars especially, it's near impossible to tell.
> “can I get free data from the SIM card embedded in the device that I now technically own?”
That seems like the next-most-interesting question now that you've determined what the device is. Possibly followed closely by "can I use that free-to-me data in a fun way that might teach the people who installed the SIM to deactivate their devices when they sell them?"
i.e. Could you send and receive enough on the connection using that SIM to cost them enough money that they'd notice it?
It’s surprisingly common for SIMs in IoT devices to not be locked down. If the data usage spikes enough above the noise it’ll probably be detected & deactivated.
I bought an aparment 3.5 years ago and it had an alarm installed.
I called the security company to transfer ownership but that couldn’t be done without authorisation from the previous owner, which probably makes sense. The problem is, they were unreachable, and I was living on a house that I now owned, and which had cameras the previous owner could take pics from at any time.
My patience was running out so I threatened the security company with removing the cameras installed in the house I owned, but I was told that they owned them even if they were inside my house.
At that point, you could point out that you have no contract with them, and that they’ve abandoned their property on your place.
The last time I checked, US property rights made it clear that you cannot just store stuff on other people’s land without permission, and then complain when they throw it away.
They could try to argue that whatever contract the previous owner signed still applies, but for that to be the case, they would have had to amend the deed to the property, and that should have been noticed by your title agency.
Regardless I would have carefully taken these down and put them in a box on the day I moved in. And then called them (or better, written to them) and given them a reasonable amount of time (maybe a couple months) to collect their property, making it clear that I would dispose of it after that time expired.
The thing is, first of all I’m hardly a handyman, I wouldn’t have known where to start. Second, I was dealing with moving to a new place, which can be very stressful (to add to that, my girlfriend was 6 months pregnant and my dad had passed away unexpectedly less than 2 months earlier). And third, I wanted the alarm, just with me in the contract and with the access to the cameras, not the previous owner.
I simply covered them. The threat was just me running out of patience.
What the actual fuck?! Why would you have cameras inside your house to begin with, let alone ones that upload to “the cloud” and let alone ones that upload to users you don’t control?
This is a disturbingly common practice - I have seen videos on Reddit, YouTube and the like that show moments captured from cameras obviously mounted inside children’s bedrooms with a cloud service company’s logo on the feed.
The contract would likely say something to the effect of "I promise to pay for the data sent to or from this device" and nothing about the owner of the device. If anything was said about the owner, it would be that the responsibility of the original contract holder is to ensure the contract was terminated when the sale took place.
Is there case law on this? I don't see any way in which this is legally theft by the OP (admittedly my knowledge is more US-centric than Euro-centric). If I let someone tether a device to my cell phone (or loan my phone to them), are they committing theft?
The company on the contract voluntarily gave the SIM to OP.
You better believe if I buy a property in Germany which has security cameras inside the absolute first thing that’s happening is those are getting smashed to absolute bits and if anyone even tries to complain I’ll sue them.
I may even consider filing against the previous tenants for not removing them and so my being filmed destroying them was without my consent, it’s a clear crime to me to record someone on their private property without their permission ..
Same thing in France and I don't understand some answers in this thread. My home -> my cameras, and you can be sure they will be removed and thrown away ASAP. It's at least a violation of my privacy and wouldn't be tolerated where I live.
IAALBNYL it’s not theft because they’ve been abandoned and are in the new owner’s possession. If the prior owner can’t be reached and the security company which claims to own them won’t take them, they’re probably fair game.
At first glance this reminded me of some Ford Crown Victoria Police Interceptor models which had similar unlabeled buttons. One would disable all exterior lights, including brake lights, for going into stealth/surveillance mode. An adjacent button was used to be able to remove the key and keep the engine running, while preventing the car from being shifted out of park until the key was inserted again. I haven't seen either feature re-introduced in the newer Explorers or Fusions though.
Many modern ambulances have a similar shifter disable switch so that it can be left running and someone can't take off with your ambulance while you're off collecting your patient.
> … used to be able to remove the key and keep the engine running, while preventing the car from being shifted out of park …
I’m pretty sure (not 100%) that new cars with contactless keys have this feature by default. You can get out (with the key) and leave it running, but the shifter won’t work until you return with the key.
I think you're right, although I've noticed that there's a timeout where newer cars automatically turns off if the key fob doesn't come back within range after so many minutes. Probably a safety feature to avoid accidental walkaways, whereas the button required a deliberate two-step action (hold down while turning and removing the key) to activate the feature.
So this was a gps tracker that was installed by a fleet and never removed. The larger issue is that most car companies in the US are reselling your data on newish vehicles (2016+) anyway. I am still amazed that this is not a larger issue.
>The larger issue is that most car companies in the US are reselling your data on newish vehicles (2016+) anyway.
A fun read related to this: "Privacy Nightmare on Wheels: Every Car Brand Reviewed by Mozilla - Including Ford, Volkswagen and Toyota - Flunks Privacy Test"
>The very worst offender is Nissan. The Japanese car manufacturer admits in their privacy policy to collecting a wide range of information, including sexual activity, health diagnosis data, and genetic data — but doesn’t specify how. They say they can share and sell consumers’ “preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes” to data brokers, law enforcement, and other third parties.
Back around 2004 a friend of mine worked at a car dealership in the Bronx that sold high end used cars.
They were putting GPS trackers in all of the cars they financed so they could repossess them when the customer didn't make their payment.
This was/is (from my understanding, IANAL) very illegal. They never told the customers either.
The financing was ridiculous and they preyed on the people who had just enough down and didn't care what they were signing so they had a large percentage of repossessions.
Made me wonder how many other shops were doing the same thing...even 20 years ago.
The switch is probably for tax reasons, to record whether you’re making a business vs personal trip. Personal trips go towards the 500 km allowance before the car is seen as indirect salary and should be taxed as such. Setting it to personal might also disable the tracking for privacy reasons.
As long as privacy-related misconducts are considered petty offenses, these things will just continue. Governments fail to see the implications because the virtual world is too difficult for them to understand. As long as there are no laws that actually get enforced, your privacy isn't worth anything.
A lot of used cars have something like this. I'm honestly more surprised OP apparently bought the car either sight unseen or without questioning this before signing any paperwork.
I wonder if it’s a tracking off switch or a panic button? I used to work for a fleet tracking SaaS, and some customers with unionised workforces needed a way to disable tracking, and panic buttons were common too (although less so in Europe).
Signal to HQ "I'm being robbed" or something like this, I would guess.
Around here, such a button in this place would be for the 20 000 lumen extralights. Typically for cars with xenon headlights, like this Opel, the extralights are powered via a relay that takes control signal from a can-bus adapter that extracts the high beam signal, via a manual switch like this.
My car came with a similar toggle switch under the dash. I figured out it was to fully disable the ABS system. (The previous owner was a fan of taking his car two track days.)
I kept accidentally toggling it off with my knee, so I replaced it with a nice flush push button. I haven't tracked the car yet though.
That was a fun read. It's interesting to think that they would leave it attached. Indeed, what could you do with that?
Did you find the unit that the wires go to? Then you could open that up and see what chips, sensors etc are in there.
Used car dealers install those as per bank requirement to find the car in case it needs to be repoed, if the customer finishes the payment it just stays in the car but the account is disabled (the dealer pays a monthly fee for nothing otherwise). So basically it’s sending location data to nobody.
I wonder what should be the GDPR implications for the car dealership, selling cars that track their owner's location and not being able to confirm it, explain why it exists, or who receives the data.
Unless the whole thing is disabled in absence of a registered fleet tracker key on the magnet on the right.
While I'm sure they discontinued the service on whatever cellular device transmits the data back it is a curious question about the legality of if they left the service in place and continue to track the vehicle long after they sold it
While you do own the hardware, you probably don’t own the data, licenses, and software in the SIM so you might not be entitled to the data it transmits once it hits the carriers network.
I don’t know how that would work, since that data is the personal information of whoever is in the car at the time of collection, so I would guess that the applicant to get the info would have to substantiate that they were in the car at the time, regardless of the ownership of the car.
Or maybe just ownership of the car is enough? I kind of suspect it might not be though.
The car belongs to the individual named Koen Van Hove (as stated in the blog). He holds GDPR rights to any location data that gets sent out.
Before that, if the system allowed for any correlation of location data to who was driving at that point, the exact same rights apply too for each involved driver.
Only if the data controller (the entity who made the choice to put a gps tracker on the car) took specific steps to ensure the location data could not be correlated to an individual (and can prove those steps were taken), is the data safe from GDPR.
It might be your smartphone, but all the data it collects, including recording audio and video is now mine, when I send it to my server. Don't you dare tamper with or even look at it!
(When did crazy things like this start becoming a real thing?)
Legally speaking the data was recorded without consent so if the company receiving this data tries to claim ownership, they'll need to delete it anyway.
However, because the author lives in a country covered by the GDPR, they have a right to receive, correct, and adjust the personal information collected on them. No need to capture the data transmitted by the system, the company is legally obligated to hand over every bit of personal information they have on the author, including any pseudomised information, in a format that's machine readable.
In theory you'd be liable for racking up a bill if you use their SIM card, but I doubt it still works.
Apart from privacy concerns of your data being used or sold by the car vendor, government outreach is also a concern. There was a bill announced in the US for all new cars to be equipped with "driver impairment" tech which was called a "kill switch". Media rushed to say it's not really a kill switch, just "sensors or cameras to monitor the driver’s behaviors, head or eye movements" and "block the driver from operating the vehicle". So... a kill switch. https://apnews.com/article/fact-checking-402773429497
Anyway, I'm staying with my old gas Honda until it dies which is probably never with proper maintenance and eventually restoration. I'll never go electric. Modern cars are just smartphones on wheels at this point, and smartphones are just spying devices at this point.
reply