Consumer Rights Wiki - User contributions [en]

Volkswagen car-location data-exposure incident

2025-01-27T00:14:15Z

BobBarone: /* References */

{{Under_Development
|date=January 2025
|stage=early
|priority=high
}}

''Note: This article represents an ongoing situation and may be updated as more information becomes available.''

In 2024, Volkswagen experienced a data-security incident involving customer vehicle information stored on [[Amazon Web Services]] (AWS). The incident occurred when Volkswagen's implementation of [[CARIAD]], a system used for storing terabytes of customer data, was discovered to have publicly accessible storage instances, because of a misconfiguration<ref name=":0">[https://cybersecuritynews.com/volkswagen-data-breach/]"Volkswagen Data Breach: 800,000 Electric Car Owners’ Data Leaked" written by Guru Baran (co-founder of Cyber Security News and GBHackers On Security). [https://archive.ph/tVDzM Archived] from the original on December 28, 2024. Retrieved on January 15, 2025.</ref>.

==Background==

This incident occurred within a broader context of automotive data-security concerns. Modern vehicles increasingly collect and transmit various types of data, including location information, driving patterns, and user identification<ref name=":1">[https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use]"Cars & Consumer Data: On Unlawful Collection & Use" written in collaboration by the Office of Technology and the Division of Privacy and Identity Protection in the Bureau of Consumer Protection. [https://web.archive.org/web/20240514181955/https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use Archived] from the original on May 14, 2024. Retrieved January 15, 2025.</ref>. The automotive industry has previously faced scrutiny regarding data-collection practices, with documented instances of manufacturers collecting and sharing vehicle data with third parties.

==The incident==
[[File:Volkswagen.png|alt=Pie Chart showing the total cars affected including the severity of each(whether its location was exposed down to a radius of 10cm or 10km) and breakdown by brand|thumb|Pie Chart showing the total cars affected and breakdown by brand]]
The core issue stemmed from a misconfiguration in Volkswagen's AWS storage implementation, which left customer data publicly accessible without proper authentication or access restrictions<ref name=":0" />. This exposed sensitive information about vehicle locations, EV-battery statistics and sensitive customer information. The incident not only breached customer trust, but Volkswagen's own [[Terms of Service]].

==Industry context==

The incident highlighted ongoing discussions about automotive data security and privacy. Similar concerns were raised during the [[2020 Massachusetts Right to Repair ballot initiative]], where major automotive manufacturers including [[General Motors]], [[Ford]], [[Nissan]], [[Toyota]], and [[Honda]] invested approximately $25 million in campaign advertising discussing data security implications.

==Regulatory response==

The National Highway Traffic Safety Administration (NHTSA) has previously expressed concerns about automotive data security. Following the 2020 Massachusetts Right to Repair initiative, NHTSA official Carrie Gules issued a letter addressing potential security vulnerabilities in vehicle data systems.<ref>https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/vehicle_cybersecurity_best_practices_01072021.pdf. [https://web.archive.org/web/20210720041841/https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/vehicle_cybersecurity_best_practices_01072021.pdf Archived] from the original on July 20, 2021. Retrieved January 27, 2025.</ref>

==Broader implications==

This incident demonstrates the broader challenges facing the automotive industry regarding data security and privacy. It has been documented that automotive manufacturers regularly collect various types of vehicle data,<ref name=":1" /> including:
*Location information
*Driving patterns
*Vehicle-operation metrics
*User-behavior data

Some manufacturers have established partnerships with data aggregators and insurance companies for data-sharing purposes. For example, General Motors has been documented to share driving data with LexisNexis and insurance companies, including information about:

*Vehicle-location data
*Turning-radius information
*Stop times
*Drive times

==See also==
*Data privacy
*[[Right to repair]]
*[[CARIAD]]
*[[Volkswagen]]
*[[2020 Massachusetts Right to Repair ballot initiative]]
*[[General Motors data collection and sharing controversy]]

==References==
<references />

[[Category:Data breaches]]

[[Category:AWS security incidents]]


==Further Reading==
*[https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027 For the link to the news source which was tipped off by a German hacktivist group]. [https://web.archive.org/web/20241227094207/https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027 Archived] from the original on December 27, 2024. Retrieved January 15, 2025.
*[https://www.youtube.com/watch?v=Agcp37iiWLc&t=188s Youtube video with mentioned credits for more information].
[[Category:Automotive privacy]]
[[Category:Right to repair]]
[[Category:CARIAD]]
[[Category:Incidents]]

Arity's alleged unauthorized driver data collection through mobile apps

2025-01-18T00:15:38Z

BobBarone: /* References */ added archive.org links to some references.

== Introduction ==
Arity, established in 2016 as a subsidiary of Allstate Corporation, positions itself as a leader in mobility data analytics. According to their mission statement:
<blockquote>''...collect{s} and analyze{s} trillions of miles of driving data to create a greater understanding of how people move. With the world's largest driving dataset tied to insurance claims collected through mobile devices, in-car devices, and vehicles themselves''<ref>https://web.archive.org/web/20250114015047/https://arity.com/solutions/vehicle-miles-traveled/</ref></blockquote>

[[File:Screenshot of arity.com as of January 15, 2025.png|alt=screenshot of arity.com as of January 15, 2025|thumb|screenshot of arity.com demonstrating their claim of having 40 million active mobile connections]]

According to their website, Arity maintains over 40 million active mobile connections, capturing data at intervals of 15 seconds or less.<ref>https://web.archive.org/web/20241217184520/https://arity.com/solutions/real-time-insights/</ref> The Texas Attorney General's office has initiated legal proceedings against Allstate Corporation and its subsidiaries, including Arity, asserting that this data collection occurred without proper driver consent.<ref>https://www.texasattorneygeneral.gov/sites/default/files/images/press/Allstate%20and%20Arity%20Petition%20Filed.pdf. [https://web.archive.org/web/20250114165226/https://www.texasattorneygeneral.gov/sites/default/files/images/press/Allstate%20and%20Arity%20Petition%20Filed.pdf Archived] from the original on 14 January, 2025. Retrieved 17 January, 2025.</ref>

The State of Texas, under the direction of Attorney General Ken Paxton, has filed a lawsuit naming Allstate, Arity, and their subsidiaries as defendants, alleging multiple violations of data privacy regulations.

== Claims made by the suit ==

=== Laws broken ===
The legal action alleges violations of multiple state regulations, including the Texas Data Privacy and Security Act<ref>https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm. [https://web.archive.org/web/20241230075523/https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm Archived] from the original on 30 December, 2024. Retrieved 17 January, 2025.</ref>, the Data Broker Law<ref>https://statutes.capitol.texas.gov/Docs/BC/htm/BC.509.htm. [https://web.archive.org/web/20241223161307/https://statutes.capitol.texas.gov/Docs/BC/htm/BC.509.htm Archived] from the original on 23 December, 2024. Retrieved 17 January, 2025.</ref>, and the Texas Insurance Code<ref>https://statutes.capitol.texas.gov/Docs/IN/htm/IN.541.htm. [https://web.archive.org/web/20250111144543/https://statutes.capitol.texas.gov/Docs/IN/htm/IN.541.htm Archived] from the original on 11 January, 2025. Retrieved 17 January, 2025.</ref>. The scope of the alleged data collection, implemented through mobile app software integration, extends beyond Texas residents to affect millions of Americans nationwide.

=== Claims made ===
Several assertions in this lawsuit require additional substantiation, as '''the source documentation provides insufficient information to verify their origins.''' For more information on this topic, please refer to [[Anonymity & Vagueness in Citations]].

==== Claims with evidence ====

===== What data Arity collects =====
According to the lawsuit and confirmed by Arity's privacy policy<ref name=":0" />, the company collects:

* Geolocation data
* Accelerometer data
* Magnetometer data
* Gyroscopic data
* Trip attributes:
** Start/end locations
** Distances
** Durations
** Times of these movements
* GPS points
* Derived events:
** Acceleration
** Speeding
** Distracted driving
** Crashes

===== Arity's claims regarding their massive data collection =====

====== This is technically true ======
Arity's website makes the following verifiable claims:

# Possession of the largest driving data collection
# Data collection intervals of 15 seconds
# Access to trillions of miles of driving data

====== Evidence of data collection vs. evidence of ''improper'' data collection ======
The lawsuit's citations primarily reference Arity's public statements, which alone do not establish wrongdoing. For comparison, Geico's smartphone application implements driver-monitoring data collection with explicit user consent, offering potential insurance rate reductions.<ref>https://www.geico.com/driveeasy/. [https://web.archive.org/web/20241211081848/https://www.geico.com/driveeasy/ Archived] from the original on 11 December, 2024. Retrieved 18 January, 2025.</ref> While such data collection may raise privacy concerns, the transparency of choice differentiates it from alleged improper practices. The mere existence of driving data collection does not inherently indicate privacy violations.

The lawsuit's core allegations focus on the undisclosed collection and monetization of insured drivers' behavioral data without proper consent, though concrete evidence supporting these claims remains pending.

===== Arity's lack of easy opt-out =====
{{Important|Consumers utilizing applications with integrated Arity SDK encountered systematic barriers to opting out of data collection.}}
The company's privacy policy<ref>https://web.archive.org/web/20241217050443/https://arity.com/privacy/</ref> provides inadequate guidance regarding data collection opt-out procedures. Their website redirects users to external resources, such as the Apple support center, which offer limited practical assistance in restricting Arity's data collection capabilities.

===== Defendants worked to Integrate the Arity SDK into Mobile Apps =====
The Texas Attorney General's lawsuit asserts that Arity and Allstate established financial arrangements with applications including Routely, Life360, GasBuddy, and Fuel Rewards to incorporate their SDK. While direct evidence of these arrangements is not presented in the legal documentation, the following economic factors support this business model:

# The substantial market value of driving behavior data
# Financial incentives for app developers to participate in data monetization
# Arity's strategic interest in expanding their driver data collection network

Arity actively markets their SDK integration services to businesses and developers.<ref>https://web.archive.org/web/20240716070042/https://arity.com/article/leveraging-a-telematics-sdk-for-mobile-apps/</ref> Documentation of Arity's app integration exists through:

# Public confirmation of the GasBuddy partnership through Arity's press releases<ref>https://web.archive.org/web/20241213031839/https://www.prnewswire.com/news-releases/gasbuddy-partners-with-arity-to-bring-personalized-experiences-to-drivers-looking-to-save-even-more-money-on-fuel-301321800.html</ref>
# Detailed case study documentation of Life360's implementation of Arity's technology<ref>https://arity.com/wp-content/uploads/2023/09/arity_case-study_moapps_Life360.pdf. [https://web.archive.org/web/20240804011729/https://arity.com/wp-content/uploads/2023/09/arity_case-study_moapps_Life360.pdf Archived] from the original on 4 August, 2024. Retrieved 18 January, 2025.</ref><ref>[[:File:Arity case-study moapps Life360.pdf]]</ref>

===== Arity's claims about usage of data =====
The lawsuit references Arity's terms of service regarding data utilization, specifically citing their privacy policy<ref name=":0">https://web.archive.org/web/20241217050443/https://arity.com/privacy/</ref>:

<blockquote>Arity shares your information with its business clients as part of your purchase, or use, of services from those business clients. Those business clients include, but are not limited to, insurance companies as well as mobile app providers who track the location of members of a defined group or who provide weather related information. If you have purchased an insurance product offered by an Arity business client, then your information may also be used by that business client to calculate insurance rates or rewards provided under the product or service. Our insurance company business clients may also use your information to update their pricing and underwriting models. All such use of your personal information by our business clients is subject to their privacy policies and not this Privacy Statement.</blockquote>

===== Drivers not knowingly consenting to these terms =====
The terms of service present significant consent issues:

====== "Arity shares your information with its business clients as part of your purchase, or use, of services from those business clients."<ref name=":0" /> ======
This arrangement presents substantial privacy concerns, illustrated through the following scenario:

# A user (James) engages with an Arity business client's application
# James lacks awareness of Arity's existence
# The business client omits disclosure of Arity's data handling practices
# This creates an inherent impossibility of informed consent to Arity's privacy policy

====== "If you have purchased an insurance product offered by an Arity business client, then your information may also be used by that business client to calculate insurance rates or rewards provided under the product or service."<ref name=":0" /> ======
{{Important|The distinction between insurance and non-insurance business clients creates a critical privacy concern: '''Non-insurance entities may collect data that influences insurance rates without user awareness or consent.'''}}

This structure potentially enables non-disclosed data collection to impact insurance premiums, exemplifying the problematic nature of what can be termed a [[Game of Telephone privacy policy|telephone privacy policy]].

==== Claims without evidence ====
The following allegations rely on the legal principle of ''information and belief,'' indicating that supporting evidence is anticipated through the [[wikipedia:Discovery_(law)|discovery]] process rather than currently available.

{{Important|Substantial allegations regarding automotive industry practices require corresponding evidence beyond [[Trust me bro|trust me bro]] assertions.}}

===== Arity purchased information from automakers to complement their own data =====
[[File:Facebook screenshot of insurance app.png|alt=Facebook screenshot of insurance app|thumb|Facebook screenshot of insurance app]]
The smartphone-based data collection methodology presents inherent accuracy limitations. For example, recreational activities like roller coaster rides might erroneously register as dangerous driving behavior.<ref>https://www.cincinnati.com/story/entertainment/2024/10/08/insurance-cuts-driving-score-man-riding-the-beast-kings-island/75554987007/. [https://web.archive.org/web/20250114231210/https://www.cincinnati.com/story/entertainment/2024/10/08/insurance-cuts-driving-score-man-riding-the-beast-kings-island/75554987007/ Archived] from the original on 14 January, 2025. Retrieved 18 January, 2025.</ref><ref>https://www.facebook.com/photo/?fbid=8578211025555918&set=gm.8485090164900182&idorvanity=121958981213384</ref>

However, the lawsuit's assertion regarding automotive manufacturer data sales remains unsubstantiated.

<blockquote>To potentially account for the Arity SDK Data's limitations, Defendants sought to combine the SDK Data with data collected directly from vehicles. As a result, Defendants began purchasing consumers' driving-related data from car manufacturers, such as Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram. On information and belief, consumers did not consent, nor were otherwise aware that, Defendants purchased their driving-related data from these car manufacturers</blockquote>

===== Arity's bonus incentives to developers for bundling data collection into their apps =====
The lawsuit states: <blockquote>"To encourage developers to adopt Defendants' software, Defendants paid app developers millions of dollars to integrate Defendants' software into their apps. Defendants further incentivized developer participation by creating generous bonus incentives for increasing the size of their dataset."</blockquote>This claim lacks supporting documentation.

{{Important|While economic incentives for such arrangements are theoretically plausible - with potential profits from data sales exceeding developer incentive costs - '''the lawsuit presents no concrete evidence of these financial arrangements.'''}}

===== Automakers who sold data =====
The lawsuit names Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram as participants in data sales to Arity, without providing supporting evidence for these assertions.

== References ==
{{reflist}}

[[Category:Lawsuits]]
[[Category:Privacy]]
[[Category:Data Collection]]
[[Category:Allstate subsidiaries]]

Magic Leap

2025-01-17T23:43:06Z

BobBarone: Updated formatting, and changed referencing from in-text hyperlinks to bibliography.

== Magic Leap ending support for Magic Leap 1 ==

Magic Leap is a company founded in 2010. Magic Leap creates Augmented Reality (AR) Devices which overlay computer graphics over the user's real life view.<ref>https://www.forbes.com/sites/davidewalt/2016/11/02/inside-magic-leap-the-secretive-4-5-billion-startup-changing-computing-forever/. Retrieved 17 January, 2025. [https://web.archive.org/web/20161103140449/https://www.forbes.com/sites/davidewalt/2016/11/02/inside-magic-leap-the-secretive-4-5-billion-startup-changing-computing-forever/#13f1aaa34223 Archived] from the original on 3 November, 2016. Retrieved 17 January, 2025.</ref>

Their first device, the Magic Leap 1 released in August of 2018 and retailed for $2,295 USD.<ref>https://appleinsider.com/articles/18/08/08/magic-leap-one-mixed-reality-glasses-launch-in-six-us-cities. Retrieved 17 January, 2025. [https://web.archive.org/web/20180809022213/https://appleinsider.com/articles/18/08/08/magic-leap-one-mixed-reality-glasses-launch-in-six-us-cities Archived] from the original on 9 August, 2018. Retrieved 17 January, 2025.</ref> Their most recent device, the Magic Leap 2 released in September of 2022.

=== Incident ===

On December 31, 2024 Magic Leap released an article detailing the end of life of their product, the Magic Leap 1. In this article, they explain that the device will no longer be supported. As the article states, the device core functionality including the device and its apps as well as cloud services are no longer available. This means that the device is now unfortunately no longer usable by any end user who has purchased it. In the article, they encourage users to purchase a Magic Leap 2 to continue to use their services and applications.<ref>https://www.magicleap.care/hc/en-us/articles/18878883445645-Magic-Leap-1-End-of-Life. Retrieved 17 January, 2025. [https://web.archive.org/web/20250111133355/https://www.magicleap.care/hc/en-us/articles/18878883445645-Magic-Leap-1-End-of-Life Archived] from the original on 11 January, 2025. Retrieved 17 January, 2025.</ref>

[[File:Magic Leap 1 End of Life Article.jpg|thumb|Screenshot of the Magic Leap 1 End of Life Article from their webpage.]]

== References ==
<references />

RepairShopr data privacy

2025-01-17T23:28:36Z

BobBarone: /* References */ added archive.org link, and removed duplicate reference.

== RepairShopr Changing Terms of Service ==

=== Introduction ===
[[RepairShopr]], a [[Software-as-a-Service]] (SaaS) platform used primarily for [[Customer Relationship Management]] (CRM) and ticketing in repair shops, has recently been the subject of scrutiny due to changes in its [[terms of service]]. Previously praised for its utility and robust features, concerns have arisen about data usage policies and subscription practices after its acquisition by [[Synchro]], leading to dissatisfaction among long-term users.<ref>https://www.youtube.com/watch?v=bu_rjYHZj9I</ref>

=== Background ===
Initially developed by Troy Anderson, RepairShopr gained popularity as an affordable and effective CRM solution for repair businesses. Its features included [[QuickBooks]] integration, shipping automation, and caller ID syncing with ticket statuses. Users valued its simplicity and responsiveness to feedback. However, following its sale to Synchro, the platform has faced criticism for declining functionality, increased pricing, and controversial terms of service updates.<ref>https://www.youtube.com/watch?v=ASJE0501nOA</ref>

=== Key Issues ===

==== AI Tools and Data Usage ====
The most contentious issue involves RepairShopr’s updated terms of service, which grant the platform the right to use "user content" and "usage information" to train AI tools. While Synchro claims no current AI features are operational, the terms allow for future implementation. Critics argue this represents a violation of privacy, as user content includes communications with customers, which are considered sensitive business data.<ref name=":0">https://www.repairshopr.com/repairshopr-user-access-and-license-agreement. [https://web.archive.org/web/20250106203556/https://www.repairshopr.com/repairshopr-user-access-and-license-agreement Archived] from the original on January 6, 2025. Retrieved January 17, 2025.</ref>

==== Opt-Out Policies ====
Users must opt out of data collection for AI training by directly contacting the company. However, previously collected data remains usable under the terms, creating further concerns about consent and [[retroactive policy enforcement]]. This policy is outlined under the '''"Intellectual Property; Reservation of Rights"''' section of the RepairShopr User Access and License Agreement, specifically the sixth point:<ref name=":0" />

"If you wish to opt out of any future collection and aggregation by Servably of your User Content or Usage Information in an anonymous form in order to train Servably’s AI Tools, please contact us as set forth below. For clarity, such opt-out will apply only on a go-forward basis and will not obligate Servably to cease using any previously anonymized and aggregated User Content or other Usage Information as otherwise permitted in this Agreement."

Furthermore, the opt-out process must be initiated by the business owner, which limits the ability of individual employees or customers of the business to safeguard data. Per Louis Rossmann’s account, the changes to the terms were not disclosed until after they had already taken effect, leaving a window of time where data could have been collected without the user’s knowledge or consent.<ref>https://www.youtube.com/watch?v=bu_rjYHZj9I</ref>

==== Increased Costs and Functionality Decline ====
Since the acquisition, RepairShopr’s subscription fees have increased by 40%, with users reporting degraded service quality. Core functionalities, such as email communication with customers, have experienced extended downtimes, undermining its role as a CRM tool.<ref>https://www.youtube.com/watch?v=ASJE0501nOA</ref>

==== Transparency and Communication ====
Users were notified of changes to the terms of service by email late in December 2024, with the new policies already having been in effect for weeks. Many users criticized the lack of proactive communication, claiming the updates were poorly communicated and buried under non-critical updates.<ref>https://www.youtube.com/watch?v=bu_rjYHZj9I</ref>

=== Broader Implications ===
This case reflects broader trends in SaaS:
* '''Erosion of Ownership Rights:''' Platforms increasingly transition to subscription-based models, asserting greater control over user data and functionality.
* '''AI Training and Data Ethics:''' Policies allowing AI training on user-generated data raise ethical and legal concerns about privacy and informed consent.
* '''Consumer Trust:''' Poor communication and retroactive application of terms erode trust in service providers.
* '''Transparency in Terms of Service:''' SaaS providers should clearly communicate terms changes, ensuring users explicitly consent to updates.

=== See Also ===
* [[Retroactive Application of Policies and Enforcement]]
* [[Consumer Rights in SaaS Platforms]]
* [[AI Training and Data Privacy Ethics]]

== References ==
<references />

[[Category:Incidents]]
[[Category:Synchro]]
[[Category:RepairShopr]]
[[Category:Servably]]
[[Category:Consumer rights]]
[[Category:Anti-consumer]]
[[Category:Subscription-based services]]

Mazda remote-start subscription

2025-01-17T23:25:10Z

BobBarone: Added archive.org links to reference list.

== Mazda Connected Services Remote Start Subscription ==
In 2019, Mazda introduced "Mazda Connected Services," a feature enabling remote start and other functionalities through a smartphone app. However, customers were only offered a three-year complimentary trial, after which continued access required a $10 monthly subscription. As these trials began expiring in 2023, affected users received notifications encouraging subscription enrollment.<ref>[https://www.motor1.com/news/729233/mazda-connected-services-remote-start-subscription/ "Mazda Connected Services Remote Start Subscription Now Costs $10 Per Month."] Retrieved January 15, 2025. [https://web.archive.org/web/20240806170145/https://www.motor1.com/news/729233/mazda-connected-services-remote-start-subscription/ Archived] from the original on 6 August, 2024. Retrieved January 17, 2025.</ref>

=== Background ===
Historically, remote start functionality was integrated into car key fobs and did not require additional fees. With the rise of connected services, manufacturers have shifted these features to subscription models, framing them as value-added services. This transition has raised concerns over diminishing consumer ownership rights.

The service works by leveraging cloud-based infrastructure to enable remote features such as:
* Remote Start
* Vehicle Health Reports
* Status Notifications
* Keyless Entry

Users must connect to Mazda's servers to access these features, eliminating self-hosting or alternative server options, a feature previously standard in many client-server architectures.

=== Consumer Backlash ===
Mazda's decision sparked criticism among consumers, many of whom argue that the subscription model effectively limits functionality of hardware they already paid for. Critics also point to broader concerns about diminishing ownership, as these features are entirely reliant on Mazda's continued support of their servers.

=== Legal and Technological Context ===
Efforts to bypass the subscription requirement have encountered legal obstacles under the Digital Millennium Copyright Act (DMCA). Section 1201 of the DMCA prohibits bypassing digital locks, even for features tied to hardware consumers legally own. In 2023, a developer attempting to create an open-source solution enabling direct control of Mazda vehicles without relying on Mazda’s servers received a DMCA takedown notice.<ref>[https://github.com/github/dmca/blob/master/2023/10/2023-10-10-mazda.md "Mazda DMCA Takedown Notice Against Open Source Developer."] Retrieved January 15, 2025. [https://web.archive.org/web/20241203010657/https://github.com/github/dmca/blob/master/2023/10/2023-10-10-mazda.md Archived] from the original on 3 December, 2024. Retrieved January 17, 2025.</ref>

=== Broader Implications ===
The Mazda Connected Services controversy highlights several trends in modern consumer protection:
# '''Shift from Ownership to Licensing:''' Increasing reliance on subscription models for basic features.
# '''Barriers to Repair and Modification:''' Legal restrictions on circumventing software controls tied to physical products.
# '''Privacy Concerns:''' Reliance on cloud-based solutions may involve the collection and use of customer data without adequate transparency.

This incident also highlights the challenges faced by independent developers and open-source communities attempting to restore consumer autonomy.

== See Also ==
* [[Right to Repair movement]]
* [[Digital Millennium Copyright Act]]
* [[Connected car security]]
* [[Subscription-based features in vehicles]]
* [[Consumer ownership erosion]]

== References ==
<references />

[[Category:Automotive industry incidents]]
[[Category:Subscription-based services]]
[[Category:Right to repair]]
[[Category:Connected car security]]
[[Category:Consumer rights]]
[[Category:Incidents]]

Valve removes arbitration requirement from Steam Subscriber Agreement

2025-01-17T23:20:12Z

BobBarone: Added archive.org links to reference list.

In September 2024, [[Valve]] removed both the individual [[Forced Arbitration|binding arbitration]] requirements and class-action waiver from the [https://store.steampowered.com/subscriber_agreement Steam Subscriber Agreement], which is, essentially, [[Steam]]'s [[End-User License Agreement]]. This was done because of a pending [https://storage.courtlistener.com/recap/gov.uscourts.wawd.337957/gov.uscourts.wawd.337957.1.0.pdf class-action lawsuit] wherein "the named Plaintiffs won binding decisions from arbitrators rendering Valve's arbitration provision unenforceable for both lack of notice and because it impermissibly seeks to bar public injunctive relief."[1]

== Implications ==
This restores consumer rights to both court litigation and class-action lawsuits, rather than being bound to forced arbitration, for resolving disputes with Steam.

== Sources/Links ==

* Link to the Steam news article: https://store.steampowered.com/news/app/593110/view/4696781406111167991. [https://web.archive.org/web/20240927180120/https://store.steampowered.com/oldnews/ Archived] from the original on 27 September, 2024. Retrieved 17 January, 2025.
* Link to the Steam Subscriber Agreement: https://store.steampowered.com/subscriber_agreement. [https://web.archive.org/web/20240928014938/https://store.steampowered.com/subscriber_agreement/ Archived] from the original on 28 September, 2024. Retrieved 17 January, 2025.
* Louis Rossmann's video on the news: https://www.youtube.com/watch?v=1f81qXxggo8
* NACA's arbitration definition: [https://www.consumeradvocates.org/for-consumers/arbitration/ https://www.consumeradvocates.org/for-consumers/arbitration/.] . [https://web.archive.org/web/20250101160116/https://www.consumeradvocates.org/for-consumers/arbitration/ Archived] from the original on 1 January, 2025. Retrieved 17 January, 2025.
* [1] "Steam doesn’t want to pay arbitration fees, tells gamers to sue instead": https://arstechnica.com/tech-policy/2024/09/steam-doesnt-want-to-pay-arbitration-fees-tells-gamers-to-sue-instead/. [https://web.archive.org/web/20241217090450/https://arstechnica.com/tech-policy/2024/09/steam-doesnt-want-to-pay-arbitration-fees-tells-gamers-to-sue-instead/ Archived] from the original on 17 December, 2024. Retrieved 17 January, 2025.

[[Category:Valve Corporation]]

Talk:Volkswagen car-location data-exposure incident

2025-01-17T22:48:24Z

BobBarone: /* NHTSA letter */

== Information Gaps and Needed Sources ==
{{Talk header}}

Hello contributors. As this is one of our first articles on the Consumer Protection Wiki, I wanted to highlight several areas where we need additional information and sources to strengthen this article's accuracy and completeness as we start to define proper wiki article format/structure/sources that should be added.

This was mostly generated as from transcripts provided to Claude Pro using Sonnet 3.5 which leaves it as a skeleton/placeholder and nowhere near a final iteration. In fact, we should create a template for AI-assisted initial drafts if this will be a common practice. Something like {{AI-Draft}} that could be standardized across articles.

=== Priority Information Needed ===

==== Incident Specifics ====
* Precise date of the incident
* Scope of exposed data
* Official Volkswagen statements
* Duration of exposure
* Discovery details

==== Regulatory & Legal Context ====
* NHTSA letter details and citations
* Applicable data protection laws
* Any resulting investigations
* Legal requirements for customer notification

==== Technical Documentation ====
* Details about AWS/Carad implementation
* Nature of the misconfiguration
* Industry standard security practices
* Technical safeguards typically used

==== Impact & Resolution ====
* How Volkswagen addressed the vulnerability
* Customer impact details
* Financial consequences
* Long-term security changes implemented

=== Red Links Added ===
Several key terms have been marked as redlinks in the main article to indicate needed sub-articles:
* CARIAD
* Automotive data privacy
* Right to Repair movement
* Vehicle telematics
* Connected car security

=== Collaboration Request ===
If any contributors have access to reliable sources covering these aspects, please help expand the article. Remember to follow our editorial guidelines regarding factual, non-accusatory tone and proper source citation.

=== Next Steps ===
# Add specific dates and timeline
# Include technical details with proper verification
# Document regulatory responses
# Expand the industry context section

Please add to this discussion if you identify other areas needing improvement or have suggestions for additional sections.

[[Category:Article Development]]
[[Category:Data Privacy Incidents]]

[[User:Travis|Travis]] ([[User talk:Travis|talk]]) 09:48, 14 January 2025 (UTC)

== NHTSA letter ==

'''17 January 2025'''

Do you have any further information or reference for the letter, e.g., where it was mentioned?
As far as I can see, I can't find anyone called "Carrie Gules", but there is a "Carrie Giles" who works in transport but not at the NHSTA. Can't find any published letters from them though.

I have found this letter today from the FCC related to vehicle data security from Jan 2024.
https://docs.fcc.gov/public/attachments/DOC-399695A1.pdf

'''15 January 2025'''

Is this the letter you were looking for?
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/nhtsa_testimony_in_response_to_ma_committee_letter_july_20_2020.pdf

There is also this letter from NHTSA.
https://drive.google.com/file/d/1UInBq29yxNaLMrNWX3qEW50M-dbcYkJO/view

Response from senators to above letter.
https://www.warren.senate.gov/imo/media/doc/2023.06.15%20Letter%20to%20DOT%20and%20NHTSA%20re%20Right%20to%20Repair1.pdf

Response from NHTSA to senators' letter.
https://pirg.org/wp-content/uploads/2023/08/351-1.pdf

They also seem to have released a vehicle cybersecurity best practices in 2016.
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
Then updated in 2022.
https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf

Talk:Volkswagen car-location data-exposure incident

2025-01-15T01:55:01Z

BobBarone: /* NHTSA letter */

== Information Gaps and Needed Sources ==
{{Talk header}}

Hello contributors. As this is one of our first articles on the Consumer Protection Wiki, I wanted to highlight several areas where we need additional information and sources to strengthen this article's accuracy and completeness as we start to define proper wiki article format/structure/sources that should be added.

This was mostly generated as from transcripts provided to Claude Pro using Sonnet 3.5 which leaves it as a skeleton/placeholder and nowhere near a final iteration. In fact, we should create a template for AI-assisted initial drafts if this will be a common practice. Something like {{AI-Draft}} that could be standardized across articles.

=== Priority Information Needed ===

==== Incident Specifics ====
* Precise date of the incident
* Scope of exposed data
* Official Volkswagen statements
* Duration of exposure
* Discovery details

==== Regulatory & Legal Context ====
* NHTSA letter details and citations
* Applicable data protection laws
* Any resulting investigations
* Legal requirements for customer notification

==== Technical Documentation ====
* Details about AWS/Carad implementation
* Nature of the misconfiguration
* Industry standard security practices
* Technical safeguards typically used

==== Impact & Resolution ====
* How Volkswagen addressed the vulnerability
* Customer impact details
* Financial consequences
* Long-term security changes implemented

=== Red Links Added ===
Several key terms have been marked as redlinks in the main article to indicate needed sub-articles:
* CARIAD
* Automotive data privacy
* Right to Repair movement
* Vehicle telematics
* Connected car security

=== Collaboration Request ===
If any contributors have access to reliable sources covering these aspects, please help expand the article. Remember to follow our editorial guidelines regarding factual, non-accusatory tone and proper source citation.

=== Next Steps ===
# Add specific dates and timeline
# Include technical details with proper verification
# Document regulatory responses
# Expand the industry context section

Please add to this discussion if you identify other areas needing improvement or have suggestions for additional sections.

[[Category:Article Development]]
[[Category:Data Privacy Incidents]]

[[User:Travis|Travis]] ([[User talk:Travis|talk]]) 09:48, 14 January 2025 (UTC)

== NHTSA letter ==

Is this the letter you were looking for?
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/nhtsa_testimony_in_response_to_ma_committee_letter_july_20_2020.pdf

There is also this letter from NHTSA.
https://drive.google.com/file/d/1UInBq29yxNaLMrNWX3qEW50M-dbcYkJO/view

Response from senators to above letter.
https://www.warren.senate.gov/imo/media/doc/2023.06.15%20Letter%20to%20DOT%20and%20NHTSA%20re%20Right%20to%20Repair1.pdf

Response from NHTSA to senators' letter.
https://pirg.org/wp-content/uploads/2023/08/351-1.pdf

They also seem to have released a vehicle cybersecurity best practices in 2016.
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
Then updated in 2022.
https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf

Talk:Volkswagen car-location data-exposure incident

2025-01-15T01:47:57Z

BobBarone: /* NHTSA letter */

== Information Gaps and Needed Sources ==
{{Talk header}}

Hello contributors. As this is one of our first articles on the Consumer Protection Wiki, I wanted to highlight several areas where we need additional information and sources to strengthen this article's accuracy and completeness as we start to define proper wiki article format/structure/sources that should be added.

This was mostly generated as from transcripts provided to Claude Pro using Sonnet 3.5 which leaves it as a skeleton/placeholder and nowhere near a final iteration. In fact, we should create a template for AI-assisted initial drafts if this will be a common practice. Something like {{AI-Draft}} that could be standardized across articles.

=== Priority Information Needed ===

==== Incident Specifics ====
* Precise date of the incident
* Scope of exposed data
* Official Volkswagen statements
* Duration of exposure
* Discovery details

==== Regulatory & Legal Context ====
* NHTSA letter details and citations
* Applicable data protection laws
* Any resulting investigations
* Legal requirements for customer notification

==== Technical Documentation ====
* Details about AWS/Carad implementation
* Nature of the misconfiguration
* Industry standard security practices
* Technical safeguards typically used

==== Impact & Resolution ====
* How Volkswagen addressed the vulnerability
* Customer impact details
* Financial consequences
* Long-term security changes implemented

=== Red Links Added ===
Several key terms have been marked as redlinks in the main article to indicate needed sub-articles:
* CARIAD
* Automotive data privacy
* Right to Repair movement
* Vehicle telematics
* Connected car security

=== Collaboration Request ===
If any contributors have access to reliable sources covering these aspects, please help expand the article. Remember to follow our editorial guidelines regarding factual, non-accusatory tone and proper source citation.

=== Next Steps ===
# Add specific dates and timeline
# Include technical details with proper verification
# Document regulatory responses
# Expand the industry context section

Please add to this discussion if you identify other areas needing improvement or have suggestions for additional sections.

[[Category:Article Development]]
[[Category:Data Privacy Incidents]]

[[User:Travis|Travis]] ([[User talk:Travis|talk]]) 09:48, 14 January 2025 (UTC)

== NHTSA letter ==

Is this the letter you were looking for?
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/nhtsa_testimony_in_response_to_ma_committee_letter_july_20_2020.pdf

There is also this letter.
https://drive.google.com/file/d/1UInBq29yxNaLMrNWX3qEW50M-dbcYkJO/view

They also seem to have released a vehicle cybersecurity best practices in 2016.
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
Then updated in 2022.
https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf

Talk:Volkswagen car-location data-exposure incident

2025-01-15T01:38:11Z

BobBarone: /* NHTSA letter */ new section

== Information Gaps and Needed Sources ==
{{Talk header}}

Hello contributors. As this is one of our first articles on the Consumer Protection Wiki, I wanted to highlight several areas where we need additional information and sources to strengthen this article's accuracy and completeness as we start to define proper wiki article format/structure/sources that should be added.

This was mostly generated as from transcripts provided to Claude Pro using Sonnet 3.5 which leaves it as a skeleton/placeholder and nowhere near a final iteration. In fact, we should create a template for AI-assisted initial drafts if this will be a common practice. Something like {{AI-Draft}} that could be standardized across articles.

=== Priority Information Needed ===

==== Incident Specifics ====
* Precise date of the incident
* Scope of exposed data
* Official Volkswagen statements
* Duration of exposure
* Discovery details

==== Regulatory & Legal Context ====
* NHTSA letter details and citations
* Applicable data protection laws
* Any resulting investigations
* Legal requirements for customer notification

==== Technical Documentation ====
* Details about AWS/Carad implementation
* Nature of the misconfiguration
* Industry standard security practices
* Technical safeguards typically used

==== Impact & Resolution ====
* How Volkswagen addressed the vulnerability
* Customer impact details
* Financial consequences
* Long-term security changes implemented

=== Red Links Added ===
Several key terms have been marked as redlinks in the main article to indicate needed sub-articles:
* CARIAD
* Automotive data privacy
* Right to Repair movement
* Vehicle telematics
* Connected car security

=== Collaboration Request ===
If any contributors have access to reliable sources covering these aspects, please help expand the article. Remember to follow our editorial guidelines regarding factual, non-accusatory tone and proper source citation.

=== Next Steps ===
# Add specific dates and timeline
# Include technical details with proper verification
# Document regulatory responses
# Expand the industry context section

Please add to this discussion if you identify other areas needing improvement or have suggestions for additional sections.

[[Category:Article Development]]
[[Category:Data Privacy Incidents]]

[[User:Travis|Travis]] ([[User talk:Travis|talk]]) 09:48, 14 January 2025 (UTC)

== NHTSA letter ==

Is this the letter you were looking for?
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/nhtsa_testimony_in_response_to_ma_committee_letter_july_20_2020.pdf

They also seem to have released a vehicle cybersecurity best practices in 2016.
https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/812333_cybersecurityformodernvehicles.pdf
Then updated in 2022.
https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-tag.pdf

Volkswagen car-location data-exposure incident

2025-01-15T01:31:11Z

BobBarone: /* References */

{{Under_Development
|date=January 2025
|stage=early
|priority=high
}}

= Volkswagen Car Location Data Exposure Incident =

In 2024, Volkswagen experienced a data security incident involving customer vehicle information stored on Amazon Web Services (AWS). The incident occurred when Volkswagen's implementation of [[CARIAD]], a system used for storing terabytes of customer data, was discovered to have publicly accessible storage instances due to a misconfiguration<ref name=":0">[https://cybersecuritynews.com/volkswagen-data-breach/]"Volkswagen Data Breach: 800,000 Electric Car Owners’ Data Leaked" written by Guru Baran (co-founder of Cyber Security News and GBHackers On Security). [https://archive.ph/tVDzM Archived] from the original on December 28, 2024. Retrieved on January 15, 2025.</ref>.

== Background ==

This incident occurred within a broader context of automotive data security concerns. Modern vehicles increasingly collect and transmit various types of data, including location information, driving patterns, and user identification<ref name=":1">[https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use]"Cars & Consumer Data: On Unlawful Collection & Use" written in collaboration by the Office of Technology and the Division of Privacy and Identity Protection in the Bureau of Consumer Protection. [https://web.archive.org/web/20240514181955/https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/05/cars-consumer-data-unlawful-collection-use Archived] from the original on May 14, 2024. Retrieved January 15, 2025.</ref>. The automotive industry has previously faced scrutiny regarding data collection practices, with documented instances of manufacturers collecting and sharing vehicle data with third parties.

== The Incident ==
[[File:Volkswagen.png|alt=Pie Chart showing the total cars affected including the severity of each(whether its location was exposed down to a radius of 10cm or 10km) and breakdown by brand|thumb|Pie Chart showing the total cars affected and breakdown by brand]]
The core issue stemmed from a misconfiguration in Volkswagen's AWS storage implementation, which left customer data publicly accessible without proper authentication or access restrictions<ref name=":0" />. This exposed sensitive information about vehicle locations, EV battery statistics and sensitive customer information. The incident not only breaches customer trust, but Volkswagen's own Terms of Service.

== Industry Context ==

The incident highlighted ongoing discussions about automotive data security and privacy. Similar concerns were raised during the [[2020 Massachusetts Right to Repair ballot initiative]], where major automotive manufacturers including General Motors, Ford, Nissan, Toyota, and Honda invested approximately $25 million in campaign advertising discussing data security implications.

== Regulatory Response ==

The National Highway Traffic Safety Administration (NHTSA) has previously expressed concerns about automotive data security. Following the 2020 Massachusetts Right to Repair initiative, NHTSA official Carrie Gules issued a letter addressing potential security vulnerabilities in vehicle data systems{{Citation needed|date=January 2024|reason=Letter reference needed}}.

== Broader Implications ==

This incident demonstrates the broader challenges facing the automotive industry regarding data security and privacy. It has been documented that automotive manufacturers regularly collect various types of vehicle data<ref name=":1" />, including:
* Location information
* Driving patterns
* Vehicle operation metrics
* User behavior data

Some manufacturers have established partnerships with data aggregators and insurance companies for data-sharing purposes. For example, General Motors has been documented to share driving data with LexisNexis and insurance companies, including information about:

* Vehicle location data
* Turning radius information
* Stop times
* Drive times

== See Also ==
* [[Automotive data privacy]]
* [[Right to Repair movement]]
* [[Vehicle telematics]]
* [[Connected car security]]
* [[CARIAD]]
* [[Volkswagen Group]]
* [[2020 Massachusetts Right to Repair ballot initiative]]

== References ==
<references />
''Note: This article represents an ongoing situation and may be updated as more information becomes available.''

[[Category:Data breaches]]
[[Category:Automotive industry incidents]]

[[Category:AWS security incidents]]


3. [https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027 For the link to the news source which was tipped off by a German hacktivist group]. [https://web.archive.org/web/20241227094207/https://www.spiegel.de/netzwelt/web/volkswagen-konzern-datenleck-wir-wissen-wo-dein-auto-steht-a-e12d33d0-97bc-493c-96d1-aa5892861027 Archived] from the original on December 27, 2024. Retrieved January 15, 2025.

4. [https://www.youtube.com/watch?v=Agcp37iiWLc&t=188s Youtube video with mentioned credits for more information].
[[Category:Vehicle privacy incidents]]
[[Category:Right to repair]]
[[Category:CARIAD]]
[[Category:Incidents]]