OnStar is a subsidiary of General Motors, which is still partly owned by the U.S. and Canadian governments after receiving billions in bailouts.
Among the many changes, OnStar said it would share the data it collects with marketers, police, public safety authorities, foreign governments in countries where it stores data, and others — even after users cancel their subscriptions. The information the company gathers includes everything from the location and speed of a car to seat belt usage and phone records.
“We may use the information we collect about you and your Vehicle to improve the quality of our Service and offerings and may share the information we collect with law enforcement or other public safety officials, credit card processors and/or third parties we contract with who conduct joint marketing initiatives with OnStar,” the update said. “Unless the Data Connection to your Vehicle is deactivated, data about your Vehicle will continue to be collected even if you do not have a Plan.”
One of the first experts to draw attention to the policy changes was Jonathan Zdziarski, senior forensic scientist at Via Forensics, who promptly canceled his OnStar subscription and blasted the new terms and conditions. He noted on his blog that the updates were “very unsettling” and “too shady.”
Making matters worse, claims that OnStar would normally make the GPS data anonymous before selling it are hard to swallow. “It’s impossible,” Zdziarski said. “If your vehicle is consistently parked at your home, driving down your driveway, or taking a left or right turn onto your street every single day, it’s pretty obvious that this is where you live!”
The potential for abuse is huge, he noted. OnStar could, for example, provide information on speeders or seat-belt usage to the police. Or insurance companies could use the data to monitor their customers and raise their rates.
“Shame on you, OnStar, for even giving yourselves the right to do this,” wrote Zdziarski. “Even more insulting, it was difficult to ensure the data connection was shut down after canceling,” he noted, saying the company repeatedly ignored his request to shut down the connection.
OnStar and other “large abusive data warehousing companies desperately need to be investigated,” he concluded. “When will our congress pass legislation that stops the American people’s privacy from being raped by large data warehousing interests?”
After Zdziarski’s blog post, news of the privacy changes exploded into the headlines across America. And countless other customers were apparently furious, too.
Two top U.S. lawmakers even got involved. Sen. Al Franken (D-Minnesota) and Sen. Christopher Coons (D-Delaware) sent a letter to the company saying, among other things, that the policy highlighted the need for new consumer-privacy legislation.
"OnStar's actions appear to violate basic principles of privacy and fairness for OnStar's approximately six million customers — especially for those customers who have already ended their relationships with your company," the letter stated. Both of the senators sponsored a bill earlier this year that would require informed consent before companies could collect and share consumer information.
"OnStar is telling its current and former customers that it can track their location anywhere, anytime — even if they cancel their subscriptions — and then give or sell that information to anyone as long as OnStar deems it safe to do so," the lawmakers complained in the letter. The company told Bloomberg News it would respond to the congressional inquiry directly.
And it isn’t just lawmakers and forensic scientists who are upset. Numerous analysts have warned about the implications of the company’s new approach as well.
“OnStar must be very careful how they handle this issue of the changes in policy and to whom and how they provide the acquired data or they may be adding fuel to the user privacy concerns fire,” noted Technorati's Cesar Ortiz, an information security expert.
From the New York Times’ “Wheels” section and various auto-related publications to Discovery News and Wired, many other media outlets also highlighted the concerns. Even financial publications picked up the news.
Various OnStar spokesmen were quoted in the press trying to downplay the seriousness of the policy changes. But after the wave of bad publicity and criticism continued to grow, the company eventually released an official statement. “Our guiding practices regarding sharing our subscribers’ personal information have not changed,” said Vice President of Subscriber Services Joanne Finnorn. “We apologize for creating any confusion about our Terms and Conditions.... As always, we are listening to our subscribers’ feedback and we will continue to be open to their suggestions and concerns.”
Critics, however, are still upset. And nothing really changed despite the furor. Meanwhile, Ford — which did not receive a government bailout, but did benefit from a Federal Reserve lending program — announced last week that it was adding new features to its Sync system, including the ability to reach a live operator for help, which has traditionally been one of OnStar’s big selling points.
The new OnStar privacy policies will not be in effect until December. But because shutting down the two-way connection between OnStar and vehicles equipped with the technology takes several weeks, commentators suggested that users concerned about their privacy should start the process soon.
This article was revised to take into account the fact that Ford — though not a participant in the federal government's bailout of GM and Chrysler — did benefit from the Federal Reserve's "Commercial Paper Funding Facility."