November 2024 Update: JLR legal reached out to me with an update to my CCPA request. It appears they omitted a bunch of data in my original request response. The clarification confirmed that JLR IS STORING GPS LOCATION DATA every time you stop and turn off the engine. It appears that they keep this data indefinitely -- the data they had provided to me was for the life of my car. I also confirmed with them that the only way to disable the storage of location data is to opt out of InControl services, but they also said there is no way to opt out of "emergency or other legal" location tracking.
------------------------ original post -------------------
As a follow-up to a post a few months ago (locked link below), I did a CCPA privacy request of JLR to see what data they were collecting and selling on me and my car. The concern in the previous post and in the MA lawsuit was that they were collecting driving information and selling it to Insurance companies. The California Consumer Privacy Act gives residents the legal right to see all data stored on them by companies and understand how it is used or sold. I went back and forth with JLR legal a few times, but ultimately this is what I learned:
They have a lot of administrative CRM data (service records, calls, interactions, emails, marketing campaigns, etc.)
They store vast amounts of telemetry from the vehicle, including every time a door is locked, opened, engine turned on, etc.
They store large amounts of "vehicle alerts" with health and reporting from every system
They do not appear to store or maintain any location data, GPS data, or speed data
They did provide my information to third-party radio companies (assume Sirius), but not other third parties
They do share website browsing data with third party marketing companies for analytics and ad campaigns
Overall, this seems pretty reasonable to me, since the app needs vehicle state telemetry to work. It is a little creepy that they store state information indefinitely, like every time I start my engine or lock my car. Not a big deal, but it is more "digital exhaust" that could be subpoenaed in the wrong situation.
This also isn't unique to JLR. I did this as a check, based on the lawsuit article, but if I made the request to Tesla or Apple I'm sure they have 100X more data on me.
Interesting. Thank you for reporting back. They definitely sell information to Carfax, and presumably others beyond "radio" stuff, too.
How much of that is tied to the use of the app, which you mentioned, and how much is not (I've never used it). For example, all the door opening, etc. Regardless, I agree it's creepy as heck.
Their terms of service for the app do hand themselves the "right" to collect GPS data, speed data, etc., and "share" (i.e. sell) all that with others, unless you opt-out, but apparently they are not doing so. That is wise at this time since people are increasingly sensitive to that behavior.
As a follow-up to a post a few months ago (locked link below), I did a CCPA privacy request of JLR to see what data they were collecting and selling on me and my car. The concern in the previous post and in the MA lawsuit was that they were collecting driving information and selling it to Insurance companies. The California Consumer Privacy Act gives residents the legal right to see all data stored on them by companies and understand how it is used or sold. I went back and forth with JLR legal a few times, but ultimately this is what I learned:
They have a lot of administrative CRM data (service records, calls, interactions, emails, marketing campaigns, etc.)
They store vast amounts of telemetry from the vehicle, including every time a door is locked, opened, engine turned on, etc.
They store large amounts of "vehicle alerts" with health and reporting from every system
They do not appear to store or maintain any location data, GPS data, or speed data
They did provide my information to third-party radio companies (assume Sirius), but not other third parties
They do share website browsing data with third party marketing companies for analytics and ad campaigns
(data sample deleted for brevity)
This provides enough information to make you vulnerable enough.
Anyone who looks at these records at JLR is likely to also have access to your account which most likely has your address associated with the vehicle purchase (and you're very likely to still live at that address). Looking at just vehicle locked/unlocked status, it is reasonably possible to figure out your schedule, and spending a few minutes around your house around the time you're known to lock/unlock the vehicle will allow one to figure out whether you're coming or going, hence, when the house is unoccupied. The same information can be derived from correlating locked/unlocked status with battery status and odometer readings. Looking at distance to empty will allow one to figure out your trip length, hence, the amount of lead time available after the house alarm is triggered in case the alarm system is not centrally monitored (which is likely to be advertised on your front lawn). Along the same lines, this will yield the length of time the vehicle is left unattended when parked, to figure out how much time will be available to deal with it should someone decide to follow and appropriate the vehicle.
Further along, if this information leaks to your insurance company, they will be able to figure out how short or long your trips are and at what time they occur. Knowing where you live, they will have your effective driving radius, and since they already have a claims database for that neighborhood along with accident time distribution, they will be able to determine how likely you are, by their standards, to get into an accident compared to their census, and charge you accordingly, without ever telling you about their rationale.
Data science is scary.
PS: No, I don't break into houses or cars for a living, it's just a mental exercise. I'm sure the people who do that will harvest much more information from this than I just have in the amount of time it took to type this.
This provides enough information to make you vulnerable enough.
At first, while reading your post, I was thinking "yes, all true, but who would bother to do all that work?" And then I thought "Oh no, AI will be extremely efficient at that kind of task."
At first, while reading your post, I was thinking "yes, all true, but who would bother to do all that work?"
Organized crime is very profitable. Do this once in an algorithmic manner, and you have the whole JLR customer base exposed (and just remember that your account probably contains your financing information, including the amount and the name of the institution, which opens up more possibilities). And it is very easy to modify the algorithm to cover other manufacturers which likely provide the same data in a different format. And you see how often breaches started happening.
Originally Posted by Zondar
And then I thought "Oh no, AI will be extremely efficient at that kind of task."
The future will be "interesting."
Yep. 1984 turned out to be an instruction manual. And the future is already here. One word as a cold shower: AUVSI. Terminator movies? Obsolete.
On the other hand, my experience with AI is not impressive. It is like dealing with the computer equivalent of "Cletus, the slack jawed moron," computer version. I actually have venture capital in an AI venture in mining, so far it looks great on paper, yet still has issues in running water trucks. Perhaps some time in the future. As it stands, my new iPad and iPhone 16 will have Apple's newest offering. Which I will immediately rename to Cletus, seems more appropriate.
The plus side of all this, perhaps we could weed out the 40-60,000 murderers that populate the roads every year. Depends, do you want to fear every driver out there, it would be nice to relax and not personally know two or three people murdered by $hitty agro drivers. The price of freedom. Then again in flying we do monitor virtually everything and the insurance companies do get that information. I suppose we should keep all the bad secrets of airline pilots and pilots in general secret so that absolutely all the bug-eating madmen can still take over, lock out the captain and crash the Airbus into a nearby mountain. I had that conversation yesterday with an AA captain, who now will not leave the cockpit to pee, since now they need to protect the incompetent and/or crazy ones' information. Yeah, bet that makes you feel better about getting on that next Lufthansa or any flight for that matter.
Do you want your information totally private, or let your kids get run down in a crosswalk by a very important woman speeding, on a cell phone, in another hurry to get to a hair appointment (true murder). Trade offs...
On the other hand, my experience with AI is not impressive. It is like dealing with the computer equivalent of "Cletus, the slack jawed moron," computer version.
You nailed it.
I actually forbid my business partners from using any "AI", contractually. They get caught - they get evicted. AI is susceptible to making subtle mistakes, which is the worst case - they will only be caught by a highly qualified professional, but a junior will probably never notice them.
In the case I described, though, it's not going to be AI, but software engineers turned to the dark side. I initially wrote "expert software engineers", but then changed my mind, even script kiddies will do an acceptable job here, all you need is access to data sets - and they're out there for sale already. Cross-referencing them is our worst nightmare.
Originally Posted by Dogpilot
Do you want your information totally private,
Not attainable anymore.
Originally Posted by Dogpilot
Trade offs...
The eternal "security vs. convenience", and the "weakest link", a.k.a. humans.
Back to JLR - I don't think it would be realistically possible to do anything about it. Yes, you can request, but that gives them a trump card - they've just lost vehicle telemetry that they need in order to make an educated assessment, hence your vehicle is no longer under warranty. I wouldn't be surprised if this is spelled out somewhere in a very small font. Not to mention the "legitimate interest" which is a trump card to beat all trump cards; I would not be surprised if your request would be visible as satisfied to you, but ignored factually with a "do not disclose" flag set. Shame, but alas, this is today's reality.
I think the convenience of the app warrants the sending of telemetry, but I think JLR and other companies could do better in two ways: 1) they do not need to store telemetry for more than a few days, especially door open-close type data. Actually that type of "state data" they could delete almost immediately after the state changed. Stored data becomes a privacy liability. 2) They should allow anyone to easily opt out of telemetry (and the app) and only store vehicle alerts in the vehicle for the service department to download at time of service (and delete after use). -- To JLR more data is good, since they can derive vehicle/product usage data, predictive maintenance, and lots of other valuable insights, but to the consumer it could be a privacy liability waiting to be exploited.
November 2024 Update: JLR legal reached out to me with an update to my CCPA request. It appears they omitted a bunch of data in my original request response. The clarification confirmed that JLR IS STORING GPS LOCATION DATA every time you stop and turn off the engine. It appears that they keep this data indefinitely -- the data they had provided to me was for the life of my car. I also confirmed with them that the only way to disable the storage of location data is to opt out of InControl services, but they also said there is no way to opt out of "emergency or other legal" location tracking.
So, yes they are storing GPS location data. I am sure all the other car companies are too -- like our phones and other GPS networked connected devices. I understand the trade-off of using the InControl app features to see location, but (if anyone at JLR is listening) there is no consumer reason they can justify storing every parked location for eternity. At best it seems like they would only store the private location data until the next time you parked the car -- that would be a more reasonable data retention policy.
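The retention policy proposed in the two posts above (state telemetry kept only a few days, a parked location kept only until the next park), sketched as an added example; it is not JLR's code and not part of the original thread. The event names, record fields and three-day window are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical event names; the thread does not give JLR's schema.
STATE_EVENTS = {"door_lock", "door_unlock", "engine_on", "engine_off"}
PARKED = "parked_location"

@dataclass(frozen=True)
class Event:
    vin: str
    kind: str
    ts: datetime
    lat: Optional[float] = None
    lon: Optional[float] = None

def apply_retention(events, now, state_ttl=timedelta(days=3)):
    """Return the events a store would still hold under the proposed policy."""
    latest_park = {}
    for e in events:  # find the most recent parked location per vehicle
        if e.kind == PARKED and (e.vin not in latest_park or e.ts > latest_park[e.vin].ts):
            latest_park[e.vin] = e
    kept = []
    for e in events:
        if e.kind == PARKED:
            if latest_park[e.vin] is e:      # superseded locations are dropped
                kept.append(e)
        elif e.kind in STATE_EVENTS:
            if now - e.ts <= state_ttl:      # lock/engine state expires after the TTL
                kept.append(e)
        else:
            kept.append(e)                   # e.g. vehicle alerts: outside this policy
    return kept

# Constructed sample records (not real data).
NOW = datetime(2024, 11, 30, 12, 0)
SAMPLE = [
    Event("VIN-A", PARKED, NOW - timedelta(days=400), 34.0, -118.0),
    Event("VIN-A", "door_lock", NOW - timedelta(days=400)),
    Event("VIN-A", PARKED, NOW - timedelta(days=1), 34.1, -118.2),
    Event("VIN-A", "door_lock", NOW - timedelta(days=1)),
    Event("VIN-A", "vehicle_alert", NOW - timedelta(days=200)),
    Event("VIN-B", PARKED, NOW - timedelta(days=90), 37.7, -122.4),
]

if __name__ == "__main__":
    for e in apply_retention(SAMPLE, NOW):
        print(e.vin, e.kind, e.ts.date())
```
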
Ugh! I had relaxed on this issue due to your earlier post, and now this!
If you live in California, as I believe you do, don't you have the right to demand that they delete this data and stop collecting it? Or are they claiming that this "emergency and other legal" BS is a loophole that allows them to continue collection and storage forever, regardless?
An important question: You don't say exactly, but do they collect and store GPS data under their "emergency and other legal" loophole even if you don't use their InControl app? I suppose they do.
I guess I really do have to try disconnecting the telematics antenna.