The new cranky privacy report from Mozilla on car data is a useful point-in-time analysis… unmoored from the past and lacking suggestions for what to do in the future. Give it a read and ask yourself when things will change and why.
I am reminded of my 2019 blog post about 2012 research:
I’d say the problem is so old we’re already at the solutions phase, long past the identification and criticism.
Has it been 10 years already? You’d think I’d be excited for Mozilla to be pounding their drum so OEMs would rush into my welcoming arms. Alas, I am not sure it helps.
Earlier this year I was talking with data scientists inside a huge OEM and they said things like “wish I knew earlier about the solutions available, because the project just finished with some bad privacy compromises and will be released in a couple years”.
They know privacy is broken, because they have known for a decade, yet they still don’t know what they can do instead. That’s why the Mozilla report to them is ineffective, like a drop of rain in a hailstorm.
“…according to our research, they are all bad! On top of all that, researching cars and privacy was one of the hardest undertakings we as privacy researchers have ever had.”
.
^^^ That’s the world’s smallest violin playing for Mozilla researchers showing up suddenly and saying they had a very hard time researching car data.
*shakes fist*
You kids, back in my day we walked uphill in snowstorms both ways to assess car data safety!
Here’s a fun fact: in 1999 it took me 30 seconds to install RedHat on an IBM 8-CPU Server with fiber NAS designed for Detroit OEM data analysis. I found some security flaws of course (it fell over if more than five virtual machines pushed via X to remote terminals, and it leaked metadata)… but I digress.
Let’s be honest here. The Mozilla narrative of “they are all bad” is lazy, the easiest form of research. It reinforces a deeper problem of coming up with no incentives for change. Mozilla is doing the opposite of “nudge” theory. Do they not have any economists on staff?
The report team even readily admits to using a counter-productive binary analysis for their entirely unsympathetic bashing of manufacturing. It’s easier to call everything bad for smash-and-grab headlines than to do deeper, nuanced analysis and open pathways to change.
Blurry, complex and messy things actually are hard and worth doing, so if some “news” interloper shows up to say it’s all bad… it’s easy for OEMs to sit back and say they can do nothing. “We’re bad, impossible to be good, oh well”.
Mozilla says cars capturing customer “sexual activity” data is bad, for example, with absolutely no thought about why anyone designing seat recliners and center consoles would want to look into that ever.
Good/bad leaves no venue for the process of getting better and even encourages cheats to just flip a score. I am reminded of the Tesla CEO yelling “fix this now so I won’t have to care” for everything without any real understanding of why complex interconnected things become so broken. His binary thinking led to coverups (bad flipped artificially to good) and has been getting hundreds of people killed unnecessarily.
To me there’s a huge missed opportunity for Mozilla to engage with data security experts, architects of information safety, and discuss what’s really possible for car privacy and therefore what’s next for OEMs. Let’s talk about goals for privacy change 12 months from now, 36 months…
Solutions exist.
The technology is ready.
Here’s one answer that an OEM just told me they liked, to drive out of the senseless “car data privacy sucks” headline loop while delivering data-driven consoles: solidproject.org
Try it. It’s not all bad.