Hacker News
iVe – Infotainment and Vehicle System Forensics (berla.co)
47 points by tlack on Sept 5, 2015 | 24 comments


What I don't understand is what is the benefit for the user of having their GPS location logged. I can understand that the GPS may keep in RAM the last minutes of location but not the whole history.


When I returned home from a long trip with the family, Google Location History was invaluable in helping me find which tolls I had to pay. Seeing where I'd travelled, I could see which of a couple of toll roads I'd taken off I-5.


It could be useful to exonerate in an investigation by proving your location.


Or be used against you in a nasty divorce case.

In any case, people buy a car, not a tracker. I find it extraordinary that manufacturers feel compelled to add features like that.


Just tell me how much it costs.

The "Request Quote" thing is bullshit. I'm not willing to provide you that information just to learn about pricing.


If you have to ask, you can't afford it.

In all seriousness, it's often because the price demanded will vary based on what the vendor thinks you can afford, no joke: https://blog.codinghorror.com/oh-you-wanted-awesome-edition/


It's pretty common for anything expensive and niche like this, especially when the target market is government agencies...


I think that I will create a startup for self destructing electronics. Or custom car software to make full replacement of current electronics.


From what we've seen of car software (e.g. Toyota accelerator control), it wouldn't surprise me if the electronics system is tightly coupled to both critical functions and specific hardware.

Looking forward, my hope is that electric/self-driving cars will be more like modern PCs or those heavy-duty e-juice vaporizers that people have today: composed of well-understood parts that connect in compatible ways.


Do car manufacturers provide a privacy policy, or a means to opt-out of data storage? Seems like we're heading in the direction that they should, if they don't already.

(Or maybe it's buried in some document you sign when buying the car.)


Here's something I'm pondering: is this product unethical?


Is it, in itself, unethical? No.

Will it be used in so many unethical ways to harass people for any coincidental info, that'll overshadow whatever benefit it was supposed to provide? You bet.[1]

Will someone find an exploit to disable and/or abuse it? Yup

Will the car companies then go file DMCAs, lawsuits or whatever at the hacker who tries to present her PoC code at DEFCON? Yes

1. https://www.washingtonpost.com/news/the-watch/wp/2015/08/04/...


Why would it be? The OBD-II port is inside the car, and police would presumably not be able to use it without a legitimate reason to search the car. I could see vehicle data being an invaluable tool in determining fault in car accidents or even providing the necessary clues to someone's life to figure out who murdered them.

Since it's offline and in person, it doesn't lend itself to anomaly detection or other scary mass surveillance scenarios. But it would be irresponsible for a criminal investigator not to gather all available evidence. I want police to stop trawling for possible lawbreakers, harassing people for driving while black, etc. and give investigations of actual crimes the resources they need. This tool empowers investigators. This is what real police work looks like.


It is a legitimate concern. There is all sorts of related stuff going on in the periphery, and has been for years. FasTrak (toll pass) records have been used by divorce attorneys and whatnot for the past decade or so. Many Bay Area cities operate license plate cameras to monitor all comers and goers. I would not be surprised if other agencies started utilizing this information. More and more we will see OnStar-like integrated systems come standard (featuring remote start/stop). "Black boxes" (event loggers) are already becoming mandatory in new cars. Much of this diagnostic data can be offloaded wirelessly.

Have you seen the demos of Jeep, Ford, Toyota, or Chrysler vehicles being "hacked"? The attackers were able to access the CANBUS (or whatever the particular OBD-II spec in use) over the internet.

This is absolutely a concern for mass surveillance. If you want to get really paranoid, think about what could happen during disasters or protests. You may see your car cease to operate altogether.

But just to respond to the original question... As you mentioned this device requires physical access so it is not particularly alarming. Definitely a concern for future iterations though. Presumably those would not be publicized.


I think it's important that we recognise the distinction between targeted surveillance and mass surveillance. Within a legal framework that recognises the right to privacy as the default, surveillance is a necessary law enforcement tool. This kind of device is aimed at that kind of surveillance.

I think a lot of people tar all means of investigating crime with the same "surveillance bad" feather, and they're espousing a pretty extreme anarchist viewpoint that they don't really hold.


>Solving Tomorrow's Challenges, Today

That is a comically bad motto. It's like something you'd hear from a villainous corporation in an 80's cyberpunk film.


What it really says is we have a product waiting for a market.

Perhaps the market is so limited (police forensic teams) that it does not matter to them they cannot say something in their market's own words. Or perhaps they have not sold enough or listened to the sales to hear the words their customers use.

Either way, yeah, anything is better than that.

OCP - building Detroit's future


I would hope this kind of search would require a warrant? Although crossing a border all bets are off.


Time to buy that physical lock for your OBDII port on your car.

http://amzn.to/1in9i6Q


That tool seems to analyze flash dumps (e.g. created through JTAG debugging). You need to have very special hardware to get that data. Normal CAN/OBD2 connection won't help in most cases, and the data they mention isn't available through official diagnostics interfaces in most cases.


Or just go RoboCop's Magnavolt and hook up the battery plus terminals a transformer to 600v in a fake one where the original is supposed to be.

https://www.youtube.com/watch?v=w39o6eSI06Y


Ha, didn't realize that product existed. I think it's a bit silly, though, since anyone who really wants your data (e.g. law enforcement after an accident) will just remove the ECU itself.


Just what we need, more meta-data analysis :\


Copyright 2014 on their website doesn't inspire confidence.



