Honk if you love privacy (or hate having your location tracked)
When car dealers can Lojack your vehicle, they can also track it. And so can anyone else who can log into their system.
It's a cliche that the three secrets to success in the retail business are location, location, and location. Turns out the same applies to privacy.
There are many examples to choose from these days, but what I'm writing about today is that wild story about cars run amok in Austin, Texas. It seems that more than 100 vehicles in the city turned into Christine from that silly Steven King movie -- suddenly unable to start, or unable to stop honking.
The culprit: A disgruntled former car dealer employee who accessed a Web-enabled system that lets the dealer control cars remotely. Per Wired's Kevin Poulsen:
"Police with Austin’s High Tech Crime Unit on Wednesday arrested 20-year-old Omar Ramos-Lopez, a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots...
The dealership used a system called WebteckPlus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle."
This system is not unique to that dealer or WebteckPlus. Other remote lojacking systems can do the same thing.
Apparently Ramos-Lopez either guessed the dealer password or used a friend's to get in, whereupon he disabled the ignition systems on some cars, while causing others' car horns to go off endlessly.
This is worrisome on several levels, one of which is someone else's ability to secretly track your movements. Most of these systems have a GPS built in. Once employees at the dealership turn off your car, they need to be able to find it so they can repo it. That means the dealership can track your car whenever it wants to. So can some ex-employee with a grudge, as in this example, or even a current employee who takes a special (i.e., creepy) interest in you.
And for that matter, so can the cops or your spouse's divorce attorney, if they've got the appropriate legal papers.
I don't know if the system used by the Texas Auto Center keeps a running record of the car's movements -- a process known as "bread crumbing" -- or if so, for how long. According to the PayTeck Web site [PDF]:
"WebteckPlus will locate your customer at home 99% OF THE TIME as compared to GPS systems that require the vehicle to not be parked in a garage or building of any type."
"WebTeckPlus provides you with logs, reports, everything you need to run your business. We even make it possible to send to you an E mail with DAILY RESULTS when you are on vacation."
(I've asked PayTeck what kind of location data it can collect and how much of it can be stored; I'll update this post if and when they respond.)
Other systems can do this too. It's totally within the realm of technical possibility, and there's nothing stopping them.
Almost as troubling to me is what this says about car "ownership." Sure, when you're making car payments somebody else is holding the pink slip, just as the bank really owns your house until you pay off your mortgage. But the bank can't disable the locks so you can't get in when you miss a couple of mortgage payments. (Though I predict that day is coming.) That's a big difference.
What this means is that buying a Lojack-enabled car is much more like purchasing a software license that the dealer can disable remotely at any time. That's not a positive development, IMHO.
This is also yet another example of how a system set up for one purpose (ensuring prompt payment) can be easily subverted for other purposes, legal or otherwise. That's really the biggest problem with data collection; invariably, information collected (often benign) purpose can be used for other less benign ones. That can easily be as scary as any Steven King movie.
Update: Since this post was published, I heard from John Duffy at LoJack, who tells me I'm 100 percent correct about car dealers and GPS tracking, but 100 percent wrong about LoJack. He writes:
"LoJack is a Stolen Vehicle Recovery System, operated exclusively by Law Enforcement. With a 90% success rate, and guaranteed recovery in 24 hours, police using LoJack have recovered over 250,000 vehicles worldwide. Activation is automatice and solely controled by law enforcement, through the entry of a stolen report - for vehicles, motorcycles, construction equipment. A car dealership cannot activate or track or do anything else to a LoJack system. Only the police can."
Actually, I was using the term "LoJack" generically, like "kleenex" or "xerox" -- not referring specifically to products made by LoJack. I guess I won't be doing that any more. Apologies for the errors.
Author Dan Tynan would rather be biking. Follow him on Twitter (@tynan_on_tech) or prepare to be
appalled amused by his geek humor site, eSarcasm.