31c3-talk-6265 Latest text of pad 31c3-talk-6265 Saved Jan 13, 2021

 
 
 
So thank you very much. That so many people. Ladies and gentlemen, I'd like to listen to our talk about the automobile as massive data gathering source and the consequences for individual privacy. We this are go honey and Jimmy Schulz, the president of the Association for Net Politics.

Yeah, well, how often do you sign privacy terms on the Internet? If you sign up to a new service or buy something on the Internet, you always have to acknowledge and accept privacy terms. But did you ever do that driving a car, renting a car, using car sharing models? I've never heard of that. But there is always a lot of data gathered in a car. The CEO of VW, Mr. Winterkorn, said: your car's data are mine. So what the hell is your car's data, what is he talking about, and who controls the data of which he is saying this data is mine? This was the starting point for us to think a little bit more about this issue. And we will show you a few slides today where we want to have a short look into the control systems and interfaces of your car, and where we will present you some stakeholders around the car. Then: do we have, again, a data retention issue? And last but not least, is there any hope? Yeah. Is there any help?

OK, first of all, your car does have a data interface. Most of the modern cars built after 2000 to have an OBD-II interface where you can read data collected by your car. The technical units and standards are the ECU, the Engine Control Unit; the OBD-II on-board diagnostics standard; the CAN bus, the Controller Area Network; and, for example, onboard navigation. All data being measurable by sensors and actuators in reality; length and structure and, for example, thresholds depending on the size of the memory of the car. Simple data is, for example, the speed, fuel level, GPS coordinates, acceleration and RPM, the rounds per minute of the motor, of the engine. But deduced data could be, for example, fuel consumption, the average pace and, for example, if you have connected it to a navigation system, speeding, because the navigation system knows where you are. Now, if you are within city limits and you drive more than, for example in Germany, 50 kilometers an hour, of course you are speeding. And most and most of the roads have a data which can be collected in a car, for example the information, if you have an eCall system, which will be implemented in the next couple of years in new cars, dash cams, parking cams and others. And there's no ownership of the data. Who owns that data? There might be ownership by database structures, but it's not regulated who owns the data yet.

There might be attacks on that data. For example, you can connect to the OBD-II interface by cable connection; for example, your garage will do so. The Automobile Association will do so. If I helped, you would connect via cable to your interface to the car and read out the car information and data. You can do that only if you have physical access to the interior of the car. But there are other interfaces which can be connected to the OBD-II interface, which are wireless, for example Wi-Fi or Bluetooth, and which can be easily accessed by everyone being in the surrounding of your car. I do have, for example, an OBD-II interface in my car which is not encrypted, because it doesn't offer any encryption. So everyone within the range of a couple of meters of my car can read the complete data of my car, which is easy to hack, of course.

So let us have a look at which are the stakeholders of your car. This is an incomplete example, and this example is even not complete because we have no trucks in it. We have no farming machines. All these systems are gathering data and sending data about you. Let's take the first example. We have issues of ownership and driver. When you are in the family, or you are one person, then it might be easy. You might be the owner of the car and you might be the driver of the car. And then you have the full control. But even if you give your car to your partner who's driving with the car, who has to get the information about the last ride done by the car? So there could be some discrepancies. Could be interesting. OK, if you have a smartphone, we know we can also find where you were and where you are. But even with the car, this is possible.

Now the next interest is here. The next stakeholder who is interested in the car is the leasing company. Most company cars are leased, and a lot of private cars are leased. If you are driving to a car dealer with your private car and you want to lease a new car and you prefer a full service leasing, and you are coming to the dealer with loud machine, loud engine zuway home, then you might know the price you have to pay for the leasing rate will increase, because the way how you drive has a deep impact on the costs for the car and the costs of the maintenance and so on. Therefore, the lease company is very interested in how you are driving the car.

The next stakeholder could be the government; that could be the governmental stakeholder. For example, if you use your private car for some business trips and you want to get some kickbacks right back, you have to plot and to write down in a small booklet where you were, how long you stayed there, what are the kilometers and so on. This could also be done by the car, and the Tax Office is interested in it, and it is especially interested in that this is done automatically. Next one: it's a German specialty that some part of the wages are paid by a business car, which you can use for private reasons also. So therefore you have the same issue with tax office and private usage as before. Private usage is plotted, it's not plotted to data; the data for the business use is plotted. Or there are other services done with the car, for example fleet cars. If you are a technician and you have to drive to a customer and you have no own car, you take a fleet car out of a pool of cars. And if you are, for example, somebody of an airline who has to travel home, they also have fleet cars, which can be used frequently, with some mixture between a car sharing and a rental car.

Then there are other stakeholders, car sharing and car rental. Several years ago, there was a message in a German newspaper about a car rental company in the US which asked the driver for special payments because he was too fast, because he had signed a document that he has to keep the speed limit. And in Germany, there was some news about this in the newspapers. Car sharing: if you have a car to go and so on, the cars have to be picked up at the end and to be transported to a place where they could be rented again or where you can find them. So the car will give the information about the place where the car is at the moment and also the level of the fuel in the car.

Then we have the assistance systems, brand garages; I would take these points later on. But we also have the police. For example, you have an accident. Will your car be a witness against you, saying to the police and your counterpart in the accident, maybe, that you were too fast? Or do you have a chance to say, no, I'm not accepting that my car gives the data to the police? Or if we think about the eCall: which data are sent to the control center? OK, it's clear that there's a minimal data set. There is positioning information, and also a call would try to build up, to check whether there are people injured or whether it was only a small accident or something else. But the control center could be interested to estimate the damage. The hospital could also be interested. Maybe by the sensors of the protection systems, they are knowing whether this seat, whether it has somebody on the seat or not, and then you have maybe an accident where you can see that the car was badly broken and four places were seated; then it's an information for the hospital. So they could be interested. Last but not least, with the data the police is collecting, the court, the lawyer, or even the lawyer of your partner in the accident could be interested in what the real accident was.

We have the situation, if you are talking about witnesses, you know, that even if you were in an accident, five minutes later you see the accident in a different way than 10 hours later, than one week later and so on. And this is not because you want to shift or to change the past, but it's because you remember in a different way. And therefore people think that the data in the car are more correct than you are, and they trust more in the data of the car, whether that's true or not. Then we have surveyors, which want to check, when there was an accident, whether something was before, whether this damage is really the damage of this accident and not of the accident before. And last but not least, the insurance company, which wants to adjust the claims of an accident, for example. On the other hand, insurance companies are also interested in accidents not happening too often. And therefore they are interested in that people are driving in the way that they are not creating risks. So therefore they are offering now systems where you have to pay less if you drive in the less risky way. You know, there is a stick you can put on the bus of a firm, I think, generally. And the way of your driving is analyzed then, and the insurance is then less. OK, then let's come to the next slide.

Yeah. Well, insurance companies are of course interested in the state mileage, for example, to evaluate the price of your insurance. But other stakeholders: we already mentioned the CEO of Volkswagen, Mr. Winterkorn, and he earlier this year said, we don't accept that the data of our customers trickle somewhere else. And he also said this data belongs to us, as you already heard. So the VDA, the German Association of Automobile Manufacturers, released some principles a month ago about how to deal with this data. They differentiate between car related data, for example mileage, which is important, of course, for maintenance reasons and technical reasons; person related data, for example address, which should be under the control of the driver, for example the usage and the gas usage; and the third is assistance and infotainment data, which must be erasable, because, well, who is interested in what music you heard? The car manufacturers are not. So these are the principles and the differentiation about the three kinds of data which is collected in our car.

OK. So we were thinking: there is one stakeholder saying the data is mine, and there are other stakeholders, as we have presented before. And we said, OK, let's have a try and let's ask them what they think about to whom the data belongs. We have requested forty one companies and stakeholders, also associations. And as you see, after the second time we asked, we've got a feedback of seventeen. They have answered. OK, if I would ask you as private people, I'd have a feedback, let me say, of two, three, four percent. These organizations normally have CRM systems and so on; therefore the feedback is not really high. And when I'm looking at the answers, at the end we had seven answers where there was some content in it. Some answers were often in the way that they said, for example an insurance company, we are thinking about it and we will communicate our ideas on our own. Others are saying, oh, the questions are going too deep into our company policy, and therefore we will not tell you something. This was a car rental company having been paid more than 50000 euro in 2012 by plotting high value car sales. And from other companies there was no answer. No on an email. Not answering is also a statement, isn't it? And some were writing: This is not a discussion. We are not quite sure. And so on.

There are only a few answering more precisely. From the few which were answering more precisely, the one is the assistance and automobile associations. A little bit to show what is the business: if you drive with a car and the car is breaking down when you are driving somewhere, you have to issue a challenge. And normally, therefore, you are a member of AT&T, I am in fall or other road systems companies. And what are these companies doing? They try to mobilize you, so that you can travel again; the optimal solution is that you can drive again with your own car. So what are they doing? They are doing small repairs on the road. Or if this is not possible, they are transporting your car to the garage or to a garage. And sometimes, if the repair is too big, then they are offering you a replacement vehicle. In the past, it was easy. You could put on the new wheel. You could change some parts of the engine. But now you need something more. You need car related data from the engine. You need maybe the main functions of the systems. You have to change something. You need data on how to change some parameters in the engine. And you have to have the right to access this data, to change this data. And therefore, they are asking the car manufacturers for open interfaces explicitly. If they are not getting those interfaces, then they are coming and they say, OK, this is a Ford. This is a BMW. This is the time that this is the VW. We have no access rights. We can offer you a replacement car and we bring your car to the garage. And this is not a nice business; it is a little bit expensive. Therefore, the assistance and automobile association companies are asking for open interfaces. Maybe it's not so difficult or so bad, because mobility warranties from some car suppliers are managed by assistance companies together with car rental companies. But sometimes it could be more heavy. It's not in business for Eterno.

So this was one business type, and the other that answered was garages and car dealers. What is the business of a garage and car dealer? The business is to repair cars, to maintain cars and to manage the warranties. Therefore the activities are the same. And what do they need? They need car related data, they need the malfunctions. They need also some personal data, for example whether your warranty is still valid and so on, or whether your warranty is covering the mileage and so on, and they need also the access rights to change the data. And there are two groups of car dealers and garages: one is linked to the brands and the others are not linked to the brands. If they don't get an interoperable, standardized, secure and open access platform, the garages not related to the car manufacturers have a problem in doing their business. In the past, it was also not every time very easy. For example, when I was young, I was driving of the new Antonino. I had a problem with the brackets, and for the brackets you need special parts to handle this, and for these special parts there is an industry delivering all garages this part. But this is quite a little bit different if you have only electronic. A special part, let me say it, and those words. Or for another example, if there is no electricity in your car, you have to restart the security environment in your car, and you need some data belonging to the key environment. Which garage can get key data of VW, of your Audi, or maybe of your Daimler? Is every country in Europe or in the world at the same level to get those data? That's a question.

OK. So after hearing that: are we facing a new dawn of data retention within the car? We have to answer a couple of questions. What data is stored? Car related data, for example mileage, malfunctions, speed, etc.; person related data, location, times and dates; and even more personal data, for example your phone calls, if you connect your phone or have a built-in cell phone in the car, the address book, if you sync it with your smartphone, for example, and the music titles you listen to. Have you ever rented a car, a modern car, and just looked into the board computer? OK, you know from the navigation system which destinations the user before you drove to. That's one thing. But most of the people use, for example in rental cars or in car sharing cars, the built-in phone and sync their phone books. You see who they called. You see the addresses, if they haven't erased the data afterwards.

And who else has access to the data? For example, another user of your car or of a rental car. Unless you control the data, everyone has access who has access to the car, to your car you used. Your garage has access to the data, the car manufacturer, the Automobile Association, if I help you, mobile devices and all apps you carry around with you, and especially specific car apps. For example, many offers a special app for iPhone. They can control all the data within the car and exchange and sync data. If you don't erase it on the car, who has access to that car, and who has access to the data that is gathered by your smartphone? The manufacturer, Google, Microsoft, Apple.

And another interesting question is: where is the data stored? In the car, with unknown duration and structure. And there is a tendency, because memory gets cheaper and cheaper and more services for better problem solving are coming to the market, that more and precise data for longer duration is stored within your car. The computer centers of your car manufacturer store car related data, service related data and person related data, and also here there is the tendency to use cloud services, always-on services and more services covering the car lifecycle. And also the same here: more and more precise data and longer duration of storage. Your garage, the little store: car related data, service related data and person related data, and here too the tendency to use cloud services, always-on services and more services covering driver lifecycle, driving lifecycles, and more precise data and longer duration of storage of the data. And fourth, the computer centers of the companies like Google, Microsoft, Apple, by using your smartphone connected to your car. And here is the tendency to have a big data relation. And that's even more worrying, that they collect these data, more precise data, and use that to relate those collected data.

But nothing is without awareness, and you are showing me that the awareness is coming up. It's really important for us to discuss what is happening there and what has to be done, also from the political point of view. Awareness is one point which is very important, and it shows in that the room is more than overcrowded. There is a lot of awareness here in the room, but we have to get it outside. What we think is also very important is that all the interfaces your car uses are open standards and interfaces, so you are able to control which data will get out of your car and you also have access to the data yourself. You are in control of the interfaces, and therefore they have to be open. And the other thing is, we think that a car is something like a part of your home, and therefore all data should be encrypted starting in the car, and you should have the key for opening the data to somebody else or to keep it closed. Another important thing is transparency. You should know where the data is stored, what data is stored, how long it's stored and who has access to it. And even more important is that you shouldn't gather this information, transparency information, from all the different sources. There should be one single point of information where you can look up what is happening to my data from my car. And last but not least, we need a privacy declaration in simple speech, so that everybody who's able to drive a car is also able to understand what she or he is signing. Well, something we should have in other places, too. OK, thank you very much. Thanks. We hope you had fun.

Thank you very much. Before we take 10 minutes of Q&A, there is a small crowd management issue here for the Q&A. May I ask you to leave the room through this entrance down here? Not up there, because other people are waiting already. So please leave through this door. You're not through this door. And before starting, the first ones to leave, please, are all the people sitting in the aisles. And remember, we will have ten minutes of Q&A. So those of you who are interested, just stay here and line up behind the microphones. Oh, but now we let the people leave who perhaps need to go for the next course, just a two minute break. Thank you. So. It's fighting to free Lutzes. Thank you very much for your patience. The people who are leaving now are on the way to the next talk, and we have 10 minutes of Q&A; just give them two or three minutes. That's. If anything, it was. But this interview by Deloitte. I'm a sophomore at Zynga is open microphone kind of. Yeah, I get your team. We are showing him how much happier he gets this. Should we start with some questions from the left while people are leaving the room? Could the door angels please tell the people waiting outside that we will be having maximum 10 minutes of Q&A and then the entrance starts? I know, I know, I know the schedule is a little bit flexible. It is. And may I ask the people lining up for Q&A: ask a short question and expect short answers. We have only a maximum, an absolute maximum, of 10 minutes, OK? OK, let's start, question one, OK?

Is it on the line? OK, I've got two brief questions.

First one, to speak up loud and eat the microphone. Eat the microphone.

OK, the first one is: as far as I know, the whole functionality of OBD-II is only available via wired connection. How good is the functionality of a Bluetooth or Wi-Fi connection? And secondly, how easy, or is it possible, with standard OBD diagnostic tools for a service technician to manipulate these data in the car? Thank you.

Hmm. OK, the interface for OBD-II can be wired, or can be wireless, Wi-Fi or Bluetooth. Of course service technicians must be able to alter the data in the car, for example to erase error codes after having repaired the car. So of course you have to be able to alter the data. And of course, you might have heard that round about 30 percent of all used cars sold in Europe do not have the exact mileage they, well, really have. So, of course, there are means to alter the data.

A question to you, question this on, for example, electric cars and the Nissan Leaf. They do ask you whether you want to send data to their son. However, if you don't accept it, it will not go to Navigator. I think it still sends the point of where you are, where you are parking the car, because the Nissan system is sending email if you have unlocked the car. The other thing is that many Nissan Leaf owners are using a little Bluetooth OBD reader, mostly because they're using an application called Leaf Spy, which is logging all the data, locations and whatever. So a pretty good idea that you can get just about anything out of those cars which have this Naldo OBD reader plugged in when the owner leaves, leaves the car parked.

Well, that was the question.

I'm just curious. I'm just curious. Have you looked at the Nissan Leaf on all this new accounts? Because they actually are quite verbose, especially the look like this law. I think that's a pretty open.

Now, can we have the next and last question. I know, one more, and then we have to stop, solely in order not to completely sabotage our schedule.

OK, short question: with regard to the organization LOAD, is there any kind of collaboration with automotive makers, OEMs, suppliers and so on?

If we are connected with any car manufacturers in any way? No, we're not a political organization. NGO is not an interest or not even that there is an interest making liberal Internet politics. That's the motivation. We have the.

OK, thank you very, very much.