A couple weeks ago Irma ravaged the Caribbean and Florida. My heart goes to all who suffered loss and damage. An article in the New York Times caught my eyes. Tesla boosts car battery power during Irma, raising questions of control. It’s a smart move and I do hope it helped many Tesla owners to get safe in time. The question is not there.
The first criticism in the article is related to the fact the full power of the batteries is not released in normal operations. Well, if I understand it correctly the car comes in two models, one with normal and one with extended range. To facilitate production, both actually contain the same hardware, but a software switch differentiates both cars. And there is a financial value to the extended range, so to unlock it in normal situations, you have to pay extra. It looks like some people discover this approach. I can tell you it exists since years. I remember hard disks that changed size by cutting a bypass on the printed circuit and this was more than 20 years ago. Today such bypass are done in software rather than hardware, that’s the only difference. We all know that car companies have several horse powers for motors with the same cylinder size. The difference is the e-prom. It’s really a question of optimizing manufacturing costs. So, frankly, the fact Tesla approaches its car options through the use of software configurations is a non-issue for me.
The second criticism in the article is related to remote control, but we have many devices that can be and are remotely controlled. Company mobile phones that can be whipped out from a distance. As for many of us, our mobile phone contain our life and our life lines, this can be extremely damaging. Portable healthcare devices, connected cars (of which Tesla is an example), even heating systems, all have remote access capabilities facilitating maintenance and other required interventions. Do we want that to happen or not? Well, when we purchase the device we often get to sign a form to allow this form of intervention. So, later-on pretending not to accept un-authorized interactions is actually incorrect. We just may have forgotten to read the fine print. My car for example calls the emergency services when my airbag goes off. Frankly, I’m quite happy about that, because I’m not sure in what state I could be after a crash and I may not have the possibility to call myself. The question is, what other information is my car transmitting to the brand owner during the life of the vehicle? They know exactly where I am at any moment in time, so how can I keep some level of privacy? Do I trust a car company to ensure my privacy?
There are two elements here. The first one is related to the level of privacy I expect to have, the second one is about the trust I can place in my suppliers to handle that privacy.
Privacy, GDPR and security breaches
Actually, do we still have any privacy? I believe we need to ask ourselves the question. An interactions on our smartphone, a drive on our car, a check-in for a flight, a posting on FaceBook, they all generate traces of our lives. And at the contrary of what you might think, they are not forgotten. Do you think about that when posting on FaceBook?
This is where privacy comes in. What can the companies recording your information do with it and what is their responsibility in case that data is leaked? As Wikipedia states, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU), and try address these issues. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes effect, it will replace the data protection directive (officially Directive 95/46/EC) of 1995. The regulation was adopted on 27 April 2016. It becomes enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU. Furthermore the Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.
According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. The legislation also contains a right to erasure, which allows the subject of the data to request the erasure of personal data related to them on any one of a number of grounds. The requestor will have to justify why he request this. But what about newer types of data such as the location of your car, gathered through the use of sensors and other techniques? Nothing seems to be planned for that type of data.
Tesla knows where you are.
According to USA Today “The company confirmed Sunday that it temporarily increased the battery power of its luxury electric cars in the Southeast to allow motorists to travel farther as hundreds of thousands of people evacuated areas most vulnerable to the hurricane.” This seems to indicate that Tesla knows where you are at any given moment in time. Drivers have probably given their consent by signing a whole stack of papers when receiving the car. We all read the fine print so we are perfectly aware of all data the company collects and what it does with it. This is not a problem for me as long as the data is only used for actions that are directly related to my car. I am not interested by having that data used to guess my living patterns and proposing me non related services that I might be interested in.
There is no such thing as a free lunch
And I’m sure Tesla does not resell or share that data with any other organization. It doesn’t need it as it makes its money by selling you cars at a premium price. However many services on the internet and on mobile devices are provided for free. If you put OpenSource aside for a minute, nothing comes for free. The Google’s of this world need to get money to run their computer environments and to develop the software they provide. Your data is their source of income. Mining your data, understanding your patterns, monitoring your behaviors help them sell your profile to advertisers without you actually knowing it. Because that is where the issue comes. You don’t know what they do with your data. You have no understanding of how this works. It’s all black magic so you cannot ask yourself if you are willing to be a subject of that financial exchange and if you are ready to receive the service that results from it.
You get to know the initial free service, but nobody tells you what the implications are of consuming that service. You might be interested in reading the Google Privacy & Terms page as an example. It’s very interesting they go in great depth explaining to you that they collect all the information to improve their service to you. They do not speak about what they do with that information in the advertisement area. Having reviewed my whole profile a minute ago, I can tell you they have a pretty accurate view of my interests, which is worth gold in the advertisement world.
Let’s protect the little privacy left.
Let’s protect the little privacy we still have. As there is nothing that comes free these days, take the time to think through what you share. Make sure you understand what happens with the data that is collected about you, in other words, read the fine print. GPDR requires active consent, this will be your moment to put things back in perspective. Don’t forget.