You’ve bought your lovely used car, did you even think about who has access to all the data and the online controls for it, did you even know these features existed?
I recently decided to buy myself a used car, the car has had a couple of previous owners. The last owner traded it in with the dealer against their next car, the dealer obviously had plenty of stock so they decided, as is very often the case, to put the car into the independent dealer market. So far so good, happens all the time and actually the significant proportion of used cars go through independent dealers.
Many of the current generation of cars have a host of online ‘connected’ features, Apps that allow you to interact with the vehicle even when you’re nowhere near it, mine has the ability for you to remotely control the climate systems, to call breakdown services, to upload GPS / destination details and much more, it also keeps a record of much of this information and stores it all against your on line account
Did you know that your car is connected to an on line account? I’m betting the majority of people have no idea about these features, don’t use them and wouldn’t even think that all of this data can be connected and collected.
I’m a bit of a geek so I decided that I would download the Apps to my phone and start to experiment…
After downloading the ‘InControl’ and ‘Remote’ Apps the first thing you have to do is setup your online account and use the last 8 digits of the VIN number to link your vehicle to your account, and this is where my problems started.
When trying to link the vehicle to my account the web site informed me that the vehicle was currently linked to another users account, that’s it, no help no assistance, just an error message. I decided to contact the local dealer as I wanted to get the car serviced anyway so thought I’d get this sorted out at the same time. Service done, the dealer also informed me that they’d changed the ownership online so that I can see the service history using my online account, great so now I’ll get playing with the Apps.
Back to my account, enter the last 8 digits of the VIN number…“This vehicle is currently registered to another user”
I phoned the manufacturer who asked me to send them a scan of the V5, 7 days later and no response and still not able to connect the vehicle to my account, I contacted their ‘Experience Centre’ and got the reply to take it to the dealer who can sort it out for me. Phoned the dealer and couldn’t speak to anyone in the service department, emailed them and got no reply, emailed them again and this reply staggered me…
Dear Mr Watts
We are not in a position to remove owner without their permission, previous owners would normally disconnect before they sell the car or if we took in part-ex we would have their written authority to remove from system.
I would suggest you contact previous owner and ask them to disconnect their car from the system (this can be done by them on their App), when this is carried out we would be happy to connect you with proof of ownership.
Kind regards
Seriously read that a few times and let it sink in. We are not in a position to remove the owner without their permission I am the owner, I have a receipt for the purchase, I have a V5 with my name on it, I took all of this to the dealer when I tried to sort this out and apparently it’s not sufficient.
Contact the previous owner ??? The process to get the manufacturer to update the online details for the vehicle is for me to try and find the previous owner and get them to do it for me.
Okay okay you’re probably thinking ‘first world problems’ right? but, the previous owner of my car has control over it, they can unlock it, they can remotely set the Climate Control without me knowing about it, even when the car isn’t running, they potentially can even look at the Sat Nav system, they can also call break down services to the vehicle and all of this without me knowing anything about it.
Someone else has access to a significant amount of data about myself and my vehicle and there appears to be nothing that the manufacturer is prepared to do about it.
Many of the cars that are sold today have these features, they are collecting vast quantities of data about the vehicle during it’s lifetime and therefore your behaviour, location, destinations, and the vast majority of these cars go through the Independent dealer market.
User data and information should be the very first consideration in developing new systems and capabilities, not an afterthought. In my case I feel this is a blatant disregard of my Data Protection rights and shows that this manufacturer in particular, in their race to develop new and sophisticated systems and on line tools have completely disregarded privacy and the approach to how an owner or future owner can manage their data.
So if you’ve bought a 2nd hand ‘connected’ vehicle recently, did you know your car has these features, do you know who your car is currently registered to and what information and control they have, have you even thought about it?
Love to hear your thoughts on this
Company car scheme Matt…. 😉
Then it just becomes the next owners problem, I guess it shows that many companies simply haven’t thought through the implications of this for the life of the vehicle
Hi Matt,
Good topic that you brought concerning our connected world and our connected cars. I had also some intelligent connected cars and yes it is great to play with all the settings in your smartphone or tablet. I remember when I left the country for a business trip, I wasn’t sure that I closed the doors… so the moment I landed, got connected and just close the doors by distance. Gives you a good feeling!
On the other hand, what you just described, for me it’s part of an existing guarantee that you have on buying a second car. If you are not able to handle the apps because another user still have access to it and did nit unregistered, you ask the garage to take the car back. Simple as that, because they sold it as an intelligent connected car, but you are not able to use those features.
I must say also honestly, before I could use my apps of the car it toke weeks… It was a Merc, and believe me, they can build nice cars, there guarantee on mechanical issues is great, but having support on a IT topic … they are not ready yet. The never heard about an IT Servicedesk… it was also outsourced to a company in Prague I believe… luckily I speak some German :-), because my English and their English…well there is an ocean between.
Good luck Matt to try to solve this, but I would play it hard on the second hand dealer. And it’s a nice story for your followers …the danger buying second hand connected devices!
Thanks for the comment Frank, this seems to be an issue that many of the ‘Connected’ car manufacturers simply haven’t considered, or they have and feel this is acceptable.
I’ll be taking this further next week and will update my blog to let you know what progress I make
Matt
You should sue the dealer and manufacturer for breach of GDPR. Do this through the ombudsman and with the press involved not just a post on LinkedIn. I bet they sort it real quick then.
I’ll be taking it up with their Data Protection officer this weeek and will keep my post updated
Matt
I’m not certain there’s a GDPR breach here. Don’t get me wrong, it’s a really shitty situation, pretty unforgiveable in fact, but the previous owner will know where *the car* is. That person has no way to know who the current owner is, AFAICT. As GDPR affects personal data, you’d need something linking Matt to this particular car, surely?
Having said that, this is another example of manufacturers paying fast and loose with connected cars. This is all pretty scary.
There should be at minimum a master reset usable from the car that de-auths the online account, anything else is just foolhardy.
Thanks for the comment
It’s a really grey area, the car is of course nearly always parked at my house so does that give a previous owner, or Land Rover the possibility to connect it to me? I really don’t know whether this is a breach or not, but as you say it’s not a nice situation.
Equally as much of a concern is that, with many of these ‘connected’ cars if it’s still registered to a previous owner then they can locate it and unlock the doors.
There definitely needs to be some way to automatically reset the online account, maybe when the V5 details change, or at least a very very simple way for a new owner to hit a reset button.
Matt
Matt,
This is a great topic, but you should be aware that Charles Henderson of IBM X-Force Red presented this exact research at RSA 2017.
https://www.rsaconference.com/videos/iot-end-of-days
https://www.nbcnews.com/tech/security/connected-homes-cars-can-be-difficult-new-buyers-un-plug-n726261
https://money.cnn.com/2017/02/17/technology/used-car-hack-safety-location/index.html
https://www.bbc.com/news/business-40324983
etc…
Dillon
I’m glad to see that this has been raised before, thanks for sharing the links.
It’s a concern that even after these very public articles the manufacturers seem to be offering no real solution. I see it as a security issue, as these articles state, and also a data issue as if the car is still bound to a previous owner then there’s a lot of location data and more being shared with them about the new owners habits. There are many many people that don’t even consider the connected services that are available with their second hand car and may not even think to check whether this is still being stored and provided to someone else
Thanks
Matt
Not sure if you’ve seen this already Matt, looks like some frantic activity will be taking place at car manufacturers… https://www.theregister.co.uk/2018/08/09/connected_car_legal/
I hadn’t seen it, thanks for sharing.
Really glad that this issue is continuing to be commented on, data and privacy must be at the heart of these new tools and systems and cannot be an afterthought, which is how it is beginning to appear
Matt
Hi Matt I’ve got the same problem with InControl app and just been to a dealer and call the main office and they can remove it from previous owner but for £160 did u solve it somehow??
Hi Marius, after a lot of communication from Land Rover, mostly due to John Leyden from the register asking their PR department to comment on the issue, they instructed my local dealer to contact me. I had to go to the dealer with the vehicle and proof of ownership and they then removed the previous owners details from their system.
The dealer told me they were glad to be told what to do by JLR as this had always been a grey area for them. The fact that they now want to try and charge you to prevent someone else having access to data about the status and location of your vehicle is quite frankly absurd.
I can probably dig up the contact details for the person in JLR’s PR department if you’d like to raise it with them, which is the route I would certainly take.
Matt
The same thing happened to me. I was trying to get it registered and the same insult. Go back to the previous owner, it was sold at an auction to the car sales I bought it from. So I chased it a bit, but one get’s busy. I write code a lot.
Then the icing on the cake, my car was STOLEN. They said contact the previous owner. Even though all the data is sitting in their big fat database.
Ha ha, they probably used some of my code to allow the hijacking of new owners cars. Oh and thieves of course. Their customer service to criminals is excellent.
Great topic Matt. These days, manufacturers are quick to develop and launch without fully thinking through the implications of their creation. I am a similar but less serious issue with Streaming TV services. They are there to offer additional 3rd party services but the finger pointing begins once you have a service question.