‘Vague’ privacy policies help Toyota to spy on drivers, report claims

Australia’s leading consumer advocacy group, CHOICE, has found that Internet-connected technology built into Toyota cars collects a lot of personal information about drivers to share with insurance companies and other third parties.

The data collection is enabled by the “Connected Services” feature, which includes the Data Communication Module (DCM). This module “collects information such as vehicle location, driving data, fuel levels, and even phone numbers and email addresses,” the researchers found. The tricky part is that this module cannot be uninstalled, only disabled, and it appears that not many customers are aware of the ability to opt out of such information sharing and the implications of this practice. The researchers noted that Toyota’s policies are “incredibly vague” when it comes to the consent required for data collection. All of this could lead to personal information about people’s driving habits and location ending up in the hands of debt collectors and insurance companies without their knowledge.

It’s not exactly news that many car manufacturers are using built-in sensors, cameras, and other electronics to spy on people in the car, collecting vast amounts of data on drivers, their passengers, and sometimes even their surroundings. In its September report, Mozilla published a comprehensive report on how cars collect your data; check out our takeaways from it.

Apple deliberately breaks support for progressive web apps in the EU

Apple has confirmed that it is intentionally breaking support for progressive web apps (PWAs), which are websites that can behave like native apps on your phone. The company claims this is because of the new EU antitrust law, the Digital Markets Act (DMA), which forces Apple to allow different browser engines on iOS (other than WebKit).

Tommy Mysk, a researcher known for his in-depth privacy investigations, was one of the first to notice that PWAs were not working as they were supposed to in the beta of iOS 17.4. The sites would open in the default browser instead of in their own top-level activities (windows that display the app’s content and user interface), even if they were installed by a different browser. This made them appear more like regular websites, rather than native apps, which has affected their functionality.

The change in the way PWAs are launched in the EU sparked speculation that it was a deliberate attempt by Apple, which is required by the DMA to allow different browser engines on iOS, to maintain its monopoly and control over the iOS app ecosystem. And with Apple now confirming that the change was a feature, not a bug, this is starting to sound more like the truth. In justifying the removal of the ability to install web apps, Apple said that it was done to address security and privacy concerns.

Source: Apple

It’s hard to take this justification at face value, especially since Apple has just rendered another part of the DMA effectively useless. It did so by introducing a new core technology fee for developers who want to explore alternative distribution and payment options for their apps, effectively forcing them to stick with the old terms. More on this here.

Too much info: Woman accuses sex shop of sharing search details with Google

A woman in California has filed a class-action lawsuit against popular sex shop chain Adam and Eve, accusing it of failing to protect her private searches on its website from being tracked by Google. The unnamed plaintiff alleged that the site used Google Analytics but failed to enable the IP address anonymization feature. This oversight allegedly allowed Google to see everything the woman was interested in on the site without her knowledge or consent, the lawsuit claims.

The disgruntled sex shop customer is suing both Adam and Eve and Google for allegedly revealing her “sexual preferences, sexual orientation, sexual practices, sexual fetishes, sex toy preferences, lubricant preferences, and search terms,” according to a report by 404media. She is seeking $5,000 in damages for “each time it disclosed a message, report, or communication to Google without consent.” If she is successful, it would mean that all Adam and Eve customers in California could demand their piece of the pie.

While Google has reportedly argued that it’s up to website owners to make sure they don’t inadvertently share sensitive information with them, the issue of Google collecting data from the majority of sites on the web still stands. The recent clarification of the Chrome Incognito Mode disclaimer (in short, Google has finally admitted that it tracks you in the Incognito mode as well) is a step in the right direction, but more needs to be done to make the tracking less opaque to the layperson.

US regulator wants deepfakes of regular people to be illegal

The US Federal Trade Commission (FTC) is considering expanding an existing rule that prohibits impersonationg businesses and government agencies, including by using AI. The new, updated rule would also cover individuals to protect them from deepfake scams.

The agency said it has seen a spike in complaints about impersonation, and decided to take action to protect people from this growing threat. “Emerging technology — including AI-generated deepfakes — threatens to turbocharge this scourge, and the FTC is committed to using all of its tools to detect, deter, and halt impersonation fraud,” the agency said in a statement. The FTC’s chair noted that the new AI tools allow bad actors to “impersonate individuals with eerie precision and at a much wider scale.”

This is a positive development, as it is not only public figures, such as politicians and government agencies, that fall victim to AI-enabled fraud. It is often regular individuals who are most affected by this type of scams. However, as always, the key will be enforcement of this new rule.