Skip to Content

Privacy & Data

Being Connected Shouldn’t Mean Being Controlled

/ Michelle De Mooy

A story in yesterday’s New York Times makes clear the need for practical guidelines and rules around the Internet of Things (otherwise known as when dumb things get smart). The Times reports that the latest iteration of IoT allows car lenders using connected ignition devices to remotely turn off cars when drivers are late with payments or default. Credit with virtual handcuffs?

Just because lenders can remotely turn off a car doesn’t mean they have the right to do so.

The basic fairness issue is foremost for me. Just because lenders can remotely turn off a car doesn’t mean they have the right to do so. The article cites drivers who say their cars were remotely disabled by their lender when they were only a few days behind on payments, which arguably violates state laws that prohibit repossession of a vehicle unless it’s in default (normally when payment is 30 days overdue). These are consumers who are in need of assistance — not the blunt force trauma of disabling the ignition. Nor do they deserve the pecking away of personal dignity that accompanies being tracked by GPS, or being forced to listen to the rapidly increasing beeping sound that the device emits when a car payment due date draws closer. Another fundamental concern: turning off a car remotely without any context seems intrinsically unethical and perilous, as attested in the article by a consumer who was unable to take her sick child to the doctor because of remote shut down.

The capacity for remote disabling also raises serious privacy and security concerns. This kind of background surveillance brings to mind the Federal Trade Commission case against Aaron’s Rent-to-Own, in which the rental company knowingly installed spy software on rented computers that remotely activates its customers’ laptop webcams without their knowledge. For those who are financially struggling, both a car and a computer can be critical tools to employment and overall stability. Can poor people afford to say no to intrusive technology that robs them of their privacy and autonomy? And these particular connected cars, far from being a tool to facilitate consumer empowerment or control, are aimed at subprime borrowers and have actually encouraged more high-risk lending, as they offer more certainty to lenders in making loans. This exacerbates an already powerful imbalance between those struggling to get credit, and those parceling it out with high interest rates and default-enabling terms.

One of the lenders profiled in the article boasts that he has remotely turned off cars while “shopping at Walmart,” presumably by using his cellphone or mobile device. I have to wonder how he is accessing the service while out and about. Is the answer “via Walmart’s public wifi,” or is it through an encrypted communication? Does this gentleman have a passcode on his magic car turning-off device, or it is left unprotected in his cart with his toddler while he looks for oranges?

Does being connected mean being controlled?

There are larger security issues intrinsic to the IoT. Security expert Bruce Schneier has written about the cheap and aging software that is often embedded in the connected devices in our homes and cars, including routers and modems. The software may not be updated with security patches, making them vulnerable to hackers and bugs, like the recent Bash bug (also known as “Shellshock”), which can be used to gain access to web servers and IoT devices, and thus user data like GPS information (and potentially the vehicles themselves).

All of which brings me to the ethical question at the heart of this issue: does being connected mean being controlled? Will having a connected home mean your mortgage lender can lock your door if you are late in paying your home loan? The Internet of Things has the potential to empower consumers in their own homes and cars, to become more mindful about energy usage and cost savings, and make their lives more organized. But there are also inherent risks, making IoT ripe for rigorous attention from policymakers. Now is the time to start creating practical policies and rights that enforce the importance of consumer control online.

Related Reading

Samir Jain Testimony for House Committee. White document on black background.

CDT VP of Policy Samir Jain Testimony Before U.S. House Energy & Commerce Committee on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights”
The CDT logo. A light and dark grey "cdt" alongside "Center for Democracy & Technology" on a white background.

Deprecating third-party cookies: a small step towards a more private web
CDT brief, entitled "Unintended Consequences: Consumer Privacy Legislation and Schools." White and blue document on a grey background

Brief – Unintended Consequences: Consumer Privacy Legislation and Schools