Applying software’s customer interaction models to hardware

If you haven’t heard about Vendor Relationship Management, you should take a look.  As a consumer, VRM gives you more power in the relationships with your vendors, even if they don’t participate.  But for vendors who participate, VRM transforms the relationship into, well, an actual relationship.  As a vendor, VRM should be of interest because it provides much richer signals from your customers and enthusiasts and fulfills the promises made by social media.

I’ve decided to capture some of my thoughts on VRM as recorded in the email list.  Recently, a list participant compared the experience of buying software to that of buying a car.  Although he posited the two were much different and wondered why using a web site or buying software couldn’t be more like buying a car, the sad truth is that buying a car with extensive tech these days is like buying software, and in all the worst ways.  Read on to be horrified.

The following is pasted in verbatim.

Hi Alan,

> Why should we have to read a privacy policy in the first place? If
> we buy say, an automobile, we are not presented with a long and
> detailed list of its various components, their quality and
> functions, and asked if we agree or disagree with the choice of
> component or how it is being used. Quite rightly, we expect the car
> company to address all these issues in ways we can trust – and we
> expect them to be taken to the cleaners if they fall down on
> quality, safety and so on.

I used to think that too.  Until I bought a Ford Fusion with Sync.  Because my opinion of auto sales was similar to that which you expressed below, it never occurred to me to ask about the TOS or privacy policy.  But when you buy the car they tell you “go home and create a Sync account” in order to use the voice activation and other Sync features.  When you actually go to sign up, this is what you find:

“If you opt not to provide us with personal information, you can still access our website, however you may be unable to create log in credentials, participate in certain promotions, receive product information, activate or use a service, or have a purchase order fulfilled.”

“Activate or use a service” in plain English means “the ability to use the functionality for which you bought the car.”  Among the other smart features, you are able to run a Vehicle Health Report on all systems of the car.  That of course provides a lot of info to Ford.  How do they use the VHR?  From their Privacy Policy:

“When you run a Vehicle Health Report, Ford Motor Company may collect your cell phone number (to process your report request) and diagnostic information about your vehicle. Certain versions or updates to Vehicle Health Report may also collect additional vehicle information. Ford may use the vehicle information it collects, as well as information regarding individual access to Vehicle Health Reports at, for any purpose. If you do not want to disclose your cell phone number or vehicle information, do not run the feature or set up your Vehicle Health Report profile at”

So either you don’t run the health reports or you do and Ford can collect all car data, from all car systems, including your phone book uploaded to the audio/nav system, and use it for *any* purpose.  Their policy on Personally Identifiable Data is similarly wide open.  Among the ways they admit to use your data are:

  • “Compile user data that is stored in our corporate database and may be used for marketing and other purposes.”
  • “Match personal data collected here with data about you that we collect offline.”

What the hell are “other purposes”?  Could they be any more vague?  And the bit about matching personal data translates in plain English to “key your cell number and account from the VHR to your demographic records” so that car data is not as uninterestingly anonymous as the previous paragraphs suggest.  They also reserve the right to send your data to any global location and note that it may reside in a jurisdiction that has different privacy levels than your own country.

> The mere fact of introducing an ‘agreement’ between the buyer and
> the car company on the quality/functionality of its components would
> open up a huge temptation for the car company to blind the buyer
> with science, cut corners, take advantage — all now with the
> defence ‘but you agreed to it’. That’s exactly what has happened
> with so-called ‘privacy’.

Been there.  Done that.

“By clicking “I Accept” below, you the user (“User”) agree to be bound by these Terms and Conditions whether or not you have read them. If you do not agree to these Terms and Conditions, you will be unable to run or activate the SYNC Driver Features. You must be at least 18 years old, or the age of majority, as determined by the laws of your state of residency, to accept these Terms and Conditions and assume the obligations set forth in these Terms and Conditions. Further, you agree to make all other drivers, passengers or guests of your car aware of these Terms and Conditions and subject to these Terms and Conditions. You are solely responsible for the use of the SYNC Driver Features for your vehicle, even if you are not the one using the SYNC Driver Features and even if you claim later that another person’s use was not authorized.”

So if you come to Charlotte and I pick you up to go to lunch, I’m supposed to read you the TOS before you get into the car.  And if I forget to read them to you and you later sue Ford for recording our conversation, I’m responsible because – you guessed it – ‘but you agreed to it’.  Oh yeah, and they can change the TOS without notice and your continued use of the service after that point constitutes your agreement:

“Ford may at its sole discretion, with or without notice, modify these Terms and Conditions at any time and such modifications will be effective immediately upon being posted on this website. Your continued use of the SYNC Driver Features will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to the Terms and Conditions or any modification of the Terms and Conditions, then you must immediately stop using the Vehicle Health Report and/or SYNC Services.”

You’d better hope Ford’s web site isn’t breached because you are responsible for their damages if someone else uses your account:

“You are entirely responsible for maintaining the confidentiality of your account information, including your password, and for any and all activity that occurs under your account. You agree to notify Ford immediately of any unauthorized use of your account or password, or any other breach of security. However, you may be held liable for losses incurred by Ford or your dealer due to someone else using your user name, password, cell phone number or account.”

They go on to explain all the “vehicle travel information” is collected and may be shared with Sync service providers.  They don’t tell you who those are in the TOS but they include at the least Microsoft, Gracenote, Garmin and Sirius/XM.  Next they explain that you bind anyone else you let into the car to these terms.

“Further, you agree to obtain the consent to the collection, logging, storage, and sharing of vehicle travel information and other call details for the purposes set forth above from any other person(s) to whom you provide access to and use of the Service via your cell phone. If you don’t consent or wish to disclose this information, do not activate or use SYNC Services.”

Now, if you thought all of that was horrifying you should sit down before reading the next part.  They reserve the right to record all sounds and conversations in the car.  These are called “Whole Call Recordings” or WCRs.

“WCRs will include voice utterances and may include any other sounds in the vehicle, including the voices of the user and other vehicle occupants, during the entire time the Service is connected.”

Of course, you bind your passengers by proxy to these terms as well:

“By activating or using the Service, you expressly agree to the recording and sharing of your utterances and WCRs as set forth above for the purposes set forth above in these Terms and Conditions regardless of whether or not you have read them. Further, you agree to obtain the consent to record utterances and WCRs from all vehicle occupants and any person(s) to whom you provide access to and use of the Service via your cell phone. If you don’t consent or wish to disclose this information, do not activate or use SYNC Services.”

They also reserve the right to revoke licenses to any electronic media that you store or play such as Garmin maps, Gracenote DB entries, songs, videos, etc. on behalf of content owners:

“You therefore agree that MS and/or FORD MOTOR COMPANY may, in conjunction with such license, also download revocation lists onto your DEVICE on behalf of Secure Content Owners.”

> As soon as we start arguing about whether the small print is
> readable or not, we have already ceded the principle and the
> argument to the data landgrab industry.

Yeah, I found this out when I attempted to upgrade the maps and CD song title DB in the car.  Many Garmin units have free lifetime maps because it sells the hardware.  But once you pay $30k for the hardware, they figure you’ll pay $300 a pop for map updates.

The thread continues…

> At first I saw how long this message was and thought I didn’t have
> time to read it. But T-Rob is a compelling thinker, so I started reading it…
> …and couldn’t stop.

Thanks for the kind words.  And at the risk of abusing the privilege…

> Why would anyone agree to this??

Once you pays yer $30k there’s a BIG incentive to agree to it if the SYNC is why you bought the car.  I might have gotten away with returning the car on the basis of the dealer failing to disclose the TOS prior to purchase, but the non-Sync features are compelling.  We ended up just not using the Sync features.  My wife has some limited mobility and the car has a helluva rear-view camera, proximity warning systems and blind-spot alerts light up in the mirrors, none of which require Sync activation.  She probably won’t let me buy her another car until the Google self-driving ones are available.

On an interesting note, if you see a shady-looking dude sitting in a parked late-model Ford you can be pretty certain he’s not a criminal.  Or at least if he is, he’s a dumb criminal.  Can you imagine the next Gambino boss getting taken down because of the Whole Call Recording capturing him planning something nefarious?

Let’s take this a bit further.  We all know that photo/video recording is often legal where audio recording is not.  Ford have created an environment that provides warrantless access to all your car telematics and voice utterances.  So they know who you are, what you said and where you were when you said it, what direction you were travelling and how fast.  No more burden of proof on the government to provide a witness who puts you in the car at a certain place and time or that you weren’t speeding.  You have basically waived your right to not testify against yourself.

Why warrantless?  Note the privacy policy:

“ will disclose your personal information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to: (a) conform to the edicts of the law or comply with legal process served on Ford Motor Company or the site; (b) protect and defend the rights or property of Ford Motor Company and this site; or, (c) act under exigent circumstances to protect the personal safety of users of Ford Motor Company, its web sites, or the public.”

So all they need is a “good faith belief” that disclosure is required.  Or that it would be required if the agent asking had brought a warrant.  But since it’s the government asking and we trust the request because it originates from a trusted entity, here’s your data.

The Ford policies are an example of why I’m so concerned about data security, crypto and roots of trust.  My usual customers include national infrastructure targets so I’m painfully aware of the level of sophistication brought to bear in attacking them.  But anyone who does not think that a personal cloud vendor would be just as attractive a target is deluded.  Attacks are generally motivated by money, espionage (industrial or state), or activism.  When individuals are targeted today, it is usually because of their economic or political value.  They are rich, powerful, directly connected to the rich and/or powerful, or they have celebrity.  Typically financially motivated attacks are against technology such as your browser or a specific piece of software rather than targeted at specific high-value individuals.  However, the money gained from these attacks funds criminal enterprises and enables higher-level attacks on individuals and infrastructure.

Why are attacks on targeted high-value individuals not more common?  For one thing, because your data is spread across so many vendors.  It currently costs so much to gather up lots of data about specific individuals that the threshold of “high-value” is military targets, corporate execs, and so forth.  There is some effort in the black market to aggregate data and this is leading to long-game cons where an attacker gains enough information to sell your house out from under you, collect the payout in cash and then disappear.  The risk of a few large-value transactions is a lot less than making the same money using retail credit card merchandise transactions.  This makes attacks on homeowners as lucrative as compromising business bank accounts, except that they are a lot less risky and there are a helluva lot more homeowners than corporate treasury officers.  But we haven’t seen a lot of this because the source data is aggregated from random breaches and doesn’t correlate well.  Once we are kind enough to begin aggregating our own data, expect a spike in attacks targeted on individuals and a significant reduction in the floor on what constitutes a “high-value” target.

Also expect a change in the focus of individually targeted attacks.  Rather than look for individuals with high net worth that can be directly stolen, attackers will begin to look for individuals with influence within moderate- to high-value business targets.  If you breach a personal cloud provider you are bound to find at least a few people who don’t want it known that last week they purchased a Fleshlight, rubber sheets, 5 gallons of honey, a case of gummy worms and a signed poster of Noam Chomsky.  The next day a money mule will walk into that person’s place of employment, provide a code word and the target will simply hand over the money from the cash drawer.  The ability to so completely compromise large populations of individuals is so attractive that personal clouds will be subjected to continuous sophisticated attacks in the same way that banks, Google, Amazon, military and other high value targets are today.

It won’t only be criminals.  The US government has consistently abused every law that suspends or reduces civil liberties and there’s no reason to suspect they would suddenly exercise restraint or conform to any new laws put in place that treat these information caches specially.  If the aggregated data are readable by the hosting provider, it *will* be available to government.  But if we use current technology to safeguard the data so only the individual can issue temporal keys to view it, we know individuals as a population suck at managing keys or picking security over functionality.  Large subsets of the population will not suspect that a free personal cloud hosting provider might have an income derived from something other than advertising to them.  We’ve also seen some recent court decisions that you *can* be compelled to provide your encryption key.   Rather than testifying against yourself, it is treated similar to a physical object that you can be compelled to produce.  The cases where these keys were compelled were where the defendant had aggregated a database of incriminating evidence that the prosecution had otherwise been unable to prove by going after the many sources of the data.  Sound familiar?  (Incidentally, one was a mortgage scam.)

I’ve been doing this long enough to have seen problems related to durability.  Entire categories of electronic signatures have been invalidated over the years.  In some cases because the algorithms or key lengths used are now obsolete.  In other cases because the root of trust was compromised.  For example, if you have a contract or data electronically signed by certs of DigiNotar parentage, you are now unable to validate those signatures with confidence.  If personal clouds had already been in wide use, the bulk of them owned by citizens of The Netherlands, as well as global transactional history networking out from there, would all now be suspect at best or unusable as evidence in court or for commerce at worst.  Unfortunately, considerations of durability of secure data are largely confined to bulk data archiving technology.  Most discussions of security are focused exclusively on instantaneous authentication, authorization and privacy of live connections and transactions and any assurance of durability is based on trustworthiness of the custodian.

This is why I’m dubious when people tell me we don’t need to encrypt and/or sign individual datums.  I am interested in the ability to verify authenticity and integrity of data over time.  Up to now our electronic systems have relied almost entirely on context to assure these things – the context of the connection to a trusted source.  But increasingly we see that the trusted sources are themselves breached, exposing massive quantities of data in one fell swoop.  Worse, when the roots of trust are breached we lose integrity and authenticity assurance across large swaths of the Internet and massive quantities of data all at once.  We have seen multiple instances of this and have no reason to expect the situation will improve.  In fact, the recent policy changes by the CA/Browser forum were intended to improve the situation, but only for their chartered use cases of certs in browsers and email clients and for code signing.  Unfortunately, the cascading effect has been to erode security in every other use case where CA-signed certs had formerly been common.

When I bought my Ford, the features were so compelling that I disabled Sync and ignored the Draconian TOS and privacy policy.  That’s what people do.  That’s why every new blockbuster technology that isn’t specifically a security technology is broken in V1 and stays that way until people believe they are statistically likely to be victims of a breach.  (Firesheep, anyone?)  That’s why we have defibrillators that can be remotely directed to deliver a lethal shock and the security around that remote connection is broken.  Same situation with infusion pumps, automobile control systems, smart meters, home automation and more.  People must either believe a breach will be personally catastrophic or statistically probable before they care about security, and when they do begin to care they believe it is the vendor’s responsibility, not theirs.

Personal clouds and VRM have that potential to be blockbuster, paradigm changing technologies.  They are in that category of technology that is so compelling users will accept assurances of security without demanding proof or paying more for it.  If I were a criminal organization actively running cyber attacks, I’d be busy funding personal clouds and VRM groups, the consultancies that will bring VRM to large Enterprise, and finding ways to silently support any persuasive and vocal evangelist.  The best case for criminals is that personal clouds are broken at birth.  But even if we get it massively right, you still end up with data that is aggregated cleanly and accurately to individuals across a much broader spectrum of sources.  This dataset is the Holy Grail of cybercriminals and impossible for them to do at scale today.  This gives the criminal the most attractive possible target short of direct compromise of the bank itself, a very large attack surface, and a victim population notoriously bad at managing keys and also vulnerable to social engineering, phishing and so forth.  And that’s the *best* case if we do everything right.

It is naive to think we could do this without some percentage of implementations being breached.  Our duty then is to consider what is an acceptable percentage of loss and the much greater potential impact of that loss to individuals than is present in current systems, and then build in mitigation.  The mitigations may include keeping some level of data partitioning so that several physical clouds form a logical one.  It may include encrypting and/or dual-party signing the data elements as they are produced, independent of storage and transmission security, and possibly using multiple roots for each party in case one is broken.  It may need to include honeypot services to provide fake but traceable data to detect breaches and identify their sources.  As we move forward I’m sure many other mitigations will suggest themselves, hopefully due to forward thinking rather than hindsight in the wake of a breach.

I neglected to post the Ford TOS and Privacy Policy links last time:
(TOS is buried behind a click-wrap button on the reg page.)
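The mitigations sketched in the email above (signing each data element as it is produced, independent of storage and transmission security, by both parties, under more than one root of trust so that a single root compromise of the DigiNotar kind does not orphan the data) can be shown concretely. The following Go program is an added example written for this page; it is not code from the email, from the VRM project, or from Ford. It uses only the standard library’s Ed25519 implementation and makes these assumptions: a “root” is simply a key pair that signs a party’s public key (a stand-in for a CA certificate), a verifier trusts a named set of roots, and revoking a root means removing it from that set. The names `root-A`, `root-B`, `user`, `vendor` and `legacy-vendor`, and the VIN/odometer record, are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a root of trust (no endorsements) or a party such as the user or vendor.
type Signer struct {
	Name         string
	Pub          ed25519.PublicKey
	priv         ed25519.PrivateKey
	Endorsements map[string][]byte // root name -> that root's signature binding Name to Pub
}

// endorsementMsg is the byte string a root signs to bind a name to a public key.
func endorsementMsg(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// NewSigner generates a fresh Ed25519 key pair and has each given root endorse it.
func NewSigner(name string, roots ...*Signer) *Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s := &Signer{Name: name, Pub: pub, priv: priv, Endorsements: map[string][]byte{}}
	for _, r := range roots {
		s.Endorsements[r.Name] = ed25519.Sign(r.priv, endorsementMsg(name, pub))
	}
	return s
}

// PartySig is one party's signature over a datum plus everything needed to check it offline.
type PartySig struct {
	Pub          ed25519.PublicKey
	Sig          []byte
	Endorsements map[string][]byte
}

// SignedDatum is a single data element signed by every party, independent of channel or store.
type SignedDatum struct {
	Data []byte
	Sigs map[string]PartySig // keyed by party name
}

// SignDatum has each party sign the same bytes (dual-party signing when two are given).
func SignDatum(data []byte, parties ...*Signer) SignedDatum {
	sd := SignedDatum{Data: data, Sigs: map[string]PartySig{}}
	for _, p := range parties {
		sd.Sigs[p.Name] = PartySig{p.Pub, ed25519.Sign(p.priv, data), p.Endorsements}
	}
	return sd
}

// Trust is the verifier's set of trusted roots by name; revoking a root is deleting it.
type Trust map[string]ed25519.PublicKey

// keyTrusted is true when at least one root still in the trust set endorses the key.
func (t Trust) keyTrusted(name string, ps PartySig) bool {
	for rootName, sig := range ps.Endorsements {
		if rootPub, ok := t[rootName]; ok && ed25519.Verify(rootPub, endorsementMsg(name, ps.Pub), sig) {
			return true
		}
	}
	return false
}

// Verify requires a valid signature over Data from every required party, under a still-trusted key.
func (t Trust) Verify(sd SignedDatum, required ...string) bool {
	for _, name := range required {
		ps, ok := sd.Sigs[name]
		if !ok || !t.keyTrusted(name, ps) || !ed25519.Verify(ps.Pub, sd.Data, ps.Sig) {
			return false
		}
	}
	return true
}

// Scenario runs a constructed example and returns four verification outcomes.
func Scenario() (fresh, multiRootAfterRevoke, singleRootAfterRevoke, tampered bool) {
	rootA, rootB := NewSigner("root-A"), NewSigner("root-B")
	user := NewSigner("user", rootA, rootB)     // endorsed by both roots
	vendor := NewSigner("vendor", rootA, rootB) // endorsed by both roots
	legacy := NewSigner("legacy-vendor", rootA) // endorsed by root-A only
	trust := Trust{"root-A": rootA.Pub, "root-B": rootB.Pub}
	datum := []byte(`{"vin":"CONSTRUCTED-VIN","odometer_km":12345}`) // constructed sample record
	multi, single := SignDatum(datum, user, vendor), SignDatum(datum, user, legacy)
	fresh = trust.Verify(multi, "user", "vendor")
	delete(trust, "root-A") // root-A is later found compromised, as DigiNotar was
	multiRootAfterRevoke = trust.Verify(multi, "user", "vendor")           // root-B still vouches
	singleRootAfterRevoke = trust.Verify(single, "user", "legacy-vendor") // nothing vouches for legacy
	multi.Data = append([]byte("!"), multi.Data[1:]...)                   // alter one stored byte
	tampered = trust.Verify(multi, "user", "vendor")
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true true false false`: the record verifies when fresh, still verifies after `root-A` is dropped because `root-B` independently endorses both signing keys, fails for the record whose vendor key was endorsed by the lost root alone, and fails once a single byte of the stored datum changes. Nothing in the check depends on who stored or transmitted the record, which is the point of signing the datum itself rather than relying on the context of a trusted connection.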

About T.Rob

Computer security nerd. WebSphere MQ expert. Autist. Advocate. Author. Humanist. Text-based life form. Find me on Twitter or LinkedIn.
This entry was posted in Clue train, Social issues, VRM.

1 Response to Applying software’s customer interaction models to hardware

  1. DwH says:

    I will ask my hacker buddies about a rootkit for myfordsync to see if it can be disabled, altered or otherwise messed with so that (a) it is not giving away secrets and (b) can be altered to do some unintended activities… if there isn’t one right now, I’m sure there will be soon
