by dcow 1158 days ago
No, there is just no foundation to the claim that there is a backdoor in Teslas for their own use. There’s remote unlock and remote software updates, both features that are for my benefit and use. And they don’t come with some naïve backdoor that attackers can exploit. They’re cryptographically secure and don’t expose me to vulnerabilities.

There’s a difference between the government legislating obscure and weak backdoors into all microchips so the NSA can spy on you, and a car company providing features consumers want, agree to, and pay for, in a secure way. One is a surveillance platform, the other is a good product. It’s silly to equivocate the two. That’s what I’m responding to.

> just no foundation to the claim that there is a backdoor in Teslas for their own use.

If it's not for their own use, whose use is it for? It's literally just for their use. They may promise that they won't use that backdoor for purposes that aren't for your benefit, but that's just their promise. And how do they define "for your benefit"?

How secure from other attackers that back door is is only one aspect. It's important (and important to remember the truism that "if there's a way to access it legally, there's a way to access it illegally"), but not the only issue. Even if we assume that hackers really can't get in that way, the backdoor and the data collection are still unacceptable to me.

I don't know if we’re arguing semantics or what at this point but it’s not a backdoor if it’s advertised as part of the product that consumers pay for. It’s just a product feature that needs to be secure like any other—frontdoor. If you’re not comfortable with that feature then don’t buy the car. But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit. There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in. Like research the product before making crazy claims…

It would help me understand your concern if you pointed to the data collection and use thereof that you consider unacceptable.

The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW). Do you feel this way about all products that auto-update?

> If you’re not comfortable with that feature then don’t buy the car.

This was the only point I was actually making, yes.

> But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit.

Aside from niggles about what constitutes a "back door", I was not doing that.

> There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in.

None of that is actually reassuring, but the reason why is a whole other, very large, discussion.

> The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW).

No, I'm uncomfortable with the data connection to Tesla. I'm uncomfortable with their data collection, and I'm uncomfortable with them having any sort of control over the car.

> Do you feel this way about all products that auto-update?

Yes. I consider auto-updating to be harmful. But the reasons why are another long, separate, conversation.

> I'm uncomfortable with their data collection

Again, I have no idea what you mean by "their data collection". What data are they collecting and how specifically is it being used in an untrustworthy and harmful way? Our interests are aligned to get to the bottom of how Tesla handles data, because I don't want to own a car that is spying on me and you want a world where the internet doesn't exist (only half tongue in cheek).

EDIT: Also just so you're aware, did you know the car part of a Tesla works entirely offline at 100% capacity? Did you know the infotainment system, HUD, etc. software can crash and you remain in complete control and full operation of the vehicle while it restarts? If you went in and disconnected the LTE antenna you'd have a connection-less Tesla. The fact that Tesla has designed the car this way speaks just a little to the quality of their engineering. The car is more like a plane than you'd think.

> What data are they collecting

As I understand it, they are collecting data about the operation of the cars.

> and how specifically is it being used in an untrustworthy, and harmful way?

I didn't claim that it was. I was expressing my objection at it being collected. I have the same objection to similar data collection by software, electronics, etc.

Allowing data collection is an act of trust. Tesla (like most companies) has not earned that trust, and speaking generally, this trust has been so commonly abused that I give nobody the benefit of the doubt.

> you want a world where the internet doesn't exist

Your tongue may only be half in your cheek, but this statement literally could not be more wrong.

> did you know the car part of a Tesla works entirely offline at 100% capacity?

I would certainly hope so! If it didn't, I'd be saying that Tesla's design was inherently broken. I'm not saying that.

Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is. It's pretty simple: the collection of usage data has been widely abused for a long time. Because of that, I have zero trust in almost any company that they won't abuse any data they get about me or my use of my machines. I think that's been well-earned. Teslas (as well as other cars) collect a great deal of data. I object to that.

It isn't because "Tesla sucks" or anything specific to Tesla. It's because Tesla (and not only Tesla) is engaging in a practice that historically has been abused.

> As I understand it, they are collecting data about the operation of the cars.

You're missing the part where it's not inherently linked to your PII without your consent (for example during a troubleshooting session).

> Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is.

/eyeroll. I said I was playing.

Okay. I understand what you're saying. Removing all other noise, you just don't want data collected and Tesla hasn't done anything to earn your trust.

My response is simply that I think this is a blanket assessment that comes from an uninformed position about how Tesla's product actually works vs other car manufacturers vs tech companies in general, and that you're unfairly lumping Tesla in with #abusivebigtech. There's a lot of security research and evidence that supports the conclusion that Tesla does give a shit about both the security of their platform and the privacy of their users. In the absence of evidence suggesting Tesla abuses user trust, I do not presume guilt because that's a pretty harmful MO. Since your argument is essentially "but they're big tech", I can't help drawing the conclusion that your position on this topic boils down to that of a HN curmudgeon.

---

Anyway... car manufacturers aside, I'm also really struggling to understand what your proposed solution is where service providers don't have any data about users. (Let's not even get into in-product functionality like needing to uniquely key a user's account or send them communications.) Serious question: have you ever built a product? Not having any data whatsoever is great (I've tried it, trust me I used to think very much like you do)... for about 30 seconds until one of your users has a problem. They write in and oh shit now you've got their email. Let's sweep that under the rug for a second, you read their request for support and what do you do? You have absolutely no way to help them so your response is limited to "we don't collect software telemetry in any way sorry frustrated user, you're SOL". That's generally understood to be a wholly unacceptable response from a company the user is paying for a working product, so what privacy conscious companies with good product experiences do is [ask the user if they can] collect anonymous diagnostic and usage information. This gets you a little further, but you still can't do anything to help that user who wrote in because you can't find their telemetry since it's all totally anonymous. So you realize the lesser of two evils is to collect anonymized telemetry. This data doesn't contain the user's PII, but if the user consents, they can share the necessary identifier with the company when they submit the support request, and voila you can investigate and solve the user's issue, leaving the user happy.

The point is that you can't just unilaterally obliterate all data collection and remote connections and end up in a perfect world. You have to have a conversation with users about what data is collected and whether it's okay for it to be collected. I think this idea that the "good" state for software products is zero data and anything more than that is abusive is in fact harmful. It's harmful to product user experiences and it's harmful to protocols and standards when they weirdly hyper focus on specifying things in ways where access to unique identifiers is either nonexistent or controlled (rather than just designing for user permission). It gives incredible power to central authorities when you tell everyone they can't know anything about anyone, unless they're a blessed platform. Anyway I'm rambling at this point, but I'm really just curious how your vision for software actually works in practice. I don't see it without some radical shift where everyone refers to each other by the mnemonic version of their public keys or something incredibly foreign.