[dcow]

I don't know if we’re arguing semantics or what at this point but it’s not a backdoor if it’s advertised as part of the product that consumers pay for. It’s just a product feature that needs to be secure like any other—frontdoor. If you’re not comfortable with that feature then don’t buy the car. But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit. There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in. Like research the product before making crazy claims…

It would help me understand your concern if you pointed to the data collection and use thereof that you consider unacceptable.

The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW). Do you feel this way about all products that auto-update?

[JohnFen]

> If you’re not comfortable with that feature then don’t buy the car.

This was the only point I was actually making, yes.

> But don’t go spewing certifiable nonsense about how Tesla backdoors your car and steals your personal data for profit.

Aside from niggles about what constitutes a "back door", I was not doing that.

> There is nothing in their terms or privacy policy that indicates this is happening, and data collection that could expose PII is opt in.

None of that is actually reassuring, but the reason why is a whole other, very large, discussion.

> The way I see it, you’re essentially uncomfortable with Tesla being able to update the software on your system (which is also opt in BTW).

No, I'm uncomfortable with the data connection to Tesla. I'm uncomfortable with their data collection, and I'm uncomfortable with them having any sort of control over the car.

> Do you feel this way about all products that auto-update?

Yes. I consider auto-updating to be harmful. But the reasons why are another long, separate, conversation.

[dcow]

> I'm uncomfortable with their data collection

Again, I have no idea what you mean by "their data collection". What data are they collecting and how specifically is it being used in an untrustworthy, and harmful way? Our interests are aligned to get to the bottom of how Tesla handles data, because I don't want to own a car that is spying on me and you want a world where the internet doesn't exist (only half tongue in cheek).

EDIT: Also just so you're aware, did you know the car part of a Tesla works entirely offline at 100% capacity? Did you know the infotainment system, hud, etc. software can crash and you remain in complete control and full operation of the vehicle while it restarts. If you went in an disconnected the LTE antenna you'd have a connection-less Tesla. The fact that Tesla has designed the car this way speaks just a little to the quality of their engineering. The car is more like a plane than you'd think.

[JohnFen]

> What data are they collecting

As I understand it, they are collecting data about the operation of the cars.

> and how specifically is it being used in an untrustworthy, and harmful way?

I didn't claim that it was. I was expressing my objection at it being collected. I have the same objection to similar data collection by software, electronics, etc.

Allowing data collection is an act of trust. Tesla (like most companies) has not earned that trust, and speaking generally, this trust has been so commonly abused that I give nobody the benefit of the doubt.

> you want a world where the internet doesn't exist

Your tongue may only be half in your cheek, but this statement literally could not be more wrong.

> did you know the car part of a Tesla works entirely offline at 100% capacity?

I would certainly hope so! If it didn't, I'd be saying that Tesla's design was inherently broken. I'm not saying that.

Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is. It's pretty simple: the collection of usage data has been widely abused for a long time. Because of that, I have zero trust in almost any company that they won't abuse any data they get about me or my use of my machines. I think that's been well-earned. Teslas (as well as other cars) collect a great deal of data. I object to that.

It isn't because "Tesla sucks" or anything specific to Tesla. It's because Tesla (and not only Tesla) is engaging in a practice that historically has been abused.

[dcow]

> As I understand it, they are collecting data about the operation of the cars.

You're missing the part where it's not inherently linked to your PII without your consent (for example during a troubleshooting session).

> Since you are claiming I have opinions that I do not have, I clearly have done a terrible job explaining what my opinion is.

/eyeroll. I said I was playing.

Okay. I understand what you're saying. Removing all other noise, you just don't want data collected and Tesla hasn't done anything to earn your trust.

My response is simply that I think this is a blanket assessment that comes from an uninformed position about how Tesla's product actually works vs other car manufacturers vs tech companies in general, and that you're unfairly lumping Tesla in with #abusivebigtech. There's a lot of security research and evidence that supports the conclusion that Tesla does give a shit about both the security of their platform and the privacy of their users. In the absence of evidence suggesting Tesla abuses user trust, I do not presume guilt because that's a pretty harmful MO. Since your argument is essentially "but they're big tech", I can't help drawing the conclusion that your position on this topic boils down to that of a HN curmudgeon.

---

Anyway... car manufacturers aside, I'm also really struggling to understand what your proposed solution is where service providers don't have any data about users. (Let's not even get into in-product functionality like needing to uniquely key a user's account or send them communications.) Serious question: have you ever built a product? Not having any data whatsoever is great (I've tried it, trust me I used to think very much like you do)... for about 30 seconds until one of your users has a problem. They write in and oh shit now you've got their email. Let's sweep that under the rug for a second, you read their request for support and what do you do? You have absolutely no way to help them so your response is limited to "we don't collect software telemetry in any way sorry frustrated user, you're SOL". That's generally understood to be a wholly unacceptable response from a company the user is paying for a working product, so what privacy conscious companies with good product experiences do is [ask the user if they can] collect anonymous diagnostic and usage information. This gets you a little further, but you still can't do anything to help that user who wrote in because you can't find their telemetry since it's all totally anonymous. So you realize the lesser of two evils is to collect anonymized telemetry. This data doesn't contain the user's PII, but if the user consents, they can share the necessary identifier with the company when they submit the support request, and voila you can investigate and solve the user's issue, leaving the user happy.

The point is that you can't just unilaterally obliterate all data collection and remote connections and end up in a perfect world. You have to have a conversation with users about what data is collected and whether it's okay for it to be collected. I think this idea that the "good" state for software products is zero data and anything more than that is abusive is in fact harmful. It's harmful to product user experiences and it's harmful to protocols and standards when they weirdly hyper focus on specifying things in ways where access to unique identifiers is either nonexistent or controlled (rather than just designing for user permission). It gives incredible power to central authorities when you tell everyone they can't know anything about anyone, unless they're a blessed platform. Anyway I'm rambling at this point, but I'm really just curious how your vision for software actually works in practice. I don't see it without some radical shift where everyone refers to each other by the mnemonic version of their public keys or something incredibly foreign.

[JohnFen]

> You're missing the part where it's not inherently linked to your PII without your consent (for example during a troubleshooting session).

No, I'm not missing that. It's just not a significant point to me, in large part because I think that the definition of "PII" is too narrow. For instance, I consider the identity of the specific car I drive as being PII.

> you just don't want data collected and Tesla hasn't done anything to earn your trust.

Yes, exactly. And that's not a special stance about Tesla. It's my stance with most companies.

> I think this is a blanket assessment that comes from an uninformed position about how Tesla's product actually works

I'm sure that's true. But, honestly, I have no motivation to spend the time and energy to inform myself about how Tesla handles this stuff. To do so in any meaningful way is a moderate research project that I'd have to have some real reason to engage in. I don't think it's unreasonable to follow a larger heuristic until there's some reason to pay attention to a particular product or company.

> I can't help drawing the conclusion that your position on this topic boils down to that of a HN curmudgeon.

Draw whatever conclusion you wish. I haven't arrived at my attitude arbitrarily or through some sort of "big tech bad" mentality. It's due to years of actual experience.

> Serious question: have you ever built a product?

Not that it matters, but yes, many. Several rather successful ones. The odds are reasonable that you're even using one or two of them.

> You have absolutely no way to help them so your response is limited to "we don't collect software telemetry in any way sorry frustrated user, you're SOL".

This just isn't true at all. I've never had to say anything like that. Blanket telemetry is not necessary to help customers with malfunctions -- if it were, then all the software that I (and everyone else) sold and supported before telemetry was even possible would have been impossible to support.

That said, I have occasionally gathered telemetry as part of the support process. But it's on a case-by-case basis with the full cooperation of the customer, not a blanket thing the I subject all customers to.

And, to be clear, I'm not opposed to telemetry in general. I'm opposed to forcing it on people, or engaging in it without their informed consent.

> I think this idea that the "good" state for software products is zero data and anything more than that is abusive is in fact harmful.

My position is certainly not that all data collection is abusive. My position is that our industry has been widely abusive in terms of data collection.

[dcow]

> For instance, I consider the identity of the specific car I drive as being PII.

So VIN (vehicle identifier) is not included in the data collection, and, though Tesla collects the anonymized data by default in the US (this is not true in countries with stricter laws requiring any data collection to be opt in instead of opt out), you opt in to sharing anything that de-anonymizes it as needed. You also generally opt in to the collection of larger or more sensitive data (even in the US), on a use-case bases. I can go into settings and enable/disable road segment data, for instance. The Tesla privacy policy is a 5 min read and deliberately accessibly worded.

I know you're acting in good faith, but I see this theme reappear on HN (and generally) where people cry out for change, society responds, and then the people who asked for change are too jaded to believe that it's possible that somebody listened. Or it's "too big of a research project" to care. That's the reason I'm even arguing the point here. If we were talking about Facebook I wouldn't give it the time of day because there just isn't anything redeemable about their past actions or current product. But you're talking about how you are compelled to go buy an old used gas guzzler as your next car because there isn't a car company today that is possibly trustworthy. As a person who cares about privacy and security, and as a Tesla owner, I'm simply challenging you to maybe check your gut heuristic on Tesla, because they make a really good product, have been positively received in the security community, and have a privacy policy that reads like they care about treating your data with respect. I could be wrong in the future and you get to say I told you so. But if not, they might be a solution to your problem once you're in the market.