[SenAnder]

> In other words, it's A-OK for your car to "automatically and without authorization, instantaneously intercept, record, download, store, and [be] capable of transmitting" text messages and call logs since the privacy violation is potential, but the injury not necessarily actual.

So it's effectively legal to sell backdoored hardware and software to spy on people. I wonder what would happen if I sold backdoored phones to Volkswagen employees, execs, and their children. To judges and politicians and lawyers. A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?

[JumpCrisscross]

This is a decision made regarding Washington state law’s “statutory injury requirement” [1].

It says “a plaintiff must allege an injury to ‘his or her business, his or her person, or his or her reputation,’” with “a bare violation” of the privacy law being “insufficient to satisfy the statutory injury requirement.”

It is particular to Washington state, not all Americans. And it may not apply to a prosecutor versus private plaintiff.

[1] https://www.documentcloud.org/documents/24133084-22-35448

[RHSeeger]

That sounds remarkably like saying "it's ok to drive drunk, as long as you don't hurt anyone"; which, clearly, is ridiculous. If you're breaking the law, there should be consequences even if you didn't _happen_ to hurt someone this time.

[lazide]

Most civil law requires actual damages. It’s the same situation.

If you haven’t actually been hurt yet, suing doesn’t result in anything.

[JumpCrisscross]

To underline why, consider the consequences of letting anyone sue anyone for potential violations. Every minor perceived violation would result in a cascade of lawsuits. You could bankrupt a competitor by baselessly speculating on their wrongdoing.

Generalised lawbreaking is a public concern. It’s prosecutors’ and regulators’ jobs to protect consumers ex ante.

[lazide]

Yup, though for some things that there is a strong public policy reason to discourage, statutory damages can make a good disincentive.

Easy to argue the good/bad of it, but the California statutory damages lawsuit wave related to ADA accommodations definitely got a lot of business owners to pay attention. [https://www.thakurlawfirm.com/single-post/2020/06/15/ada-law...]

[myself248]

Which creates an incentive, if you see a shiny bit of sidewalk that might be ice, to step on it rather than stepping around it.

It's perverse and bizarre. If you avoid harm, you deprive yourself of the tools that you might've used to save others from the same harm.

[lazide]

But also don’t actually suffer that harm. Which is good?

The tricky part here is when someone is steadily stockpiling things which seem likely to cause truly irreparable harm in the future. But that act is not itself causing harm yet. For example, stockpiling tons of sensitive data.

Another example, a mine with a nearly overtopping tailings dam full of toxic chemicals is a disaster that is almost inevitably guaranteed to happen.

But civil law gives little to no method of stopping that disaster until it has already killed countless people, since - as noted - it hasn’t actually happened yet. And there is no actual guarantee that it will! Potential options do exist, but are so time consuming and high risk, good luck.

But it does give methods for those people’s relatives to get compensation after the fact at least. Which is better than some alternatives.

Which is why other types of regulatory frameworks exist, at least in some cases.

Unfortunately, as in the tailings dam case, and the icy sidewalk case, the actual smartest move is to just avoid them all together - somehow. Move? Take a different route?

Not always possible though, and being constantly on the lookout for these things is exhausting and infeasible for most.

Not sure how that is possible privacy law wise though, even for the most alert? Never engage with anyone or give anyone anything true?

[myself248]

Worse, you've got a Hobson's choice when it comes to using many of these systems. If you decline to get your data hoovered up, you simply can't participate at all. In this way, the car's contact-download is pretty benign, you can still make phone calls even if you decline the contacts.

But it's worse pretty much everywhere else. A few years ago, my data was in a breach of a health-care company I'd never heard of and never dealt directly with, they were some sort of back-end broker several layers away from us patients. Recently I went to sign up for new insurance, and I asked for a list of all companies that might handle my data, and copies of their most recent cybersecurity audit. Of course I didn't get a useful reply, and as a 'customer', I have no useful levers to pull. I have no useful information to use when selecting an insurer. And I have no recourse unless someone starts siphoning money out of my account AND I notice and can prove that it happened because of a breach.

"Never engage with anyone" equates directly to "Go be a hermit in the mountains". If that's where our privacy laws have gotten us, I think we're doing something wrong.

[RHSeeger]

Therein lies the issue. This type of thing shouldn't be civil in nature. Things that are dangerous to others and have a likelihood of causing significant damage... should be criminal in nature. Someone driving drunk is putting others at risk, but the injury isn't actualized until it is. A company forcing it's drivers to work too many hours, driving while unable to get enough sleep, is putting others at risk; but the injury isn't actualized until it is.

Along the same lines, a company gathering extensive details on the communications of and connections of others (especially without their permission) is putting others at risk. And, much like the previous example, the damage isn't actualized until it is. But it needs to be stopped _before_ the damage happens. Which means it needs to be criminal.

[simbolit]

This is why such things should be criminal offenses!

[lazide]

Yup! Or provide statutory damages instead of vague or no statutory penalties.

[zlg_codes]

As a Washingtonian I am embarrassed that my state loves to pretend its progressive but then I see shit like this, and two party consent laws that businesses can still treat like one-party.

Had the whole state pay for a stadium and a tunnel, in Seattle. So, pointless use of taxes and other wastes of my contributions.

Sadly, not an actually progressive place aside from Mutual Combat laws.

[drewcoo]

So post facto punishment and not consumer protection.

WA has a referendum system, though, so if people in WA care about this, you can get something on a ballot and vote it into law.

[smoldesu]

> A-OK until there was "actual injury", and even then, it is only the injury that would be wrong?

Hah! No, they argue that the injury is right.

For example: https://www.cbc.ca/news/politics/sikh-nijjar-india-canada-tr...

After the diplomat assassination kerfuffle, it appears that Canada invoked a communications backdoor for national security purposes. It's hard to feel bad for the dimwitted killers who plotted the entire thing on a smartphone, but it's also a statement about how widespread and de-facto surveillance is today. Even when backdoors surface, we shrug them off.

So... yeah. Until there is actual injury, and the injury isn't someone who people don't like and also don't care about. Then it will be a problem, and God help us all then.

[supportengineer]

Let's keep our older cars on the road as long as possible.

[bobim]

Let’s face it, in an energy starved world the car of the future is an e-bike. Side effect it’s free of connected BS. So far…

[falcolas]

> Side effect it’s free of connected BS. So far…

"So far" is the right qualifier. As electric scooter rentals have clearly shown, it's trivial to add in the connected BS.

[Night_Thastus]

We will not be "energy starved" anytime soon, short of an actual apocalypse happening. What we use for energy may change, but energy won't.

[bobim]

We live on free energy, free as in "dig a hole and voilà": energy. No nuclear, no solar, no wind can replace the sheer amount of energy we extract out of oil and coal. I’m afraid privacy in cars is going to be the least of humanity’s problems unless we make fusion working.

[Night_Thastus]

As fossil fuels get more expensive to acquire and renewables get cheaper and cheaper, it's really a self-solving problem.

Energy is necessary for modern society to function. It's not going anywhere nor will it decrease just because one source of it is inconvenient.

[JumpCrisscross]

> No nuclear, no solar, no wind can replace the sheer amount of energy we extract out of oil and coal

What are you basing this on? You realise we have localised grids that go 100% renewable regularly, and could easily keep doing that with electrified transport?

[kaibee]

If only there was some giant naturally occurring fusion reactor that we could siphon a bit of power from to power our things.

[olliej]

No, it's saying that because none of the information is transmitted there isn't a privacy violation - the law requires that a privacy violation actually occur, not that it "could".

e.g. that fact that there's a local call/message log on the car, and the car also has a mechanism for transmitting some data, does not mean that there's a privacy violation given that the car does not transmit the call/message log. That's the only reason this lawsuit got thrown out. It would be like saying "my phone receives messages, and stores those, and could transmit them to apple/google, therefore I should be able to sue them for the privacy violation they could do".

[adrianmonk]

> the car also has a mechanism for transmitting some data

As far as I can tell, the car itself doesn't have a mechanism for transmitting data. It just stores the data.

Transmitting only happens if/when someone gets some Berla "vehicle forensics" hardware and physically connects it to the car. The Berla equipment would do the transmitting.

From the complaint linked to by The Register[1]:

> 26. Third party Berla Corporation (“Berla”), based in Annapolis, Maryland, manufactures equipment (hardware and software) capable of extracting stored text messages from infotainment systems in Honda vehicles.

> 27. Berla also manufactures equipment capable of extracting stored call logs from infotainment systems in Honda vehicles.

> 28. Honda infotainment systems thereby transmit stored text messages and call logs to Berla.

And from Berla's web site[2]:

> An acquisition may require systems to be removed from a vehicle and disassembled or be performed in place in a vehicle. In either case, acquisition hardware must be attached to the vehicle or system to acquire data.

---

[1] https://regmedia.co.uk/2023/11/09/honda-infotainment-class-a...

[2] https://berla.co/ecosystem/

[olliej]

I thought the original lawsuit (in addition to the Berla/diagnostics tools extraction method) was also trying to claim that the system supported transmission of a data (which seems a thing in many new cars? crashes and what not?) even though it was in no one transmitting any of this information.

[SenAnder]

Thank you for the correction. This makes the judgement much more reasonable.

[nonameiguess]

I'm not an attorney, but I think a lot of the Internet misunderstands the law. It is legal to do this, apparently, but that doesn't mean the court is saying it's okay or they should do this, and it certainly doesn't mean anyone would be okay with you doing it. But if you managed to, then yes, it would apparently be legal. The court can only rule on what the law actually says and it says you only have grounds to sue once you've suffered an actual injury, not because the party you're trying to sue has done someone that might harm you in the future.

This is frankly a shortcoming of trying to use civil law for something like this. As far as I'm aware, this is nearly always the case that you have no grounds to sue unless you've suffered quantifiable monetary damage from someone's actions. If we just want this kind of thing to be generally illegal, then it needs to be made illegal according to criminal law or it needs to violate some law overseen by a government regulatory body with the power to levy its own fines.

[SoftTalker]

Yes, civil law is not about deciding legality. It's about deciding liability. And to do that, there has to be a harm demonstrated. The plaintiff could not do this, so the case was thrown out.

[SenAnder]

> It is legal to do this, apparently

I am extremely skeptical of this, no matter what this judge says. This seems to be a clear case of illegal wiretapping [1]. Having an illegal act perpetrated upon one, whether it is wiretapping or assault, seems a very clear "injury". It is baffling that there would have to be some kind of financial price attached to be recognized as harm by a court. A disgusting reduction of justice to mere finance, something I would expect from the cartoonishly greedy Ferengi of Star Trek, than a real court.

[1] https://en.wikipedia.org/wiki/Wiretapping#United_States

[mistrial9]

agree and - the crux here appears to be .. when you are in a moving vehicle on public roads then you have no expectation of privacy -> slippery slope -> license plate readers run by govt 24x7; license plate readers run by parking lots or retail shopping malls; interception of cell traffic via stinger units in strategic locations; interception of the driver's cell phone communications.. etc.

Gov Gavin Newsom preparing to run for President, is OK'ing these uses quickly and without public discussion

[keep_reading]

I have never seen a car do this without asking you if you want to sync contacts, calendar, and messages upon connecting to Bluetooth. iPhones also let you control this per Bluetooth connection.

Where is this being done without authorization?

[hoosieree]

Jeep owners will be upset if they can't take the backdoors off.