Hacker News

Indeed, this seems to be exactly the area where the Data Act could be used to regain access. Unfortunately it seems that it's not possible to directly sue (e.g.) Volkswagen to get access, unlike the GDPR where you have direct standing under article 79 [1].

There doesn't seem to be much written about enforcing the Data Act, so I looked at the regulation directly. Article 39 [2] seems to require to first lodge a complaint with the competent authority as designated by the member state of your residence. Then when that authority invariably fails to act – I have no idea which timeframe we're talking about here – you can "in accordance with national law, either have the right to an effective judicial remedy or access to review by an impartial body with the appropriate expertise". But then you are suing that authority, and not the company directly (edit: I was originally unsure about who to sue under article 39, but 39(3) does clarify that it is the authority).

I would very much like to be wrong about this. I can imagine Muñoz vs. Superior Fruiticola applies [3] ("it must be possible to enforce that obligation by means of civil proceedings"), but I'm not at all sure, and it's a much weaker route than the one which the GDPR explicitly describes.

Would anyone know or have better references on how to enforce the Data Act, preferably individually?

[1] https://gdpr-info.eu/art-79-gdpr/

[2] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ:...

[3] https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...

You should email Louis Rossmann, he's been helping people in similar situations.

This sure reads like a "you did nothing illegal but will attempt to make it look illegal" kind of thing. Like putting the key to a public space under the doormat, with a sign "key here" and then complaining you cannot use that key to access the already public space.

They alleging you have broken their encryption.. DMCA would be appropriate I would assume in this case. OTOH, if there isn't a first party way to get an auth token or a way to connect your car with home assistant, I see that as a deficiency of service.

r/opensource_legalaid let's reply and demand access to the data.

They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.

This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of miniscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.

Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.

This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances ), who are also German.

They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.

The ability to interface with your car is fundamentally at odds with the regulatory momentum that's going towards encrypted everything.

Take a look what the automotive risc-v people are working on or the requirements of the EU cyber resilience act.

John Deere started the trend with locking down the farm equipment they sell.

Is there a repo for the new project?

> Why are they shooting them selves in the feet?

They don’t. Majority of users don’t care, and some middle manager shmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.

By the way, regarding additional profit stream, to access VW data before you still needed WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access same data even though you paying already for subscription.

> Why are they shooting them selves in the feet?

Because people will still buy their cars. The average Joe has very little regard for their privacy. We've been trained to be numb.

> Is this really a tangible income stream?

Yep.

> Is it really increasing security?

Nope.

> Why are they shooting them selves in the feet?

1. They dont think anyone will stop buying their cars because of this

2. They want to make more money

3. (speculation) The drop in demand for their cars in china is leaving them fucked, they need revenue now

Most executives make commercially disadvantageous decisions in exchange for more power.

It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.

Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.

Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body they have different and sometimes wildly divergent interests.

wow - I was looking at moving from Tesla to Skoda for our next EV. Last month it was interceptor missiles for Israel and now this.

The apps now require the use of "Security Assertion" from the client.

In this case, it's by Play Protect on Android, and whatever they use on iOS.

Client attestation might be more accurate?

If they’ve done it using Secure Enclave it’s essentially physically impossible to spoof.

Which brand are you thinking of, then?

There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more

It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.

what you really looking for is API-free services/products. so it works without cloud at all.

or products/companies that explicitly expose API access to their products.

> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.

Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.

Huh, I completely missed that. I've been using python-garminconnect [0] for a few months without issues. I agree though that it's annoying, though not reason enough for me to switch away from Garmin yet.

  [0]: https://github.com/cyberjunky/python-garminconnect

We used to have them. Devices so simple anyone with a hammer could fix. Maybe not open source as we understand it today, but rather - trivially reverse engineerable, often with schematics included. Most complex would be rewiring the motor on a washing machine. Did their job fine, but you can't sell them forever, so more complex devices were introduced. Nowadays motorcycles would probably be the closest equivalent, they're often very simple to work on.

There are freely available plans for all of those things. They are just more primitive than what you have in mind.

This could equally illustrate the difference between long established multi national companies with an overbearing corporate culture vs young upstart companies with a dynamic startup culture.

It means that the request to the API contains cryptographic proof that is was generated by a legitimate, reviewed app running on a unmodified and non-rooted mobile device controlled by Apple or Google.

Volvo is also doing pretty good with offering an official API

Fleet api kinda sucks, but esphome via ble is solid. Even managed to connect $10 macropad so kids in back can control music.

Anti-competitive practices that you describe ("all car manufacturers can just agree") is definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.

I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.

https://m.youtube.com/watch?v=sa8sllg5KIU&pp=ygUOxaFrb2RhIGh...

Insert "we live in a society" meme

This is not an intelligent comment. the Nazi parry and modern-day Volkswagen have nothing in common, whereas Tesla is currently^ actively^ run by someone morally reprehensible to many.

If you had any actual understanding—:as opposed to just hearing this little factoid in passing and have been waiting for every opportunity to whip it out— you’d know that already. It’s funny as a quip, but don’t for a a second act like it’s a legitimate point, which is exactly what you’re doing.

Just because the Nsdap party created something that doesn't mean you can automatically treat it is bad. That is prejudice. Something bad happening decades and decades after the party's dissolution is not going to be directly related. It is a reach to think unsupported third party apps breaking is related.

Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.

“Nazis”: see Godwins law