2011 Nissan Leaf
It might seem surprising in today's world of Facebook updates and Foursquare checkins, but people are still concerned about privacy. In fact, privacy concerns have resulted in major headaches (and lawsuits) for both Google and Apple in recent months, and we wouldn't be surprised if Anthony Weiner considered drafting a cease-and-desist letter to Twitter.
Now, an intrepid tinkerer has discovered yet another security issue -- and if you're a Nissan Leaf owner, it could be revealing your location (and speed!) to websites around the globe.
The issue stems from CARWINGS, the telematics system that Nissan devised for the Leaf. As we've previously mentioned, CARWINGS can do some very nifty stuff, like allow you to see how much charge is left in the EV's battery and compare your usage stats to those of other Leaf owners. CARWINGS also lets you keep up with news on the go via its built-in RSS reader -- and that's exactly where the security problem lies.
The technical stuff
Whenever you pull information from a server -- either as you're doing now, by accessing a website, or via RSS readers like Google Reader and, in this case, CARWINGS -- you have to tell that server a little about yourself. Included in that information is your IP address, which lets the server know where you are.
That's not necessarily a bad thing. For example, it allows some sites to customize news, weather, and ads, so they'll be more relevant to you. It can also provide crucial information for the police when tracking down criminals. (If this is news to you, you might enjoy a quick rundown of the HTTP request process.)
However, when Leaf owners use Nissan's RSS reader to access sites like CNN, the New York Times, or this one, CARWINGS supplies more information than usual -- a lot more. As the author of the "Casey Halverson" blog learned, CARWINGS provides the exact location of the vehicle -- latitude and longitude -- and even the speed at which the vehicle is traveling at the time of the request.
Rather than get bogged down in the technical details of this issue, it might be best to watch the author explain it on video:
At this point, there's no reason to believe that Nissan or RSS-feed providers are using the information from CARWINGS for illicit purposes. In fact, we could easily foresee a day in the not-so-distant future when this data might actually improve the driving experience by offering important news and updates, based on a vehicle's location. (What role speed might play remains a mystery.) But as we mentioned above, it invariably raises concerns about privacy -- especially since, as far as we can tell, there's no way to turn the feature off.
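Since the driver can't switch the feature off, a feed publisher that doesn't want this data can at least keep it out of its own records. The sketch below is an added example, not code from the original article, the blog author, or Nissan: it strips location fields from web-server access-log lines before they are stored. It assumes the values arrive as query-string parameters with the hypothetical names `lat`, `lon` and `speed`; the article does not give the real names, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: hypothetical parameter names; the article does not name the real ones.
SENSITIVE = {"lat", "lon", "speed"}
# Request field of a combined-format access log: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def scrub_target(target):
    """Return (target_without_location_params, names_removed)."""
    parts = urlsplit(target)
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            removed.append(name.lower())
        else:
            kept.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(kept))), removed

def scrub_line(line):
    """Rewrite one log line; lines without a request field pass through unchanged."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    target, removed = scrub_target(m.group("target"))
    if not removed:
        return line, []
    new = f'"{m.group("method")} {target} {m.group("proto")}"'
    return line[:m.start()] + new + line[m.end():], removed

def scrub_log(lines):
    """Scrub every line; return (clean_lines, number_of_lines_that_carried_location)."""
    clean, leaked = [], 0
    for line in lines:
        new, removed = scrub_line(line)
        clean.append(new)
        leaked += bool(removed)
    return clean, leaked

# Constructed sample log lines (documentation IP range, made-up coordinates).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2011:10:00:00 +0000] "GET /feed.xml?lat=47.6097&lon=-122.3331&speed=31&fmt=rss HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jun/2011:10:00:05 +0000] "GET /feed.xml?fmt=rss HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jun/2011:10:00:09 +0000] "GET /feed.xml?LAT=47.61&page=2 HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    clean, leaked = scrub_log(SAMPLE_LOG)
    print(f"{leaked} of {len(clean)} requests carried location data", *clean, sep="\n")
```

The count of affected lines doubles as a quick measure of how many incoming requests carry the extra fields.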
We'll keep digging and let you know what we find.