I am planning to purchase a Nissan Leaf, to lower my impact on our environment when I drive to work at Veracode. Some studies have put the electricity used to produce gasoline as roughly the same as the electricity needed to drive an electric car as far as the gasoline will take a typical internal combustion engine car. The exact numbers are hard to pin down and much debated, but obviously removing the gas from the equation and getting roughly the same effect has a much lower impact on our environment.

In learning about the Nissan Leaf I read the manual for the navigation system. The manual describes in detail the information collected: location, speed, use of air conditioner and headlights, trip data, idling and braking data, and so on. Reading the list I couldn’t help think of how the data compares to the information collected by online ad networks, Carrier IQ, and malicious smartphone applications.

Then I realized: I’m not finding about this information disclosure from a Veracode report on the security of software. I’m not reading about this in an action alert from the Electronic Frontier Foundation or the Electronic Privacy Information Center. This isn’t a news article relating to the discovery of new malware. I’m not reading this report on a hackers blog. Nissan is clearly stating the information collected in the manual, in detail.

The Nissan manual also describes what features they provide using the information collected, and it is clear (although not explicitly linked) how the information collected is needed for the features to function as they should. In addition, they list how they share the data.

For example, my location is needed to show nearby charging stations and to provide local traffic information. I want to know the traffic information, and some time I’ll probably want to know where to find the nearest charger. Knowing the car’s location constantly they know the speed I travel at—that connection can’t be avoided.

I can also check the state of my battery charge before I go to the car, but Nissan can only tell me the charge level if they can collect the information from the car.

After thinking about the information uses my momentary concern over the information collected vanished. I still have some concern over the possibility that the information could be shared or stolen, and would like more control over unnecessary sharing, but that concern goes with every online transaction.

The other collectors of online information should take this approach. Explain what they collect up front, and explain why they collect it. If they need to sell the information to pay for a service given with no charge to customers, be clear about their business model. Don’t let the customers find out from a sensational newspaper article. It comes down to a basic communication skill: It’s better to present information in the way you want it presented then to let someone else presents the information in a hyperbolic manner.

What do you think? Share your thoughts and comments on this subject that I feel so passionately about.

Veracode Security Guides
Data Security Resources

About B.J. Herbison

B.J. is a developer working on the Veracode platform. He has been a security researcher for over 25 years, and has been developing web applications for over ten. Mr. Herbison started his computer security career with the Computer Security Development Group at Digital Equipment Corporation where he presented papers on network security at the National Computer Security Conference and the CRYPTO conference. He has also worked at Kendall Square Research, Data General Corporation, HighGround Systems/Sun Microsystems, and Raytheon. Mr. Herbison earned his Bachelor of Arts degree in Computer and Information Studies and Mathematics from Colgate University in Hamilton, New York along with a Master of Science degree in Computer Science from Yale University in New Haven, Connecticut.

Comments (2)

Joe Anon | January 10, 2012 12:40 pm

Leaf leaks like crazy


BHerbison | January 10, 2012 2:53 pm

I think “leaks like crazy” is an exaggeration, as the information was only sent to the owners of RSS feeds and only when the Leaf owner explicitly followed the feed from the Leaf. In any case, that security issue has been fixed.

It’s not surprising that there was a security flaw in the Nissan Leaf software, we find serious flaws in over 80% of the applications we scan. See our State of Software Security Report Volume 4 for more information. http://info.veracode.com/state-of-software-security-report-volume4.html

Please Post Your Comments & Reviews

Your email address will not be published. Required fields are marked *

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.