Toyota's bungling of customer privacy is becoming a pattern

Japanese automaker Toyota has admitted yet again to mishandling customer data – this time saying it exposed information on more than two million Japanese customers for the past decade, thanks to a misconfigured cloud environment. Toyota explained in a Japanese-language statement that it took measures to block external access …

  1. Anonymous Coward

    Is the BATFE going to publish the auto-sear plans so the rest of us who aren't felons can 3D print our own?

    1. Jellied Eel Silver badge

      Is the BATFE going to publish the auto-sear plans so the rest of us who aren't felons can 3D print our own?

      Probably not, but your typical search engine can find you plans to make your own. There's another interesting case going through the US legal system at the moment where Matt Hoover and Christopher Irvin are being charged with selling a credit card.. I mean pen holder that converts into a machine gun. Or converts a dreaded 'assault rifle' into a 'machine gun'. The card itself is apparently made out of a metal that wouldn't work, but could be used as a template to make one out of a metal that would.

      The law is that you can't sell parts that convert semi to full auto, and treats those parts as if they were machine guns themselves, which seems kinda reasonable. Perhaps less reasonable is how those parts are being defined, i.e. does possession of a template count now as possession of a machine gun? In which case would possession of a file that could print one, or a PDF or CAD file that allows someone to make one count as possession of a machine gun? If so, could big tech execs be facing 110 years in jail for supplying those parts?

      But 2nd Amendment stuff gets weird like that sometimes. It's reasonable and proportionate though, because as everyone knows, a 9mm can blow a lung clean out of a body..

    2. IglooDame

      Also, the headline Just because you can make gun parts with 3D printing doesn't mean you should is more than a bit misleading; the reported issue doesn't seem to have had much to do with how the parts were created and more with the fact that they can be used to make semi-auto firearms fire full-auto. There are plenty of other semi-auto gun parts that are eminently suitable for 3D printing, and perfectly legal to do so (at least in my USian location).

      1. Anonymous Coward

        Just Because You Can Doesn't Mean You Should

        I suppose this is of little comfort to most people, but unless the firearm was designed from the outset to be possibly-converted to full-auto operation, there's a high chance that installing an auto-sear, or whatever, will result in a firearm which rips off a few rounds, then jams.

        1. martinusher Silver badge

          Re: Just Because You Can Doesn't Mean You Should

          The typical AK / AR type assault rifle is designed to support full auto operation but degraded to semi-auto to make it saleable. In practice full auto isn't useful, it looks good in the movies but makes the gun difficult to aim, overheats it and uses a lot of ammunition. This sort of practicality doesn't concern the yahoos who crave owning a machine gun because it boosts their testosterone or something, hence the demand for tweaked receivers.

          The US had no problem instituting a machine gun ban back in the 1930s so I've often wondered why it can't be done for other sorts of undesirable weapons. (We don't actually prohibit the sale and ownership of machine guns -- Second Amendment stuff -- but getting one is made really difficult and expensive.)

          1. Anonymous Coward

            Devil was (and is) in the details

            The original machine gun ban just blocked new manufacturing, anyone that had a pre-ban gun could keep them, and many of those F/A weapons are still lurking around on the US market. At least one was used in the crossroads music festival shooting. As it turns out that sort of thing is vanishingly rare as legal automatics often cost north of $25,000, as there will never be any more legal ones made for the civilian market. As a result collectors tend to be real careful with them, and most don't get shot on a regular basis.

            So most knuckle heads skip the paperwork and the legal channels and mod existing weapons, or smuggle them in (there were a few Israelis selling AKs in Long Beach back when I was in high school, not my cup of tea though).

            Those problems highlight the core of our present situation. Legally, the only thing that would stand constitutional muster is a buyback program paired with a manufacturing ban. Simply making existing and convertible weapons illegal is itself illegal as an idea (violating several parts of the US constitution, and settled in multiple cases all the way up to SCOTUS).

            Even then, it will only add another charge to the list of felonies a shooter is already getting convicted for, if the shooter survives. And there are millions of AR pattern rifles, Glocks, and other convertible arms loose that will never be turned in.

            So I'd encourage people to push leadership on both sides to work on legislation addressing the many other facets of gun safety, as most will have immediate impacts, and won't just line the pockets of a bunch of NRA lawyers as they play whack a mole with laws that were illegal and unenforceable as written.

  2. TheMaskedMan Silver badge

    So CNIL is likely to see nil from Clearview.

    1. Paul Crawford Silver badge

      Perhaps they should take it to the global payment providers so they have to block Clearview or face fines themselves?

      Or make it a criminal case so the executives can be extradited? After all the USA is only too happy to extradite Mike Lynch.

      1. Anonymous Coward

        Payment processors will block it in Europe, not in North America. Also their executives are unlikely to be extradited for scraping the publicly accessible internet. Assuming Clearview is being honest when they say they don't do business in the EU, there is no nexus.

        1. midgepad

          Their travel plans

          might be influenced by it.

  3. OhForF' Silver badge
    FAIL

    Identification impossible?

    chassis numbers, vehicle location information and timestamps were included in the exposed data, but Toyota said nothing in the dataset could be used to identify customers based on the data alone.

    Obviously it is impossible to figure out who the owner of a car is just by getting data where it is parked every night as nobody who values his privacy would park his car anywhere near his house. /s

    1. M man

      Re: Identification impossible?

      In Japan it's illegal to own a car you don't have a parking space for.

      So uniquely for Japan, YES there is an almost 100% chance you could identify every car owner's address

    2. spold Silver badge

      Re: Identification impossible?

      ...also I only need to know that a specific individual was at a specific location at a given time (two might be better) then if there is a match I can now unravel all their movements from the data.

    3. Anonymous Coward

      Re: Identification impossible?

      and the VIN and vehicle registration totally aren't linked to the owner anywhere, right?

  4. JanCeuleers

    Seems like basic controls, such as internal audit, were missing.

    Should regulators require companies suffering data breaches to achieve ISO27K certification?

    1. ChoHag Silver badge

      By the time it gets to controls it's already too late. They should (as should their customers!) be asking why they even have the data. You can't lose what you haven't got.

      Who is it so valuable to that it warrants building a system for the collection and storage of such sensitive data? It didn't just turn up on its own.

      1. Anonymous Coward

        "Who is it so valuable to"

        Marketing gets all hot and steamy when it gets to customer data. Always have, always will. Before Internet they would try to make you fill in paper surveys, then it became online surveys, but the ideal way is to axe the middleman and just collect the data yourself.

        It doesn't matter if it is useless or not, the simple act of possessing heaps of customer data works wonders for a marketing critter's libido.

        1. Doctor Syntax Silver badge

          You'd like to think that at some point the board gets sufficiently worried that they start sending internal security to check just what marketing are hoarding.

      2. hoola Silver badge

        And this is the crux of the entire issue.

        The data is now compromised and has been exposed. That cannot be reversed. Until the penalties for this are actually meaningful and enforced, nothing is going to happen.

        Look at all the breaches that have happened:

        Usually years after the event there are a few fines that are irrelevant.

        Who is at fault or allowed the breach to occur does not matter. If a company is the custodian of the data then they are automatically responsible. If there is a breach they should have activities and assets constrained.

        The trouble is that nobody can be trusted and all that will happen is the incidents will not be reported. That takes us full circle if the breach comes to light and was not reported, freeze everything so they cannot do business and make executives actually liable.

        Things like being banned from directorships, prison, assets seized.

        Maybe a bit extreme but bluntly, nobody involved in these endless breaches of personal data appears to give a stuff.

        1. Doctor Syntax Silver badge

          The penalties should be big enough to bring a few companies down in a blaze of publicity. It's the only thing that will motivate boards and shareholders to be pro-active. And no nonsense about being too big to fail - the bigger the business the bigger the blast radius when the breach happens.

  5. CowHorseFrog Silver badge

    I've said it before, the software health of our systems across all sorts of industries is terrible. At least half of all developers shouldn't be allowed near a computer especially in a professional capacity, they write code that is not only poorly documented, but even more worryingly dangerous, no parameter checking, poor logging, no error checking, no tests. It's all hanging by a wire, only a few moments from disaster.

  6. Henry Wertz 1 Gold badge

    PDF/CAD files

    "In which case would possession of a file that could print one, or a PDF or CAD file that allows someone to make one count as possession of a machine gun? If so, could big tech execs be facing 110 years in jail for supplying those parts?"

    Oh they had a case on that described here: https://reason.com/volokh/2018/07/10/us-government-drops-prohibition-on-files/

    In short, restrictions on CAD files and the like were put in place in the US in 2015 or perhaps a year previously; a lawsuit was filed in 2015, and the gov't settled (dropping all restrictions on these files) in 2018. This lawsuit's primary argument was that this was a violation of First Amendment rights (which I think is a fair argument, freedom of speech in the US is guaranteed. Producing or dealing in illegal items is illegal; discussion on how they COULD be produced is not.)

  7. Anonymous Coward

    Like T-Mobile?

    Let us know when they surpass T-Mobile's ineptitude.

    1. WolfFan

      Re: Like T-Mobile?

      It seems that being wide open for a decade blows right past T-Mob. Something that takes real talent.

      I have devices on T-Mob, and a Toyota. Time to go change passwords. Again. And to think dark thoughts about what should be done to T-Mob and Toyota marketing and senior management. Something involving Komodo dragons would be a good start.

  8. phogan99

    "However, the GDPR prohibits the processing of data belonging to EU citizens regardless of whether an organization does any business on the continent. ®"

    Countries or blocs can make whatever laws they want, that doesn't mean they're enforceable outside their borders. If Clearview's statement about not doing business in the EU is accurate, the CNIL's ability to enforce it is down to finding a sympathetic judge in the U.S. who is willing to enforce it...which seems unlikely.

    1. Terje

      I don't see that they would object too much over this seeing as doing so would be equivalent to telling the EU it's fine to do the same in response, and the US is way more happy to fine European companies and individuals than the other way around.

    2. Dan 55 Silver badge

      It doesn't matter, Clearview still slurped UK and EU citizens' data. They are amassing GDPR breaches and it's difficult for a judge to just throw out a case just because it comes from the UK or an EU country, CCPA is a thing and the comparisons between GDPR and CCPA can easily be made. They also settled with the ACLU which is as good as admitting guilt so why shouldn't they pay up for GDPR breaches?

      1. prh99

        Clearview is in New York which is where any suit filed to collect would need to be filed. So California's law could be considered, but that's not a sure thing.

        This isn't a court decision, it's regulatory meaning it doesn't benefit from uniform foreign money judgment laws in most states. Even if it was, I don't know if it could satisfy the jurisdiction requirements.

        They settled with ACLU 'cause they had Illinois residents' pictures and Illinois law enforcement etc as clients. Meaning they violated the biometric privacy law and were doing business in the state.

        I don't think it's likely the U.S. courts will make them or accept extra-territorial jurisdiction over data scraped from the public internet to enforce a fine based on a foreign law.

    3. midgepad

      ...or finding

      an officer of the company, current, ex, or future, in the EU or anywhere with relevant treaties with the EU.

      Which includes some parts of the Caribbean and the American landmass.

      The USA is a big place, perhaps big enough for all concerned.

      1. Anonymous Coward

        Pressure

        Clearview can try to skate the fines and hide outside the EU courts' direct jurisdiction, but outside the US that will start getting tricky, and their staff may face increasing travel risks if they don't want to get scooped up because of an INTERPOL flag or similar.

        Canada and other non-EU nations may take a similarly dim view of Clearview's activity, and they will be permanently shut out of the EU market, conferences, etc. Multi-nationals operating in the EU may get caught in the crossfire, which will cut them out of larger and larger numbers of Fortune 500 companies.

        Lastly, the fines and avoiding them will cause further brand damage to their credibility.

        So even if the EU never sees a dime, the sanctions can help pressure changes in Clearview's policies.

  9. VoiceOfTruth

    Find a way to extradite them

    -> Whether Clearview would ever pay either fine is unclear.

    If the boot was on the other foot, the USA would.

  10. Claptrap314 Silver badge
    Mushroom

    Nice bit of data you've got there...

    So Clearview, a US company operating in the US, scrapes internet pictures sourced in the EU contrary to EU law, as determined by EU courts. I expect/hope for the EU courts to quarantine the data. Specifically, they should rule that anyone who accesses the data will have to pay the entire fine. In other words, they should ban Clearview like various Russian entities have been banned, along with any company that gains access to the data.

    Make the data worthless to Clearview.

    No violation of sovereignty on any side. Let the EU do what the first job of any government is supposed to be--protect its citizens.

    1. An_Old_Dog Silver badge

      The Devil's in the Details

      Specifically, they should rule that anyone who accesses the data will have to pay the entire fine.

      With a law like that, if www.funnycats.com was scraped by Clearview, and I go to www.funnycats.com and access a pic which Clearview had scraped, I'd get hit with the full fine. If by "accesses the data" you mean, "accesses the data via Clearview", how would you prove/disprove the company accessed it via Clearview, and not in some other, independent manner?
