Volkswagen blocks Home Assistant by requiring client assertion (github.com)
venzaspa 2 hours ago [-]
Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.

I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.

summm 2 hours ago [-]
They already add cryptographic authentication to some CAN messages, so you can't change them. It is only a matter of time until they add encryption.

This is mostly a corporate problem of risk aversion in my opinion. Some department writes down a risk assessment with a list of minuscule risks, for example of some 3rd party app backend being hacked. Or just a headline "Tinkerer hacked his car to use with his home assistant" in the local press. This list circulates, and since nobody in the middle management wants to be responsible for anything, and there is no officially approved positive use case, draconian countermeasures are drafted and constructed one by one.

ornornor 1 hours ago [-]
> draconian countermeasures are drafted and constructed one by one.

Except when it’s about privacy or anything else we actually care about: then absolutely nothing is done because it would cost more than 0 to do anything.

reactordev 40 minutes ago [-]
On the contrary, lots are being done about it, they have to update their terms of service…
ethagnawl 2 hours ago [-]
Right? I imagine there would be a non-trivial sales/marketing boost for the one/first company (in any segment) to fully embrace HA. IKEA is arguably a good example of this.
andylynch 51 minutes ago [-]
This is kind of an interesting contrast with BSH (Bosch and Siemens home appliances), who are also German.

They appear to have seen making their Home Connect platform open as at least in part a matter of compliance with EU data transparency and portability laws.

vincnetas 3 hours ago [-]
This comment has a really nice translation of corpo-speak to human language:

https://github.com/robinostlund/homeassistant-volkswagencarn...

Why are they shooting themselves in the feet? Is this really a tangible income stream? Is it really increasing security?

wiseowise 2 hours ago [-]
> Why are they shooting themselves in the feet?

They don’t. Majority of users don’t care, and some middle manager schmuck, working on MySkoda, can report how “we” prevented a huge security risk and funneled valuable ~~cattle~~ user data where it belongs.

vincnetas 23 minutes ago [-]
By the way, regarding the additional profit stream: to access VW data before, you still needed a WeConnect subscription (100€ a year), just that before you could use another app or automation to access the data. Now you MUST use exclusively WeConnect and partners to access the same data even though you're already paying for the subscription.
haritha-j 2 hours ago [-]
> Why are they shooting themselves in the feet?

Because people will still buy their cars. The average Joe has very little regard for their privacy. We've been trained to be numb.

> Is this really a tangible income stream?

Yep.

> Is it really increasing security?

Nope.

mrweasel 1 hours ago [-]
How is this a tangible income stream? I suspect that the amount of customers willing to pay for some weird API access or We Connect offering is rather limited. It would have to be bundled into some other solution, which again I'd guess has a limited customer base.

I have a VW and I suppose We Connect; there's not a single thing that's worth paying for, not when you have CarPlay and Android Auto (or whatever that's called). If anything I'd prefer that they'd just drop the personalization they do with users. Our car will forever assume that my wife is driving, because that's what the dealer configured and none of us care to mess around with it.

But yeah, people will buy the cars anyway, because all the automation is something that only an incredibly small segment has any interest in. It's just weird that those who actually care about connected cars are the only ones VW is punishing with this move.

rootusrootus 19 minutes ago [-]
> I suspect that the amount of customers willing to pay for some weird API access or We Connect offering is rather limited

I tend to agree. But the counterpoint is Tesla. They charge for API access, and there are several businesses that exist to make that data available to customers. I don’t know how valuable it really is, but it’s working. My wife would pay Ford for the level of data she was getting from TeslaFi but instead she gives it to MileIQ. It’s not huge but that adds up.

HDThoreaun 3 hours ago [-]
> Why are they shooting themselves in the feet?

1. They don't think anyone will stop buying their cars because of this

2. They want to make more money

3. (speculation) The drop in demand for their cars in China is leaving them fucked, they need revenue now

close04 2 hours ago [-]
Unfortunately I think they're right on #1. In the grand scheme of things the lost sales because of this change are a drop in the bucket. HA and similar tools are not that popular, very few people who have their mind set on buying a VW will change their minds because of this alone.

What's worse is that other manufacturers are starting to do the same thing. They all see unofficial integrations as lost revenue (less of your data to sell because you don't use their app), and higher costs because the usage still comes on their cloud spend bill.

I was talking to my gadget-passionate (but not techie) best friend when the company making our cars made it more difficult to authenticate using the HA integration. He looked at me like I switched to an alien language. "Who cares? Don't you use the app?".

pydry 2 hours ago [-]
Most executives make commercially disadvantageous decisions in exchange for more power.

It's practically a law of business: executives prioritize their power first and their company's profit margins second. This is one reason why outsourcing coding was so popular despite not saving money and being so commercially disastrous - execs were in the driving seat with that relationship much more than they were with us.

Despite what some people will tell you about how the home assistant consumer segment "doesn't matter" (it does) it really is more about the tangibility of control over data vs the intangibility of lost consumer goodwill.

Companies are not profit maximizing at all costs. The shareholders and the executives are not a singular body; they have different and sometimes wildly divergent interests.

izacus 2 hours ago [-]
I haven't seen anyone put this dynamic in such a clear and succinct description - the fact is that a lot of people (especially corporate managers) just hate the loss of control and will go out of their way to ban people accessing their things "wrong" - even if it's counterproductive for their larger corporation or a goal.
ra 43 minutes ago [-]
wow - I was looking at moving from Tesla to Skoda for our next EV. Last month it was interceptor missiles for Israel and now this.
Retr0id 1 hours ago [-]
Client Assertion is an OAuth feature, but that is not at all what is being discussed here, if anyone else was confused. It is only present in the HN title and is not mentioned on the page.
qmarchi 1 hours ago [-]
The apps now require the use of "Security Assertion" from the client.

In this case, it's by Play Protect on Android, and whatever they use on iOS.

londons_explore 2 hours ago [-]
Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.
brabel 2 hours ago [-]
If they’ve done it using Secure Enclave it’s essentially physically impossible to spoof.
Retr0id 30 minutes ago [-]
The github OP reports that browser-based login still works, so it'll likely be circumventable.
dullcrisp 58 minutes ago [-]
Wouldn’t any Volkswagen keys need to cross the network to get into the Secure Enclave? Or couldn’t you exploit the Volkswagen app itself?
chromehearts 2 hours ago [-]
Seems like Google is playing a part in this? https://github.com/robinostlund/homeassistant-volkswagencarn...
baq 2 hours ago [-]
With the software supply chain running amok recently, having anything connected feels like playing Russian roulette, and I say this as somebody who has been running home assistant for years. I’m particularly paranoid about connecting my EV (non-VW) to it now; feels like a serious footgun today, would’ve been convenient three months ago, true.
pojntfx 3 hours ago [-]
There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.
pojntfx 2 hours ago [-]
There is a real chance that in 5-10 years, there will be laptops and smartphones running open processors and operating systems with UX and an OS comparable or better than the proprietary equivalent, but which are effectively useless to the average consumer because it is cryptographically impossible to use them for anything due to remote attestation proliferating more and more.
rurban 1 hours ago [-]
It already is illegal in the EU under the EU Data act. The VW executives are just criminals who don't care about the law, because they can bend it like before.
3form 22 minutes ago [-]
How so? Do you have rights to your data in secure enclaves?
5701652400 2 hours ago [-]
What you're really looking for are API-free services/products, so it works without the cloud at all.

or products/companies that explicitly expose API access to their products.

jon-wood 60 minutes ago [-]
> There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own.

Well, that and making it possible to deploy devices you own in environments where they might be physically accessible to people you don't want extracting credentials from them. Or for ensuring people can only access sensitive company information on company issued devices rather than being able to casually make a copy of any data they have access to somewhere else. Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

I'm quite firmly in favour of anything I own giving access to the data it's generating in an open format but screaming about how there's no legitimate use for attestation is quite simply nonsense.

Retr0id 50 minutes ago [-]
> Or using a phone as a credit card payment terminal without the possibility of displaying one payment amount on screen and authorising for a different amount.

It only attests that the device booted normally (locked bootloader, factory firmware, etc.). Any kind of post-boot compromise (whether it's from malware or something user-initiated) goes completely undetected and does not impact attestation status.

5701652400 2 hours ago [-]
check any T&C. direct API unauthorized access... well, is un-authorized.

they are just asserting their T&C more precisely now.

wiseowise 2 hours ago [-]
*Smugly* Huh, don’t like it? Just vote with your wallet and buy a car with better TC. Or build your own?

Caught one in the wild!

https://news.ycombinator.com/item?id=48320351

worthless-trash 2 hours ago [-]
I wonder if companies can T&C their way out of any problem.
5701652400 2 hours ago [-]
Pretty much. Correct me if I am wrong, but these T&C are treated like "local" laws (in respect to the interaction of client and business) within most jurisdictions by courts.

so even if T&C does not make sense, usually courts are in favour of enforcing them.

unless some severe contradiction with constitution or alike, or serious harm to people or something, they would throw away T&C in cases. but AFAIK that is rare.

alerighi 2 hours ago [-]
No: T&C cannot override the law, that is, a national/EU law is still superior to anything that is written in the T&C. If there is a contrast between the T&C and the law, of course the T&C are just scratch paper.
UqWBcuFx6NV4r 2 hours ago [-]
Nobody claimed that this wasn’t the case.
izacus 2 hours ago [-]
No one is claiming T&C overrides the law, but most laws (even here in the EU) give a lot of leeway to contracts (which T&C is an example of) in cases where the law doesn't establish any extra positive right.

And there's no law demanding you get access to a proprietary system (as of right now) that would override a T&C restriction.

vincnetas 2 hours ago [-]
Definitely not. You can't have T&C that are against the law, even if the consumer has agreed to that. Like you can't sell your kidney even if you want to. It's illegal.
close04 2 hours ago [-]
> T&C treated like "local" laws. so even if T&C does not make sense, usually courts are in favour of enforcing them. unless some severe contradiction with constitution or alike

It's not a "law", it's always under the law like any contract. And a court will not enforce illegal terms unless something very shady is afoot. The law always takes precedence, even "lowly" laws, not just the constitution. In case of conflict the law wins, so you can't have illegal provisions in the T&C even if you agree to them. They can give you extra rights but they can't take away the ones you have legally.

The principle is simple, the company isn't allowed to ask for illegal things. Your agreement is irrelevant because you are not entitled to legitimize an illegal demand.

The problem is you need to go to court if the company won't cooperate.

charcircuit 2 hours ago [-]
That's how local laws work. The higher jurisdiction always takes precedence over the more local one.
spuz 2 hours ago [-]
What does client assertion mean here? I don't see any mention in the GitHub issue.
fhars 2 hours ago [-]
It means that the request to the API contains cryptographic proof that it was generated by a legitimate, reviewed app running on an unmodified and non-rooted mobile device controlled by Apple or Google.
Retr0id 1 hours ago [-]
fwiw this is a correct definition of Remote Attestation, matching what is mentioned in the github thread, but Client Assertion is something mostly unrelated (an OAuth implementation detail)
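For readers who want to see what the OAuth feature named in the title actually is, here is an added example (not code from the GitHub issue, Home Assistant or any VW API) of an RFC 7523 client assertion on both sides, in the OIDC client_secret_jwt variant (HS256 over a shared client secret) so it runs on the standard library. The client proves it holds a registered secret and the server checks signature, issuer, audience, lifetime and replay; nothing in the exchange says anything about the device or the app binary, which is what remote attestation covers. Client ids, secrets and endpoints are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Value the client sends as client_assertion_type next to the JWT (RFC 7523 section 2.2).
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_client_assertion(client_id, secret, token_endpoint, now=None, ttl=60):
    """Client side: the JWT that goes into the client_assertion parameter of a token request."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,          # RFC 7523: issuer and subject are both the client
        "sub": client_id,
        "aud": token_endpoint,     # bound to the endpoint it will be presented to
        "iat": now,
        "exp": now + ttl,          # short-lived on purpose
        "jti": str(uuid.uuid4()),  # unique id so the server can reject replays
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


class AssertionVerifier:
    """Server side: validate a client_assertion and return the authenticated client id."""

    def __init__(self, client_secrets, token_endpoint, skew=30):
        self.client_secrets = client_secrets  # client_id -> shared secret (placeholder values)
        self.token_endpoint = token_endpoint
        self.skew = skew
        self.seen_jti = set()  # replay cache; a real server would expire entries at exp

    def verify(self, assertion, now=None):
        now = int(time.time()) if now is None else now
        parts = assertion.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        header = json.loads(b64url_decode(parts[0]))
        if header.get("alg") != "HS256":  # pin the algorithm; never let the token pick it
            raise ValueError("unexpected alg")
        claims = json.loads(b64url_decode(parts[1]))
        client_id = claims.get("iss")
        secret = self.client_secrets.get(client_id)
        if secret is None:
            raise ValueError("unknown client")
        expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(parts[2])):
            raise ValueError("bad signature")
        if claims.get("sub") != client_id:
            raise ValueError("sub must equal iss")
        aud = claims.get("aud")
        if self.token_endpoint not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("wrong audience")
        if not isinstance(claims.get("exp"), int) or now > claims["exp"] + self.skew:
            raise ValueError("expired")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return client_id

    def check(self, assertion, now=None):
        """None when the assertion is accepted, otherwise the rejection reason."""
        try:
            self.verify(assertion, now)
            return None
        except ValueError as exc:  # bad base64 and bad JSON also subclass ValueError
            return str(exc)
```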
verisimi 1 hours ago [-]
Where's the 'Open Source Car'?

Where's the open source phone?

The open source washing machine?

spaqin 30 minutes ago [-]
We used to have them. Devices so simple anyone with a hammer could fix. Maybe not open source as we understand it today, but rather - trivially reverse engineerable, often with schematics included. Most complex would be rewiring the motor on a washing machine. Did their job fine, but you can't sell them forever, so more complex devices were introduced. Nowadays motorcycles would probably be the closest equivalent, they're often very simple to work on.
darkwater 2 hours ago [-]
/me scratches VAG cars from a possible new EV purchase.

I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change)

connicpu 2 hours ago [-]
Volvo is also doing pretty good with offering an official API
darkwater 6 minutes ago [-]
And, does the Volvo community have something like TeslaMate built upon the API? It's not a sine qua non factor but it will move the scale a LOT in favor of a brand.
darkwater 2 hours ago [-]
But Volvo does not have cheap models with a reasonable range, unfortunately. I'm seeing right now on their Spain's website 40k EUR for a single motor EX30 with 337km WLTP which is ridiculous
eloycoto 1 hours ago [-]
EX30 in Spain starts at 29K for the small battery version, and 36 for the large battery version. The dealerships make huge discounts, to be honest.

I was dealing with this 6 weeks ago!

darkwater 10 minutes ago [-]
Yeah this surprised me. 40k is for a vehicle ready to buy immediately from their website. At the same time they have an ongoing campaign for 29k for a financed EX30 + charger installation.

But I hate to deal with car dealerships, they are the worst kind of salespeople out there, trying to sell you what they need to sell rather than what you need to buy. You need to go there with a very, very well informed opinion about it. But then they will play the discounts card...

kotaKat 2 hours ago [-]
Volvo also has the fully mandatory requirement of a consumer Google Account to use the vehicle now due to how tightly integrated Google Automotive is.
qmarchi 1 hours ago [-]
You can still use the infotainment without signing into a Google Account. The only thing that's locked out is the Play Store and 3rd party apps (which you need the play store to download).

Even Google Maps is usable without an account.

dzhiurgis 2 hours ago [-]
Fleet api kinda sucks, but esphome via ble is solid. Even managed to connect $10 macropad so kids in back can control music.
venzaspa 55 minutes ago [-]
That's pretty brave.
aenis 2 hours ago [-]
Garmin recently did something similar, resorting to TLS fingerprinting to prevent unofficial logins to their API (via the popular garth library).

They lost a lifetime customer in me. I think I have spent close to 20k on Garmin gear between my wife and myself: watches, GPS devices for cars, boats, and hiking gear. If they refuse to give me access to my data, I will (a) lobby for laws to be passed to make this mandatory (b) absolutely never ever buy anything Garmin until I see a reversal of this policy and an apology.

More broadly though, it's yet another service that blocks API access. No doubt this is caused by the proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people don't go through their shitty websites with dark patterns, misleading search results and analytics.

V1ndaar 2 hours ago [-]
Huh, I completely missed that. I've been using python-garminconnect [0] for a few months without issues. I agree though that it's annoying, though not reason enough for me to switch away from Garmin yet.

  [0]: https://github.com/cyberjunky/python-garminconnect
aenis 47 minutes ago [-]
Already minted tokens work, they broke the login process.

For now it's just TLS fingerprinting, not client attestation, so I managed to implement a working solution. But I am sure they will tighten the screws still further.

msiemens 2 hours ago [-]
Same here. I've been scraping the data from my Garmin watch for years with very little problems (first with https://github.com/tcgoetz/GarminDB, then https://github.com/sealbro/dotnet.garmin.connect).

The only annoyance is that Garmin requires 2FA if you enable the ECG feature on your smart watch/fitness tracker, but I have a small program that reads the 2FA codes from my Gmail inbox and supplies them to the scraper without too much trouble.

holoduke 3 hours ago [-]
I recently saw a group of automakers together during an event. The contrast between Chinese and Germans was bizarre. The group of German automakers were older men in black suits all wearing badges with titles like Senior Executive Sales blablabla. Whereas the Chinese were all young people wearing casual clothing and much more engineering minded. No wonder why European auto makers are doing so badly. They forgot to please people. They only know how to please their untergang.
SuddsMcDuff 3 hours ago [-]
This could equally illustrate the difference between long established multi national companies with an overbearing corporate culture vs young upstart companies with a dynamic startup culture.
tormeh 2 hours ago [-]
Yeah, this is just the difference between the "cash cow" and "question mark" companies on the BCG growth-share matrix. The Chinese companies will sooner or later turn into stodgy cash cows themselves.
calgoo 2 hours ago [-]
Yeah, is there not a saying about when the suits and bean counters take over a company the culture dies?
chao- 2 hours ago [-]
I know it as "when the Elves leave Middle Earth" from an essay of the same name:

https://steveblank.com/2009/12/21/the-elves-leave-middle-ear...

joe_mamba 2 hours ago [-]
The question is why doesn't Germany have any young upstart auto companies when the US and China do? The question being the rhetorical kind.
tormeh 2 hours ago [-]
It's not like the US has that many either. It's not the kind of winner-takes-all network effects industry that attracts venture capital outside of the Musk reality distortion field.
joe_mamba 32 minutes ago [-]
>It's not like the US has that many either.

Math was never my strong point, but AFAIK the "not that many" of the US is still a greater number than the zero of Germany.

mschuster91 1 hours ago [-]
Access to capital, mostly. The US has always been willing to grant hefty amounts of taxpayer money to startups, something culturally foreign to Germany (startups are risky, Germans don't want taxpayer money to be spent on risky adventures that might bring losses) and the US also has dozens of billions of dollars a month in 401k pension savings making their way into the asset markets.

And China, well, it's a dictatorship with effectively unlimited foreign currency reserves. They can do whatever they want.

joe_mamba 36 minutes ago [-]
>Access to capital, mostly.

German auto makers were wealthier than the US auto makers. Germany's GDP is now third in the world. There is capital.

>Germans don't want taxpayer money to be spent on risky adventures

But they wanted it to be spent on Russian gas pipelines, foreign aid, anti-nuclear activism, and in the pockets of politically connected multinationals like T-Systems to build another "government digitalization project" while their internet speed lags behind developing nations?

>that might bring losses

If they hate losses, why do they keep losing? Germany's decline in the past 15 years seems like it's a self-fulfilling prophecy. The more risk averse they are to avoid change or losses, the more they keep losing to economies who embraced change, disruption and risk.

zb3 2 hours ago [-]
Sad to see some people still believe raw capitalism works and that they can "vote with their wallet".. but they don't see that all car manufacturers can just agree to enshittify their products the same way and use their position to ensure you won't just "start your own car company". There's no real choice and those in power don't care.

Only regulation can help.. or a revolution in case the political system in your country is broken..

vladms 59 minutes ago [-]
The anti-competitive practices that you describe ("all car manufacturers can just agree") are definitely not a capitalistic thing (market competition being an important part of capitalism), and indeed regulation can improve the bad outcomes.

I think revolutions are more successful when there is some new idea of what to replace the system with. Currently I did not see anything remotely interesting (ex: french revolution came with the new idea of equality before the law, which was not the case before), and I think is mostly due to low overall education - you can't improve a system if most of the people do not think about complex issues like laws, taxes, efficiency, etc. Everybody loves to point a finger at someone and blame them (immigrants, rich people, woke people, etc.) like that would "miraculously" solve any issue.

neya 2 hours ago [-]
I mean, it was founded by the Nazi party, they single-handedly destroyed diesels through the world's largest scam, what ethics can you really expect from them? I find it extremely funny when people boycott Teslas for being "Nazi" but won't boycott actual Volkswagens, which was founded by the real Nazi party and to date has followed some of the most unethical practices in automotive history :)
UqWBcuFx6NV4r 2 hours ago [-]
This is not an intelligent comment. The Nazi party and modern-day Volkswagen have nothing in common, whereas Tesla is currently^ actively^ run by someone morally reprehensible to many.

If you had any actual understanding, as opposed to just hearing this little factoid in passing and having been waiting for every opportunity to whip it out, you’d know that already. It’s funny as a quip, but don’t for a second act like it’s a legitimate point, which is exactly what you’re doing.

neya 52 minutes ago [-]
Stop pasting LLM replies through fake accounts. Dieselgate happened very recently (in this decade). Just research your stuff before you slap a prompt onto an LLM please.
haunter 1 hours ago [-]
Insert "we live in a society" meme
trinari 1 hours ago [-]
Well so the Nazis founded VW with confiscated union capital, and after the war control of the company was basically handed over to the union to make things right.
charcircuit 2 hours ago [-]
Just because the NSDAP party created something, that doesn't mean you can automatically treat it as bad. That is prejudice. Something bad happening decades and decades after the party's dissolution is not going to be directly related. It is a reach to think unsupported third party apps breaking is related.
neya 2 hours ago [-]
While I agree with you in principle, I don't think this is followed equally. Teslas are still being vandalized to date, though. Selective outrage is a dangerous thing.
Markoff 2 hours ago [-]
Yup, I wonder if Israelis visiting Germany avoid highways.
davidwritesbugs 2 hours ago [-]
“Nazis”: see Godwin's law
5701652400 3 hours ago [-]
"non-approved 3rd parties" lol.

how are they even complaining?

even approved API clients are subject to T&C, which usually leaves room for this.

Besides, client assertions are normal API behavior. They are just technically asserting their T&C. You are either authorized to use it or aren't. And if you are not authorized, don't complain if they kick you out.

if you don't like that car/company, don't buy their product. buy competitors. that will show them much better. (or petition to government to put pressure on them).

vladvasiliu 2 hours ago [-]
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better.

I'm all for voting with my wallet, but it gets exhausting trying to be a few steps ahead. And then nothing guarantees that there won't be a rug pull once you bought the car.

> or petition to government to put pressure on them

Right. Not sure why you have to mention it, since everybody knows this works oh so well.

The problem is that all these T&Cs are just pages upon pages of legalese that not only nobody understands or even reads, but that also aren't exactly advertised before buying. "Buy our smart widget! It only works with its own app, and we'll only support it for a ridiculously short time! Please don't upgrade your phone, or it will stop working!"

Of course governments should do something about it, but even here in the EU, they don't seem too bothered. Hell, even people seem generally fine with it, judging by the number of crappy widgets they buy.

5701652400 2 hours ago [-]
true. on both accounts.
alerighi 2 hours ago [-]
> if you don't like that car/company, don't buy their product. buy competitors. that will show them much better. (or petition to government to put pressure on them).

That may be fine, but what if something is allowed at the time I've bought the car, and then the manufacturer changes their policy such that the usage that I did is no longer allowed?

BTW, to me this is bullshit, first cars shouldn't be connected to the internet in the first place, in the case that they are, I would need to be in full control of what I can do with the API, not that I need to use special software to talk to my own car.

5701652400 2 hours ago [-]
> something is allowed at the time I've bought the car,

Good point. Yet, I bet in their T&C it was covered. It was just not enforced. And usually they have a clause like "if we fail to enforce any part of the agreement, it does not constitute a waiver." So most likely it was expected all along; they were not technically adept enough to actually enforce this. Now they can.

but, if your claim stands, I bet you can win case against them.

> cars shouldn't be connected to the internet

yep, same with you on this one.
