Get the top HN stories in your inbox every day.
moooo99
this_user
German companies, especially old school industrial ones like VW, have a very hard time understanding open platforms. The view everything through the lense of liability and compliance first. Their thinking is that if someone runs their app on a custom ROM and uses that to manipulate the app in any way, and that causes some extremely hypothetical damage, that they might be held liable for not having prevented this situation.
Obviously, the chances of that are virtually zero. But they'd rather make their product worse than assume with any kind of risk, even if it is virtually zero. That is simply the way in which German enterprises operate.
leonidasrup
It looks like the software development at Volkswagen is done by mixed bag of different deparments with different quality.
On one hand you have: Linux at Volkswagen
"Software development without Linux is no longer possible within automotive environment. Therefore Volkswagen Group IT created and maintains a Linux distribution for our developers. This short talk will highlight our starting goal to integrate into the existing environment, highlight our integration problems and solutions with contributing to upstream. Furthermore we will show where Linux desktop need to improve in future iteration to be a good fitting replacement for other systems."
https://media.ccc.de/v/4486-linux-at-volkswagen
On the other hand you have insecure implementation of telemetry: Wir wissen wo dein Auto steht
"Bewegungsdaten von 800.000 E-Autos sowie Kontaktinformationen zu den Besitzern standen ungeschützt im Netz. Sichtbar war, wer wann zu Hause parkt, beim BND oder vor dem Bordell.
Welche Folgen hat es, wenn VW massenhaft Fahrzeug-, Bewegungs- und Diagnosedaten sammelt und den Schlüssel unter die Fußmatte legt?"
https://media.ccc.de/v/38c3-wir-wissen-wo-dein-auto-steht-vo...
podnami
I’ve spent time doing software at VW and a few of its subsidiaries, and this matches my experience.
Compliance is everything, and SAFe (Scaled Agile) is deployed as a blunt instrument.
Management treats software exactly like hardware production lines—everything is just an "engineering process" that can be optimized on a spreadsheet.
The underlying assumption is that individual engineering talent is just an interchangeable commodity. Once you view developers as replaceable cogs, outsourcing the entire infrastructure to the lowest bidder in India becomes the logical conclusion.
It’s a textbook case of process-over-people driving institutional tech debt.
raxxorraxor
They have a hard time to understand software in general, software developers have a very low standing in German engineering and engineering culture has long been replaced by finance people.
And I don't think the liability is the primary problem, they have a problem with freedom and fear that they lose some mechanism for monetisation. This is why you get subscriptions for heating your arse.
vitorbaptistaa
The same company that supposedly views everything through the lens of liability and compliance does this:
> When the cars were operating under controlled laboratory conditions - which typically involve putting them on a stationary test rig - the device appears to have put the vehicle into a sort of safety mode in which the engine ran below normal power and performance. Once on the road, the engines switched out of this test mode.
>
> The result? The engines emitted nitrogen oxide pollutants up to 40 times above what is allowed in the US.
4thguy
The first thing I did when I read the parent comment was to double-check if I mixed-up my German companies.
There's only one reason why they're doing this: it benefits them in some way.
inigyou
They have to, because German society is extremely litigious and based on finding loopholes in rules.
You know how some religious groups will string a rope between two houses, count it as a roof as long as they're within a certain horizontal distance of it, so they can follow the rope on occasions when the religion says they have to stay inside, and they think God enjoys them finding these loopholes?
Germany is like that, but with lawsuits. If anyone with money finds a technicality to sue you on, they will. So you have to be extremely liability averse if you want to be successful in business. Also, liability is almost always unlimited. You can be bankrupted by a single bad lawsuit.
rickdeckard
No idea what's your source on this, but I see you're spanning quite some "rope" from
a.) a global company in the car-industry being cautious of exposing ANY risk-surface in a product because every issue making it to the field doesn't just bear the risk of very expensive recalls/fines but may also put people's ACTUAL lives in danger, to
b.) the country Germany and its whole society
> If anyone with money finds a technicality to sue you on, they will.
In the car-industry you don't need anyone with money to sue you. If you ship a car which is found to endanger participants of traffic, your company may not recover from the aftermath for years...
treszkai
What do you base this information on? I live in Germany and have no idea what you're talking about.
anonymousiam
If they have concerns about the security of their app on some platform, they have the choice to either put "security" into the app, or to trust the platform vendor to provide the security. The correct solution is the first way. Deferring trust to the platform provider is the lazy way.
If their APIs are done correctly, they shouldn't be afraid to expose them.
okanat
You're proving the previous commenter's point. VW doesn't want liability. They do not care about "security" just liability.
When they leave the "security" to the platform they can blame them in a lawsuit.
nightpool
How else would you build "security" into the app (in the sense of not allowing third-party modifications of it that would open them up to liability), except relying on hardware attestation that the app has not been modified? That attestation necessarily requires the platform provider to be involved.
meyum33
I guess this mentality makes sense if your products’ failures may lead to actual people dying. And in VW’s case it’s the correct culture working as it is supposed to? My Toyota sometimes feels like it was designed by a lawyer. But I somewhat understand given their history of being badly sued. That being said, at this day and age they probably need to evolve to accommodate some UE principles from the consumer electronics industry. Especially given how cars are getting more computer centric. Hitting a good balance between the old compliance/safety mentality and UE mentality will be hard.
fooker
It's more about rules than hypothetical liability for Germans.
It's inconceivable that someone would want to use a car outside of it's specified rules.
user3939382
VW didn’t seem too concerned with compliance when they were rigging their pollution tests.
xenocratus
They'd have you know they actually cared a bit too much about said compliance itself.
Hnedelin
And since they saw what it cost them, they are now VERY concerned with compliance.
zie
That was just engineers engineering their way into creating Electrify America :)
this_user
I mean, the only reason they did it was to be able to comply with the requirements of the test.
But the reality is that every once in a while you have a scandal like this or something like Wirecard, and it happens, because the culture is such that absolutely nobody thinks it possible. That includes officials and regulators whose first instinct will often be to come after the people trying to expose the scandal, as has happened in the case of Wirecard.
linzhangrun
“Compliance” only matters when their own interests aren’t involved
joe_mamba
Them cheating the tests WAS them ensuring THAT compliance.
In fact, that's how a lot of compliance works in industries where there's little little enforcement and relies a lot on self regulation.
nicce
> I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
Make sure that dealers know why you changed your mind.
hydrogen7800
>Make sure that dealers know why you changed your mind.
"Some nerd couldn't use their nerd phone."
What incentive does a dealer have to know or care about this?
LollipopYakuza
As a dealer, it would be frustrating especially because it is so silly. Basically, if they report any of this to HQ, it would be along the line of "I am losing the sale of a whole car over some stupid app block".
theeyescanner
Net Promoter Scores is the only thing that the marketing department cares about. So fill out that customer satisfaction survey, give them a 1 out of 5, and say why. Passives (2-4) are not even considered lol.
SapporoChris
I wonder what a Venn Diagram of people that use GrapheneOS and people that wish to purchase a Volkswagen vehicle looks like. As of April 2026, the operating system had approximately 400K active users. https://en.wikipedia.org/wiki/GrapheneOS
I wish that Volkswagen would care about this, but I suspect they have little incentive to do so.
sowbug
You could make a similar argument about voting in democratic elections. It's still important to vote.
sufficientsoup
What incentive does a dealer have to know or care why a sale fell through? Bizarre question
unethical_ban
What is the risk of letting them know that someone lost trust in VW's features due to a boneheaded decision of their software group and decided not to buy that brand at all?
snarfy
I can't even consider them after diesel gate. When I start thinking about it, it's quite sad how many car brands are terrible. I own two Mazdas. Still terrible but the least I could find.
OsrsNeedsf2P
VW is obviously not thinking that any noticable portion of the userbase uses Graphene, and someone (somewhere) is going to get a promo by making VW infra adhere to "standards" or something
riedel
Actually we need to force our European governments to use services that do not depend on foreign services (ie. Google or Apple). Then I guess it will only then become obvious to them how crazy the situation has become.
The company's have done their thing to ensure that the average guy wouldn't even try escaping their lock-in. So chances are becoming smaller and smaller to hope for a critical mass of users to complain.
J-Kuhn
Yes, the EU calls it "digital sovereignty" and is currently "in" with the EU.
znort_
which is why shaming them is a valid attempt to get them to "think". it has worked in the past (particularly with bmw!).
specially because no car really supports grapheneos, but it can be used in any car supporting regular android provided google play is installed which ensures google's certification and validation is being preserved. if i get this right bmw is actively blocking this, which would be just a dick move.
echelon
I don't use Graphene, but now I'm out of the market for a VW.
Vendor lock-in to Play services is ridiculous.
A car is a big purchase, and ideally not something I discard after a few years. I'd like it to not treat me like a second-class citizen and renter who can't make decisions over how to extend the life of my purchase.
zamadatix
It's ridiculous, but are we only saying that because we're on HN or is it because the portion of the userbase who thinks it's actually a bad thing is the larger one?
Lio
I've had the same Golf since I bought it new in 2014. I like my Golf, so it should be an easy sale for VW to sell me a replacement.
However, VW just seem to make gaff after gaff. Collecting information they shouldn't, exposing information they shouldn't have to hackers via lax security practices.
How many rakes can a company step on?
Now, they're blocking GapheneOS? They've got two hopes of selling me another 'Dub.
(Bob and No).
port11
They appear to have no clue about what customers want. We’ve had VWs in the family for as long as I can remember. After I sold my Polo, a car I truly liked, that was the last of it.
Nobody wanted the crazy touch dashboards, data collection, emissions nonsense, etc.
Just make the damn car you’ve always made. Be reliable.
askvictor
Or, for the Australians: Buckley's and none
scns
> How many rakes can a company step on?
All of em.
aucisson_masque
You're speaking of a company that made special programs to cheat on CO2 emissions during car inspections.
bojan
Same here. I'll be in a market soon and I had my eyes on a VW i4 or a Škoda Enyaq, but this makes me seriously reconsider. I really wanted to support local industry and buy a European product this time, but they are making it seriously difficult (no, don't get me even started on Stellantis).
goobatrooba
I was hesitating between a VW ID.4 and Peugeot 5008 (7 seater, much space). In the end I went for the Peugeot and it's fine. The ID was much more fun to drive, but I would have lost space and paid a lot more.
Peugeot is reasonable and works. Charging could be faster and WLTP longer, and once I had the screens restart while on the motorway which thankfully did not affect driving but was pretty terrifying. All that to say - go ahead and buy European. You'll have some issues but for me all better than to get a china car with who knows what data exfiltration and hidden issues, or a Tesla that will lock you in when the car burns. EU companies are too boring to spy and too risk averse to have tesla-like issues..
bogeholm
Mercedes has some interesting EV options, and they have some models at the moment that are not necessarily that expensive. Through the grapevine I overheard something about surplus production due to mandate to build a certain number of EVs.
If you don’t want/need a new car, the used car market in Germany is pretty active with EQAs and EQBs.
martin_a
Mercedes is terrible for EVs. Adaptive Cruise Control for example is a paid feature with a recurring subscription. Don't encourage "Car as a Service" concepts.
FabCH
Renault makes good electric vans.
Not quite an SUV, but maybe fits the same use case?
amelius
Companies just don't realize how personal computing is.
An analogy is trying to make users wear certain clothes when they use your product, and then asking why it doesn't fly.
aka13_404
This is sadly not even the full extent of it. What they did is, they locked their api entirely for anything that is not play protect certified. That means, all the cool stuff that was doable via community-driven projects is now dead in the water.
The "app" they provide is 60% advertisement, 30% features, and I unironically preferred using a Home Assistant connection instead of of it for everything. Even for automations like "when to preheat the car", since that was easier and more intuitive outside of their native function.
This also means, that charge control from the cars side is not possible to automate anymore.
Sure, one could take the position "but it was never officially promised", but for some people, including me, having the api (which is paid btw) was a selling point.
Yes, I registered specifically for this comment.
winstonp
Car apps, beside Tesla, are universally awful to use. Even Tesla's is not beyond reproach (app size is massive, for one), but at least it doesn't make me want to poke my eyes out. Apple should make a "Cars" app that's like the "Watch" app and let them standardize.
Gigachad
Why does a car even need an app? Don't they have a screen and internet connection on the car itself?
BLKNSLVR
Why does a car even need an Internet connection? I'd prefer a car without. I recently bought a 2024 model Chinese EV, and it doesn't seem to have an internet connection of its own. Neither does it seem to have an app.
Reasons I could think of for an app: Remotely check battery charge, and that would purely be for interest rather than necessity.
I get why people might like or want remote heating/cooling as well, and I'd probably use it if I had it, but it would be an exceedingly rare occurrence (although I'm more sensitive than most as to becoming a 'soft' human being).
starvar2
Starting my heating/airco at a distance, checking whether the car is charged so I can continue my trip, exporting charging session for my accountant, ...
FinnKuhn
It's for when you are not in the car. E.g. notifying you the car has finished charging or to start heating in winter.
m463
tesla is worse and starts from zero - you can't buy a tesla without installing the app.
subscribed
I feel you. From my side I try to complain / rate / review every time, even if it's a low effort action, to cost them time and in the case of the regulated companies, to slightly worsen their complaint stats.
There's enough of users to start making a difference. Really, even a low effort action raising valid concerns (security theater, a lie, google's monopolistic position, anti-competitive, etc), keywords that will make their response more careful and potential complaint to the regulator more impactful.
helterskelter
Things like this can actually be a good way to nudge a company in the right direction sometimes. Nobody uses those internal review systems, and sometimes their stats are actually important. A handful of users might make up a really big chunk of the reviews.
In a similar vein, I once met a woman who told me how she would enter every single one of those stupid contests that you'd see printed on cereal boxes and ice cream containers because literally five people enter into those things, so you're odds of winning are surprisingly high. Apparently she won a bunch of them, but her favorite was when got a week long vacation that included going on a fishing trip with Ben and Jerry of "Ben and Jerry's".
helterskelter
%s/you\'re/your/
_carbyau_
It hurts anytime there is a subscription intermediary and people are being trained to think this should be the case.
Iroh networking can't become a standard fast enough.
themafia
I feel like that should be a warranty claim. You sold me one car with a specific set of features and now you've updated it into a different one lacking those features. It's not the same car. You broke it. Fix it or pay me for it's value.
mrhottakes
They have plenty of boilerplate in the warranty to be sure they don't have to pay you for this.
themafia
Fortunately the government has demonstrated that it can regulate the terms of warranties.
z3c0
So "Play Protect" is doing all the damage to the third-party ecosystem that it'd seemed designed for.
I've slowly but surely been moving away from any service provider of any type who does not allow me to use their service without their often Play Services-dependent app. Changing vehicles would be a lot harder though.
strcat
Developers have to go out of their way to implement triggering Play Integrity API checks in their app and then retrieve the results to check on their services. They're putting a lot of effort into banning anything not licensing Google Mobile Services. It's definitely not a security feature since it permits devices with no security updates for more than 8 years but not a far more secure OS than anything Google certifies. Google doesn't allow GrapheneOS to obtain certification and certification comes with highly anti-competitive rules which would be completely unacceptable. Their licensing system has been ruled illegal in South Korea and other countries should not only do the same but ban the Play Integrity API and other related anti-competitive features. These are not actual security features and that's an excuse for the actual purpose of enforcing their GMS licensing model including forcing including a bunch of Google apps with extremely privileged access and using their builds of many OS components shipped from the Play Store.
dreamcompiler
Rivian would have gone out of business a year ago if VW had not approached them with an offer of $5.8B to rewrite all of VW's car software [0]. Because VW knew their own software sucked.
I wonder if this is a result of Rivian writing VW's software or if that effort hasn't yet borne fruit.
[0] https://en.wikipedia.org/wiki/Rivian_and_Volkswagen_Group_Te...
undefined
afarah1
Driving a rental car in Germany almost makes me cheer for the ongoing bankruptcy of their auto industry. It really needs a full reset at this point. Sad thing is EU law mandates for a modem in the car as well as intrusive driving aids that actually make driving less safe by constantly driving your attention away from the road[1]. So there is no hope to get a minimally decent car in Europe in the near future, unless a wider reset also happens at the political and social level.
Matumio
I recently saw a reportage about emergency call-takers. As you watch them work you'll notice they get an automatic call from the crashed car long before any human calls them, presumably from that modem.
I'm not arguing that the modem should be mandatory, or that you shouldn't be able to control what it does. But forcing car vendors who want to built in a modem to make this modem do an automatic emergency call by default, that seems quite sensible. Even more sensible would be if the modem did nothing unless you allow it, except when it detects that crash, but... profits.
crote
This is already sorta-kinda the case, and it is leading to a lot of issues right now.
The eCall functionality isn't exactly trivial, and due to its safety use there are probably some rather strict regulations around it. In practice this has led to many car manufacturers opting to use dedicated off-the-shelf modules for them, which are completely separate from all the connected infotainment stuff.
However, early modules were built around 2G/3G cellular technology, and cars with those were still sold well into 2025. Not a huge surprise, because its application doesn't require 4G/5G data speeds. Buuuut many countries are now actively retiring their 2G/3G networks, leaving those cars unable to place emergency calls, and with a functioning eCall module often being legally required it would mean some 2-year-old cars would no longer be road legal...
fodkodrasz
Recently I rented Cupra for a week, its assistants were non intrusive, and helpful. It was a pleasant surprise. Now don't get me started on Toyota or Hyundai assitants... BTW the video you linked features a Toyota.
Grollicus
Our Mercedes:
- beeps about the speed limit, especially if it misses a sign. For example every time starting on a parking lot it keeps the 5 kph even after multiple turns
- warns about leaving the lane, including trying to stay on the lane by slightly couter steering while ignoring yellow construction lines
- Sometimes when moving off from a standstill in a queue, it triggers all "careful you're about to crash into something"-warnings. I suspect it's detecting exhaust gasses from a car in front?
- You must not, ever, touch the turn signal to announce your will switch lanes soon, while there is still a car next to you. You'll get a loud, obnoxious warning tone. This one is especially annoing as it makes sleeping as a passenger on the autobahn basically impossible.
BLKNSLVR
My 2024-model Chinese EV allows for volume to be turned down for various things - and these volume settings are kept across 'reboots'. It makes the occasional 'bing' or 'bong' that I need to look at the screen to work out why (which is probably a 'new' safety issue caused by 'safety' settings), but it's nowhere near loud enough to awaken a sleeping passenger.
My sister-in-law has to reconfigure all of the cars safety settings every time she turns the car on as they reset to their seemingly maximal defaults upon boot.
gib444
> ... it makes sleeping as a passenger on the autobahn basically impossible.
Which people often do when sharing the driving on long drives. So, another case of it making driving more dangerous, if the spare driver can not rest properly.
techpression
Whoever came up with the idea that the car should beep loudly even close to the speed limit has clearly never driven a car. The best way to silence it is to constantly be over the speed limit or well below.
iroddis
Probably made worse by the fact that _every_ VW brand car I’ve driven has read about 10% high on the speedometer. I think I’m going 100 kph, but timing using the km markers on the highway show I’m going about 90.
When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.
After DieselGate I assumed that the high reading was to game the fuel consumption game.
Never again, VW auto group…
martinpw
> When I talked to the dealers, they said that the speedometers only have to be accurate +/- 10% according to the SAE specifications.
I believe the requirement is only one way - they can read high by a certain % but they cannot read low. Which makes sense. But that means in reality they will usually read a little high.
storus
Just use the speed reported by your GPS. Most navigation apps show the GPS-based speed.
jabroni_salad
I have a GTI and with cruise control on, the speedo and my phone's gps reads exactly the same speed.
martinpw
Was in an Uber in Korea recently traveling from the airport and the car literally beeped every 30 seconds for the entirety of the one hour drive with what presumably was a speed limit warning - a beep AND a verbal message. Seemed to be only marginally over the limit. Drove me insane. I don't know how the driver dealt with it - he must experience it all day every day.
I guess you just filter it out after a while but it definitely makes me think I need to do some research before getting a new car any time soon.
martin_a
Well, just don't drive fast than the speed limit and nothing will beep at you. Simple as that.
Positive side effect: No expensive photos will be taken, too.
techpression
Yes, let’s make people focus less on the road and instead worrying about 1km/h speeding. And where I live expensive photos are only taken way way later than the car starts beeping. It’s the real life equivalent of the cookie banner.
lnsru
This thing makes me crazy. But I can somehow ignore my Skoda’s whining. The other car was bought months before this regulation happened and I will keep it as long as I can.
skrebbel
Wait what brand does that? I need to know what car to not buy.
tonyedgecombe
Every new car sold in the EU. Most make it easy to turn off but it does default to on when you start the car.
lisper
That is one of the best, most profound and prescient videos I have ever seen.
epolanski
I rented a VW EV (the ID 5) 1 year ago in Germany and had no issues.
The driving aids can be annoying (especially when there are works on highways or similar and you need to drift beyond lines but lane assist wants to keep going in that direction) but they actually saved me from crashing the car in the parking!
I completely did not see a small wall behind the car and the car emergency broke before I made major damage.
gib444
> constantly driving your attention away from the road
Absolutely agree! After a few minutes you realise you forgot to disable one of the 'features' and then get distracted trying to do that.
Lane keep assist is broken and dangerous
Auto high beam assist is broken and dangerous
Auto cruise control is broken and dangerous
Collision detection-avoidance is broken and dangerous (thinks you're going to crash quite often in our narrow, built-up areas in the UK)
Speed sign detection is broken
Hell, even automatic wipers, after all these years, is far from perfect. I feel they should have had to prove themselves with that before being given anything more important
virgilp
How are all these "broken and dangerous"? In my car (Volvo) they work rather well. Perhaps sign detection sometimes misses signs, but so do I so I can't fault it. The others though, I rank them all somewhere between "genuinely useful" and "absolutely awesome"
frollogaston
The auto high beam blinds other drivers when it fails to detect them
gib444
N.B. I didn't write /all/ were "broken and dangerous"
But some personal examples:
- Auto high beam assist saw a car at a side junction, turned off high beam, then turned back on, mimicking a 'flash' to let the car out, which they acted on by pulling out. I had to brake hard to avoid them. I was doing 60 mph
- I was on the motorway and a stranded vehicle was on the hard shoulder and the driver decided to exit from the side closest to my lane. I went to move over slightly to give space and avoid him, and the lane assist pushed me back towards him (there was too much traffic for me to change lanes)
- Driving in built-up areas with lots of parked cars and narrow sections, the collision avoidance has pre-activated with huge beeping warnings that massively distracted me, causing me to actually nearly hit something
These were all different modern (but not high end) vehicles
Auto cruise control doesn't take into account vehicles in other lanes etc. It encourages disengagement in dangerous situations/surroundings. It is by definition dangerous
edit: and speed sign detection is probably the most broken. The constant beeping and flashing. I mean, I don't have to explain that do I? Distraction -> danger.
AJRF
I don't know how large a group who will do this is - but if the UK bans VPNs I can see Graphene having a very large target on its back.
- Buy Pixel, Get Graphene
- Use FDroid, don't sign up for Google Play, download Tor browser
- Censorship resistant access to the internet without handing over your ID.
The squeeze on the free internet happened so quick by the UK (well it took years of indifference and a failure to enshrine protections - but once they started moving the did so super fast)
Realistically we're speed running ID being tied to internet usage - create your escape hatch while you can!
leoedin
There must be 10s of millions of x86 PCs with unlocked bioses in the UK. The issue won't be running an open device. The problem is software - what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work. The next logical step is severely limiting internet traffic.
lifty
The first wave will be to mandate ID verification for online services. Some people will then start using p2p services, so the next step is to ban devices that can run non-approved software. Probably having your own VPS running your own software will also not be allowed. And like that, all the avenues for escaping control will be closed… for your safety, of course.
jasonvorhe
Don't use those services. You're not gonna miss most of the crap after a few weeks anyways. Everything else is consent.
rjsw
Am currently trying to open a business bank account in the UK, several banks require running a proprietary ID validation app.
BLKNSLVR
I want to downvote your comment to register my displeasure with the banks' actions.
torginus
I think a lot of them already do, considering you can do things like digitally sign legally binding contracts.
altairprime
> what does someone running Linux do if the government mandates online services require proprietary attestation APIs?
One dual-boots to a reputable Linux vendor’s signed/sealed OS image with secure boot enabled in BIOS, so that the attestations are valid; financially supports said vendor; contacts them quarterly with check-ins on the status of their lockdown+attestation roadmap and uses professional journalism approaches to highlight their (in/)action; and, contacts one’s relevant governing body to petition for the addition of that vendor’s signed/sealed product line to be added to the authorized signatures list by both government-sponsored apps and to the verification platforms of the competing vendors (in order to balance the necessities of attestations with an appropriate degree of anti-monopolistic protections for consumers).
> It's scary how quickly the banning is moving. The problem is what happens next. When they realise that banning things doesn't really work
This confidence that ‘attestation doesn’t really work’ is the same sort of confidence that lead the Linux user community to largely scoff at, and ignore, attestation’s threat from when it was ballistically launched three decades ago towards the future. Options are now very limited for stopping it, and largely reduced to ‘getting some Linux into the approval list’. Severe compromises in user freedom will be required for the signed+sealed distro images to receive government approvals.
Imagine if Linux were an app on a video game console and you start to see the outcome: it’s a perfectly great working environment into which all of /usr/local and /opt and /home are writable, but the lockdown prevents you from modifying the OS in any way that could defeat the attestation protections. Apps you install into /opt can only access their own /opt/prefix, apps you install into /usr/local can access $HOME. The apps you install can choose to write session data (such as digital age verification certificates) to a system-protected /data store keyed first by the kernel’s signature, and second by the vendor signature the kernel reads from the app; with the understanding that an attestation latch-forward after an exploit patch will wipe that store, and that dual-booting to a different vendor will suspend access to sessions stored by that vendor.
This is, to climb on my hobby horse for a moment, why I continue to believe that Valve will be the first Linux vendor to receive government attestation approval alongside Apple / Google / Microsoft have previously across the desktop and mobile spaces. I’d really prefer that to be Graphene, Ubuntu, and Valve — but Graphene’s customer base is hostile to this, Ubuntu doesn’t have any incentive to care, and of the Linux vendors out there, Valve has a decade-long head start on the need for a locked-down and attested platform for business reasons. All of the above falls out naturally from considering how to defend one app from another on Android, iOS, Steam Deck, and Xbox. So far as I can tell today, though, Linux intends to be left out in the cold on all this. Oh well.
m3galinux
Linux intends to be left out of all this attestation garbage because it completely undermines the point of fully owning and controlling your own devices. I don't want or need to ask permission before I run a program - not from random megacorporations, and ESPECIALLY not from any of the various governments. If some third party service wants to make sure I'm not doing anything nefarious, they should do it at the border of their servers and the services they offer.
dmantis
>signed/sealed OS image
This way we will just have unremovable age verification, spyware, online accounts to use the os, name another bs from other vendors. What's the point of Linux then? The moment big corps and the state can seal spyware into your computer, they'll happily do it.
I'd rather have a separate burn device with whatever os for state services which lives in a faraday cage most of the time and have a proper OS I control on the main device than give somebody control over it.
doublerabbit
I would never ever trust Linux from a vendor. If it's not installed by myself, I refuse to use it.
When you accept government gift in approval consider it tapped. At any point they can return to the vendor and go "install this". No? Okay bye to your certification.
Call me paranoid.
spogbiper
https://www.androidauthority.com/google-pixel-organized-crim...
“Every time we see a Google Pixel, we suspect it might belong to a drug dealer,” said a police official leading the anti-drug operation in Catalonia.."
Seems like some countries/areas are already targeting the Pixel (really its because of GrapheneOS)
HybridStatAnim8
It is far more likely that it is due to scams and grifts that pretend to be GrapheneOS, associated with GrapheneOS, or based on GrapheneOS, rather than GrapheneOS itself. Criminals tend to be not that bright.
simondotau
* the criminals we know about
RickS
I regret not signing up for Discord when they first introduced facial recognition and middle schoolers were trivially spoofing their ID checks with meme pics.
There's really something to be said for greedily signing up for most things and trying to get grandfathered before the zipcuffs tighten.
IRL, though, fuck this. Home depot added flock cams and broad facial recognition, grocery store installed turnstiles, haven't stepped foot in either since. I'm just dropping out of the IRL retail economy left and right.
undefined
jbxntuehineoh
aren't online purchases even easier to track though?
justhave2phones
> - create your escape hatch while you can!
I really, really, really dont understand why people keep avoiding saying the obvious.
DON'T TREAT YOUR PHONE AS YOUR PRIMARY ENTERTAINMENT DEVICE.
Have two phones. One is the real one. The one you use. The other one is the "cops and bank" phone.
LightBug1
Who said the UK is going to ban VPN?
Genuine question. That's news to me and I'm here.
tentacleuno
The "Technology Secretary" is actively investigating it[0].
[0]: https://www.birminghammail.co.uk/news/midlands-news/new-vpn-...
arbol
When they realise their social media ban for children doesn't work
jasonvorhe
They said so. "Nothing is off the table" was the quote, iirc.
domh
Apologies for the youtube shorts link, but Liz Kendall was on LBC yesterday talking about VPNs:
https://youtube.com/shorts/WvHl3G6KojI
I believe they're "doing research" into it, which basically means they don't understand how any of it works.
subscribed
https://stateofsurveillance.org/articles/government/uk-lords...
It mostly happened already and it's in motion.
iAMkenough
Think of the children that will bypass all of the "protections" recently adopted by the UK.
gonzalohm
How would they even do that? A VPN is just a remote machine. Anything can be a VPN
prmoustache
VW blocking third party to access their servers is one thing, the thing that I find shocking is that you need to access VW servers to obtain your charging data while this should be directly available locally from the car.
bri3d
The historical data is aggregated in some "cloud" rather than in the car, but if you want to collect and aggregate the data locally, you can still, for now at least. Car Scanner Pro and ABRP (A Better Route Planner) are both really popular for EVs for this exact use case, and both support VW EVs; they read battery charge state / voltage / temperature and operating states (speed, consumption, etc) using both standard OBD and proprietary manufacturer diagnostic IDs over the OBD port and then redo the aggregation and math that VW are doing on their end.
m3galinux
I've seen some great successes using HomeAssistant combined with one of these that connects your vehicle's various CANbuses (via OBD port) to Wifi/BLE. https://www.meatpi.com/products/wican
9cb14c1ec0
Google Play has been a huge drag on innovation and security in the mobile ecosystem. I'm actually looking forward to the time when AI kills the mobile app ecosystem so that every phone manufacturer can bundle their own "vibe-code-your-own-app" system with their devices, and the Google Play monopoly is broken.
miketery
I don't think that will happen. Sure for a minority of users the same as people running linux for their daily driver, and I definitely support it!
It's possible that we get to a place where everyone cooks their own meal (vibe coded app), and only goes out to eat sometimes (official app store). Spreadsheets are the same, you can get a lot of milage, and most still buy and use closed source software.
Reminds me of this: https://www.robinsloan.com/notes/home-cooked-app/
bflesch
I see a future where it is easier for startups to create their own mobile devices than to deliver certain functionality through the Google and Apple platforms where your own data will be used against you and where their devices can record you 24/7 without any remediation to ensure privacy.
bluGill
Unlikely for most. For some situations yes, but for most situations customers are going to demand that you work with their existing phone.
doublerabbit
Let's rewind 15 years ago when everyone was jumping and praising mobile Eco-systems. Did no one ever see this happening or were most too gullible with Facebook hugs and pokes
wongarsu
My recollection of HN 15 years ago includes a lot of annoyance with apps that could have been a website and how these walled gardens harm our freedom
doublerabbit
Got my date wrong. What about twenty years ago?
applfanboysbgon
> everyone was jumping and praising mobile Eco-systems.
Literally who?
code_duck
There were a lot of companies who thought an app was preferable to a mobile website (which is still true today). For example, around 2010-11 I was working on Etsy API stuff at the time but had no interest in making a mobile app for anything, and saw a few developers and apps acquihired by Etsy.
mystraline
The app-devs were salivating on striking it rich on a garbage app.
The rest of us groan when we hear "DOWNLOAD OUR APP" or grocery stores that want you to install their spyware coupon app.
These days, nost apps are just data exflitrators, spyware portals, and surveillance pricing initiatives, wrapped up with a "FREE THINGY" wrapping.
undefined
jsiepkes
If this is a deal breaker, then you want to avoid KIA. The KIA connect app also doesn't work on GrapheneOS due to the use of NSHC DxShield [1].
h4kunamata
VW won't be missed! Cars weren't meant to be computers on wheel.
I bought a 2025 Suzuki because it is a manual and there is no firmware update, no internet connection, GOS Android Auto is all I get and only if my phone connects with the car.
It is so weird how companies in 2026 still making such bad mistakes.
otsukare
I've used a 2023 Suzuki S-Cross (manual fwiw) and this doesn't match my experience. Which model are you using?
They have an app [0] (which doesn't sync correctly for me, and their support is awful). When working it shows things like where you last parked, fuel efficiency, and allows you to remotely lock the vehicle, so it has internet access.
I sent Suzuki a Subject Access Request as a workaround to gain access to the data, and received months of extremely accurate location, speed, etc data.
There are also software updates, you just have to do them yourself [1]. They also didn't work for me.
Software aside however, they are extremely reliable cars, most of which seems down to their simplicity.
[0]: https://play.google.com/store/apps/details?id=suzuki.app.a02...
microtonal
Connected cars can be convenient though. E.g. when doing larger trips, we usually take a break when we need to charge (get some tea, food, etc.) and it's really handy to get a notification when the car is done charging.
Also in the heat of the summer, it's nice to be able to start the air conditioning a few minutes before leaving.
jdw64
Because I frequently supply to the automotive industry, I fully understand all these issues. No matter how good many open source projects are, companies always have to face lawsuits and liability. That is why, no matter how good Linux servers are, factories use Microsoft servers. Regarding the responsibility for that software, if a problem occurs, the company that signed the contract takes on the liability. Ultimately, they shift the security responsibility to Google. It is unfortunate for open source enthusiasts, but if they do not restrict open source and an accident happens, the possibility of a lawsuit being filed against Volkswagen would be the real problem.
Cider9986
Grapheneos is compatible with over 99% of android apps. The only apps that don't work either actively block Grapheneos or have bugs caught by Grapheneos exploit protections which can be disabled.
You don't have to do anything extra to support Grapheneos, just don't add in attestation which does nothing for security and limits user freedom.
This is fundamentally different from not choosing to use Linux servers. It's more similar to not letting a customer enter your store because of the color of their skin saying they aren't regular humans. It's pure discrimination because just as the functionality of android doesn't depend on these extra checks, the customer works the same regardless of how they look.
I have 38 apps on my GOS phone and none have had any issues.
jdw64
GOS may be much more technologically advanced and secure than Android. But that doesn't mean it has official safety certifications that can be submitted to courts and insurance companies in the event of an accident. Because GOS cannot pass hardware-based keystore authentication. I generally think open source is often better. The problem is that there is no entity to take responsibility.
Cider9986
There are banks that officially support Grapheneos through their hardware attestation. Android has an open and secure attestation, but Google pushes play integrity because it enables their monopoly. Companies making apps aren't exposed to these alternatives because of Google's power so that's what they choose, it's not because of security.
dmichulke
Are you saying Microsoft ever paid damages for problems with Windows (e.g. a non-bootable computer after an OS update)?
I think they didn't, so I don't see why them having the responsibility matters.
spixy
So is this problem of german (or EU) laws?
neilv
> In my opinion, the most useful next step is to contact Volkswagen support in a coordinated and technically precise way [...] Smartphone: Google Pixel Operating system: GrapheneOS
I strongly recommend saying that the operating system is one of "Android" (there are many variants), "Android (GrapheneOS)", or "GrapheneOS Android".
But if you say only "GrapheneOS", you are practically telling VW to respond that they do not support that operating system.
bjackman
I have no plans to buy a car but I'm curious: what is the sensible choice for technical people with a reasonable amount of money?
I rent cars whenever I travel to the US and I've never not been pissed off by a car's software.
If you live in a country that makes it practica/affordable and you don't need too much range, I wonder if buying an old car with a broken engine and paying someone to do an electric conversion is a good choice?
Or maybe generally just buy a ~10 year old car, find a mechanic and say "I want this car to last a really long time, if we can build a trust relationship I will spend a lot of money in your business" and just budget for extensive proactive maintenance? Maybe with this approach you can still save money relative to a new car?
Or, is it possible to buy a newish car and then just rip out and completely replace the infotainment/climate control/etc while still keeping stuff like the parking cameras working?
Cider9986
I would get a Rivian because you can disable all connections.
jesterson
> I'm curious: what is the sensible choice for technical people with a reasonable amount of money?
I am probably the extreme minority, but I prefer cars with as little "tech" as possible. I don't need "drive assist" and sorts.
All my cars are 10+ old benzes, Nissans, Toyotas. All under good maintenance routine so giving me very little headache.
I had all sorts of stupid issues with modern cars while renting. One toyota scared the crap out of me while it imagined some pedestrian and yelled with all signs while I was going 100+ km/h on highway. Horrible crap
bjackman
The "driving" tech I want in my car is:
- Cruise control.
- Camera for parking. I guess sensors too. These are just unbelievaly useful IMO, it makes parking trivial in cases that used to require quite intense focus. I see the appeal of fully automated parking, but with cameras and a car that you have lots of experience parking I think I am fine Austin-Powers-ing into any space that the car physically fits into.
- I guess, maybe, I kinda like the thing where it automatically watches your blindspot and has a little orange light to remind you that there's a car there.
I dunno, when did cars get all that stuff? (Cruise control was basically universal in the US before I was even born I think, but not sure when the others showed up).
But then there's some non-driving tech that I do want:
- Completely frictionless navigation and media control. Android Auto just seems to be fucking nonfunctional so I think maybe what I want here is actually just a Qi mount and a reliable bluetooth controller?
- I've never had it but I bet remote climate control is really nice (warm up the wheel 5 mins before you set off on a frozen morning / turn on the AC 2 mins before you get into a car that you couldn't park in the shade).
jmward01
I want a law that requires publishing your API for apps like this as well as allowing users to crate their own frontend based on it. That would enable more privacy aware versions of these apps.
surajrmal
If you pay for the privilege of using the app, that makes sense. I can't imagine such a law would ever be made for free apps as controlling the client experience is key for enabling them to offer it for free. The reason free apps often don't have a paid tier is because the folks who would pay for it are often the key demographic they need to not pay for the entire thing to be profitable for subsidizing the less desirable demographics.
I'm not trying to suggest that these sorts of things should be this way, but if there is a server involved in the economics of maintaining that endpoint come into play and can't be ignored. Ideally things were federated and you could point your car or whatever device at and endpoint you maintain, but that comes at a cost as well as maintaining software where both client and server are controlled by the same party is an order of magnitude easier than cases where they aren't the same.
bluGill
https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty... from 1975, but is has more of what you were asking for than you might guess. And it was written about info-tainment systems (radios).
varkokonyi
[dead]
Get the top HN stories in your inbox every day.
It is amazing how Volkswagen keeps messing up. I am currently in the market for a new car, an EV specifically. Volkswagen brands were at the top of my list for many reasons, among them the excellent driving assist implementation.
I got an offer from a dealer three weeks ago and was going to order the car, then the API for the community integration got turned off. I decided to hold back and see what comes from it. Now this, which ultimately - since I am a GrapheneOS user - makes me completely cancel my plans.
I really do not understand VWs thinking here. It would cost them little to nothing to continue not blocking the the inofficial API and not block GrapheneOS (or other non Play Protect androids) users. It would have no adverse effects on the average Joe, but it would gain a lot of support and enthusiasm from heavy users, differentiating from other brands. Not to mention the fact that it is the USERS data in the first place