Ali Lakdawala
News

Cars Become Borders

8 stories · ~7 min read

Cars Become Borders

If You Only Read One Thing

Cars are no longer regulated mainly as machines. They are being regulated as data networks. GM's driver-data settlement shows the consumer version; the U.S. ban on Chinese connected-vehicle software shows the geopolitical version. The best read today is about EV standards, but the real story is that mobility is becoming an information border.

GM Shows the Car Is the Broker

The connected car did not become a privacy problem because GM hid a camera in the dashboard. It became one because an ordinary service relationship turned driving into a resaleable data feed.

California Attorney General Rob Bonta said GM agreed to pay $12.75 million to resolve allegations that it sold the names, contact information, geolocation data, and driving-behavior data of hundreds of thousands of Californians to Verisk Analytics and LexisNexis Risk Solutions. TechCrunch reported that Bonta's office said GM collected the data through OnStar and made roughly $20 million from the sales. The settlement also requires GM to stop selling driving data to consumer reporting agencies for five years, delete retained data within 180 days unless it gets consent, and ask the brokers to delete what they received.

Why it matters: The important point is not the fine. A $12.75 million penalty against a global automaker is not a deterrent by itself, especially when the alleged revenue was larger. The structural move is that California is treating car telemetry as a data-minimization problem, not just a disclosure problem. In the old privacy bargain, a company could collect broadly, write a long notice, and find revenue later. California is saying the collection itself has to be justified by purpose.

That changes the economics of connected-car platforms. Automakers have spent years pitching software-defined vehicles as higher-margin machines: subscriptions, insurance integrations, diagnostics, safety features, fleet services, and over-the-air upgrades. But the same sensor stack that makes those services possible also creates a brokerable record of where a person lives, works, worships, parks, speeds, brakes, and travels at night. The car is becoming a mobile account system, and privacy law is starting to price the difference between a service the driver asked for and a dossier the driver did not.

The Guardian noted the broader sensitivity: once precise vehicle location leaks into the broker economy, consumers have little control over where it goes next. That is why this case matters beyond GM. It gives state enforcers a cleaner theory for other connected products: do not ask whether the user vaguely accepted data collection; ask whether the company needed that data for the promised service and whether downstream resale changed the bargain.

Room for disagreement: GM can fairly argue that the specific Smart Driver product was discontinued in 2024 and that the company has already settled with the FTC. The California settlement also says the data likely did not raise insurance prices in California because state law bars insurers from using driving data that way. That makes this less a live insurance-pricing scandal than a precedent about data supply chains.

What to watch: The confirming signal is whether California or another state brings the same data-minimization theory against a second automaker, broker, or insurer before the end of August.

The EV Standard Splits

The United States wants to keep Chinese connected-car technology out of the country. The harder question is what happens if the rest of the world keeps adopting it.

Rest of World reported that Chinese EV makers, led by BYD, are building a global ecosystem around batteries, chips, charging, software, and local distribution partnerships, while U.S. restrictions increasingly block Chinese vehicle software and collaboration from American roads. BIS says its connected-vehicle rule restricts the import or sale of covered vehicle technologies with sufficient China or Russia nexus because those companies may be compelled to share data or allow remote access. The BIS compliance guide says model year 2027 vehicles cannot incorporate Chinese or Russian covered software, and vehicle-connectivity hardware restrictions arrive for model year 2030 or January 1, 2029 for non-model-year components.

Why it matters: This is not just a tariff story. Tariffs make imported Chinese EVs expensive. Software and hardware bans make Chinese vehicle systems legally radioactive inside the U.S. market. That distinction matters because EV competition is moving from the car as a finished object to the car as an integrated stack: battery chemistry, charging standard, autonomous-driving data, supplier tooling, update cadence, and distribution.

China's advantage is integration. BYD designs batteries, chips, and software together, while many U.S. automakers still stitch together vendor systems. Rest of World cites one sharp example: China and Japan are developing the ChaoJi charging plug, which can handle almost four times the power of Tesla's North American Charging Standard. It also notes that China has roughly 2,300 self-driving taxis across 30 cities, compared with about 700 in five U.S. cities. Scale feeds the data loop; the data loop improves the software; the software makes the standard more attractive abroad.

The U.S. counterargument is serious. A connected car is a rolling sensor platform, and dependence on Chinese software in transportation infrastructure creates real security exposure. ITIF, a Washington competitiveness think tank, argued last week that keeping Chinese EV firms from embedding in the U.S. market is both an economic and national-security necessity. The tradeoff is that protection can become isolation when the protected market stops shaping the global standard.

Room for disagreement: The ban may buy U.S. automakers time to rebuild domestic software, battery, and charging capacity without Chinese firms setting the terms. That is a plausible industrial-policy bet. But time only has value if it is used to close the capability gap; otherwise the U.S. ends up with a protected home market and weaker products abroad.

What to watch: The near-term test is the July 1 USMCA review. If connected-vehicle software, Chinese supplier content, or Mexico-based Chinese EV production becomes a formal negotiating item, the U.S. is turning the car stack into a North American border regime.

The Contrarian Take

Everyone says: These are two different stories: GM is a privacy enforcement case, while Chinese EV restrictions are national-security policy.

Here's why that's wrong (or at least incomplete): They are the same story at different scales. In both, regulators have stopped treating the car as a self-contained product and started treating it as a node in a data network. California's theory is that the driver did not consent to the data supply chain created around OnStar. Washington's theory is that the country should not accept a vehicle supply chain that can be reached through Chinese software, hardware, or legal compulsion. The common denominator is not cars. It is control over who gets to observe and update physical movement.

Under the Radar

  • The FCC wants KYC for voice providers. The FCC's robocall proposal is not a final phone-number ID mandate, but the fact sheet asks whether providers should collect names, physical addresses, government-issued ID numbers, alternate phone numbers, and supporting records before granting service. The identity perimeter is moving from apps and age gates into telecom origination.

  • LayerZero made bridge security a governance problem. After the KelpDAO exploit, LayerZero apologized and said it made a mistake by allowing its verifier to act as a 1-of-1 DVN for high-value transactions. The point is broader than crypto: configurable security defaults become systemic risk when users inherit them without understanding the tradeoff.

Quick Takes

  • IREN bought the cloud control plane. IREN agreed to acquire Mirantis for about $625 million in stock, adding Kubernetes orchestration, enterprise support, and cloud-infrastructure software to its AI-cloud push. The signal is that GPU landlords are learning that power and chips are not enough; customers need a usable operating layer on top of the cluster. (Source)

  • Nvidia's capital loop keeps widening. TechCrunch, citing CNBC, says Nvidia has committed more than $40 billion to equity investments in AI companies this year, including OpenAI, Corning, and IREN. The bullish read is moat-building. The skeptical read is circular demand support: the supplier funds the customers and infrastructure that later buy its chips. (Source)

  • The KelpDAO damage is not just the headline theft. Galaxy's analysis says the ~$290 million exploit left bad-debt concentrations across L2 chains, including estimated shortfalls on Mantle, Arbitrum, Base, and Ink. Cross-chain infrastructure sells composability, but when verification fails, composability becomes how losses propagate. (Source)

  • Oracle showed remote work's labor-law edge. TechCrunch reported that some workers in Oracle's estimated 20,000 to 30,000 layoffs tried to negotiate better severance after losing soon-to-vest RSUs, while remote classifications complicated WARN Act protections. The structural point is that distributed work can weaken location-based labor triggers just as AI-era layoffs test white-collar bargaining power. (Source)

The Thread

Today's common thread is that software turned physical infrastructure into policy terrain. A car generates data like a phone, updates like a computer, travels like a border-crossing device, and connects to brokers, insurers, chargers, cloud systems, and governments. That is why the regulatory fights are converging. Privacy law, national-security law, telecom rules, DeFi bridge security, and AI-cloud M&A all point toward the same structural shift: control is moving to the layer that verifies identity, governs data movement, and decides which networks can connect.

Predictions

New predictions:

  • I predict: By 2026-07-15, at least two voice-provider or wireless-industry trade groups will file comments opposing identity-collection or record-retention duties in the FCC's robocall proposal. (Confidence: medium; Check by: 2026-07-15)
  • I predict: By 2026-06-30, at least two cross-chain bridge or restaking protocols will announce verifier-quorum changes and explicitly cite the KelpDAO/LayerZero exploit. (Confidence: medium; Check by: 2026-06-30)

Generated: 2026-05-10 03:18 EDT

Tomorrow morning in your inbox.

Subscribe for free. 10-minute read, every weekday.