kuizu

Wasn't the EU Data Act (https://digital-strategy.ec.europa.eu/en/policies/data-act) put in place to exactly prevent these kind of scenarios (Article 4 and 5)?

"where the user cannot directly access the data from the connected product or related service, the data holder must make the readily available data and necessary metadata accessible to the user without undue delay, in the same quality as available to the data holder, easily, securely, free of charge, in a structured, commonly used, machine-readable format, and continuously/in real time where relevant and technically feasible."

There is even special EU guidance for vehicle data for it: https://digital-strategy.ec.europa.eu/en/library/guidance-ve...

NiekvdMaas

BYD DMCA'd my whole repo to connect to their cars... https://github.com/github/dmca/blob/master/2026/05/2026-05-2... It's a shame these car makers are locking down their cars (which are bought for a premium!) and going on a crusade against open source.

venzaspa

Quite a few other manufacturers have done the same thing. I use a reverse engineered Polestar library to get charging status but I'm in the middle of building a CANBUS sniffer to do the same job because I don't trust they won't do the same thing as this.

I don't really understand it, it doesn't seem to offer a huge potential revenue stream and it pisses off the people who are most invested in your product.

vincnetas

This comment has a really nice translation of corpo-speak to human language:

https://github.com/robinostlund/homeassistant-volkswagencarn...

Why are they shooting themselves in the feet? Is this really a tangible income stream? Is it really increasing security?

nunez

I've been doing smart home stuff for a long time. This is one of the reasons why I got off of Home Assistant.

It's a very cool and functional project, but it is entirely dependent on companies keeping their APIs open, or, more commonly, companies not patching the magic that makes reverse-engineered APIs possible.

Unfortunately, developments over the years have NOT gone in their favor. Tesla, Ring, MyQ, Ecobee and probably others have closed their APIs over the years. They've usually cited "security concerns" as the motivating factor for the API closures, which has some legitimacy, but IMO it's usually driven by fear of losing subscription revenue.

(Tesla charges a lot for official OAuth apps, though, to be fair, earlier hacks relied on a leaked OAuth app that they never got around to patching. Ecobee locked HomeKit and some other stuff behind their Security+ Subscription, which is a joke considering how anemic their security platform is. MyQ definitely did it to protect their $45/year subscription; jokes on them since RATGDO is infinitely better. Ring still works for some reason, but HomeKit Secure Video support is extremely dicey in part due to the fear of them turning their API off as well.)

For someone like me who primarily used HA for HomeKit integration, depending on it is a ticking time bomb. When we moved into our new house, I focused on finding stuff that was natively compatible with HomeKit without workarounds. Our smart home works much better now because of it.

chromehearts

Seems like Google is playing a part in this? https://github.com/robinostlund/homeassistant-volkswagencarn...

Retr0id

Client Assertion is an OAuth feature, but that is not at all what is being discussed here, if anyone else was confused. It is only present in the HN title and is not mentioned on the page.

baq

With the software supply chain running amok recently, having anything connected feels like playing Russian roulette, and I say this as somebody who has been running Home Assistant for years. I'm particularly paranoid about connecting my EV (non-VW) to it now; it feels like a serious footgun today. It would've been convenient three months ago, true.

londons_explore

Seems doubtful that this security will be very strong. It won't be hard to spoof an official client.

pojntfx

There needs to be a law that makes remote attestation - no matter who provides the root certificates, Google/Apple/GrapheneOS - illegal. There is only one use for this technology right now, and it is to prevent people from doing what they want to do with the devices they own, while also making interoperability cryptographically impossible. This is anti-competitive and should simply be illegal.

ivolimmen

OK, it's clear my next car will not be a Škoda (or Volkswagen).

dest

DIY alternative with https://www.openvehicles.com/

NoSalt

This entire thing is simply ridiculous, and infuriating! Just sell me a car, or TV, or washing machine, etc. Don't sell me a multi-layered safe with different combinations for each level.

aenis

Garmin recently did something similar, resorting to TLS fingerprinting to prevent unofficial logins to their API (via the popular garth library).

They lost a lifetime customer in me. I think I have spent close to 20k on Garmin gear between my wife and myself: watches, GPS devices for cars, boats, and hiking gear. If they refuse to give me access to my data, I will (a) lobby for laws to be passed to make this mandatory and (b) absolutely never ever buy anything Garmin until I see a reversal of this policy and an apology.

More broadly though, it's yet another service that blocks API access. No doubt this is caused by the proliferation of amateurs armed with agentic tools building nice, personalized frontends for themselves. Companies seem to absolutely hate it when people don't go through their shitty websites with dark patterns, misleading search results and analytics.

verisimi

Where's the 'Open Source Car'?

Where's the open source phone?

The open source washing machine?

holoduke

I recently saw a group of automakers together during an event. The contrast between the Chinese and the Germans was bizarre. The group of German automakers were older men in black suits, all wearing badges with titles like Senior Executive Sales blablabla. Whereas the Chinese were all young people wearing casual clothing and much more engineering minded. No wonder European auto makers are doing so badly. They forgot to please people. They only know how to please their Untergang.

spuz

What does client assertion mean here? I don't see any mention in the GitHub issue.

darkwater

/me scratches VAG cars from a possible new EV purchase.

I hate Elon as much as the next guy, but Tesla is still playing the API game way better than the rest of the pack (even with the "not so new" Tesla Fleet API change).

zb3

Sad to see some people still believe raw capitalism works and that they can "vote with their wallet"... but they don't see that all car manufacturers can just agree to enshittify their products the same way and use their position to ensure you won't just "start your own car company". There's no real choice, and those in power don't care.

Only regulation can help... or a revolution, in case the political system in your country is broken.

neya

I mean, it was founded by the Nazi party, they single-handedly destroyed diesels through the world's largest scam; what ethics can you really expect from them? I find it extremely funny when people boycott Teslas for being "Nazi" but won't boycott actual Volkswagens, a company that was founded by the real Nazi party and to date has followed some of the most unethical practices in automotive history :)
