Privacy Concerns Aren't Keeping Automakers From Selling Massive Amounts of Your Data

connected vehicles data transmission tablet
Connected vehicles transmit data to automakers throughout their lifecycle. Metamorworks/Getty Images

Vehicles are becoming more connected than ever, linking to their maker, other cars and smart devices. As a result, automakers are gathering heaps of driver data every day.

Location, speed, driver ability, entertainment choices, voice requests and other data points emanate from your car every time you drive.

More often than not, that data is sold to third parties, like insurance companies, trying to tailor services to the average driver. In certain jurisdictions, law enforcement can obtain a wiretap warrant to listen to your conversations in your car.

If law enforcement deems it necessary to apply for a warrant, and a judge signs off on that warrant, they can get access to a car's location history.

In some cars with roadside assistance features, law enforcement officers can apply for a wiretap warrant. Such was the case in 2014 when an FBI agent in New York's Western District applied for a warrant to track a car's location for 10 days using location information provided from the car's SiriusXM satellite radio technology.

Louisiana law enforcement officials pressed to have General Motors hand over OnStar location data in 2009 to track and arrest a suspect traveling from the state to Houston.

According to data privacy experts, most drivers don't know that data is being generated, much less the extent to which their information is being collected, packaged and sold.

University of Washington School of Law professor Ryan Calo told Newsweek that the types of information being collected are growing all the time.

"Some companies have begun to experiment with your affect," he explained. "Trying to figure out if you're tired and beginning to close your eyes. Or you're yawning. Where you're actually looking. Are you looking at the street? Are you looking at the console?"

He says that outside of California, which passed the California Consumer Privacy Act of 2018, it's difficult for an average driver to find out what data is being collected, who that data is shared with or if they can opt out of that collection. California residents have the right to opt-out of the sale of their data.

There are similar protections afforded to drivers in the European Union, but there is no U.S. federal law governing this type of privacy.

"I think that it is high time that we have national privacy legislation that would reach consumer deceiving and unfair practices by companies around privacy," Calo said.

In an interview with Newsweek, Dorothy Glancy, a law professor specializing in transportation at Santa Clara University, said that each automaker has a proprietary set of data points that they collect. There is also no standard for how long that data is kept.

"The manufacturers generally will tell you what category of data they are collecting," Glancy said. "But one of the major privacy issues about car data is that it is very, very opaque. It's very much missing the kind of transparency that most privacy regulations should require."

Google and Facebook both say that while they collect personally identifiable information to improve their service. For third-party vendors, they share non-identifiable information.

Toyota, in accordance with the California Consumer Privacy Act, tells new car buyers that in the preceding 12 months of ownership, the company may have sold personal information to third-parties, such as: contact information, consumer product and service data, consumer online activity and consumer interaction data.

Consent for Connected Services data collection is gained, according to Toyota, when you purchase or lease a Connected Services-equipped vehicle and do not deactivate that service, use Connected Services in your vehicle, agree to a subscription agreement for Connected Services, agree to an end user license agreement for your app suite and use compatible third-party services in connection with the app suite.

According to Hyundai's policy, "Hyundai may share personal information, including information about users of Services or vehicle owner information, with third parties including our affiliates and subsidiaries, authorized dealers, and licensees."

Hyundai and Toyota are not unique in their approaches.

A group of 20 automakers, as part of the Alliance for Automotive Innovation (AAI), signed onto a commitment to "provide customers with clear, meaningful information about the types of information collected and how it is used" in 2018.

"In privacy terms, we tend to argue that just implied consent is not enough," she said. "They need to have truly informed consent and active consent by everyone who uses this technology."

The AAI also commits to getting informed consent before "using geolocation, biometric, or driver behavior information for marketing and before sharing such information with unaffiliated third parties for their own use."

Currently, Calo explained, the only way for drivers to try to reign in any abuse of their data at the federal level is by filing a complaint with an "underfunded and understaffed" Federal Trade Commission (FTC).

A small patchwork exists at the state level. Illinois' Biometric Information Privacy Act, for example, allows individuals to sue companies for damages for misuse of biometric data.

Overall, Calo says that the focus on data collection tends to be on the potential harms instead of examining the benefits.

"What are the real benefits here," he asked. "Is this stuff really all that beneficial or is it a gold rush?"

He says that on the whole, the use of this data has been more about turning a profit than providing customers tangible benefits.

Ben Volkow would argue that data collection from vehicles is wholly beneficial. He's the CEO of Otonomo, a publicly traded company that places itself in the middle of automakers, vehicle data and third-parties in search of that data. They act as a middleman, advertising themselves as a "one-stop shop for vehicle data."

The company directs car data to insurance companies, fleet managers, market researchers and others. It counts BMW, Mercedes-Benz and Avis Budget Group among its clients.

Otonomo receives personally identifiable data and anonymized data, like car make, car model, geo-coding country and city, longitudes and latitudes of the vehicle location, RPM, battery voltage and fuel level.

With the caveat that they only receive personally identifiable data with explicit consent, they also receive names, your car's license plate number, any government issued IDs, telephone numbers and addresses.

Speaking with Newsweek, Volkow said that his company only receives data from carmakers that have received consent from drivers.

"Data is innocent," Volkow asserted. "If there's something wrong in the process, let's fix it. But I know that my sole responsibility around my business is always to make sure that I have all the right approvals for the data I'm getting. And this is being done."

When pressed about how those consents are acquired, however, he conceded that "maybe" the consent process needs to be strengthened.

"Openness of data without consent is very bad," he said. "I'm not saying there isn't consent but maybe consent could be more clear."

Volkow says not sharing data is just as bad, saying that he would prefer to see the democratization of data access as a way to improve the world.

"When we do this we need to have the right consents in place," he said. "But keeping data buried in basements with no access is also not a positive thing. Because the data can save you money, increase safety and improve your life so you want it shared. But I guess you want it shared in the right place with consent, visibility and transparency."

He also pointed out that on the platforms his company operates on, drivers can opt out of some data collection.

Complying with California's privacy law, Otonomo says on their website that in the last 12 months they have sold: identifiers, internet or other electronic network activity information, vehicle information, geolocation data and "inferences drawn from of the information identified" in the other categories.

At the Electronic Frontier Foundation, a nonprofit that advocates for civil liberties in the digital space, senior staff attorney Lee Tien tracks legislative efforts surrounding privacy at the state and federal level.

He told Newsweek that the legislative ideas that are being considered in Congress are not focused on a driver's privacy. Instead, they focus on what law enforcement can or cannot do regarding vehicle surveillance. He says that efforts need to be more consumer-centric.

"I think that's where we need a great deal of progress," Tien said. "Because it's the private market for information that creates all of the demand."

He says that there needs to be a better understanding of where data goes once it's sold. If an insurance company collects data to offer discounts on their products, what happens afterward? Tien asserts that it could easily be sold to data brokers, which could then be sold to law enforcement agencies.

"If every data broker is able to get its hands on that kind of data, then sell it or use it for whatever purpose, then that's the privacy problem," he said.

The only major piece of legislation that has tried to address this recently is the SPY Car Act, sponsored by Sens. Edward Markey and Richard Blumenthal.

In a statement to Newsweek, Markey said that protecting sensitive information generated by a connected car is essential.

The bill would establish cybersecurity standards in cars, create a "cyber dashboard" that would inform drivers how well any given vehicle protects driver privacy via a rating system and instructs transportation authorities to develop systems to protect against data breaches.

While the recent infrastructure bill has a slate of proposals to enhance automotive safety, he thinks addressing privacy has been left out.

"That's why I will soon reintroduce my SPY Car Act to establish strong federal standards for protecting vehicle cybersecurity and drivers' privacy," Markey said in the statement. "We must ensure that transportation innovations do not lead to privacy violations."