Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Do You Wonder Who is Collecting Data from Your Car?

August 3, 2022

If you don’t wonder, it’s time for a reality check about how many companies are collecting your data!

The Markup reported on July 27 that most drivers have no idea what data is being transmitted from their vehicles, or who exactly is collecting, analyzing, and sharing that data, and with whom. A recent survey of drivers by the Automotive Industries Association of Canada found that only 28 percent of respondents had a clear understanding of the types of data their vehicle produced, and the same percentage said they had a clear understanding of who had access to that data.

The world of connected vehicle data is vast, an ecosystem of dozens of businesses you probably never knew existed.

The Markup identified 37 companies that are part of the rapidly growing connected vehicle data industry that looks to monetize data in a world in which there are few regulations governing its sale or use.

While many of these companies stress they are using aggregated or anonymized data, the unique nature of location and movement data increases the likelihood of violations of user privacy.

So how much money is your connected vehicle data worth? Analysts predict it will be worth anywhere from $300 billion to $800 billion by 2030. Not exactly chump change.

The industry is in its infancy and under pressure to make profits to attract investors and keep them happy. As a countervailing force, the disclosure of sensitive and potentially identifying information from smartphones has caused U.S. lawmakers to threaten massive crackdowns on the collection, transfer, and sale of location data.

For a vehicle with a factory-installed cellular connection, once a driver gets into a car, dozens of sensors emit data points that flow to the car’s computer. The driver door is unlocked; a passenger is in the driver’s seat; the internal cabin temperature is 86° F; the sunroof is opened; the ignition button is pressed; a trip has started from this location.

These data points are processed by the car’s computers and transmitted via cellular radio back to the car manufacturer’s servers.

As the journey continues, more information is collected – the vehicle location and speed, whether the brakes are applied, which song is playing on the entertainment system, whether the headlights are on or the oil level is low.

The data goes from the car manufacturer to companies known as “vehicle data hubs” and on through the connected vehicle data marketplace.

Car manufacturers, also known as OEMs (original equipment manufacturers), are directly responsible for and control the collection of most vehicle data used to sell maintenance, emergency roadside assistance, and other driver convenience services.

Vehicle data hubs take in vehicle and movement data from multiple sources: from car manufacturers, other connected vehicle data providers, directly from vehicles using aftermarket hardware such as “onboard diagnostics” (OBD) dongles, or from smartphone apps. The data is then consolidated and normalized in one place for analysis and insights.

Navigation and in-vehicle infotainment companies provide dashboards with driving directions, music, and third-party apps.

Insurance companies create “usage-based” insurance and other products that offer discounts, or premium increases, based on actual driving data.

Telecom operators offer car manufacturers connectivity solutions either integrated into the vehicle or in the form of a dongle that plugs into the car’s OBD port, acting as a Wi-Fi hotspot while also tapping into the car’s telematic data.

Telematics providers make aftermarket tracking hardware and software that collect data directly from cars. They cater to commercial fleet operators and to OEMs.

So much data! Most car manufacturers, or OEMs—original equipment manufacturers—found themselves in an unfamiliar role. “What has given rise to the industry is that most OEMs have recognized that they are better at making cars than they are at processing and handling data,” said Andrew Jackson, research director at PTOLEMUS Consulting Group, which studies the connected vehicle industry.

This created an opening for a new kind of third-party data company, vehicle data hubs, which are at the center of the connected vehicle data market.

Vehicle data hubs take in vehicle and movement data from several different sources – from OEMs, from other connected vehicle data providers, directly from vehicles using aftermarket hardware (such as an onboard diagnostic [OBD] dongle), or from smartphone apps. The companies offer the data to customers in the form of a dashboard or insights derived from analysis or other data products.

Car manufacturers capture and store data differently, creating obstacles to analyzing data across the industry. Hubs solve this problem by gathering data from dozens of car manufacturers and other sources and consolidating it in one place for analysis.

Many vehicle data hubs market their massive amount of data for applications including insurance, traffic management, electric vehicle infrastructure planning, fleet management, advertising, mapping, city planning, and location intelligence. Many promote their data as crucial to the future application of autonomous vehicles.

Insurers partner with vehicle data hubs or OEMs – or collect data from smartphone apps or “onboard diagnostics” (OBD) dongles in the car.

They create “usage-based insurance” (UBI) products priced on driver data.

Allstate, Liberty Mutual, Farmers Insurance, Geico, and State Farm all offer UBI products. The companies did not respond to requests for comment.

UBI coverage is “pay as you drive,” based on mileage, or “pay how you drive,” where safe drivers get a discount and risky drivers pay a higher premium. Progressive Insurance’s “Snapshot” UBI program, for example, which draws data from a phone app or plug-in dongle in the OBD port, suggests annual savings of $156, with the warning that there may be a rate increase once Progressive sees actual driver data.

Snapshot drivers can get discounts by not slamming on brakes, avoiding late night travel, avoiding phone use while driving, and driving less.

Among the notable companies in the vehicle data hub space are INRIX, CARUSO, Verisk, LexisNexis, Otonomo, and Wejo.

For the most part, the companies say they devote a lot of time and resources to protect consumers’ privacy. They aggregate and anonymize driver data.

But due to the sensitive nature of movement and location data, risks are high for violating user privacy.

According to Bennett Cyphers, from the Electronic Frontier Foundation, “The more different ways you’re being measured in your vehicle, the more likely it is that someone can take a stream of data and use the characteristics of all of those different data points to fingerprint a particular user or a particular vehicle.”

Cyphers said the amount of personal data collected in combination with a lack of regulations for its sale and use is troubling. “When you see the volume of data that’s up for sale, and the lack of regulation in the vast majority of American states regarding how companies can use data, it seems like a match made in privacy hell.”

Regarding assurances of anonymized location data, Cyphers noted, “It is not possible to minimize individualized location data traces whenever you have several different data points about a person’s location or a vehicle’s location over time. It doesn’t matter what else you do to the data, it’s not going to be anonymized because people’s location traces are extremely unique.”

One area where the car-as-smartphone metaphor breaks down is users’ ability to grant or revoke permissions for apps to access personal data. Both Apple and Google have built fine-grained controls to review and grant permissions and have strengthened prompts to explain what data will be shared with third parties. But progress toward this level of control is slow.

EFF’s Cyphers said drivers should know exactly what data they are granting permission for and how it will be used. “If you opted into sharing location data for the purpose of accessing a navigation program on your car’s screen, your location data should only be used for the purpose of delivering that service. You can’t grant consent for one thing that you want and then have the car company use that for something else, like selling it to a data broker.”

A new federal privacy bill known as the American Data Privacy and Protection Act was voted out of the House Committee on Energy & Commerce last week. It would ensure that clear user consent is obtained for each data processing purpose, for services offered through “nontraditional devices such as cars.”

Without strict privacy laws, I’d expect sensitive data to end up in the hands of the highest bidder. That’s just how it works these days when it comes to privacy.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President
Sensei Enterprises, Inc.
3975 University Drive, Suite 225
Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology