General Motors (GM) first started tracking customers in 1996. Using its popular OnStar service, those in select GM vehicles could ask for directions, diagnose vehicle-related problems, or even disable a stolen vehicle by contacting a voice on the other end of the line.
For around $35 a month, GM provided customers with an on-demand concierge available at the touch of a button. But unbeknownst to many, OnStar required more than just a monthly subscription fee.
“Data is the currency of the digital age,” said Jim Barbaresso, Intelligent Transportation Systems lead at HTNB, told CNN last year. “Vehicle data could be the beginning of a modern day gold rush.”
This gold rush is pointing to a future where data collected by automakers might one day be more valuable than the car itself. And consumers, for the most part, remain blissfully unaware of just how much they’re giving away.
Lawmakers first noticed the problem in 2012.
In United States v. Jones, a landmark Supreme Court ruling, all nine justices voted to overturn an alleged drug dealer’s conviction after GPS data was deemed to constitute a warrantless search. Under the Fourth Amendment, US citizens are protected from unlawful search and seizure. FBI investigators violated the amendment by installing a tracking device that recorded location data without first securing a warrant.
These days, the FBI can simply dial up the automaker.
Since 2014, nearly 100 percent of GPS-equipped vehicles were capable of, or actively logging the type of data the FBI was after in the Jones case. Information such as saved GPS destinations, frequently visited locations, common routes, how often you’re inside the car, and even where you like to park are easy to come by, and there’s nothing, legally-speaking, preventing the FBI from obtaining it. There’s also nothing preventing automakers from handing it over.
They don’t even need a warrant.
Currently, the only thing resembling legislation is a 2014 letter to the FTC that promised self-policing policies were in place.
Starting with the last model year (2017) 21 automakers promised to remain transparent, obtain consent to gather data, and only share collected information with lawmakers (without a warrant, presumably) under certain conditions outlined in the vehicle purchase agreement.
Consent though, might mean something else to automakers than it means to the rest of us.
Hidden in a mountain of paperwork when buying a car is one of two types of fine print. The first states that, by signing this agreement to purchase a vehicle, you’re giving your consent to hand over collected data to automakers. The second includes an option to opt out, although you’re typically opting out of conveniences like GPS or in-car Wi-Fi as well.
Neither option is, typically, presented to the consumer at the time of purchase. Automakers rely on common human behavior, which is to skim (not read) these sorts of agreements from “trusted” entities before signing on the dotted line.
According to this Future of Privacy document, it gets worse. Newer technologies allow automakers to track information using in-car microphones and cameras, as well as external sensors that gather information about your immediate surroundings. Some cars contain facial recognition that could be used to categorize the data to individual drivers as opposed to the car itself. Apps like Apple CarPlay or Android Auto could be used to track mobile browsing, incoming calls, text messages, and additional data from third party providers.
The Washington Post paints an even more chilling picture.
Trips to homes or businesses reveal buying habits and relationships that could be valuable to corporations, government agencies or law enforcement. For example, regular visits to an HIV clinic can offer information about someone’s health.
Unlike medical records, automakers aren’t required to keep obtained information private. While it can’t prove with any certainty that your trip to the HIV clinic was health-related, as opposed to volunteering, for example, the data point is just one of many. Trip length, visits to a pharmacy upon leaving, or routine visits every few months could signify breaks in typical patterns that bring the details into focus.
For what it’s worth, automakers promise to only use this data internally unless you opt in. Chances are, though, that you already have.
And if you think this is some sort of far-fetched dystopian scenario, I’d point you to Otonomo, a third party analytics company that’s been collecting this data from automakers since 2015. The self-described “first connected car marketplace,” collects raw user data from manufacturers and packages it for distribution to interested third parties.
We’ve reached out to Otonomo, who informed TNW that the data being collected is anonymous, and used for “parking apps, smart city planning, and weather services.” Data collected includes:
- Mobility (where the car has been): GPS, Latitude, Longitude, Speed, Average Speed, Ignition On/Off
- Behavioral (how the car is driven): Acceleration, Hard Braking, Brake Pedal Pressure, Sharp turn, Fuel Consumption, Battery level, Throttle Position, ADAS, Seat belt, Windshield etc.
- Diagnostic (how the car is operating): DTCs, MIL Status, Tire Pressure, Door status, Wheel speed, SOC, ICE Engine Coolant Temperature, etc.
The company also states that it is also on course to GDPR compliance. The GDPR, or General Data Protection Regulation, is a set of strict new rules that protect European citizens from data loss. The regulation states companies must provide a “reasonable” level of protection for data, although it’s unclear at this time whether hackers or third-parties that buy and sell it are the bigger threat.
It’s a start, but it only protects European citizens, and leaves much to interpretation.
A 2015 report by Massachusetts Senator Ed Markey confirms these data sharing partnerships.
The large majority of the companies who responded (9 of 11) claimed that they do contract with third-party companies to provide the data-collecting features that they offer. In fact, 3 manufacturers specifically stated they license third party companies to transmit and store
data associated with the features.
The report details an astonishing amount of hubris by major automakers in dismissing the possibility of collected information ending up in the hands of bad actors. 16 of 16 companies who responded saw little cause for concern in regards to information leaks, as only 20 percent of cars on the road were internet connected. The other 80 percent would require specialty tools only available to mechanics in order to extract the data, tools that automakers seem convinced malicious actors couldn’t obtain.
Never mind the fact that hackers stole NSA spy tools from our nation’s leading intelligence agency.
Sen. Markey’s survey also revealed a surprising level of apathy from the general public when it comes to giving this kind of data away, although it’s not clear what the poll question actually was, or if they realized what the data could be used for. Of 3,000 people polled, 79 percent would willingly hand over the data for the sake of convenience.
If only they knew.
Edit: An earlier version of this article incorrectly stated that Senator Ed Markey was from Minnesota. He’s from Massachusetts.
Edit: Added an update with commentary from Otonomo.