Your connected car: Big Brother’s little helper?
If you hadn’t noticed yet, your modern car is just another digital device. Actually, a device run by dozens to more than 100 other devices — sensors and control modules called electronic control units.
They monitor or control everything from oil pressure to airflow, coolant, engine operation, the throttle, brakes, fuel pressure, infotainment, and more.
Oh, and many of them also monitor you.
Sometimes that could be a welcome thing, such as your car calling 911 if you’ve been knocked unconscious in an accident.
But as The Markup documented recently, your “smart” vehicle is also collecting “a firehose of sensitive data” that has nothing to do with helping you in an emergency, and then transmitting it to dozens of companies. Some are major insurance or telecom brands, but many are part of “an ecosystem of dozens of businesses you never knew existed.”
Indeed, surely you’ve heard of brands like Verizon, AT&T, Geico, Liberty Mutual, LexisNexis, and others, but how about CCC-X, Otonomo, Mojio, Samsara, Verisk, Wejo, and Zeliot? There are more — The Markup listed 37, which it said was an incomplete list. Most of those that aren’t insurers or telecoms fall into the category of “vehicle data hubs” and “vehicle telematics.” That means they collect, analyze, organize, and sell data. Your data.
According to The Markup, “Most drivers have no idea what data is being transmitted from their vehicles, let alone who exactly is collecting, analyzing, and sharing that data, and with whom.”
And Sammy Migues, principal scientist with the Synopsys Software Integrity Group, said even if vehicle owners did know, the data “wouldn’t make any sense to many, and even those who understand the data probably can’t think of all ways it could be misused.”
Beyond that, even those who understand and object to it “can’t really do anything about it except not buy the car — for now, until the noncyber used car market dries up.”
Which is the future. “There will be no non-telemetry-generating cars going forward,” Migues said.
Indeed, while all those companies fly under the radar of mainstream awareness (probably because they do little to no public advertising), they are part of the nascent but growing connected vehicle data industry, which it’s estimated will be worth $300 billion to $800 billion less than eight years from now, by 2030.
According to McKinsey & Company, the ecosystem of companies interested in profiting from vehicle data — which ranges from 1 to 2 terabytes per day per vehicle — includes stationary trade and leisure, governments, advertising and marketing, content providers, third-party marketplaces, financial services, tech companies, charging and fueling providers, and infrastructure players. That list, McKinsey adds, is “nonexhaustive.”
In other words, information is not just power. It’s money — lots of money.
But obviously, vehicle information is also personal. Which means it has privacy implications. Or, more to the point, invasion-of-privacy implications. The Markup noted that vehicle data collection starts the moment a driver gets into a car. Dozens of sensors collect and send data to the car’s computer, covering everything from whether the doors are unlocked to whether there are passengers, the internal temperature, and the status of the sunroof.
Once a trip starts, sensors also collect and transmit location and speed, use of the brakes, headlights, wipers, tire pressure, what’s playing on the entertainment system, whether oil level is low, whether the vehicle needs a scheduled maintenance, and more.
Some of that data collection yields information we find convenient, like those signs on the highway telling us how many minutes it will take us to go the next 12 miles. How do “they” know that? By GPS tracking of your vehicle and all the others around you. It’s also why your smartphone directions app can tell you if there’s a traffic jam on the route you’re about to take.
So many uses
But that’s just a mini slice of the data that makes its own journey from the car manufacturer to the connected vehicle data marketplace to be, as they say, “monetized.”
In some cases, companies are up front about using data collection for surveillance. Multiple insurers offer discounts to policyholders who agree to install a sensor in their cars that will then monitor their driving — how far, when, where they go; their speed; how they use the brakes and accelerator; and more — much more. The discount on an annual premium can range to $150 or more. Of course, another way to look at it is that drivers who want to maintain their personal privacy have to pay a penalty of $150 or more.
But overall, those in the vehicle data hub and telematics industries insist there is no personal privacy risk — that the data they collect, collate, analyze and sell is aggregated and anonymized, which they say means vehicle owners don’t need to worry about being identified or surveilled.
And they argue that there are significant benefits to the collection and analysis of that date — that it’s useful for everything from traffic management to electric vehicle infrastructure planning, fleet management, advertising, mapping, city planning, and location intelligence.
Not so simple
There are mixed views on that from privacy experts.
James Lee, COO of the Identity Theft Resource Center, said those claims are generally true and that significant legal privacy protections for vehicle owners already exist. “There are 17 state laws dating back to 2003 that require consumer consent, and there is a 2015 federal law (within the Fixing America’s Surface Transportation Act) that prohibits the sharing of vehicle data without the express permission of the vehicle’s owner or lessee,” he said.
He acknowledges that the cybersecurity of that data is crucial. But he said if rigorous security protections are in place along with knowing consent and anonymization, “then all of the elements of proper data use and protection are in place.”
But Rebecca Herold, CEO of Privacy & Security Brainiacs, said it’s not that simple. She agrees there is value to data being aggregated and anonymized, but said that doesn’t make personal privacy bulletproof.
While aggregating massive amounts of data would, in theory, eliminate any way to link specific data points to specific individuals, “with artificial intelligence (AI) and machine learning (ML) tools, and even long-used rudimentary sorting algorithms, this does not protect privacy,” she said. “They can often comb through all this digital data to detangle the assumed chaos, creating ‘reidentified’ data to result in very clear views of specific individuals,” she said.
Herold added that even anonymization — stripping personalized data from datasets — can be undermined by evolving technology. “AI/ML algorithms are improving and reducing this effectiveness,” she said. “The effectiveness is reduced further when anonymized data is combined with other datasets, where even more connections to individuals can be revealed.”
And Bennett Cyphers, staff technologist at the Electronic Frontier Foundation (EFF), goes even further. He told The Markup that the combined volume of data for sale and lack of regulation in most U.S. states is “a match made in privacy hell,” adding that “the unique nature of location and movement data increases the potential for violations of user privacy.”
“The more different ways you’re being measured in your vehicle, the more likely it is that someone can […] use the characteristics of all of those different data points to fingerprint a particular user or a particular vehicle,” he said, adding that “people’s location traces are extremely unique.”
Migues is also skeptical about the promise of anonymity. While he agrees that some may strive to keep the promise of anonymity, “to suggest that all collectors and aggregators ethically and morally deidentify all data the moment they get it and never allow for it to be tied to a specific car or human is to suggest that I’ll win the next MegaMillions without even buying a ticket,” he said.
Does that mean the expected growth of this industry will simply add one more nail in privacy’s coffin?
If history is any guide, it could.
Yes, there are some federal legislative efforts that would require affirmative consent before companies can collect and share (sell) data. Besides the Driver Privacy Act of 2015 cited by Lee, more legislation is pending, including The Health and Location Data Protection Act of 2022 and the American Data Privacy and Protection Act. However, neither bill is even close to passage.
And Herold, who recently posted a blog critiquing both bills, said while they have “many great and effective ideas scattered throughout, including consent requirements,” they also have numerous flaws. She said the bill covering health and location data “will not stop the implicit sale of health data by many organizations that will claim they do not fall under the ‘data broker’ definition as written.”
More granular, more personal
And, like everything in the digital world, data collection continues to get more detailed and, as they say, “granular,” measuring everything from heart rate to driver fatigue. Which means it is more personalized and intrusive.
Even if data is anonymized, it can be abused, Migues said. “Imagine if I anonymize all the data for all the cars that are leaving voting stations, but I still know how many, what times, and so on. Might I be able to use that data to disrupt a polling station? Or what if I know how many cars/drivers got speeding/DUI/etc. tickets after leaving some sports event. Might I use that for some kind of activism or even a lawsuit against the town/team? Or how many people go to a religious center? Or an abortion clinic?”
“Even anonymous data has a lot of value and a lot of ways to be misused,” he said.
Lee agrees that personal data can be misused and abused — he notes that “anonymous telematic data, if stolen, could reveal that certain makes or models are more likely to need certain repairs. Pairing that information with stolen vehicle ownership data, as happened in 2021 in Texas, could open a consumer who owned one of those cars to potential identity-based fraud.”
But he believes that while the U.S. needs stronger data protection, data privacy, and identity management laws, “the goal shouldn’t be to end data sharing for fear of a surveillance state. There are good and valuable benefits from data when it is properly collected for a permissible purpose with informed consent.”
Herold said the need for more rigorous privacy laws is critical. “There are some mind-blowing and privacy-invasive data collection products being imagined, planned, and tested that have not yet been introduced to the public,” she said.
Get in front of it
But that means government needs to do better to get in front of it, she said, contending that the current hodge-podge of state and federal laws won’t do it.
“Instead of creating very situation-specific types of laws and regulations, we need to establish a federal data management regulator,” she said, “to set rules and regulations governing the guardrails, security, and processes that must be implemented for any type of data collection, derivation, processing, analysis, use, sharing, selling, modifying, archiving, and deleting.”
That, she said, could help “wrangle a large portion of those vehicle privacy horses back into the barn.”
But she notes that this is not just about connected cars, given that there are dozens to hundreds of business sectors involved in data collection. “Telecommunications, technology, utilities, schools, retailers, manufacturers, and an almost infinite number of other types of organizations can package the data they collect within products and services,” she said.
Migues agrees. Even if data collection by vehicles is restricted or controlled, “what if I put some of the collection hardware — cellular, license plate readers, exhaust analyzers, etc. — in traffic signals, streetlights, and video doorbells and then sell that data? Or I simply lobby the government saying that I provide a public service with the data — traffic control, bank robber tracking, helping with AMBER alerts — and then I’m a viable collector again?”