It was only a matter of time before the issue of automakers selling information generated by car owners exploded. It has been brewing under the surface for a while, but it’s a complicated subject. Now, it looks like GM has managed to sell information without customers’ consent in a manner that underlines the potential extent of the consequences of people losing their privacy.
Texas Attorney General Ken Paxton has filed a lawsuit alleging that General Motors is collecting data on its car owners’ driving habits and selling that information to insurers without consumers’ consent or knowledge. More accurately, the allegation is that GM is selling the telematics data taken from private owner’s vehicles to insurance companies to specialist companies like LexisNexis Risk Solutions and Verisk Analytics that can then be analyzed and used by insurance companies on an individual basis if names are attached.
The level of data that can be gathered by modern cars is staggering, but this issue goes much deeper than people’s car insurance premiums rising dramatically.
At the time of writing, no court date had been set. So far, Ken Paxton has only filed a lawsuit, and the outcome is still unknown. As such, everything General Motors is accused of is an allegation and not a fact.
How Data Gathering Works
Just about every aspect of a modern car’s movement can be measured and logged. From simple things like speed, rates of acceleration, braking, and cornering G forces to biometric information from cameras and sensors. With biometrics, for example, if your car has a driver attention system that warns when you might be tired, and that data can be logged. As can the data of when and where you may have ignored it. Add in things like sign recognition, which is becoming a common feature available on premium models, and a car displaying the speed limit also has access to the speed the vehicle is doing at that time. It’s also able to log stop signs and whether a car comes to a complete halt. Traffic light recognition can also log enough simple information to know how often you may, for example, choose to go through an orange light when you could have stopped safely. Or if you have sex in your car.
The Consequences
Back in March, the New York Times published a real-world example of the allegations against GM. According to the publication, upon seeing an unexpected and dramatic rise in Kenn Dahl’s insurance premiums, the Seattle-based owner of a Chevrolet Volt was told by an insurance company that his LexisNexis report was a factor in his rising cost in current insurance and further quotes. Dahl used the Fair Credit Reporting Act to acquire his report from the data brokerage company and received a 130+ page report full of timestamped details of his and his wife’s 640 trips in the Bolt over the previous six months. The example given from the report is that, “On a Thursday morning in June, the car had been driven 7.33 miles in 18 minutes; there had been two rapid accelerations and two incidents of hard braking.”
Dahl was, understandably, stunned and felt betrayed by Chevrolet. Of course, schemes are available from insurance companies where consent is given to access a vehicle’s data in exchange for lower premiums if the car is driven within an algorithm’s parameters. Dahl had not knowingly given his consent.
The GM feature responsible for this was called Smart Driver – a gamified app-based program using the OnStar service that gave feedback and awarded digital badges for good driving while also passing that data to insurance companies. According to GM, people being enrolled without their consent was “a bug,” and has since killed the feature. In March, GM severed its relationships with LexisNexis and Verisk and has since brought in a new chief trust and privacy officer.
According to the Texas lawsuit, “At no point did General Motors inform customers that its practice was to sell any of their data, much less their driving data, Nor did General Motors disclose that it had contracts in place to make its customer’s driving scores available to other companies.” It gets worse for GM, though. This is just one of many lawsuits on the subject in play at the federal level.
How Did It Happen?
GM says “a bug” signed some customers into the scheme, but GM may also have its sights on the information-selling business as a major revenue stream. The automaker is allegedly aggressive in making sure dealership sales departments enroll customers in its OnStar service, which comes with several years of Connected Access. It’s on the many screens of documents and tick boxes that the salesperson ticks as they rush people through at the end of an often long sales process. According to some sources, salespersons can have money docked for failing to enroll customers with OnStar. Add this to the fact GM plans to stop offering Apple CarPlay and Android Auto in its infotainment systems, made by companies famous for harvesting and using information, and it looks like GM sees information use as an essential part of its business moving forward.
How Else Can Information Be Used?
Car insurance isn’t the only area that could be exploited by automakers moving forward. Health insurance is the obvious next step when you take biometrics into account. Some automakers are already pushing to use the vehicle as payment like you would a phone wallet – so not only can the car log where you stop for fast food or drive-thru prescriptions, but how much you spend. Using algorithms and publicly available information to determine what individual drivers buy and eat is not a reach now. Drink too much Starbucks while also getting those driver attention warnings, and that’s useful for two insurance industries to use to push up rates. In countries with socialized healthcare, that’s not so much of an issue, but here in the US, it is very much an issue.
Is It Just GM We Need To Be Concerned About?
The simple answer here is no. On the surface level, all automakers are profit-driven, and recurring revenues like subscriptions and data selling add up. European brands, it appears, are safer in this regard as data privacy is much more tightly legislated and scrutinized there. The Mozilla Foundation, a global non-profit organization that dedicates itself to open-internet and privacy issues, dug deep into 25 car brands and gave all 25 its “Privacy Not Included” badge.
According to the foundation, all the brands collect more information than they need and claim 84 percent share your data while nineteen percent say they can sell your data due to their contracts and terms and conditions. Most concerningly, more than fifty percent say they can share gathered information with law enforcement and government agencies based on a request. Not a warrant requiring gathered information being handed over — a request.
If you’ve been following the industry for a while, you’ll not be too surprised to learn that, according to the Mozilla Foundation, Tesla is the worst for gathering and handling car owner’s data. Second worst on the list is Nissan, then Hyundai, then the GM brands Cadillac, GMC, Buick, and Chevrolet. Acura and Honda follow next, then Audi, Lincoln, Ford, Lexus, and Toyota. The best brands regarding privacy on the list available in America are BMW, Subaru, Fiat, Stellantis-owned Jeep, Chrysler, Dodge, and Volkswagen. BWM may be the best ranked of the group available in the US, but you still have to opt out of the brand’s data collection.
When Mozilla contacted Nissan, a spokesperson replied, saying: “Nissan takes privacy and data protection for our consumers very seriously. When we do collect or share personal data, we comply with all applicable laws and provide the utmost transparency to allow our consumers to make informed decisions about their data. We have clear methods for consumers to opt out of collection, use and sharing of personal data.”
The problem there is glaring – the words “opt-out.” What brands should be doing is making data collection an opt-in process. Data collection, sharing, and selling should not be defined in the terms you must accept to use the product and then jump through hoops to opt-out. In the privacy section of Nissan’s website, under the question “What Information does Nissan Collect from You?” it says:
Nissan collects certain Personal Data in the ordinary course of business. There are a few categories of information we commonly collect:
Contact information
– name, email address, phone number, mailing address.
Payment information or related sensitive identification information
– when necessary (for example, an in-app purchase), we collect credit card information. Social Security numbers are collected in very limited circumstances (for example, to comply with state or federal tax laws if you win a contest or sweepstakes).
Geolocation
– when using Nissan Platforms we may collect Geolocation Data. This can include General Geolocation or Precise Geolocation data.
Demographic information
– zip code, age, date of birth, or gender.
Service or warranty information
– vehicle information including when and what repairs you received for your vehicle
This feature article would become a book if we went through the entirety of one automaker’s privacy notices, let alone all of them. We suggest taking the time to find the brand website of the car(s) you own and read through them. In Nissan’s favor, though, it’s clear on a few issues, and most relevantly:
“Nissan does not sell any driving activity data to insurance companies for programs that might directly impact your premiums unless you have consented or asked an insurance company to retrieve this information, nor do we sell personal data to marketing companies to send you advertising for products or services that are not related to Nissan.”
However, we notice the wording leaves Nissan clear to sell information to insurance companies that isn’t used to directly impact individual premiums, and use personal data to send advertising for products and services related to Nissan.
But I Already Carry A Google or Apple Smartphone, And They Harvest My Data
The broad response to the “I’m already in the system” attitude is that both Google and Apple are actual global tech companies that are well scrutinized and governed as such. That’s not to say they should be fully trusted. If they aren’t selling our data, they are most certainly using our data in-house to help drive profits. However, they are also well documented in some cases for protecting privacy, including Apple’s resilience to giving access to its phones to law enforcement and government agencies a few years back. More recently, Google made drastic changes to its Maps GPS-based application so that it no longer has access to a user’s individual location history – making sure law enforcement warrants issued to gain data on everyone who was in the vicinity of a crime can’t be given – your location at any given time is private information, after all. Apple also says it’s technically unable to supply the kind of location information law enforcement often requests.
The issue with vehicles is that this is relatively new territory for automakers, expanding dramatically due to new technology and, understandably, most drivers don’t expect their cars to be feeding so much information to a corporation, let alone without their consent.
So, What Can I Do?
This is a tough question to answer, particularly if you already own a modern car, even one bought used. Well, we say own, but if you don’t own the data generated by your car, do you really own it? That’s a whole separate issue, so we’ll stick with the privacy one for now.
The best piece of advice we can give for now is to read anything you sign thoroughly, and if you don’t understand a service, and it can’t be explained clearly and concisely, don’t agree to it. If you don’t agree with the terms and conditions, don’t agree. If that stops the deal, it’s time to shop elsewhere. Only agree to anything that benefits you and any downsides are fully understood and personally acceptable. For example, the idea of getting lower insurance rates for driving habits being monitored is not necessarily a bad one. It’s a question of what information is being harvested, then what is being used, then how much you value privacy versus the benefit offered. We would suggest that if your information is that valuable, then you should be paid for it if you consent. Then there’s a question of what you’re happy to sell, and how much for.
Buying a used car is more problematic as you’re buying a car that the automaker knows has changed hands, and whatever is logging and feeding data back to the automakers is possibly already turned on. Make sure you investigate the connected services associated with the make and model. If you need to change an account or sign up, read the terms and conditions before you pull any triggers.
Conclusion: Read Those Terms And Conditions
The conclusion to draw for now is that no automaker can be trusted, as no automaker has definitively demonstrated a reason to trust them. If automakers are going to push into becoming tech companies, they need to start drawing up codes of ethics now and then stick to them. That would include not going with the opt-out model (where owners are signed in unless or until they opt out) and not sharing or selling information without explicitly gaining consent, and include not sharing information with law enforcement without a warrant, and not harvesting information with the owner’s identification attached to it, and only collecting data for in-house use to do with development.
In reality, until things change, we do not have control over what information is harvested short of disconnecting a Wi-Fi-connected car from the internet and never taking it to a dealership. It’s up to automakers to change things, or they invite government oversight.
Conclusion To The Conclusion
GM has an opportunity to lead the industry here by turning a public and customer relations disaster into lessons learned publicly and making itself the gold standard for privacy in the automotive industry. That’s a badge it could wear proudly and market strongly, thus forcing the rest of the industry to follow. Ultimately, we suspect the industry will end up attracting lawmakers’ attention more and more over the next few years, but we hope that the automakers can regulate themselves and avoid that by making privacy a standard feature in their cars as they become even more well-connected.