Car makers sold people's driving habits, location data for pennies, say US senators
Khaan! Khaaaaaan!
Two US senators have urged the FTC to probe and potentially prosecute three automakers that allegedly unlawfully sold motorists' personal data for pennies.
Senators Ron Wyden (D-OR) and Edward Markey (D-MA) sent a letter [PDF] to the US regulator's boss Lina Khan on Friday after the pair conducted an investigation into General Motors, Honda, and Hyundai. The senators claim those three manufacturers sold their customers' information to various brokers either without obtaining explicit permission to do so or without even bothering to try.
For instance, drivers' personal information including people's acceleration and braking readings as well as records of their whereabouts were sold to credit agency called Verisk, we're told, which compiled the info into so-called Driving Behavior Data History Reports that were then sold to car insurance giants.
It's said Verisk computed a driving score for each motorist, plus offered safer driving suggestions, based on that harvested information, which were passed onto those drivers as handy hints by the vehicle manufacturers – all while those folks' details were being traded in the background.
The senators claimed the three automakers used so-called dark patterns to obscure their data-sharing schemes.
- Drivers: We'll take that plain dumb car over a flashy data-spilling internet one, thanks
- Elon Musk's latest brainfart is to turn Tesla cars into AWS on wheels
- Mozilla calls cars from 25 automakers 'data privacy nightmares on wheels'
- It's perfectly legal for cars to harvest your texts, call logs
Honda apparently only mentioned its data-sharing agreement with Verisk in a long legal document drivers were presented with when they tried to join an optional Driver Feedback program in the Honda phone app. The senators wrote:
On the enrollment screen, Honda asked consumers for consent for the company to track them so that it could determine the consumer’s driving score and their eligibility for insurance discounts.
Users who provided consent were then prompted to accept the company’s lengthy legal terms, in which Honda stated that Verisk would receive the consumer’s data. However, Honda buried the disclosures about its business relationship with Verisk, which did not appear on the first page, and were not likely to be seen by many consumers.
GM and Hyundai allegedly neglected to mention selling data to Verisk at all.
If GM car owners wanted notifications about things like attempted break-ins and vehicle component health, they needed to sign up for the manufacturer's Smart Driver program, and doing so would quietly opt them into allowing their info to be sold on.
"The lengthy disclosures presented by GM before the opt-in did not disclose to consumers that as part of enrolling in Smart Driver, their driving data would be shared with data brokers and resold to insurance companies," the senators alleged, adding GM "disclosed customer location data to two other companies, which it refused to name."
Hyundai apparently enrolled its drivers into a similar Drive Score program without even asking, if they enabled the internet connection on the vehicle. The senators said:
Hyundai required drivers to click through a consent form to enable the internet connection for a new car, but the company did not disclose that it would also share consumers’ data with Verisk if they agreed. Once enrolled, drivers could disenroll from the program through the company’s website or app.
Although Honda and Hyundai claimed drivers who entered their data collection programs could get cheaper insurance, the same data could make folks' premiums go up if their info wasn't agreeable to actuaries working out rates, the senators argued.
"Verisk officials confirmed to Senator Wyden's office that the company's contracts with automakers and insurers did not require that driver telematics data only be used to provide discounts," the pair's FTC letter says.
"Senator Wyden's office spoke with a national expert at an insurance industry trade association, who confirmed that some insurance companies do in fact use driver data from telematics programs to raise premiums above the rate a consumer would have paid without telematics data."
Before Verisk shut down its aforementioned scoring program in April, as a result of a New York Times article, it apparently bought the data of 97,000 Honda drivers for $25,920 and 1.7 million Hyundai drivers for just over a million dollars. That's a rate of just 26 cents per Honda and 61 cents per Hyundai car. That's pretty cheap considering car insurance can cost hundreds per month.
Car makers say everything was legit
The Register reached out to GM, Honda, and Hyundai and asked for their thoughts on the investigation. The manufacturers said their data-sharing programs and Verisk's involvement had been misunderstood.
According to Honda PR group lead Chris Martin, the Driver Feedback scheme was primarily anonymous, as the only info Verisk shared with insurance companies was the driver scores without any personally identifiable information. The underlying data used to build the score wasn't made available either, it's claimed.
Insurance companies could then ask Verisk to extend discount offers to drivers with good scores. Only if a driver accepted the potential discount would an insurance company finally receive a name to match a score to the driving data, and Martin argued Honda had disclosed that data would be shared at this stage. The senators believe that disclosure was underhand.
Honda's position was more or less echoed by GM and Hyundai in their statements.
"Data was only shared with an insurer if a customer initiated a quote directly with their chosen carrier and provided a separate consent to that carrier," a GM spokesperson said to The Register.
"It is important to note that Verisk was not authorized by Hyundai or the customer to share the Drive Score data with insurers until the customer affirmatively consented to this on an insurer's website or app," Hyundai senior group manager Ira Gabriel similarly claimed.
Martin also claimed it was basically impossible for a driver to be tricked into handing over their data and then seeing their premiums go up. Driver data is kept secret until a discount offer is accepted and - since it's unlikely a driver with a bad score would get one of those offers - it was apparently improbable that anyone who consented to data sharing would be penalized.
Even if an insurance company decided it didn't like a driver's habits, it would merely retract the offer and wouldn't share the data with other firms, Martin told us. He claimed to be unaware of any instance where data sharing resulted in someone paying higher premiums, though admitted he can't be completely certain it's never happened.
Interestingly enough, GM practically admitted the way it enrolled its drivers into Smart Driver was unpopular: The program was wound down in April and shut down completely in June, a decision "based on customer feedback." Similarly, Honda has also ended Driver Feedback. Because people were upset, not due to heightened scrutiny.
Ultimately, GM, Honda, and Hyundai argued they properly disclosed Verisk's involvement from the get-go.
"We vehemently deny the assertion that we used 'manipulative design techniques' to coerce consumers into enrolling in Smart Driver," said Team GM. "Each consumer was given choice at the time of enrolling and throughout the life of the product."
"Regrettably, Senator Wyden's letter mischaracterizes Hyundai's data policies and the safeguards it implemented to ensure customer consent for sharing driving behavior information with insurers," Gabriel concurred. "The letter also inaccurately describes the customer consent required for the sharing of customer driving behavior data with Verisk, a third-party data-sharing service provider."
Martin added not only was the Verisk data sharing agreement included in its terms-and-conditions document, but that it also disclosed it prominently on a webpage that has since gone down with Driver Feedback. Though it's not clear how many people actually saw the disclosure in either the T&Cs or on the website.
The FTC confirmed receipt of the letter to The Register and declined to comment further. ®