Published on July 13th, 2019 |
by Jennifer Sensiba
Yes, it’s nice to think about the promise of emerging technologies, and the potential benefits we may get from them, but too often, the future of human rights and privacy fails to be a big enough part of the debates that come up in the transitions. There should be serious debate and serious protection for any data that could be used to jack up insurance rates, imprison you, or even lead to much worse things.
We need to advocate for robust privacy and human rights protections at every stage to make sure emerging technologies benefit us instead of harming us in the long run.
An Ignored Problem
Here’s an example: There’s a big debate going on about how roads should be funded as more vehicles reduce or eliminate their use of taxed fossil fuels.
Some unscrupulous lawmakers have been trying to use this as a pretext for punitive taxes and fees meant to discourage the adoption of electric vehicles. Others have proposed reasonable fees that are at or below what the typical driver spends on fuel taxes. Others suggest a pay-by-the-mile rule with GPS tracking, and finally, many EV proponents suggest no additional fees to encourage EV adoption.
We all are so busy arguing over whether fossil fuels should be phased out, how that should happen, what’s financially fair, etc., and meanwhile, a potentially dangerous privacy issue only gets minimal attention. While pay-by-the-mile may be a fair way to distribute road taxes, it’s unwise to allow government officials to install GPS tracking devices in private vehicles, mostly due to the potential for abuse of that data, especially in the hands of government officials.
Regardless of who holds the data–be it government, a private entity tasked with anonymization, or anybody–if the data exists and can be tied to a driver, it’s just one court order, subpoena, or other discovery tactic away from being used against you in criminal cases, divorce proceedings, or anything else imaginable in court, or even in some cases, by a spying lawless government official.
It’s Nothing New: Past Examples of Abused Data
It’s easy to forget that data collection, and the abuse of collected data, is nothing new. It’s just becoming a lot easier as technology improves.
CARFAX was started in 1984 to help auto dealers combat odometer fraud by keeping a database of odometer readings that could be called up to see if someone was selling or trading in a tampered car. As with almost all commercial data collection initiatives, the idea in this case was to help people and make some money doing it. Nobody likes odometer fraud, right?
Nobody envisioned what it would turn into today, though. I was in touch with an owner of a new Tesla Model 3 a few weeks ago who had been put in a very bad position by CARFAX. She declines to be named in an article because Tesla ultimately took very good care of her. After buying a brand new vehicle, she learned a few weeks later that her vehicle had a reported “major accident” on CARFAX prior to sale, and this could severely impact the car’s value.
Tesla told her that the car had been involved in a small parking lot accident that damaged one of the car’s doors, but that the door had been replaced entirely with a factory new door, putting the vehicle back in factory condition prior to sale. Unfortunately, one of the shops involved in swapping the door reported the work to CARFAX, leading to the whole unnecessary loss of value on a car that was in no way different from any other car that rolled out of the factory.
This is possible because CARFAX has gone from fighting odometer fraud to vacuuming up as much vehicle data as possible to sell to anybody it can sell it to. As one local TV station in Ohio learned, CARFAX now has around 100,000 sources of data, including not only public records and dealers, but also any business that works on vehicles, including body shops, mechanics, tinters, accessory shops, and even car stereo installers.
In some ways, reports from mechanics and body shops could be helpful. For example, you could use a CARFAX report to prove that your vehicle was properly and regularly maintained if the shops you go to report the data. In other ways, it could come to bite you in the rear later, though. For example, the last link tells the story of a driver whose insurance company got mileage data from CARFAX and used it to jack up her rates. This is becoming a widespread practice in the insurance industry, and has even happened to my mom when she went to get a flat tire repaired.
As the above Tesla owner’s story illustrates, and as this post from a non-participating shop shows, a vehicle’s owner could be financially harmed by incorrect or out-of-context data. For example, an owner of an off-road vehicle could visit a shop on 3 occasions to have extra lighting installed, only to later find that CARFAX reports each instance as “electrical repairs,” leading to the appearance that the vehicle has serious electrical issues.
Sadly, this can go far beyond mere economic harm. As one writer for the Daily Kos reports, CARFAX is offering law enforcement agencies free access to its massive pools of data in trade for their vehicle data. Thus, it is using data collected about your vehicle without your knowledge or consent, giving it to law enforcement without your permission, and getting access to even more information to share with everybody, including your insurance company.
I know a lot of people trust government officials, but keep in mind that even data as innocuous as census records has a history of abuse. During the Japanese internment, the census was used to find Japanese-Americans who were evading capture, and place them in the camps.
I’m not suggesting that your vehicle’s data will be used to round you up and put you in a prison camp, but the potential for all kinds of abuse is there, and the data was taken from your vehicle without your permission and sold to third parties, who gave it to government officials. If that doesn’t cause you at least a little concern, you are probably a good person to talk to about some land I have for sale in Arizona. Prime oceanfront property at great prices!
Your Car Doesn’t Even Have To Be A Connected One
Everything I’ve described above came from data that wasn’t collected that often. You might have your car in somewhere for repairs or maintenance only a few times a year, and census records happen only every ten years. If the potential for abuse and misuse exists with that, then imagine the problems that might accompany daily or even constant collection of your vehicle’s data.
Even cars that aren’t connected to a cellular data network have seen electronic data used against their owners. As I’ve pointed out in previous articles, insurers promised that data collected by devices like Progressive’s Snapshot would only be used for discounts and not for raising rates, but they were eventually used to raise rates. There are now even insurers who won’t take you on as a customer at all without constant monitoring of your whereabouts and driving via OBD ports, GPS data and smartphone apps.
Nearly all vehicles since 2012 (and many before that year) record several different types of data in the Event Data Recorder, or “black box.” Most have a small computer that constantly records several seconds worth of data, continually overwriting older data for newer data. In the event of a crash, the box stops recording, so that only the last few seconds of data remains. This was originally meant to give automakers and the NHTSA data after accidents, but an increasing number of jurisdictions are harvesting the data post-crash to bolster criminal investigations.
I know many readers will say they “have nothing to hide” and thus don’t fear this data’s availability. As one trial attorney points out, people have gone to prison based almost entirely on what the “black box” contained. Even if you are a completely reasonable and prudent driver, one who follows all laws to the letter (this is virtually impossible), keep in mind that this last few seconds of data might be a poor representation of what you actually do behind the wheel. Not only can the data possibly be wrong, because sensors and wiring tend to get mangled in serious accidents, but it only shows the last few seconds.
You could be driving perfectly for hours before an accident and suddenly need to accelerate to attempt to avoid a collision or even another driver intentionally trying to harm you (aka road rage), but the vehicle’s black box doesn’t show all that. It only shows the last few seconds before the crash, and that last few seconds’ worth of data could be misconstrued to make you look like some sort of Mad Max wannabe who needs to be imprisoned to protect the motoring public.
Even if you only drive older vehicles without OBD ports or “black boxes,” don’t install any insurance company apps on your phone (or don’t carry one), and do everything else to protect your privacy, they’re still looking for ways to track you and get this data. CES recently put out an article praising the potential of one startup’s “connected license plate” technology that could give motorists “peace of mind” by allowing insurers and government officials the ability to gather all of this data, regardless of how old the vehicle is.
Connected Vehicles Give Much More Data To Abuse Us With
Tesla’s upcoming insurance product is a great way to illustrate this point. High insurance premiums for high-price, high-value vehicles have been an impediment to some purchasing a Tesla. To get around this, Tesla is going to share data with the underwriting insurance companies to give them a better idea of the risks involved with a particular car and driver. Assuming one rarely or never drives the vehicle in a way the insurer disapproves of, this could save on insurance costs.
Unfortunately, one informal/unscientific poll I conducted revealed what would be obvious to any car enthusiast. The owners of a high performance vehicle like to use its capabilities. Around half of the 200 respondents said they regularly race or push the vehicle to its limits. Perhaps these drivers wouldn’t be a good fit for Tesla insurance, but if insurance from competitors continues to be too expensive, then these drivers will be forced to drive in such a way as the insurers dictate, regardless of the customer’s loss history.
The occasional hard launch from a light, carving up rural canyon roads, and other “dangerous” driving could be effectively priced out of existence, whether the driver has a history of wrecks or not.
Before anybody reading this accuses me of picking on Tesla, I want to point out some of the even more draconian things other manufacturers are considering or have done.
After being bought up by a Chinese company in 2010, Volvo is looking at adding restrictions to its cars that would prevent speeding regardless of whether you’re willing or able to pay higher premiums. The company plans to start with a 112 MPH top speed for all new Volvo vehicles starting in 2020, but wants to use GPS to detect location and impose lower top speeds based on the speed limit in other locations.
Earlier this year, the European Union announced that it wants new cars to be unable to speed anywhere starting with 2022 models. Such systems might be possible to override, either with a harder push of the gas pedal or buried in some menu, but the vehicle would log all such overrides of the speed limit so that data would be available for insurers and law enforcement to view later.
A few years ago, GM found itself getting negative press when it was revealed that it keeps a log of all vehicle locations and speeds for OnStar equipped vehicles, including vehicles that don’t have an active subscription. A non-subscriber can opt out, but it requires contacting OnStar to request your vehicle be disconnected, while most drivers aren’t even aware the data is being logged, subscription or not. Wired pointed out that this data could be used for the public good or commercial profit without revealing individual locations and speeds, but that the data is available for courts and could possibly be used for mass citation of all speeders.
When I first heard of the GM privacy issue, I located the OnStar module and disconnected both its power and antenna connection in a 2005 GM vehicle I owned. However, that’s not a good solution for most newer vehicles. Connected systems are increasingly interwoven into not only infotainment systems, but into everything from ECUs to airbags, making disabling them difficult or impossible.
For Those Thinking I’m Paranoid
I know some readers will think I’m being paranoid here. The Internment example is admittedly extreme, and of course, if you’re driving the speed limit, not breaking any law, and aren’t some sort of insurrectionist or drug dealer, you have nothing to worry about these days. Only ne’er-do-wells would want to be able to speed, and probably would be mashing that skinny pedal with custom baby seal leather boots.
You don’t want to be one of those people.
But then again, let’s look at the things revealed by Edward Snowden. The United States government, and many of its allies around the world, got caught with their hands in the privacy cookie jar. Warrantless wiretapping, PRISM, XKeyscore, government hackers, and much, much more. Some of it was done legally, and other things were done illegally, but none of it respected the constitutional rights of the populace. The paranoid post-9/11 government, and administrations that followed, have shown no meaningful attempt to reform their ways.
If you’re gullible enough to think that we can trust private companies with our data, you’re likewise mistaken. If nothing else, the Cambridge Analytica data scandal proves that even elections aren’t safe once you get enough data to misuse.
You don’t have to be some sort of paranoid conspiracy theorist to think that privacy is important.
If you’re still not convinced, I’d recommend this presentation by a law school professor on the importance of the Fifth Amendment to the United States Constitution:
He makes a great case on the importance of exercising our right to remain silent, and we should demand that our personal belongings and possessions likewise remain silent.
Where We Can Go From Here
I’m hoping that by now I’ve made the case that our automotive privacy is in real danger, but I don’t want to leave it there. I want to share some ideas we can use to help fix this situation. Both as individuals and as a group, we need to do things to make sure we can reap the benefits of connected vehicle technology without regretting it later.
Things You Alone Can Do
As an individual, there are a few things you can do to keep your automotive data private.
First, talk to the people running any place you take your vehicle for service. Find out what data they collect and what they do with that data. If they sell data to third parties, see if you can opt out, and if not, take your business elsewhere. If you need to go to a particular shop that doesn’t respect your privacy, find ways to evade data collection. For example, take just a tire to a tire shop for repair instead of bringing in the whole vehicle.
Next, check with databases like CARFAX to see what it has on your vehicle already. It may surprise you how much the company knows. You also might find incorrect data that could impact the value of your vehicle, so be sure to dispute wrong data in such databases.
Another thing you can do is take charge of your car’s electronics and harden it against hacking and unauthorized transmissions. One of the biggest weak points is your vehicle’s OBD port. There are products available to add a locking cover to the port, as well as to relocate the plug and even replace it with a semi-functional dummy/decoy port to keep unauthorized snoopers away.
You might also consider locating antenna connections for cellular data in your vehicle. If you don’t use any connected services, simply unplug the antenna to prevent transmission. If you do use connected services, it’s usually possible to add a switch to the antenna’s feed line to decide when you want the services active.
Also, try to learn about your car’s “black box.” Figure out where it’s located, what it records, and whether it can be safely disconnected without compromising airbags or other safety systems.
Finally, consider “low tech” solutions to privacy issues. Some Tesla Model 3 owners, for example, have put sliding camera covers meant for laptops over the interior camera to prevent unauthorized viewing by hackers, rogue government officials, and Tesla. There may be nothing to fear with that camera, but it illustrates how you don’t need to be an electronics expert to take charge of your privacy in small ways.
Things We Need to Advocate For
Wherever we live, we need to push for robust legal privacy protections for vehicular data.
First, all data sharing should be opt-in. A consumer shouldn’t have to dig through an owner’s manual or search on the internet to determine what data they’re sharing with the manufacturer or third parties. These things should be done only with permission of the owner.
Second, owners should have complete control over their vehicle’s data. No data should be recorded without the owner’s consent. This must include the ability to delete all stored data at will or on set schedules/events. For example, one should be able to set the vehicle to clear all data when the vehicle is turned off.
Another important aspect of control is that the owner or driver should be in control of all radio transmissions the vehicle makes. The owner should be able to turn off all connectivity at will.
Finally, both public and private entities storing such data should be subject to restrictions to protect driver privacy. Nothing should be given to third parties without the permission of the owner, a court order, or probable cause. Even then, the owner should be informed of all such sharing of data and have a right to object.