U.S. study of automotive location data raises privacy concerns

The government's research arm found that data-hungry in-car location services could use some improvement in the privacy and consumer notification departments.

The Government Accountability Office's report prompted U.S. Sen. Al Franken, D-Minn., the longtime comedian and political pundit, to call on Congress to pass a location-privacy bill.

"Companies providing in-car location services are taking their customers' privacy seriously -- but this report shows that Minnesotans and people across the country need much more information about how the data are being collected, what they're being used for, and how they're being shared with third parties," Franken said in a statement.

"This report also underscores the need for me to reintroduce and pass my location privacy bill. It's just commonsense that all companies should get their customers' clear permission before they collect or share their location information."

The report can be downloaded in .pdf form here.

The Location Privacy Protection Act was the first of several privacy bills introduced in the past few years to make it out of the committee stage a year ago. If passed, it would require companies to obtain user consent before collecting or sharing mobile location data. Expect the new GAO report to influence updates to the bill.

The report, released publicly this week, evaluates the practices of ten firms that enable location-based services for vehicles, including six auto manufacturers: Chrysler, Ford, General Motors, Honda, Nissan and Toyota.

Navigation device makers Garmin and TomTom, along with map and navigation application developers Google and Telenav were also included. The report looked at the types of car-related data collected by the firms, what they use it for, and whether their privacy and data protection practices jibe with industry guidelines.

All of the automakers share location information with third parties, according to the GAO, to provide services such as traffic information, connections to live operators, or telecommunication and information processing for global positioning systems, known as telematics.

All firms evaluated share location data with law enforcement, and some offer aggregated data not associated with individuals to "university research programs, the National Highway Transportation Safety Administration, and state departments of transportation for research purposes … and to improve information about traffic patterns for infrastructure planning."

Selling to insurers?

Location data could theoretically be sold to insurance firms to better target services based on driving habits or to aim ads at drivers based on where they are. Through small devices installed in cars by a small crop of beta testers, mobile app developer Dash Labs tracks 300 data points including the car location, the type of vehicle being driven, who's in it and the time of day the driver is behind the wheel.

The firm, not evaluated in the GAO report, aims to sell the information to insurance firms or automakers, and counts Foursquare founder Dennis Crowley among its advisers.

"Dash will not share individual driver data with third parties without explicit opt-in from the user," said Dash CEO Jamyn Edis.

The GAO report suggests that the companies' disclosures about privacy practices are sometimes unclear.

"Without clear disclosures about the purposes, consumers may not be able to effectively judge whether the uses of their location data might violate their privacy," notes the "In-Car Location-Based Services" report, originally provided last month to Franken, chairman of the Privacy, Technology and the Law Subcommittee.

"Furthermore, risks increase that data may be used for purposes the consumer is not expecting or to which the consumer might not have chosen to agree," adds the report.

Recommendations

The GAO recommends the companies give people using their services more control over the location data collected.

"None of the 10 selected companies allow consumers to delete the location data that are, or have been, collected," states the report. Some of the firms do not retain location data, or they de-identify it so it cannot be connected to individuals. However, four of the firms reviewed, which go unnamed in the report, do store location data tied to individual vehicles.

"In such cases, consumers are unable to prevent the retention or use of retained data, should they wish to do so," the report said.

The researchers also indicated that a contractor working with three of the firms studied may store data including specific locations visited, vehicle identification numbers and other information for as many as seven years.

The longer data is stored, suggested the GAO, "the more vulnerable the data are to use by bad actors, such as hackers, or to unauthorized third party access."