Location Privacy: GAO Asks More of NHTSA, New State Laws In the Works - Inside GNSS - Global Navigation Satellite Systems Engineering, Policy, and Design

Location Privacy: GAO Asks More of NHTSA, New State Laws In the Works

Federal watchdogs examining automakers’ privacy practices are urging a key regulatory agency to step up and clarify its role in protecting the location and other personal information of those operating connected vehicles. The report, posted on August 28, was just one of a number of location-privacy developments, including advances in pro-privacy laws in some states and a pullback by Uber on its tracking of its customers.

Connected Cars
Collecting information about where drivers go and how they drive used to be "impossible or very difficult," the Government Accountability Office (GAO) wrote in its just-released July 2017 study. The sensors and wireless networks of connected vehicles, however, gather and transmit information, including GPS-derived location, to enable roadside assistance, automatic crash reporting and other capabilities like voice and data connections.

But it’s not just about safety-related services; the market for this type of information is potentially huge. GAO cited a 2016 McKinsey & Company report that estimated the worldwide revenue from connected vehicle data could reach between $450 billion and $750 billion by 2030. As a result, said GAO, "private companies, including automakers, are considering how to use this data to generate revenue."

Privacy Worries
During its research, GAO selected 16 automakers to interview. Thirteen of them said they currently offer connected vehicles and all but one of the 16 planned to eventually offer connected services in all their models.

All of the 13 firms now offering connected service collected location information from the vehicles. The 13 primarily used the data they gathered to provide services and for safety and performance-related research. Five of the 13 automakers, however, reported using collected data to market products and services to their customers including using vehicle health data "to target advertisements to specific consumers for specific vehicle service or maintenance offers."

Two firms said they provided insurance companies with information "to enable consumers to participate in insurance plans that base premiums on driving behavior." All said they shared information with law enforcement, and seven said they gave collected data, specifically vehicle health data, to dealerships to aid in vehicle servicing. Several companies reported sharing de-identified information more broadly. They gave it, for example, to researchers studying post-crash vehicle structural integrity and to traffic services working to improve their accuracy.

Interestingly, none of the 13 firms said they shared information with data brokers though some "emphasized that their current use and sharing of data may change as the industry evolves and data collection expands," GAO said.

Part of the reason for the seemingly conservative approach may be linked to the opaque legal status of the data’s ownership. GAO found no consensus among the firms about who actually held the rights to the data they gathered. Two companies said they owned it, three said the data belonged to the vehicle owner but they had a license to use it, while one automaker said they owned anonymized data but the customer owned their personal data. Seven firms said data ownership was legally unclear or they did not yet have a position.

GAO also interviewed 16 privacy experts about issues associated with connected vehicle data. All 16 said tracking, loss of consumer control over their personal information and potentially insecure data were areas for concern. They emphasized that tracking was especially relevant in the context of vehicles and could be used to "paint a picture of an individual’s life, revealing with whom they associate, the doctors they see, and the places they frequent."

Clarity Needed
While the primary role of the Federal Trade Commission (FTC) in protecting privacy is clear, said GAO, the role of the National Highway Traffic Safety Administration (NHTSA) is not. NHTSA has a mandate to consider privacy as it develops safety regulations for the estimated 265 million passenger vehicles on the road, GAO wrote. That safety mission can be undermined by the public’s privacy concerns, so NHTSA already has been coordinating with the FTC and addressing privacy as part of its work.

Industry stakeholders, however, are unclear about NHTSA’s role, and agency officials acknowledged that some stakeholders may be uncertain whether, or to what extent, the agency has the authority to address privacy issues with respect to motor vehicles. To prevent problems, the GAO urged the Secretary of Transportation to direct NHTSA to make its position clear to connected-vehicle stakeholders.

States Act
One of the issues highlighted by GAO was the lack of privacy choices being offered to consumers by automakers. Often the only choice was between allowing their personal data to be shared or not using the services.

California’s newly amended Broadband Internet Privacy Act would mandate that firms not deny service based on a customer’s refusal to allow sharing. The Act, which is still under consideration, would prohibit the release of private information, including location, unless the customer has agreed, the information is needed to provide services or the data is required during an emergency.

Illinois became the first state to pass a bill limiting the sharing of location data. Approved by lawmakers in July, the Geolocation Privacy Protection Act makes it illegal for a private entity to "collect, use, store, or disclose geolocation information from a location-based application on a person’s device" unless it meets specified notice requirements and then gets affirmative consent. The measure has not yet made it into law, however. More than a month after lawmakers gave final approval, the Act remains unsigned by the state’s Republican Governor Bruce Rauner.

There is no question, however, that consumers are acting on their privacy concerns. A day after the GAO report came out, Uber was forced to reverse a policy change that allowed its customers to be tracked.

In 2015, Uber had enabled its app to track location while it was running in the background, then updated the software in November 2016 so that clients had to allow tracking, which continued for five minutes after they reached their destinations, or be forced to manually enter pickup and drop-off locations. An Uber spokeswoman told TechCrunch the move had been taken in response to user feedback and said the firm was now evaluating its approach to location data collection.

For more on this topic, read Geolocation Privacy, and Location Privacy Poised to Take a Hit on the Inside GNSS website.
