Consumers’ locations and other data are at risk of being leaked by companies that run automobile navigation services like GPS, a report has found, putting the national debate on privacy behind the wheel.
Despite telling consumers they are collecting the information and seeking consent, companies do not always disclose what information is collected and how it is used. Companies are also inconsistent when it comes to giving drivers the ability to delete their information.
“The companies’ privacy practices were, in certain instances, unclear, which could make it difficult for consumers to understand the privacy risks that may exist,” said a report from the Government Accountability Office, Congress’ watchdog arm.
Privacy advocacy groups are concerned “that location data can be used to track where consumers are, which can in turn be used to steal their identity, stalk them, or monitor them without their knowledge,” the investigative agency said.
“Anytime you’re collecting data about consumers, there’s a need to be aware of what the companies are doing and the implications of holding that data,” said Alan Butler, an attorney with the Electronic Privacy Information Center. “It’s an issue people to need to be aware of. We haven’t heard yet of any major breaches or major violations of consumer rights.”
The increasing use of communication and location-based computers and gadgets in cars — called telematics — in some cases has left the government scrambling to keep up.
“Currently, no comprehensive federal privacy law governs the collection, use, and sale of personal information by private-sector companies,” the GAO said. “While legislative proposals aimed at protecting the privacy of location data by mobile devices and navigation systems have been introduced by members of Congress, none of the proposals have been enacted.”
The GAO looked at 10 companies involved in the automobile industry, including manufacturers: Chrysler, Ford, General Motors, Honda, Nissan and Toyota, GPS producers Garmin and TomTom, and navigation developers Google Maps and Telenav.
All 10 companies tell drivers they are collecting information, but some don’t disclose what information they are collecting or why, which could “allow for unlimited data collection and use,” the GAO said. Likewise, all the companies tell drivers the information is shared with third parties but don’t always give a reason.
Some don’t give drivers a choice to delete their personal data, a necessary step in maintaining privacy, Mr. Butler said. Keeping records of the data could create a repository of personal information that could be accessed easily by hackers or by law enforcement personnel against the driver’s wishes.
“Obviously this data, if it was breached, could reveal a great deal of information about individual drivers,” he said, adding that tracking someone’s car could reveal where they live, work and worship, among other things.
The Washington Times reached out to representatives for all 10 companies named in the report, which the GAO said represent the most widely used services or majority of the market.
TomTom, the Netherlands-based GPS maker, said it operates under the strictest privacy laws in that nation and provides “respect and safeguard” of drivers’ contributions.
“We always ask permission to use any data provided by our TomTom users, informing them how we will use it and allowing them to opt out at any time,” a statement form the company said. “All data provided is anonymised and aggregated. We never share customers’ private location data with third parties.”
Telenav, which produces navigation apps and software, said all information it receives is assigned a number and can’t be matched with a particular driver. The anonymous information can be shared with third-party traffic service providers to give real-time information, a service the company said it believes its customers expect.
“Location data is integral to the functionality of our location-based navigation products,” said spokeswoman MaryBeth Lowell. “We would not be able to provide maps, navigation directions, traffic updates, rerouting directions, nearby point-of-interest searches, etc., without it. However, we make every effort to respect the sensitive nature of this data.”
Information on drivers is collected to provide turn-by-turn directions and traffic information, locate vehicles for roadside assistance or recovery from theft, and give information on nearby gas stations, restaurants or charging stations for electric vehicles, among other reasons.
The GAO said some estimates expect use of telematics services to triple from 11.8 million subscribers in 2012 to 31.6 million in 2016.
Most of the time, companies will make efforts to “de-identify” data, such as listing a vehicle’s location but giving no information about the make and model of the car or the identity of the driver. However, there is no industry standard, and the ways companies try to protect the data vary, giving drivers differing levels of security.
Sometimes the businesses are using security measures that could still risk privacy, the GAO said, such as assigning each driver a number instead of using a name. After several trips, it would be easy to discern the number’s driving habits and possibly their home, leading consumers to be “re-identified.”
“While selected companies safeguard location data in part by de-identifying them, companies use different de-identification methods that may lead to varying levels of protection for consumers,” the GAO said.