Use a navigation or telematics system? You might share a lot more information with third-party providers than you realize. As each year brings new advancements to the connected car, the risk only increases.
At the behest of Congress, the Government Accountability Office audited privacy practices for 10 providers of navigation or telematics services in 2013: the Detroit Three, Nissan, Toyota, Honda, portable navigation providers Garmin and TomTom, and smartphone navigation developers Google Maps and Telenav. GAO interviewed privacy advocates, investigated exactly what those companies do with your information and compared it to industrywide best practices for privacy protection.
In a 32-page December 2013 report to Congress posted on Jan. 6, GAO found the providers fall well short of those practices.
GAO found that all 10 companies collect your location data to provide location-based services. That’s to be expected: Your navigation system has to know where you are to provide turn-by-turn directions, after all. Nine of the 10 providers share your location with third parties to provide services like real-time traffic alerts — again, to be expected.
It gets sketchier from there, however. Four of the 10 companies said they retain location data that’s tagged to your vehicle — and you can’t request its deletion, GAO found. Two of the 10 said they share your data (with personal information removed) to groups like university research programs, the National Highway Traffic Safety Administration, accident investigators and infrastructure planners. One company said it shares aggregated location data to marketers.
All 10 companies said they disclose that they collect and share your location, and all of them require your consent to do so. But none of them allow you to request deletion of your past data, which is an industry-recommended privacy practice, GAO notes. Garmin, TomTom, Google Maps and Telenav allow you to stop transmitting location data, though you’ll lose some traffic services.
All 10 companies attempt to conceal so-called “personally identifiable location data” that might uncover who you are and where you drive, but they do so in a range of ways — and some of those methods could allow third parties to identify you, GAO found. Indeed, in one instance, an app developer did not encrypt the data it sent to a provider of location-based services, and GAO was able to view location data, usernames, passwords and more. (The report did not implicate specific companies; it also said the app developer claimed, independent of the study, that it had decided to encrypt the data moving forward.)
Most of the companies’ privacy disclosures were broadly worded and often didn’t identify potential reasons for sharing the data. Nine out of 10 disclosures “potentially allow for unlimited data collection and use,” wrote Lori Rectanus, acting director of GAO’s physical infrastructure division. It also varies how long each company keeps that information. One company said it retains personally identifiable info for just 24 hours, but a contractor that works with three of the 10 companies said it’s privy to vehicle-specific location data for seven years.
That leaves the door ajar for future data usage, GAO notes. “While the companies we reviewed stated that they did not share data for purposes other than those mentioned, their policies give them the flexibility to do so,” Rectanus wrote. What’s more, none of the 10 companies share any external accountability practices.
Representatives from all 10 companies said they collect data to provide various location-based services such as driving directions, points of interest or nearby electric-vehicle charging stations. None of the 10 companies do anything illegal in their privacy practices. Several federal laws address the privacy of your data; for example, the Federal Trade Commission could take action if a company wasn’t following its own privacy-protection policies. But GAO notes that no overarching federal law exists to govern how companies collect, use and sell consumer data.
The study comes after a September 2012 GAO report that found mobile-device companies don’t follow industry-recommended privacy practices when they collect location data. It led GAO to recommend that FTC steps up its guidance of privacy protection. But the auto industry sees high potential in the 21st-century connected car, so the report aimed to raise privacy concerns against the upsides of automotive connectivity. It made no explicit recommendation, however.