In-car communications systems can collect a broad range of information about your driving habits. What kind of information is being collected, and how is it being used? From the perspective of privacy, is there cause for concern?

Imagine you are doing some online research on car insurance, comparing quotes to see if you can save some money. You know that many companies offer discounts to customers with good driving records, and you search, “safe driver discounts.” You soon find a page on a major insurance company’s website which announces, “You’re a good driver. And with our Drive Safe & Save program, that actually gives you more control over how much you can save on your auto insurance.” As you read on, you realize that State Farm Insurance is offering a discount of up to 50% on auto insurance in exchange for the right to monitor your driving using your vehicle’s OnStar® or In-Drive communication system. In State Farm’s friendly words, “The safer you drive, the more you save. It’s that easy.”

One of the FAQs catches your eye: “Will State Farm share my information with anyone else?” Instead of giving an answer, the page refers you to the company privacy policy. After several minutes of searching, you finally find this policy. If you read past the reassuring privacy principles at the top, you will eventually see that the parties with which State Farm may share customer information include the “State Farm family of companies,” “State Farm agents,” “persons or organizations inside or outside our family of companies,” “companies that perform marketing or other services for us,” companies “with whom we have joint marketing agreements,” and “consumer reporting agencies.” In short, just about anyone with whom State Farm does business. State Farm is effectively asking individuals to give up their privacy in exchange for a discount, without knowing who may see the information collected about them.

In-car communications systems and privacy

Should you be concerned about this? Consider what information is collected by in-car communication systems such as OnStar® or In-Drive. These systems track location, speed, acceleration and deceleration, and stops. With this information, it is possible to observe not only how carefully you drive, but also your regular routes and travel patterns, which gas stations and coffee shops you stop at, and when and where you usually get stuck in traffic, to give a few examples. In addition, insurance companies already have demographic information about their customers. How could an insurance company use this information? State Farm intends to use it to evaluate driving habits in order to determine insurance rates. While they state in their privacy policy that they will not sell customer information to advertisers, there are several other ways that they could profit from this data. Large companies, such as fast food chains and big box stores, invest considerable resources in market research to decide where to locate new outlets. Knowing the preferred routes and destinations of various groups of people – for example, teens, seniors, minivan owners, or sports car owners – would be very valuable to them. Urban planners and local governments might be interested in gaining detailed information about traffic patterns. Police forces might seek the cooperation of in-car communications providers to locate criminal suspects or stolen cars. On a more sinister note, if information from these systems is misused, hacked, or stolen, it could easily be used to harass or stalk individuals.

Uncharted legal territory

You may wonder who regulates the collection and use of information from in-car communications systems. The simple answer is that no one is entirely sure. North American privacy laws are written to regulate specific domains such as health care, education, commercial transactions, or telecommunications. When a technology or service does not clearly fit in one of these categories, courts usually apply the most relevant legislation available. In Canada, privacy requirements in all domains are guided by the Canadian Standards Association (CSA) Model Code for the Protection of Personal Information, a set of general principles which underlies Canadian privacy legislation.

There are only a few North American laws relevant to vehicle tracking. Some US laws require the tracking of vehicles carrying hazardous materials. Perhaps the only law that directly addresses privacy is a California law regulating the use of information gathered through “event data recorders” (also known as “black boxes”); California requires manufacturers to disclose in the owner’s manual when a new vehicle is equipped with one. This law strictly limits the retrieval and use of the data, permitting access only by the vehicle owner or others authorized by the owner, by authorities under a court order, for the purpose of improving vehicle safety, or for servicing or repairing the vehicle. Note that an event data recorder captures only the seconds surrounding a crash (speed, braking, throttle and similar signals), not a continuous location history; when police locate stolen cars or suspects through a vehicle, they rely on telematics systems such as OnStar® rather than on the black box. In any case, there are no Canadian laws that specifically address vehicle tracking.

Another possible source of relevant legislation is the field of mobile communications. Canadian Radio-television and Telecommunications Commission (CRTC) regulations are applicable, but provide little guidance with regard to privacy.

Core privacy principles

The most promising approach to determining privacy requirements in this scenario is to apply general privacy principles to the specific context of in-car communications systems. The ten privacy principles of the CSA Model Code underlie Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA). These principles apply to all commercial and institutional collection, use, and disclosure of personal information. There are two principles of the code that are especially relevant:

  • Consent: “The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.” (Principle 3)
  • Limiting Use, Disclosure, and Retention: “Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.” (Principle 5)

In accordance with these principles, commercial service providers are obligated to inform customers of how they collect and use personal information and to whom they disclose it. Without consent, they cannot collect, use, or disclose such information, except as required by law. Further, customer information should not be retained beyond the end of the customer’s relationship with the service provider.

In the case of State Farm’s Drive Safe & Save program, drivers are consenting to be monitored. This is legal, though it is uncertain whether that consent would hold up in the event of a high-profile complaint. If the Privacy Commissioner of Canada has not addressed this issue, it is probably because no one has complained or asked about the practice of tracking driving habits. Because privacy legislation tends to be complaint-driven, the risks of in-car communication systems capable of tracking people’s locations and driving behaviours may only receive government attention after a high-profile incident, for example if an employee of a provider such as OnStar were to use location data from an in-car system to track an ex-spouse. One final thought: since existing privacy laws are enforced through civil remedies rather than criminal penalties, a company may choose to break them if it calculates that the advantage of doing so will exceed the damages it may have to pay.

Secondary uses of in-car system information

PIPEDA makes it clear that in-car communications providers must seek customer consent to share their personal information with other companies or agencies. But what is and is not personal information? Most jurisdictions name specific identifiers that are always considered to be personal information, including names, dates of birth, health card numbers, and credit card numbers. Computer IP addresses are considered personal information in Canada and the EU. There is currently a lot of interest in establishing whether MAC (medium access control) wireless network addresses, which are used by wireless devices including smart phones and in-car communications systems, constitute personal information. However, personal information is legally defined simply as information that can identify an individual, either alone or in combination with other available information. Alberta’s Health Information Act specifically defines identifiability, saying that if information can reasonably be used to ascertain the identity of an individual, it is personal information. In the case of in-car tracking data, the definition of personal information would extend beyond names, driver’s license numbers, and so on to include any data that could identify individuals. For example, someone with access to customer data could probably recognize a family member or close friend by the pattern of their most frequent locations and travel times.

It is not legal for companies to share customers’ personal information with third parties without consent. However, information from in-car communications systems could legally be used for secondary purposes if it is thoroughly de-identified – that is, if the information shared cannot be used to identify individuals. If in-car communications providers ever opt to sell information to retail companies or government agencies, they will need to ensure that the privacy risk of this data is very low. Where sensitive data such as demographics and location are involved, service providers should develop strong privacy risk measurement capabilities before sharing data with third parties.
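The two preceding sections make a claim that is easy to state and easy to underestimate: stripping names from tracking data does not de-identify it, because a driver’s most frequent overnight and daytime locations are themselves an identifier, and the privacy risk has to be measured rather than assumed. The following Python script is an added example, not code from the original post or from any insurer or telematics provider. It synthesizes a small set of constructed stop records (pseudonymous driver ids, coordinates near Ottawa chosen only for realism, hour of day), infers each driver’s home and work grid cells from timing alone, measures k-anonymity of the resulting (home, work) pairs, shows how someone who knows where a friend lives and works can pick that friend out of the “anonymous” data, and searches for the coarsest grid that keeps every pair shared by at least k drivers. The driver ids, locations and the night/day hour windows are all assumptions made for the example.

```python
"""
Re-identification risk in "de-identified" telematics data.

Added example; all records are constructed. Driver ids are pseudonyms and
coordinates are placed near Ottawa purely for realism.
"""
from collections import Counter, defaultdict

# Constructed ground truth used only to synthesize stops: driver -> (home, work).
# The analysis functions below never read this table; they see only the records.
TRUE_LOCATIONS = {
    "d01": ((45.4121, -75.6901), (45.4215, -75.6972)),
    "d02": ((45.4128, -75.6907), (45.4215, -75.6972)),  # same street as d01
    "d03": ((45.3902, -75.7503), (45.4215, -75.6972)),
    "d04": ((45.3908, -75.7508), (45.4215, -75.6972)),  # same street as d03
    "d05": ((45.3417, -75.6501), (45.4215, -75.6972)),
    "d06": ((45.3433, -75.6519), (45.4215, -75.6972)),  # same block as d05
}
COFFEE_SHOP = (45.4180, -75.6950)  # a stop everyone shares on the way to work


def make_records():
    """Synthesize stop records in the shape an in-car system reports them:
    (pseudonymous driver id, lat, lon, hour of day). No names, no plates."""
    records = []
    for driver, (home, work) in TRUE_LOCATIONS.items():
        for hour in (23, 2, 5):          # overnight stops: parked at home
            records.append((driver, *home, hour))
        for hour in (10, 13, 15):        # working-hours stops: parked at the office
            records.append((driver, *work, hour))
        records.append((driver, *COFFEE_SHOP, 8))  # shared morning coffee stop
    return records


def cell(lat, lon, precision):
    """Generalize a coordinate to a grid cell by keeping `precision` decimals.
    Roughly: 3 decimals ~ 100 m, 2 ~ 1 km, 1 ~ 10 km, 0 ~ 100 km."""
    return (f"{lat:.{precision}f}", f"{lon:.{precision}f}")


def quasi_identifiers(records, precision):
    """Infer each driver's (home cell, work cell) from stop timing alone:
    the most frequent overnight cell is 'home', the most frequent
    working-hours cell is 'work'. Assumed windows: 22:00-06:00 and 09:00-17:00."""
    night, day = defaultdict(Counter), defaultdict(Counter)
    for driver, lat, lon, hour in records:
        c = cell(lat, lon, precision)
        if hour >= 22 or hour < 6:
            night[driver][c] += 1
        elif 9 <= hour < 17:
            day[driver][c] += 1
    return {d: (night[d].most_common(1)[0][0], day[d].most_common(1)[0][0])
            for d in night}


def k_anonymity(qids):
    """Size of the smallest group of drivers sharing a (home, work) pair.
    k == 1 means at least one driver is uniquely identifiable by that pair."""
    return min(Counter(qids.values()).values())


def reidentify(qids, home, work, precision):
    """What a relative or colleague who knows where you live and work can do
    with the 'anonymous' dataset: list every pseudonym matching that pair."""
    target = (cell(*home, precision), cell(*work, precision))
    return sorted(d for d, q in qids.items() if q == target)


def minimum_safe_precision(records, k):
    """Finest grid (most decimals) at which every (home, work) pair is shared
    by at least k drivers, or None if even a ~100 km grid is not enough."""
    for precision in (3, 2, 1, 0):
        if k_anonymity(quasi_identifiers(records, precision)) >= k:
            return precision
    return None


if __name__ == "__main__":
    recs = make_records()
    for p in (3, 2, 1, 0):
        print(f"{p} decimals: k-anonymity = {k_anonymity(quasi_identifiers(recs, p))}")
    friend_home, friend_work = TRUE_LOCATIONS["d01"]
    print("matches for a known home/work at 100 m:",
          reidentify(quasi_identifiers(recs, 3), friend_home, friend_work, 3))
    print("coarsest grid giving k>=2:", minimum_safe_precision(recs, 2))
```

The point the numbers make is the one the text makes: at a 100 m grid every driver in the constructed set is unique on (home, work) alone, so a single acquaintance’s knowledge recovers the pseudonym, and only coarsening to roughly 1 km (or, for a stricter k, much further) removes that uniqueness. A real dataset would need the same measurement over far more quasi-identifiers (vehicle model, routine stops, travel times) before any third-party release.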
