Hello, friends,
A journalism maxim an editor once shared with me: Not everything that is important is secret, and not everything secret is important.
This might seem obvious, but for an investigative journalist, it can be counterintuitive. Journalists are often conditioned to believe that it is our job to reveal hidden things, to uncover deep, dark secrets, to find the smoking gun. But the reality is that many things that are bad and worthy of journalistic attention are not secret; they are hiding in plain sight.
Think of poverty, domestic violence, gun violence, mass incarceration, and our increasingly volatile climate as just a few examples of things that are not secret but important.
One item to add to the list of not-secret-but-important things is the amount of data being gathered by car manufacturers and others. Jon Keegan and Alfred Ng published a deep dive into these companies and their efforts to monetize that data.
Relying largely on the companies’ own marketing and investor materials, Jon and Alfred identified 37 companies in the rapidly growing connected vehicle data industry that operates in an environment with few regulations governing the sale or use of such data.
All told, the technology consultancy Capgemini estimated in 2020 that there were 150 startups in the “connected vehicle” market and that by 2030 the global vehicle data market would be worth $80 billion to $800 billion.
Some companies, like SiriusXM and OnStar, have easily understandable uses for collecting data, such as roadside assistance. Others, such as INRIX and Otonomo, are resellers who sell aggregated data and “insights” from connected vehicles.
One company, called High Mobility, advertises on its website 57 categories of data, including “Heart Rate” and “Race.” High Mobility CEO Risto Vahtra told Jon and Alfred that not all the data categories listed are used by its customers, but he did not respond to a follow-up question from me about the specific categories of Heart Rate and Race. Automakers such as Ford and Toyota have explored ways to monitor drivers’ heart rates for signs of a heart attack. It is not clear why autos would want to monitor a driver’s race. [Update: After this newsletter was published, High Mobility CEO Vahtra reached out to clarify that the company’s “race” data category refers to data related to the car’s acceleration and other data related to “racing.” He said the “heart rate” category was not currently being used commercially.]
Last year, Motherboard reporter Joseph Cox discovered that Otonomo was offering individual vehicle data samples on its website that could be reidentified. Otonomo, which claims to offer data on about 50 million cars, is currently being sued in California Superior Court for the County of San Francisco by a California BMW owner who alleged in the lawsuit that he never granted permission to the company to collect and sell his personal data. Otonomo has argued that the owner did grant permission for the car manufacturer to collect vehicle data and that Otonomo did not attach any device to his vehicle.
Otonomo says that it offers all car manufacturers who use its technology software that lets drivers opt out of data collection.
It’s not clear what is going to happen to all this car data. Companies like Otonomo list potential buyers of their data as insurance companies and companies managing large fleets of vehicles, as well as people developing traffic or parking plans. But since there are few limits on the sale of this data, it really could end up anywhere.
“When you see the volume of data that’s up for sale, and the lack of regulation in the vast majority of American states regarding how companies can use data, it seems like a match made in privacy hell,” Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told Jon and Alfred.
And of course, it bears repeating that location information—such as the type collected by cars—is among the most privacy-invading information available. In 2013, researchers proved that four data points of approximate place and time was enough, in a data set of 1.5 million people, to uniquely identify someone 95 percent of the time.
Last year, China enacted some of the first car privacy rules regulating the data that can be collected by vehicles, in particular limiting data that could be used to discriminate against drivers, passengers, and vehicle owners.
In the U.S., the federal privacy legislation being considered in Congress could require companies to seek consent when collecting potentially identifiable data from cars. But as we know from the endless pop-ups online asking us to agree to “allow cookies,” consent is not always an effective privacy protection. And truly it’s horrifying to imagine some kind of consent pop-up in a car that would prevent you from driving!
Privacy expert Neil Richards has argued a better approach would be a federal privacy bill that includes a robust “duty of loyalty” that requires data to be used in a way that serves the consumer’s best interests and not in ways that are purely self-serving to the corporate bottom line.
“The beauty of a duty of data loyalty is that it enables us to share data without being constantly pestered for consent,” Neil told me in a recent newsletter interview.
For now, the federal privacy bill appears stalled over questions including whether the duty of loyalty in it is as strong as it could be.
In the meantime, if you want to delete data stored in a car you’ve been driving, you can start by reading the owner’s manual and finding out how to reset your infotainment system to its factory settings.
As always, thanks for reading.
Best,
Julia Angwin
The Markup
Update: This article has been updated to clarify that High Mobility’s reference to “race” data gathered from vehicles refers to the car’s acceleration, not the race of the driver.