New report by BC FIPA takes a hard look at how our cars are watching us
Our cars have changed. Once simply a means of traveling from point A to B, cars are increasingly capable of astonishing computerized feats. New “Connected Cars” are essentially computers on wheels whose functions include navigation, diagnosing vehicle health, monitoring driver behavior, offering shopping suggestions and providing customized on-board entertainment.
But the same technologies that allow for safer, more convenient and more entertaining cars enable the collection and processing of enormous amounts of data. Much of this data is personal information, and some of it reveals intensely private details of a person’s life.
Who has access to this data, on what terms, and whether collecting, storing and transmitting information from cars to outside computers complies with Canadian privacy laws are the subject of FIPA’s new report, The Connected Car: Who is in the Driver’s Seat. The report is the culmination of a year-long study that took a detailed look at the privacy implications of these new technologies. With Connected Cars poised to saturate Canadian markets in the coming years, the report concludes that now is the time to get serious about setting industry privacy standards and putting them in place.
We launched The Connected Car: Who is in the Driver’s Seat on March 25th at the site of the Vancouver International Auto Show, and it quickly caught the attention of national media. Written by well-known privacy lawyer Philippa Lawson and generously funded by the Office of the Privacy Commissioner, the Connected Car report is the first of its kind in Canada.
The report outlines how data culled from vehicle telematics and infotainment systems can be used for safety, monitoring, customer relationship management and the new usage-based insurance programs offered in some Canadian provinces. Yet we also found that some data harvested from cars can be used to track and profile customers for marketing and other purposes.
The breadth and depth of personal data that can be culled from Connected Cars goes significantly beyond what is already available via mobile devices. Customer data generated by Connected Cars are seen as a major new source of revenue for automakers and many of their partners. But the monitoring of a person’s vehicle use, driving routes, destinations, entertainment preferences, contacts, and schedules – for example – provides information that is not just useful for marketers and insurance companies. The data may also be of great interest to identity thieves, voyeurs, stalkers and others with malicious intent. The collection and retention of personal data for secondary purposes such as marketing and data mining not only exacerbates security risks, but creates an architecture of surveillance into which the tentacles of the state can reach, with or without required authorization.
At the heart of the issue is the limited choice consumers are being offered when it comes to the use and disclosure of their personal data. Our review of Connected Car terms of service and privacy policies shows that automakers are failing to meet their legal obligations under almost every principle of Canadian data protection law. A privacy pledge signed by a large group of major automakers in 2014 is promising but falls far short of Canadian legal standards in numerous respects. Deficiencies include lack of consent and forced agreement, inadequate openness and accountability, and a lack of consumer choice with respect to unnecessary data collection, use or disclosure.
Our review finds that the usage-based insurance programs now offered in Ontario and Quebec generally comply with Canadian privacy law, mostly because insurance regulators put privacy protections in place before allowing companies to offer these programs. Usage-based insurance is currently voluntary, but over time it could become the industry standard. Even if the programs remain voluntary, there is a risk that insurers may at some point choose to penalize drivers who do not ‘voluntarily’ choose to participate. If stronger guidelines are not in place, drivers could one day be faced with the difficult choice between obtaining affordable insurance and surrendering their right to privacy.
The good news is that Connected Cars are still in development. There is still time for Canadians to demand that the privacy of their personal information be respected by the industry and that individuals be given control over the data harvested from their vehicles. Policy makers can still establish data protection regulations for the Connected Car industry and usage-based insurance. Privacy experts can be brought into the process to ensure that “Privacy by Design” principles and tools are applied. This would include establishing a privacy management program, identifying and avoiding unintended uses of data, building in openness and transparency, respecting user privacy, and working with industry players at all levels to integrate controls and data minimization techniques.
We were encouraged by the help we received from the New Car Dealers Association of BC from the very beginning of our study, and by the attendance of the heads of both major automotive manufacturing associations at the launch of the report. Hopefully this bodes well for a cooperative effort to ensure proper protection for Canadian car buyers’ personal information and freedom of choice.
There is no reason our personal information in the automotive context should not be protected in the same way our safety is protected by government standards. We hope that you will join us in working to keep car drivers in the Connected Car driving seat.
What you can do:
FOR IMMEDIATE RELEASE
March 25, 2015
Privacy organization says now is the time to act to protect private information collected and shared by in-vehicle computer systems
VANCOUVER— The BC Freedom of Information and Privacy Association (FIPA) has released a year-long study on privacy, consumer choice and onboard vehicle technology.
The Connected Car: Who is in the Driver’s Seat? looks at how vehicles have changed from simple means of transportation to computers on wheels. A new generation of “Connected Cars” is capable of remarkable feats, from navigation to diagnosing vehicle health, monitoring driver behavior and providing customized on-board infotainment services.
“Through telematics and wireless connectivity, cars are collecting and processing enormous amounts of data,” said FIPA Executive Director Vincent Gogolek. “More and more of this data is personal information, and some of it reveals intensely private details of a person’s life.”
Data culled from vehicles can be used for safety, monitoring, customer relationship management and the new usage-based insurance programs offered in some Canadian provinces. Yet the same technologies that allow for safer, more convenient and more entertaining cars can be used to track and profile customers for marketing and other purposes.
“Some of the data collected and transmitted for data-mining and market research is simply not necessary for services and applications to work,” said the report’s head researcher and privacy lawyer Pippa Lawson.
“It opens the door to a range of privacy risks that include security breaches, malicious access and state surveillance.”
The report finds that the usage-based insurance programs now offered in Ontario and Quebec generally comply with Canadian privacy law, but automakers providing Connected Car services are failing to meet their legal obligations. Too often, consumers are given limited choice when it comes to the use and disclosure of their personal data collected by Connected Cars.
“The good news is that there’s still time to address these privacy challenges,” said Gogolek, “but with Connected Cars set to mass-penetrate North American markets in the coming years, we need to get serious about setting industry standards and putting guidelines in place.”
This research was made possible by a grant from the Office of the Privacy Commissioner of Canada’s Contributions Program.
Vincent Gogolek, Executive Director,
Alternate Contact: Tamara Herman, Program Director
FIPA is a non-partisan, non-profit society that was established in 1991 to promote and defend freedom of information and privacy rights in Canada. Our goal is to empower citizens by increasing their access to information and their control over their own personal information. We serve a wide variety of individuals and organizations through programs of public education, public assistance, research, and law reform.
For more than twenty years, the B.C. Freedom of Information and Privacy Association has relied on the support of our community to provide resources, educational programming, and one-on-one advice. By making a contribution to the Association in exchange for this resource, you’re helping us provide another two decades of service to Canadians and supporting more publications like this in the future. There is no minimum donation amount. Every bit helps.
We hope you consider supporting the Association, but more importantly, we hope you find The Connected Car: Who is in the driver’s seat? a valuable and practical addition to your research activities!
Let us know what you think: If you have comments, questions, or concerns about The Connected Car: Who is in the driver’s seat? please send them to FIPA at firstname.lastname@example.org.