Today’s cars are connected to computer systems that measure hundreds of data points from sensors on driver and passenger seats to braking patterns and vehicle emissions. Automakers are now part hardware and part software developers, and may even compete with Google and Apple in collecting consumer data. “The first space shuttle contained 500,000 lines of software code, but compare that to Ford’s projection that by 2020 their vehicles will contain 100 million lines of code” says Lisa Joy Rosner, chief marketing officer of Otonomo, which sells connected-car data to third parties, sharing profits with automakers.
There are seventy-eight million cars on the road connected to online systems according to ABI Research. Gartner predicts that in three years, 98 percent of new cars sold in the United States and Europe will be connected. Consumers purchasing or leasing new vehicles give automakers permission to track and collect driver data by signing lengthy service agreements, with the notion of using that data to improve vehicle performance and safety. “Before a customer even gives consent, we describe what kind of data is to be collected and how it will be used (mobile app, proactive alerts, etc.),” Dan Pierce, a GM spokesman, told the Washington Post. Toyota, on its website and on vehicle service agreements, informs customers that vehicle data is collected to improve safety, manage maintenance, and analyze vehicle trends, but also that with permission, customer data may be shared with “companies affiliated with Toyota.”
While cars have been connected to computers since the 1960s, the data gathered had been limited and mostly used for diagnostics and “event data recorders,” which captures accident data. Today, the volume, accuracy, and scope of data collected has expanded, but so is the manner in which the data is being transmitted. “Before, devices that generate data would stay on the car, but there are new ways for that information to be communicated off the vehicle,” said Lauren Smith, who studies big data and cars as the policy counsel at the Future of Privacy Forum. Diagnostics services from Verizon Hum, Zubie, Autobrain, and OnStar connects to online computer systems remotely, but those third party systems can be deactivated, while some automaker communications systems are embedded within the functioning of a vehicle.
Driver data can be as unique as fingerprints, a valuable asset that makes the data collected by automakers vulnerable to hacks and misuse. In a 2016 study, McKinsey estimated that the overall revenue pool from car data monetization at a global scale might add up to $450 – $750 billion by 2030. “Most people don’t realize how deeply ingrained their habits are and how where we park our car on a regular basis can tell someone many things about us,” Pam Dixon, executive director of the World Privacy Forum, told the Post, noting that research shows that even aggregate data can be reinterpreted to track an individual’s habits. “There’s a load of anti-fraud companies and law enforcement agencies that would love to purchase this data, which can reveal our most intimate habits.”
Frequent drives to specific locations can reveal consumer habits and relationships that could be valuable to corporations, governments agencies, or law enforcement. The Post uses the example of how regular visits to an HIV clinic can offer information about a driver’s health, but unlike healthcare providers, consumer health data collected by an automaker isn’t covered by HIPAA. “Ultimately, there’s no car privacy statute that car companies have to abide by,” said Ryan Calo, an associate professor of law at the University of Washington who teaches courses on robotics law and policy. “Not only are automakers collecting a lot of data, they don’t have a particular regime that is regulating how they do it.”