Carmakers keep data on drivers' locations

David Shepardson

Washington — A government report finds that major automakers are keeping information about where drivers have been — collected from onboard navigation systems — for varying lengths of time. Owners of those cars can’t demand that the information be destroyed. And, says the U.S. senator requesting the investigation, that raises questions about driver privacy.

The Government Accountability Office in a report released Monday found major automakers have differing policies about how much data they collect and how long they keep it.

Automakers collect location data in order to provide drivers with real-time traffic information, to help find the nearest gas station or restaurant, and to provide emergency roadside assistance and stolen vehicle tracking. But, the report found, “If companies retained data, they did not allow consumers to request that their data be deleted, which is a recommended practice.”

The report reviewed practices of Detroit’s Big Three automakers, Toyota Motor Corp., Honda Motor Co. and Nissan Motor Co. It also looked at navigation system makers Garmin and TomTom and app developers Google Maps and Telenav. The report, which didn’t identify the specific policies of individual companies, found automakers had taken steps to protect privacy and were not selling personal data of owners, but said drivers are not aware of all risks.

The agency said privacy advocates worry location data could be used to market to individuals and to “track where consumers are, which can in turn be used to steal their identity, stalk them or monitor them without their knowledge. In addition, location data can be used to infer other sensitive information about individuals such as their religious affiliation or political activities.”

Sen. Al Franken, D-Minn., who chairs a judiciary committee on privacy and requested the report, said Monday that more work needs to be done to ensure privacy protections for in-car navigation systems and mapping apps. He plans to reintroduce his location privacy legislation sometime this year.

“Modern technology now allows drivers to get turn-by-turn directions in a matter of seconds, but our privacy laws haven’t kept pace with these enormous advances,” Franken said in a statement. “Companies providing in-car location services are taking their customers’ privacy seriously — but this report shows that Minnesotans and people across the country need much more information about how the data are being collected, what they’re being used for, and how they’re being shared with third parties.”

The Alliance of Automobile Manufacturers, the trade group representing Detroit’s Big Three automakers, Toyota, Volkswagen AG and other major automakers, said automakers are committed to driver privacy. “Details of the industry’s strict privacy policies are traditionally included in our sales and service agreements,” spokeswoman Gloria Bergquist said. “That way, we ensure our customers have the opportunity to familiarize themselves with these strict privacy policies.”

In addition to navigation systems, there are other ways vehicles can collect information: Event data recorders, known as “black boxes,” store data in the event of crashes. Transponders like EZ-PASS transmit location and are used in some instances by law enforcement and for research. Some owners also agree to monitoring of driving habits to qualify for lower insurance rates or to keep tabs on teen drivers.

The report said “companies should safeguard location data, in part, by de-identifying them; that companies should not keep location data longer than needed; and that such data should be deleted after a specific amount of time.” It found companies use different de-identification methods that may lead to varying levels of protection. It also found wide variation in how long they keep information.

GM said in a statement, “OnStar takes seriously matters that affect our customers’ privacy and operates its services with strong privacy protections and practices.” GM spokeswoman Heather Rosenker said the automaker keeps no records of requests for turn-by-turn navigation.

None of the companies told the GAO how long they keep data.

A contractor that works with three of the companies told the GAO that when a consumer requests services, information such as location, vehicle information number and other information may be kept for up to seven years.

Another company said it “retains personally identifiable location data for no more than 24 hours.” A representative from another company said that it does not retain such data at all. However, the report said representatives from both those companies said they kept de-identified location data indefinitely.

The GAO also found one developer of mobile apps did not encrypt transmitted information, and the agency was able to view locations and other information such as passwords. “This developer acknowledged that such data were not encrypted and told us that it had made a decision independent from our review to encrypt the data...,” the report said.