DETROIT — Daniel Dunn was about to sign a lease for a Honda Fit last year when a detail buried in the lengthy agreement caught his eye.
Honda wanted to track the location of his vehicle, the contract stated, according to Dunn — a stipulation that struck the 69-year-old Temecula, Calif., retiree as a bit odd. But Dunn was eager to drive away in his new car and, despite initial hesitation, he signed the document, a decision with which he has since made peace.
“I don’t care if they know where I go,” said Dunn, who makes regular trips to the grocery store and a local yoga studio in his vehicle. “They’re probably thinking, ‘What a boring life this guy’s got.’ ”
Dunn may consider his everyday driving habits mundane, but auto and privacy experts suspect that big automakers like Honda see them as anything but. By monitoring his everyday movements, an automaker can vacuum up a massive amount of personal information about someone like Dunn, everything from how fast he drives and how hard he brakes to how much fuel his car uses and the entertainment he prefers. The company can determine where he shops, the weather on his street, how often he wears his seat belt, what he was doing moments before a wreck — even where he likes to eat and how much he weighs.
Though drivers may not realize it, tens of millions of American cars are being monitored like Dunn’s, experts say, and the number increases with nearly every new vehicle that is leased or sold.
The result is that carmakers have turned on a powerful spigot of precious personal data, often without owners’ knowledge, transforming the automobile from a machine that helps us travel to a sophisticated computer on wheels that offers even more access to our personal habits and behaviors than smartphones do.
“The thing that car manufacturers realize now is that they’re not only hardware companies anymore — they’re software companies,” said Lisa Joy Rosner, chief marketing officer of Otonomo, a company that sells connected-car data, sharing the profits with automakers. “The first space shuttle contained 500,000 lines of software code, but compare that to Ford’s projection that by 2020 their vehicles will contain 100 million lines of code. These vehicles are becoming turbocharged spaceships if you think of them from a purely horsepower perspective.”
Automakers say they collect customer data only with explicit permission, though that permission is often buried in lengthy service agreements. They argue that data is used to improve performance and enhance vehicle safety. The information that is gathered, they add, will soon be able to reduce traffic accidents and fatalities, saving tens of thousands of lives.
There are 78 million cars on the road with an embedded cyber connection, a feature that makes monitoring customers easier, according to ABI Research. By 2021, according to the technology research firm Gartner, 98 percent of new cars sold in the United States and in Europe will be connected, a feature that is being highlighted this week here at the North American International Auto Show in Detroit.
After being asked on multiple occasions what the company does with collected data, Natalie Kumaratne, a Honda spokeswoman, said that the company “cannot provide specifics at this time.” Kumaratne instead sent a copy of an owner’s manual for a Honda Clarity that notes that the vehicle is equipped with multiple monitoring systems that transmit data at a rate determined by Honda.
Connecting cars to computers is nothing new. Vehicles have relied on computerized systems since the 1960s, mostly in the form of diagnostic systems that remind drivers to check their engines and “event data recorders,” which capture accident data and are considered the “black boxes” of automobiles.
What’s changed in recent years is not only the volume and precision of that data but how it’s being extracted and connected to the Internet, according to Lauren Smith, who studies big data and cars as the policy counsel at the Future of Privacy Forum.
“Before, devices that generate data would stay on the car, but there are new ways for that information to be communicated off the vehicle,” Smith said, referring to diagnostic services such as Verizon Hum, Zubie and Autobrain that connect cars to the Internet using a “key” or dongle that plugs into a vehicle. These services provide drivers and companies with everything from trip histories to maintenance issues.
Though the automotive industry still collects less personal information than the financial, health-care or education industries, experts say, it doesn’t take much to jeopardize customers’ privacy.
Some privacy experts believe that with enough data points about driver behavior, profiles as unique as fingerprints could be developed. But it’s location data, experts say, that already has the greatest potential to put customers at risk.
“Most people don’t realize how deeply ingrained their habits are and how where we park our car on a regular basis can tell someone many things about us,” Pam Dixon, executive director of the World Privacy Forum, said, noting that research shows that even aggregate data can be reinterpreted to track an individual’s habits. “There’s a load of anti-fraud companies and law enforcement agencies that would love to purchase this data, which can reveal our most intimate habits.”
Trips to homes or businesses reveal buying habits and relationships that could be valuable to corporations, government agencies or law enforcement. For example, regular visits to an HIV clinic can offer information about someone’s health.
But unlike information gathered by a hospital or a clinic, health data collected by a non-health provider isn’t covered by the federal privacy rule known as HIPAA, according to the National Institutes of Health.
In a 2014 letter to the Federal Trade Commission, automakers pledged to abide by a set of privacy policies that included not sharing information with third parties without owners’ consent.
They’ve tucked their warnings about data collection into a few lines of text in owner’s manuals or enticing lease and purchase agreements, and on their websites.
General Motors, which became one of the first automakers to start collecting customer data in real time with its OnStar system in 1996, said in an email that the company’s system “does not collect or use any personally identifiable customer data without a customer’s consent.”
“Before a customer even gives consent, we describe what kind of data is to be collected and how it will be used (mobile app, proactive alerts, etc.),” Dan Pierce, a GM spokesman, said. “If a customer declines, we do not collect any data from the vehicle.”
Karen Hampton, a Ford spokeswoman, replied to The Washington Post with a similar statement.
On a page outlining its customers’ privacy rights, Toyota notes that vehicle data is collected to improve safety, manage maintenance and analyze vehicle trends. The site also notes that, with permission, customer data may be shared with “companies affiliated with Toyota.”
Though people might be wary of their data being outsourced, Rosner said companies like Otonomo are focused on using customer data for the greater good — such as improving transportation, reducing emissions and saving lives with automatic crash detection.
Otonomo, which began in 2015 and calls itself the “first connected car data marketplace,” partners with major automakers that give Otonomo access to their raw driver data, the company said. Otonomo takes that data, analyzes it, “cleans it up,” and then sells the information to third parties, helping automakers commercialize their data, Rosner said.
What sort of third parties use Otonomo data? A parking app developer, for example, that wants to better understand a city’s traffic patterns, or a company that wants to use those patterns to chose the location of its next billboard or business.
“The automaker gets a revenue share on every piece of data that is consumed,” Rosner explained.
Though the pledge restricts automakers from selling data to an outside company without customers’ consent, experts have noted that the voluntary self-regulatory standard doesn’t stop them from using that data for their own benefit.
The law has been unable to keep up with rapid advancements in auto technology, according to Ryan Calo, an associate professor of law at the University of Washington who teaches courses on robotics law and policy.
“Ultimately, there’s no car privacy statute that car companies have to abide by,” he said. “Not only are automakers collecting a lot of data, they don’t have a particular regime that is regulating how they do it.”
Though the possibility of abuse exists, Calo and other experts say automakers have so far been “responsive” to concerns about data collection and privacy. While privacy scandals periodically erupt in Silicon Valley, automakers have sought to differentiate their business models by ensuring privacy, according to James Hodgson, a senior analyst at ABI Research.
“They want to sell cars and maintain a competitive advantage over the Googles and Apples of the world,” he said.
And yet, Calo said, by collecting massive amounts of data, car companies could be setting themselves up for the 21st century’s ultimate Faustian bargain. The more data a company collects, the more incentive the company has to monetize that data.
“Any company that has tons of data about consumers and can control the interaction with them is going to have the capability and incentive to try to use that information to the company’s advantage — and possibly to the detriment of consumers,” Calo said.
“It’s almost unavoidable,” he added.