The Washington PostDemocracy Dies in Darkness

A privacy policy for cars: What automakers know about you (and what they’re doing with it)

The General Motors OnStar command center is shown in Detroit in this 2006 file photo. (Photo/Carlos Osorio, file)

If you use a road service like OnStar, you know that your car can track your location and send an ambulance automatically if you crash. What you might not know is that your car manufacturer stores this location information, along with the date and time of the incident and whether the airbags deployed. Little "black boxes" akin to the flight recorders on airplanes monitor your braking habits, whether you use a seat belt and how fast you go. Your car may be one of millions. But in its electronics is a unique profile of you and your decisions as a driver.

Some fear that this automotive data could someday be seized by government spy agencies or used against helpless drivers by insurers or worse. How automakers use, store and protect even the most mundane data collected from our increasingly smart vehicles is going to become even more important as cars start talking to everything around them — from other cars to sensors embedded in the road to nearby businesses. Manufacturers are taking their first steps to safeguard this information. But even they acknowledge there's a lot they don't know how to do.

Last month, two of the industry's biggest trade groups, the Alliance of Automobile Manufacturers and the Association of Global Automakers, settled on a series of privacy commitments designed to make Americans more comfortable with next-generation vehicles. The agreement will take effect Jan. 2, 2016 — in time for the 2017 model year. It outlines basic steps, such as updating owners' manuals, that each manufacturer will take to inform car buyers of the data their vehicles will be collecting. Think of it as a privacy policy for your Passat.

"There's a recognition in the industry that privacy is essential for gaining the trust of consumers for new technologies," said Christopher Wolf, a privacy lawyer who helped draft the principles. "The sooner the industry can be seen as taking privacy seriously, the better off consumers will be — and the better off the industry will be, because there'll be trust."

With little more than a year until the self-imposed deadline, the auto industry is moving speedily to implement the agreement.  Manufacturers will be setting up Web sites informing users of the data collection and linking directly to the privacy policies of third-party commercial partners. Toyota, for instance, works with OpenTable to let drivers make dinner reservations from their vehicle's in-dash touchscreens, so informing consumers how those services may use their data only makes sense.

The privacy principles cover other in-car data, too, such as information collected when a driver routinely brakes hard at stop lights or in traffic to avoid rear-ending others. They also stipulate that manufacturers will not reveal a customer's location data to law enforcement without a warrant, which has drawn applause from privacy experts. Few other forms of digital information are protected to such a degree.

The commitments are "strong out of the gate," said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. But, he added, "it could use some additional work."

One unresolved question concerns how long car manufacturers should hang onto user information before purging it from their logs. The longer they retain the data, the more useful it becomes. But it also opens up greater opportunities for abuse by lawyers, marketers and law enforcement. (As written, the privacy principles require that car makers get drivers' explicit consent before using or sharing data for marketing purposes, but each manufacturer can interpret this commitment freely.)

Another question concerns the de-identification of data, or the process that turns specific information about you and your vehicle into anonymous statistics. Policy analysts are calling for the auto industry not only to separate driving data from the identities of the people who generate it, but also to randomly modify data points in a statistically insignificant way to make it extra difficult to trace behaviors back to specific drivers. (For more on randomization as a form of privacy protection, read this.)

Other policy analysts argue that what car makers can do with the data is described too broadly in the privacy principles. Manufacturers that commit to the voluntary agreement vow to use customer information for "legitimate business practices" only, but that's a phrase New America Foundation scholar Michael Calabrese says would permit anything that wasn't outright illegal.

The auto industry says these principles are only a baseline and that many individual companies will compete to provide the strongest protections on the market. For example, Toyota said Monday that it might someday seek to determine consumer demand for a "private driving mode" that turns off driver tracking in much the same way that private browsing modes on Web browsers temporarily stop recording a user's Internet history.

But there is little existing guidance from consumers, regulators or other industries for how car makers should address the gaps highlighted by the privacy experts, said Toyota's director of technology, Hilary Cain. "We're grasping at straws here," Cain told analysts and industry officials at a recent dinner in Washington.

In an interview Monday, Cain added that auto manufacturers welcome the feedback. "People say, 'You should do it,' and we agree," she said. "But when it comes to turning this into actionable steps, this is one area where there is a lack of direction — there's nothing out there. We've looked; we've dug deep. We've had to not just reinvent the wheel but to create the wheel on some of these issues and now have to answer some tough questions. Depending on who you ask, and what day of the week it is, you'll get a different answer."