Last week, General Motors subsidiary OnStar announced it intends to change its privacy policy later this year and will continue tracking users’ locations even after they discontinue OnStar service—or even if they never activate it in the first place. Now three U.S. Senators (Al Franken of Minnesota, Chris Coons of Delaware, and Charles Schumer of New York—all Democrats) have raised significant objections to OnStar’s planned policy change, characterizing it as an egregious violation of privacy.
Why does OnStar want to track people who aren’t using its service? And what implications could the move have for other vehicles with integrated GPS services?
What is OnStar thinking?
In the message it send to customers earlier this month, OnStar essentially announced two things. The first is that it would be changing its privacy policy to enable it to collect location data about all OnStar-equipped vehicles, even if customers cancel service or never activate service. The second is that OnStar will be reserving the right to sell aggregate data to third parties. Those third parties are likely advertising, insurance, and analytics companies eager to gather as much information about consumers’ driving habits, schedules, favorite destinations, and other travels as possible—although it is possible that OnStar will sell the information to things like traffic services in order to assist with traffic-based routing and even urban planning. The data will supposedly be anonymized to remove personally-identifying information.
OnStar works using a two-way CMDA cellular link between the OnStar onboard equipment in a vehicle and the OnStar service itself—it’s powered by Verizon Wireless in the United States and Bell Mobility in Canada. In addition to GPS-generated location information, information transmitted to Onstar includes a vehicle’s speed and current odometer reading, along with whether the driver is using a seat belt and whether air bags have been deployed.
OnStar does not articulate why it wants to collect the data; however, the company’s apparent hope is to use the information to further refine its own service, along with creating a new revenue stream by offering the aggregate data for sale to advertisers and other interested parties. OnStar says the link could also be used to inform even former customers about emergency conditions.
In a telephone interview with the New York Times, OnStar spokesperson Vijay Iyer says customers who cancel service will also be able to separately indicate they want OnStar to shut down two-way communications with their vehicles. It appears this opt-out will be a wholly separate action from terminating OnStar service—or declining to activate service in the first place. Iyer did indicate that customers who terminated OnStar service prior to the new policy going into effect will not need to separately terminate two-way communication.
Lawmakers’ reactions
Reaction from Democratic lawmakers was swift, with Senators Chris Coons and Al Franken issuing a letter to Onstar last week, requesting the company provide detailed information on how the company will protect consumers’ location data. “OnStar’s actions appear to violate basic principles of privacy and fairness for OnStar’s approximately six million customers—especially for those customers who have already ended their relationships with your company.” In addition to asking whether OnStar has already sold customer location information to third parties, the Senators want to know how OnStar plans to anonymize data it collects. The senators also cite research showing that it is “extraordinarily difficult” to successfully anonymize many items of personally-distinctive data about individuals—including location details.
“We believe that OnStar’s actions underscore the urgent need for prompt congressional action to enact privacy laws that protect private, sensitive information like location,” Coons and Franken wrote.
New York Democratic Senator Charles Schumer joined the fray today, characterizing OnStar’s move as a “brazen invasion of privacy” and calling for the Federal Trade Commission to investigate whether OnStar’s actions constitute an unfair trade practice under Section 5 of the Federal Trade Commission Act. Schumer characterized OnStar’s move as a “brazen, almost unheard-of invasion of the privacy of potentially millions of drivers.”
OnStar is under no obligation to respond to the Senators’ questions or statements, and there’s no word yet on whether FTC chairman Jon Leibowitz will take up Senator Schumer’s call for an investigation. The United States Government owns more than one quarter of OnStar.
What’s at risk for consumers?
OnStar has more than six million customers, and the OnStar system is factory-installed in myriad vehicles from General Motors and other manufacturers through a licensing arrangement: Licensees include Volkswagen, Audi, Acura, Subaru, and Isuzu. The first systems were available in selected 1997 model year vehicles—meaning OnStar systems have been on the market for nearly 15 years. Only systems from about 2003 onward can still be used with the current OnStar service—OnStar setups from 2003 through 2005 can only be used by way of a separately-installed analog adapter for their now-antiquated cellular gear.
OnStar customers may be able to opt out of tracking—if they pay attention to their email and read the fine print. It’s not at all clear how buyers of second-hand OnStar-equipped vehicles—whether used cars, former fleet vehicles, or what-have-you—would have any way of knowing whether data collection was active. Certainly, OnStar would have never acquired those drivers’ consent to tracking and collection of their personal information.
Similarly, OnStar tracking is on a vehicle-by-vehicle basis, not a driver-by-driver basis. Although some parents really like the idea of being able to keep track of their teens, OnStar doesn’t have tracking consent everybody who might use a car, whether that be family members, employees of a particular company, or just a friend lending a hand by moving a vehicle—with permission, of course.
Perhaps more significantly, however, recent research has shown that anonymizing highly personal data—like a user’s habitual routes and locations—can be extraordinarily difficult, if not impossible. Even if OnStar removes information from its data streams like vehicle identification numbers, fuzzes GPS data to within (say) a few hundred meters, and provides only rounded times (say to the nearest hour) rather than precise timestamps, it would still be possible to determine most drivers’ habitual routes—and determine when they varied significantly from those habits. (See Gruteser and Hoh, On the Anonymity of Periodic Location Samples, for example.) Furthermore, recent security breaches and hacking incidents have demonstrated that even if a particular data source is well-anonymized, that data can be correlated with other data sets to get a surprisingly complete picture of many individuals, effectively “de-anonymizing” the data—see Paul Ohms’ The Broken Promises of Privacy (PDF).
OnStar is also subject to U.S. law enforcement. Law enforcement agencies or courts could require OnStar to disclose location information in much the same way courts can require phone companies, mobile operators, and ISPS to turn over communications records.
Basically, unless OnStar is particularly clever—or renders the data near-useless to its likely customers—the information they plan to collect from drivers is likely to be enough to specifically identify many drivers. And—particularly in the case of used vehicles—drivers may have no idea (and no way of knowing) they’re being tracked.
What about other GPS-equipped vehicles?
OnStar is not the only system capable of tracking a vehicle’s location and activities: BMW Assist, Lexus Link, Toyota/Lexus Safety Link, eCall, Chevrolet MyLink, Ford Sync, LoJack, and other systems all offer varying telemetrics, mobile communications, and location tracking capabilities. If OnStar is successful in continuing to collect location and telemetric information about vehicles even after customers have canceled service (and potentially sold their cars to unsuspecting third parties), other system providers will be under pressure to do the same thing in order to remain competitive with OnStar—and, of course, tap in to new revenue from sales of location information. In other words: If OnStar can push this through, expect every other “connected” car system to do the same thing.
