Modern cars with sensors and computers that are able to collect information about the people operating them have become very efficient “data harvesting machines” that are violating Canadian privacy laws, according to a report.
The same technologies that enable manufacturers to build safer vehicles that also provide better entertainment are also facilitating the collection of vast databases of information about drivers in order to gain revenue generating “actionable insights” for businesses, according to a study funded by the Office of the Privacy Commissioner of Canada and released today by the British Columbia Freedom of Information and Privacy Association (BCFIPA).
The insights can be used not only to improve the vehicles but also to “track and profile customers” for targeted marketing and other purposes,” the report said.
“Some of the data collected and transmitted for data-mining and market research is simply not necessary for services and applications to work,” said the report’s head researcher and privacy lawyer Pippa Lawson. “It opens the door to a range of privacy risks that include security breaches, malicious access and state surveillance.”
Too often, consumers are given limited choice when it comes to the use and disclosure of their personal data collected by connected cars.
Many customers who sign up for a service find they have to agree to the use of their personal data not just for delivering the service, but also for marketing, product developing and “business purposes.”
This violates Canadian laws that require clear, informed consent for the use of any personal data for secondary purposes such as marketing, the report said.
The report also found that the usage-based insurance programs now offered in Ontario and Quebec generally comply with Canadian privacy law, but automakers providing connected car services are failing to meet their legal obligations.
The data generated by telematics and what has been called “vehicle infotainment” systems can reveal personal lifestyles, habits and preferences. The data collected can include driver behaviour data, biometrics and health data, location data, personal communication (voice, text, email, social networking), Web browsing data, personal contacts, schedules and even music or video content preferences.
“Through telematics and wireless connectivity, cars are collecting and processing enormous amounts of data,” said Vincent Gogolek, FIPA executive director. “More and more of this data is personal information, and some of it reveals intensely private details of a person’s life.”
Vast amounts of data, if not properly limited and secured, “create an architecture of surveillance” that can be exploitated by governments, corporations and cyber criminals.
When data is tracked and linked with other available data, the information generated by telematics devices can reveal “intensely private details of a person’s life.”
For example, monitoring a person’s vehicle use, driving routes and destinations can reveal information that is useful not just for marketers and insurance companies but also to thieves, stalkers, and others with malicious intent, the researchers warned.
The report made several recommendations:
- Establish data protection regulations for the Connected Car industry.
- Develop national data protection standards for usage-based insurance.
- Involve privacy experts in the design stage of Intelligent Transportation Systems, including Connected Vehicle research projects.
- Adopt “Privacy by Design” principles and related tools
“Policy-makers have to provide the guidance that the automotive industry desperately needs on how general principles of data protection apply in their sector,” the report said.