By Eric Jaffe, January 8, 2013
Oregon recently launched pay-per-mile driving, and it's only a matter of time before others follow suit. Florida and Massachusetts have discussed the idea, and Rep. Earl Blumenauer recently proposed something similar to Congress. Still, at every level and every stage, there's a common objection to the idea of government tracking personal mileage: people find it too invasive.
Now, government surveillance is an especially touchy topic at the moment, and for good reason. But whether they realize or not, many people are already using navigation devices that watch what they do on the road. And unlike what the government would (or at least, should) do with location data in a mileage-fee system, many of the companies that run these devices share that information with third-party vendors.
In a report from December, the Government Accountability Office details the data-collection practices used by the country's leading in-car navigation suppliers [PDF]. GAO spoke with representatives from six car-makers (Chrysler, Ford, General Motors, Honda, Nissan, and Toyota), two portable GPS makers (Garmin and TomTom), and two app developers (Google Maps and Telenav). All ten collect location data from customers; nine share that data with outside companies to provide additional services.
The basic practice works like this: GPS signals identify the customer's location, which is sent back to the company over a network. From there, the information is often diverted to a third party to provide location-based services. These services can include basic directions, traffic updates, charging station locators, stolen vehicle tracking and roadside assistance, and restaurant alerts.
This shouldn't come as a great surprise to anyone, and the situation isn't all bad. None of the companies said they sold personal location information to marketing companies or data brokers. All of them said they obtain consent to collect the data (though often via a quick click that's easy to ignore) and all offer some customer control. All 10 companies also said they're taking steps to meet some industry recommended privacy standards.
But GAO cautions that meeting some standards isn't the same as meeting them all, and that many of the current practices could blind consumers from the true privacy risks. Some of the highlights:
- Nine in-car navigation companies gave reasons for collecting location-based data that were broad or vague, and none explicitly stated that location data aren't collected for other purposes (perhaps leaving that option open).
- None of the companies that retained location-based data offered customers the option of deleting it.
- Companies varied widely in terms of how long they retained location data, with some admitting they kept it "longer than necessary."
- At the time of the GAO inquiry, one third-party developer did not encrypt data it transmitted from a navigation app, including usernames and passwords, though it later said it made an independent decision to do so in the future.
- All companies said they protect location data shared with third parties but none disclosed how they hold themselves accountable for this protection.