The report, released publicly this week, evaluates the practices of 10 firms that enable location-based services for vehicles, including six auto manufacturers: Chrysler, Ford, General Motors, Honda, Nissan and Toyota.
Navigation device makers Garmin and TomTom, along with map and navigation application developers Google and Telenav were also included. The report looked at the types of car-related data collected by the firms, what they use it for, and whether their privacy and data protection practices jibe with industry guidelines.
All of the auto makers share location information with third parties, according to the GAO, to provide services such as traffic information, connections to live operators, or telecommunication and information processing for global positioning systems, known as telematics.
All firms evaluated share location data with law enforcement, and some offer aggregated data not associated with individuals to “university research programs, the National Highway Transportation Safety Administration, and state departments of transportation for research purposes … and to improve information about traffic patterns for infrastructure planning.”
Selling to insurers?
Location data could theoretically be sold to insurance firms to better target services based on driving habits or to aim ads at drivers based on where they are. Through small devices installed in cars by a small crop of beta testers, mobile app developer Dash Labs tracks 300 data points including the car location, the type of vehicle being driven, who's in it and the time of day the driver is behind the wheel.
The firm, not evaluated in the GAO report, aims to sell the information to insurance firms or auto makers, and counts Foursquare founder Dennis Crowley among its advisers.
“Dash will not share individual driver data with third parties without explicit opt-in from the user,” said Dash CEO Jamyn Edis.
The GAO report suggests that the companies' disclosures about privacy practices are sometimes unclear.
“Without clear disclosures about the purposes, consumers may not be able to effectively judge whether the uses of their location data might violate their privacy,” notes the “In-Car Location-Based Services” report, originally provided last month to Sen. Franken, chairman of the Privacy, Technology and the Law Subcommittee.
“Furthermore, risks increase that data may be used for purposes the consumer is not expecting or to which the consumer might not have chosen to agree,” adds the report.
The GAO recommends the companies give people using their services more control over the location data collected.
“None of the 10 selected companies allow consumers to delete the location data that are, or have been, collected,” states the report. Some of the firms do not retain location data, or they de-identify it so it cannot be connected to individuals. However, four of the firms reviewed, which go unnamed in the report, do store location data tied to individual vehicles.
“In such cases, consumers are unable to prevent the retention or use of retained data, should they wish to do so,” the report said.
The researchers also indicated that a contractor working with three of the firms studied may store data including specific locations visited, vehicle identification numbers and other information for as many as seven years.
The longer data is stored, suggested the GAO, “the more vulnerable the data are to use by bad actors, such as hackers, or to unauthorized third party access.”
This report appeared in Automotive News, a Detroit-based sister publication of Tire Business.