10 security, privacy issues you might not know about your car’s auto-location services

Does location data collected by various companies pose privacy risks?

As cars become more wired to the Internet and other communications services, the threat that your personal information and privacy could be exploited goes up exponentially.

You can understand the concerns since at least one study from Frost & Sullivan found that the market for telematics services provided by auto manufacturers in North America is expected to increase from 11.8 million subscribers in 2012 to 31.6 million in 2016.

+MORE ON NETWORK WORLD: The weirdest, wackiest and coolest sci/tech stories of 2013+

+Car crash prevention technologies face huge challenges+

A report released this week by watchdogs at the Government Accountability Office said privacy groups and policy makers have questioned whether the location data collected and used by various companies offering such services pose privacy risks.

"Specifically, they are concerned that location data can be used for purposes other than to provide services to the consumer, such as selling the data to others for marketing. They also have concerns that location data can be used to track where consumers are, which can in turn be used to steal their identity, stalk them, or monitor hem without their knowledge. In addition, location data can be used to infer other sensitive information about individuals such as their religious affiliation or political activities," the GAO stated.

The GAO notes that Congress and several federal agencies have considered the implications of the collection of location data on consumer privacy. While legislative proposals aimed at protecting the privacy of location data by mobile devices and navigation systems have been introduced by members of Congress, none of the proposals have been enacted.

For its report the GAO said it interviewed 10 industry players including auto manufacturers, portable navigation device (PND) companies, and  developers of mobile device navigation applications General Motors, Ford and Toyota as well as Google and Garmin.

The GAO stated that all of the 10 companies it included "have taken steps consistent with some, but not all, industry-recommended privacy practices. In addition, the companies' privacy practices were, in certain instances, unclear, which could make it difficult for consumers to understand the privacy risks that may exist."

In that vein, the GAO also noted a number of practices that may not be all that well known including:

All selected companies disclose that they collect and share location data. However, inconsistent with recommended practices, nine companies' disclosures provide reasons for collecting data that are broadly worded (for example, the stated reasons for collecting location data were not exhaustive) and five companies' disclosures do not describe the purposes for sharing de-identified location data. Without clear disclosures, risks increase that data may be collected or shared for purposes that the consumer is not expecting or might not have agreed to.

  • All of the companies obtain consumer consent to collect location data and obtain this consent in various ways. In addition, all companies offered consumers some controls over location data collection. However, if companies retained data, they did not allow consumers to request that their data be deleted, which is a recommended practice. Without the ability to delete data, consumers are unable to prevent the use or retention of their data, should they wish to do so.
  • All companies take steps to safeguard location data - a recommended practice - but use different de- identification methods that affect the extent to which consumers may be re - identified and exposed to privacy risks. Also, there is wide variation in how long companies retain vehicle- specific or personally identifiable location data. To the extent that a company's de- identification methods allow a consumer to be identified or that identifiable data are retained, risks increase that location data may be used in ways consumers did not intend or may be vulnerable to unauthorized access.
  • The interviewed companies disclose to consumers or take steps to protect location data that they share with third parties; such efforts are consistent with recommended practices. However, inconsistent with recommended practices, none of the selected companies disclose to consumers how they hold themselves and their employees accountable. The companies told GAO that internal company policies serve this function.
  • Recommended practices state that companies should clearly disclose how they collect, use, and share location data and the purposes for doing so. The GAO found that companies use various methods to disclose their privacy practices, but the information about the use and sharing of location data was sometimes unclear. Without clear disclosures about the collection and sharing of location data, consumers may not be aware of all the purposes for which their data are collected and share. Thus, data may be used and shared for purposes that the consumer is not expecting or to which the consumer might not have chosen to agree.
  • All 10 selected companies use privacy policies, terms of service agreements, and other practices- such as on- screen notifications - to notify consumers of their privacy practices. Of the 10 companies the GAO reviewed, six have stand -alone privacy policies and four use terms of service agreements that include an explanation of their privacy practices.
  • All 10 selected companies disclose the reasons for collecting location data, which are generally based on the types of services they provide. However, 9 of 10 companies also provide reasons for collecting location data that are broadly worded and potentially allow for unlimited data collection and use. For example, one company's terms of service states that the provided reasons for location data collection were not exhaustive. Furthermore, none of the selected companies explicitly state in their disclosures that location data are not collected for other purposes.
  • Three of the selected companies state in their disclosures that they seek consumers' consent before using location data for purposes beyond those listed. Without clear disclosures about the purposes , consumers may not able to effectively judge whether the uses of their location data might violate their privacy. Furthermore, risks increase that data may be used for purposes the consumer is not expecting or to which the consumer might not have chosen to agree.
  • All 10 selected companies disclose that they share consumer location data with third parties, mainly to provide requested services. Six companies' disclosures allow for additional sharing for location data when they are de -identified, but the purposes for sharing such data were not described in five of these companies' disclosures . Although not disclosed, representatives from three of the five companies explained that they share de-identified or aggregated location data for providing services or for other purposes. Representatives from the remaining two companies said that although their disclosures give them the option to share de-identified location data, their companies do not share such location data at all.
  • None of the selected companies' disclosures discuss how long data are retained, but some company representatives we interviewed told us that they do not retain location data "longer than necessary." A contractor that works with three companies in our review to provide location - based services told us that when a consumer requests services, in accordance with the contractual terms in place with the companies, the contractor may retain vehicle- specific location data, VIN, and other data associated with the consumer's request for up to 7 years. The contractor told the GAO that it retains such subscriber information to protect against potential lawsuits, to allow the companies to evaluate how the contractor is performing, and for tax purposes should a tax authority audit their income associated with the provision of services. Representatives from one company stated that it retains personally identifiable location data for no more than 24 hours, and a representative from another company said that it does not retain such data at all. However, representatives from both of these companies told us that they retain de-identified location data indefinitely

Follow Michael Cooney on Twitter: nwwlayer8 and on Facebook

Check out these other hot stories:

Are time travelers surfing the Web?

Your dog have peculiar potty behavior? Check the Earth's magnetic field

NASA's greatest challenges in 2014

What do John Lennon, Bach, Beethoven, Salvador Dali and Truman Capote have in common?

IBM: Smart machines set to rule the world

"Revenge porn" operator busted over extortion allegations

Private Mars mission beams Lockheed Martin onboard to build spacecraft

DARPA targets $4.8M to close backdoor security problems

Navy launches drone from submerged sub

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.