How Your Driving Is Being Tracked

Is your phone really tracking your driving habits and selling the data? Maybe more so than you know.

Skeptoid Podcast #947 by Brian Dunning

There's always a certain amount of paranoia about what our phones might be tracking about us and who they might be sending that information to. Some we know for a fact and some we only suspect, and some has been disproven — but in that middle ground where most of us have no real idea is where we find both misinformation and justification for some of that paranoia. One of these questions concerns our driving habits. Who might be tracking our phones to learn about how and where and when we drive, and what might that be collected for? Today we're going to scratch at least some of that surface.

Complicating this particular question is the fact that a lot of our cars link pretty tightly with our phones, via either Apple CarPlay or Android Auto. And even for those of us who don't connect our phones, more and more of our cars are running natively on those operating systems. The native dashboards of a huge number of new cars now run on Android Automotive. Apple continues developing their version of CarPlay for vehicles to run natively, but as of this writing there are none on the market. Aston Martin and Porsche are expected to be among the first.

But even those of us who don't connect our phones to our cars at all and don't have apps running on native automobile operating systems, we still generally have a phone in our pocket as we drive. That phone has GPS and accelerometers. It can tell when we're riding in a car, and it can tell if we brake suddenly or accelerate hard, and whether we're speeding when we drive. It knows where we go and when we go there. It's a fact for almost all of us that all of this information, and more, exists and can be collected and sent to some recipient somewhere without our knowledge.
The question today is whether it is, who's it going to, how is it being used, and is there anything we can do about it?

This is one of those rapidly evolving fields, so depending on when you're listening to this episode, some of it may be out of date. But as of now, about the middle of 2024, the fundamental answer to all of these questions is auto insurance companies. Insurers want to know who is a good risk, who is a bad risk, and how much should people be charged.

A number of national news articles published in the first half of 2024 have included the stories of people who found their insurance rates as much as quadrupled even though they hadn't had any accidents, and after some digging, they found that seemingly innocent apps on their phone had been collecting data on their driving habits — called telematics — and transmitting it to companies that resell individual driving scores to insurers. Yes, the fact is that an entire industry exists to harvest driving data from apps on your phone and in your car in order to calculate the right cost for your car insurance.

Before we get to the obvious question — which is "How do I prevent these apps from doing this?" — let's look a little closer at how this whole ecosystem works. Some app on your phone offers you some service that you have to agree to. You may have done this years ago and don't remember doing it. But now that that app has permissions, it collects all sorts of data on your movements. Generally this does not include your location or where you drive to, but rather telematics like your speed and hard movements like braking, accelerating, turning hard, or crashing. It also includes how often you use your phone while driving, not just calling or texting but even just picking it up; and it includes whether you're speeding as measured by the speed limit at your location.
The app then sells that data to a company that does analytics and risk assessment — and, crucially, the data they sell does include your identity, so these telematics are tied to you personally. The three best known of these companies are LexisNexis, Verisk, and Arity (Arity is owned by Allstate Insurance Company). The analytics company then assesses each driver's behavior and boils all of that data down into a single safety score from 1 to 10: 1 being a safe driver, 10 being a risky driver. This is from Arity's website:
What they end up with is an enormous database of personal identities with safety scores. It does not include locations or any specific drive information; just who you are and how risky of a driver you are assessed to be. Then the car insurance companies — all of them — buy this data from LexisNexis, Verisk, Arity, etc., for all their customers for whom it's available.

The suspect apps that might be first on your list to worry about are the obvious ones we use while driving: navigation apps in particular, plus entertainment like music, podcasts, or audiobooks. Fortunately, as long as you stick with apps from the major tech companies, you're more likely to have your data protected. Anything from Google or Apple — including Google Maps, Waze, and Apple Maps — explicitly protects your privacy and does not do any such data collection and sharing. The navigation apps, however, do share other data; basically traffic and speed information that allow fast routes to be calculated, but this is aggregated and does not include personal information, and it's necessary for these services to do what they do.

Apps that should be at the top of your concern list are the apps that you get from your car's manufacturer: HondaLink, FordPass, OnStar, myChevrolet, Toyota, myVW — a thousand others, one or two or three different apps available from every car manufacturer. In many cases, to use any of these apps' features at all, you're required to agree to data sharing. Just about every one of these apps collects your telematics and sells them to the data analytics companies. Additionally, any app from an automobile insurance company is probably doing the same thing, many of them openly so, pitching themselves with something like "Use this app to show us what a good driver you are and save on your insurance," when in fact the intent is to find how terrible a driver you are to charge you more for your insurance.
A benefit of getting apps from the Apple app store is that every app's page in the store includes complete disclosures, audited by Apple, of what data is being collected and shared, and whether it's personally identified as you or not. I went through a number of insurance company apps in the Apple app store — State Farm, Progressive, Allstate, GEICO, Farmers, plus a few others — and every one that I looked at was collecting most or all of the possible data types, including contact and financial info, location, user content, diagnostics, and usage data, everything necessary to assemble those telematics. None of these are necessary for the app to do what it appears to do for you, the user, which is to access and make changes to your insurance policy. This tells you there's some reason other than your own convenience for the companies to give you these apps. You can also find the apps published by the car manufacturers on the app store, and you can see the disclosures about those apps' data sharing as well.

If you don't wish to have your telematics collected and shared, then whenever you install any of these apps, you need to decline to give permission for data sharing. Some of the apps won't let you proceed if you don't agree to this. In that case, you'll just have to do without the app and use the company's website when you need something from them.

But insurance and carmaker apps are only the obvious ones. What's more insidious, and thus arguably a higher risk, are the countless independent apps. Theoretically, any app at all could include the telematics collection and sharing modules that are available to app developers. Even an innocuous game. When The New York Times published a series of articles in early 2024 about this (including this and this and this and this), there were three apps that they highlighted specifically, which were found to all sell their users' telematics to Arity:
All of these articles caused enough of a splash that General Motors, which came out of The New York Times series with perhaps the worst black eye, reacted by pledging in March 2024 to stop selling customer data to LexisNexis and Verisk. So far, at least as far as I could find, no other manufacturers have followed suit.

The Mozilla Foundation, which tracks online privacy, reported the following eye-popping headline in late 2023:

"It's Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy"

There are two interesting standouts in this crowd, the electric vehicle manufacturers Tesla and Rivian. Both claim in their privacy disclosures that they do not sell any customer data to third parties, as GM is now pledging. And, coincidentally, they are also the two holdouts who refuse to allow Apple CarPlay and Android Auto connectivity — and here's the kicker — GM also announced they are terminating support for those as well. I've spoken to lots of people, I've done lots of online research, and I have not been able to find a strategic motivation for these three manufacturers to take both of these steps. We can confidently conclude that it's not purely to protect their customers' privacy, since those customers all still have cell phones in their pockets and are still having their telematics collected and sold. It could be as simple as to protect the manufacturers' ability to charge for Internet connectivity; since when a driver uses CarPlay or Android Auto, their phone provides all needed connectivity.

But somehow Tesla drivers, at least, are still having their telematics harvested. Buried deep in the LexisNexis website are court cases in which they've provided evidence. Quite a few of these are cases where someone sued Tesla; one example is Dugan v. Tesla from March 2024. Apparently Dugan crashed his Tesla and tried to claim the car went crazy on him.
LexisNexis stepped in and provided data showing that Dugan drives like a maniac (obviously those are paraphrases), and the court ultimately found shared liability between both parties. The takeaway here is that even though Tesla assures its customers that they don't sell drivers' telematics to LexisNexis or anyone else, and they block the use of CarPlay and Android Auto, LexisNexis is still getting all the data anyone needs from Tesla drivers. Obviously apps that Dugan may have had on his phone are one potential source for how LexisNexis got his telematics; if there is another way, I look forward to learning what it was and issuing a future update to this episode.

Rivian, despite their privacy promises, recently appeared at an industry conference in Las Vegas on a panel with LexisNexis titled "Using emerging driving data analytics to price policyholders for maximum profitability." So it seems reasonable to suspect that we're not being given the complete picture from these manufacturers.

So in summary, not all conspiracy theories about what your phone is doing are false. And in this rapidly evolving field, what's true today may not be true six months from now, or was true six months ago. But for today, the official Skeptoid advice is to either be happy with having your personally identified telematics collected and sold, or to start reading license agreements a lot more carefully and start declining to give privacy-related permissions a lot more often. There isn't always somebody out to get you, and that's what makes the conspiratorial mindset generally an unhealthy one; but sometimes there are people after your personal data, and that's what makes the skeptical mindset essential.
©2024 Skeptoid Media, Inc. All Rights Reserved.