Few Ars readers were surprised by last week's news about General Motors' connected cars. As The New York Times reported, some owners of General Motors cars are having trouble getting auto insurance. The reason? They had unknowingly agreed to share their driving data with third parties. At least one driver is currently suing. If more follow, it could become a force for improvement in the industry.
At the heart of the problem is one of GM's OnStar connected car services, Smart Driver. We have tested this in the past. It monitors your driving speed, how hard you accelerate and brake, how often you drive at night, your fuel economy, and more, and uses that data to generate a numerical score from 0 to 100. A higher number indicates a safer driver.
These types of services are useful. Most people think they are good drivers until they get independent feedback. And the data collected by Smart Driver helps them drive more economically and with less risk. But as I said at the time, I'm glad sharing data with insurance companies doesn't put my premiums at risk.
But buried in OnStar's privacy notice is the revelation that GM can and will share user information with third parties, including “usage-based insurance companies.”
Sorry, what did you agree to?
In fact, that doesn't seem to be the case here. GM will share this driver data with data analytics firm LexisNexis Risk Solutions, which will share the data with insurance companies.
It's easy to sympathize with someone who discovers all that was going on without their knowledge. Romeo Chicco, who is currently suing GM and LexisNexis, is making exactly that claim. “What I can't tell anyone is how you registered. I can tell you how many times you did a hard acceleration between 6 a.m. and 8 a.m. on January 30th, I can't tell you how I registered,” he told the NYT.
“The fundamental challenge with informed consent is that ultimately business relationships become much more fluid than click-through agreements,” said Tim McKee, head of software supply chain risk strategy at Synopsys Software Integrity Group.
“However, as the New York Times article highlighted, what Mozilla has highlighted is that it’s very hard for the average person to know whether they have consented in any way to data collection or data sharing, and when your disclosure is 2,000 words or less… it’s a heavy, dense piece of writing,” McKee told me.
Europe implemented the General Data Protection Regulation (GDPR) in 2018, providing strict protections for personal data and limits on how it can be shared with third parties.
California and Massachusetts have also passed data privacy laws, and the California Privacy Protection Agency announced it will investigate connected car manufacturers' data privacy practices in 2023. There are good reasons for this. Within a month of this announcement, the Mozilla Foundation released a scathing report claiming that “automobiles are the worst product category ever studied for privacy.”
“But they're essentially based on some level of consent, not necessarily ongoing recognition,” McKee said. In fact, virtually all connected car services use a one-time acknowledgment of an end user license agreement, which is typically presented at the time of purchase in a manner that is not conducive to easy reading and understanding.
And that assumes that the person giving the consent actually has the legal right to do so. “The New York Times article had some believe that new car salespeople may have been put through a click-through agreement, perhaps during the entire process of demonstrating all the features of the new car,” McKee noted. “The ability to actually go back and review the agreement is relatively difficult in a car,” he continued.
“There's no clear place where you can say, 'I consented to X. X requires me to share this kind of information with these parties for that purpose.' We believe that this is the case, but to be honest, we don't know to what extent this behavior occurs in Europe as well,” McKee said.