“We will hold them accountable”: General Motors sued for selling customer driving data to third parties

Texas Attorney General Ken Paxton has sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies without their knowledge or consent.

In June, the Attorney General (AG) announced he had opened an investigation into several car manufacturers over allegations that the companies had improperly collected mass amounts of data about drivers directly from the vehicles and then sold the information to third parties.

Following that investigation, the AG explained in a press release, he decided to sue General Motors:

“Our investigation revealed that General Motors has engaged in egregious business practices that violated Texans’ privacy and broke the law. We will hold them accountable.”

The court filing provides some more detail. It reasons that when consumers buy a vehicle, they want a mode of transportation to get them from one point to another, but with GM (and its subsidiary OnStar) they unwittingly opt in to an all-seeing surveillance system.

GM collected scores of data points from consumers about their driving habits and monetized that data by selling it on to other commercial parties. The AG accuses GM of installing technology that allegedly improves the safety, functionality, and operability of its vehicles, but at the same time this technology gathers driving data about the vehicle’s usage.

The driving data collected and sold by GM included trip details like speed, seatbelt status, and driven distance. On top of that, GM gathered data through other products like its mobile apps.

GM had agreements with various companies which allowed them to use the driving data to calculate a driving score based on risk analysis. After buying a license from GM, an insurer could access the driving scores of over 16 million customers. Based on those scores the insurer could and did increase monthly premiums, drop coverage, or deny coverage.

GM claimed to have consent, but according to the AG it “engaged in a series of misleading and deceptive acts” to obtain that consent.

Among other things, the onboarding process was treated as a mandatory prerequisite to taking ownership of the car. But it was nothing short of a deceptive flow to ensure customers would agree to sign up for GM’s products and get enrolled in the driving data collection scheme. Customers were presented electronically with some fifty pages of disclosures about GM’s OnStar products, which consisted of product descriptions and a confusing series of applicable user terms and privacy notices.

At no point did GM disclose that it would sell any of their data, much less their driving data, nor did it disclose that it had contracts in place to make driving scores available to other companies or permit companies to re-sell driving scores to insurance companies.

Last year on the Malwarebytes Lock and Code podcast, David Ruiz spoke to a team of researchers at Mozilla who had reviewed the privacy and data collection policies of various product categories over several years. They classified cars as the worst product category they had ever reviewed for privacy.

Modern cars haven’t solely been transportation vehicles for a long time. With multiple digital systems, they are increasingly plugged into web applications and digital processes, both of which are vulnerable to security flaws.

But at least those flaws are not intentional; some of the privacy issues apparently are. So it’s good to see a raised awareness among consumers about these issues, and investigations conducted.

As we noted, an ongoing US Senate investigation indicated that connected car makers violate consumer privacy by sharing and selling drivers’ data, including their location, on a vast scale, and that the same car makers often obtain consumer consent through deception.

Based on this investigation, senators have urged the Federal Trade Commission (FTC) to investigate automakers’ disclosure of millions of Americans’ driving data to data brokers, and to share new-found details about the practice.

As always, we will keep an eye on the developments in this field.

