privacy mode please —

Car companies are preparing to sell driver data to the highest bidder

Connected cars are going to monetize data, but most drivers don’t know that.

Car companies are preparing to sell driver data to the highest bidder

The confluence of the technology and automotive industries has given us mobility. It's not a great name, conjuring images of people riding rascal scooters in big box stores or those weird blue invalid carriages that the government handed out in the UK back in the last century. But in this case, it's meant as a catch-all to cover a few related trends: autonomous driving, ride-hailing, and connected cars. The last of these is what I'm here to discuss today. Specifically, the results of a pair of surveys: one that looks at consumer attitudes and awareness of connected cars and another that polled industry people.

Love ’em or hate ’em, connected cars are here to stay

Connected cars are booming. On Tuesday, Chetan Sharma Consulting revealed that 2017 saw more new cars added to cellular networks than new cellphones. In particular, it noted that AT&T has been adding a million or more new cars to its network each quarter for the last 11 quarters. While Chetan Sharma didn't break out numbers for other service providers, it also revealed that Verizon is set to make at least $1 billion from IoT and telematics. And previous research from Gartner suggested that, this year, 98 percent of new cars will be equipped with embedded modems.

OEMs aren't just connecting cars for the fun of it; the idea is to actually improve their customers' experience with the cars. But right now, we're still missing an actual killer app—and to be honest, data on how many customers renew those cell contracts for their vehicles. A survey out this week from Solace that polled 1,500 connected car owners found that they still don't really trust the technology.

For instance, nearly 40 percent said that they would not trust their car to "automatically react to driving conditions"—the example given is automatically braking. And that number is actually greater when you just look at drivers aged 18-25; 46 percent of them wouldn't trust such features, compared to 33 percent aged 65 or over. I should note that "connected car" as used here is a pretty wide bucket, similar to the one used in Esurance's recent survey on distracted driving. That's notable because the features that most drivers—almost 49 percent—say they would rely on are safety sensors like blindspot monitoring, which don't require any external connectivity and can be found on plenty of cars without 4G LTE.

Wait, is this thing recording?

But the bit of Solace's survey I found most interesting was the widespread ignorance regarding data collection. Only 38 percent of connected car drivers knew that their cars could store personally identifiable information about them, with 48 percent unaware this was the case. And that's important because that PII is being viewed as a goldmine.

Ben Volkow, CEO of Otonomo, told me that, by 2020, bundling and selling data from connected cars will be a massive new revenue stream for the OEMs, on the order of billions of dollars a year. Car companies will bundle data together—for example, a fuel bundle might include the odometer reading, fuel level, oil level, tire pressures if available, and battery charge.

"[The fuel companies] want to offer you more than fuel," Volkow said. "Many times, the fuel stations are also interested in anonymized data—why do some people always stop, do they take whatever's available or a specific brand, places to build new stations, and so on."

What's more, unlike selling cars, selling data is a high-margin business—between 80- and 90-percent profit. "A big part of the investment is already done," he said. "The databases are built, SIMs and modems are in the cars; they've crossed the Rubicon."

Otonomo is there to help the OEMs do that—it provides the car companies with a way to do accounting and clearing for data sharing, and it has more than 2 million vehicles on its platform right now. For instance, data protection laws vary wildly around the world—they're minimal here in the US but much stricter in Europe.

"We check where the car is based with the OEM and where data is going. Based on those parameters, we tell the OEM what they can share openly, anonymized, encrypted, or not share at all. It's a way for the OEM to make sure they stay in compliance. We work with a team of lawyers that specialize in privacy (in Europe) with regulations like Safe Harbor," he said.

Volkow thinks that drivers will be happy to share this data, as long as they get some value out of it, like free servicing or micropayments per mile traveled. But he also thinks consumer education is vital. "People tend to be more demanding when it comes to cars; they don't think of them as the same as mobile devices. You have to convince them there's a benefit," he told me.

Fail to do that, and it might be costly. Another survey published this month—this time by Foley and Lardner LLP—queried industry professionals about the business and legal issues that could affect the development of connected cars. By far the greatest concerns to the growth of these connected vehicles were—you guessed it—privacy and cybersecurity.

Is that light at the end of the tunnel?

Encouragingly, my travels over the last year or so have revealed that the auto industry is finally taking this stuff a lot more seriously. In the past, questions about security would be met with boilerplate "we don't discuss that" replies.

But now there's an Automotive Information Sharing and Analysis Center for evaluating threats, and OEMs are adding layers of security like anomaly detection and firewalls to their vehicles so that infotainment systems can't actually give someone control over safety-critical functions. General Motors even let me meet its Red Team, and the company has put cybersecurity on the same level as other safety risks in the design and development of new vehicles.

But I also think we've got a way to go yet. Absent the high-profile Jeep hacking of a few years ago, done by some security researchers, there has yet to be an actual malicious actor exploiting connected vehicles. And just about every exploit I've read about has required physical access to a vehicle. So it's not an issue that the average driver even thinks about—obviously here at Ars the audience is a lot more aware. Going forward, there are a few things I think should happen.

First, customers need to start demanding to know about the privacy and security policies that come with connected cars. With regard to data brokerage, it should be very clear what data is and isn't collected and to whom it gets sold. And consent is key—it's completely feasible for me to tell my car I'm OK with it sharing data with the OEM but no one else, or I could be fine sharing specific attributes with my insurance company but not to unrelated third parties. This has to be transparent, and I ought to be able to change those settings whenever I want.

What's more, if a car company is going to monetize my data, I'd better not be paying a monthly bandwidth bill for the privilege. Just like I'm not Facebook's customer, I wouldn't be the customer in this transaction either. And finally, connected cars will need to come with some kind of hard-wired privacy switch. After all, privacy concerns with regard to connected vehicles are often equated to cellphones, which almost all of us carry around everywhere. But it's trivial to put my phone into airplane mode—it ought to be the same for my car.

Channel Ars Technica