Last year, Joshua Wessel, a man in Kalamazoo, Michigan, was arrested for the June 2017 murder of Ronald French. Using data stored in Mr. French’s car, investigators identified Mr. Wessel as the person who gave voice instructions to the car’s infotainment system—a recording made within 90 minutes of French’s death. This data helped investigators dismiss Wessel’s original claim that he had merely stolen the car.

Digital vehicle forensics has recently become a favorite data source for police. Modern cars collect and store massive amounts of information, from telematics (i.e., information navigation, location, speed, and acceleration) to the “infotainment system” that records interactions, destinations, and voice commands. These data are very revealing, and are therefore highly sought after by police and prosecutors conducting criminal investigations.

In recent years, including in Mr. Wessel’s case, law enforcement agencies generally needed physical access to a car in order to obtain data from our cars. But this requirement has effectively become a thing of the past. Now, much of our car-related information, including our location, is accessible online to the highest bidder—no keys required.

An Accelerating Industry

Recent reporting from Vice News shows that a surveillance company and U.S. military contractor, the Ulysses Group, is openly advertising a product the company claims can pinpoint the real-time locations of specific cars in nearly any country on earth. Documents released by Senator Ron Wyden (D-Ore.) show that the company promises to deliver a dramatic enhancement of “military intelligence and operational capabilities,” offering “15 billion vehicle locations” worldwide every month.

Where does this military intelligence company get all this information? There’s only one conceivable answer: Our car location data is being bought and sold.

Here’s how it works. First, automakers and original equipment manufacturers collect data for themselves. Then, they share the data with third parties, with little or no oversight, and few, if any, safeguards against abuse. Finally, those third parties repackage that data, aggregate it with other data, and sell it to the highest bidder.

As a result, private companies and governments are in a position to know where we and our cars are at any given moment, both in real time and historically. It goes without saying that this is a powerful surveillance tool. And while law enforcement agencies must now obtain a warrant to access cell phone location information showing where we were last week, month, or year — after years and years of state and federal litigation that ended up in a landmark Supreme Court decision in Carpenter v. U.S. — the Supreme Court has not specifically ruled on the question of whether police can skirt Fourth Amendment requirements by buying vehicle location data.

As the Supreme Court observed in Carpenter, location records are very sensitive personal information. The collection, processing, and dissemination of our location information profoundly impacts and affects both our information and decisional privacy. Unlimited access to information revealing where we are, or have been, interferes with the rights of individuals to make intimate decisions and to keep these decisions private from the government. Our location privacy also implicates other rights, like our First Amendment rights to associate, speak, and practice our religion without government interference.

Given its ruling in Carpenter, the Supreme Court may ultimately rule that the government can’t skirt the warrant requirement by buying our location records from private entities. But we cannot wait for courts to rule on this issue. After all, the Supreme Court only required police to get a warrant to access cell phone location records in 2018, decades after cell phones were introduced on the consumer market.

And we have more than government surveillance to worry about, as well. People can also be grievously harmed by non-government use of these sensitive records. Just think of what an abuser could do with timely records showing where his ex-wife has been going, and when.

For these reasons, legislatures must take action now to prevent corporations from buying, selling, and making available our location information, before this industry grows beyond our control, and before millions of people’s rights are violated.

The Massachusetts Information Privacy Act Protects Our Location Privacy

Here in Massachusetts, lawmakers have filed comprehensive consumer privacy legislation that would protect this information, and much more. The Massachusetts Information Privacy Act, introduced this session by Representatives Rogers and Vargas in the House and by Senator Creem in the Senate, provides one of the country’s most privacy-protective statutory frameworks for data protection and digital consumer rights.

Among other things, the legislation imposes on companies duties of care, loyalty, and confidentiality with respect to the information they collect about people. To users and consumers, the bill provides for rights of access, correction, data portability, and deletion. It also grants the right to demand that companies stop collecting and processing our personal information.

Importantly, the bill also establishes crucial protections for location and biometric information.

First, it provides for especially strict rules to control how this information can be collected and processed. The general consent typically given to process personal information does not suffice, given the unique sensitivity of these records. Therefore the legislation requires specific, opt-in consent given by individuals before companies can collect location and biometric information.

Second, the bill imposes strict requirements on companies before they may share location information with the government. Following Carpenter, it imposes a warrant requirement for government access to location records. It also requires notice to individuals when this information is routinely shared under state or federal law, for example to comply with any law requiring companies like Uber and Lyft to share ride data with public planners.

Third, it bans companies from monetizing and profiting from the sale or other transaction involving our location and biometric data. Under this bill, companies are authorized to process an individual’s biometric or location information only if the company discloses the reasons for and nature of such use.

Finally, to ensure compliance, the bill provides for punishments against companies that engage in abusive trade practices, granting individuals a private right of action to enforce all the provisions of the legislation. In other words, if companies violate the law and collect your biometric or location records without your consent, you can sue them for monetary damages.

In these ways, the bill targets the supply chain behind the industry of buying and selling of sensitive personal material like car location information. If car companies or other data processors that collect location information cannot sell it, companies like the Ulysses Group will have no data to collect and aggregate, and thus no product to offer up to buyers—be they cops, feds, or creepy ex-husbands.

For far too long, we have tolerated corporations using — or misusing and abusing — our personal information to gorge on profits without any regulation or oversight. As we have seen, privacy cannot protect itself. We need strong laws to establish when and how companies can collect, process, and share our personal information. Here in the Commonwealth, that legislation is the Massachusetts Information Privacy Act.

If you’re interested in helping the ACLU pass strong consumer data protection and digital rights law in Massachusetts, sign up to get involved in our fight for a free and fair future for all.

 

This blog post was written by Technology for Liberty Policy Counsel Emiliano Falcon-Morano.