GPS-based car insurance faces security concerns

As I have written about here in the past, a broad coalition of organizations, from consumer rights groups like the Consumer Federation of California (us) and Consumer Watchdog, to privacy rights groups like the ACLU, Privacy Rights Clearinghouse, and the Electronic Frontier Foundation, are opposed to Assembly Bill 2800 (Huffman).

This so called "Pay as You Go" law would requires insurance companies to base the auto insurance rates charged in California primarily on a motorist’s 1) driving safety record, 2) annual miles driven and 3) years of driving experience.

There are a number of reasons why our coalition opposes this kind of policy-making - most notably related to privacy and economic justice. Before I get to the privacy aspects, here's a bit more on why this a bad bill.

AB 2800 would create an unfair system of insurance discrimination in which similarly situated policy holders would pay different prices. Under AB 2800, an insured who participates in an insurance company’s optional “green” plan would pay a lower insurance rate than a similarly situated policy holder who drove an identical number of miles but who did not participate in the same insurance company’s “green” plan. If every other factor about the policy holders is the same, the fact that one is not a participant in a program would unfairly result in a higher premium under AB 2800.

Now to the privacy aspect of the bill, and how it relates to the article I'm going to post today. AB 2800 would allow insurance companies to require drivers to use technological devices in their cars, or pay a higher rate if they refuse. The mileage program is nominally “voluntary,” but its permissive language would result in mandatory GPS monitoring, since a driver would be forced to pay more if he or she did not participate. There is no language in the bill limiting the information that an insurer may collect from a GPS device.

This raises significant privacy concerns regarding collection of data on consumers’ driving habits, destinations and other information that is not germane to the objective of verifying the total miles driven.

Now I point you to exhibit A - an article in Computing, a UK web magazine.

Angelica Mari reports:

The adoption of GPS technology for underwriting processes in the automotive industry may present potential security concerns. While wrong use of data could have an adverse effect in ways that might not have been foreseen, such as affecting house prices, the same ambiguity can also be found in the automobile insurance space.

...

But despite its apparent attractions, management of the technology represents a challenge to businesses, said Martha Bennett, research director for financial services at analyst Datamonitor. "The question is, how do insurers ‘draw the line’ when the driver switches off the system – do they switch it off legitimately because they are on their lunch hour, or do they do it deliberately because they are about to commit a crime?”

...

In such schemes, GPS-based systems are used to assess premiums to be paid by insurance companies depending on whether cars run on accident-prone areas, but there is also the potential risk of privacy invasion.

“Other points of debate include the right for police or government agencies to ask for such data and how long the data should be kept if they ask for GPS records from insurer, because there is reason to believe a vehicle has been used for a crime,” said Bennett.

I suspect this debate over using GTS monitoring to determine insurance rates is in its early stages, and apparently the UK, as with California, are examples of what's to come. What's interesting about these two, is the UK is notoriously bad on privacy rights issues and California is notoriously good. We'll see how this issue plays out in each, and how that might influence future debate in other states and nations.