The report, released publicly this week, evaluates the practices
of ten firms that enable location-based services for vehicles,
including six auto manufacturers: Chrysler, Ford, General Motors,
Honda, Nissan and Toyota.
Navigation device makers Garmin and TomTom, along with map and
navigation application developers Google and Telenav were also included. The report
looked at the types of car-related data collected by the firms,
what they use it for, and whether their privacy and data protection
practices jibe with industry guidelines.
All of the automakers share location information with third
parties, according to the GAO, to provide services such as traffic
information, connections to live operators, or telecommunication
and information processing for global positioning systems, known as
telematics. All firms evaluated share location data with law
enforcement, and some offer aggregated data not associated with
individuals to "university research programs, the National Highway
Transportation Safety Administration, and state departments of
transportation for research purposes…and to improve
information about traffic patterns for infrastructure
Location data could theoretically be sold to insurance firms to
better target services based on driving habits or to aim ads at
drivers based on where they are. Through small devices installed in
cars by a small crop of beta testers, mobile app developer
Dash Labs tracks 300 data points including the car location,
the type of vehicle being driven, who's in it and the time of day
the driver is behind the wheel. The firm, not evaluated in the GAO
report, aims to sell the information to insurance firms or
automakers, and counts Foursquare founder Dennis Crowley among its
"Dash will not share individual driver data with third parties
without explicit opt-in from the user," said Jamyn Edis, CEO and
founder of Dash Labs.
The GAO report suggests that the companies' disclosures about
privacy practices are sometimes unclear. "Without clear disclosures
about the purposes, consumers may not be able to effectively judge
whether the uses of their location data might violate their
privacy," notes the "In-Car Location-Based Services" report,
originally provided last month to Mr. Franken, chairman of the
Privacy, Technology and the Law Subcommittee. "Furthermore, risks
increase that data may be used for purposes the consumer is not
expecting or to which the consumer might not have chosen to agree,"
adds the report.
The GAO recommends the companies give people using their
services more control over the location data collected. "None of
the 10 selected companies allow consumers to delete the location
data that are, or have been, collected," states the report. Some of
the firms do not retain location data, or they de-identify it so it
cannot be connected to individuals. However, four of the firms
reviewd, which go unnamed in the report, do store location data
tied to individual vehicles.
"In such cases, consumers are unable to prevent the retention or
use of retained data, should they wish to do so," notes the
The researchers also indicated that a contractor working with
three of the firms studied may store data including specific
locations visited, vehicle identification numbers and other
information for as many as seven years.
The longer data is stored, suggested the GAO, "the more
vulnerable the data are to use by bad actors, such as hackers, or
to unauthorized third party access."