1y ago

Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies

www.nytimes.com

Kenn Dahl says he has always been a careful driver. The owner of a software company near Seattle, he drives a leased Chevrolet Bolt. He’s never been responsible for an accident.
So Mr. Dahl, 65, was surprised in 2022 when the cost of his car insurance jumped by 21 percent. Quotes from other insurance companies were also high. One insurance agent told him his LexisNexis report was a factor.
LexisNexis is a New York-based global data broker with a “Risk Solutions” division that caters to the auto insurance industry and has traditionally kept tabs on car accidents and tickets. Upon Mr. Dahl’s request, LexisNexis sent him a 258-page “consumer disclosure report,” which it must provide per the Fair Credit Reporting Act.
What it contained stunned him: more than 130 pages detailing each time he or his wife had driven the Bolt over the previous six months. It included the dates of 640 trips, their start and end times, the distance driven and an accounting of any speeding, hard braking or sharp accelerations. The only thing it didn’t have is where they had driven the car.
On a Thursday morning in June for example, the car had been driven 7.33 miles in 18 minutes; there had been two rapid accelerations and two incidents of hard braking.

World News @lemmy.ml

NightOwl @lemmy.ca

1y ago

Automakers Are Sharing Consumers’ Driving Behavior With Insurance Companies

www.nytimes.com /2024/03/11/technology/carmakers-driver-tracking-insurance.html

146 comments

I think this should be legally prohibited. Also is it possible to physically disconnected the network modules so they can't send anything?
- If it doesn't already, that's probably going to put you in the high-risk group with other car modders.
  
  It will be cat and mouse, but I would imagine for the time being, disconnecting the cell antenna on the board would stop it. Who knows what kind of, if any bullshit extra errors and codes that will keep popped up but I'm guessing if it became a popular thing, they would start making cars that will create bullshit errors and codes. I wouldn't do anything permanent until the warranty period is over.
  
  How dare you demand privacy!
- Simple answer that should always work: surround the chip/antenna with a faraday cage. The hardest part is finding the chip, not in disabling it.
  
  Why not to just break the antenna (or whatever it has) in half? It's much simpler and shouldn't cause damage to the chip itself
- I can't wait to see tuturials. I don't know much about cars and would love to see people disable these, or perhaps do something malicious. Not that I have a new enough car yet, but I know one day it's going to be unavoidable.
  
  As long as you know where they are, a simple faraday cage should work perfectly. Basically, surround the module with an electrically conductive material to catch radio waves.
- I'm sure it's possible, but I'm sure they've made it as painful as it can be.
  
  Most likely the module, if it is a separate module and not part of the SoC of the infotainment system or whatever, works over CAN bus and the car will throw errors when it doesn't detect its presence, or doesn't detect the SIM card. Might even refuse to start if that module is missing. Might be possible to remove the antenna so the car thinks it's just outside of the service area, but if it's built into the PCB and the PCB is cast into resin/silicone for waterproofing, even this might be extremely difficult. Probably the module is also serialized so replacing it with a "dummy" module or a module from a junkyard won't spoof the system, either.
  Manufacturers have been serializing even airbags for years, making replacing a faulty one with one from a junkyard impossible.
  
  I’m sure it varies widely. In Toyota’s you can call in to disconnect (I did it while waiting for a tire pressure machine) but to do it physically you pull a single fuse and the trade off is losing the microphone.
  Others have pulled the dash and disconnected antennae but it just reduces the range of the box since it’s a cellular radio like a phone.
- Somebody could go to jail for this. You.
  The DMCA makes it a felony to circumvent protections in services. If they wanted to push this and depending on the system disabling or using some hack to bypass could be illegal.
  I don't think that anyone would actually bring the case against an individual, but a company selling any sort of device or instructions to make it easier for people could be targeted.
  
  If they make disabling spyware illegal, I'll do it anyways because human rights. If they decide to charge me for it, I'll just consider it a violation of my freedoms
Comprehensive privacy law time? Nahh just ban the Chinese EVs and pretend this doesn't happen. Same thing as tiktok. You'll never be protected as long as they can point to the Chinese boogyman.
- Yeah, I feel like that's why the EU has such strong privacy regulations. Tech giants in our market are mostly either state-tolerated&-utilized monopolies from the US or state-owned monopolies from China.
- There's also the potential that raising concerns of Chinese spyware raises more concern of the rest of it. They should continue raising those concerns about them all. And ban all the spyware.
"Sharing" is a funny way to word a headline. They are selling it, for a profit, because it's legal. It's immoral and shady as hell, but "prevent it or expect it" applies here.
- Yeah should say "currently legalized sales of personal data" to emphasize that this sort of thing is illegal in many other regions.
Last time I drove a rental car I was constantly aware that it was probably tracking everything I did, sending that data back to its owners, who would then sell it on to data brokers and insurance companies and whoever else wanted it.
It was sort of tolerable on a temporary basis, until I got to driving along a road where the speed limit had recently changed. The car helpfully displayed what it thought the speed limit was, and suddenly I had to choose between driving safely and driving according to what the computers presumably wanted to see.
Drivers of the world, do not let your cars have Internet access. No good can come of it.
- Classic JDM shit boxes till I die. Used to be a joke, but since cars have become what are essentially IoT devices, it's become real. 🥲
- Yes, the only access to the Internet a car should have is through my phone in an opt-in basis. That way I can stream music, map directions, etc through my phone that I've already made somewhat secure.
- That's not always a choice, without hurdles. I have a truck with it, but I would have no idea how to disable it short of cutting the antenna wire for it.
  
  Yes, that is exactly what you should do. Remove the antenna.
- Your anecdote isn’t meaningful. That’s simply an outdated map software.
  
  It serves as a convenient representative example of the ways in which such systems can go wrong.
  
  That assumes the outdated map software manages to somehow make an accurate report. Most likely, if it makes one, it'll be "Going X over a Y MPH area" even though Y is wrong, or it'll be just "speeding by X MPH for Y seconds/minutes". Either way, nobody is likely to verify and correct the data, so you could be punished for perfectly safe and legal driving.
  
  Which then reports back to LexisNexis that you are speeding through an area, which is then reported to insurance companies who in turn flag you as a dangerous driver, raising your premiums.
  
  The anecdote doesn’t necessarily prove anything but it is conceivable that stretch of road is mismarked in multiple systems.
  
  Some cars don't just rely on maps and attempt to scan speed limit signs on the side of the road but doesn't always see the sign or update accurately.
We need to start poisoning this data. I don’t think the solution is to cut the wires, I think it’s to send bogus data. Just make it so that no matter how I drive, the data is always overwritten that I traveled 5 miles at 30mph average with no hard stops and no hard accelerations. I only ever make that trip. Wanna base my insurance off that? Go for it.
Anyways I lack the technical ability to do this, but wonder if some enterprising person could hack the obd to constantly overwrite the data here.
Again I want to poison this data. It should be illegal, but it’s not. Companies will charge me more if I block it. So the solution is data poisoning imo.
Incidentally we need to be poisoning ALL data brokers and collectors for these types of things.
- Incidentally we need to be poisoning ALL data brokers and collectors for these types of things.
  Go here for a good start: https://adnauseam.io/
  
  Thank you for sharing!!
- It might be nice if auto reviewers included a "privacy rating" for a vehicle based OK whether it broadcasts anything via radio (e.g. cell or tire-pressure systems can be used to identify someone). It's not just auto manufacturers, but anyone who wants to set up a radio monitoring network, if there are unique IDs being broadcast.
  I don't know how a reviewer could know whether there's a way for a manufacturer to gather logs during maintenance.
- i think we should also flood them with so much data it cant keep upnandevendecipher what is really anymore. Same for computer habits. Flood it with random data.
  
  Use AdNauseam
- I'll take the route of I'm not going to own a car that will tell on me, or I will make that car not report.
We don't have to worry about the government tracking us everywhere we go. These corporations will do it for them and then sell the data for a proft.
- What a great use of my tax dollars.
- Not will, do: https://www.politico.com/news/magazine/2024/02/28/government-buying-your-data-00143742
  This is how you radicalize a populace. Fuckin stupid move.
- That's right. The thing that anti-government people seem to forget is that, left unchecked, corporations are much worse than oppressive governments. Democratic Nations need to be vigilant of both.
- The government buys your data, too. And not just your government.
  For any legal case, government or your spouse's divorce attorney, it's a low bar to soupeana "business records" from these companies.
  The US needs stronger data protection and privacy laws. Unfortunately, the corporations buy enough politicians to prevent it.
- Unfortunately one of their customers is the government, so we still have to worry about that too.
- Flock Safety has entered the chat
I still have my 2010 Mazda 3. The only tech it has is Bluetooth connectivity for phone and music and some voice commands for calls.
The day I will change cars will be the day my car completely dies and there's nothing I can do about it, or it becomes illegal to drive, or it gets wrecked in an accident.
I don't ever want the new cars. I hate hate hate the stupid touch tablets they've put to control everything instead of physical knobs, and now this fucking crap where your car spies on you and rats you out to you insurance company.
- They can pry my 2007 Tundra from my cold dead hands.
  
  2008 Crewmax SR5, bought new 12/2007. I feel exactly the same way.
- Agreed.
  I now need to root my Android and put a new OS so it stops telling Google where I am. I'm slightly afraid as I just want my phone to work when I need it.
  I'm sure T-Mobile uses my location data for something too.
  
  Everyone calls me paranoid for even just giving a shit about being spied on. Am I supposed to enjoy getting reamed by the rich?
- Later model 3 but definitely lower-tech (has the touchscreen nonsense but no internet or anything) and I plan on running it as long as possible lol
  
  I don't know how to tell you but just because the Car can phone home with cellular - doesn't mean you will see it as a free Internet Browser.
- Apparently a part of that is that EVs are more expensive to insurance companies, so they are spreading that cost around.
  My insurance jumped by about 20% as well, after discounts from shopping around.
  It cant just be EVs, but when i was searching this was the main reported factor.
  Or, all the insurance companies just decided to massively bump rates
  
  My understanding is that they all got together and decided to raise rates across the board.
  
  My completely uninformed guess is:
  we all forgot how to drive like normal people during/after lockdowns and,
  cars continue to get bigger and heavier, so accidents are more likely to result in total loss
  
  I bet you all the insurance companies are using a service that provides pricing via algorithms. In their opinion it's not collusion, just math.
It would seem that I'm going to be driving old cars until I die. I also like manual instruments and gauges that make sense. I don't need to watch Netflix rolling along at 70mph. Before anyone schools me on my carbon footprint, I get 37mpg and a tank lasts me about a month.
- Just got my 2014 RAV4 and I'm in love. I was using rentals between vehicles and Holy Fuck do I hate modern cars. WHY do we need a fucking DIAL for the gear shift? Or BUTTONS? Why do I need a fucking 18" display!!
  
  I was pissed that there was no aboiding getting an infotainment system in the car i bought last summer. 2015 Subaru Crosstrek has a sluggishly slow touchscreen that is a danger. Then i took a ride in my uncle's 2022 Outback last year and it felt like a freaking slot machine at a casino. Every control ran through it and it was still disgustingly slow and sluggish.
  
  Push button transmission? It's been done before.
  Of course back then distracted driving was digging through the box of 8 track cassettes.
Kinda like those who choose to be in the Progressive Insurance "Snapshot" program where you install an OBD2 dongle that reports a lot of data about your driving habits back to Progressive in the dim chance you drive so well that they will lower your rates.
- Big difference is consent.
  
  Very true, I was focusing more on the story's driver being "surprised" and "stunned" by the amount of data collected and that all that date didn't convince an Insurance Company's algorithm he was a driver worthy of paying them less than his current premium. I expect upwards of 90% of drivers would be stunned as well that they are not as good of a driver as they imagine and that "I've never having an accident" doesn't carry as much weight with the algorithm as they might have hoped.
- Surely theres someone who has a rasberi pi that reports fake data to this thing? Yes, insurance company, I drive like a Grandma. You're welcome, now give me my discount.
  
  I feel like fraud is a big risk for, what, less than $100/mo? You can do better.
  They're literally an insurance company. They have lawyers coming out of their ears.
  
  It'd be cool if you could tap into the OBD2 dongle and find what its criteria is that denotes "rapid accelerations" or "hard braking" and them reprogram it to dampen that curve and never report more than maybe 5% less than what would trigger an acceleration or braking flag
  
  It's fine till you have an accident. Then your completely fucked.
  Those deals, at least over here, are generally aimed at new drivers. I actually agree with them, to a level. It lets the insurance company rapidly sort the safe drivers from the idiots, and so discriminate on prices. It also trains new drivers to be safer. I remember how fearless I was when starting out. The quicker we get new drivers out of that mindset, the better.
But you don't have to worry if you got nothing to hide... /s
- I've seen people drive. They definitely would want to hide their driving habits from insurance companies
  
  Your driving record should speak for itself. I don't need nor want insurance companies tracking people's private lives.
Louis Rossman has more than one video on the topic of newer cars that are basically always connected to the internet and all of the data harvesting they do. Here's one
https://yewtu.be/watch?v=OYcmF9IAJbU
- Is there any way you can sever that connection, or does it brick the car? I don't want my car connected to anything. Ever.
  
  On some vehicles, you can apparently disable it.
  Here's what one guy found works on a 2023 Corolla, where it's getting increasingly-more-of-a-pain-in-the-ass than in earlier models:
  https://www.bitchute.com/video/epzioGDOdTeo/
  Apparently, it used to be possible to just pull a fuse out of the user-accessible fuse panel in prior years, but that got moved to some internal-to-the-dash panel that's hard to get at.
  It also apparently disables the microphone (which you may or may not want disabled) and the front driver's side speaker unless you also run wire leads bypassing the DCM.
  I'd also add that I don't know for sure what any other impact is. I'd imagine that it voids your warranty. I don't know if the car manufacturer relies on this communication mechanism to push out firmware updates for the car, but if so, I suppose that one might not get firmware updates.
  I also don't know whether the vehicle maintains local logs, even if it's not uploading them, so I'd guess that someone who can get physical access to the car might be able to get ahold of data that might have been sent to the manufacturer via the cell network. I don't know whether part of the maintenance process might also involve uploading logged data to the manufacturer; I could imagine that being the case.
  Apparently some older Hyundais disable themselves, because they can't speak newer cell phone protocols, and those older cell towers are going offline, which causes the connectivity to be severed.
  https://owners.hyundaiusa.com/us/en/resources/blue-link/2g-3g-wireless-service-update
  EDIT: Note that even aside from the telemetry, one point that a number of people brought up when I was reading about this is that apparently car tire pressure systems also do surprisingly-long-range radio broadcasts (i.e. they really only need to go from the tire to the rest of the car, but can be picked up miles away) with apparently a unique ID, so while it's not phoning logged data home, if someone has a radio listening for it, they can detect and log unique identifiers of cars within range. If you have enough people with receivers participating in a network (the way people have with AIS for ships and ADS-B for aircraft), then you can build a map of where vehicles travel, particularly if you can correlate signal strength across multiple receivers.
  I'd imagine that you could cross-correlate any unique IDs being broadcast over the radio with license plate numbers and an image of the vehicle if you stick a camera somewhere aimed at a high-volume road, like an interstate highway. A single encounter probably isn't enough to link license plates or the like -- there will be multiple vehicles in broadcast range. However, once a vehicle has passed such readers twice, that's probably enough information to uniquely identify the vehicle, since it'd be unlikely to have two different vehicles both in range of the receiver at the same time. Any additional encounters with just add confidence. I don't think that it'd take a great many such readers to get a national database built up pretty quickly.
  considers
  I suppose that if you can correlate that with personal cell phone IMEIs -- cell phones broadcast unique identifiers in the clear that are linked to the phone, not just to the SIM -- that you could also do a pretty good job of determining who rides in a given vehicle, which is probably commercially-useful information.
  
  The issue is the cellular modem built into most cars nowadays. It can vary in difficulty to disable or remove, with the added bonus of potentially taking other services that are attached to it such as Bluetooth. It fucking sucks. I don't know more details than that.
Moving from 64 to 65 also moves you to a different age bracket, I would guess that this is the main reason he saw a general rise on his insurance cost from all the other insurance companies.
- True, but the insurance agent told him the spyware report was a factor.
- Age buckets are so archaic
  
  I disagree, they're effective and a reasonably privacy-friendly way of predicting risk. Younger people are generally more aggressive drivers than older people, and older people generally have worse reactions than younger people. It's one of the strongest indicators for driving behavior before an infraction is recorded.
  I don't like it either, but it's better imo than using one of those driving meters.
  
  I think they totally have the computer power to use an hyper parametric model with each age as own variable. A problem this could had, is that they are not going to be enough older adults to accurately assess the risk of them and the model could end showing that 80yo's are better drivers than 30yo's.
I will end up living in the woods at this rate.
- Stay outta my tree!
- Planet Labs saves an image of the world -- including whatever woods you're referring to -- at 3-meter resolution every day.
- I desperately wish I could be satisfied living such a life. I have wanted to disconnect completely for a couple of years already. But I know myself and I know I'd be ill-suited for such a life.
We didn't see that one coming huh
meanwhile I have to pre fill out some forms so the sherrif office can track it if its stolen. It cracks me up how the government getting things is a big deal but corpos then no worries.
Is there a way to disable this? Does it report though android auto? Is there a way to prevent those packets sending?
- Varies widely. In Toyota’s you call via the SOS button, have your VIN and they can do it. There are also other direct ways like pulling the Mayday fuse to disconnect the “Data Connection Module” (DCM) but that takes the microphone with it.
  Some older vehicles that have 3G radios might not have been disconnected explicitly but are as good as dead because 3G as they knew it is gone.
  It does not report via Android Auto since these vehicles have their own cellular radios, but not to say Google has its own metrics.
  Your best bet is looking for a car/make-specific forum or subreddit and see if anyone’s asked the questions before while ignoring the “nothing to hide, you have a phone lol” clowns.
  
  I was going through a reddit post that asked a question how to remove network on a Tesla model 3 and they were all like "I've got nothing to hide" "you're cheating on your wife" etc. However, I did find some schematics and there are guides on youtube.
  https://olegkutkov.me/2021/06/10/tesla-model-3-us-lte-modem-replacement-and-some-reverse-engineering/
  https://teslamotorsclub.com/tmc/attachments/tesla-model-3-sim-replacement-guide-pdf.563266/
- The car has a cellular connection and whoever manufacturers the car probably pays for it.
  How to disable? Probably not without breaking something else. You could at best block the Connection with Lead foil but you'd have to find where it was. You might lose all Connection though - Bluetooth, FM/AM
  
  If it's not through android auto, I'm fine just connecting though a hardwired USBC to my phone.
Is that the whole text of the article? (paywall) Was there any investigation as to the source of the data on the report? ~~As this is a leased vehicle, I would not be surprised if the data came from a dealer module that they use to immobilize and locate the vehicle if you miss a payment or otherwise violate your lease.~~
According to the report, the trip details had been provided by General Motors
https://archive.ph/lmMp9
- Car companies are directly sending this data to the brokers in exchange for “low millions of dollars.” Imagine destroying all consumer trust in a multi-billion dollar brand for so little. I would never even consider buying a GM or any brand involved in this.
  
  EVERY brand is involved in this. Mozilla org investigated literally every car manufacturer available in the United States last year and gave them all an F for privacy.
  
  Yeah, I had thought about buying a Bolt because they're reasonably inexpensive EVs, but this is a definite nope from me.
- Unfortunately its not a third party module but manufacturer built-in features.
  Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have started offering optional features in their connected-car apps that rate people’s driving. Some drivers may not realize that, if they turn on these features, the car companies then give information about how they drive to data brokers like LexisNexis.
  
  Wow optional is a big word here that should be at the very top of the article and this discussion.
Am I the only one who doesn't find this surprising. All these big car companies making drivable spyware and who would probably want that data? Insurance companies. This is why my first car I'm gonna tear out the modem.
- Surprising? Hell no. Infuriating? Fuck yes. Your accident records should speak for themselves, not some bullshit algorithms calculating if yOu AcCelLerATeD ToO fASt or not. Get the fuck outta here with that baby shit.
- I'm not surprised it happened, but a little surprised how quickly it happened. Most insurance companies still offer a plan where you voluntarily plug in a tracker to monitor your driving in exchange for lower rates if you're a good driver, so it's extra fucked that they're doing the same thing to presumably everyone with an internet connected car without even telling them upfront, let alone getting consent.
- So basically all modern cars. There are methods to rip it out. It can be really complicated or easy depending on the model. I think some dealerships also have their own box.
Not at all surprised by this. I sold my car a decade ago, I just hope motorcycles can stay dumb for longer.
258 pages?! That's half of MS's office format specification!
I work in fintech and I had glimpses of raw API data that credit agencies, Mastercard and LexisNexis provide (among others). It's crazy detailed. Even just our query increases the query count by one and provides at least ten data points on the why and when.
I'm not surprised that the car manufacturers are selling this data to LexisNexis who in turn sell it to insurance companies.
Wrap the modem in tinfoil.
So what's the results? Which generation is better at driving? Which age group is more conservative with fuel usage? Hmm?
- They're all bad. 20-50% rate increases across the board!
- /s and I’m just stupid or is that really your key takeaway ?^^

146 comments