Carmakers’ shady data sharing takes spotlight in GM connected car scandal


A cartoon of a car, with a straw coming out of its roof, and a cloud coming out of the straw

Aurich Lawson | Getty Images

Few Ars readers will have been surprised by the news from last week concerning General Motors’ connected cars. As The New York Times reported, some owners of vehicles made by General Motors have been having a hard time getting car insurance. The reason? They unwittingly agreed to share their driving data with a third party. Now, at least one driver is suing. If more follow suit, this could be the push the industry needs to do better.

The heart of the problem is one of GM’s OnStar connected-car services, called Smart Driver. We’ve tested it out in the past—it monitors things like how fast you drive, how hard you accelerate and brake, how often you drive at night, and your fuel economy, then uses that data to generate a numerical score from 0 to 100, with a higher number indicating that you’re a safer driver.

These kinds of services can be useful—most people think they’re great drivers until they start getting independent feedback. And the data that Smart Driver collects really can help you drive more economically and with less risk. But as I noted at the time, I was glad my insurance rates weren’t at risk via data sharing with an insurer.

However, buried in OnStar’s privacy notice is the revelation that GM can and will share user information with third parties, including “usage-based insurance providers.”

I’m sorry, I agreed to what?

In fact, that doesn’t quite appear to be the case here. GM shares this driver data with LexisNexis Risk Solutions, a data analytics company, which, in turn, shares the data with insurers.

It’s easy to sympathize with someone who discovered all that had happened without their knowledge. Romeo Chicco, who is now suing GM and LexisNexis, alleges just that. “What no one can tell me is how I enrolled in it. You can tell me how many times I hard-accelerated on January 30 between 6 am and 8 am, but you can’t tell me how I enrolled in this,” he told the NYT.

“The fundamental challenge when it comes to informed consent is that the business relationships ultimately end up being a lot more fluid than a click-through agreement might have,” explained Tim Mackey, head of software supply chain risk strategy at Synopsys Software Integrity Group.

“But when it comes to having the normal human be able to determine whether or not they have agreed in any way to data collection or data sharing, as the New York Times article highlighted, about what Mozilla highlighted, fundamentally, it’s very difficult to know if a disclosure is deep within 2,000 words of… heavy, dense text,” Mackey told me.

Europe implemented its General Data Protection Regulation (GDPR) in 2018, enacting tough protections for personal data and restrictions on how it can be shared with third parties.

California and Massachusetts have also passed data privacy laws. In 2023, the California Privacy Protection Agency announced it was looking into the data privacy practices of connected vehicle manufacturers. With good reason, too—within a month of that announcement, the Mozilla Foundation published a scathing report claiming that “cars are the worst product category we have ever reviewed for privacy.”

“But they fundamentally are around some level of consent, not necessarily ongoing awareness,” said Mackey. Indeed, virtually every connected car service uses a one-time approval, usually of an end-user license agreement that’s presented in a way not conducive to being easily read and understood, generally at the time of purchase.

And that’s assuming the person doing the consenting actually has the legal right to do so. “In that New York Times article, there were some individuals who believe that they may have had the salesperson of their new vehicle going through the click-through agreement, perhaps during the entire process of demonstrating all of the features of the new car,” Mackey pointed out. “The ability to actually go back and see what was agreed to is relatively challenging in vehicles,” he continued.

“There’s no obvious place where you can go and say, ‘I have agreed to X, and X entails sharing of this type of information with these parties for that purpose.’ And while I do believe that the GDPR-like scenario would be beneficial, I honestly don’t know how much of this behavior is also happening in Europe,” Mackey said.
