On Friday February 19th, someone drove past the Lake Merced Golf Club, along freeway 280, and was outside the Dignity Health-GoHealth Urgent Care facility. But their car was most frequently parked outside a specific address in the fancy Noe Valley area of San Francisco.
I know this because a company called Otonomo sells the granular location data of vehicles across the United States and the rest of the world. Otonomo also makes some of its location data available as part of a free trial. The data is supposed to be pseudonymous, linked only to a nondescript identifier for the car, but Motherboard found it is relatively easy to find who a car potentially belongs to and follow their movements. A source pulled data from Otonomo en masse and provided Motherboard with GPS coordinates of drivers in California, Berlin, and other cities, and that data can be mapped to track unsuspecting drivers wherever they go, and to determine their likely home addresses and identities.
Otonomo's data offering is a "privacy nightmare," Adam Schwartz, a staff attorney at the Electronic Frontier Foundation, told Motherboard. Schwartz added that the EFF has been concerned that the location data of vehicles would be "bundled and sold to data brokers, who want to turn a profit," and pointed to how Otonomo had some of this data on its public-facing website.
Do you work at a location data company, or are you a location data customer? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Otonomo, founded in Israel, has agreements with some car manufacturers to source location data from vehicles. An Otonomo presentation made for investors says the company has partnerships with 16 OEMs with an installed base of over 40 million vehicles, and that it collects 4.3 billion data points a day. The company also obtains data from telematics service providers (TSPs), other sources such as navigation apps and satnavs that can act as a proxy for a vehicle's location and movements. The presentation adds that in turn "thousands of organizations" have access to Otonomo's data.
"[TSPs] have operated on the cusp of this new wave of innovation, capturing data directly from cars to improve fleet operations. The Otonomo Automotive Data Services Platform gives TSPs new opportunities to [...] extract value from their data," an Otonomo product description reads. Jodi Joseph Asiag, head of content and communications at Otonomo, told Motherboard in an email that the data available to free accounts is provided by the TSPs, and that there is no "freely available automotive OEM data."
Gaining access to some of Otonomo's data is fairly straightforward. Motherboard created a free account on Otonomo's website using a Gmail address, entered a fake company name, and was able to request a spreadsheet of 10,000 location points from a specific U.S. state soon after. This data included a unique identifier Otonomo assigned to the device or vehicle, the recorded latitude and longitude, a hash of the source or provider of the data, and the street the data point related to.
The researcher source independently repeated this process and built a large collection of Otonomo data spanning different states and countries across time. Motherboard granted the source anonymity to protect them from retaliation from Otonomo. The source then determined which locations were most frequently visited by each vehicle in the data to find a potential home location.
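The home-inference step the source used is simple enough to show in full. The following is an added example written for this page, not code from the source or from Otonomo. It reads a CSV in the shape described above (a per-vehicle identifier, latitude, longitude, a hash of the provider, and a street), snaps each point to a roughly 100 m grid cell, and reports the cell each identifier is seen in most often. The timestamp column is an assumption added here so that overnight fixes can be weighted more heavily; every identifier, coordinate and street name in the sample is constructed and refers to no real vehicle or address.

```python
"""Infer a likely home cell for each pseudonymous vehicle ID from raw location
points, by counting the ~100 m grid cell in which each ID is seen most often.

Added example for this page; the sample rows below are constructed, not real
Otonomo data. The timestamp column is an assumption (the article lists only
identifier, coordinates, provider hash and street).
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_CSV = """vehicle_id,timestamp,lat,lon,source_hash,street
a1f3,2021-02-19T02:10:00,37.7512,-122.4313,9c1e,Street A
a1f3,2021-02-19T03:40:00,37.7513,-122.4314,9c1e,Street A
a1f3,2021-02-19T09:05:00,37.7221,-122.4881,9c1e,Street B
a1f3,2021-02-19T12:30:00,37.7041,-122.4702,9c1e,Street C
a1f3,2021-02-19T17:50:00,37.7951,-122.4012,9c1e,Street D
a1f3,2021-02-19T17:55:00,37.7952,-122.4011,9c1e,Street D
a1f3,2021-02-19T18:20:00,37.7951,-122.4013,9c1e,Street D
a1f3,2021-02-19T18:40:00,37.7952,-122.4012,9c1e,Street D
a1f3,2021-02-19T23:15:00,37.7511,-122.4312,9c1e,Street A
b7c9,2021-02-19T08:00:00,52.5201,13.4051,4d2a,Street E
b7c9,2021-02-19T22:30:00,52.5321,13.3801,4d2a,Street F
b7c9,2021-02-20T00:45:00,52.5322,13.3802,4d2a,Street F
b7c9,2021-02-20T07:15:00,52.5321,13.3803,4d2a,Street F
"""

CELL_DECIMALS = 3  # three decimals of lat/lon is a cell of roughly 100 m


def cell(lat, lon, decimals=CELL_DECIMALS):
    """Snap a coordinate to a coarse grid cell so nearby GPS fixes count together."""
    return (round(lat, decimals), round(lon, decimals))


def parse_points(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    points = []
    for row in csv.DictReader(io.StringIO(text)):
        points.append({
            "vehicle_id": row["vehicle_id"],
            "ts": datetime.fromisoformat(row["timestamp"]),
            "lat": float(row["lat"]),
            "lon": float(row["lon"]),
            "street": row["street"],
        })
    return points


def is_night(ts, start_hour=22, end_hour=6):
    """True for fixes between 22:00 and 06:00, when a car is usually parked at home."""
    return ts.hour >= start_hour or ts.hour < end_hour


def infer_home(points, night_weight=1):
    """Return {vehicle_id: {"cell", "street", "score", "points"}} for the grid
    cell each vehicle is seen in most.  With night_weight=1 this is the plain
    "most frequently visited location" heuristic; a larger weight prefers
    cells visited overnight, which separates a home from a workplace."""
    scores = defaultdict(Counter)
    street_for = {}
    seen = Counter()
    for p in points:
        vid = p["vehicle_id"]
        c = cell(p["lat"], p["lon"])
        scores[vid][c] += night_weight if is_night(p["ts"]) else 1
        street_for[(vid, c)] = p["street"]
        seen[vid] += 1
    homes = {}
    for vid, counter in scores.items():
        best_cell, score = counter.most_common(1)[0]
        homes[vid] = {"cell": best_cell, "street": street_for[(vid, best_cell)],
                      "score": score, "points": seen[vid]}
    return homes


if __name__ == "__main__":
    pts = parse_points(SAMPLE_CSV)
    for label, weight in (("most frequent cell", 1), ("night-weighted cell", 3)):
        print(label)
        for vid, h in sorted(infer_home(pts, night_weight=weight).items()):
            print(f"  {vid}: {h['street']} {h['cell']} score={h['score']} "
                  f"of {h['points']} points")
```

On the constructed sample, plain frequency picks the daytime cluster (Street D) for vehicle a1f3 because it has more fixes, while weighting overnight fixes picks Street A, the place the car sits at night. That is the whole attack: nothing in the data needs to be cracked, the identifier only has to stay stable across points, and a stable home cell plus any public record that ties an address to a person finishes the job. Coarsening coordinates alone does not defeat it; the identifier has to rotate or the dense clusters have to be dropped, which is the trade-off the second source describes below.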
"Even if they [Otonomo] have what they believe to be de-identification and aggregation, those techniques notoriously are ineffective at actually protecting peoples' privacy," Schwartz from the EFF said about Otonomo's approach to data privacy.
A second source who works in a company that uses car location data said that such data is "relatively easy to deanonymize."
"I don't believe there's truly a way to anonymize this data, without completely modifying it and losing its value," they added. Motherboard granted the source anonymity as they weren't authorized to speak to the press. "Perhaps you could delete all the frequently visited areas to try and remove the chance [of] mapping it to a residence, but even then, there's always the potential of joining it to third party sources."
When told about the large data scraping, Asiag from Otonomo said in a statement that "Privacy is at the core of our platform, technology and vision."
"This is supported by our growing list of patent pending technologies which are focused on providing secure, privacy-preserving, rich and harmonized vehicle data to application developers and service providers across the automotive and mobility spectrum. This vehicle data drives new innovative and valuable services benefiting drivers, smart cities and the transportation ecosystem as a whole. These benefits range from road services, increased road safety, improved urban parking, reduced congestion, and paving the way for the electrification revolution to enabling innovative insurance," the statement added.
Asiag said Otonomo's terms of service prohibit users from attempting to derive "either directly or indirectly, the identity of an individual from any data set."
"Your message suggests that you, or the individuals that have shared with you data sets derived from free trial accounts, have used the data to identify individuals. To the extent that this was the purpose and the use in practice of the data, we request that you cease this type of processing and permanently remove any instance of these data sets," Asiag added in an email to Motherboard. Having a clause in a company's terms of service that asks users not to try and deanonymize people may not be generally considered a robust protection; malicious parties often violate terms of service to produce their own privacy-infringing products, such as facial recognition company Clearview AI scraping images from major social media sites.
Asiag said that "TSPs typically provide data from aftermarket telematics devices and not directly from a modem built into the vehicle by the vehicle manufacturer," and said that "TSPs have approval from their customers to share this data."
Otonomo may, however, face problems with how it handles consent and its data under the California Consumer Privacy Act (CCPA), the state's privacy law, which governs user consent to the collection and sale of personal data and related issues.
"Unless Otonomo is specifically listed in every one of those agreements, that is not going to reach the 'freely-given and unambiguous' threshold for consent, particularly if users are unable to purchase the cars without providing their data to Otonomo. In addition, there would have to be consent for Otonomo to sell/share that personal data with additional parties (which, under their current practices, appear to be literally anyone)," Calli Schroeder, a privacy attorney, told Motherboard in an email. "Essentially, they're making a lot of consent claims here that I'm not sure they can back up. In addition, it's unclear whether the obligation to obtain consent extends to service providers like TSPs. That could be a real area of liability as well."
Schroeder also pointed to problems with Otonomo's opt-out mechanisms; following the "Do Not Sell My Personal Data" link at the bottom of Otonomo's website directs visitors to a page where they must select their region, and then asks them to create an account.
"Current understanding is that you cannot force a user to create an account in order to exercise their rights. There is a privacy email listed as well, but it's unclear whether users can actually exercise their rights this way or whether they will be redirected to the portal," Schroeder added.
Andrea Amico, the founder of Privacy4Cars, which sells tools to help dealerships remove data from vehicles, told Motherboard in an email that "Most consumers don't know that when they purchase, lease, or rent a car, they inadvertently consent to their data being collected and shared with third parties, and the third parties of the third parties, and so on. Even when they do, it is very uncommon for vehicle manufacturers to publicly disclose the individual names of any parties with whom they share personal data."
"Consequently, while individuals around the world gain more and more rights over their data, the extreme murkiness of the automotive data ecosystem means it is very, very challenging for drivers and vehicle occupants to exercise those rights in practice—because they have no idea who has their data in the first place!" he added.
Representative Anna G. Eshoo told Motherboard in a statement that "The results of this investigation are extremely troubling and speak volumes to the need for stronger privacy regulations. That’s why Congress should pass comprehensive privacy legislation, as I've proposed in the Online Privacy Act, to protect Americans from malicious use of their data."
Asiag said Otonomo has now introduced more vetting to the free account creation process on the company's site. Otonomo's website now offers potential users access to a 30-day free trial if they contact the company, rather than the trial just being open for anyone to use immediately.
"Otonomo will conduct further internal review and explore ways to strengthen the ability to prevent unauthorized use of the data. To that end, in the short term we have removed direct access to the free trial from our website and added additional layers to the vetting process prior to granting free trial access to the limited randomized data on the platform," she said.