The California Department of Motor Vehicles is selling drivers' data to private investigators and bail bondsmen, according to an internal DMV document obtained by Motherboard. The document in all lists nearly 98,000 entities that have had access to some form of DMV data, including trucking companies and insurance firms.
The revelation highlights how not only private companies are in the business of selling information but some government bodies as well, and has reignited calls for laws around drivers' data to be changed. The news comes after Motherboard previously revealed that the California DMV makes $50 million a year selling data of drivers.
"The vast sale of Californians’ personal information to bail bondsmen, private investigators, and other bad actors is an appalling betrayal of the public’s trust," member of Congress Anna Eshoo, who represents California's 18th Congressional District, said in a statement when Motherboard described the findings.
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
The document lists all so-called commercial requesters for California DMV data as of December 2019. Motherboard obtained the document through a California Public Records Act request. The specifics on the California DMV providing data to private investigators in particular has not been previously reported.
After residents give DMVs their personal information in exchange for a driver's license, DMVs then often sell some of that data. Depending on the state, that data can include a driver's name, address, nine-digit ZIP code, date of birth, phone number, and email address. In its public records response, the California DMV said residence addresses "will only be released in limited exceptions."
A wide range of businesses purchase this information, including firms who may need to contact vehicle owners in the event of a recall, or insurance or tow companies. Employers also receive data under the Employer Pull Notice program. The DMV explained in its response that "These employers are mailed a driving record when an employee is enrolled and when a conviction, accident, license suspension or revocation, or any other action taken against the employee’s driving privilege is added to the employee’s driving record." The "vast majority" of the commercial requester accounts are participants of this program, the response added.
However, many companies in the list include private investigators who explicitly market their services as including surveillance, as well as investigations into alleged infidelity.
"Infidelity and family matters as well as corporate and business dishonesty have become a large part of AIS's services," one investigator firm, called Affiliated Investigative Services, describes itself online. One review for another private investigator firm included in the list recommends them for "cheating spouse" cases. One private investigator included in the list claims on his website that he worked as a Personal Security Specialist for Elon Musk at Space X.
Several private investigator firms included in the list did not immediately respond to a request for comment. One private investigator who has bought DMV records in another state previously told Motherboard he does so "to get driver license [sic] information on subjects I may be investigating."
Some of the investigation companies included in the document no longer appear to be active. The list of commercial requesters also includes multiple bail bondsmen firms.
The California DMV told Motherboard it has terminated or suspended a commercial entity’s access to the data based on improper access or use of the information. Multiple other DMVs have previously said they have cut off data requesters after they abused access to the information.
“The vast sale of Californians’ personal information to bail bondsmen, private investigators, and other bad actors is an appalling betrayal of the public’s trust.”
As part of its public records response, the California DMV told Motherboard that it follows applicable state and federal laws around the disclosure of driver license or vehicle registration information. The DMV added the "department is statutorily required to provide certain driver- and vehicle-related information and is permitted to recover its costs for doing so."
The California DMV told Motherboard "the DMV does not sell information, but recovers the cost of providing information as allowed by law."
The sale of driver records is legal under the Driver's Privacy Protection Act (DPPA), a law written in 1994 after a stalker hired a private investigator and obtained the address of actress Rebecca Schaeffer from a DMV. The stalker then murdered Schaeffer. The DPPA included a list of exemptions for certain businesses that could still obtain DMV data however, including an explicit section on private investigators.
Privacy activists and policymakers have called for changes in legislation around the DPPA since Motherboard revealed the widespread sale of DMV data across the country. At the start of August Eshoo led a group of nearly a dozen lawmakers and wrote to the California DMV looking for answers on how and why it generates revenue by selling such data.
"This kind of abuse is exactly why I led federal and state lawmakers in writing to the DMV earlier this month to determine how the data of Californians are handled," Eshoo said in the statement, referring to the sale of data to private investigators and bail bondsmen. "Outdated data protection laws need to be updated, and the practice of government agencies selling personal data must be stopped," she added.
You can view the list of commercial requesters here.
Update: This piece has been updated to include more responses from the California DMV.
Subscribe to our cybersecurity podcast, CYBER.