Class-Action Lawsuit Targets Company that Harvests Location Data from 50 Million Cars

A new class-action lawsuit filed in California targets Otonomo, a data broker that harvests location data from tens of millions of vehicles around the world and then sells access to that information.

Otonomo says it has systems in place that protect peoples’ privacy. But in June last year, Motherboard published an investigation based on a set of Otonomo data and used the information to find where people likely lived, worked, and where else they drove. At the time, experts said that Otonomo could face legal consequences because of how it handles consent and its data. The new lawsuit focuses specifically on those issues.

“Defendant Otonomo Inc. is a data broker that secretly collects and sells real-time GPS location information from more than 50 million cars throughout the world, including from tens of thousands in California. This data allows Otonomo—and its paying clients—to easily pinpoint consumers’ precise locations at all times of day and gain specific insight about where they live, work, and worship, and who they associate with,” the lawsuit, filed by lawyers from Edelson PC, reads. Courthouse News first reported on the lawsuit.

The plaintiff in the case is Saman Mollaei, a citizen of California. The lawsuit does not explain how it came to the conclusion that Otonomo is tracking tens of thousands of people in California. Otonomo originally started in Israel and has an office in California.

Mollaei drives a 2020 BMW X3, and when the vehicle was delivered to him, it contained an electronic device that allowed Otonomo to track its real-time location, according to the lawsuit. Importantly, the lawsuit alleges that Mollaei did not provide consent for this tracking, adding that “At no time did Otonomo receive—or even seek—Plaintiff's consent to track his vehicle’s locations or movements using an electronic tracking device.”

More broadly, the lawsuit claims that Otonomo “never requests (or receives) consent from drivers before tracking them and selling their highly private and valuable GPS location information to its clients.” The lawsuit says that because Otonomo is “secretly” tracking vehicle locations, it has violated the California Invasion of Privacy Act (CIPA), which bans the use of an “electronic tracking device to determine the location or movement of a person” without consent.

As Motherboard previously reported, Otonomo has agreements with some car manufacturers to source location data from their vehicles. A February 2021 Otonomo presentation says that the company has partnerships with 16 OEMs with a total of over 40 million vehicles, and that Otonomo collects 4.3 billion data points a day. The company also sources data from navigation apps and satnavs which are used as a proxy for a vehicle’s location, given that they typically are placed inside a car. These are known as telemetry service providers (TSPs).

In turn, Otonomo sells its collected data. The presentation says that “thousands of organizations” have access to Otonomo’s data.

A source who works in a company that uses car location data previously told Motherboard that such data is “relatively easy to deanonymize.”

“I don't believe there's truly a way to anonymize this data, without completely modifying it and losing its value,” they added.

Motherboard previously obtained a spread of 10,000 location points from Otonomo through a feature on the company’s website that provided access to large samples of the information for free. A researcher independently collected data from Otonomo themselves as well, and provided Otonomo location data from California and Berlin to Motherboard. Among other things the data included a unique identifier Otonomo assigned to the device and its GPS coordinates. This allowed Motherboard to follow specific vehicles over time, and discover where the owners likely slept. 

Otonomo told Motherboard at the time that the freely available data was from TSPs and not OEMs. After Motherboard obtained the data, Otonomo made a change to its website meaning users had to request the data from Otonomo itself rather than the information being freely available to download.

Otonomo did not respond to a request for comment on the class action lawsuit.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.