This article originally appeared on VICE US
Departments of Motor Vehicles in states around the country are taking drivers' personal information and selling it to thousands of businesses, including private investigators who spy on people for a profit, Motherboard has learned. DMVs sell the data for an array of approved purposes, such as to insurance or tow companies, but some of them have sold to more nefarious businesses as well. Multiple states have made tens of millions of dollars a year selling data.
Motherboard has obtained hundreds of pages of documents from DMVs through public records requests that lay out the practice. Members of the public may not be aware that when they provide their name, address, and in some cases other personal information to the DMV for the purposes of getting a driver's license or registering a vehicle, the DMV often then turns around and offers that information for sale.
Many of the private investigators that DMVs have sold data to explicitly advertise that they will surveil spouses to see if they're cheating.
"You need to learn what they’ve been doing, when they’ve been doing it, who they’ve been doing it with and how long it has been going on. You need to see proof with your own eyes," reads the website of Integrity Investigations, one private investigator firm that buys data from DMVs.
"Under this MOU [memorandum of understanding], the Requesting Party will be provided, via remote electronic means, information pertaining to driver licenses and vehicles, including personal information authorized to be released," one agreement between a DMV and its clients reads.
Multiple DMVs stressed to Motherboard that they do not sell the photographs from citizens' driver licenses or social security numbers.
Some of the data access is done in bulk, while other arrangements allow a company to lookup specific individuals, according to the documents. Contracts can roll for months at a time, and records can cost as little as $0.01 each, the documents add.
“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking," Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. "For survivors, their safety may depend on their ability to keep this type of information private."
The sale of this data to licensed private investigators is perfectly legal, due to the Driver's Privacy Protection Act (DPPA), a law written in the '90s before privacy became the cultural focus that it is today, but which critics believe should be changed. The process of becoming a licensed private investigator varies from state to state, and can be strict, according to multiple sources close to the industry. Some states, however, allow licensing to be granted on a local level or investigators to operate without a license.
The DPPA was created in 1994 after a private investigator, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The stalker went on to murder Schaeffer. The purpose of the law was to restrict access to DMV data, but it included a wide range of exemptions, including for the sale to private investigators.
"The DPPA is one of several federal laws that should now be updated," Marc Rotenberg, president and executive director of privacy activism group EPIC, wrote in an email. "I would certainly reduce the number of loopholes," he added, referring to how the law might be changed.
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
The data sold varies from state to state, but it typically includes a citizen's name and address. In others, it can also include their nine-digit ZIP code, date of birth, phone number, and email address.
Rob Namowicz, a private investigator from Wisconsin, told Motherboard in an email he buys DMV records "to get driver license [sic] information on subjects I may be investigating."
The Virginia DMV has sold data to 109 private investigator firms, according to a spreadsheet obtained by Motherboard. The New Jersey Motor Vehicle Commission has sold data to at least 16 private investigation firms, another spreadsheet shows. The Delaware DMV has data sharing agreements with at least a dozen investigation firms, and Wisconsin has around two dozen current agreements with such firms, other documents show.
Motherboard did not obtain records from DMVs in all states, so the number of private investigators that have been granted access to citizens' data across the country is likely higher.
The data selling is not limited to private investigators, however. The DPPA also allows the DMV to sell data of drivers to various other entities. Consumer credit reporting company Experian features heavily in the documents obtained by Motherboard, which stretch from 2014 to this year, as does research company LexisNexis. The Delaware DMV has direct access agreements with around 300 different entities, according to one spreadsheet. The Wisconsin DMV has current agreements with over 3100 entities, another shows. Local media outlets in Florida, Texas, and elsewhere have also reported on DMVs selling data to third parties.
Valerie McGilvrey, a skiptracer who uses various tools and techniques to track down vehicles that need to be repossessed, told Motherboard "with Texas having no repo license and minimum standards, convicted felons can and do access professional databases."
Motherboard also found a bail bonds company included in one of the datasets. Motherboard has reported extensively on the abuse by bail bonds firms and bounty hunters around tracking techniques such as location data.
"The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking."
DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email "Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees." Examining that document shows that Wisconsin's revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found.
Documents explicitly note that the purpose of selling this data is to bring in revenue.
"This is a revenue generating contract," one document from the Indiana Bureau of Motor Vehicles obtained by Motherboard reads.
A spokesperson from the Wisconsin DMV wrote in an email that "Wisconsin DMV directly informs customers that their information may be sold."
Some uses of the data include being able to contact owners of certain cars in case they need to be recalled. But multiple DMVs confirmed that access to such data has been abused in the past—likely by customers using the data in a way that they were not authorized to do so.
"Yes, it has been done before," Binta Cissé, communications manager at the North Carolina DMV, wrote in an email after Motherboard asked if the DMV has cut off access to data buyers after abuse.
Alexis Bakofsky, deputy communications director from the Florida Department of Highway Safety and Motor Vehicles, also said the agency had revoked access after abuse.
"Since implementing the new controls in 2017, the department has cancelled three MOUs with requesting parties for misuse," she wrote. "Additionally, while there was no indication of misuse, the department proactively cancelled two MOUs with requesting parties for failing to provide adequate internal controls."
Spokespeople from the Virginia DMV and the New Jersey Motor Vehicle Commission also confirmed those agencies have cut-off access after abuse of data. The Indiana Bureau of Motor Vehicles said it has not had to terminate contracts because of abuse.
Senator Ron Wyden, who works especially on privacy and surveillance issues, told Motherboard in a statement “News reports over the past year have repeatedly exposed the troubling abuse of Americans’ location data, by private investigators, bounty hunters, and shady individuals.”
He added that if the DMV data has been abused by private investigators, "Congress should take a close look at the Driver’s Privacy Protection Act, and, if necessary, close loopholes that are being abused to spy on Americans."
Subscribe to our new cybersecurity podcast, CYBER.