Experts Say Law Should Change to Stop DMVs From Selling Your Personal Data

On Friday, Motherboard reported that Departments of Motor Vehicles across the country are making tens of millions of dollars selling drivers' personal information, including to private investigators who spy on people for a profit. The investigation, based on hundreds of pages of documents from DMVs obtained through public records requests, also showed that access to DMV data, which includes names, addresses, and other personal information, has been abused.

Now, Senators and digital privacy experts have criticized the practice.

“This is just another example of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized," Senator Mark Warner told Motherboard in a statement.

"The standard talking point that consumers ‘don’t care about privacy’ has been increasingly disproven, as we learn that consumers and policymakers have been kept in the dark for years about data collection and commercialization practices," he added.

Motherboard's story found that the Virginia DMV has sold data to 109 private investigator firms, and other DMVs have sold to a dozen or more. Wisconsin has data agreements with some 3100 different entities overall, and made $17,140,914 from selling driver data in 2018.

The sale of this data is legal under the Driver's Privacy Protection Act (DPPA), a law passed in the '90s. The DPPA was created after a private investigator, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The DPPA was supposed to tighten-up the sale of DMV data, but came bundled a list of exemptions, including private investigators.

"I certainly think that DPPA is riddled with loopholes that need to be closed," Lee Tien, senior staff attorney at activist group the Electronic Frontier Foundation (EFF), wrote in an email. "In this day and age, unfortunately, government entities don't resist the lure of selling Americans' personal information for private exploitation. This problem will only get worse as cities, trying to be 'smart,' collect more information about what we do and where we go," he added.

Senator Ron Wyden previously told Motherboard "News reports over the past year have repeatedly exposed the troubling abuse of Americans’ location data, by private investigators, bounty hunters, and shady individuals." If the DMV data has been abused by private investigators, he said, "Congress should take a close look at the Driver’s Privacy Protection Act, and, if necessary, close loopholes that are being abused to spy on Americans."

When asked whether it informs drivers that their data may be sold, a spokesperson from the Wisconsin DMV wrote in an email "Wisconsin DMV directly informs customers that their information may be sold." It appears unlikely that the general public understands that data they are legally obligated to provide to the DMV to obtain a license or register a vehicle is being offered for sale.

"While what the DMV are doing is technically legal due to their exemptions, it belies a deeper problem that motorists are under ever increasing levels of surveillance and having their data exploited," Christopher Weatherhead, technologist at activist group Privacy International, wrote in an email. "The car is a critical tool in the ability of individuals to have personal autonomy and individuals should be able to go about their livelihoods without the registration authority distributing their private information to third party without consent. It's problematic that vast amounts of data on individuals are being shared in this way, which could be misused in malicious ways against vehicle owners."

Subscribe to our new cybersecurity podcast, CYBER.