Don’t believe the hype. Insurance companies wanting information about what you do in your car say that they can’t use it to track your location. But a team of computer engineers at Rutgers University in Piscataway, N.J., have shown that to be untrue. The engineers say they’ve figured out how to create a fairly accurate map of where a car has traveled based solely on where it started and a stream of data indicating how fast it has gone—no GPS or cellular triangulation is necessary.
You’ve probably seen the commercial: A woman dressed in white informs a pair of drivers that they can dramatically lower their auto insurance premiums by letting the company she represents gauge their driving habits. Safe drivers, we learn—well, not in the commercial itself, but in a quick read of the insurance company’s website—get a break on the cost of insuring their vehicles when they install a device that gives the insurance company access to the car’s onboard diagnostic (OBD-II) port. A wide array of information about a car’s performance, including speed, acceleration/deceleration, and engine rpm can be gleaned from there. This presents some obvious privacy concerns. After all, who would want to turn over access to a blizzard of information that could easily be used to track their movements anytime they hit the road or give the insurer ammunition it can use to deny a claim?
Insurers insist that because their only interest is in creating a “snapshot” that indicates how safely a person drives, they record only the car’s speed and the time of day. The company’s ostensible rationale: drivers who peel out with tires screeching or frequently slam on the brakes are more likely to get into accidents. But the Rutgers team says they have used speed data to reveal, to within a half kilometer or less, a car’s driving path.
So how can they tell whether you went left or right based on how far down you pressed the accelerator pedal? As Janne Lindqvist, the assistant professor who led the team, explained in a press release:
The technique, dubbed “elastic pathing,” predicts pathways by seeing how speed patterns match street layouts. Take, for example, a person whose home is at the end of a cul-de-sac a quarter mile from an intersection. The driver’s speed data would show a minute of driving at up to 30 miles per hour to reach that intersection. Then if a left turn leads the driver to a boulevard or expressway but a right turn leads to a narrow road with frequent traffic lights or stop signs, you could deduce which way the driver turned if the next batch of speed data showed a long stretch of fast driving or a slow stretch of stop-and-go driving. By repeatedly matching speed patterns with the most likely road patterns, the route and destination can be approximated.
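The cul-de-sac example above, reduced to a toy as an added illustration (not code from the article or from the Rutgers team, and a much simpler scoring than their elastic pathing). The road network, speed limits and both speed traces are constructed and the function names are hypothetical; it shows why a speed-only log plus a known start point should be handled as location data.

```python
# Constructed toy road network: (from, to) -> (length in metres, speed limit in m/s).
ROADS = {
    ("home", "junction"): (400, 13),            # cul-de-sac street, about 30 mph
    ("junction", "boulevard_end"): (2000, 25),  # left turn: fast boulevard
    ("junction", "side_1"): (300, 11),          # right turn: stop sign every 300 m
    ("side_1", "side_2"): (300, 11),
    ("side_2", "side_3"): (300, 11),
}

def candidate_paths(start, distance):
    """Yield every path from start that covers `distance` metres or dead-ends."""
    stack = [([start], 0)]
    while stack:
        path, length = stack.pop()
        exits = [(b, l) for (a, b), (l, _) in ROADS.items() if a == path[-1]]
        if length >= distance or not exits:
            yield path
        else:
            stack.extend((path + [b], length + l) for b, l in exits)

def mismatch(path, speeds, dt=1.0):
    """Heuristic penalty (assumed scoring) for how badly a speed trace fits a path."""
    bounds, limits = [0], []   # distance of each intersection, limit per segment
    for edge in zip(path, path[1:]):
        length, limit = ROADS[edge]
        bounds.append(bounds[-1] + length)
        limits.append(limit)
    penalty, pos = 0.0, 0.0
    for v in speeds:
        pos += v * dt          # integrate speed to get distance travelled
        seg = next((i for i, end in enumerate(bounds[1:]) if pos <= end), None)
        if seg is None:
            penalty += v * dt                  # drove past the end of this path
            continue
        penalty += max(0.0, v - limits[seg])   # faster than this road allows
        if v < 1.0:                            # stopped: distance to nearest intersection
            penalty += min(abs(pos - b) for b in bounds)
    return penalty

def infer_path(start, speeds, dt=1.0):
    """Return the candidate path that best explains the speed trace."""
    distance = sum(speeds) * dt
    return min(candidate_paths(start, distance), key=lambda p: mismatch(p, speeds, dt))

# Constructed 1 Hz speed traces (m/s); neither contains any location data.
FAST = [10] * 40 + [24] * 60
STOP_AND_GO = [10] * 40 + [0] * 3 + ([10] * 30 + [0] * 3) * 3

if __name__ == "__main__":
    print(infer_path("home", FAST))
    print(infer_path("home", STOP_AND_GO))
```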
Transmitting speed information over wireless networks or storing it on the insurance companies’ internal computer networks presents privacy risks for the driver beyond what the insurer might do, says Lindqvist. One possible scenario is the police getting a warrant demanding that a company turn over this information and using it to generate a picture of where a person went on some random day in the past.
“I’m not saying that insurance companies should not monitor speeds like this,” insists Lindqvist, lead author of a paper detailing the research that will be presented next month at the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing, in Seattle. “I’m just saying that they should not imply that their speed data collection is privacy preserving.”
What’s even more frightening? “In time, we expect improvements will be made to our initial approach,” says Lindqvist. “The data, once collected, do not go away, and improvements may make it possible to plumb more private information.”
Willie Jones is an associate editor at IEEE Spectrum. In addition to editing and planning daily coverage, he manages several of Spectrum's newsletters and contributes regularly to the monthly Big Picture section that appears in the print edition.