Usage-based auto insurance found to pose privacy risks
Even the non-tracking driving habits data collected by insurers can reveal a lot, researchers say
Computerworld - Pay-as-you-drive insurance plans, where premiums are based on an individual's actual driving habits, pose a potential privacy risk for motorists, a recent study has found.
The study, conducted by researchers at the University of Denver, Colorado, found that driving habits data such as speed, time of travel, number of miles driven, braking and acceleration data could paint a surprisingly detailed picture of an individual's movement in a specific time period.
Insurance companies often like touting the fact that no location data is collected under usage-based insurance plans. But that only creates a false sense of privacy among users of such insurance plans, the researchers noted in their study, titled "Inferring Trip Destinations From Driving Habits Data."
"Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk," the research paper said.
With pay-as-you-drive plans, insurance companies typically require drivers to plug a small telematics device into the vehicle's on-board diagnostic port. The device monitors the vehicle operator's driving behavior and records data like speed, cornering and braking patterns over a specified time period.
The information is used to adjust insurance rates and to offer more customized plans for individual drivers. Insurance companies claim that such plans can help substantially lower auto insurance rates, especially for safe and low-mileage drivers.
Several major insurance companies, including Progressive, State Farm, National General and Esurance, currently offer such plans. The National Association of Insurance Commissioners predicts that 20% of all vehicle insurance in the U.S. will incorporate some form of usage-based insurance within five years.
Vehicle telematics-based insurance programs offer many advantages for consumers and insurance companies. But they come with hidden risks, said Rinku Dewri, one of the authors of the study and assistant professor of the department of computer science at the University of Denver.
While insurance companies may not collect any actual tracking data, a lot can be inferred from the data that is collected, Dewri said. "Our work started with the hypothesis that non-tracking driving habits data can potentially be used for tracking," Dewri said.
Using just speed and distance data, the researchers attempted to find out if they could correctly identify the destinations of the trips during which data was collected. As part of the effort, the researchers extracted "quasi-identifying" information such as traffic stops, driving speed and the number of turns made by the driver during the trip. They then matched that data with publicly available map information to see if they could identify the destination.
"Assuming that we know where the trip started, our algorithm consults a road map to identify all those routes that have intersections at least at those distances from the start point of the trip where the driver made a stop or a turn," Dewri said. "In some cases, we found 10 candidate routes; in others, we found more than 150 candidates."
The researchers applied a ranking method to the routes to predict the top destinations for the trip. "We observed that in 60% of the cases, our algorithm placed the true destination in the top three possibilities," Dewri said. Even when the number of potential routes was large, the destinations often tended to end up within a small geographic area.
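The candidate-route matching described above can be illustrated on a toy map. The following is an added example, not the researchers' code: the road graph, distances and tolerance are constructed, destinations are assumed to sit at intersections, and ranking by route count is a simple stand-in for the paper's ranking method, which the article does not describe.

```python
from collections import Counter

# Constructed toy road map: intersection -> {neighbour: segment length in metres}.
ROADS = {
    "A": {"B": 400, "C": 300},
    "B": {"A": 400, "D": 500, "E": 300},
    "C": {"A": 300, "E": 400, "F": 600},
    "D": {"B": 500, "G": 200},
    "E": {"B": 300, "C": 400, "G": 400, "H": 500},
    "F": {"C": 600, "H": 300},
    "G": {"D": 200, "E": 400},
    "H": {"E": 500, "F": 300},
}

def candidate_routes(roads, start, events, total, tol=25):
    """Enumerate simple routes from `start` of length `total` (+/- tol) that
    have an intersection at every event distance (stop or turn), +/- tol."""
    found = []

    def walk(path, dist, marks):
        if abs(dist - total) <= tol:
            # Every observed stop/turn must line up with some intersection.
            if all(any(abs(e - m) <= tol for m in marks) for e in events):
                found.append(list(path))
        if dist >= total + tol:
            return  # already longer than the recorded trip
        for nxt, length in roads[path[-1]].items():
            if nxt not in path:
                walk(path + [nxt], dist + length, marks + [dist + length])

    walk([start], 0, [])
    return found

def rank_destinations(routes):
    """Order destinations by how many candidate routes end there
    (assumption: a stand-in for the study's ranking method)."""
    return Counter(r[-1] for r in routes).most_common()

if __name__ == "__main__":
    # Trip of 1100 m from A: distance alone leaves four routes, while two
    # stop/turn distances leave a single route and destination.
    print(rank_destinations(candidate_routes(ROADS, "A", [], 1100)))
    print(candidate_routes(ROADS, "A", [300, 700], 1100))
```

Even with no location fields in the record, each additional stop or turn distance removes candidate routes, which is why distance-stamped driving events act as quasi-identifiers.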
The study highlights the issue of unwanted disclosures, where consumers unknowingly reveal something they do not want to with data they are willing to reveal, Dewri said. "Unfortunately, there is no theory that will immediately tell what may get disclosed, or inferred, from the data we share."
The best way that consumers can protect themselves against privacy risks associated with usage-based insurance is to demand more transparency from their insurance companies, he noted.
"Programs using these devices should make the consumer aware of the potential risks, even if these programs are themselves not involved in making secondary inferences," Dewri said. "The clearer we are on how the data is used, the better methods we can design that will retain the utility of the data, without making it prone to unwanted inferences."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.