Anonymized Data Really Isn't Anonymous: Vehicle Data Can Easily Be Used To Identify You

Companies increasingly hoover up larger and larger oceans of consumer data, promising that security and privacy aren't much of a worry because data is "anonymized." But as research has shown time and time again, anonymous data isn't all that anonymous -- since it takes only a modicum of effort to either analyze the data -- or cross reference it with other data -- to ferret out personal identities. It doesn't really matter whether we're talking about NSA surveillance troves or social networking data: anonymous data just isn't anonymous.



As yet another example of this, researchers from the University of Washington and the University of California at San Diego have found that the data collected by a car's onboard computer can be surprisingly personal. In fact it's so personal, the researchers found that they could identify a driver -- from a possible list of fifteen drivers -- just by looking at data collected from the brake pedal alone:

"The research team found that 15 minutes' worth of data from the brake pedal - and only the brake pedal - could lead them to choose the right driver, out of 15 options, 90% of the time. Again, with just the brake pedal data, upping that collected data to 90 minutes' worth, allowed them to pick the correct driver 100% of the time. For a 100% hit rate with 15 minutes' worth of data, they just had to collect records from more than one car part.

By itself, especially with the fifteen person pool, this isn't really all that alarming. But as we shift toward self-driving automobiles or just highly connected vehicles, this data is going to increasingly find its way into the hands of insurance companies and others. Verizon, for example, is making a significant push toward selling a $15 per month subscription "Hum" service -- comprised of a device that plugs into the vehicle's OBD port and a Bluetooth-enabled device that is clipped to the vehicle visor. The service not only makes a dumb car smart by providing emergency and other services, it gives Verizon -- a company already awash in consumer cellular location and other behavior data -- a huge amount of additional data to ferret through and monetize.



Especially when cross-referenced with other datasets already in government or corporate collection piles, researchers warn that this opens up the door to allowing insurance companies to dictate rates based on everything from emerging medical problems to when you let your kid drive the car (warning: Wired's ad block blocker still doesn't work properly and may block all users):

"...the fingerprinting study, Enev argues, should serve as a more general warning to car owners about the sensitivity of the data that travels across their vehicles' internal networks. The same data that tells their insurance company when they've let their 16-year-old kid take their car to prom might just as easily be used to identify drunk driving or a medical condition that's altered someone's driving ability, tests Enev claims would actually be simpler than trying to distinguish a driver's identity."

Those examples are likely just the tip of the iceberg, as companies cooperate to use that data to their collective, coordinated advantage in ways we haven't even thought of yet -- while consumers are increasingly treated like criminals should they want to control or access much of this data. And given that the "internet of things" continues to have embedded security that's about as good as no security at all, it's inevitable that this collected data will increasingly find its way into the public domain.

Permalink | Comments | Email This Story