February 25, 2008

The black box in your car

Event Data Recorders, EDRs, have been used by car manufacturers on fleet vehicles since the 1970s to collect data about performance of airbags and other safety features in the event of a vehicle impact. Much like an aircraft "black box", current EDRs record vehicle speed, engine RPM, whether the driver's seat belt is latched, and the position of brake and accelerator pedals, as well as information about the status and deployment of the air bag.

General Motors started including black boxes on higher-end models, like Cadillacs, in 1994, and was putting them in all passenger car models by 1999. Some other makes, like Toyota and Ford, have been using them in some cars since 1996, and Ford has included event data recorders in all models since 2000. Approximately 64% of model year 2005 cars have event data recorders.

IIHS says "General Motors, Ford, Isuzu, Mazda, Mitsubishi, Subaru, and Suzuki voluntarily equip all of their vehicles with EDRs, according to NHTSA's estimates. More than half of Toyotas have the devices, too. Passenger vehicles from BMW, Daewoo, Honda, Hyundai, Kia, Mercedes, Nissan, Porsche, and Volkswagen don't have what NHTSA defines as EDRs, according to the agency's estimates of 2004 and 2005 models."

Tools are available to download Ford and GM EDR data, but only Toyota can read Toyota data recorders. One vendor provides an online list of cars with event data recorders accessible by their crash data retrieval tool. NHTSA has mandated manufacturers provide tools to download EDR data within 90 days.

The biggest privacy issue is from police or accident investigators, working on behalf of lawyers or insurers, using these tools to download data without consent from one or more vehicles involved in a crash. Police or private investigators could seek the recorded data for other types of cases, though, such as car theft or chops shop busts. It's not even hard to imagine a high-profile, high-stakes custody case where one parent is looking for evidence that their ex-partner was speeding with the kids in the car.

Recent legislation or court orders could force disclosure of EDR data even if laws give ownership of that data to vehicle owner or lessee.

Insurers Encouraged to Harvest Data

[T]he Texas-based company offers insurance carriers the ability to retrieve, harvest, and store data concerning the events of a collision and provides analysis and interpretation of the data. [...] "for use in claims adjudication".

The initial question which springs to mind is how insurers are obtaining the data in the first place. If the vehicle is repairable and the information is coming from a vehicle intended to be returned to the owner, is the insurer, body shop, or someone associated with Injury Sciences LLC extracting the information? Searching the company's website does not provide the answer, but it suggests that insurers and/or body shops are accessing the information themselves. Otherwise, the company offers "access to a network of service providers" who are equipped to harvest the data.

If insurers are mining data without disclosing that activity to the insured or the third party, they may well be engaging in unfair claims practices or violations of privacy rights under individual state law. If insurers use this data against their own insureds, that action could easily be the basis for a bad faith insurance claim and could have broader implications as well.

Event Data Recorders and privacy

  • Experts agree that EDRs are extremely impractical to disable, because they are almost always integrated into the car's existing computers. They are factory installed and are not optional features on the cars that are built with them.
  • Know if any cars you drive regularly have EDRs. Toyota, Ford and GM currently disclose the existence of the recorder in the vehicle owner's manual. NHTSA has ruled that all manufacturers will have to disclose EDRs included in their cars made after September 1, 2010.
  • Check auto insurance and car rental contracts for stipulations requiring you to give the access to an EDR, or turn over EDR data in the event of an accident, perhaps under general provisions requiring you to cooperate with your insurer.
  • Don't consent to anyone downloading data from the EDR unless advised to do so by your lawyer. In this event, keep copies of your signed consent form.
  • Assume that even if your car has no EDR, any modern car involved in an accident is likely to have one, and any collision is likely to be recorded by traffic surveillance cameras.
  • EDR data belongs to the car's owner or lessee. Until served with a court order, there is no compulsion to turn EDR data over to any investigators, insurance companies or lawyers. You might be able to contract to have the EDR data preemptively erased before any such court order is issued, if you feel that erasure would protect your rights.

February 16, 2008

The Anonymity Experiment

A Popular Science writer spends a week staying anonymous in the digital age: paying cash, dodging surveillance cameras and using disposable cellphones.