Dragon NewsBytes pointed this morning to a piece about security researcher Trevor Eckhart, who discovered that Sprint and Verizon phones are running Carrier IQ, a piece of software with the potential to track minute details of callers’ lives.

This reminds me of the conversation Dave and I were having recently about the large swathes of privacy people will surrender in exchange for the smallest remuneration. The poster child for this of course is the 2004 study on the streets of London in which researchers found that people would surrender their passwords, user names and personal details in exchange for a bar of chocolate.

Note, this was not a study on people being generally moronic with their passwords, this was a study in which people were approached on the street and asked questions like, “What is your home address?” and “What is the password for your online bank account?” and seventy percent answered the questions when promised chocolate.

I remembered this when I saw the ad for the Progressive Insurance Snapshot Discount scheme. A cold chill ran down my back as I watched the helmet-haired Progressive girl explain how easy it was to just slip this little dongle into your car’s data port and save.

To be clear, the Progressive people have stated that they won’t track GPS or personal information with it. But as with the spyware on the Verizon and Sprint phones above, the question isn’t what Progressive is stating they do, it’s the potential of what they could do that worries me.

I’m also worried that almost everyone is dumb enough – including me – to plug that sucka in, in order to save money.

The scheme works like this: plug in the device and it tracks your driving habits for 30 days based on inputs from your car’s onboard computers including speed and engine settings. Progressive says it doesn’t track whether you are speeding. After 30 days you learn what discount, if any, you’re preliminarily entitled to and you keep the gizmo on board for six months before getting the final quote. They promise your rate won’t go up, it can only go down.

Sounds nice.

Some notes on car hacking
As we wrote in the public introduction to an official-use-only briefing in early 2010:

“Attacks against vehicle-borne computers, components and networks have been under research for several years. Accelerated competition in the attack research and commercial exploit market; the successful demonstration of remotely exploitable automotive computing vulnerabilities; readily available free and low-cost exploitation platforms; an active hobbyist sub-culture; clear financial incentives; and media attention to the security of automotive computers will lead to targeted, in-the-wild attacks in the next 12 to 18 months. Mitigation is problematic and expensive. New business models necessitating greater wireless Internet connectivity of vehicular computers, such as pay-per-service, and expanded Bluetooth and WiFi connectivity, will rise in the coming years, exacerbating these problems.”

Were we aggressive in the timeline? Yes and no; in 2010, our law enforcement report was based heavily on work by researchers from the University of Washington and UCSD, who released a paper describing just how vulnerable these systems were. They created a tool, CarShark, to inject packets into and monitor vehicular computer networks, and found, among other things, that they could influence speed and braking. Read it; it’s a grabber.

Another grabber? In May of 2011, Kevin Finisterre of the security research firm Digital Munition wrote a report called Owning A Cop Car, which you should also read. We’ve covered this issue before in PLI, but we’re concerned here not so much with what the Progressive plug does as with what it can do – and what that means for security and privacy.

Things Your Car Knows About You
Like supermarket loyalty programs, which know everything about what you buy, your car stores in its computer systems even more personal information about what you do. (In March 2010 I wrote about the first time I know of when the government used loyalty-program data to contact consumers of a certain type of tainted food, and wondered whether the public’s reaction would have been nearly as grateful had it been the FBI, not the CDC, doing the outreach.)

For those in law enforcement reading this blog, it’s no news that 30 days is enough time to observe multiple illegal activities. For anyone, it’s obvious that 30 days is, in Dave’s words, “Long enough to get the full picture of their routine activity.”

Your car’s computers know, for example, when you’re weaving. So are you drunk? Or are you just texting? And is texting illegal in your state?

As a patrol officer I know that the complexities of the transportation code make it difficult for most people to drive from work to home – a trip of about 30 minutes – without breaking some traffic rule.

Can you be good for 30 days?

If you have a built-in GPS – as many new cars do – your car’s computers also know, despite protestations from Progressive, exactly where you are, and when you are there. They know where you live of course, but they also now know where you spend your days. It is no large leap then to infer that if we know where you live and work, we know other places you go.

Of course, thanks to Google Maps, Street View, Internet lookups and other data sources, your car’s data can rather quickly be mined to see where you spend your time. Is it at a business? Like a liquor store, or an adult book shop, or a strip club, or a gay bar, or a straight bar? Do you go to the drive-through tobacco store, the Cig Shack, every day? Or to a medical marijuana facility? We’re certainly not making judgments about any of these activities, but insurance companies are in the business of making judgments about the impact of your choices and decisions on their bottom line.

Maybe you regularly visit a professional services location – like a doctor’s office, or a specialist whose specialty could imply, for example, that you’re getting dialysis or AIDS medication, or psychiatric help.

Or maybe you spend a couple nights a week at a church or community center. Are you in AA? NA? OA? Or are you just religious?

Most important, since all this data is in there, and since insurance companies have historically been simply miles – leap years – ahead of everyone in terms of their mining of actuarial data, and since insurance companies typically share data amongst themselves, here’s my question: Do you really want Progressive, or any insurer for that matter, asking the kinds of questions I just did? Or making the same inferences?

I certainly don’t.

I’ll say again, the Snapshot privacy policy offered by Progressive is actually quite good. A couple of things raise my eyebrows a little:

Will Progressive share Snapshot data with anyone else?

We won’t share Snapshot data with a third party unless it’s required to service your insurance policy, prevent fraud, perform research or comply with the law. We also won’t use Snapshot data to resolve a claim unless you or the registered vehicle owner gives us permission.

That’s interesting on a couple of fronts. First, I’m not sure what is involved in “servicing my policy,” but I know it’s broader than I might think. Second, that they will only use the data with my permission means it’s already being harvested and analyzed in a manner that makes it directly attributable to me. The company states later that they retain such data for a period based on your state’s retention requirements, after which time they strip your personally identifiable information from it and keep it in the aggregate – this supports my inference that they keep and attribute more data than they claim to use for the purposes of the program. For the record, they claim:

The Snapshot device collects:

  • Time of day and vehicle speed, which helps determine how many miles you drive and how often you make sudden stops.
  • When the device is connected and disconnected from the vehicle.
  • Vehicle Identification Number (VIN).

The Snapshot device doesn’t contain GPS technology or track vehicle location. It also doesn’t track whether you’re exceeding the speed limit.

Interesting, there, that they state that the Snapshot device does not contain GPS technology. Correct – it doesn’t need to: your car has all that, and it will sing like a canary to anyone who asks for the data. And that it doesn’t “track” whether you’re exceeding the speed limit is not the same as it doesn’t “know” when you’re exceeding the speed limit – that is easily calculable by correlating speed and location information.
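To make the retention point concrete, here is an added illustration (my own, not anything from the post, from Progressive or from the Snapshot program) of how much routine falls out of a feed that carries nothing but time of day and vehicle speed, which is what the device is said to collect. The feed is constructed: 30-second samples, three weekdays of commutes and one late-night drive. The trip-splitting heuristic (a five-minute gap in reporting), the hard-braking threshold (1 mph per second between samples) and every function name are assumptions of this example. The `profile` function shows what an analyst holding the attributable data can read off; the `aggregate` function shows what survives once the timestamps are stripped, as the retention policy describes.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample feed (not real Snapshot data): (timestamp, speed_mph) pairs,
# one sample every 30 seconds, no location at all, modelled on what the device is
# said to collect. Three weekdays of commutes plus one late-night trip.
def _make_trip(start, speeds, step=timedelta(seconds=30)):
    return [(start + i * step, mph) for i, mph in enumerate(speeds)]

COMMUTE = [0, 20, 35, 45, 45, 45, 30, 10, 0]      # gentle 4-minute drive
LATE_NIGHT = [0, 40, 55, 55, 5, 0, 30, 30, 0]     # 55 -> 5 mph in 30 s: a sudden stop

SAMPLE_FEED = []
for day in range(3):                                # 2011-12-05 is a Monday
    base = datetime(2011, 12, 5) + timedelta(days=day)
    SAMPLE_FEED += _make_trip(base.replace(hour=7, minute=50), COMMUTE)
    SAMPLE_FEED += _make_trip(base.replace(hour=17, minute=35), COMMUTE)
SAMPLE_FEED += _make_trip(datetime(2011, 12, 7, 1, 10), LATE_NIGHT)


def segment_trips(feed, gap=timedelta(minutes=5)):
    """Split the feed into trips wherever the device went silent for longer
    than `gap` (assumption: it only reports while the ignition is on)."""
    trips, current = [], []
    for ts, mph in sorted(feed):
        if current and ts - current[-1][0] > gap:
            trips.append(current)
            current = []
        current.append((ts, mph))
    if current:
        trips.append(current)
    return trips


def trip_miles(trip):
    """Distance from speed alone: trapezoidal integration of mph over hours."""
    miles = 0.0
    for (t0, v0), (t1, v1) in zip(trip, trip[1:]):
        miles += (v0 + v1) / 2 * (t1 - t0).total_seconds() / 3600
    return miles


def hard_brakes(trip, threshold=1.0):
    """Count decelerations steeper than `threshold` mph per second between
    consecutive samples (the threshold is an assumption, not Progressive's)."""
    count = 0
    for (t0, v0), (t1, v1) in zip(trip, trip[1:]):
        seconds = (t1 - t0).total_seconds()
        if seconds > 0 and (v0 - v1) / seconds > threshold:
            count += 1
    return count


def profile(feed):
    """Everything an analyst could read off a time-and-speed-only feed:
    when you leave, how regularly, and which trips break the pattern."""
    trips = segment_trips(feed)
    departures = Counter(trip[0][0].hour for trip in trips)
    routine = sorted(hour for hour, n in departures.items() if n >= 2)
    return {
        "trips": len(trips),
        "departure_hours": dict(departures),
        "routine_hours": routine,                      # the daily pattern
        "off_routine_departures": [trip[0][0] for trip in trips
                                   if trip[0][0].hour not in routine],
        "hard_brakes_by_trip": [hard_brakes(trip) for trip in trips],
        "miles": round(sum(trip_miles(trip) for trip in trips), 2),
    }


def aggregate(feed):
    """The de-identified totals a retention policy might keep: the facts a
    rating model needs, with the timestamps (and so the routine) stripped."""
    trips = segment_trips(feed)
    return {
        "trips": len(trips),
        "miles": round(sum(trip_miles(trip) for trip in trips), 2),
        "hard_brakes": sum(hard_brakes(trip) for trip in trips),
    }


if __name__ == "__main__":
    for key, value in profile(SAMPLE_FEED).items():
        print(f"{key}: {value}")
    print("aggregate only:", aggregate(SAMPLE_FEED))
```

Run as-is, the profile reports departures clustered at 07:00 and 17:00 on every day, one off-routine departure at 01:10 on a Wednesday, and the hard stop on that same trip, all without a single location fix; the aggregate keeps only the trip count, mileage and braking count, which is the difference between data that can be attributed to a person’s habits and data that cannot.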

Speaking of terms, I like the one about where they will release data to “comply with the law”. Does this mean that I might subpoena Progressive to obtain information on one of its customers? Pa-POW! Now that’s progressive. What a bounteous harvest might await.

Remember, I am speaking here of capability, not behavior, and I don’t accuse Progressive of doing any of these things I state they’re capable of. I’m merely pointing out some technical facts. But the capabilities I describe are not just within the bounds of possible, they’re downright child’s play.

In my opinion, this may be one of those times when the cost may greatly exceed any discount you might get.