July 25, 2024

Kenn Dahl says he has always been a careful driver. The owner of a software company near Seattle, he drives a leased Chevrolet Bolt. He’s never been responsible for an accident.

So Mr. Dahl, 65, was surprised in 2022 when the cost of his car insurance jumped by 21 percent. Quotes from other insurance companies were also high. One insurance agent told him his LexisNexis report was a factor.

LexisNexis is a New York-based global data broker with a “Risk Solutions” division that caters to the auto insurance industry and has traditionally kept tabs on car accidents and tickets. Upon Mr. Dahl’s request, LexisNexis sent him a 258-page “consumer disclosure report,” which it must provide per the Fair Credit Reporting Act.

What it contained stunned him: more than 130 pages detailing each time he or his wife had driven the Bolt over the previous six months. It included the dates of 640 trips, their start and end times, the distance driven and an accounting of any speeding, hard braking or sharp accelerations. The only thing it didn’t have is where they had driven the car.

On a Thursday morning in June, for example, the car had been driven 7.33 miles in 18 minutes; there had been two rapid accelerations and two incidents of hard braking.

According to the report, the trip details had been provided by General Motors — the manufacturer of the Chevy Bolt. LexisNexis analyzed that driving data to create a risk score “for insurers to use as one factor of many to create more personalized insurance coverage,” according to a LexisNexis spokesman, Dean Carney. Eight insurance companies had requested information about Mr. Dahl from LexisNexis over the previous month.

“It felt like a betrayal,” Mr. Dahl said. “They’re taking information that I didn’t realize was going to be shared and screwing with our insurance.”

In recent years, insurance companies have offered incentives to people who install dongles in their cars or download smartphone apps that monitor their driving, including how much they drive, how fast they take corners, how hard they hit the brakes and whether they speed. But “drivers are historically reluctant to participate in these programs,” as Ford Motor put it in a patent application that describes what is happening instead: Car companies are collecting information directly from internet-connected vehicles for use by the insurance industry.

Sometimes this is happening with a driver’s awareness and consent. Car companies have established relationships with insurance companies, so that if drivers want to sign up for what’s called usage-based insurance — where rates are set based on monitoring of their driving habits — it’s easy to collect that data wirelessly from their cars.

But in other instances, something much sneakier has happened. Modern cars are internet-enabled, allowing access to services like navigation, roadside assistance and car apps that drivers can connect to their vehicles to locate them or unlock them remotely. In recent years, automakers, including G.M., Honda, Kia and Hyundai, have started offering optional features in their connected-car apps that rate people’s driving. Some drivers may not realize that, if they turn on these features, the car companies then give information about how they drive to data brokers like LexisNexis.

Automakers and data brokers that have partnered to collect detailed driving data from millions of Americans say they have drivers’ permission to do so. But the existence of these partnerships is nearly invisible to drivers, whose consent is obtained in fine print and murky privacy policies that few read.

Especially troubling is that some drivers with vehicles made by G.M. say they were tracked even when they did not turn on the feature — called OnStar Smart Driver — and that their insurance rates went up as a result.

“GM’s OnStar Smart Driver service is optional to customers,” a G.M. spokeswoman, Malorie Lucich, said. “Customer benefits include learning more about their safe driving behaviors or vehicle performance that, with their consent, may be used to obtain insurance quotes. Customers can also unenroll from Smart Driver at any time.”

Even for those who opt in, the risks are far from clear. I have a G.M. car, a Chevrolet. I went through the enrollment process for Smart Driver; there was no warning or prominent disclosure that any third party would get access to my driving data.

“I am surprised,” said Frank Pasquale, a law professor at Cornell University. “Because it’s not within the reasonable expectation of the average consumer, it should certainly be an industry practice to prominently disclose that is happening.”

Policymakers have expressed concern about the collection of sensitive information from consumers’ cars. California’s privacy regulator is currently investigating automakers’ data collection practices. Last month, Senator Edward Markey of Massachusetts also urged the Federal Trade Commission to investigate.

“The ‘internet of things’ is really intruding into the lives of all Americans,” Senator Markey said in an interview. “If there is now a collusion between automakers and insurance companies using data collected from an unknowing car owner that then raises their insurance rates, that’s, from my perspective, a potential per se violation of Section 5 of the Federal Trade Commission Act.”

That is the federal law that prohibits unfair and deceptive business practices that harm consumers.

Mr. Dahl shared his experience on an online forum for Chevy Bolt enthusiasts, on a thread where other people expressed shock to find that LexisNexis had their driving data. Warnings about the tracking are scattered across online discussion boards dedicated to vehicles manufactured by G.M. — including Corvettes, a sports car designed for racking up “acceleration events.” (One driver lamented having data collected during a “track day,” while testing out the Corvette’s limits on a professional racetrack.)

Numerous people on the forums complained about spiking premiums as a result. A Cadillac driver in Palm Beach County, Fla., who asked not to be named because he is considering a lawsuit against G.M., said he was denied auto insurance by seven companies in December. When he asked an agent why, she advised him to pull his LexisNexis report. He discovered six months of his driving activity, including many instances of hard braking and hard accelerating, as well as some speeding.

“I don’t know the definition of hard brake. My passenger’s head isn’t hitting the dash,” he said. “Same with acceleration. I’m not peeling out. I’m not sure how the car defines that. I don’t feel I’m driving aggressively or dangerously.”

When he finally obtained car insurance, through a private broker, it was double what he had previously been paying.

The Cadillac owner, Mr. Dahl and the drivers on the forums had all been enrolled in OnStar Smart Driver. OnStar is G.M.’s Internet-connected service for its cars and Smart Driver is a free, gamified feature within G.M.’s connected car apps (all part of OnStar, but branded MyChevrolet, MyBuick, MyGMC and MyCadillac).

Smart Driver can “help you become a better driver,” according to a corporate website, by tracking and rating seatbelt use and driving habits. In a recent promotional campaign, an Instagram influencer used Smart Driver in a competition with her husband to find out who could collect the most digital badges, such as “brake genius” and “limit hero.”

In response to questions from The New York Times, G.M. confirmed that it shares “select insights” about hard braking, hard accelerating, speeding over 80 miles an hour and drive time of Smart Driver enrollees with LexisNexis and another data broker that works with the insurance industry called Verisk.

Customers turn on Smart Driver, said Ms. Lucich, the G.M. spokeswoman, “at the time of purchase or through their vehicle mobile app.” It is possible that G.M. drivers who insisted they didn’t opt in were unknowingly signed up at the dealership, where salespeople can receive bonuses for successful enrollment of customers in OnStar services, including Smart Driver, according to a company manual.

The Cadillac owner in Florida said he had not heard of Smart Driver and never noticed it in the MyCadillac app. He reviewed the paperwork he signed at the dealership when he bought his Cadillac in the fall of 2021 and found no mention of signing up for it.

“When a customer accepts the user terms and privacy statement (which are separately reviewed in the enrollment flow), they consent to sharing their data with third parties,” Ms. Lucich wrote in an email, pointing to OnStar’s privacy statement.

But that statement’s section on “third-party business relationships” does not mention Smart Driver. It names SiriusXM as a company G.M. might share data with, not LexisNexis Risk Solutions, which G.M. has partnered with since 2019.

A driver who was surprised to discover that he was enrolled in Smart Driver posted a screenshot of his low score to an online forum for Corvette drivers in 2022. Credit…The New York Times

Jen Caltrider, a researcher at Mozilla who reviewed the privacy policies for more than 25 car brands last year, said that drivers have little idea about what they are consenting to when it comes to data collection. She said it is “impossible for consumers to try and understand” the legalese-filled policies for car companies, their connected services and their apps. She called cars “a privacy nightmare.”

“The car companies are really good at trying to link these features to safety and say they are all about safety,” Ms. Caltrider said. “They’re about making money.”

Neither the car companies nor the data brokers deny that they are engaged in this practice, though automakers say the main purpose of their driver feedback programs is to help people develop safer driving habits.

After LexisNexis and Verisk get data from consumers’ cars, they sell information about how people are driving to insurance companies. To access it, the insurance companies must get consent from the drivers — say, when they go out shopping for car insurance and sign off on boilerplate language that gives insurance companies the right to pull third-party reports. (Insurance companies commonly ask for access to a consumer’s credit or risk reports, though they are barred from doing so in California, Massachusetts, Michigan and Hawaii.)

An employee familiar with G.M.’s Smart Driver said the company’s annual revenue from the program is in the low millions of dollars.

LexisNexis Risk Solutions, which retains consumers’ driving data for six months, has “strict privacy and security policies designed to ensure that data is not accessed or used impermissibly,” the company said in a statement.

Verisk provides insurers with trip data and a risk score “approved by insurance regulators in 46 states and the District of Columbia,” said a spokeswoman, Amy Ebenstein. Automakers that Verisk gets data from “provide their customers notice and obtain appropriate consents,” she said.

Some drivers who had Smart Driver turned on, though, said they did not even realize they were enrolled until they saw warnings on online forums and then checked their app. They quickly unenrolled themselves by turning off Smart Driver in their car app.

Omri Ben-Shahar, a law professor at the University of Chicago, said he was in favor of usage-based insurance — where insurers monitor mileage and driving habits to determine premiums — because people who are knowingly monitored are better drivers. “People drive differently,” he said. “The impact on safety is enormous.”

But he was troubled, he said, by “stealth enrollment” in programs with “surprising and potentially injurious” data collection. There is no public safety benefit if people don’t know that how they drive will affect how much they pay for insurance.

General Motors is not the only automaker sharing driving behavior. Kia, Subaru and Mitsubishi also contribute to the LexisNexis “Telematics Exchange,” a “portal for sharing consumer-approved connected car data with insurers.” As of 2022, the exchange, according to a LexisNexis news release, has “real-world driving behavior” collected “from over 10 million vehicles.”

Verisk also claims to have access to data from millions of vehicles and partnerships with major automakers, including Ford, Honda and Hyundai.

Two of these automakers said they were not sharing data or only limited data. Subaru shares odometer data with LexisNexis for Subaru customers who turn on Starlink and authorize that data be shared “when shopping for auto insurance,” said a spokesman, Dominick Infante.

Ford “does not transmit any connected vehicle data to either partner,” said a spokesman, Alan Hall, but partnered with them “to explore ways to support customers” who want to take part in usage-based insurance programs. Ford will share driving behavior from a car directly with an insurance company, he said, when a customer gives explicit consent via an in-vehicle touch screen.

The other automakers all have optional driver-coaching features in their apps — Kia, Mitsubishi and Hyundai have “Driving Score,” while Honda and Acura have “Driver Feedback” — that, when turned on, collect information about people’s mileage, speed, braking and acceleration that is then shared with LexisNexis or Verisk, the companies said in response to questions from The New York Times.

Honda says driver data will not be shared without consent, but the user needs to read through a 2,000-word “terms and conditions” screen to see that the company is sharing data with Verisk. Credit…Honda

But that would not be evident or obvious to drivers using these features. In fact, before a Honda owner activates Driver Feedback, a screen titled “Respect for your Privacy” assures drivers that “your data will never be shared without your consent.” But it is shared — with Verisk, a fact disclosed in a more than 2,000-word “terms and conditions” screen that a driver needs to click “accept” on. (Kia, by contrast, does highlight its relationship with LexisNexis Risk Solutions on its website, and a spokesman said LexisNexis can’t share driving score data of Kia participants with insurers without additional consent.)

Drivers who have realized what is happening are not happy. The Palm Beach Cadillac owner said he would never buy another car from G.M. He is planning to sell his Cadillac.

How to Find Out What Your Car Is Doing

  • See the data your car is capable of collecting with this tool: https://vehicleprivacyreport.com/.

  • Check your connected car app, if you use one, to see if you are enrolled in one of these programs.

  • Do an online search for “privacy request form” alongside the name of your vehicle’s manufacturer. There should be instructions on how to request information your car company has about you.

  • Request your LexisNexis report: https://consumer.risk.lexisnexis.com/consumer

  • Request your Verisk report: https://fcra.verisk.com/#/

Find something interesting, or know more about this? Contact me at kashmir.hill@nytimes.com.

Susan C. Beachy contributed research.