There is a growing movement to surveil the drivers of cars — for insurance purposes.

One idea is that vehicle insurance premiums should depend on verifiable, periodic measurements of how far a car has been driven. The case for such premiums is strong: driving further clearly increases the risk of an accident, and "Pay As You Drive" premiums would allow (some) drivers to pay less for insurance; would allow insurance companies to make higher profits; and would reduce the congestion, greenhouse emission and traffic accident costs that each mile driven causes for society.

Another idea is that vehicles should collect data on the way that they are being driven (location, speed, acceleration and braking patterns, type of roads, time of day, smoothness of steering, etc). These measurements can be used to identify good drivers, and offer them insurance discounts — or to spot dangerous drivers, charge them higher premiums and encourage them to take driving skills courses. The policy case for this kind of measurement may turn out to be strong too, though it is less well-established.

The problem with these proposals is that they are often accompanied by a technical proposal for a tracking device that sits in your car and transmits voluminous data over wireless or satellite links, so that insurance companies can decide how much to charge you. Many modern vehicles are already collecting this information, and the insurance industry just needs to get a copy of it.

One state currently considering these schemes is California. The State's Department of Insurance held a workshop last week on how best to modify existing regulations to implement Pay As You Drive insurance. EFF participated in the process; you can read our letter to the Department (written with Andrew Blumberg at Stanford) here.

Briefly, EFF's view is that there is a perfectly good, ubiquitous and tamper-resistant device avaialable for measuring vehicle mileage: the odometer. It may be good policy to require fine-grained dependence of insurance premiums upon mileage — but if so, the data should be collected by examining odometers rather than 24/7 wireless or satellite surveillance. We think the public agrees: a similar tracking scheme by UK insurer Norwich Union was abandoned this week.

The best way to protect drivers' privacy, of course, is to not record any facts about where and when and how they are driving at all. But in the long run, there may be sound policy cases for devices that spot dangerous drivers, or charge road tolls based on congestion, etc. If policy-makers are persuaded that there is a strong need for such systems, they need to be built in a way that has the minimal possible privacy consequences. Cryptography offers many ways to implement these kinds of schemes without compromising locational privacy (one technical example is described in this paper). The general principle is that only the minimal amount of information should leave the vehicle: the total billable amount, for instance. If verification is an issue, cryptography and some extra hardware can provide it.

If governments are persuaded that they should allow insurers or anybody else to use detailed information on location or other vehicle observations, they should mandate that these schemes not upload any information from vehicles except for the premium itself, and they should require that the privacy properties of any technology being proposed for vehicles be audited by the computer security community before it is deployed.

If we let insurance companies, car manufacturers or tech companies build a gigantic driver surveillance system, it will be exceedingly difficult to go back to the days where you could drive to a church, or a gay bar, or a political meeting, or a cheap motel at lunchtime, without some company (or hacker) permanently recording that fact.

Related Issues