On Friday February 19th, someone drove past the Lake Merced Golf Club, along freeway 280, and were outside the Dignity Health-GoHealth Urgent Care facility. But their car was most frequently parked outside a specific address in the fancy Noe Valley area of San Francisco.
I know this because a company called Otonomo sells the granular location data of vehicles across the United States and the rest of the world. Otonomo also makes some of its location data available as part of a free trial. The data is supposed to be pseudonymous, linked only to a non-descript identifier for the car, but Motherboard found it is relatively easy to find who a car potentially belongs to and follow their movements. A source pulled data from Otonomo en masse and provided Motherboard with GPS coordinates of drivers in California, Berlin, and other cities, and that data can be mapped to track unsuspecting drivers wherever they go, and to determine their likely home addresses and identities.
The news highlights the nascent market of vehicle location data, tapped into by insurance firms, advertisers, and others who can obtain it. Government contractors have also offered to sell such data to the U.S. military for surveillance purposes. The experiment shows how fragile the anonymity of location data can be, with one of the few barriers being an agreement in Otonomo’s terms of use to not try and unmask real people in the data.
Otnomo’s data offering is a “privacy nightmare,” Adam Schwartz, a staff attorney at the Electronic Frontier Foundation told Motherboard. Schwartz added that the EFF has been concerned that the location data of vehicles would be “bundled and sold to data brokers, who want to turn a profit,” and pointed to how Otonomo had some of this data on their public facing website.
Do you work at a location data company, or are you a location data customer? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Otonomo, founded in Israel, has agreements with some car manufacturers to source location data from vehicles. A Otonomo presentation made for investors says the company has partnerships with 16 OEMs with an installed base of over 40 million vehicles, and that it collects 4.3 billion data points a day. The company also obtains data from telemetry service providers (TSPs), which are other sources such as navigation apps and satnavs that can act as a proxy for a vehicle’s location and movements. The presentation adds that in turn “thousands of organizations” have access to Otonomo’s data.
“[TSPs] have operated on the cusp of this new wave of innovation, capturing data directly from cars to improve fleet operations. The Otonomo Automotive Data Services Platform gives TSPs new opportunities to […] extract value from their data,” a Otonomo product description reads. Jodi Joseph Asiag, head of content and communications at Otonomo, told Motherboard in an email that the data available to free accounts is provided by the TSPs, and that there is no “freely available automotive OEM data.”
Gaining access to some of Otonomo’s data is fairly straightforward. Motherboard created a free account on Otonomo’s website using a Gmail address, entered a fake company name, and was able to request a spreadsheet of 10,000 location points from a specific U.S. state soon after. This data included a unique identifier Otonomo assigned to the device or vehicle, the recorded latitude and longitude, a hash of the source or provider of the data, and the street the data point related to.
The researcher…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
