Threat to privacy found in auto insurance 'pay as you drive' programs

That's what four University of Denver computer scientists found in an experiment.

"With access to simple features such as driving speed and distance travelled, inferring the destinations of driving trips is possible," they write in a paper published in the proceedings of the 2013 ACM Workshop on Privacy in the Electronic Society in November. "Privacy advocates have presumed the existence of location privacy threats in non-tracking telematics data collection practices. Our work shows that the threats are real."

The scientists, Rinku Dewri, Prasad Annadata, Wisam Eltarjarnan and Ramakrishna Thurimella, developed an algorithm and applied it to data from 30 routine trips made in and around the Denver area. In 18 of the trips, the algorithm was able to place the actual destination within the top three projected destinations.

Numerous auto insurance companies offer discounts to policy holders who enroll in "pay how you drive" programs. These programs rely on the collection of driving habits data such as speed, time of driving, and mileage, during a monitoring period. This information is then analyzed to offer a customized discount to the policy holder. The "pay how you drive" programs generally do not track global positioning system (GPS) locations and thus imply an expectation of privacy that the customer's destinations are not tracked.

The University of Denver scientists, however, working through the Colorado Research Institute for Security and Privacy, found that a mixture of "quasi-identifiers" can be used to infer destinations even without GPS data. "Quasi-identifiers" are driving data that are non-tracking by themselves but can be used to infer driving routes when used in combination.

In addition to measuring driving speed and distance travelled, they tracked traffic stops and turns. They matched this information to road maps to determine the potential destinations of a trip, and then ranked them to deduce the most likely destination.

"We argue that customer privacy expectations in non-tracking telematics need to be reset," they write, "and new policies need to be implemented to inform customers of possible risks."

Their paper is titled, "Inferring Trip Destinations from Driving Habits Data."