I know where you went last Summer

Privacy implications of vehicle-tracking technology

I'm sure everyone has heard about the tussle (that's an understatement) between Elon Musk's Tesla Motors and the New York Times concerning that paper's negative review of the Tesla Model S. When Musk countered the review in his blog by citing information that the car gathered about where and how the Times reporter drove the Model S, as recorded by the car's "black box," he sparked a flaming debate about the information that our cars record. And, whether he meant to or not, he put the privacy implications of such recording technology at the forefront of public concern.

Coincidentally, I recently met the Program Manager for Octo Telematics North America. As stated in its press release, the company manufactures and distributes a comprehensive range of vehicle telematics solutions to the North American automotive insurance market, from usage-based insurance, driving behavior, and mileage reporting to safety and security services, crash kinematics, and dynamics reconstruction. Octo Telematics is considering making these offerings available to vehicle dealers, which I imagine would be very helpful in combating consumer breach of warranty and prior damage claims.

At around the same time, I also read Monica Demeglio's article, "The Creepy Factor; Technological innovation creates new wave of privacy regulation," in the Winter 2013 issue of All Rise, a publication of The Ohio State University Moritz College of Law (my alma mater, in case you didn't know). Monica's article is based in large part on an extensive interview with OSU-Moritz law professor Peter P. Swire, who notes that "One of the current challenges is how to respond to the fact that we carry tracking devices [GPS-enabled cell phones] for the first time in human history." Thus, Swire notes, we live in an era in which the very concept of privacy--our ambiguity about its value, and our expectation of its very existence--is historically unique, such that it is unclear whether legal frameworks established before this era remain relevant. If policy-makers or the public decide that they are not, or that they are insufficient, policy innovations such as "do not track" registries may be instituted. And, if they are, it's unclear whether or how they would affect the sort of "black box" automotive technology, which is intended for purposes other than marketing. Swire is no armchair futurist, musing academically about what may come. He was the nation's first Chief Counselor for Privacy and, while in that post, was responsible for privacy rights legislation in the medical and financial industries. Last November, he was tapped to co-chair a World Wide Web Consortium working group developing Do Not Track standards, which would give Internet users greater control over what is gathered about them.

Finally, it was reported back in December that, while data recorders exist in about 90% of new vehicles sold in the U.S. today, the National Highway Traffic Safety Administration (NHTSA) is pushing for mandatory crash recorders for all cars. Car and Driver reported on the myths of this rulemaking, including the myth that the government will be able to track you in your car (as currently contemplated, it will not). But some groups are bristling at this effort, namely the Electronic Frontier Foundation. They are worried that, whatever today's intentions, recording technology will lead tomorrow to tracking and recording of data that encroach on the privacy of drivers.

All of this got me thinking about the privacy issues implicated by technology like that found in Musk's (very cool) cars, Octo's (and others') tracking and telematics technology, and the use of information collected by this technology in litigation.

Litigators have long recognized the value of electronic evidence, particularly electronically stored communications. We scrutinize e-mail and posts for information to support litigation. According to a recent survey conducted by the American Academy of Matrimonial Lawyers, 81 percent of responding attorneys found and used evidence from social media sites in litigation (hint: if you're cheating on your spouse, don't brag about it on Facebook).

And, because some opposing counsel tend to scrub e-mails and social networking sites clean before the information is requested (shame on them), we serve subpoenas on internet service providers (ISPs) and social media sites. But the Stored Communications Act (SCA) prohibits service providers from disclosing e-communications, even in the face of a subpoena. There is an issue brewing as to whether the SCA applies to ISPs and social sites. In California, the courts have interpreted the SCA to apply to ISPs providing e-mail services and to social sites. For example, in O'Grady v. Superior Court of Santa Clara County, the court of appeal directed a trial court to grant a protective order to operators of online news magazines, in response to civil subpoenas served by Apple Computer. In Crispin v. Audigier, the defendants in a business dispute served subpoenas on Facebook and MySpace. The social media sites opposed the subpoenas, and the court held that Facebook and MySpace's private messaging or e-mail services are subject to the SCA's prohibitions against disclosure, even if the social site is served with a civil subpoena. The court quashed the subpoenas. What was interesting about this case is that, as to the comments posted openly on Facebook and MySpace, the court remanded the matter to the magistrate judge to develop a fuller evidentiary record regarding the plaintiff's privacy settings on those social media sites. The court relied on a provision of the Wiretap Act that provides, "It shall not be unlawful...for any person...to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."

So all of this raises the question: what role will monitoring, telematic and analytic technology in cars play, and will it be subject to any privacy protections?

As for government intrusion, that question was partially answered last year by the United States Supreme Court in U.S. v. Jones, in which a unanimous court (yep... unanimous) ruled that police don’t have the authority to put GPS tracking devices on vehicles unless they get a warrant first.

The bigger issue is the reasoning behind that decision. This is where the court split. Five justices said that the government violated the Fourth Amendment—which guarantees our right to be free from unlawful search and seizure—merely because police officers tracked a vehicle by making physical contact with it, without a warrant and without permission. The other four justices wrote that what the police did was illegal because, regardless of physical contact, they tracked a vehicle for a month without court-given permission in the form of a warrant.

This means that the Court's opinion is limited to GPS tracking devices physically placed on your vehicle by the government, not privately-installed black boxes and the like. This is just the beginning, as several lower courts have struggled with the proper bounds of U.S. v. Jones and the SCA and have suggested that legislation is required to remedy the "constant government intrusion" issue that this opinion raises.

As for privately-installed black boxes and other tracking and monitoring technology, the answer is even more complicated. Who owns this data and does the SCA apply to information relayed to the vehicle manufacturer, the dealer or the device's manufacturer or distributor? Seventeen states regulate who owns this data. In California, for example, the consumer owns it.

Specifically, in 2004, California became the first state to enact legislation (Calif. Vehicle Code § 9951) requiring manufacturers to disclose to customers whether event data recorders or "black boxes" are installed in vehicles. Black boxes record data such as the speed of a vehicle, safety belt use, and other vehicle safety information. The law also prohibits download of that data without the owner's permission or a court order. In a related area, California (Calif. Civil Code § 1936) and New York (New York Gen. Bus. Law § 396-z) have passed laws prohibiting rental car companies from using electronic surveillance or global positioning devices to impose fees, charges or penalties relating to the renter's use of the vehicle.

The 2004 California legislation is limited to Event Data Recorders (EDRs) or black boxes, but newer technologies make it possible to record much more than that which is recorded by EDRs. It appears that additional legislation will be needed to address the impacts of that technology. For now, at least in California, litigators may be able to subpoena EDR data and communications to prove whether a vehicle was damaged pre- or post-sale (provided the device keeps or communicates earlier-stored data and does not simply re-write over it) or whether and when an alleged defect was discovered and whether it was caused by misuse or abuse by a consumer, instead of a manufacturing defect, in appropriate circumstances.

I recently listened to a debate on black boxes on KPCC's Air Talk between Clarence M. Ditlow, Executive Director of the Center for Auto Safety, and Nate Cardozo, Staff Attorney for the Electronic Frontier Foundation. But the debate focused mostly on government intrusion and privacy concerns, rather than the civil litigation ramifications of the data and communications resulting from this technology. Cardozo did say, though, that the Electronic Frontier Foundation's position to NHTSA is that for a civil trial, only a subpoena should be required for disclosure of this information.

It appears that we have a long way to go before we can know the true extent of our ability to use data stored or communicated by new vehicle technology in litigation. This is a continually evolving area and more will certainly follow.