Another day, another data privacy scandal. This time the focus is on the Department of Motor Vehicles, which has been busted selling DMV user data to a laundry list of third parties, without always making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators. And while some of the data is in bulk and “anonymized,” we’ve long noted that doesn’t mean what you think it does.
The collection and sale of sensitive user data is particularly problematic for those dealing with stalkers or other jackasses:
“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking,” Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. “For survivors, their safety may depend on their ability to keep this type of information private.”
Granted all of this is perfectly legal due to the Driver’s Privacy Protection Act (DPPA), a 90’s law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.
While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. The documents obtained by Motherboard show that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities. The practice is, unsurprisingly, hugely profitable:
“DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email “Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees.” Examining that document shows that Wisconsin’s revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found.”
Most DMVs say that they inform customers (in fine print) that their data may be sold, and that they’ve cut off access to data by firms that they’ve found to have abused the access. But given the wild west nature of US privacy law (read: we don’t have many and the ones we do have are riddled with issues and loopholes), there’s not much of a mechanism to confirm this data isn’t being abused, or that DMVs are doing a particularly good job of dealing with issues when the data is being access by malicious parties. In response to the investigation, Presidential hopeful Bernie Sanders demanded more comprehensive oversight:
“The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago. Nobody—from agencies like the DMV to large corporations like Facebook and Google—should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.
Granted it’s hard to reform US privacy law when a broad coalition of industries are using every lobbying trick in the book to prevent said reform from taking place. And while a lot of companies publicly state they want a new privacy law, what they really mean is for Congress to pass another flimsy, loophole-filled law their lawyers wrote, that will primarily serve to pre-empt more comprehensive state and federal privacy proposals.
The DMV Is Selling Your Data To Vast Array Of Third Parties
Comcast Sues Maine For Demanding It Sell TV Channels À La Carte
That Time EFF Got A Copyright Takedown Demand Of Its Own Artwork
Intellectual Property Is Neither Intellectual, Nor Property: Discuss