Meet NOAA's Unique 3D Weather Tool

Government can do more to protect consumer data that is being collected by a growing number of in-car services that track the location of drivers, the Government Accountability Office said in a new report to Congress.

The growth of location-based services provided through in-car systems, personal navigation devices, and mobile apps is outstripping government and industry privacy protections, the authors of the report concluded. Companies providing the technologies and services have inconsistent safeguards and varying levels of security, and in the absence of meaningful legislation, agencies should fill the gap by establishing clear expectations for companies.

Both the Federal Trade Commission and the Commerce Department's National Telecommunications and Information Administration in 2012 recommended commercial privacy practices that are in line with industry best-practices.

But "we found that the companies in our sample did not consistently follow industry-recommended privacy practices and that federal agencies could clarify their expectations for steps companies should take to protect consumers' location data privacy," the GAO said.

[The GAO isn't the only organization interested in in-car data systems.  Read: Google Android Heads For Cars.]

The study was requested by Sen. Al Franken, chair of the Judiciary Committee subcommittee on Privacy, Technology and the Law.

GAO cited a Frost and Sullivan report predicting that the market for in-car telematics services will grow from 11.8 million subscribers in 2012 to 31.6 million in 2016. In 2012, Sprint announced plans to partner with Chrysler to provide embedded in-car communications services, and satellite radio company SiriusXM in 2013 agreed to acquire a company that provides auto manufacturers with location-based services for their customers. The one market segment that is likely to shrink is standalone personal navigation devices, which are being overshadowed by in-car technology and mobile apps.

For the study, the GAO questioned six auto manufacturers -- Chrysler, Ford, General Motors, Honda, Nissan, and Toyota -- who accounted for 75% of the U.S. new-car market in 2012. All offer models with in-car location-based services. Also examined were two manufacturers of standalone navigation devices, Garmin and TomTom, and two map and navigation application developers, Google Maps and Telenav.

All of these companies collect location data, and nine of the 10 share data with third parties that provide emergency response, traffic information, information about local services, advertisements, and other services. None of the companies sell data to data brokers. All of the companies take steps to remove personally identifiable information and have privacy policies informing customers of how data is used, but the policies often do not conform to industry best-practices and data security is uneven.

Not all data is encrypted while being transmitted and stored, methods for removing personally identifiable information vary, and customers often are not fully informed of how their information is being gathered and used, the GAO found. None of the companies allows customers to have their data removed from the systems.

"Currently, no comprehensive federal privacy law governs the collection, use, and sale of personal information by private-sector companies," the GAO said, although the FTC Act, the Communications Act of 1934, and the Electronic Communications Privacy Act of 1986 address some of these issues. In 2012, the FTC and NTIA called on Congress to pass data privacy legislation to provide a minimum level of protection, but none of three resulting bills introduced in 2012 or 2013 have been enacted.

The proliferation of technologies capable of generating sensitive data and of services using it, coupled with a lack of basic privacy protections, puts consumer privacy at risk, the GAO said.

William Jackson is a technology writer based in Washington, D.C., who specializes in telecommunications, networking, and cyber-security in the public sector.

Mobile, cloud, and BYOD blur the lines between work and home, forcing IT to envision a new identity and access management strategy. Also in the The Future Of Identity issue of InformationWeek: Threats to smart grids are far worse than generally believed, but tools and resources are available to protect them. (Free registration required.)