The DMV Is Selling Your Data To Vast Array Of Third Parties

from the dysfunction-junction dept

Another day, another data privacy scandal. This time the focus is on the Department of Motor Vehicles, which has been busted selling DMV user data to a laundry list of third parties, without always making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators. And while some of the data is in bulk and “anonymized,” we’ve long noted that doesn’t mean what you think it does.

The collection and sale of sensitive user data is particularly problematic for those dealing with stalkers or other jackasses:

“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking,” Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. “For survivors, their safety may depend on their ability to keep this type of information private.”

Granted all of this is perfectly legal due to the Driver’s Privacy Protection Act (DPPA), a 90’s law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.

While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. The documents obtained by Motherboard show that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities. The practice is, unsurprisingly, hugely profitable:

“DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email “Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees.” Examining that document shows that Wisconsin’s revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found.”

Most DMVs say that they inform customers (in fine print) that their data may be sold, and that they’ve cut off access to data by firms that they’ve found to have abused the access. But given the wild west nature of US privacy law (read: we don’t have many and the ones we do have are riddled with issues and loopholes), there’s not much of a mechanism to confirm this data isn’t being abused, or that DMVs are doing a particularly good job of dealing with issues when the data is being access by malicious parties. In response to the investigation, Presidential hopeful Bernie Sanders demanded more comprehensive oversight:

“The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago. Nobody?from agencies like the DMV to large corporations like Facebook and Google?should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.

Granted it’s hard to reform US privacy law when a broad coalition of industries are using every lobbying trick in the book to prevent said reform from taking place. And while a lot of companies publicly state they want a new privacy law, what they really mean is for Congress to pass another flimsy, loophole-filled law their lawyers wrote, that will primarily serve to pre-empt more comprehensive state and federal privacy proposals.

Filed Under: , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “The DMV Is Selling Your Data To Vast Array Of Third Parties”

Subscribe: RSS Leave a comment
Anonymous Anonymous Coward (profile) says:

It's not just about privacy, it's about government, not business

The Government should not be in the business of selling anything, especially private information gleaned from requirements generated for enforcement purposes, and they certainly shouldn’t be selling votes, as they often do. To begin with, it’s our information, not theirs. Secondly the Government isn’t a business, it’s a government.

Now if the Government comes into possession of something they no longer need, and that something has some value, then they could transfer it off their books for a consideration to a private entity. But in the instances related in the article, the data being sold is imaginary property and it isn’t like the government doesn’t need it any more.

If they are in need of money, maybe they should take a good hard look at some of their wasteful spending. We don’t need bridges to nowhere, and we don’t need military projects that don’t work, and we don’t need a military industrial complex. There are too many other complex’s to deal with, like politician’s egos and political parties.

Bodin8 says:

Re: it's about government

"The Government should not be in the business of selling anything,"


But YOU are the "Government" ! America is a democracv, right.

Your state governor and legislators fully control the DMV … and they obviously support their DMV selling private citizen data — a long established government policy.

You voted for these state officials … or at least fully endorsed the electoral process that put them in power.
Thus, you have NO right to complain about the state "government" that officially represents you.

The Government is You !
(or are you one of those flakes that doesn’t trust government generally?)

Bodin8 says:

Re: Re: Re: it's about government

…relax, nobody said they knew how you vote.
You made a broader point about government, as did I (with an exaggerated style for emphasis).

Trust in your elected officials is not a granular concept — you either trust them or you don’t.
Voting isn’t a piecemeal proposition either. By participating in elections, you agree to abide by the results — which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners.
That.s how elections work, though few people recognize the deeper principles of representative democracy.

So do you trust your government or not?

Anonymous Anonymous Coward (profile) says:

Re: Re: Re:2 it's about government


I don’t like our election process. I don’t like political parties. I don’t like soft money in politics. I don’t like politicians not being held accountable. I don’t like politicians voting in favor of something that is not in their constituencies best interest. I don’t like the way the Senate implements its advise and consent roll. Etc.. This is the short list.

And I really don’t like that all of these are fixable, but power hungry politicians won’t do anything about it because they like the power they have, and fixing things might remove either their power or them from their power position.

I am waiting for a list of reasons to actually trust the government, that isn’t laughably strained. Even some of our founding fathers had little faith in governments. For example:

"The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. Thomas Jefferson"

Anonymous Coward says:

Re: Re: Re:2 it's about government

"Trust in your elected officials is not a granular concept — you either trust them or you don’t."
Trust is earned, it is neither given nor demanded.

"By participating in elections, you agree to abide by the results"
Wrong. Show from where you get this preposterous idea.

"which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners."
Does this imply that people suffering under a dictatorship, by definition, trust the dictator? I don’t think so Tim.

"That.s how elections work"
Wrong again.

"deeper principles of representative democracy"
Not sure what you are getting at here but it smells like bullshit.

Why would anyone trust their government? I challenge you to come up with one good reason to do so. Many people consider it their responsibility to keep their government in check rather than simply giving them carte blanche.

Wendy Cockcroft (profile) says:

Re: Re: it's about government

RE: those flakes that doesn’t trust government generally

The idea behind that is to make such people so mistrustful of government on principle that it doesn’t occur to them that
a) they effectively ARE the government, and
b) they can effect change if they engage more and get others to join them.

As you may have noticed, this is working like a Fascist dream; disengaged people shout about rebellion and revolution but it just doesn’t click with them that they could, like, totally call their representatives or campaign for change like the sensible people do.

urza9814 (profile) says:

Rhode Island informs us...

I’m a Rhode Island resident, and I very clearly remember seeing a checkbox on the license renewals which would grant them permission to sell your data to third parties. I remember it because it seemed rather idiotic — I never give them permission, and I’m not sure why anyone would, but I assume they’re counting on people not actually reading the damn contracts they’re signing and just checking boxes at random…

Here’s the form…top of section G. Note that it is NOT opt-out, you must select either yes or no.

So, are they violating that and selling information without consent? Because otherwise, what they’re doing kinda sucks, but it’s also kinda your own fault if you get screwed by it….

Heck, even Sanders as quoted only said that they shouldn’t do it "without meaningful consent". I think what they already have counts as ‘meaningful consent’. What more would you want — are they supposed to send out a separate letter every single time they want to sign a new sales contract? That would be pretty annoying to those of us who just want to give a blanket ‘NO’. Perhaps they could improve the language/layout of the form a bit…but it’s NOT buried "in fine print" as claimed in the summary above, it’s NOT an opt-out, it’s NOT automatic…you have to give them a clear "YES, you have permission to share my data". Seems like meaningful consent to me. It’s not perfect, but it’s a FAR higher ethical standard than most data collection agencies that keep it buried in some click-through EULA that they damn well know most users aren’t reading.

TKnarr (profile) says:

Re: Rhode Island informs us...

I think the problem is the "unless otherwise authorized by law" proviso in the consent checkbox. They never say anywhere exactly what disclosures are authorized by law. If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?

IMO the rule should be that government agencies that collect personal data SHALL NOT disclose that data to any other party except to:

  1. comply with a lawful court order.
  2. comply with a legal requirement to disclose, in which case they shall at the time of collection or imposition of the requirement inform the person of the information that may be disclosed, the parties to whom it may be disclosed and the exact citation to the law requiring such disclosure.
  3. complete the performance of their lawful duties and render any service the person has requested, in which case they shall at the time of collection inform the person of the information to be disclosed, the parties to whom it may be disclosed and the exact purpose of the disclosure.
Anonymous Coward says:

Re: Re: Rhode Island informs us...

I think the problem is the "unless otherwise authorized by law" proviso in the consent checkbox.

Worse, they ask whether you authorize "such disclosure". But what does "such" mean? Disclosure authorized by law, or other than authorized? We may as well be checking boxes at random if we don’t know what "Yes" and "No" mean. (But, at least "no" looks like a safe choice. Authorize nothing unless you’re sure.)

urza9814 (profile) says:

Re: Re: Re: Rhode Island informs us...

Yeah, as I said they could improve the wording a bit, but I don’t think it’s THAT bad when you include the full context. Because the question starts with "EXCEPT", therefore you know that it does not apply to the disclosures authorized by law, so "such disclosures" can only mean those which would require consent.

urza9814 (profile) says:

Re: Re: Rhode Island informs us...

"If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?"

I hope not, though it’s not THAT hard to go look up some laws. If that was authorized, I’d certainly find that newsworthy. But "agency which asks users if they’d allow disclosing data is disclosing data!!!11!" is a pretty worthless headline, and that’s certainly all I’m seeing in this article…

urza9814 (profile) says:

Re: Re: Re:

People have gone to prison based on far less though. Just do a web search for "bite mark analysis in criminal prosecutions" and you’ll find page after page after page of insanity — people going to prison based on a PHOTO of a bite that "experts" claimed was a match, EVEN WHEN THE DNA IN THE SALIVA DID NOT MATCH. Heck, even when there was one expert saying the bite mark matched, and a second expert saying that it didn’t, and that was the only evidence presented…the guy still ended up in prison. You must be incredibly naive if you think "fingerprints are unreliable anyway" would be a sufficient defense in court…

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...