HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »
HideTechdirt is off for the long weekend! Looking for something to read instead? Check out our new Working Futures anthology »

The DMV Is Selling Your Data To Vast Array Of Third Parties

from the dysfunction-junction dept

Another day, another data privacy scandal. This time the focus is on the Department of Motor Vehicles, which has been busted selling DMV user data to a laundry list of third parties, without always making such financial relationships or data transfers clear to patrons. Some of the data wound up being sold to the usual suspects (auto insurance companies being the most obvious), but much of it is routinely sold to more dubious third-party outfits and private investigators. And while some of the data is in bulk and "anonymized," we've long noted that doesn't mean what you think it does.

The collection and sale of sensitive user data is particularly problematic for those dealing with stalkers or other jackasses:

"The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking," Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. "For survivors, their safety may depend on their ability to keep this type of information private."

Granted all of this is perfectly legal due to the Driver's Privacy Protection Act (DPPA), a 90's law that critics say is in dire need of an update. That law was created in response to a series of abuses of DMV data, including the 1989 murder of actress Rebecca Schaeffer, after her killer obtained her home address from the DMV. And while the law was intended to stop the abuse of DMV data, it contained (surprise!) plenty of loopholes making it okay to sell this data to a wide variety of individuals, including PIs, bail bondsmen, and consumer credit reporting agencies.

While the data sold can vary from state to state, it generally includes names, addresses, zip codes, dates of birth, phone numbers, and email addresses. The documents obtained by Motherboard show that the Wisconsin DMV, for example, has personal data sales relationships with more than 3,100 different entities. The practice is, unsurprisingly, hugely profitable:

"DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email "Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees." Examining that document shows that Wisconsin's revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found."

Most DMVs say that they inform customers (in fine print) that their data may be sold, and that they've cut off access to data by firms that they've found to have abused the access. But given the wild west nature of US privacy law (read: we don't have many and the ones we do have are riddled with issues and loopholes), there's not much of a mechanism to confirm this data isn't being abused, or that DMVs are doing a particularly good job of dealing with issues when the data is being access by malicious parties. In response to the investigation, Presidential hopeful Bernie Sanders demanded more comprehensive oversight:

"The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago. Nobody—from agencies like the DMV to large corporations like Facebook and Google—should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans.

Granted it's hard to reform US privacy law when a broad coalition of industries are using every lobbying trick in the book to prevent said reform from taking place. And while a lot of companies publicly state they want a new privacy law, what they really mean is for Congress to pass another flimsy, loophole-filled law their lawyers wrote, that will primarily serve to pre-empt more comprehensive state and federal privacy proposals.

Filed Under: data, dmv, privacy, selling data


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Anonymous Anonymous Coward (profile), 12 Sep 2019 @ 11:15am

    It's not just about privacy, it's about government, not business

    The Government should not be in the business of selling anything, especially private information gleaned from requirements generated for enforcement purposes, and they certainly shouldn't be selling votes, as they often do. To begin with, it's our information, not theirs. Secondly the Government isn't a business, it's a government.

    Now if the Government comes into possession of something they no longer need, and that something has some value, then they could transfer it off their books for a consideration to a private entity. But in the instances related in the article, the data being sold is imaginary property and it isn't like the government doesn't need it any more.

    If they are in need of money, maybe they should take a good hard look at some of their wasteful spending. We don't need bridges to nowhere, and we don't need military projects that don't work, and we don't need a military industrial complex. There are too many other complex's to deal with, like politician's egos and political parties.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2019 @ 12:13pm

      Re: It's not just about privacy, it's about government, not busi

      They've been in the business of selling child sex slaves for decades now at least.

      reply to this | link to this | view in chronology ]

    • identicon
      Bodin8, 12 Sep 2019 @ 1:46pm

      Re: it's about government

      "The Government should not be in the business of selling anything,"

      .,.

      But YOU are the "Government" ! America is a democracv, right.

      Your state governor and legislators fully control the DMV ... and they obviously support their DMV selling private citizen data -- a long established government policy.

      You voted for these state officials ... or at least fully endorsed the electoral process that put them in power.
      Thus, you have NO right to complain about the state "government" that officially represents you.

      The Government is You !
      (or are you one of those flakes that doesn't trust government generally?)

      reply to this | link to this | view in chronology ]

      • icon
        Anonymous Anonymous Coward (profile), 12 Sep 2019 @ 1:56pm

        Re: Re: it's about government

        What in gods name makes you think you know how I voted?

        Beyond that, governments in general have given plenty of reason not to trust them. However, there are specific reasons for not trusting them, not general reasons.

        reply to this | link to this | view in chronology ]

        • identicon
          Bodin8, 12 Sep 2019 @ 3:58pm

          Re: Re: Re: it's about government

          ...relax, nobody said they knew how you vote.
          You made a broader point about government, as did I (with an exaggerated style for emphasis).

          Trust in your elected officials is not a granular concept -- you either trust them or you don't.
          Voting isn't a piecemeal proposition either. By participating in elections, you agree to abide by the results -- which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners.
          That.s how elections work, though few people recognize the deeper principles of representative democracy.

          So do you trust your government or not?

          reply to this | link to this | view in chronology ]

          • icon
            Anonymous Anonymous Coward (profile), 13 Sep 2019 @ 6:53am

            Re: Re: Re: Re: it's about government

            Not.

            I don't like our election process. I don't like political parties. I don't like soft money in politics. I don't like politicians not being held accountable. I don't like politicians voting in favor of something that is not in their constituencies best interest. I don't like the way the Senate implements its advise and consent roll. Etc.. This is the short list.

            And I really don't like that all of these are fixable, but power hungry politicians won't do anything about it because they like the power they have, and fixing things might remove either their power or them from their power position.

            I am waiting for a list of reasons to actually trust the government, that isn't laughably strained. Even some of our founding fathers had little faith in governments. For example:

            "The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants. Thomas Jefferson"

            reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 13 Sep 2019 @ 6:56am

            Re: Re: Re: Re: it's about government

            "Trust in your elected officials is not a granular concept -- you either trust them or you don't."
            Trust is earned, it is neither given nor demanded.

            "By participating in elections, you agree to abide by the results"
            Wrong. Show from where you get this preposterous idea.

            "which typically means granting elected officials extensive power over you for long time periods; thus, you automatically "trust" election winners."
            Does this imply that people suffering under a dictatorship, by definition, trust the dictator? I don't think so Tim.

            "That.s how elections work"
            Wrong again.

            "deeper principles of representative democracy"
            Not sure what you are getting at here but it smells like bullshit.

            Why would anyone trust their government? I challenge you to come up with one good reason to do so. Many people consider it their responsibility to keep their government in check rather than simply giving them carte blanche.

            reply to this | link to this | view in chronology ]

      • icon
        Wendy Cockcroft (profile), 16 Sep 2019 @ 5:51am

        Re: Re: it's about government

        RE: those flakes that doesn't trust government generally

        The idea behind that is to make such people so mistrustful of government on principle that it doesn't occur to them that
        a) they effectively ARE the government, and
        b) they can effect change if they engage more and get others to join them.

        As you may have noticed, this is working like a Fascist dream; disengaged people shout about rebellion and revolution but it just doesn't click with them that they could, like, totally call their representatives or campaign for change like the sensible people do.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2019 @ 4:18pm

      Re: It's not just about privacy, it's about government, not busi

      Its a shame that Americans have been subjected to the dictatorship of the DMV across our country.

      reply to this | link to this | view in chronology ]

  • identicon
    bobob, 12 Sep 2019 @ 12:28pm

    The DMVs have done this for a while. Get an account at publicdata.com and you'll have access to that data from whichever states have made the data available. Texas is the worst offender.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2019 @ 12:40pm

    It's interesting that it seems to be ok if they simply tell you ahead of time that they are doing it. Sorta like when they steal your stuff because your stuff violated the law, they tell you in advance because that makes it ok.

    reply to this | link to this | view in chronology ]

  • identicon
    urza9814, 12 Sep 2019 @ 12:42pm

    Rhode Island informs us...

    I'm a Rhode Island resident, and I very clearly remember seeing a checkbox on the license renewals which would grant them permission to sell your data to third parties. I remember it because it seemed rather idiotic -- I never give them permission, and I'm not sure why anyone would, but I assume they're counting on people not actually reading the damn contracts they're signing and just checking boxes at random...

    Here's the form...top of section G. Note that it is NOT opt-out, you must select either yes or no.
    http://www.dmv.ri.gov/documents/forms/license/LI-1.pdf

    So, are they violating that and selling information without consent? Because otherwise, what they're doing kinda sucks, but it's also kinda your own fault if you get screwed by it....

    Heck, even Sanders as quoted only said that they shouldn't do it "without meaningful consent". I think what they already have counts as 'meaningful consent'. What more would you want -- are they supposed to send out a separate letter every single time they want to sign a new sales contract? That would be pretty annoying to those of us who just want to give a blanket 'NO'. Perhaps they could improve the language/layout of the form a bit...but it's NOT buried "in fine print" as claimed in the summary above, it's NOT an opt-out, it's NOT automatic...you have to give them a clear "YES, you have permission to share my data". Seems like meaningful consent to me. It's not perfect, but it's a FAR higher ethical standard than most data collection agencies that keep it buried in some click-through EULA that they damn well know most users aren't reading.

    reply to this | link to this | view in chronology ]

    • icon
      TKnarr (profile), 12 Sep 2019 @ 1:18pm

      Re: Rhode Island informs us...

      I think the problem is the "unless otherwise authorized by law" proviso in the consent checkbox. They never say anywhere exactly what disclosures are authorized by law. If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?

      IMO the rule should be that government agencies that collect personal data SHALL NOT disclose that data to any other party except to:

      1. comply with a lawful court order.
      2. comply with a legal requirement to disclose, in which case they shall at the time of collection or imposition of the requirement inform the person of the information that may be disclosed, the parties to whom it may be disclosed and the exact citation to the law requiring such disclosure.
      3. complete the performance of their lawful duties and render any service the person has requested, in which case they shall at the time of collection inform the person of the information to be disclosed, the parties to whom it may be disclosed and the exact purpose of the disclosure.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Sep 2019 @ 2:11pm

        Re: Re: Rhode Island informs us...

        I think the problem is the "unless otherwise authorized by law" proviso in the consent checkbox.

        Worse, they ask whether you authorize "such disclosure". But what does "such" mean? Disclosure authorized by law, or other than authorized? We may as well be checking boxes at random if we don't know what "Yes" and "No" mean. (But, at least "no" looks like a safe choice. Authorize nothing unless you're sure.)

        reply to this | link to this | view in chronology ]

        • identicon
          urza9814, 13 Sep 2019 @ 6:26am

          Re: Re: Re: Rhode Island informs us...

          Yeah, as I said they could improve the wording a bit, but I don't think it's THAT bad when you include the full context. Because the question starts with "EXCEPT", therefore you know that it does not apply to the disclosures authorized by law, so "such disclosures" can only mean those which would require consent.

          reply to this | link to this | view in chronology ]

      • identicon
        urza9814, 13 Sep 2019 @ 6:29am

        Re: Re: Rhode Island informs us...

        "If the law authorizes the DMV to sell information to credit reporting agencies, does that count and mean that your information may be sold even if you check the NO box?"

        I hope not, though it's not THAT hard to go look up some laws. If that was authorized, I'd certainly find that newsworthy. But "agency which asks users if they'd allow disclosing data is disclosing data!!!11!" is a pretty worthless headline, and that's certainly all I'm seeing in this article...

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2019 @ 12:51pm

    How long will it be to discover your finger print was sold and then placed at the scene of a crime?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 12 Sep 2019 @ 12:58pm

      Re:

      Fingerprint analysis has been shown to be frequently unreliable anyway

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 12 Sep 2019 @ 4:21pm

        Re: Re:

        More people have died in prison because of fingerprint analysis. That's funny.

        reply to this | link to this | view in chronology ]

      • identicon
        urza9814, 13 Sep 2019 @ 6:35am

        Re: Re:

        People have gone to prison based on far less though. Just do a web search for "bite mark analysis in criminal prosecutions" and you'll find page after page after page of insanity -- people going to prison based on a PHOTO of a bite that "experts" claimed was a match, EVEN WHEN THE DNA IN THE SALIVA DID NOT MATCH. Heck, even when there was one expert saying the bite mark matched, and a second expert saying that it didn't, and that was the only evidence presented...the guy still ended up in prison. You must be incredibly naive if you think "fingerprints are unreliable anyway" would be a sufficient defense in court...

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 12 Sep 2019 @ 3:44pm

    What would happen if a European citizen got a license in some US state? Would their DMV info have to be handled by GDPR policies? What would the penalties be if it wasn't?

    Just thinking that might be an interesting angle of attack here, if all Europeans with US licenses flagged up the DMV.

    reply to this | link to this | view in chronology ]

  • icon
    Techslips.com (profile), 13 Sep 2019 @ 5:21am

    Did you know how many life that have destroyed because of this. OMG!!!

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Insider Shop - Show Your Support!

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.