Tech by VICE
DMVs Are Selling Your Data to Private Investigators
You gave them your data in exchange for a driver’s license. DMVs are making tens of millions of dollars selling it, documents obtained by Motherboard show.
By Joseph Cox
Sep 6 2019, 6:09am
IMAGE: CATHRYN VIRGINIA
Departments of Motor Vehicles in states around the country are taking drivers' personal information and selling it to thousands of businesses, including private investigators who spy on people for a profit, Motherboard has learned. DMVs sell the data for an array of approved purposes, such as to insurance or tow companies, but some of them have sold to more nefarious businesses as well. Multiple states have made tens of millions of dollars a year selling data.
Motherboard has obtained hundreds of pages of documents from DMVs through public records requests that lay out the practice. Members of the public may not be aware that when they provide their name, address, and in some cases other personal information to the DMV for the purposes of getting a driver's license or registering a vehicle, the DMV often then turns around and offers that information for sale.
Many of the private investigators that DMVs have sold data to explicitly advertise that they will surveil spouses to see if they're cheating.
"You need to learn what they’ve been doing, when they’ve been doing it, who they’ve been doing it with and how long it has been going on. You need to see proof with your own eyes," reads the website of Integrity Investigations, one private investigator firm that buys data from DMVs.
"Under this MOU [memorandum of understanding], the Requesting Party will be provided, via remote electronic means, information pertaining to driver licenses and vehicles, including personal information authorized to be released," one agreement between a DMV and its clients reads.
private-investigators-dmv-data
A SMALL SECTION OF A DOCUMENT FROM THE VIRGINIA DMV SHOWING WHICH PRIVATE INVESTIGATORS THE DMV HAS DATA SELLING AGREEMENTS WITH. IMAGE: SCREENSHOT.
Multiple DMVs stressed to Motherboard that they do not sell the photographs from citizens' driver licenses or social security numbers.
Some of the data access is done in bulk, while other arrangements allow a company to lookup specific individuals, according to the documents. Contracts can roll for months at a time, and records can cost as little as $0.01 each, the documents add.
“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking," Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. "For survivors, their safety may depend on their ability to keep this type of information private."
The sale of this data to licensed private investigators is perfectly legal, due to the Driver's Privacy Protection Act (DPPA), a law written in the '90s before privacy became the cultural focus that it is today, but which critics believe should be changed. The process of becoming a licensed private investigator varies from state to state, and can be strict, according to multiple sources close to the industry. Some states, however, allow licensing to be granted on a local level or investigators to operate without a license.
The DPPA was created in 1994 after a private investigator, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The stalker went on to murder Schaeffer. The purpose of the law was to restrict access to DMV data, but it included a wide range of exemptions, including for the sale to private investigators.
"The DPPA is one of several federal laws that should now be updated," Marc Rotenberg, president and executive director of privacy activism group EPIC, wrote in an email. "I would certainly reduce the number of loopholes," he added, referring to how the law might be changed.
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
The data sold varies from state to state, but it typically includes a citizen's name and address. In others, it can also include their nine-digit ZIP code, date of birth, phone number, and email address.
Rob Namowicz, a private investigator from Wisconsin, told Motherboard in an email he buys DMV records "to get driver license [sic] information on subjects I may be investigating."
The Virginia DMV has sold data to 109 private investigator firms, according to a spreadsheet obtained by Motherboard. The New Jersey Motor Vehicle Commission has sold data to at least 16 private investigation firms, another spreadsheet shows. The Delaware DMV has data sharing agreements with at least a dozen investigation firms, and Wisconsin has around two dozen current agreements with such firms, other documents show.
Motherboard did not obtain records from DMVs in all states, so the number of private investigators that have been granted access to citizens' data across the country is likely higher.
The data selling is not limited to private investigators, however. The DPPA also allows the DMV to sell data of drivers to various other entities. Consumer credit reporting company Experian features heavily in the documents obtained by Motherboard, which stretch from 2014 to this year, as does research company LexisNexis. The Delaware DMV has direct access agreements with around 300 different entities, according to one spreadsheet. The Wisconsin DMV has current agreements with over 3100 entities, another shows. Local media outlets in Florida, Texas, and elsewhere have also reported on DMVs selling data to third parties.
Valerie McGilvrey, a skiptracer who uses various tools and techniques to track down vehicles that need to be repossessed, told Motherboard "with Texas having no repo license and minimum standards, convicted felons can and do access professional databases."
Motherboard also found a bail bonds company included in one of the datasets. Motherboard has reported extensively on the abuse by bail bonds firms and bounty hunters around tracking techniques such as location data.
"The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking."
DMVs are making a lot of money from the sale of this data. The Rhode Island DMV made at least $384,000 selling personal data between 2015 and this year, according to a spreadsheet obtained by Motherboard. When asked how much the Wisconsin DMV made from selling driver records, a spokesperson wrote in an email "Per these 2018 DMV Facts and Figures, $17,140,914 was collected in FY18 for driver abstract fees." Examining that document shows that Wisconsin's revenue for selling driver records has shot up dramatically since 2015, when the sale drew in $1.1 million. The Florida Department of Highway Safety and Motor Vehicles made $77 million in 2017 by selling data, a local outlet found.
Documents explicitly note that the purpose of selling this data is to bring in revenue.
"This is a revenue generating contract," one document from the Indiana Bureau of Motor Vehicles obtained by Motherboard reads.
A spokesperson from the Wisconsin DMV wrote in an email that "Wisconsin DMV directly informs customers that their information may be sold."
Some uses of the data include being able to contact owners of certain cars in case they need to be recalled. But multiple DMVs confirmed that access to such data has been abused in the past—likely by customers using the data in a way that they were not authorized to do so.
"Yes, it has been done before," Binta Cissé, communications manager at the North Carolina DMV, wrote in an email after Motherboard asked if the DMV has cut off access to data buyers after abuse.
bmv-data-selling
A SECTION OF A DOCUMENT FROM THE INDIANA BUREAU OF MOTOR VEHICLES DESCRIBING HOW THE SALE OF DATA IS TO GENERATE REVENUE. IMAGE: SCREENSHOT.
Alexis Bakofsky, deputy communications director from the Florida Department of Highway Safety and Motor Vehicles, also said the agency had revoked access after abuse.
"Since implementing the new controls in 2017, the department has cancelled three MOUs with requesting parties for misuse," she wrote. "Additionally, while there was no indication of misuse, the department proactively cancelled two MOUs with requesting parties for failing to provide adequate internal controls."
Spokespeople from the Virginia DMV and the New Jersey Motor Vehicle Commission also confirmed those agencies have cut-off access after abuse of data. The Indiana Bureau of Motor Vehicles said it has not had to terminate contracts because of abuse.
Senator Ron Wyden, who works especially on privacy and surveillance issues, told Motherboard in a statement “News reports over the past year have repeatedly exposed the troubling abuse of Americans’ location data, by private investigators, bounty hunters, and shady individuals.”
He added that if the DMV data has been abused by private investigators, "Congress should take a close look at the Driver’s Privacy Protection Act, and, if necessary, close loopholes that are being abused to spy on Americans."
Subscribe to our new cybersecurity podcast, CYBER.
TAGGED:PRIVACYDATADMVSENATOR RON WYDENPRIVATE INVESTIGATORSDEPARTMENT OF MOTOR VEHICLESDATA ABUSEDATA SELLINGDPPA
Watch This Next
We Go Inside a Cybersecurity Firm to Find out What a Major Internet War Might Look Like
FROM VICE NEWS TONIGHT ON HBO
Subscribe to the VICE newsletter.
Your email
Subscribe
Tech by VICE
Experts Say Law Should Change to Stop DMVs From Selling Your Personal Data
Motherboard found that DMVs across the country are selling personal data likely without drivers’ knowledge, including to private investigators.
By Joseph Cox
Sep 9 2019, 11:25am
IMAGE: CATHRYN VIRGINIA
On Friday, Motherboard reported that Departments of Motor Vehicles across the country are making tens of millions of dollars selling drivers' personal information, including to private investigators who spy on people for a profit. The investigation, based on hundreds of pages of documents from DMVs obtained through public records requests, also showed that access to DMV data, which includes names, addresses, and other personal information, has been abused.
Now, Senators and digital privacy experts have criticized the practice.
“This is just another example of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized," Senator Mark Warner told Motherboard in a statement.
"The standard talking point that consumers ‘don’t care about privacy’ has been increasingly disproven, as we learn that consumers and policymakers have been kept in the dark for years about data collection and commercialization practices," he added.
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Motherboard's story found that the Virginia DMV has sold data to 109 private investigator firms, and other DMVs have sold to a dozen or more. Wisconsin has data agreements with some 3100 different entities overall, and made $17,140,914 from selling driver data in 2018.
The sale of this data is legal under the Driver's Privacy Protection Act (DPPA), a law passed in the '90s. The DPPA was created after a private investigator, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The DPPA was supposed to tighten-up the sale of DMV data, but came bundled a list of exemptions, including private investigators.
"I certainly think that DPPA is riddled with loopholes that need to be closed," Lee Tien, senior staff attorney at activist group the Electronic Frontier Foundation (EFF), wrote in an email. "In this day and age, unfortunately, government entities don't resist the lure of selling Americans' personal information for private exploitation. This problem will only get worse as cities, trying to be 'smart,' collect more information about what we do and where we go," he added.
Senator Ron Wyden previously told Motherboard "News reports over the past year have repeatedly exposed the troubling abuse of Americans’ location data, by private investigators, bounty hunters, and shady individuals." If the DMV data has been abused by private investigators, he said, "Congress should take a close look at the Driver’s Privacy Protection Act, and, if necessary, close loopholes that are being abused to spy on Americans."
When asked whether it informs drivers that their data may be sold, a spokesperson from the Wisconsin DMV wrote in an email "Wisconsin DMV directly informs customers that their information may be sold." It appears unlikely that the general public understands that data they are legally obligated to provide to the DMV to obtain a license or register a vehicle is being offered for sale.
"While what the DMV are doing is technically legal due to their exemptions, it belies a deeper problem that motorists are under ever increasing levels of surveillance and having their data exploited," Christopher Weatherhead, technologist at activist group Privacy International, wrote in an email. "The car is a critical tool in the ability of individuals to have personal autonomy and individuals should be able to go about their livelihoods without the registration authority distributing their private information to third party without consent. It's problematic that vast amounts of data on individuals are being shared in this way, which could be misused in malicious ways against vehicle owners."
Subscribe to our new cybersecurity podcast, CYBER.
TAGGED:PRIVACYDMVRON WYDENPRIVATE INVESTIGATORSDATA BROKERSPRIVACY INTERNATIONALEFFMARK WARNERDEPARTMENT OF MOTOR VEHICLES
Watch This Next
We Go Inside a Cybersecurity Firm to Find out What a Major Internet War Might Look Like
FROM VICE NEWS TONIGHT ON HBO
Subscribe to the VICE newsletter.
Your email
Subscribe
Tech by VICE
Bernie Sanders Says DMVs Should Stop Profiting From Drivers’ Personal Data
The comments follow Motherboard’s investigation into how DMVs are selling drivers’ data.
By Joseph Cox
Sep 9 2019, 2:23pm
IMAGE: ALEX WONG/GETTY IMAGES
Senator and Democratic Presidential candidate Bernie Sanders said that Departments of Motor Vehicles should not profit from drivers' personal information after a Motherboard investigation found DMVs across the country selling data to a wide array of companies, including private investigators.
“The DMV should not use its trove of personal information as a tool to make money. While the internet has been an enormous source for good, all that convenience and connection has come with a price: our privacy has been invaded in an unprecedented way, in a manner that would have been unthinkable even 20 years ago," Sanders told Motherboard in a statement.
Motherboard's investigation, based on hundreds of pages of DMV documents, found that the Wisconsin DMV had data selling agreements with over 3100 different entities, including around two dozen private investigation firms. The Virginia DMV has similar arrangements with 109 private investigators, the documents showed. Some DMVs make tens of millions of dollars from the sale of data, and multiple DMVs confirmed to Motherboard that they have cut-off access to certain companies after the data was abused.
"Nobody—from agencies like the DMV to large corporations like Facebook and Google—should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans," Sanders added.
Multiple privacy experts have called for the law that permits the sale of DMV data to private investigators—the Drivers' Privacy Protection Act (DPPA)—to be changed. Senator Richard Blumenthal told Motherboard in a statement that Congress should take action on the law.
"Americans rightly expect that government agencies entrusted with their personal information are taking necessary measures to protect their privacy. DMVs should not be in the business of recklessly selling drivers’ personal information to third parties. Federal privacy laws should never license the sale of private information to stalkers and disreputable private investigators. This deeply disturbing report underscores the urgent need for Congress and states to take action to vigorously enforce the letter of the law, and close any loopholes exploited by malicious actors," he said.
On Monday Senator Mark Warner told Motherboard in a statement “This is just another example of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. The standard talking point that consumers ‘don’t care about privacy’ has been increasingly disproven, as we learn that consumers and policymakers have been kept in the dark for years about data collection and commercialization practices."
Senator Ron Wyden previously told Motherboard that if the DMV data has been abused by private investigators "Congress should take a close look at the Driver’s Privacy Protection Act, and, if necessary, close loopholes that are being abused to spy on Americans."
Do you work at a company selling data? Do you know of an abuse of DMV data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Update: This piece has been updated to include comment from Senator Blumenthal.
Subscribe to our new cybersecurity podcast, CYBER.
TAGGED:PRIVACYDMVPRIVATE INVESTIGATORSEFFMARK WARNERDEPARTMENT OF MOTOR VEHICLESDATA ABUSEDPPA
Watch This Next
We Go Inside a Cybersecurity Firm to Find out What a Major Internet War Might Look Like
FROM VICE NEWS TONIGHT ON HBO
Subscribe to the VICE newsletter.
Your email
Subscribe
Tech by VICE
Senators Call on FCC To Investigate T-Mobile, AT&T, and Sprint Selling Location Data to Bounty Hunters
After Motherboard’s article, Senators Kamala Harris, Mark Warner, and Ron Wyden are coming out against telcos who are selling their customers' location data.
By Joseph Cox
Jan 9 2019, 1:27pm
IMAGE: ETHAN MILLER/GETTY IMAGES
On Tuesday, Motherboard revealed that major American telcos T-Mobile, AT&T, and Sprint are selling customer location data of users in an unregulated market that trickles down to bounty hunters and people not authorized to handle such information. In our investigation, we purchased the real-time location of a cell phone from a bail industry source for $300, pinpointing it to a specific part of Queens, New York.
The issue potentially impacts hundreds of millions of cell phone users in the United States, with customers likely unaware that their location data is being sold and resold through multiple companies, with even the telcos sometimes having little idea where it ends up and how it is used.
Now, senators and a commissioner for the Federal Communications Commission (FCC) have urged government bodies to investigate, with some calling for regulation that would ensure customers are properly made aware of how their data is being sold.
“The American people have an absolute right to the privacy of their data, which is why I’m extraordinarily troubled by reports of this system of repackaging and reselling location data to unregulated third party services for potentially nefarious purposes. If true, this practice represents a legitimate threat to our personal and national security,” Senator Kamala Harris told Motherboard in a statement.
The phone Motherboard paid to locate was on the T-Mobile network. That data access traveled through a complex series of companies and resellers, starting with T-Mobile, before moving to a another company called Zumigo, a so-called ‘location aggregator’. Zumigo then provided the access to Microbilt, which offers phone location services to the bail bondsman industry. In turn, a bounty hunter sold it to a source, and that source sent the phone’s location to Motherboard.
There are more legitimate uses for this data, such as financial companies detecting fraud, or roadside assistance firms finding stranded customers. But there is space for abuse: T-Mobile, Zumigo, and Microbilt only became aware of the unauthorized resale of the data access on the black market once Motherboard informed them.
The location itself was presented in a Google Maps interface, with the accuracy being around 500m. The phone received no warning, such as a text message, it was being tracked.
“This is just another example that of how unwitting consumers are to the ways in which their data is collected, sold or shared, and commercialized. It’s not that people ‘don’t care about privacy,’ as some have argued—it’s that customers, along with policymakers, have been kept in the dark for years about data collection and commercialization practices,” Senator Mark Warner told Motherboard in a statement.
Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Harris explicitly called on the FCC to investigate the issue.
“The FCC needs to immediately investigate these serious security concerns and take the necessary steps to protect the privacy of American consumers,” she said.
The FCC may already have that in mind. On Tuesday, commissioner of the FCC Jessica Rosenworcel tweeted “The FCC needs to investigate. Stat.”
“It shouldn’t be that you pay a few hundred dollars to a bounty hunter and then they can tell you in real time where a phone is within a few hundred metres. That’s not right. This entire ecosystem needs some oversight,” she added on MSNBC’s Velshi & Ruhle show on Wednesday.
“I think we’ve got to get to this fast,” she added. Because of the ongoing government shutdown, it is unclear when an investigation, if it went ahead, would start.
Multiple senators are calling on regulation that could curb this unauthorized use and sale of phone location data.
“Responsible federal agencies and the U.S. Congress should continue to hold hearings to shine a light on these practices, and look at regulations to ensure companies are actually upfront with consumers about whether and how their sensitive data is being used and sold,” Warner’s statement added.
Senator Ron Wyden recently proposed a bill designed to safeguard personal data.
“The industry has failed again and again to protect Americans’ information. It’s time for Congress to step in and pass strong privacy legislation, like my bill, to safeguard our data and hold companies accountable when they fail,” Wyden told Motherboard in a statement.
Beyond the tracking itself, and any potential legislation or investigations, is ultimately an issue of consent.
“I haven’t consented to this, and I bet you haven’t either,” Rosenworcel added in her MSNBC interview.
Subscribe to our new cybersecurity podcast, CYBER .
TAGGED:TECHMOTHERBOARDPRIVACYCYBERSECURITYRON WYDENSENATOR RON WYDENFCCKAMALA HARRISCELL PHONE TRACKINGMARK WARNERMICROBILT
Watch This Next
The Nightmare World of Gang Stalking
FROM HYSTERIA
Subscribe to the VICE newsletter.
Your email
Subscribe
No comments:
Post a Comment