Last Updated on November 26, 2018 by Dave Farquhar
Insurance companies are starting to offer discounts if you plug one of their devices, often called a RightTrack or Snapshot, into your car’s OBD2 port.
One of my college buddies asked me about them when his insurance company offered his family a 5% discount to plug these into their cars, which would then make them eligible for up to another 25%. Those are compelling numbers. So what are the potential drawbacks?
First, I’m not going to tell you whether you should accept or decline the offer. I’m only here to present the information I think you need to make an informed decision. I can’t decide for you. So far, I’ve opted not to, but the savings potential is tempting.
What they track
The insurance companies freely admit they track how far you drive and how well you drive. A driver who keeps a relatively constant speed will pay less money than a driver who drives aggressively, brakes suddenly and frequently, and accelerates suddenly.
That appeals to a lot of us. It feels good to know the guy who terrorizes rush hour traffic in that yellow Camaro by tailgating people and then cutting them off pays a lot more for insurance for being a jerk.
It also makes sense that someone who drives 50 miles a day round trip ought to pay more for insurance than someone who drives 5. Being on the road 10 times as much certainly seems riskier.
So what’s the catch? Yes, there’s a catch.
CAN bus and OBD2
This argument will make many eyes glaze over, but there are many things that are connected together on cars today that have absolutely no business being connected together. That’s what made it possible for Charlie Miller to hack a Jeep on I-64. So I’m not too wild about throwing a device from my insurance company into the mix. I know what the device is supposed to do, but I don’t know what else it can do and I don’t know how hackable it is. I do know it makes my car more hackable because it adds complexity.
To use another analogy, modern cars are like the Internet before firewalls. I’m old enough to remember those days, and it was a scary place. Car companies are starting to figure out there’s some bad stuff going on, but not all of them are taking a constructive approach to it.
It is completely possible to identify a person based on the way they type. It’s even easier to identify them based on the way they drive. The insurance company will know who’s driving and when. They will also know if somebody else is driving, for whatever reason, but they won’t know the reason.
I’m a computer security professional, so protecting data is my job. But I’m trained as a journalist, and I know incomplete data, especially without context, is incredibly dangerous.
Invasion of privacy
I have nothing to hide, so why should I worry about an insurance company tracking me?
That’s a very common sentiment in this age of surveillance. But in this case, someone you don’t know is making judgments about you. Here’s a real-life scenario from my neighborhood. One of my favorite bakery/sandwich shops is two doors down from a store that sells trashy lingerie. So, is Dave getting a sandwich, is he getting sugary baked goods, or is he at the lingerie store?
Someone is making that call, and making decisions based on that. And don’t think the insurance company isn’t selling that data to someone else. Buying and selling data is part of many insurance companies’ business model now. And the other companies who get that data will make their own judgment on it.
Will my health insurance rate rise because they think I’m eating doughnuts when I’m eating a turkey sandwich? Or will it rise because they think I’m promiscuous and what I’m buying isn’t for my spouse? (Maybe I’m getting her a sandwich too!)
Data without context is dangerous, and it’s incredibly easy to jump to the wrong conclusion if you only have part of the story. When all you have is GPS coordinates, a turkey sandwich can look exactly like an affair.
Now, there is other data that can exonerate me. If I’m paying with a credit or debit card, that answers the question about which store I’m in, and the purchase amount may even answer the question of whether it’s a turkey sandwich, a cup of coffee, or a box of cupcakes. But is whoever is making decisions about me buying that data as well and correlating it? There’s no guarantee.
That’s why I’m not a fan of metadata collection, regardless of who does it.