Connected cars as a revenue model for data brokers
This is the fourth article in our series on 'connected cars', or in other words, cars that transmit their data to the manufacturer. In this episode, we look at what happens to vehicle data after it reaches the manufacturer. A leading role is played by vehicle data hubs: data brokers who make their money trading vehicle data.
This piece in six points:
In recent years, out of sight of motorists, a major industry has blossomed: vehicle data trading. Globally, billions are involved.
Indeed, for the data generated by millions of connected cars, there is great tax demand. From insurers and advertisers, among others, but above all from fleet managers: small and medium-sized enterprises, car rental companies, leasing companies, and various authorities such as the police, fire brigade and hospitals.
Before data reaches such parties, it must first be 'smoothed out' and put into desired formats. That is what so-called vehicle data hubs: companies (mostly start ups) positioning themselves between manufacturers and end customers.
This third-party data brokers, among other things, receive unfiltered personal data and, while retaining as much commercial value as possible, usually redeliver it in aggregate. Geaggregated data, however, turns out not to be nearly as anonymous as assumed: who data originally belonged to can sometimes be traced.
The above refers to data generated by vehicles themselves. There is also a large market for data generated by 'boxes' or dongles. There is fierce competition between providers of such devices that are 'retrofitted' into cars.
The fact that a lot of vehicle data culminate in useful applications that road users themselves can benefit from, does not mean that as a motorist, you have to have your data must give up if you object. Refusing to do so is a right covered by the General Data Protection Regulation. But how many motorists read the terms and conditions and make it work to shield their data?
'Turn data around your car into cash now'. The exclamation mark is still missing but the exhortation is clear. It is the first thing you read on the German startup's website MyAutoData (MAUD). Stop letting different parties take your vehicle data without getting anything in return. Take matters into your own hands and, under 'ideal circumstances', earn up to $1,000 a year. That is the message MAUD has now managed to convince 12 million motorists in 25 countries of.
How it works. By exercising your rights under the General Data Protection Regulation (AVG), you let parties collecting your vehicle data know that they must stop doing so. You then install a dongle from MAUD in your car, which you pair with a corresponding app on your phone. From then on, via the app, you control entirely which vehicle data you share with which parties.
Although there is criticism of trading your own data on the principle that you should not (be able to) sell your privacy, MAUD's contrarian initiative is in many ways a significant improvement. If all the companies are after your data anyway, you'd better be in control of it yourself ánd get something out of it. Normally, this is hardly the case.
So what is usually involved? In Connected cars generate seas of data, our previous article in this series, we explained how vehicle data gets to car manufacturers. What happens to the data afterwards is the subject of today's article. The data fans out widely and ends up in the hands of very different parties. In addition to insurers and advertisers, for example, it mainly involves fleet managers: small and medium-sized enterprises, car rental companies, leasing companies, but also governments, the police, the fire brigade and hospitals.
In processed form, the data enable them to gain insight into the overall condition of their vehicles (ROB: repair, maintenance and tyres) to prevent maintenance problems, for example, and schedule service appointments for the right number of cars. This can save costs. However, it is far too expensive and complicated for these parties - especially large leasing companies that sometimes have as many as 20 to 30 brands driving around - and also for car manufacturers to enter into hundreds of separate contracts with each other. Moreover, they do not speak each other's 'languages'; everyone uses different data formats. There is a reason for this.
Data from cars is deliberately not standardised. Each manufacturer has its own data format; this way, others cannot access the meaning of the ones and zeros and are able to sell more services and parts within their own brand channel. On the other hand, they do not always make things easy for themselves either; as the data formats are different not only by brand, but sometimes also by model.
Vehicle data hubs
Here come the vehicle data hubs around the corner: companies that act as intermediaries and 'smooth' or 'normalise' the data by - simply put - running conversion tables on it. 68 degrees Fahrenheit from OEM A (an Original Equipment Manufacturer) and 293 degrees Kelvin from OEM B are converted to the 20 degrees Celsius desired by party C. Think of the data hub as a huge socket with all kinds of different inputs: one incoming plug has two pins, another has as many as three or five, there are USB connectors and micro-USB connectors, HDMI connectors and UTP connectors, you name it. On the other side of the socket, there is one uniform output.
Vehicle data hubs (data processors for short), like countless companies in countless sectors, work with application programming interfaces (APIs). An API enables communication between different (software) applications/programmes, in this case theirs and those of car manufacturers. APIs - which require continuous maintenance and updates - also allow customers of data processors to integrate data into their own apps and services.
Without vehicle data hubs, the vehicle data market would not take off, but which companies are we talking about exactly? This market is not very clear-cut, and new clubs with fancy names to. Reasonably well known are Wejo (British), Synaptiv (British), Caruso (German), High Mobility (German), Echoes (French), Targa (Italian), Crossyn (Dutch) and Carscan (South African). There is also a good number of Americans, some of whom operate in Europe and some not: Dimo, IMS, Lexis Nexis, CarConnectivityConsortium, CCC-X, CerebrumX, Mojio, Otonomo, Smartcar, Terbine (which focuses specifically on electric cars) and, for example, Verisk. This list is certainly not complete.
Almost without exception, these third-party data brokers futuristic websites, with statistics on the billions of 'data points' coming in daily from millions of connected cars, and slick infographics and videos showing what they are all capable of. Especially to get in the sights of (venture) investors. Broadly speaking, they all do the same thing: convert vehicle data into useful information and also offer a trio of 'solutions' for fleet management, smart mobility and car sharing, geofencing (excuse the English), efficient charging of electric cars, locating (stolen) vehicles, and whatnot (and there is a lot of it).
None of these parties has 'OEM exclusivity': car manufacturers always work with multiple data processors to serve the market. One-to-one relationships with individual motorists are usually not entered into by vehicle data hubs. Various other types of service providers within the automotive sector that build in boxes or dongles - of which there are many more, think TomTom and the ANWB, among others - serve both consumers and other companies.
There are several ways in which vehicle data can reach data processors (or other service providers):
- a car manufacturer sells vehicle data from its connected cars (privately owned or privately leased) to a processor, which resells the data anonymised and aggregated to interested parties;
- a processor requests access to vehicle data of a specific number of cars (a fleet) from a car manufacturer on behalf of a customer (e.g. a leasing company). When a fleet manager adds cars to its fleet, it delivers the VIN numbers (the vehicles' unique identification numbers) to its data processor, which then enters the numbers into its system. Once the relevant car manufacturer gives the green light for connection, the data stream comes to the neutral server of the data processor up and running;
- a processor (or other service provider) builds in a box on behalf of a customer - and outside the manufacturer - that collects data;
- a private owner (or private lease driver) installs a box in his own car, to purchase one or more services from a service provider.
In the last three cases, fleet operators and private owners deliberately purchase a service and it is clear to them that data is being exchanged. In the first possibility, this is usually not the case. The first two cases involve data coming directly from the car (Probe Vehicle Data), while later built-in boxes involve Floating Vehicle Data. Options one and four often take place simultaneously. For more information on Probe Vehicle Data and Floating Vehicle Data: see our earlier article Connected cars generate seas of data.
Competition between providers of boxes that are retrofitted or plugged into the OBD port is very fierce. In the Netherlands, there are about a hundred of them, from Accredis to FleetGo, and from TomTom to TrackJack. (These are also data processors in their own way, but not the vehicle data hubs that smooth vehicle data from different cars on behalf of fleet operators as described above.) Some of these service providers are for the purpose of trip recording by the Inland Revenue accredited and has a seal of approval. Trip registration was also the reason those boxes were introduced here about 15 years ago.
It is quite possible that dongles and boxes will eventually disappear. Vehicle data hubs also make use of them but, for several years now, they have started to focus more and more on the capabilities of Probe Vehicle Data coming from the Telematics Control Unit (TCU), which is basically a box already built into the car by the manufacturer itself.
Echoes (based in southern France, connection with 15 OEMs, provides services in 18 European countries) is an example of a company that works this way. The CEO of that company (Mathieu Chèbenit) previously worked as a software engineer at TomTom, where the business model is primarily about retrofitting boxes. Before entering the market with Echoes, he focused for about five years on developing technology that avoids the need for boxes ("Manage your multi-brand fleet without installing a third-party device"). In practice, that amounts to shaping a proprietary API that is as compatible as possible with those of car manufacturers.
With most data processors, it is difficult to find out whether or not they work with a box. It doesn't matter much either, but as far as Privacy First has been able to verify, at least CerebrumX, High Mobility, Smartcar and Targa, in addition to Echoes, have already gone the new way.
While all carmakers are launching connected cars and gathering data, they are not all building a professional business model around them to the same extent, and the extent to which they invest in the technology to connect to vehicle data hubs varies. By setting up dedicated data departments, some brands are leading the way in this regard, including General Motors (Connected Vehicle Platform), BMW (BMW ConnectedDrive), Mercedes (Mercedes-Benz Connectivity Services) and Stellantis, which with this year's established Mobilisights wants to make big strides in software- and data-related services. Those services should bring this parent company of 14 car brands EUR 20 billion in additional sales by 2030, according to its own expectations.
Major consulting firms such as McKinsey, Capgemini and the Ptolemus Consulting Group (who obviously have their own interests and are only too happy to advise car manufacturers) assume in rosy studies that the vehicle data market will be worth many hundreds of billions of euros by 2030.
For releasing (part of) the vehicle data, car manufacturers charge a monthly fee per connected car at vehicle data hubs. That could be four euros, but just as easily 15. It depends on the revenue model the brand has in mind, which in any case must recover the costs of installing the TCU, for the data connection to the cloud (the telecom subscription) and for storing the data (the server space).
The data processors pass that amount on to their own customers (as mentioned earlier: mainly fleet operators), and they charge on top of that a fairy for the use of their neutral server and the services they provide. Depending on the scope of those services, the amounts vary, from a single euro a month for some simple track and trace-options to around a tenner (or more) for tailored service.
There is no doubt: data hunger is everywhere. But what about riders' privacy in this whole story? First of all, a public discussion on mass data trading never took place. The technology was developed, a market emerged, and that market was soon stormed by startups smoking their opportunities. And the motorists? They often have no idea, even though this has been the practice for years.
They could have known, if they had read their car manufacturer's privacy terms and conditions. After which they could have chosen - via the dealer, the car manufacturer's website or the dashboard in the car - not to give the manufacturer permission to collect data and share it with third parties. They have that right - and other, related rights - under AVG. But then again, who reads the terms and conditions and who actually makes an effort to shield their data? People want to drive from A to B without any hassle and not sacrifice convenience. Besides, the belief that people have 'nothing to hide anyway' is persistent, although probably few would cheerfully agree if they were asked straightforwardly whether they would be OK with their locations and routes being structurally tracked - regardless of whether or not the manufacturer does anything with that information.
The fact that much vehicle data culminates in undeniably useful applications that motorists themselves can also benefit from (although those applications are not free and you de facto often pay for them twice: with your data as well as your wallet), in any case, does not mean that you have to use your data must relinquish if you object.
Personal Identifiable Information
Vehicle data hubs receive vehicle data, including personal data, raw and unfiltered. They all boast of complying with the AVG and similar legislation in other countries. Together with The Future of Privacy Forum, a major US NGO, data processor Otonomo even released a few years ago a Privacy Playbook for Connected Car Data out, containing nine recommendations to ensure the privacy of motorists.
For privately owned cars, processors anonymise and aggregate the data before reselling it to interested parties, preserving as much commercial value as possible. Personal Identifiable Information (PII) and the VIN number are then untraceable, at least on paper. However, exactly how the data is 'de-identified' and obfuscated is never disclosed. Otonomo explains in Otonomo's dynamic blurring engine does hint at its patented technology.
However, numerous studies show that aggregated data is nowhere near as anonymous as assumed. It is known that handy IT people who cut their teeth on aggregated data often go a long way in finding out who that data originally was, for example by making comparisons with other datasets that may be available. Using via-via data obtained from Otonomo, Otonomo found out Motherboard precise vehicle data from individuals in different countries. Before that, the same tech platform managed to distil 10,000 locations from free vehicle datasamples On Otonomo's website.
For fleet managers, the situation is different. They receive the data on the basis of the VIN number, giving them precise insight into mileage, maintenance status and any driving behaviour for each car. Privacy in the case of a leasing company, for example, is not so simple, because who does the data belong to? Does the odometer reading or maintenance interval say anything about the lease driver, or about the registered owned by the leasing company? Or both? And what if for once someone other than the usual lease driver drives the car, to whom does the data belong? To what extent can general wear and tear of a car when leased or rented be attributed to a specific customer, and does it or does it not involve personal data? Around these kinds of issues, there are guidelines from the European Data Protection Board (EDPB), which are on motorists' minds. In line with the AVG, the guidelines advocate data minimisation. The umbrella organisation Leaseurope ('The voice of leasing and automotive rental in Europe') added concerns at.
In any case, data minimisation is not in the DNA of vehicle data hubs and growth is the credo (although not every hub is equally commercially minded: some limit themselves only to serving fleet operators). See, for example, this one - aimed at investors internal presentation of Otonomo ('strictly private and confidential') from February 2021. That was before things went rapidly downhill for this Israeli company, which was acquired - with name retention - by US-based Urgently earlier this year.
In April last year, a BMW lease driver in California sued on behalf of others in part class action (mass tort claim) against Otonomo, alleging that the company without the explicit consent of riders and in secret real-time GPS locations of 50 million cars would be collected and sold. Otonomo, which states that motorists own their own data, got the judge to allow the claim rejecting it in January this year, but the plaintiff went ahead a month later on appeal. The case is ongoing.