Joseph Cox reports for Vice.com, Sept 6, 2019, that Departments of Motor Vehicles (DMVs) across America are making tens of millions of dollars a year by selling drivers’ personal information to thousands of businesses, such as insurance and tow companies, as well as to private investigators (PIs).
Vice‘s tech section, Motherboard, has obtained via public records request hundreds of pages of documents from DMVs laying out this practice.
The data sold varies from state to state, but it typically includes the driver’s name and address; in some states, the data can also include the individual’s 9-digit ZIP code, date of birth, phone number, and email address. Some DMVs insist they do not sell social security numbers or the drivers’ photos — small consolation!
The personal records can cost as little as $0.01 each. Some of the data access is done in bulk, while other arrangements allow a company to lookup specific individuals. Contracts between the DMV and a buyer can roll for months at a time.
In an email to Motherboard, Wisconsin PI Rob Namowicz admitted that he buys DMV records to get driver’s license information “on subjects I may be investigating.”
Below is a screenshot of a Virginia DMV document showing some of the private investigators (PIs) with whom the DMV has data-selling agreements:
Motherboard did not obtain records from DMVs in all states, but below are three DMVs that have sold data to private investigators:
- The Virginia DMV has sold data to 109 PI firms.
- The New Jersey Motor Vehicle Commission has sold data to at least 16 PI firms.
- The Delaware DMV has data sharing agreements with at least a dozen PI firms.
- Wisconsin has around two dozen current agreements with PI firms.
The data selling is not limited to private investigators. DMVs also sell the personal data of drivers to other businesses. As examples, the Delaware DMV has direct access agreements with around 300 non-PI businesses, while the Wisconsin DMV has current agreements with over 3,100 non-PI entities. Those non-PI businesses include:
- Consumer credit reporting companies, such as Experian.
- Research company LexisNexis.
- Bail bonds firms and bounty hunters.
- Car repo firms: Valerie McGilvrey, a skiptracer who tracks down vehicles that need to be repossessed, told Motherboard that “with Texas having no repo license and minimum standards, convicted felons can and do access professional databases.”
DMVs are making a lot of money from the sale of your personal data, which they admit is to bring in revenue. A document from the Indiana Bureau of Motor Vehicles reads: “This is a revenue generating contract.” Some examples of the money generated by selling drivers’ personal data:
- The Rhode Island DMV made at least $384,000 selling personal data between 2015 and 2019.
- The Wisconsin DMV made some $1.1 million selling driver records between 2015 and 2019.
- The Florida Department of Highway Safety and Motor Vehicles made $77 million in just 2017.
Not only are the DMVs’ selling of drivers’ personal data an invasion of privacy, it is also a safety issue. Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email: “The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking. For survivors, their safety may depend on their ability to keep this type of information private.”
The practice is also subject to abuse.
“Multiple” DMVs told Motherboard access to drivers’ personal has been abused in the past—likely by customers using the data in a way that they were not authorized to do. Asked if the DMV has cut off access to data buyers after abuse:
- North Carolina DMV communications manager Binta Cissé wrote in an email: “Yes, it has been done before.”
- Florida Department of Highway Safety and Motor Vehicles deputy communications director Alexis Bakofsky said the agency had revoked access after abuse: “Since implementing the new controls in 2017, the department has cancelled three MOUs [memoranda of understanding] with requesting parties for misuse. Additionally, while there was no indication of misuse, the department proactively cancelled two MOUs with requesting parties for failing to provide adequate internal controls.”
- Spokespeople from the Virginia DMV and the New Jersey Motor Vehicle Commission also confirmed those agencies have cut-off access after abuse of data.
- Only the Indiana Bureau of Motor Vehicles said it has not had to terminate contracts because of abuse.
Incredibly, the sale of drivers’ personal data to licensed private investigators is perfectly legal, due to the Driver’s Privacy Protection Act of 1994 (DPPA), which was created after a PI, hired by a stalker, obtained the address of actress Rebecca Schaeffer from a DMV. The stalker went on to murder Schaeffer. The purpose of DPPA was to restrict access to DMV data, but it included a wide range of exemptions, including the sale of DMV data to private investigators.
Marc Rotenberg, president and executive director of privacy activism group EPIC, told Motherboard: “The DPPA is one of several federal laws that should now be updated. I would certainly reduce the number of loopholes.”
H/t Activist Post