If you drive in Canada, you’re probably aware that auto insurance in this country ain’t cheap. And, if the complaints voiced by everyone from politicians to users in the gnarlier reaches of Reddit are anything to go by, it’s clear that high premiums are the result of a system that needs change.
How much your auto insurance costs is based on how likely your insurance company believes you are to make a claim. For critics, the problem with this system is how insurers determine a driver’s level of risk. While companies tend to hand out cheaper rates to drivers with cleaner driving records, the way in which they also factor in demographic data (a driver’s age, sex, and location) can often skew rates — often much higher than would seem fair.
Those who shoulder the costs of this system — good drivers — have long known that this is a problem. And it seems some insurers agree.
In early July, the Canadian Automobile Association (CAA) launched MyPace — an insurance option in Ontario that uses telematics to lower premium rates for people who don’t drive very often. MyPace tracks a driver’s car usage and rewards certain driving habits with lower insurance rates.
CAA sees MyPace “as taking your traditional auto insurance and really modernizing it, and giving those choices and control back to consumers,” said Matthew Turack, the company’s president, before the program’s launch.
Because MyPace charges drivers based on how many kilometres they drive, the less they drive, the more likely they are to save up to hundreds of dollars a year in premiums, Turack says. All you have to do is install a device in your car to track how many kilometres you’re racking up. But are lower premiums really worth giving up that information?
It depends on the driver, but understanding what you’re giving to insurers is important before you agree to accept a telematics device.
Ann Cavoukian has some opinions on this matter. And, as a matter of fact, “control” is something that she’s interested in, too. Cavoukian was the Information and Privacy Commissioner of Ontario until 2014, and, as of 2017, has been heading the Privacy by Design Centre of Excellence at Ryerson University in Toronto. And when it comes to telematics, or any technology that extracts stores of data from its customers, she’s cautious.
“Privacy is all about control,” Cavoukian said. “It’s not about secrecy; it’s not about having something to hide. It’s about people being in control of how their information is used, and to whom it’s disclosed.
“That’s the message we have to get out to insurers and others.”
So, what exactly are the privacy risks of a telematics device like the one prescribed by MyPace? And are they enough to offset the benefits of the program? We talk to Turack and Cavoukian to find out.
How it works
CAA bills its MyPace program as the first of its kind in Canada: a type of auto insurance where drivers “pay as they go”.
Drivers are initially charged a base rate, and then billed again for each 1,000 km increment they drive. When a driver exceeds 9,000 km, they automatically get kicked out of the program and are charged a traditional rate instead.
The people who would benefit most from this program, says Turack, are those who don’t drive very much at all — but are still charged the same premiums as drivers who rack up far more mileage. “CAA MyPace is simply about really rewarding those drivers who drive low kilometres,” Turack explains.
To join the program, drivers have to install a telematics device in their car. The device collects several pieces of data about the driver, starting with — but not limited to — the number of kilometres the car has been driven; additional information that the device extracts include the locations that the car has been in, the trips that the car has taken, and information about the vehicle’s health, such as battery life.
Turack clarifies that CAA will not draw on this data to assess a customer’s risk levels. And, for the MyPace program, the only data that will be actively used by the company is the number of kilometres the customer has driven, so that the customer can be billed accordingly.
So, what’s the point of collecting all that additional information if it’s of no use to the CAA? Turack says that it’s for the customers to use themselves. The information can be accessed via the CAA app or through a web portal that customers would have to sign into.
“We felt that it was good information that the consumer can have,” Turack says. “They may want to see their journeys, they may want to know what’s happening with [their] vehicle, and be very proactive in terms of vehicle health, in terms of safety moments.
“The data is actually the consumer’s data,” he adds. “We’re stewards of the data.”
What are the risks?
Cavoukian doubts that insurance companies like CAA have any plans to exploit their customers’ data. But, the fact that the information has been collected at all, and exists somewhere in the material world, makes it exploitable — and that’s what makes her concerned.
“What I’ve noticed in my business — I’ve been in privacy [for] over 20 years — it’s always the unintended consequences that come down the road,” she says. “You create personally identifiable data, collect it for a particular purpose — the primary purpose here is to reduce insurance rates by demonstrating how much you drive or how little you drive.”
But what if, for example, “law enforcement comes knocking with a warrant? They [the insurance companies] would be required to hand the data over to the police.”
Telematics devices are not the only technology that poses this risk, of course. Every time you use Facebook, Instagram, or even just your web browser, someone, somewhere, is collecting data about you and your habits; Internet of Things devices, like FitBit and Google Home, are doing the same.
This data isn’t necessarily being used; Cavoukian describes such data as “data at rest”. But its existence — a result of our increasing desire and willingness to break our lives down into quantifiable pieces of information, and to collect it — means that it could potentially be used in one way or another. And many of those ways could actually harm you — like if a hacker decided to grab your personal data and steal your identity, or if an employer wanted to find a reason to dismiss you.
“The primary purpose [for an insurance company to collect their customers’ data] is never the issue,” Cavoukian explains. “It’s always the secondary uses of the data that arise later on, which nobody thought of, which drivers haven’t consented to — that’s where the problems arise.
“So I would tell these insurance companies to address the potential harmful effects of secondary uses. How are you going to deal with that?”
How can insurance companies protect your data?
But Cavoukian is not ruling out telematics altogether — especially if it could save Ontario drivers money.
“I always say it’s not privacy versus business interests,” she says. “It’s privacy and. As long as privacy’s embedded into the process by design… then you can have the benefits of having the data protected and the utility arising out of the program.”
So, what exactly does she recommend? First and foremost, there’s transparency — and CAA already seems to be ahead of the game.
“You have to be very transparent when people sign up for [a telematics program],” Cavoukian says. “You say, ‘here’s the data we will be collecting, that will enable us to charge you less.’ And spell it out. So ‘we collect how many kilometres you drive, what time of day’ — whatever it is. The person consents to that.”
The second thing that insurance companies need to consider is how they’ll deal with potential “secondary uses” of their customers’ data, Cavoukian continues. If they’re besieged by a cybersecurity attack, what will they do? If law enforcement arrives with a warrant, what policy will they have in place to make sure their customers are protected?
Lastly, Cavoukian says that insurance companies need to take other preventative measures — primarily by embedding privacy protections into their telematics technologies.
“You want to identify the risk upfront, build in the necessary protections, prevent the cancer, the privacy harms from arriving,” she insists. “As opposed to the existing system, which is one of regulatory compliance, which is after the fact — after you have a privacy infraction or a data breach.”
Cavoukian has a word of advice for drivers, too.
“I always tell people — look,” she says. “Privacy is not a religion. You want to release your information, be my guest. As long as you do it knowingly, and it’s your choice. That’s what it’s all about.”