Allstate accused of quietly paying app makers for driver data

Insurance giant sued by Texas for using surveillance without consent to jack up premiums, deny coverage


Texas Attorney General Ken Paxton on Monday filed a lawsuit against Allstate Corporation and its mobile analytics subsidiary, Arity, alleging the American insurance giant conspired with mobile app developers to collect telematics data on millions of motorists without consent, in violation of consumer protection laws.

Allstate then allegedly used this data against those drivers to justify rate increases, deny coverage, or to drop coverage.

"Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software," said Attorney General Paxton in a statement. "The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable."

According to the complaint [PDF], Allstate paid app developers to integrate the Arity Driving Engine SDK, a software library that, as explained in the documentation, "enables a mobile app to detect, record, and score your end-user's driving behavior."

Mobile apps that implemented the SDK – Routely (now owned by Allstate), Life360, GasBuddy, and Fuel Rewards – are alleged to have collected:

Those apps – some named in prior privacy lawsuits over the sale of location data – initially request permission from users to access location data in conjunction with app features. "But after an app integrated the Arity SDK, if an app user allowed the app to access their location information for those same in-app features, the user was also unwittingly enabling Defendants to collect the Arity SDK Data via the Arity SDK," the complaint says.

Because the Arity SDK data alone could not reliably identify drivers, Allstate is alleged to have licensed the personal data available to the apps – first and last name, phone number, address, zip code, mobile ad-ID (MAID), device ID, and ad-ID – and to have combined the data sets to profile drivers.

Yet the use of this data, it's claimed, was misapplied. For instance, Allstate could not be certain that individuals surveilled through these mobile apps were operating a vehicle. Nonetheless, the detection of telematics sensor data that suggested erratic, careless driving would be held against users of these apps, even if they weren't driving.

"For example, if a person was a passenger in a bus, a taxi, or in a friend’s car, and that vehicle’s driver sped, hard braked, or made a sharp turn, Defendants would conclude that the passenger, not the actual driver, engaged in 'bad' driving behavior based on the Arity SDK Data," the complaint explains. "Defendants would then subsequently sell and share the data so it could be used to inform decisions about that passenger’s insurability based on their 'bad' driving behavior."

In one publicly reported instance of this last October, a man posting to the Roller Coaster Enthusiasts Club group on Facebook wrote, "My insurance company mistakenly believed I was driving my car when, in reality, I was riding the roller coaster The Beast at Kings Island. Those red dots indicate where the app incorrectly assessed my cornering and braking skills and lowered my driving score."

To improve the accuracy of its data, Allstate is alleged to have purchased info about drivers from car manufacturers, such as Toyota, Lexus, Mazda, Chrysler, Dodge, Fiat, Jeep, Maserati, and Ram – without the consent of those drivers.

In August, Paxton filed a lawsuit against General Motors, claiming that the car company has been unlawfully collecting data about drivers of its cars and selling that information to insurance companies.

The Allstate/Arity complaint goes on to allege that the privacy notices presented to app users failed to disclose the extent of data collection and sharing and inaccurately stated that Allstate and Arity "do not sell personal information for monetary value."

The companies are charged with violations of the Texas Data Privacy and Security Act, Data Broker Law, and unfair competition/deceptive behavior under the state insurance code.

An Allstate spokesperson told The Register, "Arity helps consumers get the most accurate auto insurance price after they consent in a simple and transparent way that fully complies with all laws and regulations." ®
