A new report shows that the DMVs (Department of Motor Vehicles) in many states are taking full advantage of the modern information economy, and they’re making bank doing it. The data we’re required to hand over by law in order to qualify for a driver’s license is being used for very different purposes than you likely intend. Specifically, it’s being sold to private investigators.
That’s the result of a major Motherboard investigation into how DMVs are using the personal data of the citizens they supposedly serve. Like a lot of companies these days, DMVs sell data. Insurance companies buy some of the data, but much of it is being sold to other sources, like private investigators. Such data is apparently popular for surveilling cheating spouses, and the same private investigators that advertise such services are apparently major purchasers.
Multiple DMVs stressed that they don’t sell social security numbers or photographs, as if this represents some kind of meaningful protection. Some contracts with these investigators are for bulk searches; some are targeted searches. The cost per search is as low as $0.01, and these contracts can run for months at a time.
“The selling of personally identifying information to third parties is broadly a privacy issue for all and specifically a safety issue for survivors of abuse, including domestic violence, sexual assault, stalking, and trafficking,” Erica Olsen, director of Safety Net at the National Network to End Domestic Violence, told Motherboard in an email. “For survivors, their safety may depend on their ability to keep this type of information private.”
All of this is perfectly legal, thanks to the Driver’s Privacy Protection Act, which was passed in 1994. While that law was specifically intended to increase the protections surrounding DMV databases, it included specific carve-outs for private investigators. Granted, the text of the law states that private investigators are only allowed to access these records for a “permitted” DPPA use, but apparently that’s not an issue.
The exact data sold varies from state to state, but it typically includes at least a name and address. Other data, including zip codes, phone numbers, date of birth, and email address are also included depending on the state. The DMV also sells data to credit reporting companies like Experian and LexisNexis. Delaware has arrangements with more than 300 entities. Wisconsin has more than 3,000.
Why are DMVs going down this road? Money. Delaware brought in $384,000 for itself between 2015 and 2019, while the Wisconsin DMV brought in $17M in 2018 alone, up from just $1.1M in 2015. In Florida, the DMV made an eye-popping $77M just in 2017. The contracts with various DMVs explicitly state that the purpose of these agreements is to generate revenue, and the states are aware that some of the information they sell to third-parties is abused. Whether their controls for catching and locking abusers out of these systems are adequate are an entirely different question.
It is long past time for the United States to pass better privacy laws. There is absolutely no justification for the current free-for-all. There is no standard for how data-sharing agreements should be overseen. Local investigations have found that Florida is selling data to marketing firms, not just private investigators, and some citizens have been hit with an onslaught of robocalls and spam as a result. Florida sells data to Acxiom, one of the largest data brokers in America. Acxiom is not a PI firm, just in case you were wondering. Citizens who have been slammed with robocalls, direct mail, and even door-to-door salesman showing up at their homes as a result of this relentless data-selling have no recourse. There’s no one to complain to, there’s no way to get taken off the lists, and there’s no way to prevent their own data from being endlessly sold. Robocalls have become such an epidemic, people now actively avoid answering the phone unless they know the number of the person calling them.
People often ask questions like “Why should I care if someone sells my data?” but don’t connect the question to the fact that they get 15 robocalls a day. Sexual assault and domestic violence survivors may not have those kind of options. But privacy shouldn’t be a right that depends on whether someone is threatening to harm you physically. Privacy should be the default state, particularly when it concerns the government organizations virtually all of us are required to interface with.
If you ever drive in the United States, you must have a driver’s license. Just as with credit reporting agencies, none of us get any choice in the manner. The legal system allows states and the federal government to create effectively mandatory standards because it recognizes that doing so helps ensure the safety of everyone. But if the legal system is going to require that citizens submit data to the federal and/or state government for licensing and registration purposes, it ought to simultaneously require that said data is kept private and only accessed under strictly controlled conditions. The idea that people “opt in” to these practices simply by existing has been stretched past the breaking point. It’s time for a change.