Recently, the time came to renew my insurance premium for my auto insurance on the three cars of our household. Rather subtly, my carrier emailed me the new rate while conveniently leaving out the fact that it raised said rate by nearly 40% over the last premium. Like any savvy consumer, I first requested to negotiate the amount. My insurance agent responded with a drab bit about how inflation was “99%” of the cause behind the cost increase. She then dutifully instructed me that “as the operational costs for businesses rise, adjustments in pricing become necessary to ensure their sustainability. This is an unfortunate consequence of the evolving economic landscape.” Indeed. Out of curiosity, I took a look at the company’s annual and shareholder reports. It turns out that since 2020, the company earned a net profit of over $2 billion USD and had raised its shareholder dividend every year for most of the last two decades (including during this time of allegedly high inflation). Nevertheless, in allegiance to furthering her corporation’s “ailing” bottom line, she advised that I could download the company’s “safe driving app” to receive a “discount.”
Notwithstanding that the discount hardly dented the premium increase, I also decided to explore this mobile application my resolute corporate soldier hawked. First, everyone should maintain deep skepticism of any mobile application they download to their phone. Google’s Play Store, for instance, is notoriously bad at blocking or removing malicious apps, particularly those masquerading as legitimate ones. In 2022 alone, Kaspersky detected 1,661,743 pieces of malware or unwanted software installers in the Play Store. They admit the number is almost certainly higher. Second, and more nefariously, companies increasingly hide from users, or at best only vaguely disclose, what data they collect through their apps and what they subsequently do with it, particularly in the app description on the Store. I examined 500 popular apps on the Store (10,000 or more downloads). Among them, I found fewer than 15 that explicitly define what they are allowed to collect and what they purport to do with it. To find that information often requires a studious search of the internet.
So, in light of my agent’s “helpful” suggestion to download the company app to receive my “discount,” I took a deep dive into how their application operates, what data it collects, and who it gives/sells it to. As corporations tend to heft their weight—to protect their moral corruption—by suing little people like me for unmasking their deceptiveness (or downright malfeasance), I am going to offer a little legal disclaimer here first. Everything I have to say about this application is either from information reported elsewhere, or from my own testing and research. It is my opinion based on the evidence available to me. Download and use (or don’t) at your own risk.
The application I examined is Allstate Insurance’s “Allstate Mobile” application. On the Google Play Store, it received more than 5 million downloads—unsurprising for a company with a multi-billion dollar profit margin (despite its alleged suffering from crushing inflation)—and is ranked 4th among all insurance companies for total underwritings in the USA. Across 102,000 or so reviews, it received an average rating of 3.9 stars out of 5. This is rather deceptive, though, because some of the 4-star reviews noted that that “safe driving” portion of the app operated rather poorly. One 4-star reviewer wrote, for example, that “I've been out of my car, two blocks away, sitting at a table and when I opened my phone it was still recording a trip. When I logged in to touch ‘end trip’ it marked me as having used my phone that trip.” In other words, the app marked this reviewer as driving while using his phone—a demerit toward his discount. Another 4-star reviewer stated, “The app keeps crashing since the update. I can't use it at all.” I am not sure that we all interpret the value of stars in this rating system in quite the same way.
Many of the complaints, in fact, turned on the dysfunction of the app in properly recording its safe driving. This is interesting, I would note, given that that feature of the app is its chief selling point to many consumers. In another review (also, mystifyingly, 4-star), the writer complained that many of their trips go uncredited (thereby reducing the metrics for the discount). Allstate’s response to this review was rather quaint from a technical viewpoint. Someone who dances to the corporate tune as deftly as my agent told the consumer:
We want to reward your safe driving! Here are a couple tips to ensure trips are recorded: 1. Allow Location Access “Always” and 2. Keep battery charge greater than 25%. Also, be sure you are using the most up-to-date version of the Allstate mobile app. For additional troubleshooting, tap ‘Profile & Settings’, ‘Drivewise’ then ‘App Diagnostics’.
There are some noteworthy trinkets in that response. First, location access must be set to “always.” Why does an app designed to measure the quality of your driving need your location to be set to “always”? Wouldn’t a permission allowing access when “in use” suffice? Second, the technician told the consumer to ensure the app was up-to-date. Does Allstate’s app not auto-update, or at least notify the user that the app is out of date and may not work properly? If not, this is a significant security flaw. Third, one should take a step back when a technician tells you your last-ditch solution is to run the (apparently faulty) app’s diagnostics. These are not features of a well-designed application.
Many, many consumers reported that if they use their phone—you know, for phone stuff—within a short enough time after completing a trip in the Allstate app, it marks them as using the phone while driving. I don’t know how many in total reported this because I stopped counting after a lot. If these reports are true, and there is no reason to believe otherwise, this is deeply suspicious because—again—this is the main feature by which consumers save money (in exchange for giving away an abundance of privacy). In the random cases Allstate responded to these complaints, they either recommended the app diagnostics method or asked the consumer to send even more private information, this time about their specific device. I wonder how many saw any correction in their discount.
Allstate’s app seems functionally tenuous, so let’s talk about privacy. To begin, on the Play Store, Allstate is quite vague about its security. It states only that “Your data is transferred over a secure connection” and is encrypted. I am led to wonder… how? What encryption? Is it using TLS 1.0, 1.1, 1.2? Why so vague? Without downloading the app, it is impossible to know. And even then, for the average consumer it will remain impossible to know. How can one assess the privacy of an application without any knowledge of its security protocols?
To this point, the app is already unappealing and it becomes even less so when you investigate what data it collects and for what purported purpose. On the Play Store, Allstate provides the following data categories: Location, Personal Info, Health and Fitness, App Activity, App Info and Performance, and Device or other IDs. Red flags are waving.
Location
While it lists this as an “optional” permission, I noted above that to use the Drivewise feature (that which earns the so-called “safe driving discount”), Allstate technicians want you to allow this permission “always.” Curiously, Allstate’s stated purpose for collecting location data is “App functionality, Developer communications, Advertising or marketing.” The safe driving discount amounts to little more than a ploy to procure detailed data about where customers go with which it can sell consumers more things—and potentially sell their data elsewhere, but more on that below.
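On Android 10 and later, the "always" setting corresponds to the `ACCESS_BACKGROUND_LOCATION` permission, so the location access an app is able to ask for can be read from its manifest before it is ever run. The following is an added example, not code from the app or from the original post: it assumes the manifest has already been decoded to text XML, and the manifest shown is constructed for a hypothetical app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FINE = "android.permission.ACCESS_FINE_LOCATION"
COARSE = "android.permission.ACCESS_COARSE_LOCATION"
BACKGROUND = "android.permission.ACCESS_BACKGROUND_LOCATION"

# Constructed manifest for a hypothetical app; not taken from any real APK.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.drivetracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <application>
    <service android:name=".TripService"
             android:foregroundServiceType="location|dataSync"/>
    <service android:name=".UploadService"/>
  </application>
</manifest>"""


def audit_location(manifest_xml):
    """Summarise the location access a decoded manifest lets an app request."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            perms.add(el.get(ANDROID_NS + "name"))

    declared = perms & {FINE, COARSE}
    if not declared:
        level = "none"          # no foreground location permission declared
    elif BACKGROUND in perms:
        level = "always"        # the "Allow all the time" choice can be offered
    else:
        level = "while-in-use"  # location only while the app is in use

    if FINE in declared:
        precision = "precise"
    elif declared:
        precision = "approximate"
    else:
        precision = None

    # Services typed "location" may keep collecting fixes behind a notification.
    services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if "location" in (svc.get(ANDROID_NS + "foregroundServiceType") or "").split("|")
    ]
    return {"level": level, "precision": precision, "location_services": services}


if __name__ == "__main__":
    print(audit_location(SAMPLE_MANIFEST))
```

The manifest only shows what an app can request; what the user actually granted is visible in the phone's per-app permission settings.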
Personal Info
Allstate collects the following categories of personal information according to the Play Store description. It labels all of these as optional, but it is hard to imagine how one would even use the app without providing at least some of these: Name, Email address, User IDs, Address, and Phone number. In other words, how does an app mounted on your phone work without knowing the phone number? The company proclaims its reasons for collecting these data points are variously: Developer communications, Advertising or marketing, Account management, and App functionality.
Health and Fitness
The description of this data is all but useless. I will just give a screenshot:
What in the world does that even mean? Fitness info for app functionality?
App Activity
Here, the description on the Play Store is also hopelessly vague. App activity is defined as “App interactions” and “other user-generated content.” In short, everything you do on the application.
Privacy Statement
The description on the Google Play Store, though legal in the USA, represents a fundamental problem in the US legal landscape when it comes to data and privacy protections. To read what Allstate actually intends to do with user data, and what data that includes, you must navigate to the webpage: http://www.allstate.com/about/privacy-statement-aic.aspx. What the company shares about its privacy practices in the Google Store—the place where people are most likely to read it—cannot even be called a summary. It is simply useless. For comparison, here is a list of data the company actually collects or maintains the right to collect from any app user:
Personal identifiers: Name, alias, signature, postal address, phone number, date of birth, unique personal identifier, online identifier, email address, internet protocol (IP) address, state identification card number, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
Personal characteristics: Age, race, ancestry, national origin, citizenship, religion, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information) and other descriptions of your physical characteristics (e.g., height).
Commercial information: Service or product related information including policy coverage information, premiums, account name, policy number, payment history, claims history, records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies, account log-in, bank account number, credit or debit card number, other payment or financial information, health insurance information, driving record, credit information, medical history, or family member information. If you use the Allstate Digital Footprint℠ feature, we will also access emails in your inbox.
Biometrics and multimedia information: Fingerprint, voice print, retinal print, scan of hand or facial geometry, audio, electronic, visual or similar information.
Internet or other electronic network activity information: Browsing history, search history, information regarding your interaction with our website, application or advertisement, links you use or web pages you visit while visiting our site or applications, browser type, internet service provider (ISP), cookies, and mobile device information including device identifier or other information.
Geolocation data: Physical location, movements, or trip tracking information.
Professional or employment information: Employment history, union membership, some contents of mail, e-mail and text messages on company devices, applications or communication platforms.
Education information: Education records, grades or transcripts.
Inferences: Inferences drawn from any personal information collected to create a profile reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.
Sensitive Personal Information: Some personal information we collect is defined under the law as sensitive personal information. Sensitive personal information we collect includes Social Security number, driver’s license number, state identification card number, passport number, customer account log-in, financial account number, debit card number, credit card number in combination with any required security or access code, password, or credentials allowing access to an account, precise geolocation information, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric information used for identification, personal health information and sexual orientation.
Let me draw your attention to some specific ones:
gender identity, gender expression, genetic information (including familial genetic information), fingerprint, voice print, retinal print, scan of hand or facial geometry, browsing history, search history, physical location, movements, racial or ethnic origin, religious beliefs, union membership, education records, grades or transcripts.
This insurance company essentially claims the right to collect and retain any and every single piece of information it can get its hands on about its customers, irrespective of the relevance that data has to underwriting an insurance policy.
Now, further down in the privacy statement, Allstate wants you to rest assured that it “do[es] not share personal information for cross-context behavioral advertising as defined under California law.” It goes on, “We may share your personal information with our affiliates for business purposes.” As two advertising executives noted, the California law referenced here does not clearly define whether its restriction is limited to the “entity that is targeting and delivering the ad” or any business associated with the research, production, or dissemination of behavioral advertising ads. In other words, with the ambiguity in plain sight, users should be skeptical of Allstate’s use of the phrase “business purposes,” as the company can likely twist that phrase into any meaning it likes.
Indeed, still further down in its statement, it inexplicitly defines what it deems “business purposes”:
provide marketing and advertising, email or other communication services
provide services that support our online activities including providing tracking technologies, web hosting and analytics.
In addition to the above, it further states:
We may share personal and other information with third party online and other marketing and advertising partners or permit these partners to collect personal information from you directly on our Sites to personalize online advertising. We may share personal information with other financial institutions or other companies with whom we have a joint marketing agreement. [Emphasis added, though maybe I should have bold-faced the whole thing.]
It also notes that with those tracking technologies mentioned above, the company can “Identify and contact you across multiple devices” to “plan for and enhance our Sites.”
That’s an extraordinary amount of information and a very free-wheeling claim about how the company claims its right to use it. Or put another way, basically all of your information is Allstate’s to do with whatever it wants, in the company’s view. Now, of course if you do business with a company you have to provide some of this data to complete the transaction, but a mobile application attached to a personal cellphone collects far more information than a person could ever think to give away, let alone do purposefully. And this company—an insurance company—maintains the right to collect it all and essentially do whatever it wants with it.
To circle back to the beginning, in light of this nefarious dragnet of data-vacuuming, you would expect the company to at least expend as much time and space on its website about how it protects it. Right? Here is everything the company has to say about that:
Protecting your personal information is important to us. We use a combination of reasonable technical, administrative, and physical safeguards to protect your personal information. However, no website, mobile application, database or system is completely secure or "hacker proof." So, we cannot guarantee its absolute security. You are also responsible for taking reasonable steps to protect your personal information against unauthorized disclosure or misuse.
We limit access to your personal information to those who need it to do their jobs. We comply with all applicable federal and state data security laws.
“Reasonable technical” safeguards. That the best it can offer is that nothing is “hacker proof” suggests to me that their security is terrible. Naming specific protocols is not making oneself vulnerable to “hackers,” but failing to name even one makes me wonder if anyone at the company can, in fact, name one—specifically their cybersecurity people, if they have any. As a comparison, read the Signal app’s security protocol specification available on its website (hint, it is pages long).
Allstate is not the only company doing this of course, nor are they the first or the last. But this is a clear example of how lawmakers in the USA (and so, so many other jurisdictions) are failing their constituents. While Allstate may have a lawful cover for doing business this way, they most certainly lack a moral one. This company is literally profiting billions of dollars, yet it cannot contrive more than a single, vague paragraph about how it secures millions of users’ data, nor can it provide any rational explanation for why it consumes some of the categories of data it collects. Many sizeable boycotts have hit the news lately, predicated on “culture war” type issues that affect a tiny sliver of the population at most. Meanwhile, companies increasingly treat consumers as the commodity themselves, while lying to or at least cleverly obfuscating this from those same consumers. They are double-dipping consumers by forcing them into engaging with these applications by artificially raising prices then offering discounts. This enables them to profit off of their actual product (here, insurance) as well as to profit off a treasure trove of personal information that, arguably, they have no right to possess. Where are the boycotts or protests about this egregious practice?
***
I am a Certified Forensic Computer Examiner, Certified Crime Analyst, Certified Fraud Examiner, and Certified Financial Crimes Investigator with a Juris Doctor and a master’s degree in history. I spent 10 years working in the New York State Division of Criminal Justice as Senior Analyst and Investigator. Today, I teach Cybersecurity, Ethical Hacking, and Digital Forensics at Softwarica College of IT and E-Commerce in Nepal. In addition, I offer training on Financial Crime Prevention and Investigation. I was a firefighter before I joined law enforcement and now I currently run a non-profit that uses mobile applications and other technologies to create Early Alert Systems for natural disasters for people living in remote or poor areas.
This is amazing. This is scary. Thank you for the amount of work that you put into this when you're doing so many other things in this world. I can't believe they can get away with this. I can't believe our government isn't sticking up for us and stopping this crap.