Hacker News new | past | comments | ask | show | jobs | submit login
Vermont’s DMV has been selling personal data to private companies since 2004 (vtdigger.org)
229 points by Keverw 12 days ago | hide | past | web | favorite | 85 comments

Florida made $77 million in 2017 alone in selling its DMV data to bill collectors, data brokers, marketing firms, and insurance companies.


They hardly made any money. That's only 4 dollars per resident. That's ridiculous. I'd rather they just tax me another 10 dollars than give away my information without consent.

Don't give them ideas or they might just do it. And then sell your data anyway.

Not all residents drive.

But in any case, I doubt many people would think $4/yr for info that's probably already available.

Nitpick: the comparison should be to the number of residents that get an official state ID through the DMV, not drivers, and the former is a lot closer to the total >15-year-old population than drivers would be.

(At least, if Florida is like a typical state DMV, which issues the state ID cards that may or may not have a driving endorsement.)

Could you give me your past addresses, dob, any names you've had, ...?

Also, numerous states (I assume Florida is one of them) are hell bent on "real id" laws to control access to the polls, so essentially this is a "we will sell your data unless you choose not to vote".

It also ignores that total impracticality of relying on public transport in many parts of the US - it's frequently not available at all, frequently delayed even when it is present, and is often absurdly slow (like 15-20 minute drives becoming more than an hour), and can be extremely expensive.

> Not all residents drive.

That's why I bumped it to $10.

Wouldn’t insurance companies have a legitimate need for DMV data like verifying the insured driver has a license?

There are systems for this use case in place. They don't involve selling data in bulk however.

They probably lose money. They sign contracts so prevent unpaid sharing of identity data outside of law enforcement.

Other state entities buy this data back from information brokers.

There was a follow up by the VT Governor on this. He instructed the DMV to stop the practice for at least private investigators.

Federal law requires some of this information be for sale to insurance companies, trucking companies, others.


> Federal law requires some of this information be for sale to insurance companies, trucking companies, others.

man, that is incredibly f*cked.

I don't know how the laws are structured but there is a legitimate need for information to flow both ways between automotive insurance providers and State DMVs.

In many States, like GA, Insurers must report vehicle coverage changes to the State. If you get pulled over, Police Officers do not need to ask for insurance cards and can cite you for lapsed coverage.

At the same time, insurers want to know for liability purposes all drivers list at policy residences and when a driver's license is suspended.

Perhaps that information should be free with stipulations on how it can be used.

>At the same time, insurers want to know for liability purposes all drivers list at policy residences and when a driver's license is suspended.

What they want is irrelevant, and what they need is not-this. They'll find out someone's license is suspended when a coverage event happens, and that's it. Similarly, the police will know your license is suspended before insurance is in question.

There's simply no need to be proactive about getting that information because there's no risk to them for not knowing. Same with addresses and pretty much everything else not on an application for insurance at the outset.

I simply don't see how "liability purposes" fits.

There are numerous ways it can play out depending on the way each state structures their liability laws but imagine your child turns 16, you forget or "forget" to add them to your policy, and they are involved in a serious accident.

In some states the insurance company is on the hook because everyone at a residence is covered under the policy unless listed as excluded. The insurance company has no way to collect on any premium uprate that might have occurred had you listed them on the policy. And they might have recourse to come after you. And they could cancel your policy.

In other states the insurance company could retroactively cancel your policy for failure to list a driver leaving you with the liability from the accident.


Insurance companies use your driving record to determine premiums. Trucking companies use driving records to determine who they are going to hire/fire.

The article doesn't specify, but in those cases, there should be some form of informed consent.

I don't want Geico pulling my record unless I request a quote. They should be barred from doing so unless I explicitly grant permission.

I don't want Schneider International pulling my record unless I'm interviewing for a job. They should be barred from doing so unless I explicitly grant permission.

That's how it works here in the EU - if your job needs a record of (the lack of) any prior convictions, they can't just request/buy it from the police. You have to get the official form that lists that information, then give it to your employer.

It doesn't matter one lick if some company needs some bit of information. The government's role shouldn't be to spy on you on behalf of corporations.

Which is fine, but I was addressing the comment I was replying to, which basically discounted the entire concept of DMVs selling driving records to insurance companies and trucking companies as "fucked."

I mean, the fact that they're _selling_ it per se is also fucked -- the notion that data about me is something the state sells (not a thing that the state charges a fee to access, like some public records) is a pretty dismal concept.

What's the difference between "selling" and "charging for access?"

Possibly nothing, but in this context, to me, "sell" means sell for a profit, while "charge for access" means charge just enough to cover hosting/admin costs. For something like getting my address or driving record, that's possibly the difference between $5 and $20 per request (total guesses).

I suppose it's the difference between "you downloaded this page to your RAM" and "you downloaded this file to your hard drive", plus how "access" means you're given a license to the data, and "selling" means you now own it as property.

Why? Do you want a driver without a CDL or endorsements driving a hazmat load?

Perhaps it’s time for a federal privacy law if even local governments want in on the analytics action.

Devil's advocate, why not let Vermonters vote in their own privacy law for their own government?

At the risk of getting too political on HN, the knee-jerk reaction to national (sometimes even international) solutions for every problem is tiresome and unwise.

Some problems necessitate that, but most do not, this being one of them.

I can't find the source, but I read a strong argument about the difficult of moving between nations, states, and municipalities, and the conclusion was that the more localized the legislation, the greater freedom people have. "Vote with your feet"-type deal.

The only time I have ever heard of people moving somewhere because of laws is rich people moving to save on taxes. I have not personally known a single person who has actually voted with their feet on issues like this. Maybe I'm an outlier on that, but anecdotally it just doesn't seem like a real thing in practice despite it being a common theory. I would guess that is especially true on something like privacy which is likely very few peoples top priorities when choosing a place to live.

Many people move because of taxes, government programs, cost of living, education, social norms, housing, transportation, job opportunities, etc.

All of these are directly or indirectly influenced by policy.


Would you move purely because of a DMV privacy policy? No, probably not. But the basic principal of being able to choose your government by your location is sound.

At the extreme local level, consider HOAs. Their presence certainly influences people's choice to live there.

Almost all the things you listed that in my experience actually motivate people are indirectly influenced by policy. The things that are directly influenced by government action like government programs rarely seem to have an impact (taxes can be an exception like previously mentioned).

>Would you move purely because of a DMV privacy policy? No, probably not. But the basic principal of being able to choose your government by your location is sound.

But doesn't that last sentence invalidate the first? If no one actually moves based off privacy law, the idea of allowing people to choose their own privacy law through voting with their feet is pointless in practice.

I don't think HOAs are a good comparison because it is trivially easy to move a couple blocks within a city in comparison to moving to a different state or country. Also a lot of problems within HOAs stem from interpersonal conflicts and not fundamental differences in political ideology.

> it is trivially easy to move a couple blocks within a city in comparison to moving to a different state or country

Exactly. Extreme example of how the more localized we can keep politics, the better people can choose their government.

> If no one actually moves based off privacy law

A. Just like employment, there is a totality of factors to consider.

B. That should tell you how important it is.

> Also a lot of problems within HOAs stem from interpersonal conflicts

Have you ever seen state or national news?


I'm suggesting that as a rule, it's best to localize policy when possible.

Even if you disagree with the principal of "vote with your feet", there is still the point of how unnecessary it is to have 300 million people reach a consensus on DMV operation, when all you really need is the couple million it actually affects.

>Exactly. Extreme example of how the more localized we can keep politics, the better people can choose their government.

Using this logic, why doesn't every block in the US have their own local government? The reason is that these things don't scale linearly and that some decisions need to be made on a large scale in order to be practical. You can't have individual blocks creating their own privacy legislation and expect companies to be able to meet every law in every jurisdiction. There is a reason you have probably gotten dozen of "We have updated our privacy policy" emails over the last two months and that is because of the CCPA. Are we supposed to go through that process every time any individual municipality adjust their laws? Coming to a consensus on a singular approach to something like that is much more efficient even if large groups of people are unhappy with the final law.

I never claimed that every problem is best solved at the neighborhood block level.

I think Vermont DMV is best solved at the Vermont level.

Poor people move for Medicaid or housing. If you have a chronic condition in a state that doesn’t offer optional services, it may make sense to move to a state like NY that offers them. At one time, the county social services folks would offer you a bus ticket to help you on your way.

Housing is a similar issue, if circumstances call for subsidized housing, it’s often easier to move to a big city like NYC.

Schools are another big reason. If you have kids and live in place with poor governance like Kansas, you’ll likely benefit from moving.

There are also snowbirds who return to northern states for medical reasons, usually due to different policies.

I know several people that have moved because they got fed up with hyper local governance. They moved out of an HOA.

Non-American here. What's an HOA?

Its a private association formed when a residential subdivision is developed. It sets up rules that the owners must follow in maintaining their homes. No junk in your front lawn. You might need to get prior approval for changing the outside of the house. Often times there is a monthly fee that goes towards landscaping or common amenities like pools. You agree to these terms when you acquire the home and subsequent buyers must do so also. After most of the homes are sold, the homeowners elect a board to run the association. Sometimes the members of the boards can be power hungry and vindictive. The homeowners can all vote to end the association at some point so older single family homes tend not to be under an HOA.

Homeowner association. They tell you the color you can paint your house, if your mailbox has a chip in the paint they can fine you and if you don't pay lose your house, a major story where a proud military veteran wasn't allowed to fly an American flag, someone got in trouble over the color of their swing set they bought for their kids, etc.. You pay a monthly fee to them. Some provide services like a pool, clubhouse, some are gated, etc... Some like them, some don't like... Probably depends on the community but some are over reaching. Some even try to tell people it's illegal to have satellite television service too, because they think the dishes look ugly but the Over-the-Air-Reception Devices (OTARD) law overrides that.

I'm not really a huge fan of HOA's personally, but maybe if I was a millionaire with a mansion some are nice, but some HOAs are just regular people with like 100K home values. So not only do you have the city telling you what you can do with your property, you have people who couldn't get elected to a real city government telling you what you are allowed to do with your property on top of what the city and state says.

Right now the only HOA I think I'd want to live at is the Golden Oaks one, which is a real estate development at the Walt Disney Resort, but not rich enough yet for that... Can dream I guess haha. One of the Walmart executives has a house there though, so super wealthy people. I think a lot of it is just vacation homes, but I'd like it year around. But only because of the location and being a huge Disney fan, otherwise I hate HOAs in general but maybe some other areas I might be a fan but in general I rather live without one... So many HOA horror stories online. but if I was some millionaire, living in a gated community I think I'd feel safer.

>I'm not really a huge fan of HOA's personally, but maybe if I was a millionaire with a mansion some are nice, but some HOAs are just regular people with like 100K home values.

I would worry more about neighbors who don't keep up their property in a neighborhood of cheaper homes than a neighborhood of millionaires.

In the last year I moved out of Washington state in response to the passage of 1639[1] and other similar laws. Unfortunately I will likely be paying more taxes now since the state I moved to has an income tax while WA did not. I can agree that it is probably uncommon to move in order to be away from one particular law, but I doubt it's too uncommon for people to move to an area that shares a more common political worldview.

1: https://en.wikipedia.org/wiki/Washington_Initiative_1639

As a member of the LGBT community, there are entire states I will not move to until they fix their legislation/legislators. I also will never move back to PA because of their filial responsibility laws.

But I think this is one of the problems which requires a national solution (or for small countries an international solution). Look at the EU where many of the member countries had their own privacy laws, some of them stricter than the GDPR, but until the GDPR few cared about privacy laws, not even all government agencies in did. A unified privacy law at the EU level got a much higher rate of adoption than the previous mesh of local laws.

Yeah but with other states and countries saying their privacy laws applies outside of the border, seems like a bunch of duplication and conflicting laws. Kinda insane as soon as you put something on a server, you are expected to comply with laws all over the world. For example School Districts in Ohio are suing Facebook for selling ads to a charter school that went out of business.

If someone from California buys a summer house and registers a car to keep in Vermont to garage there and never drives it to California, I wonder if California considers Vermont violating their new privacy law since no opt-out but wonder if they could really enforce it on Vermont anyways. Seems like uncharted territory, but I know some companies have said they plan to follow the sticker privacy laws even if you live outside of California or Europe since it's easier to developed processes that way.

Seems like privacy law in the US is all over the place. One for banking, one for children, one for education, one for health, one for email marketing and then laws scattered all over the different states. Then I think there's even a specific law about library books checkout history too. So seems bad for startups or even mid size companies to keep up with it, especially if states start saying it applies even if you don't have a office in California.

Then if you have a service, legal requests for peoples data you have to handle and the more popular you are, the more common people might misuse your services. For example drug dealers were using Sony Playstations to communicate with each other and then Jussie Smollett for example, Google has to hand over a year of Gmail relating to the hoax he pulled(Maybe he talked to others using Gmail when planning it), but I think if he was a European citizen then providers have to decide to break US or European law, but some stuff is as clear as mud. I feel in that case they'd follow the warrant and deal with breaking European law as I don't think they'd have much choice as a catch 22.

So even if you are trying to do the right thing following the law - maybe even helping get a dangerous criminal of the streets, so many conflicting privacy laws and different agencies responsible for different ones too. Not sure though if Europe has gone after any companies for handing over data to a foreign government relating to a valid legal request where they have offices or data centers but seems you could be screwed either way when trying to decide how to handle the conflicts. Then there was a case involving Microsoft, just because you are a US company if you keep servers anywhere in the world the US can subject them to requests. So sounds like a mess for a company to decide how to handle these edge cases where things conflict, so standardizing on one would help give businesses clarity. Maybe even treaties too.

In theory, yes, CA can sue VT in that case. There is precedent for states suing states: https://www.law.cornell.edu/constitution-conan/article-3/sec...

Sometimes companies form separate legal entities in each region or country so they can deal with each in isolation.

Yeah but not sure how that works if the parent company is US based, since the US says legal requests even applied to foreign servers in that case. Since large companies have servers all over the world. Then with the cloud and globally accessible services, hard to isolate I think unless there were separate Facebook for each country where you can't friend your friends from Europe if you are in America. Just seems like a mess, but the big companies have enough lawyers to deal with this stuff and advice on conflicts but seems a blow to startups.

I am arguing for GDPR. Corporations and local entities will exploit workarounds if privacy policy is a patchwork across jurisdictions (imagining all servers in the country moving to Arkansas because their privacy laws are non-existent or absent). National standards and federal enforcement are the only way to guarantee consistency.

If you can afford to move

If access to healthcare weren't tied to employment, it would be a lot less risky to move.

Right. And moving between cities is easier than moving between states which is easier than moving between countries.

So the more local the policies the lower the barrier to choose them.

It's unclear if a Federal law dictating what states can do with information would even be constitutional. This is not a power enumerated to the Federal government in the Constitution.

Seemingly, the Commerce clause gives the fed's near unlimited power.

I wonder how many DMVs do this. I bet its way more than people think.

I went to a tire retailer website and they were able to look up make/model car by having me put in my license plate number. I thought that was pretty creepy - if that have that, what else do they have?

Probably more than you think.

There are private networks selling near real time location data from LPRs. There are probably physical retailers that can map you from the cash register to your vehicle.

In the UK the make (i.e BMW) and the colour is public information.


If you’re in Washington State, chat up the DoL clerk the next time you renew your tabs. They’re not a government office, and they’ve been legislated to only make a couple bucks off of each tab or plate.

If memory serves they make more money off the convenience fee for paying with a credit card than they do off of the licensing.

They basically don’t have a way to turn a net profit. This is exactly the sort of situation that would make someone sell customer data.

I think the situation that makes the DMV sell their customer data is privatization of the DMV. Why should the DMV have to turn a profit? If they weren't at some point turned into a profit seeking entity, there would be no motivation to make money off their customers personal info.

Indeed, that’s probably the bulk of the problem.

Although we also have police depts padding tickets because some of the revenue comes back to them. You put a measure on anything and people will game it.

Wonder what other states have done privatization... I know I was reading in Texas, driving schools are allowed to give you your driving exam, so you can do the written test online and the driven test with the same driving school you bought your lessons from. I thought that was kinda cool and unique. So be useful if you are an adult who never got their license but don't really have any family or friends to let you use their car for a test. I know someone who refuses to let their adult child have a driver license as long as they still live at home because they fear a rise in insurance rates due to their age. I think i'd be cool if high school had driver ed again like in the old days.

> I know someone who refuses to let their adult child have a driver license as long as they still live at home because they fear a rise in insurance rates due to their age.

That was my situation. I didn't get a license until I was 22, a month or so before I moved out (and the move was planned when I did).

there is no motivation to keep data secret. What we need, is some serious liability for heads of agencies or companies that lose or sell it. Then they will be motivated to keep data secret like it should be. Something reasonable, like 10 years in jail for each piece of data lost/sold without consent. That'll motivate them

I think that's a bit draconian, sounds like a way to ensure only the Facebook's and Google's of the world hold a monopoly as I could see that to discourage entrepreneurs and new startups.

Ok. Then perhaps confiscation of 10% of personal net worth?

It NEEDS to hurt, else it will just be considered a "cost of doing business"

Maybe a little better... I guess if you are a young startup and broke then nothing to lose? If you don't own a house or much in the bank...

But I feel these breaches also make the compaines look bad, so bad PR I think is a big hurt. However at the same time you have no choice to be included or not with some things. Like with LexisNexis or Equifax, since as far as I know I can't tell them to delete all my info and as far as I know I never consented to them having my data.

> DMV officials say the vast majority of the revenue comes from insurance companies and businesses who buy information about their employees’ driving histories.

> However, the department has also allowed law firms, private investigators and out-of-state corporations to buy or access personal information about Vermont drivers, including where they live, the cars they drive, their driving records and their criminal histories.

None of that strikes me as improper, with the exception of maybe out-of-state corporations, and in that case, it would depend on what the corporation was and what they intended to use the data for. Whether the data remains in possession of the corp after its original intended use (and for how long) and whether it is kept only for the original stated use or made available to other portions of the corp for other purposes would play into whether I considered that in improper or not.

IOW, the case of selling data to corporations is gonna be a case-by-case "it depends".

As for insurance companies and private investigators, I think it is right and proper that such entities can look up things like address, criminal history, or vehicles owned. While it seems that every entity gathering up any and all possible data about people will claim that all of the data gathered serves a legitimate business need, in the case of entities like insurance companies or investigators, I think that claim is more likely to be true than not.

I am surprised that VTdigger would report this, since they typically side with the state instead of the individual, and aggressively solicit donations from unions & corporations that profit from the corrupt status quo in Vermont. The executive director is a corporate fascist who worships the state and censors like crazy: the board routinely breaks their own posting rules to permit or remove comments in accordance with their political agendas. Pointless whining is always welcome, but hard facts and practical solutions are prohibited. Here's an example of censored comments from the current article:

> "We don’t just let anybody have it."

Smith is obviously lying here: if the data is so easy to get that nearly 800 companies already have it, there is simply no way to monitor & regulate what is done with that data. Some of these companies are false fronts, and the data is being used for criminal purposes — including fraud & industrial espionage. The public should refuse to support the governor in the next election until he prosecutes Smith for every stolen record in the DMV database. I recommend that we offer him a deal: 20 years in prison for a guilty plea, versus a life sentence for a quarter million deliberate violations of the fourth amendment (which amounts to high treason.)

> Federal law requires DMVs to provide driver information to government agencies, and sell it to certain businesses...

The correct phrasing here would be "federal policy", not "federal law": A federal statute or regulation which violates the federal constitution is not law. The powers of the federal government are enumerated in Article I, and all other powers are reserved to the states by the tenth amendment. When the states created the federal constitution they did NOT create a federal police jurisdiction within the states. The federal government has no lawful authority to demand personal information on state residents, or dictate state DMV policy.

Illinois DMV definitely sells names and addresses. They misspelled my name in a very unique way on my drivers license once, and I’ve received junk mail to that name ever since.

Did you ever present that license to anyone though? It could have been them that sold your info. e.g. concert venues who scan licenses, etc. Not that I doubt the DMV did it!

No, I noticed the error while walking out of the DMV and went back in line to have it corrected. The physical card never left the premises!

There are a bunch of websites with this information available for a very small fee.

It's incredible you can find names, addresses, phone numbers, emails, properties, cars owned, etc.

Most of the questions asked for identity verification are useless if so much information is effectively public.

And then there are soft credit checks...

My impression is that there is a huge blind spot in americans regarding these things, they not only don't care but are hostile to anyone pointing the problems.

I don't see this improving in the future.

What other States allow their DMV to do this?

Pretty much all of them. NY DMV shares information with the private, foreign company running the 407 toll highway in Toronto. Canadians from other provinces have better data protection that prevents such sharing.

Most of them do, I believe.


I know MN and WI do.

I believe most states do this. Or least, Vermont is not unique.

Public information for sale:

> The database shows where people live, what cars are registered to them, whether they have criminal records, and their driving histories.

> The only information it won’t provide on any condition is driver medical information and Social Security numbers, according to DMV officials. Photographs are also not for sale.

As is every other DMV. Also voting records. Chalk it up to bankrupt state governments.

California does too.

I wonder if the new california privacy law allows you to opt out somehow.

Pretty much all states sell this data. It's vital for auto insurance companies to be able to get up-to-date driving records for policy quotes.

The issue isn't for insurance companies (where there is consent).

> “Nobody — from agencies like the DMV to large corporations like Facebook and Google — should be profiting from sharing or selling personal information without meaningful consent. Congress must get serious about ending practices that violate the privacy of ordinary Americans,” Sanders said.

When my bank wants my 1040 for refinance request, I fill out a form allowing the IRS to release it to them. No reason the DMV couldn't do the same. If an insurance company wants my info, I can fill out and sign a form allowing the DMV to release the info to them. Else, they don't need it!

So for quotes, that's one query. What justifies the rest?

If it means a pleasant experience at the DMV... sign me up.

I like you, you’re funny.

A pleasant experience at the DMV... hahaha!

Some of this is necessary, I think. When you get an auto insurance quote, companies like ChoicePoint (LexisNexis) are what provide driver history (accidents, violations, insurance fraud info, etc).

So it's not like they're Google/FB/Amazon using this data for ad purposes.

Obviously, not all of the money comes from carriers like this, but I wanted to point out that some of it is legit.

What's to stop those same insurance companies from using it for marketing purposes?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact