Insurance company accused of using secret software to illegally collect and sell location data on millions of Americans

Insurance company Allstate and its subsidiary Arity unlawfully collected, used, and sold data about the location and movement of Texans’ cell phones through secretly embedded software in mobile apps, according to Texas Attorney General Ken Paxton.

Attorney General Paxton says the companies didn’t give consumers notice or get their consent, which violates Texas’ new Data Privacy and Security Act.

Arity would pay app developers to incorporate software that tracks consumers’ driving data in their apps. When consumers installed these apps they unwittingly downloaded that software, which allowed Arity to monitor the consumer’s location and movement in real-time.

Using this method, the company collected trillions of miles worth of location data from over 45 million people across the US, and used the data to create the “world’s largest driving behavior database.”

Allstate then used the covertly obtained data to justify raising insurance rates, according to Attorney General Paxton. Allstate is accused of not just using the data for its own business, but also for selling it on to third parties, including other car insurance carriers.

Location and movement data is valuable for insurance companies when they are preparing a quote. By having insight in the driver’s behavior, they can offer a rate that covers the risk better.

Car manufacturers are known to be selling similar data on to insurance companies. Last year, Attorney General Paxton sued General Motors (GM) for the unlawful collection and sale of over 1.5 million Texans’ private driving data to insurance companies, also without their knowledge or consent.

Privacy violation aside, these companies don’t always keep the data safe. Just last week we spoke about a breach at data broker Gravy Analytics, which is said to have led to the loss of millions of people’s sensitive location data.

Back to the Allstate case, the Texas Data Privacy and Security Act (TDPSA) requires clear notice and informed consent regarding how a company will use Texans’ sensitive data. That is something which Allstate allegedly failed to do.

In the press release, Paxton states:

“Our investigation revealed that Allstate and Arity paid mobile apps millions of dollars to install Allstate’s tracking software. The personal data of millions of Americans was sold to insurance companies without their knowledge or consent in violation of the law. Texans deserve better and we will hold all these companies accountable.”

Protect your location data

Sometimes apps ask permission to use your location data and you find yourself wondering, why does this app need to know where my phone is?

This is one possible reason.

Whenever you are asked to share your location data with an app and there’s no clear reason why you might need to, deny the app that permission.

If you have to share your location—for example, when using a map app—choose the “Allow only while using the app” option, so that it will be unable to continuously track your location and movement.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.