How much are insurance apps tracking? UWindsor study examines privacy risks

Electrical and computer engineering PhD student Hassan Rekabi Bana and PhD candidate Peiman Kheiran at the University of Windsor’s SHIELD Lab. (LINDSAY CHARLTON/University of Windsor)

By Lindsay Charlton

Many insurance companies offer lower rates to drivers who demonstrate safe habits — but what data is actually being collected, and how is it being used?

A new research project led by Dr. Mitra Mirhassani, professor of electrical and computer engineering at the University of Windsor, is examining the privacy implications of the mobile apps insurers ask drivers to install.

“These apps track driving behaviour, and the incentive for people is they often offer better rates if you drive within certain restrictions,” Mirhassani said. “We have no problem with that. The issue is they track and monitor your movements and may collect unwanted personal information.”

The work is supported by a research grant from the Office of the Privacy Commissioner of Canada and focuses on privacy protections in smart mobility systems.

“We targeted the insurance companies specifically for this project because a lot of people are downloading these apps to their phones without realizing what is being done with that information,” Mirhassani said.

PhD student Hassan Rekabi Bana said some insurers store information including the roads drivers take, their speeds and other behavioural data.

“A critical part is GPS data because it shows all the roads you travel on,” he said. “Insurance companies can store that data, and in some cases it can be shared with third parties.

“But in many cases, they don’t need all that information. For example, they may need to know if you travelled to the U.S., but they don’t need to know which border crossing you used. In our project, the border data is encrypted and the system compares your route internally. It can confirm whether you crossed the border without revealing your exact route.”

By creating this encryption system, Mirhassani and her team are building a wall between the insurance company and the driver — essentially giving the company an overall driving score without sharing the behaviour behind that score.

“The company looking at your information only sees complete gibberish. However, their AI can process the encrypted data, even though it has never seen the original information,” she said. “Once it releases the output, like a score, it doesn’t know what it replied to, making everyone except the user blind to the nature of the information.”

Mirhassani said the approach uses a well-known method called homomorphic encryption, which was once primarily theoretical.

“Now, we have actually created the demo, so we will encrypt the data, generate a score and return only the score the user achieved if they agree to release it,” she said. “No other information about driving habits or the pathways you took.”
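To make the idea of scoring on encrypted data concrete, the sketch below is an added illustration and not the SHIELD Lab's system. The article does not name the scheme used, so textbook Paillier (additively homomorphic) stands in, and the demo key, feature names, weights and counts are all assumptions constructed for the example.

```python
# Added illustration: toy Paillier scoring, not the project's own code.
import math
import secrets

# Constructed demo key from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                                            # public key
N2 = N * N
LAM = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)    # private: lcm(P-1, Q-1)
MU = pow(LAM, -1, N)                                 # private: LAM^-1 mod N


def encrypt(m):
    """Public-key operation: Enc(m) = (1 + m*N) * r^N mod N^2, r random."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            break
    return (1 + (m % N) * N) % N2 * pow(r, N, N2) % N2


def decrypt(c):
    """Driver-only operation: m = L(c^LAM mod N^2) * MU mod N, L(x) = (x-1)//N."""
    return (pow(c, LAM, N2) - 1) // N * MU % N


def score_encrypted(enc_counts, weights, base=100):
    """Insurer side: sees only ciphertexts, returns Enc(base - sum(w_i * x_i))."""
    enc_penalty = 1                                  # trivial encryption of 0
    for c, w in zip(enc_counts, weights):
        # Raising a ciphertext to w multiplies the hidden value by w;
        # multiplying ciphertexts adds the hidden values.
        enc_penalty = enc_penalty * pow(c, w, N2) % N2
    enc_negated = pow(enc_penalty, N - 1, N2)        # Enc(-penalty mod N)
    return encrypt(base) * enc_negated % N2


if __name__ == "__main__":
    # Constructed weekly counts: speeding events, hard brakes, phone-use events.
    counts = [2, 1, 0]
    weights = [3, 2, 5]                              # hypothetical insurer weights
    ciphertexts = [encrypt(x) for x in counts]       # all the insurer receives
    enc_score = score_encrypted(ciphertexts, weights)
    print("score released by the driver:", decrypt(enc_score))
```

Only the holder of the private values can turn the returned ciphertext into a score, which matches the release-by-consent step described in the quote above.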

“We also applied a method to reduce comparison time in our system,” said Peiman Kheiran, a PhD candidate working on the project. “After adjustments and finding the right balance, we significantly reduced processing time. That’s a major achievement.”

While privacy is often overlooked, it remains an important right that needs safeguarding, Mirhassani said.

“This data can open you up to fraud, identity theft or other damaging issues, and the fact is these companies don’t feel obligated to secure data once it’s been collected,” she said.

“All our information at one point or another has been stolen, possibly several times. With our method, even if our data stays on the company website and they are breached or hacked, the hacker will only see heavily encrypted information they won’t be able to understand.”

Mirhassani said the service will benefit users and companies alike by offering privacy and protection for both.

In addition to the encryption system, the project includes a public demo showing what data is collected, how it can be used and when it may be released.

“These findings will be shared with the Office of the Privacy Commissioner, and at the end of our report, we will provide actionable steps they can take and advise them on privacy law considerations,” she said.

Online resources will include webinars, discussions and infographics to provide reference material for both the public and professionals unfamiliar with privacy issues.