The way you drive is surprisingly unique. And in an era when automobiles have become data-harvesting, multi-ton mobile computers, the data collected by your car—or one you rent or borrow—can probably identify you based on that driving style after as little as a few minutes behind the wheel.

In a study they plan to present at the Privacy Enhancing Technology Symposium in Germany this July, a group of researchers from the University of Washington and the University of California at San Diego found that they could “fingerprint” drivers based only on data collected from the internal computer network of the vehicle their test subjects were driving, what’s known as a car’s CAN bus. In fact, they found that the data collected from a car’s brake pedal alone let them pick the correct driver out of 15 individuals about nine times out of ten, after just 15 minutes of driving. With 90 minutes of driving data, or by monitoring more car components, they could pick out the correct driver fully 100 percent of the time.

“With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity,” says Miro Enev, a former University of Washington researcher who worked on the study before taking a job as a machine-learning engineer at Belkin. And the researchers argue that the ability to pinpoint a driver could have unexpected privacy implications: everything from letting insurance companies punish drivers who loan their cars to their teenage kids, to confirming the identity of a driver who violated traffic laws or caused a collision.

The ability to identify a driver based on a car’s data may not seem like the creepiest privacy invasion. But the fingerprinting study, Enev argues, should serve as a more general warning to car owners about the sensitivity of the data that travels across their vehicles’ internal networks. The same data that tells their insurance company when they’ve let their 16-year-old kid take their car to prom might just as easily be used to identify drunk driving or a medical condition that’s altered someone’s driving ability, tests Enev claims would actually be simpler than trying to distinguish a driver’s identity.

In fact, drivers are increasingly sending that sensitive data to the cloud with gadgets like Hum, Vinli, Automatic and Zubie, designed to be plugged into their cars’ CAN networks via the OBD2 port under the vehicle’s dashboard. Other OBD2 devices are offered by insurance companies, like Progressive and Metromile, in exchange for lower rates, giving those firms access to a car’s wealth of digital output. And as cars become increasingly connected to the internet, driving data may also be uploaded directly by cars themselves, as Tesla already does. “To me the whole concern is more about the risk surface that’s exposed by these continual sensors, and the fact that not many people are thinking about this,” says Enev. “Instead they’re just giving this data from their car to third parties.”

