Dockless Mobility Pilots Let Cities Scoot Away with Sensitive Data
Written by Joseph Jerome
In Washington, D.C., a day hardly goes by where I don’t come upon multiple scooters parked on street corners, near park benches, or outside my apartment building. Lime, Bird, Spin, Skip, JUMP, and Lyft all have “dockless mobility” operations in the capital. These services generate a tremendous amount of data that could potentially improve transportation infrastructure – and early evidence suggests they are already offering new transportation services to underserved communities in Washington – and cities like Detroit and Los Angeles are racing to create new data standards to collect and analyze mobility data.
These efforts raise important privacy and security concerns that deserve further consideration as cities across the country launch dockless mobility pilot programs. Next door to D.C., for example, is Alexandria and Arlington, Virginia, which have started their own pilots. These programs are attempting to find answers to new liability issues, ensure scooters are made available equitably, and set expectations about the scale and timeliness of data being provided to local transportation authorities. The Los Angeles Department of Transportation (LADOT) is currently undertaking its own pilot program, and the Department’s program highlights some of the relevant privacy and security issues involved.
LADOT is asking for ongoing, real-time access to trip data for scooters. While the city has suggested it is “respectful of user privacy” because its data standard asks “for no personally identifiable information about users directly,” this sort of trip data by itself is highly revealing. As Justice Sotomayor has acknowledged, tracing people’s movements reveals information that is “indisputably private in nature,” including their intimate relationships and visits to health care providers such as abortion clinics or HIV treatment centers. Monitoring location data also reveals First Amendment-protected activities such as religious and political affiliation. In the wrong hands, this information can be used to stalk or harass riders, compromising their physical safety. Ride-sharing APIs have been abused for things like spying on ex-partners, and a 2016 Associated Press study found that law enforcement officers across the country abused police databases to stalk romantic partners, journalists, and business associates. The risk of harm from exposing this information is particularly high for survivors of gender-based assault and hate-motivated violence.
This type of data collection raises the specter of surveillance and warrants public discussion about what information must be made available to government officials and at what scale.
We also should acknowledge that scooter riders are likely to rely on their scooters for first- or last-mile transportation, taking it directly from their home and to their final destinations. This is different from car trips in cabs or Ubers that often begin or end some distance away from a user’s final destination. This type of data collection raises the specter of surveillance and warrants public discussion about what information must be made available to government officials and at what scale.
For this reason, CDT has written to the Los Angeles Department of Transportation, which is mid-pilot program, to ask them to provide more information to the public about the privacy and security protections it intends to put in place around this data. LADOT views itself as a leader in dockless mobility, but its guidance for handling mobility data is largely limited.
Building on our earlier work on government data demands, we’ve called on transportation authority to adopt clear and robust privacy and security safeguards. These policies should build off of longstanding Fair Information Practices, include appropriate access controls, and address the availability of mobility data to researchers. Specifically, we recommend that LADOT should (1) limit access to and use of mobility data for clearly specified purposes, (2) establish a reasonable retention and deletion policy, (3) clarify how this data will be secured or obfuscated to protect against breaches and minimize the likelihood of disclosure of identifiable data, and (4) better communicate these policies and information to riders and the public.
We believe that these pilot programs provide an opportunity for transportation officials to assess how they can achieve legitimate aims with thinking about how to minimize the amount and granularity of data being collected. Cities must also take careful stock of the types and sensitivity of data for which it is asking and determine whether each data type is necessary for enforcement or how information can be obscured to minimize privacy risks. It should also consider the granularity of location information it needs.
For cities to exercise true leadership in dockless mobility, they must establish policies and procedures that can be followed by cities with fewer resources and less technical capacity or expertise. We hope LADOT will take on this challenge, and we look forward to seeing how dockless mobility programs roll out across the country.