Finding Solutions to Privacy and Security Challenges in the On-Demand Economy

Getting around when traveling has never been easier. Open up an app on your phone, set your pick-up location and enter a destination, then within minutes you’re on your way to the fabulous restaurant you booked online. This is just one example of the emerging “on-demand” economy, where people offer their services and are accessible when you need them.

Many of the companies that are pioneers in the “on-demand” space are proving popular around the globe, but as these companies enter into traditionally regulated spaces, questions about the user privacy and security are cropping up – for both providers and consumers. Importantly, these companies often have far more data on consumers than traditional entities. In the example above, a traditional taxi dispatcher might have some information, but they are unlikely to know your travel history in other cities, have sensitive information like your phone number, or know your most frequent destinations.

As a result of this mass amount of new data, a number of vital questions must be addressed. What do civil agencies do with your data when regulating companies? How can we protect security in an era of seemingly constant data breaches? Can we balance privacy and transparency when promoting necessary regulations?

To help answer the most pressing privacy and security questions posed by the emergence of the on-demand economy, CDT has written a paper, Data in the On-Demand Economy. In the paper, we dissect a number of existing regulatory proposals aimed at technology companies in highly regulated markets, and then provide specific guidelines for agencies and regulators looking to craft effective regulations. The paper builds on our numerous previous writings where we outlined our privacy and security concerns of specific proposals, while praising initiatives that promote regulatory goals that protect users.

Some of the key points we make in the paper include:

• Government regulation is necessary to promote safety, non-discrimination, and equal access. Just because a company is a new player in a highly regulated space doesn’t mean that it shouldn’t be subject to the same laws as existing players.
• Many of the traditional Fair Information Practice Principles should apply to regulatory data requests. In particular, agencies should only collect necessary data — in an age where companies need to collect location data and financial information in order to operate their services, transmitting all the data associated with an individual account could be overbroad and irrelevant to a particular government use. Agencies should also proactively specify what use it plans for specific data sets, limit backdoor sharing, and detail de-identification and security standards designed to protect individuals.
• Agencies should decide how open data requests will be handled. Improperly redacted data sets have already led to re-identification issues when released through open government requests. If agencies plan to collect consumer data, they need to implement programs designed to protect consumers when the public exercises its right to know about government programs. Balancing privacy and transparency is of critical importance in this space, as is responsibly promoting the public debate around issues raised by the on-demand economy.

As proposals continue to percolate in state and local governments throughout the country, CDT will also continue its engagement on these issues, with the goal of promoting appropriate regulatory oversight and consumer protection – while also protecting individuals against overbroad data mandates. Hopefully this paper serves as a solid foundation for future regulations and policies.