Comments to LADOT on Privacy & Security Concerns for Data Sharing for Dockless Mobility
Seleta Reynolds, General Manager
City of Los Angeles
Department of Transportation
RE: Privacy Considerations in Dockless Mobility Pilot Program
Dear Ms. Reynolds:
The Center for Democracy & Technology is a nonpartisan, nonprofit technology policy advocacy organization dedicated to promoting digital privacy, free expression, and individual liberty. CDT works to develop and promote balanced public policy that encourages new technology while empowering consumers to make informed choices about sharing their personal data online.
We write to urge the Los Angeles Department of Transportation (LADOT) to further evaluate and implement safeguards for its data sharing requirements for dockless mobility (DM) permit holders. The current Mobility Data Specification (MDS) gives LADOT access to highly sensitive and potentially identifiable location information, both historically and in real time to a greater degree than the existing General Bikeshare Feed Specification (GBFS). LADOT must take seriously the risks to privacy and security this data collection poses. The department should ensure that the data collection is justified by legitimate needs, appropriately limited to serving those needs, and protected by privacy and security safeguards that respect the Fair Information Practice Principles (FIPPs).
Location information is among the most sensitive data, especially when collected over extended periods of time. People’s movements from place to place can reveal sexual partners, religious activities, and health information. The U.S. Supreme Court has recognized a strong privacy interest in location data, holding that historical cell site location information is protected by the Fourth Amendment warrant requirement. As explained below, even de-identified location data can be re-identified with relative ease.
LADOT must take deliberate steps to protect this highly sensitive information. The department has recognized the need to protect the privacy of MDS data and has taken the important step of classifying the data as “confidential” under the City’s Information Handling Guidelines. However, LADOT should further clarify how it will safeguard MDS data, including how long it will retain the data; the specific purposes for which the data will be used; and how the department will limit access and use to those specific purposes. Further, LADOT should use the current pilot period to determine how it can achieve its legitimate needs while minimizing data collection. Taking rider privacy seriously will help Los Angeles lead the way for other cities adopting similar pilot programs.
I. The MDS raises significant privacy and security concerns.
LADOT has acknowledged that user privacy is an important consideration in the DM pilot program, but the MDS raises serious privacy issues that warrant further attention by regulators and the public. The MDS will result in detailed, real-time trip data being collected, analyzed, and stored through the DM pilot program. This information is without question valuable to the city, but it also presents a detailed map of the individual riding habits of residents of Los Angeles.
As Justice Sotomayor has acknowledged, tracing people’s movements reveals information that is “indisputably private in nature,” including their intimate relationships and visits to health care providers such as abortion clinics and AIDS treatment centers. Monitoring location data also reveals First Amendment-protected activities such as religious and political affiliation. In the wrong hands, this information can be used to stalk or harass riders, compromising their physical safety. Ride-sharing APIs have been abused for things like spying on ex-partners, and a 2016 Associated Press study found that law enforcement officers across the country abused police databases to stalk romantic partners, journalists, and business associates. The risk of harm from exposing this information is particularly high for survivors of gender-based assault and hate-motivated violence.
In its report to the City Council, LADOT states that its proposed data sharing requirements are “respectful of user privacy” because LADOT asks “for no personally identifiable information about users directly.” This is an unreasonably limited view of what constitutes personally identifiable information (PII), given the sensitivity of the data LADOT is asking for. MDS trip data includes the precise start and end times and locations of trips, tied to persistent, unique device identifiers (UDIDs) for each bike or scooter. UDIDs can be PII. According to the Federal Trade Commission (FTC), persistent identifiers like UDIDs, MAC addresses, and static IP addresses are often reasonably linkable to a particular person, computer, or device. The recently enacted California Consumer Privacy Act also recognizes that UDIDs and other technical information are often PII. While such information by itself is often categorized as anonymous, the technical identifiers LADOT is asking for do not exist in a vacuum.
As LADOT links or appends additional information (such as trip data) to a UDID, it becomes more identifiable. When persistent identifiers are connected to historical location information, individuals can be personally identified with reasonable ease. Moreover, studies regularly demonstrate that de-identified data can be “reverse engineered” to identify passengers and connect them to pick-up and drop-off location information. One researcher, Anthony Tockar, demonstrated how individual riders’ movements could be reconstructed using a de-identified trip dataset from the New York Taxi and Limousine Commission alongside other available information. In one experiment, Tockar was able to identify individuals with a high probability who frequented Larry Flynt’s Hustler Club. Evidence shows that even with robust de-identification, the more data points that are added to a data set, the easier it is to re-identify individuals. This is especially true with respect to location data, where just a handful of location and time-stamped data points are needed to identify individuals.
DM trip data may be even more revealing than trip data from other types of transportation because users are more likely to rely on DM for first- and last-mile transportation, taking it directly to their homes or final destinations. Car trips, for instance, often end some distance away from a user’s final destination due to parking issues or other space constraints; even with taxicabs or other vehicles-for-hire, riders can specify a generic address or intersection to obfuscate their final destination.
The surveillance implications of DM location tracking could disproportionately burden underserved and marginalized riders. While DM alone will not solve transportation inequity, it has some potential to improve mobility for communities that are underserved by traditional transportation. The dockless nature of new bike and scooter programs could make them more accessible than traditional docked bike shares, which can be inequitably distributed. Some cities and companies have initiatives aimed at ensuring that DM is accessible to underserved residents. LADOT’s permitting application requires that DM providers submit plans for providing equitable service.
The practical result of the data sharing requirements of the pilot program is that DM riders’ movements will be disproportionately tracked compared to people using other forms of transportation. Overbroad tracking could itself become a barrier to entry for low-income and minority riders, who already face disproportionate surveillance and scrutiny from law enforcement and other authorities. Without appropriate safeguards restricting access to the data, its collection could deter underserved riders.
II. LADOT should adopt clear and robust privacy and security safeguards for MDS data.
The duration of the DM pilot program provides an opportunity for LADOT to establish specific privacy and security policies to address how LADOT and any other governmental or private actors may access or receive MDS data. These policies should address each of the FIPPs and include appropriate data security and access controls. The availability of this information to third parties, including researchers, must also be addressed.
CDT was pleased to see that LADOT has taken the important first step of classifying MDS Trip Data as Confidential data under the City of Los Angeles Information Handling Guidelines. Under the guidelines, confidential information is exempt from disclosure under the California Public Records Act (CPRA), and its access or disclosure is limited to those with a “need to know.” The guidelines also include certain security requirements; for example, confidential data must be encrypted in electronic transmission. However, these guidelines still leave many unanswered questions as to how LADOT will handle trip data.
LADOT should (1) limit access to and use of MDS data to specified purposes; (2) establish a reasonable retention and deletion policy; (3) clarify how MDS data will be secured or obfuscated to protect against breaches and minimize the likelihood of disclosure of identifiable data; and (4) communicate DM data collection and use transparently to DM users. These considerations are consistent with the FIPPs. CDT offers the following more specific recommendations:
- Purpose limitation and access controls: LADOT has stated that it intends to use MDS data for permit enforcement, communication of events, parking restrictions, and city planning. To the extent possible, LADOT should communicate the specific purposes for and ways in which trip data will be used and what other entities, if any, it will be shared with. The City of Los Angeles Information Handling Guidelines limit access to Confidential information (including trip data) to those with a “need to know” who are individually designated by the information owner. In its 2016 Urban Mobility in a Digital Age: A Transportation Technology Strategy for Los Angeles, LADOT acknowledged that “growing interest in sharing data” raises privacy issues. It concluded “[e]valuating how the data may be used for analysis can help define the level of detail and anonymity necessary.” We agree: data sharing exacerbates the privacy and security challenges posed by any collection of information. LADOT should clarify that it will limit access to the MDS API to designated officials within the agency or city government solely for enforcing DM permits, communicating events, enforcing parking restrictions, and city planning. The uses of trip data for “city planning” should be further specified. Specifically, LADOT should commit that it will not share trip data with law enforcement without a warrant. The U.S. Supreme Court has recognized that people have an expectation of privacy in their physical movements. In Carpenter v. U.S., the Court held that police must get a warrant before collecting historical cell site location information. Without proper access controls, agency collection of location data can become an end-run around constitutional protections.
- Duration of access and retention: The period in which LADOT intends to retain DM data should be clearly specified. The NACTO Shared Active Transportation Guidelines note that localities must require companies to retain all records in “full accordance with local and state records retention policies.” LADOT’s guidelines indicate that, to the extent that confidential MDS data is used for transportation policymaking, LADOT will retain the data unobfuscated for no less than two years. The Department appears to have established a minimum retention requirement, but has not articulated any retention limits or deletion requirements. While the City’s Data Handling Guidelines specify a destruction method for hard copies of confidential data (shredding), they do not provide a retention or electronic deletion schedule. Again, we would note that lengthy retention periods for historic location information present significant privacy risks, and the additional real-time transmission of this information enables invasive tracking of individual movements in near real-time. A formal deletion policy pairs well with data minimization to ensure that data is kept only for the minimum amount of time necessary to extract value before it is deleted.
- Security of transmission and storage: While transportation officials have emphasized the importance of real-time data transmission for DM, the information security challenges of constantly transmitting data have not been adequately addressed. The City of LA’s Data Handling Guidelines require confidential information to be encrypted in transmission and password protected in storage. To the extent possible, LADOT should also obfuscate trip data in storage to minimize the likelihood that personally identifiable information will be revealed through database queries or potential breaches. Further, LADOT’s policy states that it will not disclose “unobfuscated Confidential Data” in response to a California Public Records Act (CPRA) request, but it does not define “unobfuscated.” Not all methods of obfuscation are equally effective, and hashing of public location datasets has been broken before. LADOT should determine and clarify the circumstances under which it anticipates disclosing MDS data and its plans for effectively obfuscating it and protecting against reverse engineering or re-identification. Ideally, LADOT would detail its own security policies and the expectations it has of permit holders.
- Transparency: While the publication of the MDS on Github provides one level of needed transparency, LADOT should also give consideration to how the department, as well as DM permit holders, will communicate to individual riders about the data collection and usage practices involved with scooters. As a practical matter, many of the LADOT documents referenced in this letter were not easily locatable or accessible. CDT recommends that LADOT consider how it can offer information about the department’s privacy and security policies and practices in a centralized location.
III. LADOT should use the current pilot period to determine how it can achieve its legitimate needs while minimizing the amount and granularity of data it collects
CDT recommends that LADOT use this pilot program as an opportunity to assess what types of raw data are absolutely necessary to facilitate safe and equitable DM in Los Angeles. The scope of LADOT’s data collection should not exceed what is necessary to enforce DM permit requirements and regulations. Courts have recognized the importance of narrowly tailoring government agency requests for companies’ data absent a warrant. The Supreme Court has identified three criteria that a reasonable administrative search must meet: (1) There must be a substantial government interest that informs the regulatory scheme; (2) the inspection must be necessary to further the regulatory scheme, and (3) the inspection program must provide a “constitutionally adequate substitute for a warrant,” in terms of the certainty and regularity of its application.
The city should take careful stock of the types and sensitivity of data for which it is asking, including potential PII such as UDIDs, and determine whether each data type is necessary for enforcement or how information can be obscured to minimize privacy risks. It should also consider the granularity of location information it needs. GPS coordinates, for example, are two numbers that describe the latitude and longitude of a location on a coordinate system (e.g., 38.9029818° N, 77.0319413° W). Imprecise geolocation generally captures coordinates having the precision of two or fewer decimal places. LADOT should consider whether location to the third or fourth decimal place, which captures individual street level and land parcels, is sufficient for its regulatory purposes.
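As an added illustration of the precision trade-off described above (this is not code from the letter, from LADOT, or from the MDS), the following Python snippet truncates coordinates to a chosen number of decimal places and estimates the size of the resulting grid cell, showing at which precision two constructed nearby trip endpoints become distinguishable.

```python
import math
from typing import Optional, Tuple

# One degree of latitude is roughly 111.32 km everywhere; a degree of
# longitude shrinks with the cosine of the latitude.
METRES_PER_DEG_LAT = 111_320.0


def cell_size_m(lat_deg: float, decimals: int) -> Tuple[float, float]:
    """Approximate (north-south, east-west) extent in metres of one grid cell
    produced by truncating coordinates to `decimals` decimal places."""
    step = 10.0 ** -decimals
    north_south = step * METRES_PER_DEG_LAT
    east_west = north_south * math.cos(math.radians(lat_deg))
    return north_south, east_west


def coarsen(lat: float, lon: float, decimals: int) -> Tuple[float, float]:
    """Snap a coordinate to the south-west corner of its grid cell. Truncation
    (floor) rather than rounding is used so that every point inside a cell
    maps to the same stored value."""
    factor = 10 ** decimals
    return math.floor(lat * factor) / factor, math.floor(lon * factor) / factor


def same_cell(a: Tuple[float, float], b: Tuple[float, float], decimals: int) -> bool:
    """True if two points collapse to the same cell at this precision."""
    return coarsen(*a, decimals) == coarsen(*b, decimals)


def decimals_needed(a: Tuple[float, float], b: Tuple[float, float],
                    max_decimals: int = 7) -> Optional[int]:
    """Smallest number of decimal places at which the two points are still
    distinguishable, or None if they coincide even at max_decimals."""
    for d in range(max_decimals + 1):
        if not same_cell(a, b, d):
            return d
    return None


# Constructed sample points (illustrative, not real trip data): the letter's
# example coordinate and a second point roughly 90 m away, as a neighbouring
# parcel might be. Longitude is negative for degrees West.
TRIP_END = (38.9029818, -77.0319413)
NEIGHBOUR = (38.9036000, -77.0312000)

if __name__ == "__main__":
    for d in range(1, 5):
        ns, ew = cell_size_m(TRIP_END[0], d)
        print(f"{d} decimals: cell about {ns:.0f} m x {ew:.0f} m, "
              f"same cell as neighbour: {same_cell(TRIP_END, NEIGHBOUR, d)}")
    print("distinguishable from", decimals_needed(TRIP_END, NEIGHBOUR), "decimals")
```

At two decimal places both points fall in a roughly 1.1 km by 0.9 km cell, while the third decimal already separates them, which is the practical meaning of the choice the letter asks LADOT to weigh.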
LADOT’s DM pilot program and its MDS are already being pointed to as a potential national standard. It is worth acknowledging that part of LADOT’s leadership role is establishing policies and procedures that can be followed by cities with fewer resources or less technical capacity and expertise. We hope the LADOT will consider these issues, as well as our recommendations, as it engages in its DM pilot program.
Policy Analyst, Privacy & Data Project
Policy Counsel, Privacy & Data Project