Will Scooters Ride Away with Your Privacy?

If you live in or visit a major city, odds are you have noticed an uptick in shared bikes and scooters. Lime, Bird, Spin, Skip, JUMP, and Lyft are just some of the “dockless mobility” options now available. These services generate a tremendous amount of data that could potentially improve transportation infrastructure – early evidence suggests they are already offering new transportation services to underserved communities – and cities are racing to create new data standards to collect and analyze mobility data.

“Scooters and other types of dockless mobility have a ton of potential to improve transportation in cities, but they raise important privacy and security concerns. As Justice Sotomayor has acknowledged, tracing people’s movements reveals information that is ‘indisputably private in nature,’ including their intimate relationships and visits to health care providers such as abortion clinics or HIV treatment centers. Monitoring location data also reveals First Amendment-protected activities such as religious and political affiliation. In the wrong hands, this information can be used to stalk or harass riders, compromising their physical safety,” said Joseph Jerome, Privacy & Data Policy Counsel at the Center for Democracy & Technology (CDT).

A number of cities are launching pilot programs in an attempt to address concerns around privacy and data generated from scooters. These programs are aimed at finding answers to new liability issues, ensuring scooters are made available equitably, and setting expectations about the scale and timeliness of data being provided to local transportation authorities. The Los Angeles Department of Transportation (LADOT) is undertaking its own pilot program, and CDT submitted comments on the key privacy and security practices we would like to see implemented.

LADOT is asking for ongoing, real-time access to trip data for scooters. While the city has suggested it is “respectful of user privacy” because its data standard asks “for no personally identifiable information about users directly,” this sort of trip data by itself is highly revealing.

Additionally, scooter riders are likely to rely on their scooters for first- or last-mile transportation, taking it directly from their home and to their final destinations. This is different from car trips in cabs or rideshares that often begin or end some distance away from a user’s final destination, making the information potentially more sensitive.

CDT’s recommendations build on our earlier work on government data demands, and we’ve called on the transportation authority to adopt clear and robust privacy and security safeguards. These policies should build off of longstanding Fair Information Practices, include appropriate access controls, and address the availability of mobility data to researchers. Specifically, we recommend that LADOT should (1) limit access to and use of mobility data for clearly specified purposes, (2) establish a reasonable retention and deletion policy, (3) clarify how this data will be secured or obfuscated to protect against breaches and minimize the likelihood of disclosure of identifiable data, and (4) better communicate these policies and information to riders and the public.

“For cities to exercise true leadership in dockless mobility, they must establish policies and procedures that can be followed by cities with fewer resources and less technical capacity or expertise. We hope LADOT will take on this challenge, and we look forward to seeing how dockless mobility programs roll out across the country,” Jerome added.