EFF Says LA’s Scooter Location Data Could Unmask Individual Riders
In March, Motherboard reported on the Los Angeles Department of Transportation's (LADOT) plans for scooter companies in the city to provide real-time location data of their vehicles to the department. Lime and Bird, two scooter companies, had been granted a one-year permit for their scooters in the city. Uber, which operates a scooter service called JUMP and which has pushed back against the data collection plans, was given a shorter permit. The stated purpose of the data is for city-planning, such as seeing which communities are actually able to access the scooters.
Now non-profit digital rights group the Electronic Frontier Foundation (EFF) has voiced concerns around how that location data could be de-anonymized to identify individual riders and their routes. In a letter dated April 3 and reiterated in a blog post published Wednesday, the EFF said "even with names stripped out, location information is notoriously easy to re-identify-particularly for habitual trips."
The news signals a burgeoning privacy debate not only around the use of scooters, but potentially other transportation services too, as they are likely to become part of other data requests by cities across the United States.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Last year, LADOT published a standard that it wanted scooter and other mobility companies to use, that would keep the data companies provided to the department consistent. After it rolls out on the planned date of April 15, the real-time location data of the scooters will be sent from the companies to LADOT and to a data aggregator called Remix, which sells visualization tools for cities to understand that data.
Remix's website reads, "How many scooters are on your streets at any given time? How is new mobility affecting first/last mile connections in your community? Remix brings data from mobility providers into a single platform to give city leaders the context they need to get answers quickly."
An LADOT spokesperson told Motherboard in a statement, "LADOT requires mobility providers to share information on for-profit vehicles operating in the public right-of-way. We continue to hear from our constituents on the importance of this as we have developed our one-year pilot for shared dockless e-scooters and e-bikes."
But EFF says there is the potential for this data to identify individuals.
"This is especially true when location data is aggregated over time," the group's letter reads.
The EFF points to several studies and instances of de-anonymization. In one case, researchers were able to take a database of every cab ride taken in New York in 2013, which contained information on 173 million trips, and identify the license numbers and medallion numbers for each trip in the entire set. Another researcher then used that data in combination with other information to identify individual riders.
In another example, the EFF writes its technologists looked at New York's public bikeshare database. From that, they found a route that appears to be frequented by a single individual, who leaves home at around 7:30am most mornings and returns home at just after 6:00pm each evening, the letter adds.
"One only needs to identify the individual at the start or end of the route on a single occasion-either via seeing the individual pick up or dropping off a bicycle in person or via some other dataset revealing their location in that place at that time-in order to link them to this extensive and potentially revealing history of behaviour," the letter reads.
To be clear, this does not necessarily mean that the scooter location data could certainly be linked to individuals, but it does still signal a potential privacy issue that campaigners, companies, and LA residents may be concerned about.
The LADOT spokesperson added, "LADOT has had ongoing engagement with the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation, and Future of Privacy Forum around best practices for privacy. We created a set of Data Protection Principles that will apply to all data we obtain from Mobility Providers.
"LADOT will ensure the data is de-identified in accordance with established data protection methodologies before any Dockless Mobility data begins to be published to the City of Los Angeles Open Data Portal," they wrote.
Subscribe to our new cybersecurity podcast,CYBER.