The Los Angeles Department of Transportation (LADOT) is about to make a bad privacy situation worse, and it’s urgent that Los Angeles residents contact their city council representatives today to demand they put the brakes on LADOT’s irresponsible data collection. The agency plans to scoop up trip data on every single e-bike and scooter ride taken within the city and, left unchecked, it will do so in the absence of responsible and transparent policies to mitigate the privacy risks to Los Angeles riders.
Location data is among the most sensitive forms of information related to a person's privacy. Collected over time, people’s movements from place to place reveal a good deal about them: where they work, where they play, where they worship, their political leanings, and even personal and familial relationships. While the U.S. Supreme Court and California’s State Legislature are in agreement on the sensitivity of location data, the Los Angeles Department of Transportation appears to be much less convinced.
EFF and OTI have called on LADOT to start taking the privacy of Los Angeles residents seriously and cease moving forward with its invasive data collection plans until it has real policies in place to protect the data. Make your voice heard, too.
A Tale of Two APIs
In September, after the streets of Los Angeles were overwhelmed with dockless e-bikes and scooters, the Los Angeles City Council passed an ordinance calling for the creation of a Shared Mobility Device Pilot Program. In part, the ordinance called on LADOT to issue permits and set guidelines aimed at reducing sidewalk interference and regulating vehicle speed.
LADOT’s Mobility Data Specification (MDS), part of which went into effect shortly after the ordinance passed in September, gives the agency the ability to request massive amounts of information about Los Angeles riders and their day-to-day travels. Specifically, the MDS requires dockless mobility permit holders like LimeBike and Bird to provide LADOT access to a provider-side application programming interface (API), allowing the agency to demand granular trip data for dockless bicycle and scooter rides. This trip data includes extremely precise, time-stamped location data from the beginning to the end of each trip.
The problem? LADOT has not grappled with the serious privacy and civil liberties issues implicated by such a massive data collection campaign. Months later, despite requests from EFF and the Open Technology Institute, and from the Center for Democracy and Technology, LADOT still fails to acknowledge that the raw trip data it collects through its MDS is personal data pertaining to real movements of real individuals. More importantly, it has failed to set out basic privacy protections for the sensitive location data it collects every time Los Angeles residents take a dockless scooter or e-bike ride through their city.
Now, despite its lack of a clearly articulated plan to protect Los Angeles residents from the potential harms that could result from the exposure of this data, LADOT plans to make a bad situation worse. Beginning on April 15, LADOT will require dockless mobility operators to push trip data for each and every e-bike and scooter ride taken within the City directly to LADOT, and its for-profit partner Remix, through a new agency-side API as well.
Responsible Data Collection Requires Responsible Data Policy
In our letter to the Los Angeles City Council, EFF and OTI have called on the Council to put the brakes on these additional data sharing requirements before the April 15 deadline. LADOT should by no means be moving forward with increased data demands when it has yet to address the privacy and civil liberties concerns raised by earlier stages of the MDS.
So far, LADOT has issued only high-level “Data Protection Principles,” which amount to a list of aspirations and buzzwords you would want to see in a strong policy: ‘de-identification,’ ‘data minimization,’ ‘aggregation.’ But they provide no meaningful, enforceable restrictions to protect the privacy of Los Angeles residents. These “principles” are a far cry from the transparent, actionable, and enforceable data privacy policies we would expect of any city agency demanding this level of sensitive information about Los Angeles residents.
Furthermore, LADOT’s failure to limit law enforcement access to raw trip data through anything less than a warrant signed by a judge is in seeming opposition to the Supreme Court’s holding in Carpenter v. United States, which held that “the Government must generally obtain a warrant supported by probable cause before acquiring” location records. In its ruling, the Court recognized that time-stamped location data “provides an intimate window into a person’s life, revealing not only his particular movements, but through them his familial, political, professional, religious, and sexual associations.” The Supreme Court’s analysis of the sensitivity of location data was echoed by the California State Legislature when it passed the California Consumer Privacy Act (CCPA)—explicitly listing geolocation information as personal information and affirming that “any information that can be reasonably linked, directly or indirectly, with a particular consumer should be considered ‘personal information.’”
Part of the problem is LADOT’s failure to acknowledge the sensitive nature of trip information, claiming that the MDS requires “no personally identifiable information about users directly.” (emphasis added). But even with names stripped out, location information is notoriously easy to re-identify—particularly for habitual trips. To demonstrate the process through which this information could be re-identified, EFF Staff Technologists—in a cursory analysis of publicly available data from New York City’s rideshare program, CitiBike—identified what is likely a single rider regularly leaving home between 7:30 am and 8 am each morning and returning home just after 6 pm each evening. Unlike New York’s public rideshare program, which requires riders to pick up and return bikes at docking stations dispersed throughout the city, LADOT’s program applies to dockless bikes and scooters, so the location data acquired through Los Angeles’ dockless mobility program is even more unique to each rider. Yet, even with the data available through CitiBike, one need only wait for our rider’s regular routine to begin one morning in order to confirm his identity. This may seem innocuous, but what if our rider was a domestic violence survivor at risk of being stalked by their assaulter? Or, instead of a regular commute to and from work or school, the data showed our rider taking regular trips to attend Jummah prayer at a local mosque or meetings of a local political organization? The potential threat to their safety as well as religious and political freedom makes it easy to see how critical it is that LADOT and the City Council act to protect this sensitive personal information.
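To make the point concrete, here is an added illustration (not EFF’s CitiBike analysis and not LADOT or MDS code) of a check an agency could run before storing or sharing trip records: it flags origin/destination/time patterns that recur day after day with a single trip per day, then shows how much coarser cells and time windows reduce them. The record layout, thresholds, and sample trips are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def make_trips():
    """Constructed sample, not real trip data: (start, start_lat, start_lon, end_lat, end_lon)."""
    trips = []
    monday = datetime(2019, 4, 1)
    for d in range(5):
        day = monday + timedelta(days=d)
        # One habitual rider: out around 7:40, back just after 18:00.
        trips.append((day.replace(hour=7, minute=38 + d), 34.0612, -118.3021, 34.0488, -118.2581))
        trips.append((day.replace(hour=18, minute=3 + d), 34.0488, -118.2581, 34.0612, -118.3021))
        # A busy corridor a few blocks away: three different riders every morning.
        for minute in (5, 25, 50):
            trips.append((day.replace(hour=8, minute=minute), 34.0641, -118.3048, 34.0462, -118.2563))
    return trips

def routine_patterns(trips, decimals, window_hours, min_days=4):
    """Patterns seen on >= min_days days with at most one trip per day.

    Such a pattern is consistent with one person's routine even though the
    records carry no name or rider ID. Coordinates are rounded to `decimals`
    places and start times bucketed into `window_hours`-hour windows.
    """
    per_day = defaultdict(lambda: defaultdict(int))
    for start, slat, slon, elat, elon in trips:
        window = start.hour // window_hours * window_hours
        key = (window,) + tuple(round(c, decimals) for c in (slat, slon, elat, elon))
        per_day[key][start.date()] += 1
    return sorted(key for key, days in per_day.items()
                  if len(days) >= min_days and max(days.values()) == 1)

if __name__ == "__main__":
    trips = make_trips()
    settings = (("roughly 100 m cells, 1 h windows", 3, 1),
                ("roughly 1 km cells, 3 h windows", 2, 3))
    for label, decimals, hours in settings:
        flagged = routine_patterns(trips, decimals, hours)
        print(f"{label}: {len(flagged)} routine-like pattern(s)")
        for pattern in flagged:
            print("  needs suppression or further aggregation:", pattern)
```

On this sample, coarsening hides the morning commute inside the busy corridor but leaves the evening trip home exposed, because nobody else shares that cell and window. Aggregation alone is not enough without suppressing small groups.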
LADOT’s GitHub Repository and June 2018 press release announcing “A New Digital Playbook for Mobility” make it clear the department has no intention of stopping at dockless e-bikes and scooters. At the same time, LADOT’s General Manager Seleta Reynolds, in her capacity as an official within the National Association of City Transportation Officials, also seems intent on spreading this methodology to other cities across the U.S. The people of Los Angeles and cities across the country deserve safe streets. They also deserve the freedom to move about those streets without undue risks to their privacy and physical well-being through unchecked vehicle surveillance. With the April 15 compliance deadline for the next phase in Los Angeles’ dockless mobility program quickly approaching, it’s urgent that Los Angeles residents contact their City Council representative today, and demand that they put the brakes on LADOT’s irresponsible data collection.