By Nomi Conway
As scooter companies Spin, Bird, and Lime scramble to get scooters on the street, they are also racing to gather data, and have failed to take the time and steps necessary to properly address rider privacy. Now, in addition to protecting heads with a helmet, scooter riders also have to worry about protecting their personal information.
When you scan a QR code, you might not realize that you are really hopping onto a two-wheeled data-hoarding device that is collecting far more of your personal information than the product really requires. In the wrong hands, this information – which includes location data, photos, and driver’s licenses – can be harmful. The Trump administration is already exploiting local government data and purchasing location data from private companies in order to target immigrants, activists, and others.
Here are some key ways these companies should be doing better:
Turn off persistent data tracking
These scooter companies have persistent data tracking on throughout the ride, tracking your every move, from the moment you open the app until the end of your ride. This means that if you take a scooter to a political protest, or to a religious service, or to see a medical specialist, the scooter company is collecting that information.
The companies are also storing this data. Lime and Bird reserve the right to store your information for an undefined period of time even after you request to delete your account. And while all three vow they don’t directly sell data to third parties, they also reserve the right to share user information with third parties such as sponsors and business partners, and potentially advertisers.
Persistent data tracking is not necessary for the scooters to function. Ford GoBike doesn’t use GPS tracking during rides, and these companies don’t need to either.
Minimize other unnecessary data collection
These companies should also show more concern for rider privacy by minimizing the collection of unnecessary information like social media data, photos, and driver’s licenses.
When you log in to a Lime account through Facebook, Lime is actually getting access to your profile information, including your name and profile picture. Bird requires you to provide a photo of your driver’s license in order to unlock a scooter and encourages users to upload a profile picture in the app setting, too. None of this personal information is actually necessary to ride a scooter and companies shouldn’t be collecting it.
Require government officials to get a warrant
All of this collection and retention of sensitive personal information is especially concerning given that these scooter companies have created privacy policies with weak language on law enforcement requests. Spin, Bird, and Lime all admit that they may disclose user information based only on a “good faith belief” that they are required to do so.
By taking a weak stance on government requests for user data, scooter companies are increasing the risk that their growing database of rider photos will end up in the hands of government entities looking to bolster surveillance capabilities. A wider collection of photos enables ICE to monitor immigrants as they embark on new lives, and enables police to identify (and even arrest) political protesters. Considering these serious privacy concerns, scooter companies should be clear that they will require a warrant before turning over user information to the government and will challenge improper government demands. They should also have a clear policy to provide timely notice to users about government demands.
Make privacy policies more visible in the app
In addition to clear and robust, substantive policies, these companies should also display their privacy policies more prominently. Transparency helps to build user trust, and making privacy policies accessible and easy to understand is an important way to keep people informed.
Instead, in a failure for user transparency, these companies do not require riders to review their privacy policies before creating an account. Bird does not link to its privacy policy anywhere in the app once an account is created. Meanwhile, Lime and Spin bury their privacy policies behind multiple pages within the app. All three companies should give people more direct access to this important information before, during, and after account creation.
Have a comprehensive security plan and communicate it to users
Bird, Lime, and Spin also seem to have zoomed past developing a comprehensive security plan and communicating it to users. All three vow to secure your most sensitive data, including your financial data, but it’s not clear what precautions they actually take. Spin tells users about any internal data security policies, makes a vague reference to “bank level security” in its app, and highlights some data breach procedures, but these half measures are inadequate. Bird and Lime are silent on security matters and also explicitly reserve the right to transfer data to other jurisdictions that may not be governed by U.S. law. None of this is a good signal to send to people about privacy and data security. Companies that collect user data should always have a comprehensive security plan and build trust with users by clearly communicating these security practices.
So, the next time you see a scooter flying by you on the sidewalk, remember that these devices pose risks beyond cluttering the sidewalk, and consider how they stack up on privacy (see this chart for a comparison of privacy policies). If Bird, Lime, Spin, and any others who soon join the market want to be a permanent fixture in urban environments, they need to be doing a lot more to protect user privacy.
Nomi Conway is a Technology and Civil Liberties Intern at the ACLU Foundation of Northern California.
Get Tickets To Vanguard’s Immigration Rights Event
Is the same issue on Jump Bikes? I have not tried on yet to see how you log on to use them.
Going to look more into it – good point.
JUMP might mean, Just Updating My Profile (or, Preferences)… someone (poster here), I recall, complained they had a 250 lb limit for users… could be the over 250 lb cohort is less likely to be a “target audience” for advertisers…
Yes. Great article in the News and Review on this subject:
https://www.newsreview.com/sacramento/is-uber-evil/content?oid=26595688
As with most N&R articles, you need to read in several paragraphs to get to the subject matter.
The SN&R article says “more importantly, this is another blow against the fossil-fuel empire.” while a Jump bike uses less fossil fuel than a Harley it still uses fossil fuel (unlike a regular bike that really avoids using fossil fuel and will burn a lot more calories). I am surprised how many smarter than average people are not aware that about half the electricity in CA comes from fossil fuels (and nuclear power).
http://www.energy.ca.gov/almanac/electricity_data/total_system_power.html
P.S. Almost every tech company wants to get as much personal data as they can so they can use it to make money or sell it to make money…
No way, man! Electricity is CLEEEEEEEEEN! You’re harshing my mellow.
Protect your privacy and get more excercise: RIDE A BICYCLE . . . and I don’t mean one of those electric assist bicycles that track your movements and do most all of the work for you, turning our greatest exercise/transportation option into the modern version of playing a video game while on wheels.
Also, kill you Facebook account, and if you plan on doing something super illegal, don’t take your cell phone with you!
The bikes don’t do most of the work. Probably 1/3 of it, with a boost cutoff at 15 mph, but they’re so low-geared that at that speed one has to spin very fast to go faster. The 15 mph limit is a tune-down from the 20 mph limit for which Type 1 e-bikes are designed: They were slowed because the UC Davis campus speed limit is 15 mph. There is no evidence that this will improve safety.
The bikes have a 210-lb weight limit (the previous generation pilot Tower Bridge in Sac and West Sac bikes had a 250-lb limit.) The Davis Bike Club and Cycling Hall of Fame boards declined to protest this. I’ve been promised for months that the City’s in negotiation about the weight limit so I shouldn’t badmouth Jump about this situation. But apparently Jump has no plans to change this. As I’ve also mentioned before, the system has an 18-year old age minimum. However, I’ve spoken to a bunch of DHS students who say that lots of friends under that age use the bikes. As far as I know, there have been no problems specific to this breach of the user agreement — must be that Davis kids are good ones, and/or that they are using their parents’ credit card and are being prudent. In Austin, Texas when it was obvious that lots of younger teens were using the bikes, they officially lowered the age limit to 13. That’s also the age limit for bike share in Alameda.
My guess is that SACOG and the City of Davis would say that there’s no issue with data collection by Jump. They don’t seem to be sure that the bikes are being tracked whilst checked out.
Privately-run and under-regulated (ageist, and therefore classist and racist since lower-income and/or people of color are over-represented among the mobility challenged) bike share is the Trojan Horse for the Neo-Liberal takeover of the Commons.
> They don’t seem to be sure that the bikes are being tracked whilst checked out.
Seem.
The “over age 18 requirement” is unenforceable and doubtless a clause inserted by the company’s legal staff to mitigate liability. The same rationale for the weight limit and also similarly unenforceable.
Reality check for the paranoid among us, you are being monitored in so many ways (social, economic, cultural, political) that fearing you’re being watched because you’re riding an E-bike is stupid. They’re already dialed in. At worst it only validates what they already know about you.
Every electronic transaction in which you voluntarily engage (including this one) is offering information and being recorded on a database. Virtually every database is vulnerable to hacking and hackers sell that information through a thriving underground economy. That, too, is unenforceable. You have two choices, drop out of society and throw away all your electronic devices, or live with it. Don’t use this E-bike phenomenon as a pretense to cry “Big Brother.”
Ride any and all bicycles as a stress reliever, and paranoid antidote. You’ll also decrease your weight to a desirable standard of personal health and a greater sense of self-esteem.
> Ride any and all bicycles as a stress reliever, and paranoid antidote. You’ll also decrease your weight to a desirable standard of personal health and a greater sense of self-esteem.
Well, three out of four ain’t bad.