Jun 26, 2019

Should Shared Mobility Services Share Your Data?

Jennifer Huddleston Research Fellow , Trace Mitchell Staff writer

Should a city know where you take a dockless scooter or a rideshare? Should companies require police to get a warrant to access this information? As municipalities start to grapple with new developments in shared mobility, such data questions will only become more pressing.

A timely case in point is the Los Angeles Department of Transportation, which recently released a policy on data protection principles for dockless transportation options like electric scooter and bike shares. The policy puts limitations on the city’s new Mobility Data Specification System (MDS), which is an application programming interface (API) standard allowing city employees to view anonymized data on shared devices, like where they are stored and whether some neighborhoods are underserved. 

All dockless mobility providers were required to be MDS compliant by April 15 in order to operate in the city. Other cities, particularly those already deploying the MDS more generally, could follow suit.

Advocates say data sharing will help cities better plan for a multi-modal transit future and solve possible problems like sidewalk crowding and accessibility. Skeptics, including both privacy advocates and some ridesharing companies, are concerned about the potential privacy and Fourth Amendment violations that could stem from cities constantly monitoring the movements of its citizens.

Over the last year or so, dockless scooters have grown from a surprising new anomaly to a fairly common sight in many American cities. More last-mile micromobility options are appearing around the world; now mopeds and even pogo sticks are getting the sharing economy treatment. These options continue to evolve and become part of the transportation landscape. Entrepreneurs are improving traditional transportation options like cars making them increasingly connected and using their data to help make transportation less stressful. 

This 21st century transportation renaissance raises new and old questions about whether or how governments can collect private transit data. Government demands to access dockless transit GPS location data might be useful for planning, but it can also raise privacy concerns like  warrantless law enforcement access. This is yet another example of the challenges that emerge as technology outpaces existing policies. 

This is not the first time government access to data has been an issue in the sharing economy.  Earlier this year, home-sharing platforms like AirBnB challenged a New York City ordinance that required them to provide city regulators with reports on the clients using their platforms, including personal information about the hosts and the dwelling. 

The Federal Court for the Southern District of New York found the ordinance unconstitutional on the basis that it effectively allowed regulators to troll the records for potential violations even when there was no evidence or suspicion of a violation by the user. Requirements that a sharing economy platform turn over sensitive data such as an individual’s location to the government without a warrant can decrease trust and users’ relationship with the platform.

Unlike the decision of which companies’ data privacy and security practices to trust, government mandates give individuals little to no choice in handing over this data. Even when the data is anonymized, sensitive and personal information can be made public when stored in a government database either by hackers or the unique ability to request government data through public record request processes like the Freedom of Information Act (FOIA). 

Privacy researcher Anthony Tockar was able to identify which celebrities did and did not tip thanks to taxi records that were made publicly available after a FOIA request by Chris Whong. (Since MDS data will appear on the city’s open data portal such requests might not even be necessary to gain access to tracked micromobility data.) While such actions may seem innocent, it is easy to see how an individual’s location information could also reveal more sensitive facts as well.

The question of Fourth Amendment protections for data has become increasingly complicated as technology evolves to utilize more and more data. Right now, the Supreme Court of Georgia is considering whether police need to obtain a warrant before accessing the data that are stored in a vehicle’s computer system. Many exciting technological changes that will lead to safer and more enjoyable transportation will also raise new Fourth Amendment issues that courts will need to address. 

This is particularly true because of the increasingly interconnected nature of many emerging technologies. While many people are aware that the Fourth Amendment provides protections that typically require a warrant, an exception known as the “third-party doctrine” can lower this bar for data that has already been shared with someone else. 

This doctrine was first established in 1967 and reasons that once you share information with a third party, you no longer have a “reasonable expectation of privacy” in that information. But in today’s day and age, we share virtually all of our information with a third party, and often multiple parties. Even the most privacy-sensitive individuals have likely placed a call or used a mapping app that will provide someone else with information about where the device was. 

Now judges are trying to adapt to the ways in which technologies have changed. Courts are starting to consider what it means to share information with a third party and what might be considered a “legitimate expectation of privacy” in the digital age. 

Last year, the Supreme Court refused to apply the third-party doctrine to cell site location information obtained from cell phone towers in Carpenter vs. United States. The Court recognized that since few people leave home without their phone, cell site location information can be used to track virtually the entire population. Such a decision does not prevent law enforcement from obtaining such information through the proper channels, but requires that they go through the heightened procedures necessary to get a warrant.

While this decision was limited to a specific type of data, it may show a willingness by the Court to adapt the third-party doctrine in future decisions, particularly when it comes to transportation. In fact, the Court noted in the decision that “society’s expectation has been that law enforcement agents and others would not—and indeed, in the main, simply could not—secretly monitor and catalogue every single movement of an individual's car for a very long period.” 

Today we are using rideshares and dockless mobility options that automatically share information with a third party. However, we likely don’t think of this information as any more publicly shared with the world than when we use our own devices.  

As technology and data continue to evolve in the transportation industry and sharing economy, they will likely result in further questions about how the third-party doctrine and the Fourth Amendment play out in a world of connected transportation. Communities, citizens, and companies will all have to consider what a “reasonable expectation of privacy” means in the context of data and the digital age.

Photo credit: John MacDougall/Getty Images

Support Mercatus

Your support allows us to continue bridging the gap between academic ideas and real-world policy solutions.Donate