
Uber sues LA in bid to protect scooter riders’ geolocation data

Los Angeles wants to know exactly when you hop on an Uber scooter or bike, when you hop off, and where you go, promising that such location data is “respectful of user privacy” because it’s not asking for personally identifiable information (PII) about users – well, at least not directly.

Uber’s response: Nope. Geolocation data is clearly PII, and LA’s requirements that companies like Uber and Lyft share scooter-sharing data could compromise user privacy, as well as the companies’ own trade secrets.

Uber, better known for its ride-hailing car service, on Monday filed a lawsuit after months of refusing to give the LA Department of Transportation (LADOT) what the city’s after, CNET reports.

The publication quoted an Uber spokesperson:

Independent privacy experts have clearly and repeatedly asserted that a customer’s geolocation is personally identifiable information, and – consistent with a recent legal opinion by the California legislative counsel – we believe that LADOT’s requirements to share sensitive on-trip data compromises our customers’ expectations of data privacy and security.

Therefore, we had no choice but to pursue a legal challenge, and we sincerely hope to arrive at a solution that allows us to provide reasonable data and work constructively with the City of Los Angeles while protecting the privacy of our riders.

Like other cities, LA is wrestling with a newly chaotic traffic situation, with Uber and Lyft drivers whizzing around, picking up, dropping off or waiting for fares, as city buses, bicyclists and scooter riders – some using rent-by-the-hour bikes and scooters – jostle for space.

Those ubiquitous dockless e-scooters and bikes often wind up randomly scattered or piled up in heaps on city sidewalks. Some cities have gone so far as to ban them.

Other cities, including LA, are looking to pull data from the chaos so as to rein it in. They’re hoping that scooter data can help to determine how citizens are getting around, where it makes the most sense to spend money on infrastructure and where to cut back, and whether the companies they’ve allowed to use their public streets and sidewalks are following the rules and not making pig-piled scooter messes.

LA’s plan, which it began work on last year, is a new data standard called the Mobility Data Specification (MDS). It’s based on a standard set of application programming interfaces (APIs) through which mobility companies are required to provide real-time information about how many of their vehicles are in use at any given time, where they are at all times, their physical condition, anonymized trip start and stop times, destinations, and routes, among other data.

Real-time location data? That’s taking it too far, Uber says, and privacy experts have backed it up. It doesn’t matter that the city isn’t collecting PII such as name, age, gender and address, given that, as has been demonstrated time and time again, Big Data can be dissected, compared and contrasted to look for patterns from which to draw inferences about individuals. In other words, it’s not hard to re-identify people – or cats, for that matter – from anonymized records.
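An added illustration, not part of the original article or of the MDS specification: a disclosure-risk check a data steward could run before releasing trip records, measuring how many "anonymized" trips are one of a kind at a given spatial and temporal precision. The record layout and all sample values are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of "anonymized" trips: no name, no account ID.
# Layout (start (lat, lon), end (lat, lon), start time) is an assumption,
# not the MDS schema. All coordinates and times are made up.
TRIPS = [
    ((34.05231, -118.24372), (34.06190, -118.30011), "2019-10-28T08:03:00"),
    ((34.05247, -118.24391), (34.06152, -118.30087), "2019-10-28T08:41:00"),
    ((34.05302, -118.24410), (34.06233, -118.29954), "2019-10-28T08:17:00"),
    ((34.10120, -118.32655), (34.09011, -118.36170), "2019-10-28T22:48:00"),
    ((34.05219, -118.24355), (34.06177, -118.30040), "2019-10-28T08:55:00"),
]

def quasi_id(trip, decimals, bucket_minutes):
    """Generalize a trip to (start cell, end cell, date, time bucket)."""
    start, end, ts = trip
    t = datetime.fromisoformat(ts)
    bucket = (t.hour * 60 + t.minute) // bucket_minutes
    cells = tuple((round(lat, decimals), round(lon, decimals))
                  for lat, lon in (start, end))
    return cells + (t.date(), bucket)

def group_sizes(trips, decimals, bucket_minutes):
    """For each trip, how many trips share its generalized quasi-identifier."""
    keys = [quasi_id(t, decimals, bucket_minutes) for t in trips]
    counts = Counter(keys)
    return [counts[k] for k in keys]

def unique_fraction(trips, decimals, bucket_minutes):
    """Share of trips that are one of a kind (k = 1) at this granularity."""
    sizes = group_sizes(trips, decimals, bucket_minutes)
    return sum(1 for s in sizes if s == 1) / len(sizes)

def suppress_below_k(trips, decimals, bucket_minutes, k):
    """Keep only trips whose generalized group has at least k members."""
    sizes = group_sizes(trips, decimals, bucket_minutes)
    return [t for t, s in zip(trips, sizes) if s >= k]

if __name__ == "__main__":
    print(unique_fraction(TRIPS, 5, 1))    # full precision, 1-minute buckets
    print(unique_fraction(TRIPS, 2, 60))   # ~1 km cells, 1-hour buckets
    print(len(suppress_below_k(TRIPS, 2, 60, 3)))
```

At full precision every trip in the sample is unique; coarsening merges the four morning commutes into one group, but the lone late-night trip stays unique until it is suppressed.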

The Center for Democracy & Technology (CDT) says that LADOT’s plan to collect location data could seriously jeopardize riders’ privacy:

People’s movements from place to place can reveal sexual partners, religious activities, and health information. The U.S. Supreme Court has recognized a strong privacy interest in location data, holding that historical cell site location information is protected by the Fourth Amendment warrant requirement… Even de-identified location data can be re-identified with relative ease.

The Electronic Frontier Foundation added to that list of sensitive PII that can be determined from tracking people:

Los Angeles riders deserve privacy in the bike and scooter trips they take – be they for work, medical appointments, social engagements, prayer, or other First Amendment-protected activities.

Uber claims that LA’s plan will violate California’s Electronic Communications Privacy Act, a law passed in 2015 designed to prevent law enforcement agencies from accessing people’s data without a warrant.

Uber is the last holdout. Companies including Lime, Spin and Lyft are complying with the city’s data requirements, in spite of California’s Legislative Counsel having determined that the location data requirement could be violating the law.

Uber’s suit against LA was filed along with a temporary restraining order so that it can keep its scooters in the city while the case plays out.

In a statement it put out in response to the lawsuit, the LADOT threatened to yank the permit that keeps Uber’s scooters zooming around:

LADOT has the responsibility to manage the public right-of-way, ensuring safety and access for everyone. To be effective, the department requires reasonable information about the tens of thousands of shared vehicles operated by transportation technology companies that use our streets for profit.

While all other permitted scooter and bike companies are complying with our rules, Uber has repeatedly refused. L.A.’s requirements have been clear since last November, and Uber agreed to abide by them. By 5pm tomorrow, we expect Uber to come into compliance or they will face suspension proceedings, which could eventually lead to revocation of their permit.
