Skip to content
Naked Security Naked Security

Uber to file federal suit against LA over users’ real-time location data

Real-time, in-trip geolocation data isn't good for traffic/bike lane planning, a draft of the suit says. What it's good for is surveillance.

Uber is poised to file a federal lawsuit over Los Angeles’s demands for what the company (as well as privacy advocates and, presumably, state law) consider to be the city’s privacy-invading demands for real-time location data of its users.
Uber provided an embargoed draft of the lawsuit, which a spokesperson said the company will file later this week.
Uber had already threatened to sue the city in October 2019 after the LA Department of Transportation (LADOT) instituted data demands on ride-hailing, scooter/bike-sharing companies. Uber wound up delaying that suit as it tried to hash things out with the city. LADOT suspended Uber’s permit, but it still allowed Uber to operate its scooters during the discussions.
Uber had presented a compromise: we’ll give you location data, but only 24 hours after trips start and stop, it proposed. That will give LADOT data to use for traffic planning, but it won’t affect user privacy, Uber said. As well, it would, at least potentially, give the company at least a small window of time in which to challenge a specific LADOT request, which is impossible to do when the city demands data in real-time.
According to its federal lawsuit, that wasn’t good enough for LADOT. Uber’s counsel said in the suit that they suspect that the proposal merely galled LADOT. At any rate, on 25 October 2019, LADOT suspended Uber-owned JUMP’s permit and ordered its bikes and scooters off the streets lest they be swept up by the city’s trash collectors.
What’s so special about real-time data, unless – this is Uber’s speculation – perhaps for surveillance purposes?
This isn’t an answer – LADOT hasn’t been able to give one – but in general, LA wants the data for a new data standard called the Mobility Data Specification (MDS).
MDS is based on a standard set of application programming interfaces (APIs) through which mobility companies are required to provide real-time information about how many of their vehicles are in use at any given time, where they are at all times, their physical condition, anonymized trip start and stop times, destinations, and routes, among other data. Besides LA, other cities now using MDS to collect data to manage their own dockless vehicles include Seattle; Austin and San Jose in Texas; Santa Monica, CA; Providence, RI; and Louisville, KY.
LA, like other cities, is trying to pull data from newly chaotic traffic situations in which Uber and Lyft drivers are whizzing around, picking up, dropping off or waiting for fares, while city buses, bicyclists and scooter riders – some using rent-by-the-hour bikes and scooters – jostle for space.
The request for real-time location data is in a policy the city instituted in September 2018 for dockless scooters. While other companies in the industry – including Lime, Lyft, Bird and Spin – have complied, Uber has refused, saying that demanding real-time location data is taking it too far.

Privacy experts agree with Uber

Privacy experts have backed Uber up on this. While LA promises it’s anonymizing the data, not collecting personally identifiable information (PII) such as name, age, gender or address, that really doesn’t matter. As has been demonstrated time and time again, Big Data can be dissected, compared and contrasted to look for patterns from which to draw inferences about individuals. In other words, it’s not hard to re-identify people – or cats, for that matter – from anonymized records.
The Center for Democracy & Technology (CDT) has said that LADOT’s collection of location data has the potential to seriously jeopardize riders’ privacy:

People’s movements from place to place can reveal sexual partners, religious activities, and health information. The US Supreme Court has recognized a strong privacy interest in location data, holding that historical cell site location information is protected by the Fourth Amendment warrant requirement […] Even de-identified location data can be re-identified with relative ease.

The Electronic Frontier Foundation has added to that list of sensitive PII that can be determined from tracking people:

Los Angeles riders deserve privacy in the bike and scooter trips they take – be they for work, medical appointments, social engagements, prayer, or other First Amendment-protected activities.

There are Fourth Amendment issues against unreasonable search at stake here as well, Uber claims: the company says that LA’s plan violates California’s Electronic Communications Privacy Act (CalECPA): a law passed in 2015 designed to prevent law enforcement agencies from accessing people’s data without a warrant.
Uber does share scooter location data with several cities. It’s the “real-time” part of LADOT’s demands that it’s balked at.
According to the draft of the federal lawsuit Uber is planning to file on behalf of its scooter division, JUMP, when LADOT had a chance to explain why it requires time-stamped geolocation data in real-time, it was stumped. It “dissembled,” as Uber’s legal counsel put it, and “its reasoning collapsed.”
That’s simply because there’s no good reason for LADOT to require it, the lawsuit maintains:

Real-time in-trip geolocation data is not good for planning bike lanes, or figuring out deployment patterns in different neighborhoods, or dealing with complaints about devices that are parked in the wrong place, or monitoring compliance with permit requirements
What it is good for is surveillance.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


It’s like puzzle. This piece couldn’t identify you, that piece couldn’t say who are you too. But altogether, your’re identified and knowing who you’re.
If your so called anonymous data in this and that “big data” categories, there’ll be higher chances that you’ll be identified.


This is a classic case of the thin end of the wedge – if you give them this info for this purpose, somewhere down the road we’ll suddenly find that the police, city hall etc have been slurping up the same data for their own reasons.


On a related point, what do you think of the idea of tracking infected covid-19 patients by their last 14 day geolocations? Taiwan did it, with great success, as did Isreal and Singapore.
Pros: Get the virus under control by strict tracking of infected patients in order to find other potential carriers.
Cons: Loss of privacy might cause some people to not self-report.
I’m with the loss of (temporary) privacy crowd here; but just so long as it’s temporary and necessary.


why don’t they just ask goog for the data? they have all traffic monitoring real time. Orrrr, may beee they don’t really want “traffic” data.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!