*Updated on 11-Apr-2019 to include more resources
Conversations At The Intersection Of IT Security And Society
Melanie Ensign, Uber | Bennett Cyphers, EFF
Sean Martin | Marco Ciappelli
Pretend for a moment that you are crushing it on Sunset Blvd. on one of those electric scooters that are all over the place in Los Angeles. You're minding your own business, enjoying yet another sunny day, going wherever you want to go, and nobody needs to know about it. Right? Wrong. The Los Angeles Department of Transportation (LADOT) is on the scene. Apparently, they really want to know what you're up to—or at least what your scooter is up to. There’s more to this story though.
In this Unusual Gatherings episode, we talk about data collection, anonymization, sharing, re-aggregation, storage and the potential utilization of such data and, of course, what it means in terms of consumers’ privacy and identity as we use those services.
We are having this conversation because LADOT is requesting that all the shared scooter companies give them all the data they collect as a condition “sine qua non” if they want to do business on the streets of L.A. As you can imagine, this requirement to share ride information makes us citizens—regardless of the choice to use those specific types of transportation or not—a little worried for the many ways that our privacy can be affected by this practice. As it goes, we are not the only ones who are concerned: the Electronic Frontier Foundation (EFF) didn’t celebrate when they heard the news—and neither did Uber.
In order to understand and consider the vast implications of this news, we invited Melanie Ensign from Uber and Bennett Cyphers from EFF to ride their electric scooters as fast as they could—and as carefully as possible—to meet us at the intersection of IT security and society to have a conversation with us. Soon after our request, they arrived, parked their scooters responsibly, grabbed some coffee, sat down, and had this conversation that goes in our books as:
ITSPmagazine’s Unusual Gatherings XXVI:
All your trips’ data belong to us — and so does your privacy.
We started by pinpointing and understanding why the LADOT request was so alarming for our privacy as individual citizens and our society as a whole. This move appears to be step one of a plan where the ultimate goal is to get their hands on all data collected on every ride share, delivery business, autonomous vehicle system, and pretty much everything that moves in the city at a commercial level.
The amount of information that LADOT is hoping to collect is quite extensive, and there is a high level of uncertainty with regard to what will be done with the data once received.
According to our guests, if this was not enough to be worried about, the loudest of the alarms are sounded by the fact that all the information in question is supposedly destined to be sent to, not LADOT, but a third-party data aggregator—a company that the city of Los Angeles has contracted with.
So with all these conversation starters, we find ourselves following up with many questions.
What will happen to the data collected? How will the data be treated? What can, and cannot, it be used for? What kind of security and encryption is used to protect this treasure trove of data? How can a citizen and user of those services opt in or out from such collection, sharing practice, and subsequent usage/accessibility of such data? These are just a few of the many questions we had.
This kind of phenomenon doesn’t seem to be unique to the city of L.A.; it is happening in many other cities. EFF told us that the city of New York has been collecting all sorts of information for years from the cabs operating in the city. What is mind-blowing about this fact is that the data collected is subject to public access requests, which means that if anyone wants it, they can have it. They just need to ask for it.
In fact, we have been told the story of a journalist who requested all the data available for an entire year and got back a massive file that was “supposed to contain anonymized data” but that in reality was not too complicated to re-aggregate by cross-referencing and matching it with some other information. As an example, a paparazzi photo sent from a well-documented event connected to a cab ride from a particular location to the ride's endpoint could easily give away the private home location of the celebrity in the picture. Yes, it is that easy—that and so much more.
Furthermore, to the point of this expanding well beyond Los Angeles, LADOT has the vain goal for their Mobility Data Specification (MDS) project to become The Data Standard and API Specification for all mobility-as-a-service providers to follow for all other U.S. cities. The project is on GitHub, and if you want to look at it, the link is in the resources section below the podcast. Now, should a public project like this be on a public, open-source platform? Does that sound right to you? Did you get the chance, as a citizen, to share your thoughts on this decision? Perhaps this is a conversation for another podcast.
One must wonder if the next natural step for this project is to go above and beyond dockless bikeshares, e-scooters, and shared ride providers’ information such that it taps directly into resident devices that have GPS capability, as we do not even need to ask them directly. Our personal data and the whole of our identity is already being collected and stored in so many different repositories that, regardless of intention (good or bad), people who are interested in this information do not even need to get it directly from the users. Data can be requested or accessed from different entities, triangulated and aggregated to result in a clear user profile, creating a dystopian scenario too real to even think about writing a Sci-Fi novel about it. It’s too real and too easy.
For a change, let's assume well-intentioned scenarios and look at a perfect world instead of the dystopian consequences. A standard for data sharing in a future (well, let’s go with the present) smart city can undoubtedly have a series of positive effects on the safety and the overall functionality of the cities' infrastructures. A common platform that allows and regulates all the companies operating in a city can facilitate such a process and be of immense benefit for the functionality of the city and the safety of its citizens—a centralized and standardized model. However, that doesn’t make the big problem we are facing here go away; in fact, it could exacerbate the problem. Why? Because on its own it lacks citizen-approved regulation, transparency, and details for how, when, and if a third party will use the data.
In the European community (regulated by GDPR), we have a situation where all public agencies are subjected to the same regulations and requirements that the commercial entities must follow, which means that even if a company such as Uber shares user data with a city, the user knows that their data will be subjected to the same privacy standard. On the other side of the Atlantic, however, citizens don't have the same level of protection when their data is in the hands of a public agency. This lack of control creates an uncomfortable situation where the customer of a commercial entity cannot have the guarantee that their data will be treated the same way when shared with a public agency. This is a pretty big issue and one of the main reasons why we had this conversation.
We might think that the proposed California Consumer Privacy Act (CCPA), which is focused precisely on the protection of consumer data from being shared, sold and used in ways that the consumer hasn’t agreed to—and still up for discussion in many ways—could be the answer to this problem. However, this is not the case. As it is, the CCPA does not apply to government agencies, but only to commercial entities. Therefore, it has no legal role in helping with this particular matter, which leaves the consumer in a very uncomfortable limbo. Of course, it's only uncomfortable if they even know what's happening.
So where do we stand as consumers if this initiative goes further?
We are in a place where:
We have no means to say anything on the matter, and there is no way to opt in or out of the data collecting/sharing scheme
We do not know where our data goes and what becomes of it once it leaves the direct entity (aka, the commercial entity in this case) with whom we had an agreement
We have no guarantee—nor any idea, really—what security controls will be used to protect our personal information once these entities start circulating it to third, fourth, or “nth” parties for re-aggregation purposes.
One doesn't have to be a meteorologist to forecast that our everyday lives that are zipping along on electric scooters in sunny Los Angeles could turn into a cloudy, stormy and quite dangerous weather situation.
This recap could end now, but it wouldn’t represent who we are if we didn't mention a moral compass that points to that place of limbo where no one wants to be. So what about ethics? Glad you asked.
If you have been participating or following our conversations here on ITSPmagazine, we have learned that the technology challenges associated with privacy and humans, for the most part, are not really “technology” problems. Instead, these challenges involve a multidisciplinary decision-making process where technology is the tool and the humans are those that build, use and should control such a tool. Go figure, right?
So where do morals and humanity stand on this topic? Some might even wonder if this is a relevant question because it may look like people do not care anymore about privacy. Maybe they do, but they think there is nothing they can do about it. With all the unfortunate news picked up by the popular media about data breaches, companies caught collecting and sharing data without users’ permission, and all sorts of IoT devices and apps that are full-on tracking and spying, it is easy to think that there are no other options than to give up.
After all, our data are all over the place and our identity is already a puzzle able to be reconstructed anywhere and anytime it is needed, and city officials might honestly think about collecting all of it to make the residents' lives better with no malicious intent. If this is the case, are we all just going to let it happen without standing up for our privacy? Hopefully not! Privacy is not dead. Sure, it has been attacked and compromised, but it is definitely not six feet underground. We all need to fight to make things better right now. We must lay the foundation for a future where we, and the next generation that follows, have full control of our personal data.
When we make new rules and regulations, we must think about the future that we want. Laws should not be a ceiling, but rather a floor on which to build privacy, legality, transparency, and the right of ownership and choice for our data, stronger than before because the right to privacy is the right to freedom.
What’s your position on this subject? Do you care? Have a listen to what Melanie, Bennett, Sean, and Marco have to say and look at some of the resources below … then decide.
Talk Show Resources
Motherboard first reported on this: Scooter Companies Split on Giving Real-Time Location Data to Los Angeles
Additional commentary from Motherboard: EFF Says LA’s Scooter Location Data Could Unmask Individual Riders
EFF Call-To-Action: Tell the City Council to put the brakes on LADOT’s rider surveillance program
Interesting to watch this video of an LA Metro executive bragging about how his new role heading up the Office of Extraordinary Innovation is to "break the rules."
Putting Car Culture in Reverse with LA Metro’s Office of Extraordinary Innovation
A Few Notable Tweets
“Location information, especially aggregated over time, is extremely sensitive. Human mobility patterns are highly unique, so this data can be used to determine the identity of real people," says EFF's Jamie Williams. @LADOTofficial needs to safeguard it. https://t.co/9SwkkS8p6i — EFF (@EFF) March 20, 2019
eff thinks the sort of real-time location data being collected by Bird and Lime scooters in Los Angeles could be de-anonymized and identify individual users. eff identified an individual's route with new york bike share data, for example https://t.co/mMoFmZOyVy — Joseph Cox (@josephfcox) April 11, 2019