Unchecked Smart Cities are Surveillance Cities. What We Need are Smart Enough Cities.

We can have beautiful cities without turning our cities into surveillance cities.

Cities across the U.S. are forcing operators of shared bikes and scooters to use dangerous and privacy invasive APIs developed by the Los Angeles Department of Transportation. These APIs—collectively called the “mobility data specification,” or MDS—require that operators share granular location data on every trip taken. The location data that cities are demanding is incredibly sensitive and relates to the movements of real people. And some cities, like Los Angeles and soon Santa Monica and Washington, D.C., even require that the data be shared with a five-second delay—essentially in real-time.

The local authorities demanding access to individual trip data are failing to comply with existing privacy protections in the law. Meanwhile, cities cannot point to even a single use case to show why they need access to the individual level trip data. That means cities are recklessly and illegally stockpiling sensitive location data that they do not need.

As City Lab’s recent investigative deep-dive into MDS reports, LADOT’s APIs were designed to enable cities to operate as the air traffic controllers of our streets—to send out real-time route instructions and control the path of individual vehicles. That vision is not only unrealistic, but it would necessitate real-time surveillance of all of our movements on city streets, no matter our mode of transportation. What some cities are trying to paint as a vision of a future utopia is actually just a scene straight out of Minority Report

Think this won’t impact you if you don’t use shared bikes or scooters? Think again. Cities hope to use MDS as a model for regulating all forms of connected vehicles—including cars—in the future.

In California, EFF is asking the legislature to step in and protect Californians from LADOT’s invasive APIs—by placing sensitive individual trip data off-limits for planning purposes, and by limiting local authorities to aggregate and deidentified trip data. Such guardrails are necessary to protect the privacy interests of people who rely on shared mobility devices, and to clearly tell local authorities that they do not have a free pass to operate outside of the law.

As we told the legislature last month during a hearing of the Senate Transportation and Judiciary Committees, when cities start demanding individual level trip data, they are no longer just smart cities—they are surveillance cities. Turning our cities into surveillance cities is not necessary to achieve the laudable planning goals of city and regional transportation agencies. What we need are ‘smart enough cities’—cities that harness the power of data and technology in a way that respects everyone’s privacy interests.

Why Cities Are Collecting Data

Local transportation planning agencies across the country are currently demanding that operators of shared mobility devices turn over individual trip data as a condition of getting a permit to operate within their jurisdictions. They hope to someday obtain the same data for other forms of transportation

The local authorities making these demands are not balancing their planning goals with the privacy interests of residents who rely on these new modes of transportation. And they do not even seem to believe that individual level trip data is personal information. In a letter opposing a location privacy bill sent last June, five California cities argued that removing “customer identifiers” like names should be enough to protect rider privacy. That is simply not the case. Human mobility patterns are highly unique, and that makes anonymizing location data a notoriously difficult technical challenge. Studies have shown that when it comes to location data, removing names is not enough to protect privacy.  

City Demands for Individual Level Data Violate Existing Laws

The local authorities demanding individual trip data are violating multiple privacy protections in existing law. In California, for example, they are failing to comply with the California Electronic Communications Privacy Act, which provides that a government entity shall not compel the production of electronic device information from any person or entity other than the authorized possessor of the device, except in specific circumstances not present here (such as when they have a warrant). They are also failing to comply with the California constitutional right to privacy, which prevents governments from collecting and stockpiling unnecessary information about Californians, and “‘from misusing information gathered for one purpose in order to serve other purposes[.]”

Local authorities demanding individual trip data are also failing to comply with the Fourth Amendment. The Supreme Court was clear in Carpenter v. United States that location data is incredibly sensitive personal information, and that it is protected by the Fourth Amendment’s reasonable expectation of privacy. And in the administrative search context, the Court requires that subjects of searches have an opportunity for a neutral decision maker to weigh in on the legality of the search before complying. The MDS’s ongoing searches of operators’ trip data provide no such opportunity for review.

Courts have already been clear that similar searches violate the Fourth Amendment. The Southern District of New York held in 2019, for example, in a case involving New York City’s demand for Airbnb user data, that “[existing] Fourth Amendment law does not afford a charter for such a wholesale regulatory appropriation of a company’s user database.” Cities are ignoring Fourth Amendment precedent with their invasive and unreasonable demands for individual trip data.

Cities Do Not Actually Need Individual Level Trip Data

What’s more, the cities demanding access to this sensitive location data have not shown that they actually need this data. At EFF, we have yet to hear a single use case that would necessitate it.

The key for transportation research and city planning is patterns of movement. Cities don’t need time-stamped route information for a specific individual; they need to know where most people go, and when most people go there. That’s why there are so many data aggregators out there helping cities make sense of all the data they are getting. Data on individual level trips is not necessary or even useful to cities for city planning purposes. The idea that “you will never know what you might find until you have the data” is not compelling when you are talking about incredibly sensitive personal information, like granular location data. It might be interesting for cities to force their residents to all wear GPS ankle monitors so they could better understand residents’ mobilities, but that doesn’t mean they should be allowed to do so. There have to be limits on cities’ ability to collect sensitive location data.

For enforcing scooter caps and equitable distribution of scooters, cities don’t actually need trip data at all; all cities need is data regarding where scooter are parked. Data about specific scooter locations when they are not tied to individual trips does not raise the same privacy concerns as when they are tied to the movements of particular individuals. 

To ensure the veracity of data, there are technical auditing solutions that can be implemented on the operator side to avoid the need for sensitive data to change hands. Cities can also pass rules that impose liability for providing inaccurate or false data, and then enforce those rules with auditing and monetary penalties—all without any harm to privacy.

We want to be clear: we do not think that cities should be blocked from accessing all data whatsoever. At EFF, we agree that local public agencies should be able to collect some data in order to ensure that new transportation devices are deployed safely, efficiently, equitably, and sustainably. But local agencies do not need to collect sensitive, personally identifiable information about riders in order to achieve their goals. Civic planning authorities can and should be using sufficiently aggregated and deidentified data—data that is incapable of being tied back to an individual rider, even in combination with other data. This is the solution for ensuring that privacy is not sacrificed in the name of transportation planning. 

We Need Clear Limits From the Legislature

We can have beautiful cities without turning our cities into surveillance cities. And what we need to get there are clear limits from the Legislature that rein in efforts by local authorities to obtain access to sensitive individual trip data.

https://www.eff.org/deeplinks/2020/03/unchecked-smart-cities-are-surveillance-cities-what-we-need-are-smart-enough