Debunking MDOT’s anti-privacy argument

7 Aug 2020Press-release

This is a companion piece to this op-ed about our fight with Moscow’s Department of Transportation over providing sensitive passenger data. We wanted to explore three possible objections to our position, as well as share an overview of relevant legal cases.

Objection #1: the government has a legitimate reason to request this data.

Moscow’s DOT claims that the data will help them with three things: health & safety, traffic analysis, and infrastructure planning.

Taking those in order:

  • Safety. DOT first required that taxis feed live location data into their ‘God View’ system (ERNIS) in early 2017. Taxi accidents subsequently rose by 50% (‘17 to ‘18), and 80% (‘18 to ‘19). In contrast, the overall growth of taxi rides from 2017 to 2019 was just 25%. We have not been made aware of any positive safety improvements made possible by this data.

  • Traffic analysis. We’ve been provided no rationale from DOT as to how our data would meaningfully add to what they can get from satellites and traffic cameras. And given DOT’s history of arbitrary anticompetitive rulings (shutting us down in April, restricting pickups during the World Cup, etc), it’s difficult to take this idea at face value.

  • Infrastructure planning. We agree that travel pattern data helps with public transportation improvements. But this data doesn’t need to be live or very precise, and anything Wheely could provide here would be very, very small compared to existing datasets. (That said, we’re happy to provide the aggregate data in a safer and less intrusive form.)

Our position is thus that no legitimate reason exists for us to provide live data that can be used to identify individual riders and track their movements.

Objection #2: in other countries, ride-hailing apps already disclose the same data.

They absolutely do not.

When the Los Angeles Department of Transportation (LADOT) asked Uber for this data for their rental bikes and scooters, Uber’s Global Head of Security and Privacy said:

“We’ve only had two government agencies ask us for this kind of information, one was LADOT — the other was Egypt’s intelligence service.”

Egypt ended up passing a much narrower law than first conceived, largely because of parliamentary concern about passenger privacy. National security bodies were limited to making one-off requests for rider data, and only for up to six months. (They’ve tried to push for more, and have been met with continued resistance.)

Something similar unfolded in France, where the Senate stripped out a provision that would have granted some location tracking. Senator Jean-Fraçois Rapin expressed (translated from French) that ‘none of the government’s objectives justify the periodic transmission of trip data to a single administrative authority, even if anonymized’. He also added that essential data collection efforts ‘should be accompanied by more solid legal guarantees.

The normal policy otherwise is that ride-hailing apps will only provide location data for specific rides when presented with an uncontroversially-legal government request (often a subpoena or warrant).

As for LADOT, the bike/scooter data rule is still being litigated, and no city has been successful yet in getting similar data for other modes of private transportation. (Our sense is that cities are waiting for the results of that program, just as they’re looking at results of legal cases like ours. Any victory will make them bolder.)

Objection #3: loction data doesn’t personally identify anyone and isn’t a big deal.

This is also demonstrably untrue.

The head of Moscow’s DOT claimed last year that they couldn’t identify anyone from the data provided by taxi and metro sources, as it was all anonymous. But this is the same argument as saying ‘we can’t identify you from your date of birth alone’. The issue is how easy it is to mix data points together to de-anonymize individuals.

How easy this is has been proven time and time and time again.

Quoting from The New York Times:

“Describing location data as anonymous is ‘a completely false claim’ that has been debunked in multiple studies, Paul Ohm, a law professor and privacy researcher at the Georgetown University Law Center, told us. ‘Really precise, longitudinal geolocation information is absolutely impossible to anonymize.’‘D.N.A., ’ he added, ‘is probably the only thing that’s harder to anonymize than precise geolocation information.’

Location data is incredibly sensitive. Even the US Supreme Court has required that government agencies get a warrant before requesting location-based cellphone data because of how easy it was for federal agencies to mix datasets together. And Russian law enforcement can only request location data for missing minors after getting written parental permission and notifying a court. Shouldn’t the standard be higher for adults who aren’t missing?

It’s also worth noting that Moscow DOT’s ERNIS system doesn’t allow for the encryption of location data, meaning that data from participating taxis is accessible to anyone listening. This puts few limits on who can infer things like where you work, where you play, where you practice religion, whose houses you visit frequently, and when you’ve been to sensitive medical offices.

This is not a world Wheely wants to enable. We are for getting you where you want to go safely. The rest should be entirely your business.