Los Angeles Residents’ Location Privacy at Stake in Ninth Circuit Case About Mobility Data
March 7, 2022
by Thomas McBrien, EPIC Law Fellow
Tomorrow, the Ninth Circuit will hear oral argument in Sanchez v. Los Angeles Department of Transportation, a case affecting the locational privacy rights of people who use e-scooters and ride-hailing apps such as Uber and Lyft. In the case, L.A. residents are challenging a regulation that requires e-scooter companies to provide the government with detailed location tracking data for each scooter ride taken in the city. Like other mass location surveillance programs, the L.A. mobility data tracking program threatens to expose and memorialize where people live, work, play, worship, obtain medical services, and engage in other potentially sensitive activities.
The Mobility Data Specification (“MDS”), L.A.’s system for funneling data from companies to the Department of Transportation, has insufficient privacy protections given the highly sensitive nature of location data. MDS is one example of “smart city” surveillance technologies cities are increasingly adopting.
EPIC and the Center for Democracy & Technology submitted an amicus brief in the case urging the Ninth Circuit to protect L.A. residents’ locational privacy. In our brief, EPIC and CDT explained that L.A. can use mobility data to inform transportation policy decisions while also protecting the privacy of individuals.
L.A.’s Mobility Data Surveillance Program
When someone rides an e-scooter, the government should not be able to surveil their every movement. But this is now a reality for L.A. residents after the city implemented a regulation that requires e-scooter companies to provide GPS tracking data to the government through a set of application programming interfaces (“APIs”) called the Mobility Data Specification (“MDS”). MDS standardizes mobility data so cities and the companies that work with the data can more easily ingest and analyze information from multiple e-scooter companies. E-scooter companies must use MDS to provide L.A. with the start point, end point, route, and time of each ride taken.
MDS has some measures to protect privacy, but they are insufficient given the sensitive nature of location data. MDS, for example, does not include riders’ names or account information. L.A. claims that this feature makes rides anonymous. But rides cannot be truly anonymous when the government collects precise information about each route. With only a little time and effort, it is possible to infer some riders’ identities based on patterns in the data or combining the data with other sources of data, similar to how people may be reidentified in anonymous datasets based on their cell phone location. The danger of reidentification of individual trip data is not theoretical: as an example, data sleuths were able to identify passengers from a purportedly anonymous set of NYC taxi trips by combining the trip data with other publicly available information. Those who use e-scooters most frequently, such as low-income residents who cannot afford their own cars or taxis and who may be underserved by public transportation, are especially at risk of reidentification. MDS could also have privacy implications for more than just e-scooter users: its creators have stated their desire to have MDS used for other services, such as ride-hailing like Uber and Lyft.
Controversy also surrounds the creation and governance of MDS. L.A. hired a consulting firm, Ellis & Associates, to come up with a solution to their mobility data needs. Ellis & Associates proposed MDS and a public-private consortium of cities and companies, the Open Mobility Foundation (“OMF”), to maintain and distribute the MDS standard and code. Meanwhile, Ellis & Associates was acquired by Lacuna, a private location-data company, which has since played a shadowy role developing MDS and governing the OMF. The city of Austin recently dropped out of the OMF due in part to privacy and transparency concerns with MDS.
Smart Cities Can Become Surveillance Cities
L.A.’s mobility data surveillance program is just one example of city governments adopting surveillance technology as part of the push for “smart cities.” Some city governments attempt to become “smart” by partnering with private companies to deploy technologies such as high-speed communication networks, sensors, and mobile phone apps to gather data. The data can inform decisions about energy and water use, traffic routing, law enforcement, and other municipal priorities, but, without the proper privacy protections, the data can also be used to surveil citizens.
For example, L.A. implemented MDS to address the rapid rise of e-scooters within the city. E-scooters bring benefits and disadvantages: while they can help citizens travel efficiently and cheaply, they can also clog rights-of-way and be dangerous to the public. L.A. claims to have implemented MDS to ensure scooters are accessible and safe while helping enforce laws against leaving scooters in the middle of roads and sidewalks.
Smart city data collection programs might help inform policymaking aimed at improving urban life, but without strong privacy protections, these data collection programs can also become surveillance programs. Smart city programs are subject to the same risks of abuse, mission creep, and biased enforcement that is already well documented with other kinds of surveillance. And technological solutions are not a panacea for social and political issues.
Cities around the country have realized the dangers of allowing police to use smart-city technology and are responding with bans to law enforcement use of facial recognition and other technologies. But such restrictions should not focus narrowly on law enforcement use of surveillance technologies. Surveillance programs can grow out of other agency data collection programs, even those that seem most mundane. For example, a proposal to install 39,000 energy-efficient, “smart” LED streetlights in San Jose quietly mentioned the capability to add cameras and microphones to the lights in the future. And recent reporting showed that citizens’ utility data was sent to the abusive government agency Immigration and Customs Enforcement (“ICE”) without citizens’ knowledge.
Privacy Protections Can Keep Smart City Programs Aligned With Policy Goals
It’s possible to have both data-informed policy and robust privacy protection. Privacy-by-design, democratic control of smart-city technologies, and data trusts are mechanisms that can mitigate privacy risks and allow cities to pursue legitimate data-informed policy.
As EPIC and CDT explained in our amicus brief in the LA Department of Transportation case, cities like L.A. can use mobility data to inform policy decisions without exposing their citizens to as much risk of surveillance by adopting privacy-by-design techniques such as aggregation, sampling, and differential privacy.
Cities like L.A. do not need access to granular, individual mobility trip data to answer the types of policy questions they claim to have. Aggregated data would enable cities to answer important policy questions such as identifying commonly used routes, evaluating neighborhoods with higher or lower densities of e-scooters, and finding areas in which scooters are more likely to be illegally parked, but it wouldn’t expose individual trip routes like the current data collection scheme does. Instead, the individual trip data would either stay housed with the transportation provider or be placed on a secure server controlled by a third-party company. The government agency would submit queries to the off-site database and receive aggregated data in response. There are already third-party companies that provide similar services to cities that do not wish to collect and store individual trip data locally for privacy and security reasons.
Sampling is another privacy-protective technique in which a city looks at only a representative sub-portion of data to avoid exposing every trip. For example, if a government agency received a complaint that e-scooters were clogging a specific street during rush hour, the agency could request data about e-scooter information only at that place and time to identify how it could reduce density. Just like with the aggregation technique, government agencies would not have access to the full, individual trip data, which would be housed with the provider or a third-party company on a secure server.
Differential privacy could also help cities like L.A. reach their goals while respecting citizens’ privacy. This technique involves adding a controlled amount of artificial data to a dataset so that the overall insights from the dataset are maintained, but individual privacy is protected by the inability to distinguish real from artificial data points. This technique could be implemented along with aggregation to prevent potential re-identification from repeated queries.
Democratic control and community oversight can also help ensure smart-city technologies aren’t abused by private and public actors. Some cities are already using these mechanisms to curtail police surveillance. For example, the city of Oakland passed an ordinance requiring law enforcement to obtain permission from a Privacy Advisory Commission before procuring new surveillance technologies.
Finally, data trusts are an innovative solution that could be layered onto systems like MDS to reduce their privacy risks. Trusts are people or organizations with a legal duty to act in the best interests of their trustees. In this context, a trust with a legal duty to act in the best privacy interests of residents could hold the MDS data. The trust would then decide how, when, and to whom they will release scooter data. Such a trust could replace (or enhance) the third-party companies that already act as intermediaries between some cities and MDS data.
While L.A.’s aims are understandable, their means unreasonably expose L.A. citizens to privacy harms. By adopting some or all of the privacy-protecting measures discussed, L.A. could become a model for data-driven governance that protects its citizens. First, L.A. citizens must hope for a positive determination from the Ninth Circuit following this week’s oral argument.