By Nomi Conway
As scooter companies Spin, Bird, and Lime scramble to get scooters on the street, they are also racing to gather data, and have failed to take the time and steps necessary to properly address rider privacy. Now, in addition to protecting heads with a helmet, scooter riders also have to worry about protecting their personal information.
When you scan a QR code, you might not realize that you are really hopping onto a two-wheeled data-hoarding device that is collecting far more of your personal information than the product really requires. In the wrong hands, this information – which includes location data, photos, and driver’s licenses – can be harmful. The Trump administration is already exploiting local government data and purchasing location data from private companies in order to target immigrants, activists, and others.
Here are some key ways these companies should be doing better:
These scooter companies have persistent data tracking on throughout the ride, tracking your every move, from the moment you open the app until the end of your ride. This means that if you take a scooter to a political protest, or to a religious service, or to see a medical specialist, the scooter company is collecting that information.
The companies are also storing this data. Lime and Bird reserve the right to store your information for an undefined period of time even after you request to delete your account. And while all three vow they don’t directly sell data to third parties, they also reserve the right to share user information with third parties such as sponsors and business partners, and potentially advertisers.
Persistent data tracking is not necessary for the scooters to function. Ford GoBike doesn’t use GPS tracking during rides, and these companies don’t need to either.
These companies should also show more concern for rider privacy by minimizing the collection of unnecessary information like social media data, photos, and driver’s licenses.
When you log in to a Lime account through Facebook, Lime is actually getting access to your profile information, including your name and profile picture. Bird requires you to provide a photo of your driver’s license in order to unlock a scooter and encourages users to upload a profile picture in the app setting, too. None of this personal information is actually necessary to ride a scooter and companies shouldn’t be collecting it.
All of this collection and retention of sensitive personal information is especially concerning given that these scooter companies have created privacy policies with weak language on law enforcement requests. Spin, Bird, and Lime all admit that they may disclose user information based only on a “good faith belief” that they are required to do so.
By taking a weak stance on government requests for user data, scooter companies are increasing the risk that their growing database of rider photos will end up in the hands of government entities looking to bolster surveillance capabilities. A wider collection of photos enables ICE to monitor immigrants as they embark on new lives, and enables police to identify (and even arrest) political protesters. Considering these serious privacy concerns, scooter companies should be clear that they will require a warrant before turning over user information to the government and will challenge improper government demands. They should also have a clear policy to provide timely notice to users about government demands.
In addition to clear and robust, substantive policies, these companies should also display their privacy policies more prominently. Transparency helps to build user trust, and making privacy policies accessible and easy to understand is an important way to keep people informed.
Bird, Lime, and Spin also seem to have zoomed past developing a comprehensive security plan and communicating it to users. All three vow to secure your most sensitive data, including your financial data, but it’s not clear what precautions they actually take. Spin tells users about any internal data security policies, makes a vague reference to “bank level security” in its app, and highlights some data breach procedures, but these half measures are inadequate. Bird and Lime are silent on security matters and also explicitly reserve the right to transfer data to other jurisdictions that may not be governed by U.S. law. None of this is a good signal to send to people about privacy and data security. Companies that collect user data should always have a comprehensive security plan and build trust with users by clearly communicating these security practices.
So, the next time you see a scooter flying by you on the sidewalk, remember that these devices pose risks beyond cluttering the sidewalk, and consider how they stack up on privacy (see this chart for a comparison of privacy policies). If Bird, Lime, Spin, and any others who soon join the market want to be a permanent fixture in urban environments, they need to be doing a lot more to protect user privacy.
Nomi Conway is a Technology and Civil Liberties Intern at the ACLU Foundation of Northern California.