Citizen Privacy and City Oversight Needs Are Compatible: Our views from the California Senate hearing
Yesterday, we joined the California Senate informational hearing on transportation and privacy issues in shared mobility data use. Along with city representatives, the ACLU, the EFF, and more, we voiced our concerns around surveillance of micromobility riders and the need to protect individual privacy while allowing cities the information they need to manage mobility. Below is a statement given by me, Morgan Herlocker, during the public comment period. More background for this hearing is linked here.
—
I am a software engineer at SharedStreets, a non-profit working to enable more data to be shared about our street networks between government agencies and private entities.
At SharedStreets, we believe agencies need data on mobility operators, have a right to collect it, and we have personally helped to enable them to do so.
I became concerned about this issue last year when I began to see city-created data policies regarding MDS processing that would allow for re-identification of users, despite claims that the data was de-identified.
I began investigating already public mobility data feeds following these practices and confirmed that several did not properly anonymize trips, including one that allowed me to identify trips between a high school and a nearby planned parenthood, in the middle of the school day, with +-7 minutes of precision.
Other researchers have used data just like this to stalk celebrities, identify vulnerable religious populations, and even track protesters at last year’s Women’s March, as reported by the NYT last month.
Over the last year, I found numerous additional vulnerabilities in these systems, allowing me to track nearly 1 billion trips generated by millions of riders globally in real time, from my home computer.
Last week, the California Auditor found similar data generated by ALPR systems was widely shared inadvertently with thousands of federal agencies & private entities, including ICE, CBP, and Palantir, due to incomplete security policies and insufficient tracking of data sharing agreements.
At SharedStreets, we partnered with Sacramento to build a system that allows cities to meet their regulatory responsibilities without putting personally identifying data at risk.
The software we developed is not novel. We used industry best practices developed by entities with decades of experience, including The US Census Bureau, Google, and academic researchers and think all agencies should be held to those same best practices when handling sensitive information.
We believe that cities can and should develop data collection infrastructure. This work must be paired with commensurate technical and policy infrastructure that ensures that individual trip data is properly aggregated and cannot be used to compromise citizen privacy.
Thank you.
—
