Laura Bliss is a staff writer at CityLab, covering transportation and technology. She also authors MapLab, a biweekly newsletter about maps. Her work has appeared in the New York Times, The Atlantic, Los Angeles magazine, and beyond.
The new mobility mode is generating a lot of rider data. It’s fair to ask where it’s likely to end up.
On a blue-sky day in Washington, D.C., dockless bikes are the ticket to ride. Key your credit card digits into any one of five dockless bikesharing apps, locate a candy-colored two-wheeler nearly anywhere in town, and unlock it with a QR-code scan. For just a buck or two an hour, you can cruise to your heart’s content.
Meanwhile, your personal data is also taking a little trip. From unlocking to relocking, your name, payment information, geographic location and route are getting beamed, via smartphone and a chip on the bike, to company servers. Where? It depends on which company you’re riding with.
If your bike comes courtesy of the Beijing-based companies Ofo or Mobike—the two dominant dockless players, now muscling their way into the U.S.—there’s a chance your data could eventually land in China, where the line between state and private sector is notoriously blurry. Some cybersecurity and data privacy experts think that could be a compromising position.
One concern: Personal and mobility data could conceivably be valuable from a counterintelligence standpoint. If a dockless bike-sharing app generated enough comprehensive GPS location data, “based on that data, you could look to see where I am and where I’m going,” said Anthony Ferrante, a former White House cybersecurity advisor and current head of cybersecurity at FTI Consulting. Examined alongside other account information, “you could also find out who my friends and family are.”
Whether you should worry about snagging a ride on a China-based bikeshare company’s cycle is definitely debatable. But Brooks Rainwater, director of the National League of Cities’ Center for City Solutions, thinks that issue should at least be raised. “The way these bikes are set up, you’re creating a wholesale understanding of how people are moving through cities,” he said. “When it comes to the question of how you treat companies from China, versus companies from the U.S., I do think there are fundamentally some national security concerns.”
Shared bicycles, untethered of stationary docks and available for pick-up and drop-off anywhere, seem like manna from Jane Jacobs heaven. An alternative for short trips city dwellers might otherwise make by car could relieve traffic congestion and put more dollars in commuter pockets. For their “revolutionary” and “transformative” potential, dockless bikes have drawn comparisons to the advent of ride-hailing and even the internet itself. “Bikes plus smartphones…might just be enough to usher in a new golden age for cities,” Felix Salmon recently wrote at Wired.
In China, where the dockless model was pioneered in 2014, the shared bikes now number a staggering 16 million, according to a recent study. There, super-dense urban populations and a laissez-faire approach to new companies competing in city streets have allowed dockless bikes to take off (and in some cases, pile up).
Dockless bikesharing, much like ride-hailing, is built on data-sharing platforms. The business model is to collect user data, retain it for company purposes, and sometimes share it with third parties; the apps that these firms issue are essentially “data-gathering machines,” as Josh Cohen recently wrote in CityLab. Especially when yoked to other types of consumer information, such as spending habits, credit histories, and addresses, rider data could be a valuable commodity to private companies. Dockless bike-sharing doesn’t seem to be profitable yet, but the potential is a big part of the draw for investors.
Ofo, which claims to operate more than 10 million bikes in 250 cities around the world, has raised $1.3 billion to date, with the Chinese online retail giant Alibaba as its primary backer. Mobike has raised about $1 billion, led by Chinese online messaging and gaming powerhouse Tencent. It says its orange-rimmed two-wheelers are rolling in 200 cities worldwide, including Washington, D.C.; Ofo operates in D.C., Seattle, Dallas, Los Angeles, Boston, and at least 15 other cities.
The question is: What’s happening to their data?
By signing up, accessing and/or using the Services, you expressly consent to our transmission, processing and storage of your information in locations outside the United States or your country or region of residence.
Some cybersecurity and data privacy experts say that this should be raising eyebrows.
In China, companies commonly share consumer data with the government. As the Wall Street Journal reported in a November 2017 investigation, Chinese companies—including Baidu, Tencent, and Alibaba, which have data on the identities, consumer habits, and communications of hundreds of millions of Chinese citizens—talk openly about working with government authorities on “law enforcement and security issues.” As has been widely reported, China is building out far-reaching digital surveillance systems, capable of drawing in and analyzing terabytes of data.
American companies operating in China, like Apple, must also make their data available for the government’s perusal. Although officials are supposed to supply reasons for proprietary data requests, no independent judiciary exists to review or approve them. Nor are there formal processes for companies to appeal these demands, the Journal found.
Some U.S. companies that have attempted to operate in China, such as Google and Uber, have found the costs and compromises of the government’s stringent data-sharing and censorship requirements too great to stay in the market. In the U.S., companies often resist such requests by the government. A company like Apple can rely on the justice system to spurn, for example, the FBI’s request to gain access to an iPhone belonging to the San Bernardino shooter. Currently, the Supreme Court is weighing whether police departments should be able to track suspects through phone activity.
“By and large, the U.S. has warrants and restraints on what [private information] the government has access to,” said Samir Jain, the former senior director of cybersecurity policy for the National Security Council and a current partner at the international law firm, Jones Day. “In China, there is much less control.”
To be clear, there is no evidence to date of dockless bikesharing companies opening up customer data to any government, with the exception of Mobike sharing data with Chinese city officials to help guide transportation planning. Responding via email, a Mobike representative said, “Mobike does not share or disclose any personal data to any third party without the users’ consent or in any way that is non-compliant with local data protection laws. Mobike prioritizes user privacy, and any data collected is anonymized before sharing with local, U.S. cities.”
Via email, Ofo representatives in the U.S. told CityLab, “We take consumer privacy extremely seriously and protecting the privacy of our users is [a] top priority. All of our US data is stored on servers located in the United States.” The company also explained that it has never shared any of its data with the Chinese government or any other foreign entity, nor has it ever received any request for data. And if it did, the company said it would push back.
Despite this assurance, Jain and others believe that the strong precedent and legal bases for the Chinese government’s access to consumer data should be cause for concern as dockless bikes roll across the U.S.—especially given China’s demonstrated interest in gathering intelligence on U.S. citizens.
Reached for comment on whether Ofo or Mobike’s data privacy policies were of concern, a District Department of Transportation representative told CityLab, “You certainly raise some interesting questions, questions that are probably better suited for the vendors and their customers. Thanks for bringing the matter to our attention.” The Seattle Department of Transportation had this to say: “How the individual companies share their users’ personal information is not dictated in the SDOT permit and is subject to agreement between the users and the companies. As we move to consider the next phase in the bike share program, we will consider data sharing requirements more broadly.”
Representatives in Dallas did not respond to requests for comment.
If all this sounds like unnecessary fear-stoking, you’ve got company. David Levinson, who studies transportation networks and technology at the University of Sydney, dismissed the notion of bikeshare security panic as pure jingoism. “From the people who failed to prevent 9/11, led us into the Iraq War, and have foisted airport security theater on the American public, we have the latest ‘Yellow Peril’ from China…. dockless bikesharing,” he wrote via email.
Investments by foreign companies in the U.S. are generally a welcome thing. Derek Scissors, a resident scholar at the conservative American Enterprise Institute focused on U.S. economic relations with China, closely follows foreign business activities that get blocked by the U.S. government due to national security risks. He doubts dockless bike-sharing companies pose any such threat. “Just because it’s big data that can give you a sense of transportation patterns—I don’t find that impressive,” said Scissors.
Still, he allowed, coming off the 2015 OPM data theft, in which Chinese government hackers breached the personal data of four million U.S. federal workers, there may be a larger problem. “The Chinese are trying to take our data,” he said. “So why would we want to let them buy it?”
While innovation has often flowed from Silicon Valley to the rest of the world—take the iPhone, Uber, even the Internet itself—dockless bikesharing is one example of how that flow is reversing, and it may be the start of a wave. Didi Chuxing, China’s leading ride-hailing company, is expanding into Mexico this year and has set up an R&D center in Mountain View, California.
Which information is sensitive, and how should it be protected? As zeros and ones become ever more ingrained into daily life, there may be no simple answers. But that doesn’t mean consumers, companies, and governments shouldn’t try to figure them out. That imperative may be stronger when foreign companies known to tango with state governments are in play.
Christopher Tong, a former graduate researcher at UC Berkeley who studied the global expansion of bike-sharing, recently wrote a Medium post about data privacy concerns related to dockless bikes and other new mobility services. Unlike China, which tightly restricts how and where consumer data is stored and used, “there has not been a discussion of forcing companies to keep the data within the U.S.,” he said in an interview. Dockless bikesharing companies, he insists, could be required to store domestic transaction data on servers within the United States.
Local and state authorities could also attach more legal requirements to data collected by private companies, as the E.U. has. Andrew Burt, the chief privacy officer at the data science software company Immuta and a visiting fellow at Yale Law School’s Information Society Project, said that companies could also use privacy-enhancing techniques to protect the identities of individuals, as Apple is doing.
These sorts of interventions might make all that dockless bike data a little less valuable to companies and their investors. “There’s always a trade-off between privacy, security, and utility,” Burt said. “The question is how to find the balance.”
After all, even innocuous-seeming data can reveal more than consumers, or even companies, expect. Just look at the case of Strava, the popular fitness tracking app and “social network for athletes.” Last month, an Australian university student discovered (and tweeted) that the company’s “Global Heatmap” inadvertently exposed locations, layouts, and even personnel of overseas military bases and spy outposts around the world by charting the routes of millions of jogs, walks, and bike rides. All of that data had come from fitness fans (including soldiers) who’d “opted in” to the app’s user agreement—which Strava pointed out, as it came under considerable fire from Congress and the U.S. military.
To be sure, the U.S. government has its own long history of surveilling private citizens. Private data exposures are hardly limited to China-based companies—just look at homegrown debacles like the vast Equifax breach, Uber’s past year, or any of the other big 2017 hacks involving retailers, voting data, and email passwords. True digital “privacy” may be akin to magical thinking in the 21st century. “Data is and will be stored and accessed by our ‘friends’ and our ‘rivals,’” said Levinson. “The NSA will track the metadata on your phone call in any case, even if the Chinese don’t get a fractional sample of some bike-share users.”
In other words, most of us consumers have ceded our data privacy long ago. We happily continue to, with each new text message, app download, credit-card swipe, and “smart home” appliance. When it comes to national security concerns, bike-related data misuse probably represents a minor threat, far behind climate change, the resurgent risk of nuclear annihilation, or even the rising number of car crash fatalities.
By bringing cheap, accessible car-free commuting to scale, dockless bikes offer a means of addressing at least one of those issues—albeit at some cost to riders’ privacy, illusory as it may have always been. Ultimately, entrusting our personal data to a server somewhere behind the borders of a frenemy superpower is the kind of thing we do these days; it’s a reflection of the choices and compromises consumers have been willing to make in the pursuit of convenience. Let’s just hope we haven’t chosen poorly.