Typically we expect Uber to be on the wrong side of a privacy debacle. But this week, they claim to be defending the privacy of its users from the LA Department of Transportation. Meanwhile, the Ontario Science Centre experiences a data breach that exposed the personal information of 174,000 individuals. Are the upcoming state-level privacy laws the answer to consumers privacy concerns?
Uber claims LA’s data-tracking tool is a violation of state privacy laws.
LA Department of Transportation (LADOT) wants to use Uber’s dockless scooters and bikes to collect real-time trip data. But, Uber has repeatedly refused due to privacy concerns. This fight is coming to a head, as on Monday, Uber threatened to file a lawsuit and temporary restraining order (Source).
Last year, the general manager of LADOT, Reynolds began developing a system that would improve mobility in the city by enabling communication between them and every form of transportation. To do so, they implemented a mobility data specification (MDS) software program, called Provider, in November that mandated all dockless scooter and bikes operating in LA send their trip data to the city headquarters.
Then, a second piece of software was developed, Agency, which reported and alerted companies about their micro-mobility devices. For example, it would send alerts about an improperly parked scooter or imminent street closure (Source).
This would mean the city has access to each and every single trip consumers take. Yet, according to Reynolds, the data they are gathering is essential to manage the effects of micro-mobility on the streets. “At LADOT, our job is to move people and goods as quickly and safely as possible, but we can only do that if we have a complete picture of what’s on our streets and where.” (Source).
Other cities across the country were thrilled by the results and look to implement similar MDS solutions.
In reality, the protocols exhibit Big Brother-like implications, and many privacy stakeholders seem to side with Uber. Determining that LADOT’s actions would in fact, “constitute surveillance.” (Source).This includes the EFF who stated that “LADOT must start taking seriously the privacy of Los Angeles residents.” What’s more in a letter to LA, they wrote that “the MDS appears to violate the California Electronic Communications Privacy Act (CalECPA), which prohibits any government entity from compelling the production of electronic device information, including raw trip data generated by electronic bikes or scooters, from anyone other than the authorized possessor of the device without proper legal process.” (Source)
While Uber seems to have validity in their concerns, there is fear that LADOT will revoke their permit to operate because of their refusal to comply (Source). As of Tuesday, the company’s permit was suspended. But with the lawsuit looming, the public can expect the courts to decide the legality of the situation (Source).
Ontario Science Centre data breach exposes 174,000 names
This week the Ontario Science Centre explains that on August 16, 2019, they were made aware of a data breach that affected 174,000 people. This was discovered by Campaigner, the third-party company that performs the mailings, newsletters, and invitations for the OSC.
Between July 23 and August 7, “someone made a copy of the science centre’s subscriber emails and names without authorization.” (Source)
Upon further investigation, it was learned that the perpetrator used a former Campaigner’s login credentials to access the data. While no other personal information was stolen, the mass number of consumers affected highlights the potentially negative consequences associated with using trusted third parties.
Anyone whose data was compromised in this incident was alerted by the science centre and was encouraged to ask any further questions. In addition, the Ontario Information and Privacy Commissioner, Beamish, was alerted about the breach one-day after the notices began going out to the public.
Moving forward, the Ontario Science Centre is “reviewing data security and retention policies.” alongside Beamish to investigate the incident in full and ensure it is not repeated in the future (Source).
Will more states adopt privacy laws in 2020?
January 1, 2020, marks the implementation of the California Consumer Privacy Act (CCPA). This upcoming law has spread across the media, but soon more state-level privacy laws are expected that will reshape the privacy landscape in America. With a focus on consumer privacy and an increased risk of litigation, businesses are on the edge of their seats anticipating the state’s actions.
Bills in New York, New Jersey, Massachusetts, Minnesota, and Pennsylvania will be debated in the next few months. However, due to the challenge of mediating all stakeholders involved, several of the laws that were expected to have been passed this year were caught up in negotiations. Some have even fallen flat, like those in Arizona, Florida, Kentucky, Mississippi, and Montana. On the other hand, a few states are forming studies that will evaluate current privacy laws and where they should be updated or expanded by digging into data breaches and Internet privacy (Source).
Meanwhile, big tech is lobbying for a federal privacy law in an attempt to supersede state-level architecture (To learn more about this read our blog).
Any way you look at it, more regulations are coming, and the shift of privacy values will create mass changes in the United States and across the globe. This is more necessary than ever, in a new mirror world where Uber claims to be on a mission to protect user privacy and the science centre comes clean about a massive data breach. The question remains, are privacy laws the answer to the data-driven world? Perhaps, 2020 will be the year to make businesses more privacy-conscious.