I submitted comments this week to the New York City Taxi and Limousine Commission as the Director of Privacy at the Center for Internet and Society (CIS). The emergence of new transportation networks and platforms certainly presents privacy challenges and the private companies in these emerging markets certainly have had their share of privacy mis-steps. But there is an equally pressing privacy concern we should not ignore -- governmental agencies collecting information about users of these networks under the guise of public safety regulation. Make no mistake, user privacy ought to be part of any regulatory safety analysis; it isn’t or shouldn’t be a collateral issue or ignored.
In this rulemaking, the New York Taxi and Limousine Commission is considering changing rules that address the risks of fatigued driving and adding trip reporting requirements for for-hire vehicle bases. Ensuring the safety of consumers that use for-hire vehicles is an important agency goal. Ensuring the privacy of those consumers taking for-hire vehicles is an equally important goal. Regrettably, the proposed rule changes to collect precise drop-off and ride-sharing information would neither improve safety nor protect rider privacy. I urged the Commission to reconsider its data collection practices and to narrowly tailor its rules to protect consumer privacy while carrying out its mission, something that is achievable in this specific rulemaking without the collection of precise per-trip location information.
You may not know it, but the Commission already collects precise pick-up location data - the latitude and longitudinal coordinates at the start of every trip, and drop-off location for taxis. That data standing alone in the hands of governmental agencies creates consumer privacy concerns and risks. The Commission previously released detailed historical data covering over 1.3 billion individual taxi and for-hire trips in New York City from January 2009 through June 2016. An analysis of that data has revealed many interesting facts about how consumers use these services, but the privacy implications of the Commission's collection and disclosure practices are the real story and it is chilling. Here’s what the analysis states in regard to the privacy implications of the data that the Commission collected and disclosed:
The first time the TLC released public taxi data in 2013, following a FOIL request by Chris Whong, it included supposedly anonymized taxi medallion numbers for every trip. In fact it was possible to decode each trip’s actual medallion number, as described by Vijay Pandurangan. This led to many discussions about data privacy, and the TLC removed all information about medallion numbers from the more recent data releases.
But the data still contains precise latitude and longitude coordinates, which can potentially be used to determine where people live, work, socialize, and so on. This is all fun and games when we’re looking at the hottest new techno club in Northside Williamsburg, but when it’s people’s homes it gets a bit weird. NYC is of course very dense, and if you take a rush hour taxi ride from one populus area to another, say Grand Central Terminal to the Upper East Side, it’s unlikely that there’s anything unique about your trip that would let someone figure out where you live or work.
But what if you’re going somewhere a bit off the beaten path for taxis? In that case, your trip might well be unique, and it might reveal information about you. For example, I don’t know who owns one of theses beautiful oceanfront homes on East Hampton’s exclusive Further Lane (exact address redacted to protect the innocent):
[aerial map not included]
But I do know the exact Brooklyn Heights location and time from which someone (not necessarily the owner) hailed a cab, rode 106.6 miles, and paid a $400 fare with a credit card, including a $110.50 tip. If the TLC truly wanted to remove potentially personal information, they would have to remove latitude and longitude coordinates from the dataset entirely. There’s a tension that public data is supposed to let people know how well the taxi system serves different parts of the city, so maybe the TLC should provide census tracts instead of coordinates, or perhaps only coordinates within busy parts of Manhattan, but providing coordinates that uniquely identify a rider’s home feels excessive.
The above analysis continues, pointing out the privacy implications of collected drop-off information, using Goldman-Sachs’ offices as one example:
We can isolate all taxi trips that dropped off in that driveway to get a sense of where Goldman Sachs employees—at least the ones who take taxis—come from in the mornings, and when they arrive.
The Commission proposes to collect precise drop-off data on a weekly basis from for-hire services like Uber, Lyft and others. The Commission does not address the privacy implications of the rule or the risks associated with publication of the location data, or even acknowledge the privacy risks identified in the above analysis. There is no privacy assessment whatsoever. The Commission simply asserts that “TLC will maintain the privacy and confidentiality of the additional data that it will be collecting because of these new reporting requirements, as it does with all data currently collected.” That is the problem. The current collection and disclosure of precise location data by the Commission has put consumer privacy at risk and the new collection of data will further do so.
To be lawful, the proposed rule must, to the extent practicable and appropriate, be narrowly drawn to achieve its stated purpose. But the Commission has not explained how precise drop-off data and information on ride-sharing will support fatigue analysis at all. The Commission's notice only suggests that the additional data collection will help with enforcement of its rules: "With drop-off location information, TLC can confirm the accuracy of the FHV records; Drop-off data for FHV trips will also assist TLC in other enforcement actions." The Commission acknowledges that "implementation of the proposed driver fatigue rule is based on calculation of trip times" and that “a calculation based on trip duration provides a more accurate way to identify drivers at risk of fatigue.” It is clear that pick-up and drop-off data actually are ancillary to the purpose of the rule and therefore the rule is not narrowly drawn to address fatigue, as opposed to facilitate enforcement.
Transparency is an important privacy value. In the New York case, consumers largely are unaware that the precise pick-up and drop-off of their trips are or will be logged and reported to the Commission, or that the Commission makes that data available to the public, and perhaps to other governmental agencies. In addition to undertaking its own public privacy assessment of any rule that implicates consumer privacy, I urged that the Commission ought to ensure that users of regulated services understand the collection practices of the regulating agency. The Commission has taken the time to work industry participants on these rules, but there is little evidence that the views of consumers of these services have been told the basic facts about governmental data collection surrounding their trips and how the data is used or disclosed. Consumers are an important stake-holder here and their privacy is an important component of their safety -- every bit as much as driver fatigue.
This rulemaking is a microcosm of a larger administrative agency privacy problem. Take a look at Uber’s most recent Transparency Report. They have been required by various agencies to disclose trip information affecting almost 7 million users and drivers to various agencies across the country. No doubt, regulators need certain information to perform their duties, but these agencies do not conduct privacy impact assessments or employ fair information practices that limit the data collected to protect consumer privacy, nor are the agencies truly transparent about what they do with the data, how long they keep it, who has access to it and whether it is shared with other agencies.
It is a valuable contribution to transparency reporting that these new and emerging networks report on their disclosures to government. But we need regulators to be more sensitive to the privacy implications of their rules. Let’s hope the New York Taxi and Limo Commission listens, and then let’s see if regulators across the Nation pay attention.
*In the interests of full disclosure, as a partner in Perkins Coie LLP, I represented Uber and other transportation network companies on various privacy matters. The firm continues to represent Uber and other companies, but I retired from practice a year ago. My views regarding government collection activities and transparency are well-known and unaffected by prior representations.