Why a battle between tech visionaries, privacy advocates, Uber, and transportation officials is about much more than scooter data

Imagine if, in the future, you rent an electric scooter, Uber or Lyft ride, or a little further in the future, an autonomous car. Imagine if your city can help your trip happen more smoothly by sending your vehicle information about road closures or traffic; or ask these vehicles not to travel in too great numbers just past your house; or monitor to make sure the companies operating them aren’t breaking the rules.

Or…

Imagine if, in the future, governments are giving ICE information about who is taking these rides, and where, and they use it to set up stings. Or, unscrupulous administrators are analyzing who travels to a controversial church, or a certain kind of political protest, which makes people afraid to attend and speak up.

Does the first scenario sound great? Or the second frightening? Which is more so?

Some city governments including Washington, DC and Los Angeles are finding themselves at loggerheads with a coalition of privacy advocates, civil rights groups, and Uber. They’re fighting over a new rules that require scooter companies to share information about trips, in real time, with the cities’ transportation agencies using a standard format called Mobility Data Specification, or MDS.

MDS simply created a mechanism for companies’ computers to pass information to cities’ computers about, for instance, when a scooter was rented or what route a bike traveled. And cities can pass data back to companies, such as about a street being closed. Cities can use the information to better plan street projects, study the equity impacts of new services, and check on whether companies are obeying the rules.

Some cities and companies don’t see eye to eye about how much information should be transmitted about your trip, or someone else’s, and how often — months later, a day later, or just seconds later. In LA, that dispute has turned into a federal lawsuit by Uber; in DC, a public campaign on social media claiming the District Department of Transportation (DDOT) wants to track riders.

Opponents of the new rules argue that they were rolled out too hastily, without public input or even awareness. They say cities have not articulated a real need for collecting this data in real time and for individual trips, as opposed to just aggregate statistics like how many trips there were or which streets they used most.

Supporters say cities need to better manage how systems like scooters operate in the public space, and that cities have been long been keeping data, like tax and hospital records, private; so what’s the problem?

Some people on each side have also accused the other of acting in bad faith. Are the groups warning about privacy violations really just being paid by Uber? But, are the people building and defending this data standard just looking to create opportunities for lucrative contracts for themselves?

While the battlefield right now is scooters, opponents of this proposal warn that it could expand to ride-hailing and future autonomous vehicles, letting governments track people on those modes of travel as well. It’s supporters say the exact same thing, only with a different tone of voice — they are enthusiastic about the ways data sharing could help cities manage traffic and detect companies flouting the rules on ride hailing and future autonomous vehicles.

Why cities started asking for data

Officials felt they had been asleep at the switch during the rise of Uber and Lyft.

Cities have always collected some data about movement. In most cities, taxis kept paper logs of their trips. Regulators used these to ensure drivers weren’t cheating their passengers, a not-uncommon occurrence. Cities that wanted to count vehicle movement had to pay transportation consultants to stand on corners and keep tallies, or install cameras and pay someone to watch the feeds.

Suddenly digital technology in taxis, in drivers’ pockets, and in apps caused a seismic shift. Google Maps or Uber knew quite well how much traffic was concentrated in different places. Companies like INRIX gathered GPS data and offered it for sale.

Governments also had brand new questions. A massive share of travel was suddenly through Uber and Lyft, and transportation agencies didn’t know how much. Were they the cause of ridership drops on transit? Growing traffic congestion? Or were those because of other factors?

Transportation technologist Kevin Webb saw this as a dynamic likely to grow. He saw a trend toward more and more trips happening on “platforms,” private companies that supervise huge fleets. They make many decisions such as how much to pay drivers and when (such as “surge” pricing), how to route cars, how to assign people to pools, or where to drop bikes and scooters. These decisions profoundly affect whether and how public road networks function, yet companies were making these decisions out of sight of the public.

“As we build something transformative, it’s important to consider the ways we can make it work for the public purpose,” Webb said at the 2019 CTS Transportation Conference in Minnesota. “We saw that in the past with railroads and then roads, but today it is less about the actual physical infrastructure and more about the information layers on top of that. For example, ride-sharing services such as Uber are building data infrastructure on top of the road network.” And, Webb said, cities need to be alert to whether platforms accumulate too much power and keep ensure “that everyone can participate” in this market for mobility.

Cities catch up on ride-hailing, bikes, and scooters

Some cities like New York required ride-hailing companies to disclose the same information taxi companies did. In DC, a 2014 law that legalized ride-hailing forbade the taxi regulators from collecting any information, but in 2018, DC reversed course. Ride-hail companies had to give the DC Department of For-Hire Vehicles data files, once a quarter, about the trips they take.

There is no information about the identity of the rider, just where it went, when, and whether it used a shared car. As one privacy-protecting tactic, the start and end locations are rounded off to a number of decimal places, so nobody can tell precisely where the trip started or ended. (Disclosure: I was part of a group negotiating over this law and advocated for the data sharing rule.)

Many officials in cities across the nation felt they had been asleep at the switch during the rise of Uber and Lyft. When dockless bicycles, e-bikes, and then scooters suddenly burst onto the scene in 2018, they didn’t want to make the same mistake again. (These services were also less popular and thus easier to regulate.) Among cities which allowed the devices, most demanded permits to operate and most required the companies to disclose at least some data.

For “micromobility” services, the technical term for the dockless bikes and scooters, there were two types of data: the locations of the bikes or scooters available for rental, and then information on how and where people ride them.

First, the locations. Publicly run bikeshare systems generally had a public data file that would list where the docks were and for each one, how many bikes and open slots there were. This became a standard known as the General Bikeshare Feed Specification, or GBFS. When dockless micromobility erupted, some cities including DC required companies to offer the same information.

Why is that useful? A big reason is so you don’t have to open a lot of proprietary apps to find the bikes and scooters. In 2019, DC had eight companies (Bird, Bolt, Jump, Lime, Lyft, Razor, Skip, and Spin) operating scooters alone. Typically, someone who wants a scooter wants a scooter, not only a single company’s if it’s much farther away than another. Apps like Transit, first built to help figure out which bus or train to take and how to get there, offered a valuable service in directing people to a scooter or e-bike and comparing them to the bus, a car, or walking.

This works where cities, including DC, have required the companies to publicly publish the locations of bikes or scooters sitting on the street, waiting to be rented, in an up-to-date GBFS file. (When dockless bicycles first emerged, I convened a working group which recommended this.) “Washington, DC is the gold standard here: their strong open API requirement makes it easy to compare and combine multi-modal options,” the Transit team wrote.

Trip data goes much deeper

The second type of data looks at individual trips. Cities need to, for instance, know if companies are putting all of the vehicles in certain neighborhoods, perhaps upper-income ones, and neglecting others, or where they are being ridden and where they’re not. Some of them impose caps on the numbers of vehicles, which includes ones being ridden as well as those parked. If cities can know what routes people take, not for individual people but in the aggregate, they can understand which roads people feel safe riding on and which they don’t.

Unlike the GBFS vehicle locations, this isn’t public. Instead, operators give data files directly to the city departments of transportation.

Or, they use neutral third parties. Webb is co-director of SharedStreets, a nonprofit which has agreements with Uber and Lyft to take in data files and give cities tools to then analyze the data. For instance, DC doesn’t get ride-hail data down to which building a vehicle stopped in front of, but can use SharedStreets’ visualization tools to know where the pick-ups and drop-offs happen, then consider installing special loading zones in those areas. Meanwhile, DC doesn’t need to actually have a list of which trips stopped in front of which building — data which has real privacy implications.

A standard format emerges

The Mobility Data Specification is a standard way for cities and mobility companies, like scooter providers, to share information. MDS allows them to share a wide variety of information; whether they have to or not is up to cities who regulate these providers.

Having a standard is not controversial. Companies, cities, and advocates on all sides of this battle agree that it simplifies the task for everyone if a company can share data in one consistent way with many cities.

“It’s important we are all speaking the same language.”

For companies, they can write software code one time and output data for many cities instead of having to do a custom job for every one. Cities benefit from a standard because if one city or a private software company writes a tool to, say, turn data into a useful map, other cities could use that same software tool on their own data files.

GBFS is the standard for those public files of parked vehicles; MDS, for the deeper trip-level data that isn’t public.

“It’s important we are all speaking the same language,” said Stefanie Brodie, a former DDOT researcher and now Senior Researcher at Toole Design Group. While at DDOT, Brodie was responsible for the first data requirements when dockless bikes and scooters first emerged but before MDS. “It’s a positive step that we have a data standard where all providers are giving the data in the same way, cities and states that are getting the data are seeing it in the same way.”

MDS does a lot more than just hand trip records over like the taxi logs of old. It goes two ways. Mobility companies can transfer data through MDS to the cities, but also, cities can hand information back. Cities can tell a company, for instance, that “there’s a permit for a parade, or there is a forest fire bearing down” on the area where the scooters are parked, said Gabe Klein, a partner at transportation consultant CityFi and former head of the DC and Chicago transportation departments.

Klein was part of the team that proposed and designed MDS, originally for the Los Angeles Department of Transportation. He said the features came from real concerns LA leaders had about allowing scooters at all. “Scooters did not yet exist, [and the contract] was really around AVs and drones,” he said. “Within 72 hours of the contract being signed, suddenly Bird was dropping scooters in Santa Monica. We had to pivot. … We had councilmembers saying, you better not allow these in Brentwood, in Beverly Hills; some councilmembers were saying ‘over my dead body, we don’t trust LADOT.’”

“We needed to have data, we needed to know where any of these things are at any given time,” Klein added. “After the ride hail debacle, they didn’t trust Uber … In Venice Beach they cordoned off [access to scooters] but scooters were going there anyway; with MDS they were able to verify that, and in real time they were able to go and collect those scooters.”

Enforcing rules is another reason for MDS, explained Jascha Franklin-Hodge, executive director of the Open Mobility Foundation, a nonprofit which now stewards the MDS standard after LA handed it off. OMF’s members include agencies in 25 cities in four countries, plus eight private companies. “Cities … need to be able to understand at a given moment in time how many vehicles does a company have, where are they deployed, does it meet the equity requirements, meet the caps? … Vehicles that are illegally parked must be moved within a certain amount of time after the company is notified. Cities need to be able to know, okay, we know the vehicle is here and we told you about it at that time, and you moved it at that time.”

Data goes real-time. Why?

A key shift with MDS is that it allows passing data much closer to real-time. The DC law around ride-hail data requires companies to hand over files every three months. The 2019 micromobility permits required it monthly. On the other hand, Los Angeles, the first to use MDS, asks for information on vehicle pick-ups and drop-offs within 5 seconds and full routes within 24 hours.

Public GBFS data is not enough, said Franklin-Hodge, and neither are data feeds provided weeks or months later. Cities need more detailed data and quickly, he and Klein argued. “Even with MDS we had instances where some companies were sending false feeds for some months,” Klein said. “Because cities have the data they can actually go and verify what’s going on.”

In its initial 2020 permit rules, DC required even more immediate data: vehicle locations “as close to real-time as possible, but with no more than a 3 minute delay” and the full route “no more than 2 hours after the completion of a trip,” as quoted in a letter Jump (then part of Uber) sent to DDOT expressing opposition to the new rules.

“DDOT has not offered a clear rationale for why it needs real-time on-trip data,” said the Jump letter. “DDOT suggests it might be necessary for special event and emergency planning,” it continued, but argued that this can be addressed with the existing real-time GBFS feeds (which aren’t under controversy) or can communicate with the operators the old-fashioned way, by directly calling or emailing them to ask them to deal with special events. The Jump letter said, “We have built a track record of working with DDOT for a variety of purposes, including special events like the World Series, without providing real-time on-trip vehicle data.”

Privacy advocates warn of abuses

DDOT’s and LA’s data sharing rules alarm organizations that have been fighting for digital privacy for years. Writing to DDOT, the Center for Democracy and Technology, a technology policy nonprofit that fights for individual rights, said, “The data … DDOT seeks to compel could reveal an individual’s visit to a house of worship, Planned Parenthood, a political protest or a sensitive meeting such as Alcoholics Anonymous. Patterns in the data could reveal social relationships and personal habits including when people leave for work, run errands, and where they like to go.”

Advocates are particularly worried about governments being able to turn the data tracking scooters into data tracking individual people. “It is easy to use location data to re-identify individuals,” said the American Civil Liberties Union’s DC chapter, CDT, and others in a March letter. They added, “it is especially concerning that the District has made no commitment to avoid using the data to re-identify or track individuals.”

“We’re moving from traffic signals and stop signs to Waze and Apple Maps.”

The privacy-focused organizations are not saying cities don’t need to know something about where scooters and e-bikes are traveling, but they think real-time, individual vehicle data isn’t necessary. Instead, they argue, cities can get aggregate data, such as total numbers of trips that happen between one general area and another, or how many vehicles use a particular road over time.

“Turning our cities into surveillance cities is not necessary to achieve the laudable planning goals of city and regional transportation agencies,” wrote Jamie Williams of the Electronic Frontier Foundation, a nonprofit which defends individual freedoms and privacy online, about LA’s data-collection rules. Williams said, “What we need are ‘smart enough cities’ — cities that harness the power of data and technology in a way that respects everyone’s privacy interests.”

Does aggregating meet cities’ needs?

All sides agree privacy is important, and all sides also agree governments need to understand something about the bike and scooter services, and maybe in the future ride-hailing or autonomous vehicles. Even the companies themselves expressed no reservations about sharing data for specific purposes like enforcing the rules. DDOT is “entitled as a regulator to have insights powered by data that reflects how people are using these devices,” said Colin Tooze, Director of Public Affairs for Uber.

The main battle is over how detailed the data should be. If cities only want to know which roads scooter riders are using, then data like the percentage of trips that used each road would answer that. The companies could give cities that information, and only that. But then, if cities want to see if it’s different by time of day or day of week, they’d have to go back to the companies for a more granular data set. And now what about during snowstorms? Go back again.

“If data is aggregated before I touch it, I lose options of what to do or analyses to run,” LADOT head Seleta Reynolds told David Zipper in Slate a year ago. Reynolds said over time, LA and other cities could learn what they do and don’t need, and cut back. And perhaps some city officials felt it was eaiser to require data on the front end when micromobility services were new than after they had become more firmly entrenched, as happened with ride-hailing.

Critics, meanwhile, feel it’s not enough for cities to collect anything they might need eventually, even if they don’t know how to use it yet or, perhaps, have the research resources to dig into it. Not when personal privacy could be at risk.

Uber tried to address this with a tool called UberMovement, which let city officials, essentially, query Uber’s database but only actually receive the conclusions rather than the raw data. SharedStreets’ approach is to be a neutral third party that has the data, including from multiple companies, and to build tools cities can use to answer questions. Each of these approaches can answer some questions for cities, but not all.

It’s not just about scooters

For the creators of MDS, scooters aren’t the end goal. They envision cities being able to manage digitally connected vehicles of all types, like ride-hailing today and, most of all, autonomous vehicles tomorrow.

Williams said, “Think this won’t impact you if you don’t use shared bikes or scooters? Think again. Cities hope to use MDS as a model for regulating all forms of connected vehicles — including cars — in the future.”

It’s like how political ads either use ominous music for an attack or peaceful, happy music for a positive ad about the candidate. “Cities hope to use MDS as a model for regulating all forms of connected vehicles — including cars — in the future” … EFF would put a “dun dun DUN” after that, while others would score it to an optimistic and exciting soundtrack.

After all, to advocates, cars pose plenty of problems that need solving. Open Mobility Foundation’s Franklin-Hodge said, “Look at the opportunities and challenges presented to cities by ride hailing and potentially robo-taxi services in the future. The challenges have become very clear in the last few years. There’s a significant issue of congestion, made worse by empty ride-hailing vehicles circling around. There are potential safety considerations … ride-hailing companies can’t operate safely because there’s no space at the curb to let them pick up and drop off.”

“There’s a need for management on the part of cities,” he continued. “Some of that is about accommodating services and some is about, maybe the way those services are operating is creating too much negative externality. Regardless of what you see in that, the only way that cities can start to manage this is with data.”

This is part of a long-standing battle of data privacy

Advocates’ concerns about mobility data stem from a long history of growing government data collection. Just decades ago, law enforcement could track someone by having police officers stake out their homes and tail them, or interviewing people who might have seen them, but the advancement of technology has made it possible for someone sitting in a room to “ping” a cell phone and see where someone is, or, since the phone company and maps applications keep a record, where they’ve been.

“Who will stop federal immigration authorities from getting a hold of MDS data to ramp up arrests and deportations?”

That kind of thing seems cool on the cop shows when the hero uses this to catch a murderer, and those shows sometimes even depict the main characters bending some rules and thwart a terrorist in the nick of time. But, privacy advocates note, it’s a lot less exciting if law enforcement officers start digitally following everyone who attends a particular kind of political protest.

One could imagine some law enforcement agents, seeing a protest by people whose political views don’t align with their own, keeping tabs on those protestors, looking for information that can lead to other unrelated criminal charges or public embarrassment. If that sounds far-out, well, the FBI did it in the 1960s, including trying to get Martin Luther King, Jr. to kill himself. And the targets of the FBI’s infamous COINTELPRO project didn’t kindly carry around personal tracking devices everywhere they went to simplify the FBI’s job.

Perhaps that’s why the DC bureau of the Southern Christian Leadership Conference, the civil rights organization first led by MLK, also sent a letter about this issue to DC officials. It says:

What will prevent Metro PD from accessing MDS and targeting Black neighborhoods for over-surveillance under the guise of crime prevention? Who will stop federal immigration authorities from getting a hold of MDS data to ramp up arrests and deportations among the District’s undocumented population? And even if DDOT employees acted with the soundest moral code, there is no foolproof way to keep this data from falling into the hands of bad actors.

The SCLC’s Southern California group raised similar concerns about Los Angeles’s activities. Its CEO, William D. Smart Jr., drew a link from tracking MLK in 1963 to New York City’s “stop and frisk” program today and ICE officers “arrest[ing] an undocumented immigrant by tracking his location through a social media page.”

The Supreme Court puts the brakes on digital location surveillance

To really understand this issue and where it might be going, we need to delve into a bit of legal nerdery.

For years, the predominant legal doctrine in the United States allowed almost any law enforcement activity around tracking people through their digital behavior. This grew out of some cases in the 1970s, where law enforcement officials got phone company logs (Smith v. Maryland) and bank records (United States v. Miller). The Supreme Court said at the time that since police were not searching and seizing this information from a person themselves or their home but rather getting it from a third party (the phone company or bank), and since people had voluntarily given up that information, it wasn’t protected by the Fourth Amendment and didn’t require a warrant.

In the 40 years since, people started leaving a lot more personal information in the hands of third parties, including cloud documents, cloud photos, emails (which are somewhat protected under a separate law), search histories, map and driving or transit directions histories, and much more. For a while, the Supreme Court kept saying that law enforcement access to more information was just the same old “third party doctrine.”

Then, in the 2012 case United States v. Jones, the court held that police putting a GPS device on a car (owned by a DC nightclub owner, as it happens) without a warrant was not constitutional. While the actual holding in that case was pretty narrow, meaning the court wasn’t opining broadly but only talking about physically putting devices on cars, Justice Sonia Sotomayor wrote some things that to privacy advocates sounded like the start of completely rethinking Smith and Miller. She said in a concurring opinion:

[The third party doctrine] is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellular providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medications they purchase to online retailers. …

I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy.

She’s arguing that if the law only recognizes a privacy interest in information someone never allows outside their home, then in a digital world, that would mean nearly no privacy at all. (In that time period, because I follow this issue, I did buy a storage device that sits in my house to place financial documents and photos on… but it’s been far more cumbersome than putting things in the cloud. And, I need to back it up somewhere!)

All nine justices agreed the specific GPS tracker in Jones was illegal, but Sotomayor’s more expansive comments presaged a larger potential shift of jurisprudence. In 2018, the court struck a huge blow against the third party doctrine in Carpenter v. United States. There, Chief Justice John Roberts joined the court’s four liberal justices in saying that police violated the Fourth Amendment by collecting months of cell phone location information based on what towers the defendant’s phone had connected to.

Roberts wrote, “When Smith was decided in 1979, few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.” He continued, “The time-stamped data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations,’” quoting Sotomayor in Jones.

There have been cases in the same vein in DC law as well. The DC Court of Appeals ruled in 2017, a year before Carpenter, that police needed a warrant to use a “cell site simulator,” a device which pretends to be a cell tower and gets people’s phones to connect to it so that police can track where they are.

Do law enforcement privacy laws relate to scooter data?

OK, but DDOT isn’t the police, and it wants scooter data for transportation planning purposes, not criminal investigation. Also, unlike a cell phone, MDS doesn’t track individual people. Does that make it different?

Franklin-Hodge says all of the local government officials involved in MDS also support privacy about people’s personal movement. “The design of MDS has been, from day one, [protective of privacy]… there is no mechanism within MDS for transmitting personally identifiable information like names addresses or even” customer identification numbers, he said.

Privacy advocates argue this isn’t good enough. Zipper, currently a Visiting Fellow at the Harvard Kennedy School’s Taubman Center for State and Local Government, summarized the concern:

A study in Nature concluded that data sets with time stamps of the kind collected through MDS can reveal a user’s identity with as few as four data points. A recent New York Times article explained how cellphone data can be de-anonymized and used for purposes that individuals never intended or even knew about. And in the transportation world, researchers in 2014 were able to identify actor Bradley Cooper’s taxi trips from a data set released by the New York City Taxi and Limousine Commission. By collecting data on tens of thousands of daily trips — maybe more — MDS could magnify the risks of such scenarios.

Klein says that’s not untrue, though he doesn’t think governments will habitually do it. “There’s no field in MDS to track” personal information, he said. “Could you use three or four more data sources” in combination to de-anonymize the information? “Sure, that’s always possible.”

But, Klein said, “Cities have been keeping sensitive private information for centuries.” Franklin-Hodge echoed this. “I’m a former city CIO. I got a look at all of the types of data that cities stored and collected. We worked with a lot of data that’s a hell of a lot more sensitive. We’re sitting on ambulance data, student records, sensitive financial data from applicants for public housing.”

The real big idea: air traffic control, on the ground?

Some of this chasm between sides on this issue comes from the way MDS was first dreamed up. The initial proposal to LADOT, from self-described “big data futurist” John Ellis, Gabe Klein, and others, talked about how cities could one day direct all of the vehicles moving around, to operate most smoothly and efficiently, in a sort of citywide, road-based air traffic control system. As CityLab’s Laura Bliss described it, “LADOT could do more than just monitor where drivers and riders were heading: It could control their routes, by sending turn-by-turn guidance.”

“We’re talking about moving from an analog system to a digital system” of transportation, Klein explained. “We’re talking about changing from managing mobility with traffic signals and stop signs to managing it with Waze and Apple Maps. And in the future, something we can’t quite imagine with augmented reality,” the concept where a device’s camera and screen, goggles, or a windshield overlay digital information atop the image of the physical world.

“Even if you centralized all of it, there’s still not enough space for all the cars.”

Webb of SharedStreets thinks this air traffic control idea is “kind of bonkers” and “far-fetched.” He said that controlling vehicles at that level of granularity is very difficult to make work, and if it could, at best cities would “eke out a few percentage points of gains.”

He said that the air traffic control system has actually been moving in the opposite direction, toward giving airplanes and airlines more control over routing outside of really congested airports. “The more control we give to the vehicle the more efficient the network becomes,” he said of the less centrally-planned aviation system, where airlines and pilots can optimize around fuel, wind, and connections in ways air traffic controllers couldn’t.

Most of all, though, he said, “Even if you did it [on streets] and centralized all of it, there’s still not enough space for all the cars.”

Which comes back to the question that the privacy advocates, and Uber, and others have asked: what is the data for? “You need to design the data collection model around the policy questions you want to answer,” said Webb.

If cities don’t clearly articulate their need for data, courts might stop them

Webb fears that if cities “overreach,” courts will strike down any ability they have to collect even more important data from companies, and undermine “substantially more important” regulatory needs.

For instance, Los Angeles had required hotel operators to turn over guest information to police, without a warrant, since 1899. The Supreme Court struck down that law in City of Los Angeles v. Patel in 2015 in an opinion authored by — here’s why I talked about all that Supreme Court stuff earlier — Justice Sotomayor.

New York City required Airbnb and comparable platforms to disclose data about their hosts, in order to monitor whether hosts are complying with new laws designed to prevent what are essentially unlicensed hotels. Airbnb and similar site HomeAway sued, citing Patel among others, and won.

“I think Amazon is the company we should be thinking about, because of impacts on city streets.”

“Cities have to be more responsive to the rights of citizens,” argued Webb. With MDS, “LA has made the same mistake again, said we don’t care so much about citizens’ rights, we care more about regulating the companies. That will ultimately set a precedent that will undermine our ability to do more thoughtful regulation going forward.”

MDS doesn’t cover consumer protection, or labor, or freight delivery

That’s because, Webb said, cities do need to regulate these platforms, but there are “substantially more important battles” than over routing the vehicles to move most efficiently: things like whether drivers are classified as employees or independent contractors, or other labor protections; or consumer protection.

“MDS doesn’t cover that,” he said. “They have no idea how much people are paying. They have no idea if people are being denied service. No idea if the consumer experience aligns with what people are being told in the app.” But, he argued, “These are much more fundamental battles, and the urbanist crowd has been largely oblivious to the significance of them.” He continued:

I’ve been saying to LA, you invest this enormous amount of regulatory infrastructure in Uber and dockless mobility, but these things don’t apply outside the narrow regulatory mandate. Like Amazon, or UPS if they change their employee classifications to be more like Amazon. You have no ability to transition the mandate on passenger protection to, say, logistics companies and cargo delivery because that is a totally different category of regulation. I think Amazon is the company we should be thinking about, because of impacts on city streets.

Webb is arguing that because MDS was developed by transportation planners and engineers, and they think most of all about vehicle movements, then Los Angeles and other cities are putting all of their eggs in this basket of tracking and optimizing that. And if they lose, as they may, especially if they can’t articulate a really good reason for the data they are collecting, they may lose powers that go far beyond traffic flow.

Is all this just a front for Uber?

Franklin-Hodge of Open Mobility says some of the alarm around privacy may be motivated by profit. “There’s a lot of scare tactics out there. There’s a lot of folks that take from the idea of government having that need to manage public space, that government wants to control where people go and want to spy on people. That leap is often made in a very cynical way by companies whose interest primarily is in avoiding regulation than who are particularly concerned about privacy.”

“Both things are true: Uber is strategically using privacy arguments … and many of those privacy arguments are legitimate.”

He pointed out that some of the companies in question have contributed financially to organizations like EFF and CDT, and said such groups “also function as trade associations for tech companies with a particular focus on avoiding a broad swath of various types of government regulations on the tech industry.” (See also my disclosures at the bottom of this article.)

In particular, Uber is the chief funder behind the Coalition Against Rider Surveillance, or CARS. That’s the group that has been running Twitter ads against LA’s and DC’s data collection plans.

“The fact that [it] is named CARS — you can’t make this stuff up,” said Gabe Klein. “It has nothing to do with active mobility, it has nothing to do with what’s good for cities, and it has nothing to do with people’s individual privacy. And everybody knows it.”

Privacy advocates don’t agree that it’s only about that.

“I think both things are true: Uber is strategically using privacy arguments to avoid revealing information about its business. At the same time, many of those privacy arguments are legitimate,” said Alvaro Bedoya, Director of the Center for Privacy & Technology at Georgetown Law.

Webb agrees. “I think CARS is totally astroturfing — they didn’t even bother to astroturf.” But, he agreed the issue goes far beyond Uber or CARS. “I get kind of annoyed about how this has been framed [in news reports] as DOTs versus Uber. It’s undermining a really substantive and needed conversation around digital privacy.”

CARS spokesperson Keeley Christensen pointed to CARS’ mission statement and that CARS has 23 members “representing a wide range of communities that could be at risk if their location data were misused or compromised by cities (e.g. Asian Americans Advancing Justice, Mi Familia Vota, Southern Christian Leadership Conference, etc.)”

Whom do you trust? Governments, or companies?

To the current and former government officials, they’ll be responsible with the data. To skeptics, government has already shown itself not to be very trustworthy. “If local government had a strong track record of protecting sensitive data against breaches and misuse, it would be one thing. Unfortunately, the cybersecurity track record of local governments is mixed at best,” said Bedoya.

Klein disagrees. “When you talk to these people who think this is the worst thing to ever hit the planet, how many of them have ever worked in local government?” he asked, arguing that among the people who might hold data, local leaders are the “most responsible and responsible for the people who elect them.”

He and others also pointed out that while this debate is over whether governments get the data, companies already have it. Privacy advocates worry about governments sharing data with ICE, but AT&T gave data to the NSA voluntarily, too. Not that privacy advocates don’t also oppose that — EFF, for instance, unsuccessfully sued AT&T over the NSA data sharing and has criticized companies like Facebook for their data practices.

“Would Uber have the same objections if we were willing to pay them for it?”

Klein criticized what he sees as a “libertarian mentality, where you say the private sector should have free rein over their data that they are collecting from their citizens, but the city which has managed the public right-of way for the past 150 years, somehow if they try to move their citizens into the 21st century and partner with the private sector to serve their citizens,” it’s not acceptable.

Personal data is even for sale. Companies like INRIX offer data sets for companies or governments to purchase, including ones of “car data breadcrumbs,” that show where a sample of individual (anonymous) cars travel throughout the city, similar to the data DC collects from ride-hailing companies but based on individual people’s GPS devices. Some political groups were able to identify regular church-goers from their cell phone data and target them with ads.

“Would Uber have the same objections [to disclosing individual data] if we were willing to pay them for it?” asked one government official, who was not authorized to speak on the record.

This is different, in part, because it’s real time, said Uber’s Colin Tooze. “Sensitivities are even more acute when collecting info anywhere close to real time, because then it raises the possibility that you’re not just gaining a retrospective view of how someone is moving through the city, but potentially able to view person’s movements in real time as they are happening. Anything that gets close to surveillance, we think is bad public policy and a really dangerous road for governments to go down.”

“I would stress this is not about Uber not wanting to share data with cities, which is a claim that’s sometimes leveled against us,” he added. “We want to be a partner with cities and collaborate with them on the best way to give them what they need. But we want to be mindful that there are real sensitivities here and our customers have real expectations about the data that they entrust us with.”

“We don’t want to be accidentally creating the next redlining.”

Do cities have a right to know?

“It’s become this sanctimonious argument on cities’ side,” said Webb. “We’re democratically account­able, we’re on the right side, we’re trying to make the city better. That’s not how the constitutional framework works at all. Cities will run into this battle in federal court, saying we’re justified in undermining our citizens’ rights because we are doing good work — that’s a fundamentally uncompelling argument. It shows a complete lack of awareness of ways we’ve used municipal government to undermine citizens.”

Webb referenced how cities used land use policies, including racially restrictive covenants, redlining, “blockbusting,” and other legal tools to segregate cities, helping white families build generational wealth through homeownership while black families could not. Modern transportation officials, at least in DC or any of the other places I talked to people, certainly don’t see themselves as continuing that tradition.

“We don’t want to be accidentally creating the next redlining,” said one official who could not speak publicly. But, “Do I think dockless [micromobility] is the thing that will push this over the line? Probably not.”

David Zipper summarized the issue this way in a phone interview: “You have some city transportation advocates and leaders who understandably have the attitude of, ‘Give me all the data, as much data as you can and as many different data elements and as real time as possible, because I don’t even know what questions I want to answer with it. And I’m a public servant so I get to decide.’”

“On the other side,” he continued, “you have privacy advocates, you have Uber, a few other skeptics like SharedStreets, who say this is fundamentally not the way to approach privacy, to approach data. You want to start by asking what exact questions you need answers to, and what is the minimum amount of data you need to answer those questions, and what is the minimum amount of time you need to keep that data to answer those questions. Because every step you go beyond will create marginal risk of a privacy intrusion, a hack, and as a public steward of data, your goal must be to minimize the risk of that data you’re imposing on your residents.”

“To be honest, I see it on both sides.”

DC has paused to negotiate

DDOT was not willing to speak about this issue on the record. Uber’s Tooze said that since the initial flurry of public letters about this issue, DDOT has been talking with operators. Meanwhile, it has held off for the moment on insisting companies provide real-time MDS data.

“We have been in close conversation with DDOT,” Tooze said, and “they have been very open to hearing the concerns that we have. … We are optimistic that we can come to a reasonable solution here.” Meanwhile, Uber still has a lawsuit pending against Los Angeles, and didn’t rule out filing one against DC should the negotiations break down.

Tooze emphasized that real-time data is the main concern, but there are others they want to work through, like data security. “Just in the last year alone there have been a significant number of municipal data breaches across the country that highlight the need to make sure that before governments start collecting sensitive data like this, there are protections in place to make sure the data will be safeguarded in the event of a breach,” he said.

And, “There’s a need for policies to govern how the data is handled just in the ordinary course of things,” he added. “Making sure it can’t be sold, can’t be passed to a third party, can’t be accessed buy other government and law enforcement bodies without a warrant.”

Meanwhile, the Open Mobility Foundation has a privacy committee, which has been working on a draft guide about privacy best practices for cities to use MDS while protecting privacy, providing opportunities for public feedback, and minimizing the risk of data breaches.

What about the coronavirus?

What e-bike and scooter companies will do once DDOT makes a decision also will depend on which and how many of them are still in business when coronavirus-related stay at home orders end. DDOT had selected four scooter companies and two e-bike companies (the only two that applied) to operate in 2020.

The industry has already shrunk. Uber sold its Jump division to Lime at the start of May, amid significant layoffs and cost-cutting during the epidemic. Asked whether Uber plans to drop its lawsuit against Los Angeles or its opposition to MDS in DC, Tooze said in an email, “Uber’s position about the dangers of government demands for real-time data on individuals’ movements remains unchanged.”

Robert Gardner, Director of Government Relations for Lime, emailed a statement in response to inquiries: “From our earliest days Lime has supported sharing data with our city partners and taken a collaborative approach. We have encouraged cities to embrace the Mobility Data Specification as a common standard and have always complied with the standard. We’ll apply Lime’s collaborative approach to data-sharing toward our future management of Jump’s operations, while ensuring that all data sharing respects the privacy of our riders.”

Meanwhile, before the coronavirus crisis passes, Americans may start sharing a lot more real-time location data with the government and/or companies like Apple and Google if real-time contact tracing systems become widespread (which, as of this moment, is uncertain). Several of the people interviewed for this article pointed this out. “Contact tracing will be the same conversation,” suggested Tooze. “It’s a very different application of the same concepts.”

“We have serious privacy issues in this country,” said Klein. “Coronavirus and contact tracing are going to expose a lot of this.” On this, fans and foes of MDS alike all agree.

Disclosures: I have a long history of involvement in both data sharing and data privacy, and have worked professionally on transportation issues with several of the people I interviewed. I cheered many of Gabe Klein’s initiatives when he was head of DDOT. Kevin Webb and I teamed up on a transportation tech effort in Arlington, and have worked with SharedStreets to help DC identify places for curbside pick-up and drop-off zones. I worked with David Zipper on a fare integration effort which he wrote about in GGWash, and with Robert Gardner in his previous role at the Washington Area Bicyclist Association. Alvaro Bedoya and I have several mutual friends. As detailed above, I was closely involved with the bill in DC that did require ride-hailing services to share data, though not in real time, and with a public-private working group that recommended strong data sharing for micromobility. Uber and Lyft have sponsored GGWash events and programs (even though we were not on the same side regarding the ride-hailing data bill). I’ve been a member of EFF for many years and one of my oldest childhood friends works there (and first heard about it from me). My wife is the public defender who argued the aforementioned cell-site simulator case at the DC Court of Appeals.