The Bird scooters that dropped in Ann Arbor this September and have continued to flock around campus are really akin to the common pigeon. They populate the sidewalks in droves and weave in and out of crowds of pedestrian students. They have their typical nesting areas, practically stacked on top of each other outside of the Modern Languages Building, Ross School of Business and other places that are just a bit too far from the other side of campus. City officials have tried to control them, but still they zip and zoom in every direction. They have become, at the same time, an exciting new mode of transportation and a menace to society, but what Bird riders may not realize is how the scooters might be feasting on their data.
Bird, a startup out of Santa Monica, connects its electric scooter service to a free app on your phone. Once you have downloaded the app, uploaded your payment information and a snapped a picture of your driver’s license, you are ready to ride. The rides cost $1 per ride plus $0.15 per minute and have become a source of transportation for the awkward “last mile” of the urban commute where a destination is too far to walk yet not far enough to drive. Bird’s environmental mission is to provide cities with a clean, car-free transportation alternative.
Though a majority of the data security issues that I have written about are tied to the internet and the regulation of firms that operate on the digital sphere, with the prospect of “smart cities” and data-driven urban planning, it is important that we turn our attention to “the internet of things.” Simply put, this concept is the idea of connecting any and every possible device to the internet to streamline its use for consumers and more easily configure the data for the companies that provide the service.
Bird doesn’t just collect data from mobile phones, however — the scooters themselves are prodigious data collection machines, specifically for highly valuable location data. The company automatically collects the precise GPS location of its scooters, the routes riders take and the rental status of its scooters. The information collected is also directly associated with a user’s individual account, making it possible for Bird to “personalize” content for a specific user in the form of reports, recommendations and feedback according to user preferences.
In its Privacy Policy, Bird makes sure to distinguish between the personalized content that they provide based on individual users and the “anonymous or aggregate information” that they are able to use for “any purpose.” The personalized content establishes the connection between Bird and its e-scooter enthusiasts, however, this aggregate data is also of huge value to cities, developers and businesses vying to apply the analysis of usage patterns to the development of their smart city initiatives. The wording of “any purpose” also implies the wide scope of Bird’s ability to use its data in any way it wants.
Because Bird claims to be playing a role in shaping the green cities of tomorrow, it should be as open as possible with its aggregate data. It has actually been pretty good about this, providing cities with its GovTech platform that monitors how citizens are using the scooters and putting forth possible solutions for unwanted activity. For example, geofencing will notify riders of locations in a city where Birds are prohibited, and the Community Mode allows individuals to report incidents of unsafe activity or poor parking.
We should also stop and think, despite the supposed inherent value of Bird’s data, whether scooters really are a viable alternative for “last mile” transportation. From a sustainability perspective, riding an electric scooter uses only 1 to 2 percent of the carbon dioxide emissions that driving a car the same distance does. The individual consumer choice is never that simple, though, and Bird introduces extraneous costs that the average rider doesn’t think about. All the scooters have to be rounded up by trucks overnight and charged by workers with their own vehicles. In addition, these fun new scooters might be replacing lower emission options such as walking, riding a bike or using public transportation. There is just not enough data right now beyond the extrapolations of e-scooter companies to judge their long-term environmental impact.
Beyond aggregate data, regulators should also curtail the amount of unnecessary personal information that Bird is collecting from its users. Bird uses persistent data tracking to record every move riders make from the moment they get on a scooter to the moment they get off, meaning that if you took a scooter to a protest, a religious service or a sensitive medical appointment, the scooter would know. Bird is operating under the assumption that people want extremely personalized experiences on their scooters, when in fact most riders just use their services to get from point A to point B.
The company could still de-identify all of the precise GPS data and use it to achieve the goal of a city with fewer cars, but it would be hard to convince Bird executives to do this because the data would suddenly lose commercial value to advertisers. There is no need for the Birds of the future to suggest possible destinations based on my preferences; I am just trying to get to class. The data that Bird collects might also fall into the hands of governments attempting to use the technology to surveil their citizens. Bird says loosely that it shares its data based on the “good-faith” belief that such action is necessary to comply with the law, leaving this transfer of personal data including photos and GPS tracking up to its discretion.
It also seems that Bird doesn’t prioritize data protection overall. In the brief section on “How we protect your information” in its Privacy Policy, Bird says it takes measures to protect user information while also forcing the user to acknowledge that Bird cannot guarantee the transfer of personal information and that it is all “at your own risk.” Essentially Bird reserves the right to do whatever it wants with the information you provide, and if anything goes wrong it’s your problem. The rules are a bit more stringent concerning international users, especially for European Union data on subjects living under the umbrella of the General Data Protection Regulation.
As with any tech startup claiming to offer revolutionary new services for cheap, the value and concern lies in data. Scooters are fun, but the data security challenges surrounding them could become a pest.
Alexander Satola can be reached at apsatola@umich.edu.