Micromobility's open data standard beefed up security this year, easing concerns that it could be used to track users. Dynamic vehicle IDs, a tool that makes it harder to track users, have been mandated by the General Bikeshare Feed Specification and adopted by two of the largest micromobility operators in the U.S.
As shared micromobility use has grown across the U.S., researchers have raised concerns that service providers may not adequately protect user data. The trip information bike-sharing and shared e-scooter companies collect can be used to identify people, they say.
That vulnerability could allow someone to secretly track riders’ locations, retrace their steps, learn their habits — including when they aren’t home — and carry out other unwanted intrusions that may put their privacy or safety at risk, they say.
“It’s a completely valid concern,” said Josée Sabourin, product manager for shared mobility at MobilityData, which began overseeing the GBFS earlier this year.
One solution is dynamic vehicle IDs, whereby each bike or scooter changes its system identification regularly, which can make it harder to track users, said Feiyang Sun, a teaching professor at the University of California, San Diego, in an email.
That’s why GBFS mandated dynamic vehicle IDs nearly a year ago, MobilityData’s Sabourin said, noting that it’s ultimately up to micromobility companies to adopt them.
Lime and Lyft use dynamic vehicle IDs exclusively in their public data feeds in the U.S., company spokespeople said in emails. But it’s unclear how many service providers are 100% in compliance, Sabourin said.
Why data sharing is needed
People took at least 128 million trips on shared micromobility in North America in 2021, up 54% from 2020, according to an August report by the North American Bikeshare & Scootershare Association. More than 230,000 shared micromobility vehicles were operating in at least 298 North American cities in 2021, the report says.
Each bike and scooter trip creates new data that micromobility companies use to ensure compliance with local regulations about the number of vehicles they can operate and where they can provide service, according to a blog post by Jascha Franklin-Hodge, who now oversees Boston’s transportation and public works departments. The companies also use that information to manage their fleets, including parking, and share it with local governments to help officials better understand the role of micromobility in the broader transportation system and plan infrastructure investments such as bike lanes, Franklin-Hodge wrote.
Micromobility services communicate much of that information using GBFS. Nearly 9 in 10 cities in North America require micromobility services to use the open standard, allowing the services to operate across jurisdictions, app developers to build helpful travel planning tools for consumers, and third-party organizations to collect and analyze data.
Brandon Haydu, director of data policy and strategy at Lime, said in an email last month that open data standards like GBFS provide needed transparency for the micromobility industry.
“Open source allows everyone to agree on what is okay to share and allows anyone to see what is being shared. This allows for data privacy groups to provide input as needed,” he said.
Is the data adequately protected?
When someone uses micromobility that follows the GBFS data standard, an internet-connected vehicle will transfer information about its location to the service operator, which often allows others to use that data through an application programming interface, MobilityData’s Sabourin said.
This information is often available to everyone under an open license, allowing anyone to monitor the data and suggest improvements or build an app that can use it. GBFS does not collect user data such as account numbers or usernames, Sabourin said.
“The only information that is displayed is where an available (or disabled) vehicle is located,” she said in an email.
APIs allow two software products to communicate via a technical specification. That enables software developers to connect trip-planning apps like Google Maps with micromobility apps to figure out if any vehicles are available nearby. It also allows cities to use software for curb management and other purposes.
However, micromobility data may not adequately protect consumer privacy because it can be easy to figure out who is traveling, even though the data excludes personal information, said Jan Whittington, an urban planning professor and director of the Urban Infrastructure Lab at the University of Washington, in an email.
“The trips people take across space and time are highly unique,” Whittington said. “It is easy to join these spatial data traces with publicly available data on home or office location to re-identify many individuals at once.”
In a well-known 2013 study, researchers re-identified 95% of 1.5 million people using 15 months of smartphone mobility data. They only needed data from four trips to do it. The same study found that just two randomly selected points could identify more than 50% of users.
“Given the much smaller ridership of a typical bike-share system during a day, it is much easier to identify users with less than four [origin-destination] pairs, especially when the users are near their home neighborhoods,” UCSD’s Sun said.
Micromobility’s Sabourin said that should be less of a concern now that GBFS requires dynamic vehicle IDs.
“There are no stable identifiers in our data set anymore,” she said. If micromobility services follow GBFS’ requirements, each vehicle’s ID will change once someone reserves or rents it, disappearing from the GBFS data feed, Sabourin added.
Although it's possible to routinely download GBFS data to create a historical dataset, it’s unlikely that someone would do it because the feed receives constant updates and the files are “massive,” Sabourin said in an email. “Even then, it would be incredibly difficult to track a single vehicle throughout the day. For example, one dozen vehicles may disappear from the feed one minute, and every minute thereafter, five could reappear, all with different IDs,” she said.
Still, that doesn’t mean all micromobility service operators follow the rules. MobilityData notifies micromobility operators when it discovers that they’re using static vehicle IDs, informing them that they’re risking their users’ privacy, Sabourin said. But it’s up to the companies to do something about it, she said, because only governments have the legal authority to ensure that micromobility companies comply with the GBFS standard.
If MobilityData decides that a micromobility provider isn’t effectively responding to its concerns, the organization may contact the local government directly, Sabourin said, noting that the organization uses a “carrot and stick” approach to ensure compliance.
“We don't like to use the stick as much because that tends to hinder adoption,” she said.
It’s unclear how many local governments check whether micromobility operators use dynamic vehicle IDs or if any cities require them to issue permits, Sabourin said. MobilityData plans to add a feature to its validator tool next year that would automatically check whether a GBFS feed complies with its official specification, she said.
