The Cost of Two $1 Bike Rides by Alex Lau
In February 2018, bike sharing was finally introduced to denizens of San Diego, making their presence known overnight, and without much forewarning, as multicolored bicycles seemed to sprout on public and private land all across the city. Within weeks of their arrival, multitudes of people could be seen taking advantage of the flexibility these pick-up-and-go bikes provided, and most people liked the idea of offering alternatives to cars for getting around town. Not as widely discussed was the large amount of information these companies gather through payment information, logging of bike pick-up and drop-off locations, and potentially a vast store of other less obvious metadata.
Recently my wife and I grabbed two orange bikes standing on the grass just off the sidewalk, deciding to ride to the nearby UCSD campus. After each of us paired a payment method to the Spin app, and off we went. We hit a snag while pedaling up a one-mile incline that is normally imperceptible behind the wheel of a car, but forced us to pedal at a moderate jogging pace in the bikes’ first gears. We finally got off the bikes short of the campus, grateful that the service allowed us to drop-off a bike as easily as we had picked them up. After walking them over to a wide part of the sidewalk and securing the wheels with the built-in locking mechanism, we began to walk the rest of the way. Maybe we wouldn’t be competing in the Tour de France, but we got in a little exercise, had some fun riding bikes together, and tried out a new bike app for very little money.
Within a minute of leaving the bikes, we both received text messages and e-mails informing us that we did not leave the bikes in an approved designated area, and that our profiles may suffer hits if the bikes were not parked well. While trying to understand what constituted a designated area in a neighborhood already littered with bike shares, we began wondering to one another what information we had just handed over to Spin and what kind of profile the company was building on us.
There have been articles in the press about the potential dangers of inadvertent data leakage with ride-sharing apps, using a situation where a high-level executive of a well-known public company uses a ride share to visit the doctor, or perhaps more revealing in this hypothetical, an outpatient cancer therapy center. This type of information could be accidentally or even purposely exposed, invading the rider’s privacy and perhaps used to hurt the company’s stock price. While I doubt my bike app is angling to embarrass me in the tabloids one day, some of the same data that can leak out of ride-sharing habits extends to the simple bike app.
Note: You cannot drop off anywhere.
(https://fifi.myportfolio.com/spin-branding)
In the case of our quick ride, one could begin to imagine how Spin might start to learn personal details about my wife and me both individually and as two users that share some sort of connection. While we each paid through Apple Pay, keeping private some of the payment details from Spin, we had to provide phone numbers and e-mail addresses. Even without providing a street address, repeat uses of the app may build Spin a picture of which neighborhood we live in. When we had the chance to read through Spin’s privacy policy, we found most of it to be in the realm one expects: if you use our service, we have access to your info. A few other items were a little bit more concerning including Spin reserving the right to use our personal information to pull a driving record and to assess our creditworthiness. Although we had assumed there might be some method of ensuring a rider cannot abuse a bike or cause an accident without being exposed to some liability, neither of us thought that might include pulling a driving record. Other areas of the privacy policy mention that a user’s private information is Spin’s business asset, and may be disclosed to a third party in the event of a corporate restructuring or bankruptcy.
Although I am not privy to how Spin uses their user data, if I were in their position I can understand the business reality of protecting the company’s assets and satisfying insurance obligations for running a business where almost anyone with a smartphone and credit card can pick up a bike with no human intervention. But even though the policy may state what the company can do with personal data, I would want to err towards the option of least intrusion, or least potential harm. I find it hard to justify using a user’s information to run a detailed background check on their credit history and driving record for building a user profile, but if a user is involved in an incident, such actions may be required. (If the incident is severe, privacy may not be possible or guaranteed regardless if legal action is involved.) I do worry that the lines between which actions are viewed as ethically right or wrong in relation to user data may shift especially if the company was facing financial hardship.
While the privacy policy opened my eyes about what our cheap novelty really cost us, I would be naive not to assume every other app and non-app service I use daily has similar wording. It can be worryingly easy to handwave away such concerns as the price for participation and access to these services, however. Instead as data professionals, we need to take advantage of our expertise to examine and understand the potential benefits and pitfalls of how other organizations use our user data, and lend our voices where needed to minimize potential areas for abuse.
Spin Privacy Policy: https://www.spin.pm/privacy