TLC on the wrong trip with tracking
For the past two years, New York’s Taxi & Limousine Commission has tracked the exact start time and location of every single trip people have taken in for-hire vehicles. That’s black cars, local car services, Uber, you name it. And many of these trips have been publicly disclosed online because the government has failed to adequately protect the privacy of this information.
At the time TLC started this data collection, I wrote that this requirement could imperil individual privacy, and that “if the TLC proposes at a later date to collect additional information (such as dropoff location) as well, that would raise further privacy concerns, given the sensitivity of location information.”
Now the TLC wants to do just that. The agency is proposing rules to collect the end time and dropoff location of each trip as well, giving it a complete picture of exactly where everyone in New York City is coming from and going. This is a major privacy and security risk.
The TLC argues that it needs this data to prevent fatigued driving. But while there may be some connection between fatigued driving and trip duration, the TLC hasn’t demonstrated any connection between fatigued driving and its desire to know where all these trips end. Whether riders are going home, to their office or anywhere else, all that should be relevant to TLC to measure fatigue is how long it took to get them there — rather than the pickup and dropoff location.
Not only does the TLC not need this destination location data for its stated purpose; the collection and retention of this mass of personal trip data by the government is deeply troubling for a number of reasons. Previous instances of widespread data collection by the TLC demonstrate how the information collected can be revealing about individuals.
The City of New York acknowledged another risk recently — namely, that data collected by the government for a particular purpose can subsequently be utilized for very different purposes by actors with different motivations. This month, citing concerns that data in its possession could be used to target undocumented immigrants, the city reversed its policy of collecting personal records from applicants for municipal ID cards, and even sought to destroy copies of records it had previously collected, with the mayor declaring that where people’s personal privacy is involved, there would be “a real fight.”
Here too, the better solution would be for the TLC not to collect this sensitive data — data that catalogue the intimate details of people’s trips to their homes, their doctors’ offices, immigration lawyers’ offices, Planned Parenthood centers and any number of other places New Yorkers go to conduct private business.
Rather, the city can require companies to maintain their own databases, protected by strong security measures. By doing so, the TLC would limit the scope of its own data collection, ensuring that it would be less likely to suffer a catastrophic data breach — an unfortunately common reality these days.
As I detailed in a report last year for the Center for Democracy & Technology, government regulation is necessary to promote safety, equal access and nondiscrimination. Regulators will often need data to verify that companies are complying with those regulations.
But in requiring companies to provide data, government agencies like the TLC should clearly state the reason for requiring the data, should limit the scope of requests to data which is necessary for the stated purpose (here, driver fatigue), should give special consideration to privacy-sensitive data types (such as financial, location, residential or demographic data), and should consult with consumer privacy groups and data experts to help protect against any unintended consequences of collection of such data. An appropriate balance between regulatory goals and individual privacy needs to be struck.
The TLC has not done that here, and doesn’t appear to be aware of the consequences of its data collection. Before the city finds itself in possession of another sensitive data set it wishes it didn’t have, it should direct the TLC to stop and learn about the potential unintended consequences of its actions.