How Bike-Sharing Services And Electric Vehicles Are Sending Personal Data To The Chinese Government
from the why-we-can't-have-nice-things dept
A year ago, Techdirt wrote about the interesting economics of bike-sharing services in China. As the post noted, competition is fierce, and the profit margins slim. The real money may be coming from gathering information about where people riding these bikes go, and what they may be doing, and selling it to companies and government departments. As we warned, this was something that customers in the West might like to bear in mind as these Chinese bike-sharing startups expand abroad. And now, the privacy expert Alexander Hanff has come across exactly this problem with the Berlin service of the world’s largest bike-sharing operator, Mobike:
data [from the associated Mobike smartphone app] is sent back to Mobike’s servers in China, it is shared with multiple third parties (the privacy policy limits this sharing in no way whatsoever) and they are using what is effectively a social credit system to decrease your “score” if you prop the bike against a lamp post to go and buy a loaf of bread.
Detailed location data of this kind is far from innocuous. It can be mined to provide a disconcertingly complete picture of your habits and life:
through the collection and analysis of this data the Chinese Government now likely have access to your name, address (yes it will track your address based on the location data it collects), where you work, what devices you use, who your friends are (yes it will track the places you regularly stop and if they are residential it is likely they will be friends and family). They also buy data from other sources to find out more information by combining this data with the data they collect directly. They know what your routines are such as when you are likely to be out of the house either at work, shopping or engaging in social activities; and for how long.
As Hanff points out, most of this is likely to be illegal under the EU’s GDPR. But Mobike’s services are available around the world, including in the US. Although Mobike’s practices can be challenged in the EU, elsewhere there may be little that can be done.
And if you think the surveillance made possible by bike sharing is bad, wait till you see what can be done with larger vehicles. As many people have noted, today’s complex devices no longer have computers built in: they are, essentially, computers with specialized capabilities. For example, electric cars are computers with an engine and wheels. That means they are constantly producing large quantities of highly-detailed data about every aspect of the vehicle’s activity. As such, the data from electric cars is a powerful tool for surveillance even deeper than that offered by bike sharing. According to a recent article from Associated Press, it is an opportunity that the authorities have been quick to seize in China:
More than 200 manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, Mitsubishi and U.S.-listed electric vehicle start-up NIO, transmit position information and dozens of other data points to [Chinese] government-backed monitoring centers, The Associated Press has found. Generally, it happens without car owners’ knowledge.
What both these stories reveal is how the addition of digital capabilities to everyday objects — either indirectly through smartphone apps, as with Mobike, or directly in the case of computerized electric vehicles — brings with it the risk of pervasive monitoring by companies and the authorities. It’s part of a much larger problem of how to enjoy the benefits of amazing technology without paying an unacceptably high price in terms of sacrificing privacy.
Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+
Filed Under: bike sharing, china, electric vehicles, gdpr, location, location info, privacy
Comments on “How Bike-Sharing Services And Electric Vehicles Are Sending Personal Data To The Chinese Government”
Alexander Hanff
If that’s the same Alexander Hanff who got busted in the UK for running a BitTorrent site a dozen or so years ago, I’ve got to wonder how that case ever turned out. Maybe it’s something he’s trying hard to forget, and hopefully he didn’t lose too many years of his life over it.
Re: Alexander Hanff
He never lost any years, the lawsuit was unenforceable in the U.K. so he just ignored it. For the last 12 years he has been fighting for stronger privacy laws with significant success.
And do you think...
the US government isn’t getting the same type of data?
Re: And do you think...
So far, they haven’t quite gotten organized about it, so no, not quite yet, not on everyone all the time. But, try threatening the president, or making an NSA leak, and they will find you with that data.
Anonymized and controlled transmissions
Dear Mr Moody:
The big issue I see with all these IoT devices (bikes, cars, vehicle to vehicle and vehicle to infrastructure communications, etc) is twofold:
a) *nothing* is anonymous — I can’t think of a protocol that doesn’t require some kind of unique address somewhere
b) *complete* loss of control over the datalinks to the endpoints. (not that ALPR isn’t the same issue).
Looking at you Tesla, but I don’t *want* your remote software updates or real-time tracking. And I don’t want the vulnerability surface that the remote RF/Cellular/Internet data link presents. I can bring my own “infotainment”/”smartphone”/whatever for that.
Re: Anonymized and controlled transmissions
The bigger issue is that companies and governments just have to keep all the data so that they can build profiles of people. It’s one thing to know where a bike or vehicle is now, and quite another to keep a history of where its been. The first can be a benefit to people in the vent of a crash being detected, the second is what marketeers desire to manipulate people, and governments to control people.
Re: Anonymized and controlled transmissions
My wife just bought a new car that she really likes, but the bells and whistles bother me a lot. She handed me a key fob for me, and the car senses when the fob is in the car to adjust seat and settings for me. That disturbs me, since the car is connected, acts as a wifi hotspot, and also has a blackbox to track the car’s data.
Don’t think I’m not aware that just carrying a smartphone means that I’m tracked. I’m not comfortable with it, though I know that the data would (should) just prove that I’m one of the most boring people in the world and clear me if there were ever in the need. Still, we should have some privacy.
> They know what your routines are such as when you are likely to be out of the house either at work, shopping or engaging in social activities; and for how long.
Really sucks to be a spook these days. First thing, give up your Pokemon Go account…
Re: Re:
Bellingcat, bellingcat…don’t forget the fitbit!
no such thing as a free lunch, er cheap bike sharing.
This is why we can’t have nice tech things anymore. Every business and government decided that there was data to parse from everyone even if not useful at the moment.
Re: no such thing as a free lunch, er cheap bike sharing.
Agreed. In addition I have noticed more businesses who want to scan your drivers license prior to purchase, typically things like booze, pharma, and smoking material where there is an age restriction. They claim it is to address fake ids with wrong info. I find this excuse to be rather weak and a bit dishonest. Surely photo/face id/recognition will soon follow. I doubt anyone is considering the future problems this will cause.
Nope.
I will NOT. EVER. buy a car that has a data uplink – I’d sooner revert to riding a bike if I must (it’s tons more fun anyway only a helluva lot less convenient). And yes, my phone’s GPS is OFF 99.999% of the time. So are “location services”. And apps that ask for location permissions unceremoniously get the boot. Yeah, my mobile carrier must have a fairly good idea where I go, not much I can do about that – others though… good luck.
So go on, ask me whether I would use this service…
If you own and/or use a personalized tracking device(PTD), don’t act surprised when you are tracked. Sadly, too many things are becoming PTDs. Used to be primarily smartphones. Now cars, TVs, Blue Ray players, watches, and even scooters are PTDs. Pretty much anything with ‘Smart’ in its description is probably a PTD.
I am worried to hear it. Is it risky for us?