How Bike-Sharing Services And Electric Vehicles Are Sending Personal Data To The Chinese Government

from the why-we-can't-have-nice-things dept

A year ago, Techdirt wrote about the interesting economics of bike-sharing services in China. As the post noted, competition is fierce, and the profit margins slim. The real money may be coming from gathering information about where people riding these bikes go, and what they may be doing, and selling it to companies and government departments. As we warned, this was something that customers in the West might like to bear in mind as these Chinese bike-sharing startups expand abroad. And now, the privacy expert Alexander Hanff has come across exactly this problem with the Berlin service of the world's largest bike-sharing operator, Mobike:

data [from the associated Mobike smartphone app] is sent back to Mobike's servers in China, it is shared with multiple third parties (the privacy policy limits this sharing in no way whatsoever) and they are using what is effectively a social credit system to decrease your "score" if you prop the bike against a lamp post to go and buy a loaf of bread.

Detailed location data of this kind is far from innocuous. It can be mined to provide a disconcertingly complete picture of your habits and life:

through the collection and analysis of this data the Chinese Government now likely have access to your name, address (yes it will track your address based on the location data it collects), where you work, what devices you use, who your friends are (yes it will track the places you regularly stop and if they are residential it is likely they will be friends and family). They also buy data from other sources to find out more information by combining this data with the data they collect directly. They know what your routines are such as when you are likely to be out of the house either at work, shopping or engaging in social activities; and for how long.

As Hanff points out, most of this is likely to be illegal under the EU's GDPR. But Mobike's services are available around the world, including in the US. Although Mobike's practices can be challenged in the EU, elsewhere there may be little that can be done.

And if you think the surveillance made possible by bike sharing is bad, wait till you see what can be done with larger vehicles. As many people have noted, today's complex devices no longer have computers built in: they are, essentially, computers with specialized capabilities. For example, electric cars are computers with an engine and wheels. That means they are constantly producing large quantities of highly-detailed data about every aspect of the vehicle's activity. As such, the data from electric cars is a powerful tool for surveillance even deeper than that offered by bike sharing. According to a recent article from Associated Press, it is an opportunity that the authorities have been quick to seize in China:

More than 200 manufacturers, including Tesla, Volkswagen, BMW, Daimler, Ford, General Motors, Nissan, Mitsubishi and U.S.-listed electric vehicle start-up NIO, transmit position information and dozens of other data points to [Chinese] government-backed monitoring centers, The Associated Press has found. Generally, it happens without car owners' knowledge.

What both these stories reveal is how the addition of digital capabilities to everyday objects -- either indirectly through smartphone apps, as with Mobike, or directly in the case of computerized electric vehicles -- brings with it the risk of pervasive monitoring by companies and the authorities. It's part of a much larger problem of how to enjoy the benefits of amazing technology without paying an unacceptably high price in terms of sacrificing privacy.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: bike sharing, china, electric vehicles, gdpr, location, location info, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 11 Dec 2018 @ 4:12pm

    Alexander Hanff

    If that's the same Alexander Hanff who got busted in the UK for running a BitTorrent site a dozen or so years ago, I've got to wonder how that case ever turned out. Maybe it's something he's trying hard to forget, and hopefully he didn't lose too many years of his life over it.

    link to this | view in thread ]

  2. identicon
    Pixelation, 11 Dec 2018 @ 7:15pm

    And do you think...

    the US government isn't getting the same type of data?

    link to this | view in thread ]

  3. identicon
    Christenson, 11 Dec 2018 @ 7:21pm

    Anonymized and controlled transmissions

    Dear Mr Moody:
    The big issue I see with all these IoT devices (bikes, cars, vehicle to vehicle and vehicle to infrastructure communications, etc) is twofold:
    a) *nothing* is anonymous -- I can't think of a protocol that doesn't require some kind of unique address somewhere
    b) *complete* loss of control over the datalinks to the endpoints. (not that ALPR isn't the same issue).

    Looking at you Tesla, but I don't *want* your remote software updates or real-time tracking. And I don't want the vulnerability surface that the remote RF/Cellular/Internet data link presents. I can bring my own "infotainment"/"smartphone"/whatever for that.

    link to this | view in thread ]

  4. identicon
    Christenson, 11 Dec 2018 @ 7:24pm

    Re: And do you think...

    So far, they haven't quite gotten organized about it, so no, not quite yet, not on everyone all the time. But, try threatening the president, or making an NSA leak, and they will find *you* with that data.

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 11 Dec 2018 @ 9:51pm

    > They know what your routines are such as when you are likely to be out of the house either at work, shopping or engaging in social activities; and for how long.

    Really sucks to be a spook these days. First thing, give up your Pokemon Go account...

    link to this | view in thread ]

  6. identicon
    bob, 12 Dec 2018 @ 12:42am

    no such thing as a free lunch, er cheap bike sharing.

    This is why we can't have nice tech things anymore. Every business and government decided that there was data to parse from everyone even if not useful at the moment.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 12 Dec 2018 @ 2:21am

    Re: Anonymized and controlled transmissions

    The bigger issue is that companies and governments just have to keep all the data so that they can build profiles of people. It's one thing to know where a bike or vehicle is now, and quite another to keep a history of where its been. The first can be a benefit to people in the vent of a crash being detected, the second is what marketeers desire to manipulate people, and governments to control people.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 12 Dec 2018 @ 7:24am

    Re: no such thing as a free lunch, er cheap bike sharing.

    Agreed. In addition I have noticed more businesses who want to scan your drivers license prior to purchase, typically things like booze, pharma, and smoking material where there is an age restriction. They claim it is to address fake ids with wrong info. I find this excuse to be rather weak and a bit dishonest. Surely photo/face id/recognition will soon follow. I doubt anyone is considering the future problems this will cause.

    link to this | view in thread ]

  9. identicon
    mcinsand, 12 Dec 2018 @ 10:55am

    Re: Anonymized and controlled transmissions

    My wife just bought a new car that she really likes, but the bells and whistles bother me a lot. She handed me a key fob for me, and the car senses when the fob is in the car to adjust seat and settings for me. That disturbs me, since the car is connected, acts as a wifi hotspot, and also has a blackbox to track the car's data.

    Don't think I'm not aware that just carrying a smartphone means that I'm tracked. I'm not comfortable with it, though I know that the data would (should) just prove that I'm one of the most boring people in the world and clear me if there were ever in the need. Still, we should have some privacy.

    link to this | view in thread ]

  10. icon
    Max (profile), 12 Dec 2018 @ 2:39pm

    Nope.

    I will NOT. EVER. buy a car that has a data uplink - I'd sooner revert to riding a bike if I must (it's tons more fun anyway only a helluva lot less convenient). And yes, my phone's GPS is OFF 99.999% of the time. So are "location services". And apps that ask for location permissions unceremoniously get the boot. Yeah, my mobile carrier must have a fairly good idea where I go, not much I can do about that - others though... good luck.

    So go on, ask me whether I would use this service...

    link to this | view in thread ]

  11. icon
    tom (profile), 12 Dec 2018 @ 3:25pm

    If you own and/or use a personalized tracking device(PTD), don't act surprised when you are tracked. Sadly, too many things are becoming PTDs. Used to be primarily smartphones. Now cars, TVs, Blue Ray players, watches, and even scooters are PTDs. Pretty much anything with 'Smart' in its description is probably a PTD.

    link to this | view in thread ]

  12. identicon
    Christenson, 12 Dec 2018 @ 4:02pm

    Re:

    Bellingcat, bellingcat...don't forget the fitbit!

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 20 Mar 2019 @ 3:52pm

    Re: Alexander Hanff

    He never lost any years, the lawsuit was unenforceable in the U.K. so he just ignored it. For the last 12 years he has been fighting for stronger privacy laws with significant success.

    link to this | view in thread ]

  14. icon
    Helmet (profile), 29 Dec 2019 @ 8:27am

    I am worried to hear it. Is it risky for us?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.