NiceRide released the data for the last season. This information contains the start site, end site, and dates and times. The data also contains a unique user ID. Does anyone think this raises privacy issues?

If you are a regular user, and I know where and when you typically pick up your bike and where your drop it, I can figure out pretty quickly what your Subscriber ID is. From there I can tell where you went and when.

When combined with other sources of data, this information becomes even more usable.

Here is a sample screen shot:



https://t.co/L4fxKSa6

Yes.

I can believe that there is reasonable public interest in knowing about how people are using NiceRide. I don't believe there is reasonable public interest in knowing how a person uses NiceRide throughout the season. The data is not de-identified enough. A court may or may not agree with me, but I'm pretty sure the court of public opinion will not be pleased.

If they'd kept a consistent subscriber ID for a single day, so that one could see the pattern of check-ins and check-outs for a whole ride, I'd call that ok, but that isn't what they did; according to the readme, that's the user's subscriber id for the season. So if someone used NiceRide consistently through the year, I can find out who you are and where you were and where you might be next year.

MN recognizes the public disclosure of private facts tort, and I'd think this would qualify. It might also be a violation of their contract with subscribers.

TL;DR *facepalm*

ETA: There is also the question of what can be done with that Subscriber ID. If it is a user's actual Subscriber ID, it may be possible to do hinky things with it; the Nice Ride contract forbids users from sharing their ID. It's probably hashed or something, but may be recoverable (since I'm not a subscriber, I have no way to check). I also looked at the contract regarding confidentiality; it just says "NRM will comply with the Privacy Policy maintained at www.niceridemn.org, but the Privacy Policy is about information collected on the website only. So damned if I know.

can you link to the data without an url shortener plz.

+ 1

People like me really like the actual links. That way I choose if it's a site I should be going to before I click the link.

No hard feelings. Nothing personal. Just prefer the full link. I know people that won't click url shortened links at work because they worry about their job.

Links to a 7.5M zip file

https://niceridemn.egnyte.com/h-s-inter ... e2f74045be

I never heard of egnyte.com, either, so here's the link to their front page:

https://www.egnyte.com/

I'm going to think about this a bit.

Ok, I'm back half a second later. I believe it's irresponsible for this data to be released to the public. I should not be able to have this data on my computer. I do not believe that the people that made this information public are qualified to have the data. If they were they wouldn't have released it. It wouldn't be on my computer.

Egnyte's a legitimate cloud-based file sharing service for small/medium businesses; I've used them before in my consulting work.

Interesting, despite having rented twice, I have the same subscriber ID, presumably because I used the same credit card for both 24 hour subscriptions.

Check out where I went, if you feel like it: HO85QIR2VS

Or a better example, can anyone figure out what I was doing or where I was going?

After looking at some of the data, I can see the possibility of trying to tie a Subscriber ID to a particular person. It is a little far fetched though as to what someone would do with it. If someone was nefarious, and already knows enough of your nice ride habits in person, to be able to figure out your subscriber ID in the first place, what more are they going to yield from looking at summer 2012's data?

I want to clarify what I meant.

Look this id up.

2VPKT568K9


You can see the places this person went and when. You can see their patterns. If you know when they were at a particular location getting a bike you can see everywhere else they go. Subscriber id's should not be included in the data they released.


The big talk on privacy right now is license plate tracking data. This is actually quite a bit worse.

2VPKT568K9 appears to be a student or staff at the U.

So, if you knew the person behind 2VPKT568K9 well enough already, to be able seperate 2VPKT568K9 from other subscribers that are U staff or students with similar usage patterns, such as 8D2UCT5IYY, then what additional information is the data going to provide you, that you would't already have?

Seems like this data provides a useful tool if I wanted to stalk 2VPKT568K9.

Because I've been stalking them I can identify the person connected with 2VPKT568K9.

I might know they work or attend the U but I might not know where else they go. Now I do.

You know where they went to within a many-block radius, sure.

I'm HO85QIR2VS. Where did I go?

I was network security programmer and data miner on a network operations security team at a very large institution (a couple hundred thousand people between employees and contractors) before I grew weary of corporate America. I dealt with very large amounts of private and sensitive data. I have a qualifying opinion on the matter as far as what is professional goes.


Really common sense wins out over that though. People don't like people to have information on where they have been and where they go and when... They like it even less when this data has been made public.


This data should not have been released with identifiers for people. It is irresponsible.

I do not know where you went, but I suck at knowing what is at different streets around here.

But I know that you did not travel alone.
That you do not have a NiceRide subscription but that you paid with the same credit card each time.
And that you used the bikes on two occasions - a Saturday and Sunday in September and a Saturday in October.


Here is an example of the danger:

Let's say I take a bike out every morning near my house and ride it to work. My ex-wife knows I do this. She uses this information to figure out my subscriber ID because I am the only one who daily takes that bike from there and rides to the location near my work. Using my ID she looks at my other activity. She sees that I am riding places in the middle of the day. She sees that I am riding places when I told her I was out of town. She sees that I am riding around when I told her I was too sick to take the kids. She sees that I am riding to a place where I spent Saturday night and ride away the next morning. I just do not want her knowing that shit and I did not pay NiceRide to tell her.

Forgot that one.