Shuddle, the only rideshare company that caters to kids, gave its passengers a little more autonomy this week with the launch of its new smartphone app. With just a few taps, kids as young as 8 years old can use the ShuddleMe app to arrange for a vetted driver to pick them up and take them home, to soccer practice, or anywhere they need to go.
Nick Allen, who also started another rideshare company, Sidecar, launched Shuddle late last year, and has always strongly emphasized its passengers’ safety as a priority. Even on the new app, parents – who previously had to order Shuddle rides for their kids – must approve the trips their kids order on ShuddleMe. The company stresses that its drivers are subject to background checks, offers insurance coverage of up to $1 million, and gives parents a real-time GPS tracking option to follow the ride’s progress. So far, the service is available only in San Francisco Bay Area.
But digital privacy experts warn Shuddle’s young customers’ data may be less secure.
Sascha Meinrath, founder of technology policy organization X-Lab, is troubled by what this means for users' privacy. "They track everything you do, not just while you are logged into their service – but potentially even after you've logged out," Mr. Meinrath said.
The location data collected from customers is determined by GPS on their devices, which can be accurate within 50 feet. Shuddle says it retains this data, but does not specify for how long. The only way a user can ensure that his or her data is deleted is to request that Shuddle remove it, even after an account with the company is terminated.
Yet best practice for companies, Meinrath says, is to only store this kind of personal data and location profiles as long is necessary to complete the service. In this case, he said, that would mean deleting data after every ride.
Retaining this much sensitive information, says cybersecurity lawyer John Kennedy of Wiggin and Dana LLP, could have real-world security implications if there are inadequate security measures. If attackers targeted the system, they could potentially gain access a treasure trove of personal data – including the pictures and maps of general movements of young people – which could put users in danger.
Data security for rideshare companies has come into the spotlight most recently with the announcement of Uber's updated location tracking, which logs users' whereabouts even when the app isn't open. The Electronic Privacy Information Center, an advocacy group, filed a complaint with the Federal Trade commission saying that Uber's new policy is "unlawful and deceptive." Uber has come under fire for previously over treatment of customer data, including suggesting that it would hire researchers to dig up and spread personal details of a journalist's Uber usages who was critical of the company.
"Passenger safety and security guides everything we do. Parents are always in control, and we get consent before collecting personal information on children under 18, which is required for us to transport them safely and securely," Shuddle said. "Our practices are in accordance with the [Federal Trade Commission’s] US Children’s Online Privacy Protection Act (COPPA) and at any time, users can request that their personal information be deleted."
In reality, phrases such as that usually mean targeted advertising. "In the language of privacy policies," Mr. Kennedy said, "the phrase, 'to better personalize our services' often means better targeted advertising specifically directed at the user’s behavior."
Because Shuddle knowingly collects data from children, the company must follow rules outlined in the Children’s Online Privacy Protection Act (COPPA) of 2000 for disclosing which information it collects from children under 13 and getting express permission from parents for that information. Lawyers say Shuddle, which masks the phone number of the child when the driver calls, appears to be in compliance with this. Review site Yelp, for instance, was fined last year for failing to properly block out under 13 users from having their data collected for features like “checking in” at a location, even though users disclosed their age when signing up.
But commercial partnerships could become problematic if the data sold to third parties is not anonymized to the standard COPPA sets. Because Shuddle shares aggregate user data to third parties – some of which could serve ads – both Shuddle and the third party could be held liable under COPPA if the third parties abuse the kids’ data in any way.
The only way to protect against this, Kennedy says, would be to ensure the data provided to the third parties would need to be completely anonymized according to COPPA standards. Shuddle, though it emphasizes it complies with COPPA, does not specify precisely how it anonymizes its data when it’s provided to third parties.
Shuddle will also share with law enforcement and private parties not just anonymized data, but all user data about both the account holders and the passengers in several situations. For instance, Shuddle says it can, "at our sole discretion," share the non-anonymized information in any situation that it feels is necessary to protect the "property, rights, and safety" of Shuddle, a third party, or "the public in general."
It does not give any examples beyond this.
The broad wording of the section, Kennedy says, could be intentional; Shuddle may want to protect itself legally under as many circumstances as possible since it deals with children.