Shuddle offers Uber for kids, but may put young riders' data at risk

A new smartphone app promising a safe travel option for kids as young as 8 may be a relief for busy parents, but digital privacy experts warn that Shuddle’s young customers’ data may be less secure.

Shuddle, the only rideshare company that caters to kids, gave its passengers a little more autonomy this week with the launch of its new smartphone app. With just a few taps, kids as young as 8 years old can use the ShuddleMe app to arrange for a vetted driver to pick them up and take them home, to soccer practice, or anywhere they need to go.

Nick Allen, who also started another rideshare company, Sidecar, launched Shuddle late last year, and has always strongly emphasized its passengers’ safety as a priority. Even on the new app, parents – who previously had to order Shuddle rides for their kids – must approve the trips their kids order on ShuddleMe. The company stresses that its drivers are subject to background checks, offers insurance coverage of up to $1 million, and gives parents a real-time GPS tracking option to follow the ride’s progress. So far, the service is available only in San Francisco Bay Area.

But digital privacy experts warn Shuddle’s young customers’ data may be less secure.

Shuddle’s privacy policy, they say, may enable the company to collect too much personal information from kids and parents – without specifying how long Shuddle will retain that information – and could pose problems when the data is sold to third parties such as advertisers.

For instance, to use the app, parents are required to create an online profile with the kid's name, cellphone number, e-mail address, and photograph. They can also opt to include their kid’s date of birth. To pick up the kids, drivers can see the first name and last initial of both parent and kid and the kid's photograph and destination. What’s more, the company’s privacy policy says Shuddle "drivers may be able to retain certain information learned over the course of providing a ride" – including after the ride is complete. Shuddle does not give any more details beyond that.

Sascha Meinrath, founder of technology policy organization X-Lab, is troubled by what this means for users' privacy. "They track everything you do, not just while you are logged into their service – but potentially even after you've logged out," Mr. Meinrath said.

The privacy policy can be read broadly, Mr. Meinrath continues, to mean that location data is collected whenever a user is in the app, regardless of whether they are participating in a ride. It also means whenever a parent is accessing the app to check in on a child’s ride, or for any other reason, their location could also be recorded. This information, combined with other personal data Shuddle collects, creates a detailed profile of a kid under 16 – the target passenger for the service.

The location data collected from customers is determined by GPS on their devices, which can be accurate within 50 feet. Shuddle says it retains this data, but does not specify for how long. The only way a user can ensure that his or her data is deleted is to request that Shuddle remove it, even after an account with the company is terminated.

Yet best practice for companies, Meinrath says, is to only store this kind of personal data and location profiles as long is necessary to complete the service. In this case, he said, that would mean deleting data after every ride. 

Retaining this much sensitive information, says cybersecurity lawyer John Kennedy of Wiggin and Dana LLP, could have real-world security implications if there are inadequate security measures. If attackers targeted the system, they could potentially gain access a treasure trove of personal data – including the pictures and maps of general movements of young people – which could put users in danger.

Data security for rideshare companies has come into the spotlight most recently with the announcement of Uber's updated location tracking, which logs users' whereabouts even when the app isn't open. The Electronic Privacy Information Center, an advocacy group, filed a complaint with the Federal Trade commission saying that Uber's new policy is "unlawful and deceptive." Uber has come under fire for previously over treatment of customer data, including suggesting that it would hire researchers to dig up and spread personal details of a journalist's Uber usages who was critical of the company.

Passcode provided Shuddle with a list of questions regarding its privacy policy, but the company refused to comment further than an e-mailed statement.

"Passenger safety and security guides everything we do. Parents are always in control, and we get consent before collecting personal information on children under 18, which is required for us to transport them safely and securely," Shuddle said. "Our practices are in accordance with the [Federal Trade Commission’s] US Children’s Online Privacy Protection Act (COPPA) and at any time, users can request that their personal information be deleted."

Shuddle’s privacy policy says the location data is used to determine fees, give customer support, send promotions, and "for our internal business purposes," but it does not elaborate on the specifics of those intended uses. It also says the data collection is to "improve and personalize our services."

In reality, phrases such as that usually mean targeted advertising. "In the language of privacy policies," Mr. Kennedy said, "the phrase, 'to better personalize our services' often means better targeted advertising specifically directed at the user’s behavior."

Shuddle’s privacy policy does say it may share aggregate customer data with third parties such as advertisers "to deliver relevant advertising and promotional offers to you, your account passengers and to other users of our services." Aggregate data means no personally identifying information – name, birth date, or credit card details, for example – should be shared.

Because Shuddle knowingly collects data from children, the company must follow rules outlined in the Children’s Online Privacy Protection Act (COPPA) of 2000 for disclosing which information it collects from children under 13 and getting express permission from parents for that information. Lawyers say Shuddle, which masks the phone number of the child when the driver calls, appears to be in compliance with this. Review site Yelp, for instance, was fined last year for failing to properly block out under 13 users from having their data collected for features like “checking in” at a location, even though users disclosed their age when signing up.

But commercial partnerships could become problematic if the data sold to third parties is not anonymized to the standard COPPA sets. Because Shuddle shares aggregate user data to third parties – some of which could serve ads – both Shuddle and the third party could be held liable under COPPA if the third parties abuse the kids’ data in any way.

So even though Shuddle's site says users are subject to the third party’s privacy policy, there’s a chance kids’ data could end up in the hands of a company that may not think the stricter rules of COPPA apply to it.

The only way to protect against this, Kennedy says, would be to ensure the data provided to the third parties would need to be completely anonymized according to COPPA standards. Shuddle, though it emphasizes it complies with COPPA, does not specify precisely how it anonymizes its data when it’s provided to third parties.

In fact, experts say, Shuddle has some striking exceptions to the information it says it protects. For instance, the personal information it collects from customers, it says, can be shared with any company that purchases Shuddle in the event of a merger. In that case, the new company could have a significantly different privacy policy than what customers agreed to initially or have a different network of commercial partners.

Shuddle will also share with law enforcement and private parties not just anonymized data, but all user data about both the account holders and the passengers in several situations. For instance, Shuddle says it can, "at our sole discretion," share the non-anonymized information in any situation that it feels is necessary to protect the "property, rights, and safety" of Shuddle, a third party, or "the public in general."

It does not give any examples beyond this.

What’s more, the privacy policy does not say whether or not the company will notify users in the event their data is shared.

The broad wording of the section, Kennedy says, could be intentional; Shuddle may want to protect itself legally under as many circumstances as possible since it deals with children.