Mobike is a bad deal for Privacy

Earlier this week I was giving a speech on Data Ethics in Copenhagen when I was approached by one of the participants who wanted to ask me about a service they recently started using in Berlin called Mobike.

They were concerned that the app which is required to use the service (which is a dock less bicycle sharing service) was collecting all their location data and sending it back to China (where Mobike is based). They also mentioned that the App had a form of discriminative pricing whereby if you broke their “rules” your monthly subscription price would increase.

Obviously this piqued my interest for a number of reasons. At first glance of the app it was obvious that there is a scoring system similar to the controversial Chinese Social Credit system and in order to determine your score minor infringements (such as not parking in a public parking zone) were being constantly monitored — in fact other users of the service are encouraged to report bikes parked in unauthorized zones. If you think this sounds creepy, it is because it is.

Another issue which I was concerned about was how they are sending this data to China in a way which is not compliant with EU law. When you read the Mobike privacy policy (which states it is the same policy for all users outside the People’s Republic of China irrespective of which country you may be in), Mobike have taken the position that:

Location Information:When you use bicycle-rental services, we collect precise location data about the trip from the MOBIKE app. If you permit the MOBIKE app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

Just hang on a second and re-read that. So Mobike will collect precise location data about the trip from the app, irrespective of whether or not you consent and they may also collect precise location data about your device if you do consent. Perhaps it is just me, but if you need to use the app in order to use the bike, collecting precise location data about the trip is also collecting precise location data about your device because your device will be on your person throughout the trip…

But more importantly, they are collecting this data irrespective of consent and on Android devices consent is assumed simply if you use the Mobike App:

Android devices will notify you of the permissions that the MOBIKE app seeks before you first use the app, and your use of the app constitutes your consent.

What’s more, this data is sent back to Mobike’s servers in China, it is shared with multiple third parties (the privacy policy limits this sharing in no way whatsoever) and they are using what is effectively a social credit system to decrease your “score” if you prop the bike against a lamp post to go and buy a loaf of bread.

So let’s talk about the big blue elephant in the room, covered in yellow stars — the General Data Protection Regulation (GDPR).

First and foremost, China does not have an adequacy decision from the EU Commission and for good reason — China’s track record when it comes to respecting fundamental rights on freedom of speech, privacy and data protection is… well let’s just say it is not stellar. Chinese companies routinely share information with the Chinese Government and the Chinese Government is an active investor in many Chinese companies (especially those which operate in the Western Hemisphere).

That means that in order to send personal data of this nature back to China they are required to have an appropriate safeguard in place. Under the GDPR those safeguards are Standard Contractual Clauses, Binding Corporate Rules and Codes of Conduct or Certifications. But in the case of Mobike they are relying on consent (and consent which is arguably invalid under the GDPR definition of consent).

The problem here is that consent is only permitted as a means to facilitate transfer of personal data to third countries (countries outside of the EU which do not have an adequacy decision) as a very limited, temporary measure. It is regarded as a derogation, which means it should be restricted in most cases to a single use or limited use for a limited number of data subjects (usually a single data subject). It is not permitted to use consent as the normal course of operations which means sending this data to China for all users in the 200 cities they operate in, is illegal under the GDPR.

And speaking of GDPR, the privacy policy of Mobike is also in breach of the GDPR. Whereas they mention Data Subject rights, there is no comprehensive information about international transfers (just that you consent to them), there is no information about the third parties they share the data with (just generic categories of whom they might share it with), there is no information about the legal bases they use for processing personal data.

Furthermore there is no information about their Data Protection Officer (just a generic support email address) and GDPR requires that companies operating in the EU which do not have an office in the EU are required to appoint a representative in one of the EU member states in which they operate — it does not appear that Mobike have done this either.

Their policy is also not compliant with the ePrivacy Directive as it gives itself carte blanche permission to harvest substantial data from your mobile device without any appropriate legal basis and also share that with pretty much whomever they choose; including sending that back to China as well.

So now we have a bicycle sharing service which is collecting significant amounts of special category personal data (which is afforded a higher level of protection under the GDPR), sharing it pretty much every where and with everyone and sending that data back to China in breach of the GDPR and ePrivacy Directive.

But I get it, you just want to ride a bike for 8 euros a months and don’t care about all of this, right? So what if I tell you that through the collection and analysis of this data the Chinese Government now likely have access to your name, address (yes it will track your address based on the location data it collects), where you work, what devices you use, who your friends are (yes it will track the places you regularly stop and if they are residential it is likely they will be friends and family). They also buy data from other sources to find out more information by combining this data with the data they collect directly. They know what your routines are such as when you are likely to be out of the house either at work, shopping or engaging in social activities; and for how long.

I can not stress enough the risks associated with the mass surveillance of movement and China are a country with a long history of using this type of data for less than pleasant purposes.

Perhaps most shocking about all of this however, is that Mobike are present in over 200 cities globally and so far it seems that none of these municipalities have conducted appropriate due diligence checks from a data protection and privacy perspective with most cities on record as stating that is between the user and Mobike. Even Berlin — the very last city on this great planet that I would have expected to allow this type of service to slip in under the radar — with World War II and the Stasi barely a blink in time past; have allowed Mobike to setup a surveillance and social credit system right under their noses.

Mobike are not GDPR or ePrivacy compliant — it is far beyond time that such compliance should be required before public authorities allow such services to exist in their communities because if they don’t, the laws we create to protect our fundamental rights are effectively rendered useless.

Equally concerning is that none of this data is even required to be kept or shared in order for Mobike to conduct the business of renting bicycles. The distance traveled can be calculated and applied to a user without the need to store and share the precise location data; the location of a bike can be stored without attaching that to user data — by following very basic principles of Privacy and Data Protection by Design (a legal requirement under the GDPR) many of the concerns raised by Mobike (and several other bike sharing services — Mobike are not the only concern here…) could and should have been avoided. However it seems that none of this was even considered during the development of the service and instead the service just harvests as much data as it can and then sends it off to China.

This is not acceptable and I urge all municipalities to conduct a full review of all ride sharing services they have deployed in their communities because our fundamental rights are NOT for sale.