Post on 14-Apr-2022

2018 Best Best & Krieger LLP

Mitigating Transportation Technology Risks: Privacy, Data and Cybersecurity

BB&K Transportation Technology Webinar Series

November 8, 2018

@smartertranspo

Company/BestBestKrieger

CHALLENGING ISSUES FOR DISCUSSION

• Safe Integration – What is safe enough?

• Preemption

• Regulation of Right-of-Way

• Connection to broadband deployment

• Interoperability

• Tax and Revenue

• Paying for infrastructure

• Privacy and Data Sharing

• Terms of Use (i.e. mandatory arbitration)

• TNC Regulations

• Equity

• Public Trust / Adoption

TO BE THINKING ABOUT…

• Do we have/need a privacy policy?

• Are we collecting data on our system users? (i.e. do you have an app or online payment system?)

• Does GDPR apply?

• Are software contractors selling user data?

• Do we have the right protections in contracts?

• How to promote collaborative data sharing with private/public pilot projects around emerging technologies?

• What is our vision for integration of technology into transportation system?

EDUCATION AND TRUST

GREG RODRIGUEZ

@smartertranspo

Best Best & Krieger LLP

Washington, D.C.

greg.rodriguez@bbklaw.com

www.bbklaw.com

Washington State Transportation Center

• A cooperative program to connect WSDOT with the UW and WSU

• Use university expertise and capabilities to help solve agency problems

– We often help with agency data issues

Everyone Wants Data

• “Without big data analytics, companies are blind and deaf, wandering out onto the web like deer on a freeway.” – Geoffrey Moore

Public Vs. Private Sector

• Many public sector staff view it as the public’s right to have access to the private sector’s data

– “They operate on our infrastructure!”

• But private sector pays far more attention to collection and use of data

– Public sector often ignores their own data

Private Sector

• Businesses are exposed to risks sharing data

– Loss of proprietary information to competitors

– Loss of control of customer interaction

– Loss of data value (through public release)

– Loss of trust from their customers

• Risk of increased regulatory burden, decrease in profitability, increase in liability due to analysis of business practices

How will the data be used?

• Can the private sector trust the public sector to not give away their business secrets?

• How are the data to be used?

– Public FOMO versus Business fear of misuse

Trusted Data Repositories

• Proposed by multiple groups, intent is to provide data to a single, trusted data source

– Issue: cost to operate

– Control of the data and its uses (governance)

• Data quality / integrity

• Data security

• Auditing and accountability

Summary (1)

• Sharing can be good, but is complex and can impose considerable risk to businesses and the privacy of data subjects

• Think/talk through allowable uses, and understand the other sector’s risk/reward position

Summary (2)

• Define the data to be shared

• Define the uses (and users) that are allowed with that data

• Adopt policies on subject privacy and data security

• Create audit and accountability procedures

BBK Webinar

Privacy, Data, and Cybersecurity

Jan Whittington

November 8, 2018

University of Washington, Seattle

Are We Sharing Data Yet?

Collective Action Problem

Public benefits appear obvious

Private “costs” (to individual orgs) appear large

+ Institutional barriers

+ Concern about proprietary data

+ Investment to make shared data “useful”

“What are the benefits to my organization/firm?”

Trusted Data Problem

Protecting the data (security)

Protecting the data subjects (privacy)

Allowing for business competitiveness

Privacy in Location Data

Why Privacy?

Trusted Data Governance

Fair Information Practice Principles

Transparency, Individual Participation, Purpose Specification, Data Minimization, Use Limitation, Data Quality/Integrity, Security, Accountability and Auditing

Solving Problems of Public Interest

Public benefits that are widespread and obvious

Protecting Privacy of the Data Subject

Protection against re-identification as well as breach

Individual secure access

Privacy audits

Key Concerns

Handling sensitive data

+ Low bar of re-identifiability (mathematics)

+ Threat varies geographically (land use and density matter)

+ Query-based solutions (narrow mosaic ‘attack surface’)

Reducing bias in location datasets

+ Population

+ Purpose or intention, from public point of view

+ Population represented in the data, and the private intent of its use

Conducting PIAs or risk/benefit analyses

+ Low tolerance for risk (merge technical with legal protection)

+ Inform of scenarios/trajectories for re-identifiability and harm

+ Business decisions remain with public-facing firms

Legal context

Institutional Environment

An unsettled area of law

+ Concerns about disposition of data held by firms

+ Carpenter case and third party doctrine

+ Agencies request public ownership of data

Current lack of protection for privacy in geospatial data

Role fit for a University

Universities harnessing research to meet privacy challenge

+ Corporate Affiliate Program for private firms

+ Repository for privacy research on sensitive data

+ Privacy-protected data products on a contractual basis

https://www.uwtdc.org/

Fears about Open Data

Medicine’s Model

Legal framework

Philosophy of mutual interest backed by strong governance:

+ Corporate Affiliate Program for location data privacy research

+ Data sharing and use agreements

+ Products for public consumption developed upon request

[Diagram labels: Private, Public, TDC]

Hosting Heterogeneous Data

Simple Architecture

Mobility data is intrinsically heterogeneous – multiple secure endpoints

+ Triage hosts any files in any format for data that needs TDC protections but has not yet been parsed and processed.

+ Lake hosts JSON for data that does not necessarily conform to a standard API, but can be represented in a semi-structured data model

+ Warehouse hosts structured data uploaded through one of several standard APIs

Approach

Policies and protocols to address data ownership, access, use, and privacy in the interest of partner organizations and the persons represented by the data;

A neutral third-party host with transportation expertise to enable data sharing, analysis, and the development of applications;

Protection from the disclosure of unique traces: privacy-preserving research and algorithms and the administrative and legal support available to the UW;

Secure cloud platform: security tools such as policy-based encryption key management to track and audit the uses and users of data

For More Information

https://www.uwtdc.org/

Jan Whittington

PI, Transportation Data Collaborative

Director, Urban Infrastructure Lab

Associate Professor, Urban Design and Planning

University of Washington

janwhit@uw.edu

A trusted third party data platform for monitoring and evaluating mobility services in cities

www.populus.ai

Regina Clewlow, CEO & Co-Founder

BB&K Webinar

November 8, 2018

THE IMPORTANCE OF DATA FOR MANAGING MOBILITY SERVICES

New mobility services (Uber/Lyft, bikeshare, scooters) are being launched in cities at an unprecedented pace.

Cities need data to develop informed policies and transportation plans. Their goals typically are to steer progress towards:

1. Safety: reducing transportation-related injuries and fatalities.

2. Equitable access: improving availability and accessibility of transportation services to people of all backgrounds.

3. Efficiency: prioritizing efficient use of public space, and reducing transportation energy use/climate impacts.

MOBILITY SERVICE ADOPTION IS ACCELERATING

POPULUS MOBILITY MANAGER HELPS CITIES AND PRIVATE OPERATORS WORK MORE SEAMLESSLY TOGETHER - THROUGH BETTER DATA

Populus Mobility Manager

Our platform:

● Integrates and harmonizes live data feeds from all major mobility operators.

● Provides cities with a single, user-friendly dashboard for operational and planning needs.

● Securely analyzes and aggregates data to protect sensitive data, reducing the technical burden on cities.

NEAR-TERM OPPORTUNITIES FOR CITIES TO HARNESS MOBILITY DATA

MONITORING OPERATORS

● Are operators adhering to scooter/bike minimums or maximums?

● Are vehicles located in geographic areas that the city has incentivized or restricted?

MEASUREMENT TO DRIVE DATA-DRIVEN POLICIES

● Are new mobility services expanding equitable access?

● Are vehicle utilization rates high enough to justify potential increases in bike/scooter caps?

NEW DATA FOR TRANSPORTATION PLANNING

● Where might the city place new bike/scooter infrastructure such as docking stations or charging stations?

● Where might the city add new bike/scooter lanes?

Questions? Thank you for attending!