No Privacy Policy for New BART App - Now That’s A Suspicious Activity

Sep 10, 2014
Matt Cagle

Page Media

Bay Area Rapid Transit Police logo

If you see something, say something. Or text something, straight to BART police—along with your contact and location information, and a picture of your face. That’s what “BART Watch,” a new app designed to encourage users to report suspicious activities, would like you to do. But we’re calling out this app for its own suspicious activities - having no privacy policy that explains the sensitive information it collects and may be sharing with others, and for encouraging people to file potentially spurious complaints about innocent residents. BART needs to explain how its app treats user information and rethink what it is asking users to report.  

BART Watch collects a wide array of sensitive information from users yet lacks a privacy policy to explain how it will be used. After installation, the app asks for a user’s contact information, their photo, and access to location. The app also takes advantage of an iPhone feature called “background refresh” to collect information from a user’s phone even when the app is closed. Users are told they can submit an “anonymous” report but that process is left unexplained. And finally, users must agree to a terms of use that allows their submitted information to be shared with other companies by the app developer. What exactly does the app collect? How will BART and its app developer use or share all this sensitive information? We don’t know – we haven’t been able to find an app privacy policy.

BART Watch’s opaque data practices are especially alarming in light of one of its key purposes – to solicit information about “suspicious” and “disruptive behavior” from users. The use of such vague terms raises the risk that government records will be created about innocent residents, including panhandlers and protestors. Recognizing the serious privacy and free speech concerns raised by suspicious activity reporting, the ACLU sued the federal government in June over its controversial program of the same name. While we have no reason to believe the BART Watch app is connected to that federal program, this app’s shady reporting criteria gives us pause.

Through this app, BART is not only encouraging users to submit information about others based on vague terms, it is doing so without explaining how it will treat a wealth of very sensitive information. Without a privacy policy, commuters have no way of knowing the complete picture of what the app collects from their devices, who receives it, or how it is used or shared with other entities. Government-produced apps should at least be as transparent as private ones that are all required by law to have a privacy policy. It’s shocking that while developing this astoundingly expensive $265,000 app, BART failed to properly consider privacy issues. We strongly suggest that BART and its developer address this failure and review the ACLU’s primer and the California Attorney General’s best practices as a next step.

Matt Cagle is a Policy Fellow with the ACLU of Northern California’s Technology and Civil Liberties Project.