One day after it started selling memberships, Portland’s new bike-share system has apologized to its first 400 members for inadvertently letting any of them pull up a virtually complete list of other members’ names.
In an email circulated to those early members on Wednesday, the city said that no other information had been made public. By way of apology, it also offered an additional free month of bike-share membership to everyone who signed up before the city fixed the problem at noon Wednesday.
City spokesman John Brady said Wednesday that the issue stemmed from the “social function on the website that allows people to look up friends.” But the function also let people search by member number.
“I think what happened is someone realized that the member numbers were sequential, entered member numbers, and was able to get the first members’ names,” Brady said.
In response, the city has now changed the account numbers of those 400 early members and changed the default setting for new members from “public” to “private.” This means someone will no longer be able to look up virtually every member’s name, only those who opt in to making their membership status public.
The issue was first publicly discussed in a BikePortland subscriber post (since edited) by Ted Timmons. In that post published Wednesday morning, Timmons speculated on the number of people who had signed up for the system in the first 24 hours, and mentioned that another early member, Alan Kessler, had gotten a full list of members.
After Timmons’s post went up, I emailed Brady and Biketown to ask if they knew that a full list of members’ names and Biketown ID numbers could be so easily compiled. They didn’t.
By noon on Wednesday, Kessler had spoken with city officials to explain how he got the list of members.
“All of the people who signed up in the first hours were chatting on Twitter, sort of excited, figuring out who was hipper than who and trying to figure out who signed up,” Kessler said. “We were searching names we knew to try to find out member numbers. … And realized that if you actually searched for member numbers itself, you could actually generate a list of everybody who had signed up.”
Kessler said he basically wanted “to see how successful Biketown was being.”
“I didn’t publicize the names, I didn’t broadcast it,” Kessler said. “But on the other hand, the site doesn’t make any effort to make it private, so it didn’t feel like private information that needed to be protected, necessarily. … it was a feature of the site that you could look at everybody.”
Kessler (who works as a patent attorney) added that Biketown’s website would be more secure in general if something as public and predictable as a member number weren’t also being used as security credentials.
“If they want to make it more secure, they should use a much larger number where most of the numbers don’t correspond to real accounts,” Kessler said. He said that’s what the U.S. Postal Service does. “They also should not use the member number that is used in the web interface as a security credential. … That’s actually something I told PBOT this morning.”
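The two changes discussed here, a member number drawn from a much larger space than the number of real accounts and a friend-search that is private by default, sketched as a small Python model. This is an added illustration, not Biketown’s or Social Bicycles’ code; the `Member`, `Directory`, `register`, `rotate_member_number` and `search` names and the 12-digit number space are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed design, not Biketown's or Social Bicycles' actual implementation.
# 12 digits gives 10^12 possible numbers; a few hundred members fill almost none,
# so a number adjacent to your own is overwhelmingly likely to be unassigned.
MEMBER_NUMBER_DIGITS = 12

@dataclass
class Member:
    internal_id: int                 # database key, never exposed in the web UI
    member_number: str               # public-facing handle only, never a credential
    name: str
    photo_url: Optional[str] = None
    sharing_public: bool = False     # private by default; the member must opt in

class Directory:
    def __init__(self) -> None:
        self._by_number: Dict[str, Member] = {}
        self._next_internal = 1

    def _new_member_number(self) -> str:
        # CSPRNG draw; the loop handles the (astronomically rare) collision.
        while True:
            n = f"{secrets.randbelow(10 ** MEMBER_NUMBER_DIGITS):0{MEMBER_NUMBER_DIGITS}d}"
            if n not in self._by_number:
                return n

    def register(self, name: str, photo_url: Optional[str] = None) -> Member:
        m = Member(self._next_internal, self._new_member_number(), name, photo_url)
        self._next_internal += 1
        self._by_number[m.member_number] = m
        return m

    def rotate_member_number(self, member: Member) -> str:
        # Re-issue a number, as the city did for the first 400 members.
        del self._by_number[member.member_number]
        member.member_number = self._new_member_number()
        self._by_number[member.member_number] = member
        return member.member_number

    def search(self, query: str) -> List[dict]:
        # 'Find friends' by name or number: only opted-in members are visible,
        # and only the three fields the feature needs are returned.
        q = query.strip().lower()
        return [
            {"name": m.name, "member_number": m.member_number, "photo_url": m.photo_url}
            for m in self._by_number.values()
            if m.sharing_public and (q == m.member_number or q in m.name.lower())
        ]
```

Walking the number space in order, as described in the article, finds nothing here because almost every number is unassigned and the assigned ones stay hidden until the member opts in.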
Here’s the email circulated Wednesday by Biketown:
Dear…,
Thank you again for signing up for BIKETOWN. We’re excited to have you as a member!
We need to tell you about an issue that we discovered this morning. Social Bicycles, our technology vendor, offers a social feature that allows you to search by name or bike share membership number to find friends so you can share your rides and your BIKETOWN milestones. The only information that is available via this function is name, membership number and if you’ve uploaded one, a photo. All other information remains private and fully secure.
We’ve learned that this function was turned on by default, and as a result, members were able to obtain the names and member numbers of other members. We care about your privacy and realize that some of you may not want this information searchable.
Therefore we are taking the following steps:
The sharing settings for all BIKETOWN members have been switched to private and this will be the default going forward.
We will change the member numbers of everyone who signed up before 12 pm today. This is when we discovered the issue.
We apologize for this mistake, and as a sign of how seriously we take your privacy, we will credit your account with an additional month free. If you have any questions or concerns, please email us at customerservice@biketownpdx.com.
Sincerely,
The BIKETOWN Team
“There wasn’t a malicious intent here,” Brady said Wednesday, summarizing Kessler’s actions. But “privacy is a really sensitive subject, and there are people who want to keep that to themselves.”
I asked Brady if Biketown member IDs will change so they will no longer be assigned sequentially.
“I’m certainly hoping so, yes,” he said.
Brady said that as of 2:20 p.m. Wednesday, the system had registered 428 members.
— Michael Andersen, (503) 333-7824 – michael@bikeportland.org
They have another snafu they could clear up to attract more members: allow people to use this with family members under the age of 18!!
minimum age elsewhere is 16, it seems. (NYC and DC)
¯\_(ツ)_/¯
Sure, it’d be great, but lets get it launched and add on.
16 years old is commonly referred to as ‘the age of consent’. It’s one reason you can’t see your teen’s medical records without their permission.
wellll, age of consent is for sex. age of majority is for things that are more legal/contractual, which is why credit cards (mostly) have a minimum age of 18.
Also, the age of consent (for sex) in Oregon is 18. Have we already forgotten the little scandal as Sam Adams took office? (The great irony is that some of the alleged meetings took place in Washington, where the age is 16 and thus perfectly legal).
Note I was careful on disclosure, too- I didn’t give away the user IDs in my post, instead I talked about being the “first” or “fourth” to sign up. But yeah, someone didn’t configure Elasticsearch correctly, I’m guessing.
I looked at the first 500 by hand, but I then wrote a script to explore it further. There are more lines of regex to clean up the jsonb than there are in the “hack”.
Maybe somebody could come & present on this @ the Elastic Search meetup. 😉
I didn’t keep good enough notes :/
Thanks Alan for getting us all another free month! 🙂
You’re welcome, but if I’m being honest that’s the part I feel bad about. I’d prefer that PBOT keep the $5k rather than distribute it among those most eager to pay. I hate for them to start with that much more red ink.
As privacy breaches go, this one is pretty teeny. Good to fix it, though.
dude, I wish I had gotten in on that, 2 free months! My name is everywhere on the internet anyways.
I feel bad about the “extra month” because the money could be better used. I’d be happy to donate my free months to help with low-income support.
I was one of the people chatting on Twitter last night. I agree that no one had any malicious intent, we were all just really excited and tried to figure out just how early we all signed up for BIKETOWN. Agree with Adam, thanks Alan for getting us all another free month!
Good clean up on the privacy, yay for the second month, and I’m entertained that I was #15. Spent today on mass transit (in fact on bus right now) wishing I had a heavy orange bike to pedal across the east side.
I love this title: snafu is the perfect acronym for this (Situation Normal, All F*#%@^ Up). It is perfectly normal for Portland to take years to roll something out, and this is ten years of planning and preparing, only to have forgotten to consider people with disabilities. And then they tout this as a “transit component” but don’t allow anyone under the age of 18 to use it! And then the privacy glitch. I was super excited to hear bike share was finally going to launch, but the discriminatory policies and the rigid pricing schemes are a significant obstacle. I would love a BP follow up with Hoyt-McBeth about why no kids.
I wonder if part of the drive for no kids is not wanting to deal with the Oregon Helmet law, although that is 16 and under.
maybe, but the City had well over 10 years to identify this problem and work toward a solution. Situation Normal (PBOT focused on re-inventing some small part of the wheel) All Fuck@d Up (completely ignoring a massive portion of the people they are supposed to be serving)
In the coming months after its debut, depending on the success of bike share in Portland, management of the system could likely be adapted for use by people 18 years and younger.
In fact, I think I’m wondering if the system’s policy doesn’t allow an adult to rent a bike share bike for people of these ages. For example, unless the policy prohibits doing so, an adult of a family with a couple teenagers, out for a little tour of the city, could probably check out bike share bikes, and they could all go for a ride, despite some of the riders being under the age of being able to check the bikes out themselves.
Helmet use, and the helmet use law is another question. Relative to bike share in Portland, enforcement of the helmet use law, probably will depend on the people running the system, and the city of Portland. In general, how often in Portland, does a kid under the age of 16, get stopped and cited for not using a bike helmet while riding a bike? Rarely, I expect. So it’s likely that Portland police wouldn’t be citing bike share users under the age of 16 that aren’t using bike helmets, unless the city got after them to do so.
Not everyone that rides a bike, is so blase about helmet use. Many people want to use one, for whatever little or great benefit that use of bike helmets while riding, offers the wearer in the event of a fall from a bike. What availability of bike share in Portland, is able to help find out about how this feeling about bike helmet use, plays out in actual use of bike share in this city, may be interesting.
The Bike Town website directly addresses this scenario and says (paraphrase) “go rent somewhere else”. They literally provide a link to Portland Bike rental shops.
BTW thanks for the compensation.
Nitpicky detail:
the attractive person riding a biketown bike, shown in what looks to be an official BIKETOWN promo photo at the top of this story, is wearing her helmet in a very casual style, way back on her head…which is incorrect for gaining the safety benefit the helmet is designed to offer.
I’ll say my understanding has been that correctly worn, the helmet should cover the wearer’s forehead. The bottom edge of the helmet should be like an inch or so above the wearer’s eyebrows. It’s fine to occasionally push the helmet back for a change in airflow and so on, but in general use while actually riding, it should be forward on the person’s head.
Just occurs to me that the person on the bike in the photo, may not have been actually riding the bike when the photo was snapped, but instead, paused to the side of the new Tilikum bridge, looking out over the river to the south. Windy up there, which may account for why her shirttail is flapping.
As the vast majority of BIKETOWN customers will likely not be wearing helmets, perhaps the woman in the photo should have been helmet-free.
Oh, the OUTRAGE! A minor lapse in security that may not actually have leaked private info of a fairly small number of subscribers into the wrong hands.
On the other two issues, Biketown is following the EXACT SAME MODEL (no use by minors, no adaptive bikes) as EVERY OTHER BIKESHARE system in the world. But in Portland, that’s an OUTRAGE!
I’m going to speculate that use by minors raises liability and insurance issues that can’t be gotten around. A minor cannot release liability for injuries or otherwise enter into a binding contract. Thus, insurance may not be available at an affordable price, for a bikeshare system that permits use by minors. No inside knowledge but from my past life as a lawyer, I suspect this may be what is going on.