“If you see something, say something,” the San Francisco Bay Area’s official transit safety app advises users. But some San Francisco commuters claim the app was secretly watching them.
The BART Watch app bills itself as a crime-reporting tool. The app, available on the iTunes and Google Play stores, allows riders on the Bay Area Rapid Transit system to confidentially report suspicious activity, call transit police, and check train times. But a new lawsuit claims the confidential reporting app isn’t so anonymous.
The federal class action, filed Monday, claims the BART Watch app collects users’ locations and identifying information without consent and transmits them to law enforcement, in ways that allegedly rival the capabilities of controversial phone-tracking equipment like the Stingray.
In a statement to The Daily Beast, BART said its app was not using the technology inappropriately.
“We want to make clear we are not using ELERTS system for any other purpose than responding to security and safety reports made by our riders,” BART spokesperson Alicia Trost said of the app. She said the app’s location-tracking services were opt-in. “BART does not use ELERTS system to randomly track users. An app’s user location information is only available if the user selects the option to share their location information. And then, BART only receives the user’s location when the user is reporting an incident. There is no default setting—the user needs to agree. For all users, sharing their contact information and location information is optional.”
But immediately upon installation, the BART Watch app opens a popup window with a “location required” message prompting users to enable location tracking. The app also repeatedly prompts users to enter their full name, email, and phone number, although this information is optional, the app notes.
Even without submitting their name, users might be handing over more information than they realize, Edelson PC, a law firm specializing in digital privacy rights, alleges in the lawsuit. The firm claims to have discovered proof that the BART Watch app collects phones’ International Mobile Equipment Identity (IMEI) numbers, which function as a device’s unique fingerprint, and uses the numbers “to periodically track their [users’] locations,” their lawsuit alleges.
Transit apps do not typically collect IMEIs, and Google’s “#1” rule for app developers is to “avoid using hardware identifiers” like IMEIs, the lawsuit notes.
Using phones’ unique fingerprints, developers “also programmed the App to periodically transmit each transit user’s clientid and precise location information to their servers,” the lawsuit claims, highlighting sections of the app’s code that purportedly show the app sending users’ coordinates to BART servers. The app allegedly transmits users’ locations and unique IDs to police even when they select an option that allows them to file an “anonymous” police report.
That’s troubling news for the tens of thousands of Californians who have downloaded the app. Even if users do not input their name or phone number, the app still gives authorities snooping services comparable to those of controversial devices like Stingray, a phone-tracking machine that reveals nearby phones’ unique fingerprints, the lawsuit alleges.
Chris Conley, a policy attorney focusing on technology and civil liberties at the ACLU of Northern California, said the lawsuit’s claims were alarming, although the ACLU has not independently verified them.
“It would be very concerning if the government were collecting unique IDs for devices that people carry everywhere,” Conley told The Daily Beast, adding that even a GPS tracker can reveal a trove of private information. “Location can tell you a lot about a person,” including their political affiliation, sexual orientation, and relationship status, Conley said.
And if users input their personal information, the app could be used in conjunction with Stingrays to create an even larger database of Californians’ personal information.
“Defendants have amassed a trove of data through the App. BART, or any of the agencies it shares resources with, now have the ability to match previous nondescript numerical identifiers with personally identifying information,” the suit alleges.
“Operators of Stingray devices would normally see only unique cellular identifiers without any other personally identifiable information associated (e.g., name or email) with the numbers. But by collecting tens of thousands of IMEIs along with other identifying information, it is possible to deanonymize that data.”
BART said fears of the system being used alongside a Stingray were unfounded.
“It is also worth noting, since it is referenced in the lawsuit, that BART does not have a Stingray system,” Trost said. But while the transit authority does not own a Stingray, the San Francisco and Oakland police departments have both owned the controversial device for years, Sacramento’s ABC 10 revealed in a 2014 report. BART serves both cities.
BART referred all technical questions about the app to its developer, ELERTS, which did not return The Daily Beast’s request for comment on Tuesday.