Passengers Say Commuter Rail App Illegally Collects Personal User Data

Many cities’ commuter rail systems now have apps for users to do things like buy tickets, check schedules, and receive alerts. However, users of one system’s mobile app claim it is illegally collecting sensitive information about users’ devices and location.

This is all according to a lawsuit [PDF] filed this week in federal court against San Francisco Bay Area Rapid Transit (BART) and Elerts, the developer of BART Watch, a mobile app for reporting suspicious people and activity to the BART Police.

The plaintiffs contend that BART Watch collects “unique mobile device identification numbers, including International Mobile Equipment Identity (IMEI) numbers,” even though Google’s best practices explicitly advise Android app developers to “Avoid using hardware identifiers” like IMEI.

“[B]y collecting the device identification numbers, locations, and other personal information… Defendants have amassed a trove of data through the App,” alleges the lawsuit. “BART, or any of the agencies it shares resources with, now have the ability to match previous non-descript numerical identifiers with personally identifying information.”

According to Google, the Android version of BART Watch has been installed between 10,000 and 50,000 times.

In a statement to San Francisco’s ABC7, a BART rep claims that the BART Watch app does not “randomly track users. An app’s user location information is available only if the user selects the option to share their location information… And then, BART only receives the user’s location when the user is reporting an incident.”