The Need for Speed: When Apps Inspire Dangerous Behavior

Photo for ISLAT 1-croppedBy Nadia Daneshvar

Mobile apps may be designed with good intentions, but what happens when those aims lead to dangerous user behavior? This is the case for Strava, a popular cycling app whose promotion of speed led to deadly consequences and spurred new questions regarding the responsibilities of app developers.

Strava lets users record cycling data using a smartphone or GPS device and upload that information to track, analyze, and share with friends or the public. The app records where cyclists rode and how long and how fast they rode. It then compares a user’s times with personal records as well as the fastest times of other users.

The app also tracks a cyclist’s performance on “segments”—any stretch of road, path, or trail mapped out by a user for the purpose of a multiplayer competition of who can go the fastest, whether up a hill, down the street, or on a descent. Strava compares each user’s times on a particular segment to the times of everyone else who has ridden it before and uploaded the data to the app. The fastest riders are given the title “King of the Mountain” (“KOM”) or “Queen of the Mountain” (“QOM”).

Although the app may record data virtually, the cycling and decisions of users are very much in the real world. A Strava employee admitted that Strava does not account for safety, danger, stop signs, speed limits, or the fact that in order to beat certain KOM records, users would have to break the law. But, after at least three people have died in incidents related to the Strava app, perhaps we should expect Strava app developers to account for such factors, adjusting app design to comply with the realities—including the laws and regulations—of the real world.

On June 19, 2010, William “Kim” Flint, Jr., an avid Strava user, died after he hit an SUV while speeding downhill on a Strava segment on South Park Drive, the steepest road in the East Bay area of San Francisco. Flint had learned that his record was taken by another rider shortly before the accident, and Flint had set out to reclaim his KOM title when he hit the car. He was going too fast to stop.

Despite this incident, in 2012 Strava began fueling even more competition, sending alerts notifying users that their record was broken: “Uh oh! [another Strava user] just stole your KOM….Better get out there and show them who’s boss!” Since then, they changed the message to: “Uh oh! [another Strava user] just stole your KOM….Get out there, be safe and have fun!”

On March 29, 2012, Chris Bucchere was tracking himself using Strava while riding a segment known as the “Castro Bomb” when he hit and killed a pedestrian, 71-year-old Sutchi Hui, who was crossing the street with his wife. According to Bucchere, as he entered the intersection where he hit Hui, he was “way too committed to stop.” According to a witness, “he crouched down to push his body weight forward and intentionally accelerated,” milliseconds before hitting Hui. Bucchere was charged with a felony for vehicular manslaughter. He later pled guilty.

On September 18, 2014, Jason Marshall, an avid Strava user, hit and killed a pedestrian, Jill Tarlov, in Central Park as he was illegally speeding downhill in lanes reserved for pedestrians and child cyclists. According to a witness, Marshall did not stop or slow down at all, but instead yelled to Tarlov to “Get out of the way!” Hours before the accident, Marshall had recorded 32.2 miles of cycling in Central Park, with his highest speed at 35.6 MPH, which is over the 25 MPH speed limit for bikes in Central Park. Marshall had fastidiously recorded every one of his previous rides that year—yet there was no Strava record of his ride that fateful afternoon.

What can be done to avert such tragedies?

Education

Educating the general public about these tragic examples of light-hearted biking gone wrong could help reduce them. The day after Tarlov’s death, Bike Snob NYC launched a “#noStrava” hashtag on Twitter as a “gesture of respect” to Tarlov’s family, arguing that Strava shamelessly capitalizes on cyclists’ competitive inclinations.

Take away the leader board

Strava’s leaderboard is what gives rise to the spirit of competition that has arguably contributed to all of these tragedies. Furthermore, Strava’s arrangement of the cycling data on the leaderboards is problematic. As Suffolk University’s Professor Michael Rustad noted: “[I]t’s like Strava is creating a drag race. [Strava is] not just posting what third parties do—they’re organizing it…. Its [undifferentiated-skill-level] leaderboards are comparable to taking people from the bunny slopes up to the black-diamond run. Even ski trails are marked by degrees of difficulty.”

Legal action against the rider

Some might also consider taking legal action against the rider. As noted, Bucchere was charged with a vehicular manslaughter felony. Additionally, the Huis brought a civil suit against him (which was later dismissed). This approach might make riders think twice before risky riding, nudging them to consider the legal and moral consequences of their actions.

Legal action against the developer

The parents of Kim Flint filed a wrongful death suit, deciding that “enough is enough.” In the complaint, they claimed Strava was negligent, and “breached their duty of care by: (1) failing to warn cyclists competing in KOM challenge that the road conditions were not suited for racing and that it was unreasonably dangerous given those conditions; (2) failing to take adequate measures to ensure the KOM challenges took place on safe courses, and (3) encouraging dangerous behavior.” The complaint went on, “It was foreseeable that the failure to warn of dangerous conditions, take safety measures, and encourage dangerous behavior would cause Kim Flint Jr. to die since Kim Flint Jr. justifiably relied on [Strava] to host a safe challenge. Had [Strava] done the aforementioned acts, Kim Flint Jr. would not have died as he did.”

The Flints’ lawyer argued: “The danger and harm alleged in this case originates out of Strava’s own actions in…manipulating it through its designed software into leaderboards, and then using those leaderboards to encourage cyclists to race at increasingly faster speeds for awards and titles.”

Strava’s attorneys based their argument for the case’s dismissal on the principle that Flint explicitly assumed the risks implied in cycling by agreeing to Strava’s terms and conditions when he joined the network. Strava’s terms and conditions stated: “In no event shall Strava be liable to you or any third party for any direct, indirect, punitive, incidental, special or consequential damages arising out of or in any way connected with… your use of the site.” The case was eventually dismissed on these same grounds.

All three of these deaths received attention from news sources across the country, with writers and the public wondering how this could have happened. Even those changes that Strava made since the deaths in 2010 and 2012 did not fix the problem. Although the Flint case may have been dismissed, Strava has played a role in the promotion of risky and illegal behavior. But where exactly the line lies between user agency and developer responsibility remains to be determined.

Nadia Daneshvar is a former ISLAT Fellow, and is currently a second-year student at The George Washington University Law School.

Poképrivacy: Privacy and Legal Issues in Pokémon GO

Blog Photo CroppedBy Michael Goodyear

When Pokémon GO was released in the United States on July 6 it garnered 15 million downloads in just the first week. Pokémon GO has rapidly become one of the biggest apps ever. Its daily active user total has now outstripped Twitter and on current installs it has beat most other popular mobile app games. But despite its quick rise to fame, Pokémon GO has raised a series of concerns about privacy, from what permissions and personal information the app itself accesses to how the app potentially infringes on personal residences.

Pokémon GO is an augmented reality game that inserts virtual imaginary creatures, Pokémon, onto the physical world via your phone. They can appear anywhere, even on your wife’s hospital bed as she is giving birth. The goal is to catch and train Pokémon as part of one of three teams.

Privacy concerns abound with Pokémon GO, even attracting the attention of Senator Al Franken, the Ranking Member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law. The chief initial concern with Pokémon GO was that iOS users had granted “full access” to their Google accounts. While technically this could include being able to see the contents of Gmail and all other Google programs, in reality Niantic, the company that developed Pokémon GO, only accessed basic account information, such as the name of the user and their Gmail address. More than anything it was a combination of Niantic using an out-of-date version of the Google sign-in process and poor wording that led to this seemingly alarming concern. Niantic has since made an update that fixed this problem, with the app now only requesting access to basic information.

Although this problem has received by far the most press, there are other legitimate concerns about how Pokémon GO handles privacy. The app itself has access to your IP address and the most recent webpage you visited, providing some indicators about your location and habits. In addition, the app tracks your GPS location and has control over your camera. While these are essential to using the app, just consider the possible implications if some third party acquired this data. Unless Niantic’s security is ironclad, there is always the possibility that hackers could get this information and have access to your phone. And with an app as huge as Pokémon GO, hackers will definitely be on the lookout.

Others with malicious intent have already started taking advantage of the app’s security shortcomings. A function of the app is that you can create a beacon, which attracts more players and Pokémon to an area. This has been a hotbed for muggers taking advantage of unsuspecting players. Muggers have used the beacons to lure in players and rob them. Police departments from O’Fallon, Missouri to Australia have expressed their concern over the security risks the app creates, especially when players are paying so much attention to the virtual surroundings on their phone that they are not aware of their physical surroundings.

In addition to beacons created by the players, Niantic itself has created virtual Pokémon gyms, basically battle hubs for players to come and play against other teams for control over the gym and win the accompanying prestige, across the globe. Naturally this makes them fairly popular spots. For this reason, Niantic generally locates the gyms at popular sites, although this occasionally goes awry, from the controversial (Trump Tower and the Westboro Baptist Church) to the just plain dangerous (on the South Korea-North Korea border). And sometimes it even registers people’s homes as gyms. Now, it is not as though Niantic asked the permission of Donald Trump or Boon Sheridan to put a gym on their property, but of course the gym itself is a virtual entity, albeit one with very real consequences. As major draws to players, gyms can attract dozens to hundreds of people, infringing on the privacy and peace and quiet of individuals and businesses. And this brings up a host of legal trespassing issues and questions of attractive nuisances that are bound to be raised, all for the benefit of trying to catch a rare Pokémon.

So while players are battling with their captured Pokémon, they also have to be on the defensive. Mind property laws and don’t infringe on real estate, and protect your privacy and safety, or else it might be your information being captured instead of the Pokémon.

Michael Goodyear, who has a BA in History and Near Eastern Languages and Civilizations from the University of Chicago, is part of the ISLAT team.