criticbrazerzkidai.blogg.se - Old version anonymizer universal

On every request, the API provides a response containing different, randomly generated IDs.

ID rotation in this context means that we retire the old ID after each trip and use a new one – a somewhat similar meaning that cryptographic key rotation has.

How can you protect against this? As mentioned above, GBFS says the ID “MUST be rotated to a random string after each trip” and the ID “SHOULD only be rotated once per trip”. Otherwise, it could be used for unintentional purposes. An organization with healthy data protection policies must ensure not to publish any sensitive data. When working with public APIs, the data is freely available on the internet, without consideration of the usage. After scooter2 disappears, one can search for its ID later to see the person’s location. Let’s say there are two scooters nearby: ID scooter1 and ID scooter2. Imagine a scenario where you want to track what your child is doing in the afternoon – are they visiting the library, or are they going out with friends? In reality, this makes vehicle IDs sensitive data, because they can be used to track users, even though data about vehicles that are rented is not published on the API. On subsequent requests, one may be able to match the entity’s data to their previously seen versions. Generally, Bike IDs, our vehicle IDs, and all universal IDs are used to uniquely identify an entity. Use of persistent vehicle IDs poses a threat to user privacy. MUST be rotated to a random string after each trip to protect user privacy (as of v2.0). Nevertheless, if you read the standard carefully the following is noted for bike_id:

What is the problem?Īny time you implement a public-facing API, on top of making sure it stays available and protected from overuse and abuse, the critical questions to consider are: whether you’re publishing user data and whether you’re protecting that data properly.Īt first glance, the GBFS standard doesn’t have any user data, since it’s only sharing information about vehicles. In our use case, the most important feature is sharing our vehicles’ (electrical scooters, bikes and mopeds) location data. GBFS is a standard created for sharing the micromobility system information on public APIs. The Data sharing team within TIER takes care of multiple integrations and APIs, one of which is an API that implements the General Bikeshare Feed Specification ( GBFS). In this blog post we raise our concerns about public-facing APIs and ways to address them. We need to ensure that integrations we make are safe and secure, the same applies to API implementations. One of our goals is to prevent any kind of information leak and data breach.