CONCEPT Cited by 1 source
Ephemeral sensitive data
Definition
Ephemeral sensitive data is information that is (a) provided by the user at runtime for a specific interaction, (b) sensitive enough that durable storage materially raises the breach surface, and (c) not needed after the interaction completes — so the system deliberately scopes its lifetime to the interaction and destroys it afterwards.
Canonical controls for ephemeral sensitive data:
- Never persist beyond the interaction scope — "trip", "session", "transaction" — and delete at end of scope.
- Audience-of-one — only the single counterparty that needs it can read it.
- User-controlled visibility — the user can see what was shared and revoke it at any time.
- Anti-exfiltration hardening — e.g. block screenshots on screens that render the data.
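The first three controls can be enforced server-side by one small component. The sketch below is an added example, not Lyft's code or anything from the cited write-up; `ScopedSecretStore`, its method names and the sample IDs are hypothetical. It assumes one value per scope and adds a maximum TTL as a fail-safe that is an assumption of this example; screenshot blocking is a client-side control and is not shown.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    owner_id: str      # user who supplied the value (may view and revoke)
    reader_id: str     # the single counterparty allowed to read it
    value: str
    expires_at: float  # fail-safe bound (assumption) if end_scope() never runs


class ScopedSecretStore:
    """Hypothetical store: process memory only, nothing written to disk."""

    def __init__(self, max_ttl_seconds=3600.0, clock=time.monotonic):
        self._entries = {}  # scope_id -> Entry
        self._max_ttl = max_ttl_seconds
        self._clock = clock

    def share(self, scope_id, owner_id, reader_id, value):
        expires = self._clock() + self._max_ttl
        self._entries[scope_id] = Entry(owner_id, reader_id, value, expires)

    def _live(self, scope_id):
        entry = self._entries.get(scope_id)
        if entry is not None and self._clock() >= entry.expires_at:
            del self._entries[scope_id]  # expired: destroy on first touch
            return None
        return entry

    def read(self, scope_id, caller_id):
        """Return the value to the owner or the one reader, else None.
        Missing, expired and unauthorized all look the same to the caller."""
        entry = self._live(scope_id)
        if entry is None or caller_id not in (entry.owner_id, entry.reader_id):
            return None
        return entry.value

    def revoke(self, scope_id, caller_id):
        """Owner-only delete, available at any time after sharing."""
        entry = self._live(scope_id)
        if entry is None or caller_id != entry.owner_id:
            return False
        del self._entries[scope_id]
        return True

    def end_scope(self, scope_id):
        """Call when the interaction completes; idempotent."""
        self._entries.pop(scope_id, None)
```

Injecting `clock` lets tests advance time deterministically to exercise the expiry path.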
Canonical instance: Lyft gate codes
Lyft's 2026-04-23 write-up codifies the full set of controls for gate codes:
"We also know that sharing a gate code feels more sensitive than sharing a pickup pin — it's access to where you live, and your privacy is important to us. So we built in privacy controls that let you view or delete your instructions at any time after sharing. Gate codes are never stored between trips, and only your matched driver ever sees them on their navigation screen on their way to pick you up. To further ensure your gate codes stay protected, we implemented safeguards to prevent screenshots."
Mapping the controls:
| Control | Lyft's implementation |
|---|---|
| Interaction-scoped lifetime | Not stored between trips. |
| Audience of one | Only the matched driver on this trip. |
| User-controlled visibility | Rider can view or delete at any time after sharing. |
| Anti-exfiltration | Screenshots blocked on the driver's banner. |
Why this shape matters
The typical alternative is to persist the gate code as a user preference: "remember this for future trips at this community". That is a different shape with a different threat model: if Lyft's rider-profile store is compromised, gate codes leak. Ephemeral per-trip storage trades user convenience (re-entry every trip) for a strictly smaller breach surface.
Lyft explicitly flags that the non-sensitive kind of gate instruction (e.g. "call apt building concierge") might move to persistent rider-scoped storage in future work — but the sensitive codes stay ephemeral. The concept split — persistent preferences vs ephemeral sensitive data — is the critical design move.
Seen in
- sources/2026-04-23-lyft-smarter-pickup-experience-for-gated-communities — first wiki instance; gate codes as ephemeral sensitive data.
Related
- patterns/ephemeral-per-trip-sensitive-input — the implementing pattern (including screenshot prevention as hardening).
- concepts/gated-community-pickup — the originating problem.
- systems/lyft-rider-app
- companies/lyft