Authored by Nadia Kovacs and Julie Koyano, Symantec employees
In cities around the globe, using ridesharing services has become a way of life. Just as “Google” has become a verb, so have “Uber” and “Lyft,” to name just two of the better-known ridesharing companies.
The convenience of always-available cars and drivers paired with easy-to-use apps, plus a selection of ride and pricing options, makes for a great blend of technology and transportation. However, because these services require riders’ information, such as real-time location data and a form of payment, they could pose risks to riders’ information and privacy if that information is mishandled.
Ridesharing: the good and the bad
Traditional car services like taxis have fallen in popularity¹ in part because ridesharing services offer more conveniences: instantaneous confirmation of ride requests, less-expensive rates, and typically a newer and more varied “fleet” of cars since they employ individual contracted drivers who use their personal cars.
While a popular concept, ridesharing services do have their issues, because they’re not regulated. They still need to comply with local driving regulations; however, it is still within each service’s purview to decide how to conduct background checks for applicants or what type of insurance is needed. Luckily, there’s a human “safety check” system that a lot of these companies use. Each rider can rate their driver, and the driver can rate the passengers in the same manner. If a driver falls below a certain rating, they are unable to drive for the company.
What types of data do ridesharing companies collect?
Ridesharing services like Uber and Lyft rely on GPS-enabled smartphones, since their apps need to know the location of both drivers and ride requestors. However, if riders don’t turn off location access after completing their rides, the app could potentially track and collect data around the clock on where the user is, where they go, and, sometimes, even how long they stay there.
In addition to location data, a lot of these services require the user to link to a social networking account, usually Facebook, as a way of verifying identity. By doing so, the user then grants that company access to the personal information that is in their Facebook account.
These services are also cashless, so in order to use them, the user must store a valid credit card in their account.
What can be done with your data?
How’s this for a cautionary tale? A ridesharing company once had a launch party in a new city where they displayed in real time the full names and destinations of their riders. Luckily, nothing but some extreme heat from the press came from that privacy gaffe. But it did raise the issue of how these ridesharing companies store, handle, and even safeguard riders’ privacy.
Data breaches are increasing as cybercriminals find company databases to be treasure houses of personal information. These breaches can happen during the transmission of this data or even through third parties once they receive the data. In 2015, Uber suffered one such data breach that exposed the personal information of 50,000 drivers.²
Before you install that app …
No two companies are alike, and ridesharing services are no exception. Before you commit to choosing a company by installing their app, follow these suggestions:
- Research each company for any online reviews or news stories about them to get a better sense of the company charter, culture, attitudes, and any worrisome issues that customers may be discussing.
Data and privacy shouldn’t be mutually exclusive
In today’s technology-driven world, data collection, privacy, and protection should be at the forefront of everyone’s minds, from consumer to developer. We now live in a world where the paradigm has shifted from bank robberies to data breaches, simply because all of our personal information can be easily accessed in one place from companies that store that data. Uber, for one, is beginning to address this issue.
On July 13, 2017, Uber released an open-source differential privacy tool nicknamed Elastic Sensitivity. Differential privacy means that the identity of individuals is stripped out of user data before it is analyzed, helping to anonymize and protect a person’s privacy. Uber’s new tool alerts their data analysts of the likely privacy implications of any queries they make on Uber data before it can be analyzed.³
Until all companies, ridesharing or otherwise, are held accountable for how they collect, store, and protect our data, responsibility ultimately falls to consumers to be aware of the companies they conduct business with and to be diligent, educated, and aware of how their data is handled when using services and apps.