Using Ride-Sharing Services Invites Many Privacy Perils

By Tammy Joyner

Cyber-hail an Uber or Lyft ride and you enter an unchecked digital world that knows your whereabouts and much of your personal life.

Ride-share services use cellphones, GPS, credit and debit cards — founts of personal information.

They can sell that information if they choose, with your authorization (Hint: read the fine print) — and there’s little you can do about it, experts say.

“Any company that has your data, we’re pretty much at their mercy,” Steve Lasky, a corporate security and risk expert in Alpharetta, Ga., told Digital Privacy News. “Data and information are power. It’s like catnip.”

People don’t realize how much information they unwittingly hand over when they ride-share, said digital government expert Beatriz Botero.

“These types of companies are relatively serious about the privacy of their users,” said Botero, a fellow at the Berkman Klein Center for Internet & Society at Harvard University.

“The problem is when you sign up, you typically authorize them to know where you go — and they have your credit cards.”

Uber Commands Market

The ride-sharing market is dominated by Uber Technologies Inc., which has 69% of the $56 billion market, according to Second Measure, which tracks consumer data. Uber posted nearly $13 billion in net revenue last year.

But Lyft is grabbing more of the market. The company projected 2019 net revenue of about $3.5 billion and now accounts for 30% of the market, data-analyzer Statista reports.

Both companies are based in San Francisco.

Safeguarding Your Privacy

  • Before using a rideshare service, read online reviews and news articles about the company.
  • Check the privacy notice. It should explain what the company plans to do with your data, how that data is transmitted, saved and stored and how it plans to transmit it to third parties.
  • Close the rideshare app when you’re not using it. If you don’t turn off the app, the company can track your whereabouts for hours, days — even weeks.
  • Check your smartphone’s settings and make sure location access is disabled. Enable it only while you are using the app.
  • Don’t use a social media site to sign up or access ride-share companies. Doing so gives them access to your social media data. Any third party that buys data from a ride-share firm also has access to your information. 

Sources: Beatriz Botero, Dan Dunkel and Steve Lasky.

Uber insists customers have more oversight regarding their data than they think. 

“Some data is required in order to provide the service, but riders have control over what they share,” Melanie Ensign, Uber’s global head of security, privacy and engineering communications, told Digital Privacy News.

“We can’t send a car to you unless you tell us where to send it, but you don’t have to share GPS data from your phone,” she added. “You can type in a cross street or landmark.”

Lyft’s Data-Collection Policy

A Lyft spokesman said it collected rider data to “improve people’s lives with the world’s best transportation.”

That includes “your identity (so we know who you are), payment information (so we can charge riders properly and pay drivers) and location (so we can enable pickups [and] understand ride routes),” the spokesman said.

Both companies insisted that they do not sell customers’ personal data, though their privacy policies allow them to “share” the information with law enforcement and government agencies when legally required.

“We do not sell user data to anyone,” Uber’s Ensign said, noting that the company has an automated process for deleting customers’ accounts and personal data in its app and online.

The Lyft spokesman told Digital Privacy News that it shares “some” personal information “with third-party services that help power our business,” including data centers to store information and “background-check providers to run checks on drivers.”

What Uber Collects

If you venture down the rabbit hole of Uber’s privacy notice, you’ll find it ends up knowing more about you than your best friend does.

It’s a laundry list of your life: your name, email, phone number, username, password, address, bank details including your check, driver’s license, birthday, signature, and photo.

Once the Uber app is open and on your mobile device’s screen, Uber knows your location. (If you don’t want that data collected, manually enter your starting point.)

Other tidbits: Services you request, order details, delivery information, date and time the service was provided, the amount charged, distance traveled and payment methods.

Also collected: date and time of access, functions of the app or pages viewed, browsers, and sites or services from a third party used before interacting with Uber’s services.

Auditing Programs Watch Employees

To deter internal theft, Lyft and Uber last year installed auditing programs to warn employees they’re being monitored if they look at customers’ personal data, Lasky noted.

Despite the various security efforts, these companies have not been immune to breaches. Hackers hit Uber in 2016, exposing millions of customers’ data.

Driver phones can be hacked, too, but Uber said a hacked phone could not divulge riders’ information, since operators only see the first names of their customers.

They also can only see the general pickup and drop-off locations on their phones once the ride is completed, which also is effective when devices are compromised, Ensign said.

Outside of California’s Consumer Privacy Act, which took effect in January, consumers have little recourse against ride-sharing companies’ data-collecting, experts say. 

“Protecting your privacy and data,” Lasky warned, “is going to come down to the consumer.”

Tammy Joyner is an Atlanta-based writer.