A new report has found that Uber gathers more user data than almost any other ride-hailing app worldwide. For IRL, Dylan Reeve explores what this means, and how worried it should make us.
Recently, VPN company Surfshark published a blog post titled ‘The most data-hungry ride-hailing and taxi apps’, in which it looked at popular taxi-style apps worldwide, like Uber and Ola, and ranked them based on an assessment of their privacy impact.
“Ride-hailing has become completely digital over the last decade,” the blog post reported. “And it’s not just money we pay for this convenience, but it’s also our data.”
The study ranked 30 applications from around the world according to the “data sensitivity index” the researchers created. The highest (worst) scoring was GrabTaxi, an app widely used in Singapore and Vietnam, with 114; of the services available in New Zealand, Uber scored highest with 80 points, followed by Ola with 52.8 and Didi with 38.4.
New Zealand’s other major ridesharing provider, Zoomy, was not included in the Surfshark study, but using the framework provided with the research, The Spinoff calculated a score of 31 for Zoomy’s iPhone app.
But are these numbers useful, and what are they really measuring?
What Surfshark has done seems unique: they gathered privacy data from the Apple App Store for each of a number of rideshare apps and created a formula to measure the privacy impact for each one. The data comes from application privacy disclosures that have to be made by software developers who are making apps for Apple devices, and data points are broken into three categories: data used to track you; data linked to you and data not linked to you.
Surfshark uses a pretty simplistic formula: for each of the 32 data points Apple potentially provides details about, they allocated three points for each time it showed up in the “data used to track you” category, two points for “data linked to you” and one point for “data not linked to you”. Add all those up and you get a total. Then, to account for the added privacy implications of sharing your info, they add a 20% penalty for companies that say they share your data with third-party advertisers.
It can all seem pretty daunting and worrisome, and when you see the details laid out, it can be hard to imagine just what a glorified taxi service needs with any of it. In the old days, we called a number and a car turned up. If things went well, the sum total of our communication with the driver was just saying where we were going. So why does Uber collect so much data?
Privacy advocate and NZ Council of Civil Liberties spokesperson Thomas Beagle points out that New Zealand’s Privacy Act contains the principle that companies should only be able to collect the data that they need to use the service offered by the company. “I support the practice of collecting just enough data and no more,” he said. “If companies are failing to do so, we need to look at ways of enforcing the law.”
But who’s to say how much data a company needs in order to run a modern taxicab service? Obviously they need to know who you are. And your credit card info to pay. And I suppose they need your location in order to pick you up. And where you’re going. And maybe your phone number for future contact. And maybe they want a photo of you for your profile. And their programmers probably want info about how well the app runs on your phone.
When the data points are all laid out it can seem excessive, but as you look at each one it is easy to understand what the legitimate use could be. So what does Surfshark’s study really tell us?
Well, not very much. For a start, it relies on Apple’s system of demanding information from developers and showing it to users, which doesn’t actually tell us a whole lot. Firstly, it is largely reliant on an honesty system of sorts, with developers ticking check boxes when they submit their software. Apple would probably catch any big omissions, but mostly they’re relying on what’s supplied. Secondly, as users, we can’t know what actually happens to any of that data once it’s collected: does it just sit in a big file somewhere, or are the software developers using it to build advanced profiles about our day-to-day lives?
Another limitation is that Surfshark was only able to consider the Apple versions of these apps. (At this stage, Google isn’t disclosing the same type of information for Android applications, but they’ve announced plans to implement something similar in the near future.)
The Surfshark study gives you a nice overall number, but not a clear indication of what privacy you might be giving up. Is your real name more or less “private” than your email address? In the Surfshark methodology, there is no differentiation between the sensitivity of information.
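The formula described earlier can be written out in a few lines. This added Python example (not Surfshark's or The Spinoff's code) scores two constructed privacy labels and shows why the total hides sensitivity: an app disclosing location, payment and contact data scores the same as one disclosing only diagnostics. The function name, category keys and sample labels are assumptions made for illustration.

```python
# Points per App Store privacy-label category, as described in the article.
CATEGORY_POINTS = {
    "used_to_track_you": 3,
    "linked_to_you": 2,
    "not_linked_to_you": 1,
}
AD_SHARING_PENALTY = 0.20  # applied when data goes to third-party advertisers


def sensitivity_index(label, shares_with_advertisers):
    """Score one app's privacy label.

    `label` maps a category name to the data points disclosed under it.
    A data point listed under several categories scores once per category.
    """
    unknown = set(label) - set(CATEGORY_POINTS)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    base = sum(CATEGORY_POINTS[cat] * len(set(points))
               for cat, points in label.items())
    total = base * (1 + AD_SHARING_PENALTY) if shares_with_advertisers else base
    return round(total, 1)


# Constructed sample labels (not taken from any real app's disclosure).
APP_A = {"linked_to_you": ["Precise Location", "Payment Info",
                           "Phone Number", "Contacts"]}
APP_B = {"linked_to_you": ["Crash Data", "Performance Data",
                           "Product Interaction", "Other Diagnostic Data"]}

if __name__ == "__main__":
    print("App A:", sensitivity_index(APP_A, False))
    print("App B:", sensitivity_index(APP_B, False))
    print("App A, shares with advertisers:", sensitivity_index(APP_A, True))
```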
“The privacy point-scoring system is a brave attempt at creating an index, but it’s too one-dimensional,” said Beagle. “Most importantly, there’s a big difference between a company collecting the data for itself and passing it on to others, and the 20% surcharge for data sharing doesn’t reflect that.”
All of this raises another question: what can we do about any of this, anyway? You’d assume, given the source of the research, that perhaps using a VPN might protect your privacy in these cases, but nope. Surfshark’s blog post offers no clear answers because, it seems, there aren’t any.
Almost all of the data in question is connected to information you provide when signing up to the application, or is somehow derived from your phone itself. While a VPN could disguise one or two small pieces of information, it does little to preserve your privacy from the developers of applications you’ve chosen to install.
“Most people don’t read privacy agreements, they’re not going to review app privacy settings, and even if they did, it’s not like you can negotiate for a better arrangement,” said Beagle. “If you want to use the same app your friends are using, you have to accept the deal they offer, and that’s that.”
Ultimately, we each make choices about how worried we are about our private data, and which companies we trust with it. Despite improvements from Apple, and eventually Google, we still find ourselves really having only one decision to make about protecting our privacy: use the app or don’t. Beyond that, we don’t get much say in what data our phones will give up: trusting some big company with assorted private data is the trade-off we make in exchange for carrying a super-computer in our pocket – and for getting a cheap ride across town.
Unfortunately, Surfshark’s study, while presenting a simple number to look at, doesn’t actually shed much light on the bigger picture.