The sharing economy has revolutionized the ways we do everything from how we get home from the bar to where we stay on vacation. But a new study shows there's a secret risk to this app-enabled world.
A report released on Thursday by the Electronic Frontier Foundation (EFF) found that people who've jumped on the sharing-economy bandwagon might want to think twice about which companies they entrust with their private data.
The EFF's “Who Has Your Back?” report analyzes how sharing-economy companies, including Lyft, Uber, and Airbnb, handle government requests for user data. The goal of the report is to both inform users about which companies actively work to keep their data private and pushing these firms to do better.
The report looked at 10 sharing-economy companies—vacation rental providers Airbnb, FlipKey, and VRBO, ride-hailing apps Uber, Lyft, and GetAround, on-demand delivery services Postmates and TaskRabbit, as well as the car-sharing service Turo.
The EFF rated each of the companies in six categories ranging from requiring law enforcement officials provide a warrant before handing over users' personal or location data to informing users when government officials access their data (when they are legally allowed to do so).
The companies were also judged on whether their annual transparency reports—if they release them at all—disclose the overall volume of government data requests they receive, and if they actively lobby lawmakers for stronger online privacy protections.
The results, by and large, were not encouraging.Uber and Lyft were the only two companies to get a perfect score. Half of the companies surveyed didn't earn a single star.
The reason for these low rankings, explained the report's author, EFF Senior Staff Attorney Nate Cardozo, is that these sorts of issues are ones sharing-economy firms largely haven't spent much time thinking about.
“The thing that stood out the most [to me] is that this industry is pretty immature,” Cardozo said. “A number of the companies are still of the mindset that if they bury their head in the sand and pretend there's no such thing as law enforcement, law enforcement will do them the same favor and not come knocking.”
The Daily Dot named Cardozo one of the “heroes who saved the Internet in 2015” because the Who Has Your Back? report, which the San Francisco-based digital-rights group has issued every year since 2011, pushes companies to update their privacy policies to achieve better scores. The EFF works with companies to craft polices to ensure that user privacy is protected whenever possible.
That coordination, along with broader cultural shifts in the tech industry, is visible in the reports over time. The first Who Has Your Back report—which featured tech giants like Google, Microsoft and Facebook—was a sea of empty spaces where stars could be.By 2015, however, most of the companies included in the report were doing most of the things EFF hoped they would be doing. Since advocacy is an important part of the report's overall mission, the EFF decided to switch focus to sharing-economy firms, which it suspected hadn't put many of the same policies in place. In addition, the type of user data collected by the companies evaluated in this year's report is especially sensitive.
“With companies like Uber, and even companies like TaskRabbit or InstaCart, or certainly companies like Airbnb, the type of information they have—where you are, where you sleep, what you buy—those types of information are really sensitive,” Cardozo said. “We all sort of intuitively know that law enforcement is going to be requesting that type of data from the companies that have it.”
While companies cannot avoid requests from law enforcement, they can take steps to protect their users from audacious requests.
“Uber can demand, not just any legal process, but ... a full search warrant based on probably cause,” Cardozo said. “Airbnb can refuse to turn its app into a GPS tracking device unless they're served with a warrant. It's those sort of protections that who has your back is designed to both monitor and encourage.”
It's likely not a coincidence that Uber and Lyft are the only companies that received perfect scores. While many of the other sharing-economy firms may have not given considerable thought to systematizing the way they deal with government, the two leading ride-hailing apps have sophisticated and comprehensive public-policy operations.
Uber's government-relations effort is run by David Plouffe, who managed Barack Obama's 2008 presidential election campaign. As such, the company understands that gaining a reputation as a responsible steward of user data can differentiate it from competitors. However, Uber has a long way to go on that front.
Following a series of high-profile scandals surrounding privacy, such as a “God view” feature that allowed Uber employees to see the location of everyone in a given city that has the Uber app installed on their smartphone, the company's reputation on privacy isn't exactly sterling. According to a survey conducted by Morning Consult, only 18 percent of respondents were confident in Uber's ability to keep their personal information and data secure. For reference, that's 19 points lower than Home Depot's score on the same question—and Home Depot was the victim of the one of the largest data breaches in history.
While Uber is ahead of the curve among their sharing-economy brethren, it should be noted that Uber, like Lyft, issued its transparency report after being contacted by the EFF about the lack of doing so in the past.
Cardozo said that releasing a transparency report, which showed the company disclosing data to the government on up to 1.6 million riders, allowed Uber to frame the disclosure as “the government is demanding Uber turn over all this data” rather than “Uber turning over all this data to the government.”
“That's the point of transparency reports,” Cardozo explained. “The point of transparency reports isn't so the company is being transparent, even though it's also that. The point of transparency reports is that the government is really bad at transparency and isn't telling us when they're coming, how often they're coming, and what they're looking for. It sucks, but we're forced to rely on the companies to tell us that information and give us that data. Uber did it. Uber's transparency report threaded that needle pretty damn well.”
The Daily Dot reached out to all five companies that received a zero-star rating on the report, but only a representative from Postmates responded.
Postmakes spokesperson April Conyers said that the company had begun to update its privacy practices well before the EFF reached out to them; however, those efforts, which would have garnered Postmakes a higher score, were not completed before the report's deadline.
“We unfortunately couldn't make their deadline, but have taken all of their recommendations as we've prepared our new policy statement,” Conyers said. “We will definitely be sharing with them, once it's final.”
If Postmates follows through, they're certainly going to have more stars on next year's report. For Cardozo, that's a big step in the right direction.