Popular ride-sharing mobile application Uber was recently made to pay a $20,000 fine in New York, following a 14-month investigation into a 2014 incident that exposed information that included names and license numbers of over 50,000 present and former drivers. Uber Technologies, Inc., the billion-dollar startup behind the app, also received flak after it was found that the app could snoop on its riders’ locations without consent.
“We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees’ private information,” Atty. General Schneiderman noted. “This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle.”
Aside from the penalty for not disclosing the September 2014 breach to involved parties and the Attorney General’s office, the settlement also served as an edict for Uber to revamp and bolster its controversial data privacy and security measures. Under the agreement, Uber was mandated “to encrypt rider geo-location information, adopt multi-factor authentication that would be required before any employee could access especially sensitive rider personal information, as well as other leading data security practices.”
Around the same time the probe commenced in November 2014, Uber spokesperson Natalia Montalvo noted in a memo, “Our business depends on the trust of the millions of riders and drivers who use Uber. The trip history of our riders is important information and we understand that we must treat it carefully and with respect, protecting it from unauthorized access.” This was in reference to the debate on the “unlawful” existence of their “God view” tool, an aerial tracking system that collected and displayed personal information of its consumers.
You download, they collect: Privacy in mobile apps
Uber has grown by leaps and bounds since it started in 2010. Now, the app is readily available in over 300 cities in 60 countries, and is downloaded and used by 8 million people. The company estimates that one million rides are booked through the app on a daily basis. Interestingly, earlier this month, reports said that San Francisco’s largest taxi company, Yellow Cab Co-Op, is close to filing for bankruptcy given the challenges that sprang from tech-based rivals like Uber and Lyft. With the app’s reach and rapid growth, it is safe to say that issues like data privacy are becoming a major concern.
In mid-2015, a study showed how smartphone adoption has grown on a global scale. The number of smartphone users has surpassed the 2 billion mark, with a projected number of mobile app downloads close to 200 billion. Given these massive figures, it’s no longer surprising that mobile apps have become a new frontier for cybercrime, and we’re now at a point where cybercrime isn’t limited to the usual malware and different scams anymore. The more alarming issue at hand is how users have willingly become accomplices to abuse, especially when it comes to data privacy.
Mobile advertising has made it possible to download a lot of popular apps for free. Unfortunately, it’s often at the expense of the user who clicks “yes” in order to use their desired apps. Free mobile apps usually have ad libraries where data collected from using the app is stored. Often, this information, which includes contact lists and location, is shared with third parties to enable delivery of targeted ads.
On Android devices, “Permissions” is where app developers outline the kind of personal information their apps get from their users, as well as the methods by which they get this information. The user grants these permissions to make the apps function properly. In turn, these apps gain insight into the user’s device from browsing behavior, media use, social media habits, and personal networks.
Data unknowingly collected by mobile apps from their users is one thing. But becoming willing victims is a different story. According to a report done by Pew Research Center, 6 out of 10 smartphone app users choose not to install apps because of concerns about the sharing of personal information. In a separate study by the Global Privacy Enforcement, a majority of the 1,211 popular apps reviewed requested too many permissions from their users without comprehensively explaining how the app—or the company behind it—collects and uses personal information.
Guarding your own data
The fact that not everyone is aware of—or is willing to find out—the conditions stipulated in the permissions of apps before they allow access is a cause for concern among security and privacy advocates. PrivacyGrade.org aims to raise awareness about the data that users allow their apps to take. The site gives corresponding grades to apps from social networks (Facebook, Instagram), to entertainment and games (YouTube, Fruit Ninja).
Tools and support in safeguarding privacy are available, but developing your own security mindset to stay safe from privacy threats is key. This involves an active search for information before clicking “Accept” on every app you download. Neglecting the little things like checking the permissions or data an app requires could have huge repercussions.
Being informed and aware is the best defense against privacy abuse. Go through the conditions shared by the developers before you willingly accept them. These could be traps set up to make you a victim. Finally, see if the app has an “opt out” button, or options to select which data you would not like these apps to access.