Data privacy concerns in ridesharing: What you need to know

In today’s fast-paced world, rideshare services have taken over and become part of a new way of life. This dynamic form of transportation is the new normal in heavily populated cities and countries around the globe given it’s a convenient and cost-effective method of getting passengers from point A to B without having to actually own or rent a vehicle. While rideshares have been a highly sought-after option for short-distance travel throughout the past decade, concerns regarding the lack of user privacy and exploitation of data have also been increasing.  

What type of information do rideshare providers collect?

Practically every rideshare company gathers geographical data using location-based tracking technology to precisely identify the whereabouts of drivers and customers when pickups are requested. This form of real-time location monitoring is possible due to our GPS-enabled smartphones, but problems occur when rideshare providers mishandle or misuse their stakeholders’ information and also when customers don’t deactivate location access after using a rideshare service. Accidentally leaving your location turned on allows organizations such as Uber and Lyft to store 24/7 information on your every move, anytime and anywhere. 

Other pieces of information that rideshare providers tend to harvest include drivers’ and users’ personal data (name, address, phone number, date of birth, vehicle information, etc.) and financial data (payment information, bank routing numbers, etc.). Examples of inconspicuous data collected regularly includes details related to customer behavior (product/service purchases and online browsing histories).

The 2016 security incident that impacted rideshare giant Uber serves as an example of how individuals’ sensitive information can fall into the hands of cybercriminals in a matter of seconds. Even though Uber was convinced their data was safe, hackers gained access to thousands of driver's license numbers, email addresses, and names in Uber’s cloud-storage system after finding credentials embedded within code that was uploaded to a public site by the firm’s employees. 

To make matters worse, the company didn’t acknowledge the breach right away. Instead, Uber made a $100,000 payment requesting that the attackers delete the data and stop the situation from being revealed publicly. Exposure of the credentials could have been easily avoided, but this incident shows how effortlessly vast amounts of private details can be stolen without proper data protection measures in place. 

What is done with our data? 

Although many rideshare firms gather information for research and development purposes, they also reserve the right to sell or share data as long as it’s listed in their company’s privacy policy, unless the user specifically chooses to opt-out. While this may help reduce the risk of personal information being exposed, a majority of users neglect their data privacy when using rideshare services because opting out requires extra navigation through an app to get to the settings page, a task that seems like a hassle for many. 

Rideshare providers typically sell or share information with third parties or company partners who then use the data to enable personalized, targeted advertising through different mediums, including apps and websites. In some instances, information can be stored even if an account is deleted unless you submit a written request asking the business not to do so. Recently, online privacy laws have been established to better protect consumers from excessive information-sharing, but such regulations only apply to a limited number of U.S. states.

Here's an interesting yet alarming story on how one leading rideshare provider made wrongful use of its customers’ information. Back in 2011, a rideshare company hosted an exclusive launch party in which they displayed the names, locations, and destinations of 30 riders within the city in real-time. This was meant to be a demonstration of how the firm can track the whereabouts of its users in an anonymized manner, except the data that they exposed was entirely identifiable. The intentional act received some criticism from the media after it was disclosed publicly, but it raises concerns about how some organizations would deliberately risk their users’ privacy and lose their trust. 

What boundaries are being set by rideshare providers to secure users’ information?

Over the past few years, some rideshare firms have implemented differential privacy policies, an approach that anonymizes aggregated data when it’s used for statistical analysis so that the privacy of individuals can’t be breached. As more organizations in the rideshare space adopt formal privacy frameworks such as differential privacy, these changes should help limit concerns about information sharing and selling, especially as the use of rideshares continues to rise. 

How to best protect yourself/your identity 

Before choosing a rideshare service, some proactive steps to consider taking to protect your information include reviewing the company’s privacy center/policy and researching different corporations to get background information on their past activities. Assessing a business’s privacy page can help users determine the types of data the firm might collect and how they intend to use it. Doing research on each company can also help reveal past or current issues that may be worth considering prior to selecting a rideshare provider.

Once you’ve started ridesharing, revisit your account on the provider’s app or website to adjust your privacy settings. In many cases, there’s an option to opt out of having your data shared with third parties, and you may also be able to modify your preferences so that your driver is unable to view an address after a trip has concluded which further limits the spread of personal information. 

Until the entire rideshare industry can ensure proper collection and storage of personal information, absolute trust between firms and customers won’t exist, but the least that users can do is learn best practices for adequately protecting their data.