-
Share this story
-
Copy Link
Link Copied! -
Email
-
Facebook
-
LinkedIn
-
Twitter
-
WhatsApp
-
Reddit
Recent research conducted by Northeastern University has exposed significant security vulnerabilities faced by gig workers applying for driving positions with popular ride-hailing services, Uber and Lyft. The study, which was published after extensive research, highlights alarming flaws in how personal data is handled during the application process.
As part of the application process for either service, candidates are required to submit a variety of important personal details, including their date of birth, driver’s license information, and particularly sensitive data such as their Social Security number—crucial for background checks that these companies conduct.
This compelling study from Northeastern unearthed the concerning fact that, until recently, both Uber and Lyft were unintentionally transmitting this highly sensitive information directly to TikTok and Meta, two of the world’s largest social media platforms.
David Choffnes, a Northeastern University professor specializing in computer sciences and cybersecurity, played a pivotal role in uncovering these risky oversights. Along with his team, he examined how tracking pixels—small snippets of code embedded in web interfaces—were inadvertently siphoning off applicant data.
Tracking pixels serve as analytics tools that meticulously monitor user behavior across different websites, enabling corporations to collect advertising and consumer insight data. “Almost every website you visit these days has trackers on it,” says Choffnes. “Whenever users notice targeted ads on platforms like Facebook or Instagram that relate closely to their recent online activity, it’s due to these clandestine tracking mechanisms embedded in various sites.”
These tracking mechanisms are appealing to Uber and Lyft because they provide free analytical tools in exchange, which helps these companies to improve their understanding of website traffic and user patterns.
However, what emerged from Choffnes’ research was particularly alarming: these pixels were inadvertently capturing data from confidential application forms and forwarding that information directly to Meta and TikTok. “The real concern lies in how companies implement these trackers; they are often utilized for targeted advertising and boosting revenue, but the configurations can lead to the unintended collection of sensitive personal information without proper user warnings,” he explains.
To validate their findings, Choffnes and his colleagues replicated the application process as potential gig workers, a method that dramatically highlighted the vulnerabilities in the system, especially when using the desktop versions of the Uber and Lyft websites.
Driven by an interest in the privacy risks that gig workers face while providing their personal data in hopes of employment, their investigative efforts aimed to quantify how exposed these individuals are, who accesses this information, and the types of personal data that are leaked in the process.
When the researchers disclosed their findings to Uber and Lyft, both companies promptly took action to remedy the vulnerabilities identified. “They characterized the data leaks as ‘unintentional,’”, Choffnes noted. “Once they were made aware of the issue, it turned out to be a mere configuration oversight, with these pixels being capable of collecting data from web forms if not properly managed.”
Choffnes emphasizes that a distinction must be made regarding how companies handle worker data compared to consumer data. The application processes for jobs often require individuals to share sensitive information, such as tax identification numbers and Social Security numbers, which is markedly different from the minimal information needed for average consumer transactions.
Despite the current setup on most websites treating worker and consumer data similarly, Choffnes advocates for a more conscientious approach, insisting companies need to craft explicit purpose limitation statements that clearly outline how employee data will be used and ensure that these commitments are honored.
In context, the absence of overarching data privacy regulations akin to the General Data Protection Regulation (GDPR) in Europe leaves many American gig workers unprotected, especially security measures adopted by their employers.
Choffnes underlines the urgent necessity for an increase in corporate accountability and transparency regarding the handling of sensitive data. “We need to advocate strongly for privacy measures,” he states emphatically, “and if we are to prevent corporations like Meta and TikTok from harvesting our personal information through such informal channels, we must establish laws that prohibit this type of behavior, mandating clear disclosures before sensitive data submissions,” he concludes.
How can companies better ensure the protection of sensitive personal information during recruitment processes, according to David Choffnes?
**Interview with David Choffnes, Northeastern University Professor and Cybersecurity Researcher**
**Editor:** Thank you for joining us today, David. Your recent study uncovered alarming security vulnerabilities in the application processes for Uber and Lyft. Could you summarize what you found?
**David Choffnes:** Thank you for having me. Our research revealed that both Uber and Lyft were unintentionally sending sensitive personal information, including Social Security numbers, directly to Meta and TikTok through tracking pixels embedded in their application websites. This process raises significant privacy concerns for gig workers whose data is being mishandled.
**Editor:** That’s quite concerning. Can you explain a bit more about what tracking pixels are and how they led to this data leak?
**David Choffnes:** Absolutely. Tracking pixels are small snippets of code used by companies to analyze user behavior on their websites, enabling them to gather insights for advertising. Unfortunately, in this case, Uber and Lyft were using these tools in a way that captured applicants’ sensitive information from their forms and transmitted it to third parties without proper consent.
**Editor:** It sounds like a complex issue. What prompted your team to examine the application process for these ride-hailing services in the first place?
**David Choffnes:** Our research was motivated by an interest in the privacy risks that gig workers face when they provide personal data to companies in hopes of employment. We wanted to quantify not only how exposed these individuals are but also to identify who has access to their data and what exactly is being shared.
**Editor:** After revealing these findings to Uber and Lyft, what kind of response did you receive from them?
**David Choffnes:** Both companies took immediate action upon being informed. They recognized the seriousness of the issue and moved quickly to address the vulnerabilities that our research highlighted. This shows a willingness to improve their data handling practices, which is crucial in protecting user privacy.
**Editor:** What do you think should be the next steps for Uber, Lyft, and other companies that handle sensitive information?
**David Choffnes:** The next step should involve a comprehensive review of their data privacy practices, especially concerning how they implement tracking mechanisms. They need to ensure that sensitive information is not being collected or transmitted without clear consent and that applicants are fully informed about how their data is used.
**Editor:** It seems like there is a critical need for greater awareness of these issues among users. How can gig workers better protect themselves when applying for jobs with these services?
**David Choffnes:** Gig workers should be vigilant when sharing personal information online. They should look for clear privacy policies, understand the implications of data sharing, and inquire about how their information will be used. It’s also important for them to advocate for transparency and robust privacy protections from these companies.
**Editor:** Thank you, David, for shedding light on this important issue. Your research is vital in helping us understand the landscape of digital privacy for gig workers.
**David Choffnes:** Thank you for the opportunity to discuss this. It’s an essential conversation that needs to continue as our reliance on digital platforms grows.
