Uber and Lyft unintentionally sent gig workers’ SSN numbers to Meta and TikTok

Credit: Unsplash+.

When a person applies to work for Uber or Lyft they must fill out several online forms detailing important information, including their date of birth and their driver’s license.

Applicants must also provide more sensitive information such as their Social Security number.

New Northeastern research has revealed that until just recently those ride-hailing companies had been unintentionally sending that data to TikTok and Meta — two of the world’s largest social media companies.

David Choffnes, a Northeastern University professor of computer sciences and cybersecurity expert, is one of several researchers who uncovered security issues with tracking pixels, which are analytics tools that follow users around the web.

Tracking pixels are small lines of code embedded in images on a site’s interface. They allow companies to see users’ behavior and collect valuable information for advertising efforts.

“Almost every website you visit these days has trackers on it,” Choffnes says. “If you ever wondered if you’ve been on Facebook or Instagram and you see ads that were very relevant to a website you were just looking at, it’s because Meta, the parent company, has trackers on a bunch of websites. They know who you are and what websites you are visiting. The same is true for TikTok. The same is true for Google, and a number of other companies in that marketplace.”

Companies like Uber and Lyft have been incentivized to add these trackers to their website because in exchange Meta, TikTok and others provide these companies with free tools that allow them to analyze their own web traffic, Choffnes explains.

What Choffnes and his colleagues uncovered was that these pixels were inadvertently collecting data from private application web forms and then sending that data directly to Meta and TikTok.

“The issue here is that companies are deploying tracking in many cases to help with targeted ads, understanding the effectiveness of ads, and ultimately monetization. Because of the way these things are configured, often these companies are slurping up a lot of data about individuals, including stuff we put into web forms where there is no warning that says, ‘Hey, your data is also going to be sent to Facebook when you click submit.’”

Choffnes and his colleagues were able to uncover these vulnerabilities by going through the same process an interested worker would when signing up to be a driver of the services. Notably, they only discovered the issue was present when they applied using Uber or Lyft’s desktop website.

They were inspired to conduct the experiments because they were interested to see how vulnerable gig workers are when sharing their personal data to gain employment, he says.

“The larger context was looking at gig worker privacy and how that is a group of individuals that often don’t have a choice in terms of how much of this online tracking they are exposed to, so we were trying to quantify just how much of their personal data is exposed, which parties are getting it, and what kind of data is exposed,” he adds.

For Uber and Lfyt’s part, Choffnes says that when the researchers shared their findings with the companies, they quickly worked to fix the vulnerabilities.

“The word that was used in our correspondence was ‘unintentional,’” says Choffnes. “They did not intend to do this. Once they knew what the issue was, yes, it was just a configuration option. These pixels do not have to collect data from web forms,” he says.

“You can tell them not to, but it’s kind of telling that they seem to be on by default, whether it was just an oversight by someone who initially configured it for their website or whether these website owners when they sign up for these pixels are guided toward turning them on.”

Choffnes and his colleagues propose that companies should not treat worker data in the same way they handle the data of general consumers.

To apply for a job, you have to share such data as your tax ID, Social Security number, mailing address and phone number, he highlights.

“It’s much different when you’re just a consumer of that service,” he says. “If you want somebody to deliver your food, you need a credit card, an email address, and that’s it.”

However, the way things are presently configured at most websites, these companies are treating worker data and consumer data in roughly the same way.

These companies must do a much better job of implementing purpose limitation statements, he highlights, which are essentially written out statements that explicitly state how the company plans to use the data of its employees, and keep their word.

So, what can workers do to protect themselves against their personal data being shared without their consent?

In Europe, under the General Data Protection Regulation (GDPR), companies are required to set purpose limitations. However, no such rules exist in the United States, and we do not have any type of federal data privacy laws that would protect these workers, Choffnes highlights.

Choffnes stresses that more needs to be done to make these companies more accountable and transparent with their actions.

“We need more transparency and advocacy for privacy in general,” he says. “If we don’t want companies like Meta and TikTok to be gathering our personal data from web forms, we should make it illegal.

It should not be allowed without a prominent disclosure that before you hit send says, ‘Wait, I’m about to send that data to a bunch of other people too. Are you OK with that?’

Even then that sounds pretty terrible, and maybe it shouldn’t happen at all.”

Written by Cesareo Contreras/Northeastern University.