It is always a bit unsettling when dubious activities of leading companies are unveiled. This effect is magnified when company executives take a defensive stance instead of explaining questionable actions and policies. The privacy scandal of Pathao from last November has left its residue in the average person’s mind. The revelation that the Pathao app copies private data from customers’ phones provoked both the inherent distrust people have of such technology and newfound suspicion about the company’s motives.
The subsequent vague responses from Pathao’s social media page and its Vice President didn’t do much to help the case they were trying to make. Customer feedback amounted to demands to boycott the product, and it is safe to say Pathao hasn’t really come out of the event with as polished an image as they’d like.
One oopsie to the other
The ensuing attempts by Pathao at ameliorating the damage done weren’t exactly astute. The reason the scandal happened in the first place was that Pathao couldn’t respond appropriately to the accuser. It was one person who unearthed the bones in their closet, one person swinging like a pendulum between self-interest and public wellbeing. Pathao pushed him over the edge by threatening him with dubious legal action.
This resulted in the guy going public with information that was later corroborated by news portals and security experts. An update was made to the app that allegedly doesn’t steal your data anymore. But if anyone is still using the previous version of the app, we’re afraid your data are still being copied to Pathao servers.
The Bug Bounty Program
It seemed like Pathao would simply wait for the negative attention to die down, as people would resort to the service anyway. But on February 12th, they did something worth noting.
Pathao introduced a bug bounty program, challenging researchers from all over the world to find bugs in the app and report them for unspecified rewards that are “not only monetary”, as written in the PathaoEngineering article on Medium.
Such programs are always welcome. It’s reassuring to see companies being confident about the integrity of their technology. And such programs are commonplace for many other prominent companies.
What struck me is that in the very first paragraph, the case was made in the context of security breaches at prominent developers and their platforms. I just want to point out that Pathao can’t exactly claim the high ground when the context of the discussion is internet security.
Moreover, the issue we had with Pathao’s security system was never attributed to a bug, a mistake in their algorithm. Their security breach issues were seemingly very deliberate in nature. No one from Pathao stated that copying user data was a mistake or the result of a vulnerability in the system of the app. Attempts were made instead to justify the act. So, my raised eyebrow at this news might not be completely attributable to cynicism.
Not sure how to feel about this
Pathao has had its fair share of blunders. Even today, Pathao riders are more willing to deal with desperate customers directly than use the app as they should. And Pathao hasn’t really done much to mitigate situations like that.