In November, Pathao was embroiled in controversy after allegations were made against the ride-sharing company for illegal data gathering activities. One month later, the situation remains unclear.
Ashik Ishtiaque Emon, a security researcher, uploaded a viral video explaining how Pathao was misusing user data. According to the video, Pathao forwards sensitive user information to a third-party server in California and this data is updated every time you open the app. Contacts and SMS information are also collected in addition to location data.
Pathao later issued a press release clarifying that its data gathering practices were in line with international best practices of similar technology companies. They stated that they did not violate any laws to do so, nor did they plan to. However, in the press release, Pathao also insinuated that the controversy was stirred up by parties jealous of Pathao’s recent success.
Such statements are in poor taste. Even if this is actually the case, such claims are not expected in an official press release from a globally recognized company.
Pathao is correct in saying that companies abroad engage in similar practices. However, this does not excuse the lack of transparency in dealing with consumer data. Security concerns remain since most users do not check the user conditions and terms of agreement.
Misuse of user data: An Industry Norm?
Ride-sharing apps have a history of questionable data gathering practices. In 2017, Uber was investigated by the FBI for using a program to track the activity of its rival, Lyft. According to an exposé by The Information, Uber used the program between 2014 and 2016. It tracked how many Lyft drivers were available for new rides and where they were located. Uber created fake Lyft accounts and used them to trick Lyft into thinking that customers were seeking new rides in various locations around a city. This allowed Uber to see which drivers were nearby and what prices they were offering to customers, which in turn allowed Uber to undercut them.
The effort was part of a larger international strategy to monitor rivals like Ola in India and Didi Chuxing in China. Such practices were not inherently illegal, as the data was purportedly publicly available. Uber also monitored customers’ location data for up to five minutes after their trips ended. This was rolled back after another controversy and media attention. Admittedly, laws protecting users do not exist yet and there is a lack of regulation. However, the callousness toward user privacy is not going unnoticed.
While Pathao, of course, is a different company, the fact remains that ridesharing is a very competitive industry. Firms may be tempted to leverage the large amounts of data they have access to in order to gain an edge over their rivals. Data brokering is a very lucrative and growing industry.
Vigilance is necessary
According to the BRTA, none of the ridesharing companies currently operating in Bangladesh has successfully complied with the guidelines introduced earlier this year. These include providing SOS services, updated driver data, and call center and data center locations to the government.
Modern services such as Facebook and Pathao are here to stay. However, in light of data issues and scrutiny of social media apps, we need to be more vigilant about what kind of data we are sharing with these services, and how this data is being used. Perhaps measures similar to GDPR may be required in the future for markets like Bangladesh as well.
See our video on how to change your app permissions to protect your data.