Few tech companies can rival Uber in its combination of blurred ethical lines and data-fueled power to invade people's privacy. The same rideshare service that's been rocked by scandals, threatened in the past to investigate unfriendly journalists, and tracked the location of users as a party trick has all the location data it needs to follow your daily habits, love affairs, and doctor visits.
You might think that's the Faustian bargain of using a ridesharing app like Uber or Lyft in the first place. But one team of cryptography researchers argues it doesn't have to be this way. They've demonstrated that you can have your surge-priced pickups without giving up your privacy.
A team of cryptographers at the Swiss Federal Polytechnic Institute in Lausanne and Lausanne University has developed a prototype for a software system they call ORide, designed to make possible all the features of a ridesharing service while dramatically minimizing the location data it collects. In fact, the "O" stands for "oblivious." The team built ORide such that no one but the rider and driver for any single trip knows their whereabouts—not even the ridesharing company.
While only a proof of concept, ORide hints at an alternate reality where app-enabled car services don't list ubiquitous location-tracking as a prerequisite. The researchers say they even hope it might be adopted by a ridesharing service in an increasingly competitive industry. Privacy can be a powerful selling point.
"This makes it impossible for an attacker, an eavesdropper, or the ridesharing service itself to make use of the location data that goes beyond the function of the service," says Jean-Pierre Hubaux, one of the Lausanne Polytechnic researchers who created ORide and who plans to present it at the Usenix Security conference later this summer. "With modern cryptography it's possible to conceal this information and yet still enable the machinery to work as requested."
In a detailed paper that outlines their prototype system, the researchers explain the cryptographic sleight of hand that enables its location-hiding. The key is a mathematical trick they call "somewhat-homomorphic encryption." Homomorphic encryption is a system that allows computations to be performed on data even while it's encrypted—add an encrypted two plus an encrypted two, for instance, and you get an encrypted sum that can be decrypted to reveal a four. (Fully homomorphic encryption makes computations take millions of times longer, but the Lausanne researchers say their "somewhat-homomorphic" scheme allows them to perform a few simple calculations with almost no added processing time.)
ORide's ride-hailing process begins by encrypting the locations of drivers and riders on their phones with that somewhat-homomorphic encryption layer. The service receives those encrypted coordinates and performs a proximity calculation on them to identify the nearest car to any waiting rider, and lets the rider choose to hail it—but without the server hosting the ORide service ever knowing the unencrypted coordinates of either user. Once it makes a match, ORide launches an end-to-end encrypted conversation between the two users' phones so that they can locate each other.
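To make the "proximity calculation on encrypted coordinates" concrete, here is an added toy example (not ORide's code; the paper uses a lattice-based somewhat-homomorphic scheme, whereas this stand-in uses additively homomorphic Paillier with deliberately small, constructed primes). It computes the squared straight-line distance between a rider and each driver so that the service only ever handles ciphertexts; because Paillier cannot multiply two ciphertexts, the driver folds in his own coordinates via scalar multiplication, a simplification of the real protocol.

```python
"""Toy Paillier demo of ORide-style oblivious proximity matching.
Constructed example; the primes are far too small for real use."""
import math
import secrets

P, Q = 1_000_000_007, 998_244_353   # toy primes (real keys need ~1024-bit primes)
N = P * Q
N2 = N * N
LAM = math.lcm(P - 1, Q - 1)        # private key, held only by the rider
MU = pow(LAM, -1, N)                # valid because the generator g is N + 1

def encrypt(m):
    """Paillier encryption with g = N + 1; negative m is taken mod N."""
    r = secrets.randbelow(N - 1) + 1
    return (pow(N + 1, m % N, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    """Decrypt and map the residue back to a signed integer."""
    m = (((pow(c, LAM, N2) - 1) // N) * MU) % N
    return m - N if m > N // 2 else m

def add(c1, c2):
    """Enc(a) * Enc(b) mod N^2 = Enc(a + b): the 'encrypted 2 + 2' trick."""
    return (c1 * c2) % N2

def scale(c, k):
    """Enc(a) ^ k mod N^2 = Enc(k * a), for a plaintext scalar k."""
    return pow(c, k % N, N2)

def rider_request(x_r, y_r):
    """Rider encrypts the terms the distance formula needs under her own key."""
    return {"x": encrypt(x_r), "y": encrypt(y_r), "sq": encrypt(x_r**2 + y_r**2)}

def driver_response(req, x_d, y_d):
    """Driver contributes x_d^2 + y_d^2 - 2*x_d*x_r - 2*y_d*y_r without
    learning (x_r, y_r): he only ever sees the rider's ciphertexts."""
    cross = add(scale(req["x"], -2 * x_d), scale(req["y"], -2 * y_d))
    return add(cross, encrypt(x_d**2 + y_d**2))

def service_match(req, responses):
    """Service completes (x_r-x_d)^2 + (y_r-y_d)^2 purely on ciphertexts."""
    return [add(req["sq"], resp) for resp in responses]

def nearest_driver(x_r, y_r, drivers):
    """Rider decrypts the squared distances and picks the closest car."""
    req = rider_request(x_r, y_r)
    responses = [driver_response(req, x, y) for x, y in drivers]
    dists = [decrypt(c) for c in service_match(req, responses)]
    return min(range(len(drivers)), key=dists.__getitem__), dists
```

Only the rider holds the decryption key, so the service learns neither party's coordinates and each driver learns nothing about the rider; the rider learns only distances, which is what is needed to choose a car.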
When a driver picks up a rider, their phones establish a short-range connection using a radio protocol like Bluetooth, which they use to verify that the right driver is at the location and that no one has intercepted their encrypted conversation. The rider and driver then map out the best route to the rider's destination, and each confirms the route on his or her own device. They need to determine the route ahead of time, since ORide's privacy guarantees mean the ridesharing service itself won't ever see the path and can't monitor it in real time.
Based on that route, the two phones then compute a "fare report," signed with a secret key stored on both the rider's and driver's phones, which makes it nearly impossible to fake. The fare report contains the length of the route and a unique piece of data identifying the rider known as "certificate." (As a kind of safety mechanism, the rider receives a copy of the driver's certificate, too, which ORide suggests they should send to an email address or cloud storage account.) Any time after the ride, the driver can send that fare report to the ridesharing service provider as proof that the ride took place, cashing it in for the fare that the service then charges to the rider's account.
Just as with Uber and Lyft, the rider and driver can also follow up by rating each other with a score that's tied to their real, persistent identities. But while the ORide system stores those identities—it's not designed to be fully anonymous, only to obfuscate location—it can never tie them to any particular place or route.
Giving up location awareness altogether might seem to trade safety and convenience for privacy: By tracking users' routes, after all, ridesharing services like Uber and Lyft can also resolve disputes over service between riders and drivers, help riders find lost items left in cars, and provide evidence if either the rider or driver robs or harms the other. But ORide's creators argue their system takes that accountability problem into account. In the case of a disagreement, crime, or lost item, the rider and driver both have access to the other's unique ID certificate. (The rider stores it in his or her own email or storage account, while the driver has it included in the fare report.) And in the case of one of those emergencies, either one can show that certificate to the ridesharing service and provably identify the other. "Based on that, the service could trace the rider or driver of that ride, and we can guarantee accountability," says Anh Pham, one of the Lausanne researchers.
When WIRED shared the researchers' ORide paper with Uber and Lyft, the latter declined to comment. But Uber replied in a statement that it carefully restricts and audits its employees' access to customer data. "We have built entire systems to implement technical and administrative controls that limit access to customer data to those employees who require it to perform their jobs," read a 2016 internal memo an Uber spokesperson shared.
Uber also argues against ORide's notion that a system that has no knowledge of users' locations could be as safe or convenient as one that does, regardless of ORide's accountability claims. "Location information is essential for providing a safe experience for both riders and drivers," Uber's spokesperson wrote in an email, pointing out that Uber even lets passengers share their route and estimate arrival times with friends. To Uber's point, monitoring users' locations in real time almost certainly would allow a service provider to respond to disputes and emergencies far more quickly than ORide's more convoluted system of retrieving stashed certificates to serve as proof that a rider or driver misbehaved or has your lost phone.
Implementing ORide would also involve real sacrifices in efficiency. While its somewhat-homomorphic encryption would likely add less than a second to the app's functions, it might also significantly slow down pickups: ORide's encrypted proximity computations can only handle straight-line measurements, and don't account for complex routes on tangled city streets, so cars may sometimes end up being much further away from riders than they appear to be.
But ORide nonetheless shows that another ridesharing system that values privacy remains possible and even practical by some measures. It effectively highlights just how much privacy Uber and Lyft users sacrifice in the name of convenient pickups. And ORide creator Jean-Pierre Hubaux argues that even beyond that ideological purpose, it might actually be adopted. For any ridesharing company considering implementing the system, he claims, its efficiency and convenience drawbacks may still be worth the competitive advantage ORide's privacy offers. An extra minute of waiting for a pickup may be better than sharing your every movement with a Silicon Valley startup. "One ride-hailing service operator may want to increase its appeal by enriching its service with this feature, to say 'we care about your privacy,'" says Hubaux. "It's a way to raise the standard of human dignity."