Homegrown ride-hailing service Pathao was the centre of attention on social media last week. Pathao was slapped with two grave allegations: improperly hogging and storing users' private data, including SMS and contact lists, and illegally charging passengers extra fares. For today, let's look at the data privacy issue:
The improper fetching and storing of SMS and contact list data first came to light after Ashik Ishtiaque Emon, a self-proclaimed security researcher, uploaded a video showing how Pathao has been fetching and storing information. According to the video, Pathao is forwarding users' sensitive information, which includes hardware details, to a third-party server in California. Storing and forwarding this information abroad is a violation of the newly minted ride-sharing guidelines. The most alarming part is the fetching of information (such as installed apps) without even getting the approval of the user. Another thing Emon pointed out is that Pathao only informs the user that it is seeking location information, but when the permission box pops up (a Google safety protocol to ensure user consent), it sneakily takes location, SMS and contact access permissions.
You might be wondering whether this happens every time you install the app, and the answer is no. It happens every time you open the app, and it will fetch all the new info (i.e. it could be all the new SMSs you got since the first install). The implications of this data fetching might be catastrophic. Imagine your banking, social media, MFS and email related OTPs getting fetched to Pathao. If this had been done by a social media app, the entire process would still have raised eyebrows but would have been understandable. But for a ride-hailing service, unwarranted fetching and storing of this data is totally uncalled for and violates all ethical practices.
After the video was uploaded, it was shared several thousand times online, and the drama didn't stop there. Emon later removed the video from his social media pages. In a later interview with Ekushey TV, he said that he did it because Pathao wanted to come 'to an arrangement' with him. Initially, he agreed, but later he realised that he would not be able to forgive his conscience, hence he re-uploaded it. We contacted Pathao about this, but they have neither denied nor confirmed anything as of today.
In a press brief issued later, Pathao said they are ensuring the optimum security of the stored data and are following all the best practices. We didn't get a response either when we asked Pathao what data privacy and security compliance certifications or standards the ride-hailing company has obtained so far.