Digital Rights Foundation report reveals the disturbing side of unregulated Careem and Uber in Pakistan

Careem and Uber have made transportation a lot easier in Pakistan. Despite all the benefits, several reports from customers, especially females customers, have pointed out severe issues with these services. A new report published by Digital Rights Foundation (DRF) looks at the various privacy concerns and issues faced that have been identified over the years with these services.

The report titled, “Ride-Sharing Apps and Privacy in Pakistan: A detailed study on the practices of Uber and Careem” discusses different aspects of the services. It starts by looking at how the services have managed to stay unregulated through all these years. As mentioned, the services were halted in 2017 but were up within 48 hours after an undisclosed agreement was reached.

The report criticizes Careem and Uber for storing user data which includes not only their names, but also the places they visit frequently, their location and data in their phones. The report pointed out that these services enjoy liberty as there is no law of personal data protection.

“This leaves companies largely unregulated in Pakistan, especially in the absence of personal data protection legislation”

Another point highlighted by the report is the lack of uniformity in policy implementation by the services. It states that while both Careem and Uber asked for police reports from recent employees, drivers working with these services for more than 1.5 years stated that there was no such requirement. The finding does raise concerns and begs the question, “can we trust these services in light of such careless behavior and policy implementation?”

Another aspect the report tackled was the harassment faced by female drivers. One of the female drivers from their focus group said that she had to block over 250 numbers after the rides had ended. It pointed out that the notion of being “brave” was problematic in itself and cited lack of support from management in such cases. The situation is expected to improve though after Uber, following in Careem’s footsteps, has started masking the phone numbers of both riders and drivers from each other.

Perhaps one of most shocking findings came when DRF asked Careem why they collected “Mac address, IP address, SMS data, transaction information, browsing history information, searching history information, and registration history information.” Careem responded by saying that they did not collect all such information even though they could if required. They said that by collecting MAC address, they were able to identify the captain and client and help them in case of emergency.

Talking to DRF, Careem said that they store user data for a period of five years but did not have a process for automatically deleting the data once the period has elapsed. Careem further talked about the fact that users could opt out of sharing their data with third parties by simply uninstalling the app.

The problem isn’t just collecting data and sharing it with 3rd parties. The other repercussion of collecting so much data is that any hack will now result in huge amounts of personal data being compromised. In the report Careem did emphasize on how important security was, but judging by past events, hacks are unavoidable. Last year, hackers were able to get personal data from 14 million Careem users. So sharing personal information with Careem can result in that information getting in the wrong hands.

Digital Rights Foundation is a research-based non-government organisation which focuses on ICTs to support human rights, inclusiveness, democratic processes, and digital governance.