Bolt, a ride-hailing app loaded with trackers
After analyzing the Molotov IPTV app, the video chat apps Houseparty and Zoom, the e-commerce site Fnac, the address-sharing app Mapstr and the route-planning app Citymapper, let's now look at a well-known ride-hailing service: Bolt (formerly Taxify or Txfy).
Bolt is an Estonian company that has quickly expanded around the world, reaching more than 150 cities in 35 countries by December 2019. One of Uber's main competitors, it also offers a scooter service as well as home delivery ("Bolt Food"). To analyze the tracking present in its iOS app, I followed these steps:
- Close any apps running in the background.
- Launch Charles Proxy and start recording traffic.
- Launch the Bolt app, then move around in it: just enter a destination address, without booking a ride.
- Export the logs from my Charles Proxy session to my computer, to make it easy to analyze the requests Bolt sends.
So, thanks to Bolt, several third-party companies are tracking you:
- Google: via Firebase Crashlytics (crash reporting) and Firebase Remote Config (which lets Bolt customize the app without redeploying it). No surprise there, since Google is present in most apps. But Bolt goes further: it sends Firebase not only your pseudonymized data (identifiers), but also identifying data: your first name, last name, email address and phone number.
- Appsflyer: an analytics and attribution tool that lets Bolt understand which advertising campaigns are working.
- Segment: the “Tag Manager” already mentioned in the article on Houseparty, a true hub for your personal data. Segment's job is to relay your activity in the Bolt app and your user profile to other marketing companies. Here, Bolt sends Segment, among other things, your first name, your last name, your email, your phone number, and also your GPS location (longitude, latitude).
- CleverTap: via the wzrkt.com domain, a personalized analytics and messaging tool for apps. Here too, Bolt sends your first name, your last name, your email, your phone number, and also your GPS location (longitude, latitude).
- Tune: attribution tools that let Bolt understand which ad campaigns are working.
A vague privacy policy, at odds with the GDPR
Bolt flouts the GDPR by sending my personal data to multiple third-party companies, without asking for my consent or even informing me first. More seriously, as we have just seen, Bolt leaks identifying data (name, email), personal data (phone number) and sensitive data (geolocation) to several third parties. Now let's read its privacy policy.
The "Collection and processing of personal data" support page stated the following (the page has since been taken down):
Who is the data shared with? Your data (name, geolocation) is only revealed to a driver registered on the Bolt platform and only for the duration of the trip. Your phone number is not visible to the driver. If you have forgotten an item at the end of the ride, contact our customer service via your app. For further details on the processing of your personal data, please refer to our Passenger Privacy Policy.
As seen above, this is a lie by omission: your name and geolocation, as well as your phone number and email, are shared with other companies such as Google, Segment and CleverTap.
Turning now to the passenger privacy policy, the information is again minimal. Section 4. Recipients reads:
Depending on the passenger's location, personal data may be disclosed to companies and partners of the Bolt Technology OÜ group (local subsidiaries, representatives, affiliates, agents, etc.). The processing of personal data by companies and partners of the Bolt Technology OÜ group will be carried out under the same conditions as those established in this privacy statement.
Who are these “companies and partners”? What are the legal bases for processing? Bolt provides no details.
Identifying personal information transferred to Google
Bolt uses Google's toolkit for app developers: Firebase. Your personal data leaks through a call to the domain https://firebaseremoteconfig.googleapis.com. This is the Remote Config tool, which lets Bolt customize its app without redeploying it.
Remote Config handles a range of use cases, such as A/B testing, rolling out beta versions, tailoring messages to the user's language, and so on. None of these should require leaking identifying personal data.
In the Remote Config documentation, Google says little about the type of data transmitted, only:
Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.
Yet this is exactly what Bolt does with my personal data, which I consider confidential: name, email and phone number. The Remote Config documentation also makes clear that it does talk to Google Analytics (whose app version is part of the Firebase toolkit):
You can use Remote Config to provide variations on your app's user experience to different segments of your user base by app version, by Google Analytics audience, by language, and more.
Now turning to Firebase's “Protect your data” page, the one specific to Google Analytics:
Prohibition on sending personal information Our contracts prohibit customers from sending personal information to Google Analytics. Customers should follow these best practices to ensure that no personal information is sent to Google Analytics.
And here is Google's (restrictive) interpretation of personal information:
So it seems that Bolt, on top of breaching the GDPR, is also breaching its Google Firebase contract, and that Google has done nothing to police how businesses use its tools.
Personal data also leaked to CleverTap
CleverTap is a personalized analytics and messaging tool that boasts of giving its clients (Bolt among them) "a unified view" of their users. Here is a screenshot of their tool (taken from their site) that shows how they put your personal information front and center:
So if a Bolt employee logs in to CleverTap, they will pull up my record, complete with my name, my email address, my mobile number, and my various interactions with Bolt (including my GPS coordinates). Here again, I gave no permission, and I have no idea how CleverTap uses my personal data. And remember, I didn't even sign in to Bolt through Facebook!
What do the CleverTap terms of use say (i.e. the terms for its business service, used by Bolt)? In summary: anything goes. In section 7, Confidentiality:
Client may capture Personal Information and send it to the Platform. “Personal Information” means information provided by Client or collected by Company under the Terms, which information identifies or can be used to identify, contact, or locate the person or device to whom that information pertains. Personal Information includes name, address, phone number, fax number, email address, social security number, or other government issued identifier, and credit-card information
Note, too, that CleverTap had already been flagged in this tweet by security researcher Elliot Alderson, fully two years ago:
Segment, the hub of your personal data
I had already written about Segment in the Houseparty analysis. This tool is a "Tag Manager" for apps: Segment collects your browsing data and your personal data, then redistributes them to other tools used by Bolt. As with Google and CleverTap, Bolt picks which personal data to hand Segment. Here again, nothing illustrates the point better than a few screenshots from the Segment website:
My profile is now in Bolt's Segment tool, with my name, my email, my phone number, my interactions with the Bolt app and my geolocation (GPS coordinates). And Segment can then redistribute my information to a myriad of other companies, the "destinations" (activated by Bolt; I have no way of knowing where my personal data leaks next):
As it happens, Bolt could perfectly well use Google Firebase, CleverTap and Segment by passing them "plain" pseudonyms (user identifiers), telling you up front that it relies on these providers, and asking for your consent. But Bolt does none of this, and instead leaks identifying and sensitive personal data.
How do we fight this invasion of your privacy? "Shaming" can sometimes work (Zoom dropped Facebook tracking under pressure), but nothing will really change without an overhaul of the App Stores' rules (currently far too permissive on third-party tracking), or meaningful action (a.k.a. heavy fines) from regulators like France's CNIL.