Bolt, a ride-hailing app loaded with trackers
After analyzing the Molotov IPTV app, the video chat apps Houseparty and Zoom, the e-commerce site Fnac, the address-sharing app Mapstr and the route-planning app Citymapper, let's now look at a well-known ride-hailing service: Bolt (formerly Taxify or Txfy).
Bolt is an Estonian company that has quickly expanded around the world, reaching more than 150 cities in 35 countries by December 2019. One of Uber's main competitors, it also offers a scooter service as well as home delivery ("Bolt Food"). To analyze the tracking present in its iOS app, I followed these steps:
- Close the various background applications.
- Launch Charles Proxy and enable tracking.
- Launch the Bolt application, then browse inside the app: simply enter a destination address, without ordering a ride.
- Export the logs from my Charles Proxy session to my computer, in order to easily analyze the requests sent by Bolt.
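The last step, going through the exported requests by hand, is easy to script. Below is an added example (it is not code from the original article, nor from Bolt or Charles): a Python scan of a Charles session saved in HAR format that reports which categories of personal data reach which third-party host. The HAR document is constructed for illustration; the host list uses the domains named in this article plus `api.segment.io` for Segment, which is an assumption, and `bolt-api.example` is a placeholder for Bolt's own first-party API.

```python
"""Scan a Charles Proxy session, exported as a HAR file, for personal data sent to
third-party hosts. Added example for this article, not Bolt's or Charles's code.
Assumes the session was saved with Charles's HAR export; the HAR below is constructed."""
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Third-party hosts discussed in the article. api.segment.io is Segment's
# ingestion endpoint (assumption, not taken from the article).
THIRD_PARTY = {
    "firebaseremoteconfig.googleapis.com": "Google Firebase Remote Config",
    "wzrkt.com": "CleverTap",
    "api.segment.io": "Segment",
}

# Key-name patterns, matched in full against the last segment of a JSON key path,
# and an e-mail pattern searched in values (so non-JSON bodies are covered too).
KEY_PATTERNS = {
    "name": re.compile(r"(first_?|last_?|full_?)?name", re.I),
    "phone": re.compile(r".*(phone|mobile).*", re.I),
    "geolocation": re.compile(r"lat(itude)?|lon(gitude)?|lng", re.I),
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def flatten(obj, prefix=""):
    """Yield (dotted_key, scalar) pairs for every leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from flatten(value, f"{prefix}{index}.")
    else:
        yield prefix.rstrip("."), obj


def third_party_host(url):
    """Return the matching third-party domain (subdomains included), or None."""
    host = urlparse(url).hostname or ""
    for domain in THIRD_PARTY:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def request_pairs(entry):
    """Collect (key, value) pairs from the query string and body of one HAR entry."""
    request = entry["request"]
    pairs = [(q["name"], q["value"]) for q in request.get("queryString", [])]
    post = request.get("postData", {})
    pairs += [(p["name"], p["value"]) for p in post.get("params", [])]
    text = post.get("text")
    if text:
        try:
            pairs += list(flatten(json.loads(text)))
        except ValueError:
            pairs.append(("body", text))  # non-JSON body: scan it as one value
    return pairs


def classify(pairs):
    """Return the set of personal-data categories found among (key, value) pairs."""
    found = set()
    for key, value in pairs:
        leaf = key.rsplit(".", 1)[-1]
        for category, pattern in KEY_PATTERNS.items():
            if pattern.fullmatch(leaf):
                found.add(category)
        if isinstance(value, str) and EMAIL_RE.search(value):
            found.add("email")
    return found


def scan_har(har):
    """Map each third-party domain to the sorted categories sent to it in the session."""
    report = defaultdict(set)
    for entry in har["log"]["entries"]:
        domain = third_party_host(entry["request"]["url"])
        if domain is not None:  # first-party traffic is out of scope here
            report[domain] |= classify(request_pairs(entry))
    return {domain: sorted(categories) for domain, categories in report.items()}


# Constructed HAR standing in for a Charles export. Names, numbers, paths and
# subdomains are placeholders; bolt-api.example stands in for Bolt's own host.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "POST",
                 "url": "https://firebaseremoteconfig.googleapis.com/v1/projects/placeholder/namespaces/firebase:fetch",
                 "queryString": [],
                 "postData": {"mimeType": "application/json", "text": json.dumps({
                     "appInstanceId": "placeholder-instance-id",
                     "user": {"first_name": "Jane", "last_name": "Doe",
                              "email": "jane.doe@example.com", "phone": "+33600000000"}})}}},
    {"request": {"method": "POST",
                 "url": "https://sdk.wzrkt.com/placeholder-endpoint",
                 "queryString": [{"name": "os", "value": "iOS"}],
                 "postData": {"mimeType": "application/json", "text": json.dumps([
                     {"type": "profile", "profile": {"Name": "Jane Doe",
                                                     "Email": "jane.doe@example.com",
                                                     "Phone": "+33600000000"}},
                     {"type": "event", "evtData": {"latitude": 48.85, "longitude": 2.35}}])}}},
    {"request": {"method": "GET",
                 "url": "https://bolt-api.example/ride/estimate",
                 "queryString": [{"name": "lat", "value": "48.85"},
                                 {"name": "lng", "value": "2.35"}]}},
]}}


if __name__ == "__main__":
    # For a real export: har = json.load(open("bolt-session.har"))
    for domain, categories in scan_har(SAMPLE_HAR).items():
        print(f"{THIRD_PARTY[domain]:<30} {domain:<40} {', '.join(categories)}")
```

Matching on key names rather than values keeps the scan useful even when the values are pseudonymous: a request that sends only an opaque identifier produces an empty category set, which is the pattern an app using these SDKs lawfully would show.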
Several third-party companies are tracking you, thanks to Bolt:
- Google: via Firebase Crashlytics (crash reporting) and Firebase Remote Config (which lets Bolt customize the app without redeploying it). No surprise there, since Google is present in most apps. But Bolt goes further: it sends Firebase not only pseudonymized data (identifiers), but also identifying data: your first name, last name, email address and phone number.
- Appsflyer: an analytics and attribution tool that lets Bolt understand which advertising campaigns are working.
- Segment: the “Tag Manager” already mentioned in the article on Houseparty, a real hub for your personal data. Segment is there to transmit your journey through the Bolt app and your user profile to other marketing companies. Here, Bolt sends Segment, among other things, your first name, last name, email and phone number, but also your GPS position (longitude, latitude).
- CleverTap: via the wzrkt.com domain, a personalized analytics and messaging tool for applications. Here too, Bolt sends your first name, last name, email and phone number, but also your GPS position (longitude, latitude).
- Tune: an attribution tool that lets Bolt understand which ad campaigns are working.
A vague privacy policy, in contradiction with the GDPR
Bolt flouts the GDPR by sending my personal data to multiple third-party companies, without asking for my consent or even informing me first. More seriously, as we have just seen, Bolt leaks identifying data (name, email), personal data (phone number) and sensitive data (geolocation) to several third parties. Now let's read its privacy policy.
On the support page "Collection and processing of personal data", the following was stated (the page has since been removed):
Who is the data shared with? Your data (name, geolocation) is only revealed to a driver registered on the Bolt platform and only for the duration of the trip. Your phone number is not visible to the driver. If you have forgotten an item at the end of the ride, contact our customer service via your app. For further details on the processing of your personal data, please refer to our Passenger Privacy Policy.
As seen above, this is a lie by omission: your name and geolocation, as well as your phone number and email, are shared with other companies such as Google, Segment and CleverTap.
If we now look at the passenger privacy policy, the information is again minimal. In section 4, Recipients ("Destinataires" in the French version), we can read:
Depending on the passenger's location, personal data may be disclosed to companies and partners of the Bolt Technology OÜ group (local subsidiaries, representatives, affiliates, agents, etc.). The processing of personal data by companies and partners of the Bolt Technology OÜ group will be carried out under the same conditions as those established in this privacy statement.
Who are these “companies and partners”? What are the legal bases for processing? Bolt provides no details.
Identifying personal information transferred to Google
Bolt uses Google's toolbox for app developers: Firebase. Your personal data leaks through a call to the domain https://firebaseremoteconfig.googleapis.com. This is the Remote Config tool, which allows Bolt to customize its app without having to redeploy the application.
Different use cases are handled by Remote Config, such as A/B testing, launching beta versions, or adapting messages according to the user's language, etc. None of these use cases should require leaking personal data.
If we read the Remote Config documentation, Google does not elaborate on the type of data transmitted, only:
Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.
However, this is exactly what Bolt does with my personal data, which I consider confidential: name, email and phone number. We can also note in the Remote Config documentation that it does communicate with Google Analytics (which, in its app version, is part of the Firebase toolbox):
You can use Remote Config to provide variations on your app's user experience to different segments of your user base by app version, by Google Analytics audience, by language, and more.
If we now read Firebase's “Protect your data” page specific to Google Analytics:
Prohibition on sending personal information: Our contracts prohibit customers from sending personal information to Google Analytics. Customers should follow these best practices to ensure that no personal information is sent to Google Analytics.
Google's (restrictive) interpretation of personal information is shown in a screenshot on that page (not reproduced here).
It therefore seems that Bolt, in addition to not respecting the GDPR, does not respect the Google Firebase contract, and that Google has taken no measures to control how businesses use its tools.
Personal data also leaked to CleverTap
CleverTap is a personalized analytics and messaging tool, which boasts of providing "a unified view" of its clients' users (Bolt among them). A screenshot of the tool, available on their site, shows how they surface your personal information (not reproduced here).
So, if a Bolt employee logs in to CleverTap, they will access my file, filled with my name, my email address, my mobile number, and my various interactions with Bolt (including my GPS coordinates). Again, I have not given any permission, nor do I have any information on how CleverTap uses my personal data. And again, I did not connect to Bolt via Facebook!
What do the CleverTap terms of use say (i.e. the terms for its business service, used by Bolt)? In summary: anything goes. In section 7, Confidentiality:
Client may capture Personal Information and send it to the Platform. “Personal Information” means information provided by Client or collected by Company under the Terms, which information identifies or can be used to identify, contact, or locate the person or device to whom that information pertains. Personal Information includes name, address, phone number, fax number, email address, social security number, or other government issued identifier, and credit-card information.
Note also that CleverTap had already been identified two years earlier, in a tweet by the security researcher Elliot Alderson (tweet not reproduced here).
Segment, the hub of your personal data
I had already written about Segment in the Houseparty analysis. This tool is a "Tag Manager" for applications: Segment collects your browsing data and your personal data, then redistributes them to other tools used by Bolt. As with Google and CleverTap, Bolt chooses which personal data to pass to Segment. Again, nothing illustrates the point better than the screenshots on the Segment website (not reproduced here).
My profile is now in Bolt's Segment tool, with my name, my email, my phone number, my interactions with the Bolt app and my geolocation (GPS coordinates). And Segment can then redistribute my information to a myriad of other companies, the "destinations" (activated by Bolt; I have no way of knowing where my personal data leaks next). Segment's own screenshot of its destinations list is not reproduced here.
In this case, Bolt could very well use Google Firebase, CleverTap and Segment by transferring "simple" pseudonyms (user identifiers) to them, informing you in advance that it uses these service providers, and requesting your consent. However, Bolt does none of this and instead leaks personal and sensitive personal data.
How can we fight this invasion of your privacy? If “shaming” can sometimes work (Zoom removed Facebook tracking under pressure), nothing will really change without changes to the rules of the App Stores (currently far too permissive on third-party tracking) or without significant action (a.k.a. heavy sanctions) from regulatory authorities like the CNIL.