Bolt, a VTC doped with trackers
After the analysis of the Molotov IPTV app, video chat apps Houseparty and Zoom, from the e-commerce site Fnac, of the Mapstr address and route sharing app Citymapper, let's now look at a well-known VTC: Bolt (ex Taxify or Txfy).
Bolt is an Estonian company that has quickly expanded around the world to be present in more than 150 cities in 35 countries in December 2019. One of Uber's main competitors, it also offers a scooter service as well as home delivery ("Bolt Food"). In order to analyze the tracking present on its iOS app, I followed the following steps:
- Closing the various background applications.
- Launching the application Charles Proxy and enabling tracking.
- Launch the Bolt application, then navigate in the App: just type a destination address, without ordering a ride.
- Export logs from my Charles Proxy session to my computer, in order to easily analyze the requests sent by Bolt.
Several third-party companies are tracking you, thanks to Bolt:
- Google : via Firebase Crashlytics (crash report) and Firebase Remote Config (allows you to customize Bolt without having to redeploy the app). No surprise in the sense that Google is present in the majority of Apps. But Bolt goes further, because it not only sends your pseudonymized data (credentials) to Firebase, but also nominative data: your first name, last name, email address and phone number.
- Appsflyer : analytics and attribution tool, allows Bolt to understand which advertising campaigns are working.
- Segment : the “Tag Manager” already mentioned in the article on HouseParty, a real hub for your personal data. Segment is there to transmit your journey on the Bolt app and your user profile to other marketing companies. Here Bolt sends among others to Segment your first name, your last name, your email, your telephone number, but also your GPS geolocation (longitude, latitude).
- CleverTap : via the wzrkt.com domain, personalized analytics and messaging tool for applications. Here too, Bolt sends your first name, your last name, your email, your telephone number, but also your GPS geolocation (longitude, latitude).
- tune : attribution tools, allows Bolt to understand which ad campaigns are working.
A vague privacy policy, in contradiction with the GDPR
Bolt is flouting GDPR by sending my personal data to multiple third-party companies, without asking for my consent or even informing me first. More seriously, as we have just seen, Bolt leaks nominative (name, email), personal (telephone number) and sensitive (geolocation) data to several third parties. Now let's read its privacy policy.
On the support page "Collection and processing of personal data", it was indicated (the article has now disappeared):
Who is the data shared with? Your data (name, geolocation) is only revealed to a driver registered on the Bolt platform and only for the duration of the trip. Your phone number is not visible to the driver. If you have forgotten an item at the end of the race, contact our customer service via your App. For further details on the processing of your personal data, please refer to our Passenger Privacy Policy.
As seen previously, this is a lie of omission: your name and geolocation, as well as your phone number and email are shared with other companies such as Google, Segment and CleverTap.
If we look now passenger privacy policy, the information is again minimal, we can read in the section 4. Destinataires :
Depending on the passenger's location, personal data may be disclosed to companies and partners of the Bolt Technology OÜ group (local subsidiaries, representatives, affiliates, agents, etc.). The processing of personal data by companies and partners of the Bolt Technology OÜ group will be carried out under the same conditions as those established in this privacy statement.
Who are these “companies and partners”? What are the legal bases for processing? Bolt provides no details.
A transfer of nominative personal information to Google
Bolt uses Google's toolbox for App developers: Firebase. Your personal data leaked via domain call https://firebaseremoteconfig.googleapis.com, this is the tool Remote Config which allows Bolt to customize its app without having to redeploy the application.
Different use cases are managed by Remote Config, such as A/B testing, launching beta versions, messaging differentiated according to the user's language, etc. Use cases which should not require leaking personal data.
If we read Remote Config documentation, Google does not elaborate on the type of data transmitted, only:
Don't store confidential data in Remote Config parameter keys or parameter values. It is possible to decode any parameter keys or values stored in the Remote Config settings for your project.
However, this is what Bolt does with my personal data, which I consider confidential: name, email and phone number. We also note in the Remote Config documentation that it communicates well with Google Analytics (which, in its version for Apps, is part of the Firebase toolbox):
You can use Remote Config to provide variations on your app's user experience to different segments of your user base by app version, by Google Analytics audience, by language, and more.
If we now read the page “Protect your data” from Firebase specific to Google Analytics:
Prohibition on sending personal information Our contracts prohibit customers from sending personal information to Google Analytics. Customers should follow these best practices to ensure that no personal information is sent to Google Analytics.
And here is the (restrictive) interpretation of personal information according to Google :
It therefore seems that Bolt, in addition to not respecting the GDPR, does not respect the Google Firebase contract. And that Google has not taken measures to control the use of its tools for businesses.
Personal data also leaked to CleverTap
CleverTap is a personalized analytics and messaging tool, which boasts of providing "a unified view" of its clients' users (including Bolt). Here is a screenshot of their tool (available on their site) to better understand how they highlight your personal information:
So, if a Bolt employee connects to CleverTap, they will access my file, filled with my name, my email address, my mobile number, and my various interactions with Bolt (including my GPS coordinates). Again, I have not given any permission, nor do I have any information on how CleverTap uses my personal data. And again, I didn't connect to Bolt via Facebook!
What do the CleverTap terms of use (i.e. their service for businesses, used by Bolt)? In summary: anything goes. In section 7, Confidentiality:
Client may capture Personal Information and send it to the Platform. “Personal Information” means information provided by Client or collected by Company under the Terms, which information identifies or can be used to identify, contact, or locate the person or device to whom that information pertains. Personal Information includes name, address, phone number, fax number, email address, social security number, or other government issued identifier, and credit-card information
Note also that CleverTap had already been identified via this tweet by Elliot Alderson, a security researcher, 2 years ago already:
Segment, the hub of your personal data
I had already written about Segment in Houseparty analysis, this tool is a "Tag Manager" for applications: Segment will collect your browsing data and your personal data to redistribute them to other tools used by Bolt. As with Google and CleverTap, Bolt chooses which personal data to pass to Segment. Again, nothing better than screenshots of the Segment website To illustrate the point:
My profile is now in Bolt's Segment tool, with my name, my email, my phone number, my interactions with the Bolt app and my geolocation (GPS coordinates). And Segment can then redistribute my information to a myriad of other companies, the "destinations" (activation carried out by Bolt, I have no way of knowing to whom my personal data leaks next):
In this case, Bolt could very well use Google Firebase, CleverTap and Segment by transferring "simple" pseudonyms (user identifiers) to them, informing you in advance of the use of these service providers, and requesting your consent. However, Bolt does none of this, and on the contrary will leak personal and sensitive personal data.
How to combat this invasion of your privacy? If “shaming” can sometimes work (Zoom removing Facebook tracking under pressure), nothing will really evolve without changing the rules of the App Stores (currently far too permissive on third-party tracking) or without significant action (a.k.a. heavy sanctions) from regulatory authorities like the CNIL.