Tech firms spend serious time and money trying to secure their employees and infrastructure from hackers. But gig economy companies like Uber and Lyft pay far less attention to cybersecurity for their contractors and, in some cases, encourage insecure behaviour, researchers say—potentially exposing workers to greater risk of identity theft and phishing attacks.
The ways that tech platforms communicate with their gig workers often encourage or reinforce shoddy security practices, according to research by Kendra Albert, a fellow at Harvard Law’s Cyberlaw Clinic, and Elizabeth Anne Watkins, a PhD researcher at Columbia University.
“Gig work platforms don’t just externalise their security costs, they sometimes actively make their workers less secure,” Albert told attendees on Tuesday at Enigma, a cybersecurity conference in Santa Clara, California, where they presented the research.
Ride-hailing apps, cleaning companies, and food delivery services often require workers to upload their driver’s licenses, insurance information, and other personal data. Sometimes this data ends up leaking—as was the case with a 2015 breach at Uber that exposed Social Security numbers and driver’s licenses. As a gig worker, “you’re engaging in a set of behaviours that might increase your risk,” Albert said.
Although companies often give their employees security training, the same practices don’t extend to gig workers, the researchers found. This leaves contractors with the responsibility to educate themselves about how the company they work for stores the data they hand over, how to detect phishing emails and scams, and how to defend themselves against identity theft if a company they contract with suffers a breach.
“Current gig work models are exacerbating trends towards a digital security divide,” Albert said.
In addition to having less corporate support and protection, gig workers are also prime targets for scammers, according to Albert. “There’s an epidemic of Uber and Lyft drivers being common targets for phishing scams,” Albert said.
Some scammers will tell drivers that their accounts will be deactivated if they don’t immediately hand over their login credentials. Because threats of deactivation are common in the ride-hailing industry, these messages appear more legitimate. “It’s believable because that’s what the systems that are in place already do,” Albert said. “Distrust makes some security problems worse.”
During their presentation of the research, Albert called on tech companies to think more carefully about the ways they communicate with workers in order to encourage more secure behaviour.
“How do the systems you design, test, and study allocated security risk?” they asked. “Is it to those with the least power to say no?”