#BalticBrief: Russian Ridesharing Service Possible Data Risk
Newly introduced Yandex Taxi app faces allegations of spying on users in the Baltics
#BalticBrief: Russian Ridesharing Service Possible Data Risk
Newly introduced Yandex Taxi app faces allegations of spying on users in the Baltics
[facebook url=”https://www.facebook.com/urministerija/videos/2203751572974811/” /]
At this early stage, a measure of whether the public awareness efforts and recommendations from the National Center for Cyber Security deterred potential app downloads. According to the official Yandex Taxi statistics, 10,000 new users joined the app in Lithuania during the first few days. In Estonia, the app started operating in May and had 50,000 users by August. In Latvia, the app was operational since March and accumulated 50,000 users by August.
Permissions
The complete list of the permissions needed to install the Yandex Taxi app on the Android platform was available on the Google Play page. @DFRLab investigated the permission list and compared it with the two other main ridesharing apps in Lithuania: Taxify and Uber.
Both apps shared many of the same permissions. However, Yandex Taxi — unlike Taxify — required permission to “add or remove accounts”, “record audio”, “create accounts and set passwords”, “connect and disconnect from Wi-Fi”, “read sync settings”, “use the accounts on the device”, “toggle sync on or off”, “full network access”, and “change your audio settings”.
The suspicions were not far-fetched, as many of these permissions have previously been labeled for abuse on various technology related websites.
In the case of Uber, the list of unique permissions between the Yandex and Uber declined.
Both apps shared most of the same permissions. Yandex Taxi went further than Uber by requesting to “add or remove accounts”, “create accounts and set passwords”, “read sync settings”, “use the accounts on the device”, and “toggle sync on or off”.
A number of these permissions where quoted by Lithuanian officials, who stated that permission “to take pictures and videos”, “to record audio”, “to read the contents of your USB storage”, “to create accounts and set passwords”, and others were excessive and suspicious. Yandex’s global strategy director Aram Sargsyan, denied the allegations and responded, “processes and stores data of European Union users strictly according to EU regulations.”
The side-by-side comparisons revealed that Taxify is providing ridesharing services without some of the debated permissions. Yandex Taxi ties to the Kremlin were also publicly debated and raised even more eyebrows in Lithuania. Yandex was accused by Russian opponents to President Vladimir Putin, like Alexey Navalny, of being loyal to the Kremlin. Navalny, also recently complained that Yandex News hid reports on his recent nationwide anti-corruption protests from its newsfeed. In response, Yandex said its results are automatically generated by algorithms and denied that any manipulation was possible.
Last year, Uber said it was merging with Yandex in Russia and five other ex-Soviet republics, as it cedes control of the Russian market. The companies agreed to form a new joint venture by combining their ride-hailing services in Russia, Azerbaijan, Armenia, Belarus, Georgia, and Kazakhstan. Yandex will own about 59 percent and Uber roughly 37 percent of the combined company and Yandex. Taxi Chief Executive Tigran Khudaverdyan will become the CEO of the combined business.
Conclusion
The introduction of the Yandex Taxi service in Lithuania received an unprecedented reaction from the public and Lithuanian officials. More information should be available soon as Lithuanian National Center for Cyber Security started conducting an in-depth analysis of the app.
Comparison of permissions required by market competitors showed that both Yandex and Uber required a longer list of permissions than Taxify, which provides effectively the same service. Furthermore, Uber and Yandex Taxi announced the merging of efforts in Russian and five other post-soviet states, in which Yandex would have a larger share of the combined business. The merger will decrease the possibility for users to choose alternative ridesharing services.
Follow along for more in-depth analysis from our #DigitalSherlocks.