Uber Safety: You're On Your Own

in #security8 years ago

Two horror stories are circulating on social media about people who have been beaten up and robbed after getting into what they thought was an Uber taxi. My subsequent questions on Twitter and my own experience of Uber leads me to come to the conclusion that Uber doesn't care about the safety of passengers in any active sense.

In this video, published by Uber, they make the claim that every driver is properly trained and vetted. Maybe, maybe not. Most of the drivers who I have used seem to be reasonably competent, but one definitely was not. More on that later.

But is Uber safe? It depends on what you mean by safety. If you use public transport in South Africa you have the choice between buses, minibus taxis, metered taxis and trains. Many buses are not roadworthy, and some bus drivers have been known to have been fired from one depot, only to be hired by another depot of the same large bus company. I used to work for a company that monitored complaints from motorists and passengers of commercial vehicles and buses. One passenger complained that the driver was speeding, so he stopped the bus and threw the passenger off. She was left stranded on the side of the road, and called Drive Report to report what happened. There is a continuous stream of news reports of bush crashes on our roads.

In Joburg we have ReaVaya, which is "better" than the normal municipal buses, but it's a logistical nightmare. It took my wife three weeks to get a smart card "ticket" and load funds into it. That was because the stations often run out of smart cards, or are offline and can't load cash into the card. They told my wife that if she traveled halfway across Joburg there was a station that might have stock of smart cards. Of course she couldn't use the bus to get there either. #WTF

Minibus taxis are used by millions of people every day, and they literally take their life into their hands getting on a taxi. Drivers are often reckless, vehicles are often unlicensed, and the cops are scared of the taxis. I have been involved in three collisions with minibus taxis, all of them caused by bad or reckless driving. The only safety you have as a passenger is that there are usually a dozen other people in the vehicle, so its safety by numbers: if something goes wrong, passengers will stick up for one another. But this doesn't help in the event of an accident or taxi war-related shootings.

The last time I took a metered taxi was 30 years ago, and it was really expensive then. Not much has changed, except that taxi drivers have become more aggressive in soliciting passengers at bus stations and airports. I avoid them like the plague. I'd rather hire a car.

So by comparison, Uber seems like a safer bet. You get to rate the driver, and the driver rates you as a passenger. But that's where the wheels fall off. The Uber app can't (or won't) tell me whether I have used the driver before. The app tells me the vehicle make and model, and registration, but not the colour. I requested this a year ago and nothing has changed. It can't be that difficult to add, and would make spotting the Uber vehicle a bit easier. Many Uber drivers don't display their license in the window, or even have their phone on the dashboard where it can be seen, because the metered taxi drivers at airports and railway stations attack them if they think they are an Uber driver. So an Uber vehicle looks exactly like a private vehicle. And that's one of the problems with Uber.

Another problem with Uber is the lax security of the apps and the back end. Uber claims that drivers have to use "two factor authentication" to log in. But the second factor is the phone that belongs to the driver. So if the driver logs in using a user name and password, all the second factor can do is confirm that he is using his own phone. It can't confirm who the driver is, and there is no time-out or re-authentication during the day. So if I abduct a driver, force him to sign in and then take his car and his phone I can pick up fares indefinitely until he escapes. The implication on Twitter is that Uber is lax about kicking drivers off the system if they resign or are fired. I have no way of confirming this.

What I can confirm is that Uber doesn't actively monitor any of the trips. The fact that you can see where the vehicle is, is only as a result of them recording the trip. If the trip takes longer than expected, no red flags go up at Uber HQ, and no intervention is made. Last year my wife took a trip from Melville to Cresta, which usually takes about 15-20 minutes and costs around R70-R80. The driver in this case was an idiot or wasn't properly trained. When he dropped her off he didn't end the trip, and kept the meter running for the next 3 days. Yes, three days later I cancelled the trip because I needed to catch a lift to the gym, and it told me that I was already "on trip". Then Uber duly billed me for the three days, and wondered why the R3,100 card charge was declined. The next time I tried to return home from gym they refused until I had paid the bill. That's where things got even more interesting.

There is no number you can call to speak to a real human at Uber. You can only contact drivers. If you want to "speak" to someone at Uber you leave a message on the app (e.g. email) or try your luck with Twitter. Fortunately I managed to get a response on Twitter when I DM'd them. They don't always respond, or can take hours to respond, in spite of Uber Cape Town GM Anthony le Roux's claim of half an hour. What would have happened if I had been stuck at gym and unable to get a response from Uber? Walk home?

My friend Sally Polack discovered that someone was using her credit card information to make trips. She doesn't have a smart phone, and all her enquiries with the bank and Uber via email were stonewalled. No one could tell her who was using her card, or whether they had done anything to prosecute the person concerned. I guess they just wrote it off as the cost of doing business. She got her money back from the bank's credit card division. Contrast that with their claim "Our specially-trained incident response teams are available around the clock to handle any urgent concerns that arise." Nice if you can get in touch with this "team".

That brings us to the nub of the matter: what should you do if something bad happens to you while you are in the vehicle? Their answer: "In the event of an emergency, we ask riders to contact the national emergency line - 10111." In other words, you're on your own, chump.
Image of Tweet

Until Uber actually has a ride monitoring service, the best you can do is "Share your ETA" with a friend, and arrange with them ahead of time to call you while you are on your trip to make sure that everything is OK. Of course, I have no idea what to suggest if it isn't OK. If the driver's phone is faulty or he switches off his phone then you have no idea where the vehicle is. There's no vehicle tracking such as Tracker in Uber vehicles.
Route Map

Here's an example of a "trip" from home to gym where the driver's phone was faulty. The squiggle route shown here was actually recorded once he dropped me off. It's not even 1km long.

Help button

So what should Uber do that they aren't doing? The most obvious change would be to record both the driver's location and the passenger's location, and show both on the "Share my ETA" map and the billing record. If the trips appear to differ, then a real-time monitor alarm should sound in their control room, and they should call the passenger to find out if everything is OK. If not, they can the report the matter directly to the correct branch of police (flying squad or whatever) in the vicinity.

This would mean they would have to equip SAPS sector vehicles and flying squad vehicles with an app that allows Uber to know their location and request help in an emergency. If SAPS aren't able to do this, there are plenty of security companies and vehicle recovery services that might be willing to do so. The real-time monitoring of both passenger and driver would also prevent idiot billing like the examples shown above.
Another layer of security would be to add vehicle tracking to Uber vehicles, independent of the driver's phone. Many of these tracking systems come with a "panic button" feature, which the passenger could press, such as in the case of an accident or other emergency.

The Uber app could also have a panic button, possibly with some kind of code the passenger could enter to prove it wasn't pressed accidentally. We've all made phone calls from our pockets or handbags without realising it. And you don't want too many false positives.

Speaking of false positives, my 3 year old niece has managed to summons an Uber to their front door. My wife has managed to summons an Uber when all she wanted was a quote, so there is work to be done on the app UI for non-technical users. A random 4-digit confirmation code would prevent this.

One more thing: Please publish a phone number for emergencies. I welcome comments from readers for any other ideas.
(Originally published on my blog: http://donnedwards.openaccess.co.za/2016/08/Uber-safety-youre-on-your-own.html)