Whether it's Uber or the NSA, stories of staff spying on people for a variety of reasons... it always comes down to people who seem to have access to things that they probably shouldn't have gotten access to in the first place. Users should be protected by having their data encrypted and anonymized so no other human being (staffers, governments or hackers) can connect an ID to the data. This way they can still access the data and use it for whatever work-related purpose, with less risk of these things happening.
This works until you need some kind of ombudsperson. At some level the data needs to be accessible and auditable, otherwise what am I to do if my driver just drops me off at a different place than where I asked, or doesn't pick me up?
You need to know that I was in their vehicle, otherwise how can they charge me if I ruin their car. You need to know they were my driver.
There absolutely should be data privacy guarantees that are as strong as possible. But "encrypt and anonymize everything" doesn't work. (edit: and note, I think this is an unfortunate truth, but still a truth).
Obviously when you make a support request your record should be displayed for the customer service agent, but this is the other way around where they can seek out people. I don't think that's a valid use case and there's the obvious abuse case.
Right, but the solution to that isn't 'encrypt everything', it's 'define reasonable (and this definition may vary, but it's certainly not "none") access controls for user data and PII'.
You could completely anonymize when certain key variables are met. In your example, when the ride is successfully completed and both parties confirmed this, the data can be anonymized.
Sadly there is money moving on both sides of this transaction. Depending on the state/country, there may be requirements to retain this data in a certain way or to report it to the government.
When you are moving money (especially when you are moving lots of money) you start having to deal with KYC, risk models, and all other kinds of fun.
> At some level the data needs to be accessible and auditable, otherwise what am I to do if my driver just drops me off at a different place than where I asked, or doesn't pick me up.
You're seriously arguing that cryptography has no technical means for a driver to send an unrepudiatable attestation of intent to drive from A to B at time C to an anonymous passenger? And that an ombudsman armed with driver GPS data cannot compare the attestation to the GPS data and instead needs identification data on the passenger in order to verify whether the driver went to the correct drop-off?
> You need to know that I was in their vehicle, otherwise how can they charge me if I ruin their car.
By using one of the growing number of datasets to figure out the person's identity after the fact. E.g., same thing you do if you get in a fender-bender or get cut off by a cyclist.
You can even have a multi-hour buffer for an in-vehicle cam which you consult if somebody ruins your car. But the likelihood of someone ruining the driver's car without the driver noticing is so unlikely that there is just no way it justifies collecting and keeping a company-wide database of identity data on every single passenger.
> You need to know they were my driver.
Who is arguing for driver data to be anonymous? I think nobody.
Same for GNU Taler, where the merchant data isn't private but the customer data can be.
In fact, same for E-cash from the 90s. Look up blinded tokens, they are quite fascinating from a technical perspective.
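The two mechanisms this comment leans on, a driver's signed attestation of intent and a blinded passenger token in the style of 90s e-cash, both sit on the same primitive, so here is one added example (not code from the thread or from Taler) showing both with textbook RSA-FDH: the driver signs "intent|A|B|C", which an ombudsman can verify against GPS without knowing who the passenger is; the passenger gets a ride token blind-signed by the issuer, who later accepts it exactly once without being able to link it to the issuance. Key sizes, the attestation field layout and the token format are demo assumptions, and the key generation is a toy (no padding, 512-bit keys), not something to deploy.

```python
"""Added example, not from the original thread: RSA-FDH signatures for a
driver's attestation of intent, plus Chaum-style RSA blind signatures for an
anonymous passenger token. Toy parameters (512-bit keys, bare FDH); the
message layouts below are assumptions for the demo."""
import hashlib
import math
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; good enough for generating demo keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Returns (public (e, n), private (d, n))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)


def fdh(message: bytes, n: int) -> int:
    """Full-domain hash: stretch SHA-256 to an integer below n."""
    out, counter = b"", 0
    while len(out) * 8 < n.bit_length() + 64:
        out += hashlib.sha256(counter.to_bytes(4, "big") + message).digest()
        counter += 1
    return int.from_bytes(out, "big") % n


def sign(message: bytes, sk):
    d, n = sk
    return pow(fdh(message, n), d, n)


def verify(message: bytes, sig: int, pk) -> bool:
    e, n = pk
    return pow(sig, e, n) == fdh(message, n)


def attestation(origin: str, dest: str, when: str) -> bytes:
    """Driver's signed statement of intent (field layout is an assumption)."""
    return f"intent|{origin}|{dest}|{when}".encode()


def blind(message: bytes, pk):
    """Passenger side: hide H(m) behind a random factor r^e."""
    e, n = pk
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (fdh(message, n) * pow(r, e, n)) % n, r


def unblind(blinded_sig: int, r: int, pk) -> int:
    _, n = pk
    return (blinded_sig * pow(r, -1, n)) % n


class TokenIssuer:
    """Signs whatever blinded value it is handed, never seeing the token;
    at redemption it verifies the unblinded signature and rejects reuse."""

    def __init__(self, bits=512):
        self.pk, self._sk = rsa_keygen(bits)
        self._spent = set()

    def issue(self, blinded: int) -> int:
        return pow(blinded, self._sk[0], self._sk[1])

    def redeem(self, token: bytes, sig: int) -> bool:
        if token in self._spent or not verify(token, sig, self.pk):
            return False
        self._spent.add(token)
        return True


if __name__ == "__main__":
    issuer = TokenIssuer()
    token = secrets.token_bytes(16)            # random, never shown at issuance
    blinded, r = blind(token, issuer.pk)
    sig = unblind(issuer.issue(blinded), r, issuer.pk)
    print("redeem once:", issuer.redeem(token, sig), "twice:", issuer.redeem(token, sig))
    driver_pk, driver_sk = rsa_keygen()
    att = attestation("A", "B", "2024-01-01T09:00Z")
    print("attestation verifies:", verify(att, sign(att, driver_sk), driver_pk))
```

The issuer only ever records blinded values, which are independent of both the token and the final signature, so its issuance log cannot be matched against redemptions; the spent set gives double-spend detection without identity. The attestation is checkable by anyone holding the driver's public key, which is the ombudsman scenario in the comment.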
> You're seriously arguing that cryptography has no technical means for a driver to send an unrepudiatable attestation of intent to drive from A to B at time C to an anonymous passenger? And that an ombudsman armed with driver GPS data cannot compare the attestation to the GPS data and instead needs identification data on the passenger in order to verify whether the driver went to the correct drop-off?
There are at least three things you need here:
(1) the agreed trip, and
(2) that the passenger showed up and got in,
(3) that the passenger did not make some demand that ended the driver's obligation to make the agreed trip en route.
What do you do when you pay $20 for something, but get change for $10? Why are "argue with them", "accept the loss and move on", "karate chop" and infinite other things not among the options?
> You need to know that I was in their vehicle, otherwise how can they charge me if I ruin their car. You need to know they were my driver.
How did taxi drivers handle that for the last nearly 100 years? People before us managed sticky situations without destroying human civilization, so can we.
Well, back in the old days if we wanted to complain we'd write it down on a piece of paper, wrap that piece of paper inside another piece of paper, and then put that in an unlocked box out in our yard.
That's similarly how we'd order products, out of magazines. Only in that case on the paper we'd include things like our bank account information that we'd put in the unlocked box in our yard.
I'm not suggesting that things can't or shouldn't be better. I think it's just important to have a realistic perspective on where we are in this continuum of service vs privacy.
I generally agree with you, but I think it should be pointed out that unauthorized access to that unlocked box carries severe punishment. A big part of the problem with things like this is that not only are there no controls preventing access to private info, but there are also few if any consequences.
How much control do you think there was in the businesses that got those wrapped pieces of paper with your banking account information? Sure, there are penalties while it's in the box in your yard, but not really once it was at its destination. I bet it's much more strict today than it was a few decades ago.
> What do you do when you pay $20 for something, but get change for $10? Why are "argue with them", "accept the loss and move on", "karate chop" and infinite other things not among the options?
Well, some of them are illegal for the aggrieved party to employ, and in any case not providing better options than that list, for a party facilitating and profiting from the transaction, who is thus not an uninvolved third party, will greatly increase the risk of legal liability and PR damage.
Because otherwise people, on forums such as this one, will argue (loudly) that the information is clearly available in $ABC's systems and that $ABC refuses to act on it. And I'm not sure those people are wrong.
> if my driver just drops me off at a different place than where I asked...
"Hey, this isn't the right place. Take me where you said you would please."
> ...or doesn't pick me up.
"Hey gran, I'm going to be late for lunch, the darn taxi driver hasn't turned up. I'm calling another firm - guess I'll see you when I get there."
> otherwise how can they charge me if I ruin their car
They will prevent you from departing, and demand cash. If you refuse, they'll either call in law enforcement, or in some places, call in several of their colleagues. In either case, they get their money one way or another.
Look, I'm deliberately being a little flippant here, but none of the problems you outline are in any way unsolved. I'm struggling to think of any situation where any of this data needs to be recorded, never mind viewed later.
Human interaction has dealt with all these obstacles for millennia, and new ways of mediating it don't turn them into new obstacles.
I don't completely disagree, but there are some ways to handle at least parts of what you're talking about. For example, either persistent or ephemeral pseudonyms (yet still uniquely identifiable, at least for a time) and threshold decryption if at least 2 out of the 3 parties agree to some kind of privilege escalation (most likely would be either Lyft and rider or Lyft and driver, but rider-driver is interesting).
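As an added example of the scheme sketched in that comment (not code from the thread or from any ride-hailing platform), here the rider appears in the stored ride record only under an epoch-scoped pseudonym, the record is encrypted under a fresh per-ride key, and that key is split 2-of-3 with Shamir secret sharing between platform, rider and driver, so any pair can open the record and no single party can. The record fields, the party names, the HMAC-based pseudonym and the SHA-256 counter-mode stream cipher with a separate HMAC tag are demo assumptions chosen to keep it to the standard library; a real deployment would use a proper AEAD.

```python
"""Added example, not from the original thread: pseudonymous ride record
with a 2-of-3 threshold key (Shamir). Field names, party names and the
hash-based cipher are demo assumptions; stdlib only."""
import hashlib
import hmac
import json
import secrets

P = 2**127 - 1  # prime field for the shares; a 126-bit key fits below it


def pseudonym(master_secret: bytes, user_id: str, epoch: str) -> str:
    """Stable within an epoch, unlinkable across epochs without the secret."""
    msg = f"{user_id}|{epoch}".encode()
    return hmac.new(master_secret, msg, hashlib.sha256).hexdigest()[:16]


def split_secret(secret: int, threshold: int, n_shares: int):
    """Shamir: evaluate a random degree threshold-1 polynomial at x=1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P
    return [(x, f(x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x=0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _subkeys(key: bytes):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_record(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def escrow_ride(record: dict, master_secret: bytes):
    """Pseudonymise the rider, encrypt, and hand one share to each party."""
    key_int = secrets.randbelow(P)
    rec = dict(record, rider=pseudonym(master_secret, record["rider"], record["epoch"]))
    blob = encrypt_record(key_int.to_bytes(16, "big"), json.dumps(rec, sort_keys=True).encode())
    shares = dict(zip(("platform", "rider", "driver"), split_secret(key_int, 2, 3)))
    return blob, shares


def open_ride(blob: bytes, shares_held: dict) -> dict:
    """Privilege escalation: any two parties' shares rebuild the key."""
    if len(shares_held) < 2:
        raise PermissionError("need shares from two of the three parties")
    key = recover_secret(list(shares_held.values())).to_bytes(16, "big")
    return json.loads(decrypt_record(key, blob))


if __name__ == "__main__":
    ms = secrets.token_bytes(32)
    ride = {"rider": "rider-42", "driver": "driver-7", "epoch": "2024-W05",
            "from": "A", "to": "B"}
    blob, shares = escrow_ride(ride, ms)
    print(open_ride(blob, {k: shares[k] for k in ("platform", "driver")}))
```

The platform alone holds one share plus the ciphertext and can do nothing with it; a support case opened by the rider (platform + rider) or a damage claim by the driver (platform + driver) supplies the second share, and the rider-driver pair can open the record with no platform involvement at all. The pseudonym keeps the record joinable within an epoch for dispute handling while denying a browsing staffer a stable identifier.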
> Is your issue with Lyft's business model, or my comments about encryption?
Both, as it goes :)
I think you're using the word need in a much more narrow context than I am. Without Lyft/Uber/whoever convincing their customers that they're needed, there is no need for the data to be recorded in the first place.
And most of the time, you'd still get to Gran's when you said you would.
I know very few people who would tolerate not being able to get a refund. I know many who would end up giving up fighting for it, but would never use the service again.
And, let's bring it up to something more relevant. The driver steals from or assaults a passenger. Having that data would be key in actually bringing charges against the driver.