Expensify says receipts found on Amazon Turk were from testing a new feature


Twitter users grew concerned over privacy after the discovery

Expensify is a popular app that helps employees quickly submit reports for business-related expenses. Expensify’s standout feature is its SmartScan OCR, or optical character recognition, technology. The feature saves data-entry time by scanning your receipt, verifying that the expense is compliant with your employer’s rules, and then organizing it into an expense report — all automatically. When the technology fails, however, Expensify says it has a team of secure technicians to intervene behind the scenes. But Twitter users grew concerned after the discovery of several Expensify receipts on Amazon’s Mechanical Turk service last week.

Mechanical Turk is a crowdsourcing marketplace where anyone can post tasks that need completing for small sums of money. Twitter user Rochelle found receipts hosted on that were visible on the platform, complete with details about names, dates, addresses, and signatures. One receipt apparently showed Uber pickup and drop-off locations.

In a blog post, the company says those receipts were part of testing its new Private SmartScan feature that allows companies to staff their own team of Mechanical Turk transcribers. Expensify said that it started live testing the system on September 20th, with the initial testing only using Expensify employee receipts. On November 15th, the company began processing 10 percent of non-paying user receipts that require human review on Turk, but access was still limited to its own SmartScan agents. It then opened up access to the receipts to all vetted Turk workers on November 22nd. A day later, after Twitter users voiced their concern, the company stopped the test and returned all the receipts to private SmartScan agents.

“The only users who can access receipts are the Mechanical Turk workers. The only way to access the worker interface (to view receipts) is to be a worker,” Expensify CEO David Barrett said in an interview with The Verge. Turk workers are thoroughly vetted by Amazon, and Barrett says during the 24 hours, hundreds of receipts from three users were open to all of the Turk workers, compared to the routine millions it usually handles.

Expensify says Private SmartScan will allow companies to have better control over who views the receipts processed. The Private SmartScan feature is in the early stages of testing, though, and it won’t be available until sometime next year, and only to customers on the company’s Enterprise Plan. The discovery caused some Expensify users to disable the SmartScan feature in the app, making the expense report service much less useful. “We take our privacy very seriously as a financial company, privacy is an extremely important thing, and so security and privacy are the bedrock of our company,” Barrett said.