A couple of months after Strava unintentionally exposed the locations of military bases, another app, Ritual, is exposing government agencies' office locations and their workers' restaurant routines. Ritual promises to streamline takeout by letting co-workers piggyback on each other's orders: users get a notification when a colleague is ordering from somewhere, and they can tack their own order onto that one. The app doesn't use location tracking to determine where users work. Instead, users type the name of a business and then either choose an address from those listed or add one manually. (Users also don't have to join a team at first and can keep their orders private.)
I typed in the US Department of Homeland Security, for example, and saw a list of the agency’s locations around the country. I picked one at random and then saw a list of floors where my “colleagues” worked. I could see their names, as well as their profile photos. I could also do this for any other business, like Palantir or Booz Allen Hamilton.
National security agencies' locations might not be entirely private, but the floors on which they operate are often unlisted. When I visited DHS in Washington, DC a couple of years ago, the security guard wouldn't confirm whether the agency had an office in the building and definitely wouldn't disclose the floor.
I signed up using my personal email account and didn't need to verify my employer in any way. Users don't have to broadcast their orders to the whole office (they choose whether or not to each time they order), but broadcasting is the entire point of the app, and they likely aren't assuming that people other than their co-workers could be lurking in the channel. The app has to approve employer changes, but users can pick a different office address for that employer at any time.
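The gap described above is an authorization one: membership in a workplace channel, and therefore visibility of the roster and floor numbers, is granted to anyone who can type the workplace's name, with no check that the account actually belongs to that workplace. The following is an added example, not Ritual's code and not a description of how its backend works: a toy model of the open policy beside a hardened one that requires a verified mailbox at a domain attested for the team and repeats that check on every roster read. The class names, the `verified_domains` attestation and the sample accounts are all hypothetical.

```python
"""Toy model of workplace-channel access control (added example, not Ritual's code).

Every name here is hypothetical: User, Team, the two policy classes and the
sample accounts are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    user_id: str
    email: str
    email_verified: bool = False  # did the service confirm the mailbox?


@dataclass
class Team:
    name: str
    address: str
    # Hypothetical: domains an administrator attested as belonging to this
    # workplace (for example after DNS or IT-admin verification).
    verified_domains: Set[str] = field(default_factory=set)
    members: Dict[str, str] = field(default_factory=dict)  # user_id -> floor


def email_domain(email: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].lower()


class OpenPolicy:
    """Models the behaviour the article describes: typing a workplace name is
    enough to join it, and every member sees the whole roster."""

    def can_join(self, user: User, team: Team) -> bool:
        return True

    def can_view_roster(self, user: User, team: Team) -> bool:
        return user.user_id in team.members


class VerifiedDomainPolicy:
    """Hardened: joining requires a verified mailbox at a domain attested for
    the team, and the same check is repeated on every roster read so that a
    revoked address loses visibility instead of keeping it forever."""

    def can_join(self, user: User, team: Team) -> bool:
        if not user.email_verified:
            return False
        return email_domain(user.email) in team.verified_domains

    def can_view_roster(self, user: User, team: Team) -> bool:
        return user.user_id in team.members and self.can_join(user, team)


def join_team(policy, user: User, team: Team, floor: str) -> bool:
    """Add the user to the team at the given floor if the policy allows it."""
    if not policy.can_join(user, team):
        return False
    team.members[user.user_id] = floor
    return True


def view_roster(policy, user: User, team: Team) -> Optional[Dict[str, str]]:
    """Roster (user_id -> floor) if the policy allows it, else None."""
    if not policy.can_view_roster(user, team):
        return None
    return dict(team.members)


def run(policy):
    """Replay the article's scenario under one policy. Constructed sample data.
    Returns (insider_joined, outsider_joined, roster_seen_by_outsider)."""
    team = Team("Example Agency", "1 Example Plaza", verified_domains={"example.gov"})
    insider = User("u-alice", "alice@example.gov", email_verified=True)
    # A personal address, fully verified, but unrelated to the workplace.
    outsider = User("u-reporter", "reporter@personal-mail.example", email_verified=True)

    insider_joined = join_team(policy, insider, team, floor="4")
    outsider_joined = join_team(policy, outsider, team, floor="4")
    return insider_joined, outsider_joined, view_roster(policy, outsider, team)


if __name__ == "__main__":
    print("open policy:    ", run(OpenPolicy()))
    print("verified domain:", run(VerifiedDomainPolicy()))
```

Domain verification is only a floor, not a fix for the whole problem: it does nothing about a legitimately verified insider copying the roster, and in a building shared by several tenants, or for contractors who keep their own mail domain, the attestation has to be per team rather than a single global allow-list.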
Bad data privacy: On the "social [meal] ordering app" Ritual, you can join any company without email verification and see which office floor users work on at places like @DHSgov, @LockheedMartin, @PalantirTech, and the Pentagon. pic.twitter.com/fZrwPCGJaw
— Caitlin Tran (@caitlinsays_), March 16, 2018
If I were a spy hoping to figure out where people worked, Ritual might give me a clue. If I wanted to poison employees, I would now also know where they tend to order from and when. It's a little conspiratorial, I know, but Russian agents just openly poisoned an ex-spy in Britain. Government agencies and their employees need to watch how, where, and to whom their locations are being broadcast.
Another app, Strava, just dealt with a similar privacy issue. The company lets users share their workouts with others through a public heat map, and government employees exercising on base unintentionally traced the perimeters of military installations around the world. After the exposure, Strava made it easier for users to keep their location data out of the heat map and to make previously public data private.
Ritual issued a comment to The Verge today and said:
“When you join Ritual, you are a completely private user. This is the default sign-up flow.
The feature being referred to is Piggyback, which is an opt-in service where users can create and join a team-based channel arranged around their workplace. For example, if you and I work together, we can join that group and if I decided to share my intent to order lunch, it would invite you to add your order. Users can remove themselves from their team channel at any time via the app.
That said, we understand the concerns that have been flagged and are reviewing the process and protocol internally to determine the best way forward.”
Update 3/16, 1:04 PM ET: Updated with Ritual comment.