Newly introduced Yandex Taxi app faces allegations of spying on users in the Baltics
On July 26, Yandex Taxi officially launched operations in Lithuania, offering affordable ridesharing services to its users. Days after the launch, users reacted to the new app and voiced suspicions of unlawful data gathering on social media. Lithuanian authorities reacted quickly and issued a public warning against using the service, citing the exceptionally long list of permissions that the app requires users to confirm before installation.
The Lithuanian National Cyber Security Centre has started an extended analysis of the application, the results of which are yet to be released.
@DFRLab looked at the open source data surrounding the app allegations.
Reaction in Lithuania
Yandex Taxi’s launch on Sunday was met by unprecedented reactions across Lithuanian society. On the same day, Lithuanian Facebook users and columnists expressed concerns at the extraordinary phone access required by the app.
Soon after, Lithuania’s Prime Minister, Minister of Economy, and Members of Parliament publicly urged citizens not to use the app and called on Lithuania’s State Security Department to investigate. Lithuania’s Ministry of Foreign Affairs, in cooperation with Lithuania’s National Center for Cyber Security, released an informative video explaining the potential risks posed by the app.
At this early stage, a measure of whether the public awareness efforts and recommendations from the National Center for Cyber Security deterred potential app downloads. According to the official Yandex Taxi statistics, 10,000 new users joined the app in Lithuania during the first few days. In Estonia, the app started operating in May and had 50,000 users by August. In Latvia, the app had been operational since March and had accumulated 50,000 users by August.
The complete list of the permissions needed to install the Yandex Taxi app on the Android platform was available on the Google Play page. @DFRLab investigated the permission list and compared it with the two other main ridesharing apps in Lithuania: Taxify and Uber.
Both apps shared many of the same permissions. However, Yandex Taxi — unlike Taxify — required permission to “add or remove accounts”, “record audio”, “create accounts and set passwords”, “connect and disconnect from Wi-Fi”, “read sync settings”, “use the accounts on the device”, “toggle sync on or off”, “full network access”, and “change your audio settings”.
The suspicions were not far-fetched, as many of these permissions have previously been flagged as open to abuse on various technology-related websites.
In the case of Uber, the list of permissions unique to Yandex Taxi was shorter.
Both apps shared most of the same permissions. Yandex Taxi went further than Uber by requesting to “add or remove accounts”, “create accounts and set passwords”, “read sync settings”, “use the accounts on the device”, and “toggle sync on or off”.
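The same comparison can be made from the permissions an app declares in its manifest rather than from the store listing. The following is an added example, not part of the original analysis: the two manifests are constructed for hypothetical apps, and the mapping from the store labels quoted above to `android.permission.*` names is an assumption based on Android's standard permission labels.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Store labels quoted in the article -> manifest permission names (assumed mapping).
PLAY_LABELS = {
    "android.permission.MANAGE_ACCOUNTS": "add or remove accounts",
    "android.permission.AUTHENTICATE_ACCOUNTS": "create accounts and set passwords",
    "android.permission.USE_CREDENTIALS": "use the accounts on the device",
    "android.permission.READ_SYNC_SETTINGS": "read sync settings",
    "android.permission.WRITE_SYNC_SETTINGS": "toggle sync on or off",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.MODIFY_AUDIO_SETTINGS": "change your audio settings",
    "android.permission.CHANGE_WIFI_STATE": "connect and disconnect from Wi-Fi",
    "android.permission.INTERNET": "full network access",
}

# Constructed manifests for two hypothetical apps, not taken from any real APK.
MANIFEST_A = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app_a">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.MANAGE_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_SYNC_SETTINGS"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
MANIFEST_B = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app_b">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    # uses-permission-sdk-23 entries apply on Android 6.0+ and are easy to miss.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def only_in_first(first_xml, second_xml):
    """Permissions the first app declares and the second does not, with store labels."""
    extra = declared_permissions(first_xml) - declared_permissions(second_xml)
    return [(p, PLAY_LABELS.get(p, "(label not in table)")) for p in sorted(extra)]

if __name__ == "__main__":
    for perm, label in only_in_first(MANIFEST_A, MANIFEST_B):
        print(f"{perm}: {label}")
```

Running the comparison in both directions matters, since each app may declare permissions the other lacks.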
A number of these permissions were quoted by Lithuanian officials, who stated that permission “to take pictures and videos”, “to record audio”, “to read the contents of your USB storage”, “to create accounts and set passwords”, and others were excessive and suspicious. Yandex’s global strategy director, Aram Sargsyan, denied the allegations and responded that the company “processes and stores data of European Union users strictly according to EU regulations.”
The side-by-side comparisons revealed that Taxify is providing ridesharing services without some of the debated permissions. Yandex Taxi’s ties to the Kremlin were also publicly debated and raised even more eyebrows in Lithuania. Yandex was accused by Russian opponents of President Vladimir Putin, such as Alexey Navalny, of being loyal to the Kremlin. Navalny also recently complained that Yandex News hid reports on his recent nationwide anti-corruption protests from its newsfeed. In response, Yandex said its results are automatically generated by algorithms and denied that any manipulation was possible.
Last year, Uber said it was merging with Yandex in Russia and five other ex-Soviet republics, as it cedes control of the Russian market. The companies agreed to form a new joint venture by combining their ride-hailing services in Russia, Azerbaijan, Armenia, Belarus, Georgia, and Kazakhstan. Yandex will own about 59 percent and Uber roughly 37 percent of the combined company, and Yandex.Taxi Chief Executive Tigran Khudaverdyan will become the CEO of the combined business.
The introduction of the Yandex Taxi service in Lithuania received an unprecedented reaction from the public and Lithuanian officials. More information should be available soon, as the Lithuanian National Center for Cyber Security has started conducting an in-depth analysis of the app.
Comparison of permissions required by market competitors showed that both Yandex and Uber required a longer list of permissions than Taxify, which provides effectively the same service. Furthermore, Uber and Yandex Taxi announced the merging of efforts in Russia and five other post-Soviet states, in which Yandex would have a larger share of the combined business. The merger will decrease the possibility for users to choose alternative ridesharing services.
Lukas Andriukaitis is a Digital Forensic Research Associate at the Atlantic Council’s Digital Forensic Research Lab (@DFRLab).