ORide: A Privacy-Preserving yet Accountable Ride-Hailing Service

Ride-hailing services (RHSs), such as Uber and Lyft, enable millions of riders and drivers worldwide to set up rides via their smartphones. Their advantage over traditional taxi services is due to the convenience of their services, e.g., ride requests at the touch of a button, fare estimation, automatic payments, and reputation ratings. To offer such services, however, RHSs collect a vast amount of sensitive information that puts at risk the privacy of riders and drivers. As a result, a RHS or any entity with access to this data, can infer sensitive information about riders’ and drivers’ activities. For example, the press has reported cases of data misuse to infer one-night stands, look up trip information of celebrities and politicians, revenge attacks against journalists and to determine if drivers have attended a protest.

We propose ORide (Oblivious Ride), a privacy-friendly RHS designed to support all the key features of current RHSs while significantly reducing the sensitive information it collects. ORide relies on modern cryptographic techniques (e.g., somewhat-homomorphic encryption or SHE) and optimizations to enable a RHS to efficiently match riders and drivers without learning their identities and their location information. Notably, ORide offers robust privacy guarantees while still supporting key RHS features such as easy payment, reputation scores, accountability and retrieval of lost items. In addition, our thorough performance evaluation shows that ORide introduces acceptable computational, network, and operational overheads. For example, ORide adds only several milliseconds to ride-hailing operations.

Ride-hailing service overview

With ORide, drivers and riders create anonymous sessions with the RHS. Drivers periodically report the zones they are located in to the RHS (instead of their exact locations). To establish a ride, a rider sends a request to the RHS with the zone where she is located and a temporal SHE encryption key. Next, the RHS broadcast this information to all the available drivers in the rider’s zone (and adjacent zones, if needed). The drivers encrypt their precise locations using the temporary SHE key created by the rider and send their encrypted locations back to the RHS. Due to the properties of somewhat-homomorphic encryption, the RHS can now perform proximity calculations using the encrypted locations of the rider and the drivers without decrypting them. The RHS sends the result of the calculations to the rider, who can then decrypt the results and select the driver of her preference (e.g., the closest driver).

Next, the rider establishes a secure connection with the selected driver to exchange information to set up the ride, e.g., exact pick-up and drop-off locations, reputation scores, and driver’s car model and plate number. Due to the secure connection, the RHS cannot access the information exchanged between the rider and the driver. Moreover, the rider and the driver agree in advance on the route and total fare of the ride and produce a fare report that will be used for payment purposes. Once the rider is physically close to the driver, ORide does a proximity check to validate the identity of the driver and the integrity of the secure connection. After the ride starts, both the rider and the driver end their anonymous sessions with the RHS. Therefore, the RHS does not receive information about the ride path, not even the drop-off location.

At the end of his working day, a driver can submit to the RHS the fare reports collected during the day to receive her payments. The information in the fare reports enables the RHS to determine the real identity of the riders to charge them directly according to their preferred payment method, e.g., credit card. After charging the riders, the RHS proceeds to subtract its service fees and pay the remaining amount to the driver. Once the payment is completed, the rider and driver can rate the reputation of each other, similarly to current RHSs.

The source code of our ORide project can be found here.

Note: We were fortunate that several journalists reported about ORide. Yet, the addressed problem and the techniques used are pretty complex, and their report is not always 100% accurate. For an in-depth understanding, we encourage the reader to check our USENIX Security paper.

For additional information about ORide, please contact Prof. Jean-Pierre Hubaux.

For more details about our research projects, please visit the page of the Laboratory for Communications and Applications 1 (LCA1).