Few tech companies can rival Uber in its combination of blurred ethical lines and data-fueled power to invade people's privacy. The same rideshare service that's been rocked by scandals, threatened in the past to investigate unfriendly journalists, and tracked the location of users as a party trick has all the location data it needs to follow your daily habits, love affairs, and doctor visits.

You might think that's the Faustian bargain of using a ridesharing app like Uber or Lyft in the first place. But one team of cryptography researchers argues it doesn't have to be this way. They've demonstrated that you can have your surge-priced pickups without giving up your privacy.

Private Car

A team of cryptographers at the Swiss Federal Polytechnic Institute in Lausanne and Lausanne University have developed a prototype for a software system they call ORide, designed to make possible all the features of a ridesharing service while dramatically minimizing the location data it collects. In fact, the "O" stands for "oblivious." The team built ORide such that no one but the rider and driver for any single trip knows their whereabouts---not even the ridesharing company.

While only a proof of concept, ORide hints at an alternate reality where app-enabled car services don't list ubiquitous location-tracking as a prerequisite. The researchers say they even hope it might be adopted by a ridesharing service in an increasingly competitive industry. Privacy can be a powerful selling point.

"This makes it impossible for an attacker, an eavesdropper, or the ridesharing service itself to make use of the location data that goes beyond the function of the service," says Jean-Pierre Hubaux, one of the Lausanne Polytechnic researchers who created ORide, and plans to present it at the Usenix Security conference later this summer. "With modern cryptography it's possible to conceal this information and yet still enable the machinery to work as requested."

ORide, Take It Easy

In a detailed paper that outlines their prototype system, the researchers explain the cryptographic sleight of hand that enables its location-hiding. The key is a mathematical trick they call "somewhat-homomorphic encryption." Homomorphic encryption is a system that allows computations to be performed on data even while it's encrypted---add an encrypted two plus an encrypted two, for instance, and you get an encrypted sum that can be decrypted to reveal a four. (Fully homomorphic encryption makes computations take millions of times longer, but the Lausanne researchers say their "somewhat-homomorphic" scheme allows them to perform a few simple calculations with almost no added processing time.)

ORide's ride-hailing process begins by encrypting the locations of drivers and riders on their phones with that somewhat-homomorphic encryption layer. The service receives those encrypted coordinates and performs a proximity calculation on them to identify the nearest car to any waiting rider, and lets the rider choose to hail it---but without the server hosting the ORide service ever knowing the unencrypted coordinates of either user. Once it makes a match, ORide launches an end-to-end encrypted conversation between the two users' phones so that they can locate each other.
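To make the two ideas above concrete (the "encrypted two plus encrypted two" arithmetic, and a service computing proximity on coordinates it cannot read), here is an added example that is not ORide's code and not the scheme the Lausanne team used. It is a toy "somewhat-homomorphic" cipher over the integers in the style of the DGHV construction: the rider generates an ephemeral key pair, rider and drivers encrypt their grid coordinates under the rider's public key, the service computes each encrypted squared distance using only additions and multiplications on ciphertexts, and only the rider can decrypt the results and pick the nearest car. The function names, the sample coordinates and the parameter sizes are all constructed for this illustration; the parameters are chosen so the arithmetic is easy to follow, not for security.

```python
import random

# Added illustration: a toy DGHV-style "somewhat-homomorphic" scheme over the
# integers. It survives additions and a few multiplications on ciphertexts,
# which is all an oblivious nearest-driver search needs. Not ORide's scheme;
# parameters are for readability, not security.

N = 2**24         # plaintext modulus: every plaintext (and every result) must stay below N
NOISE_BITS = 8    # bits of per-ciphertext noise
P_BITS = 120      # secret key size; must dominate the noise growth of the circuit below
Q_BITS = 400      # size of the large multiples of p that hide it in the public key
PK_SIZE = 16      # number of "encrypted zeros" published as the public key


def _rng(rng):
    """Default to the OS randomness source; a seeded Random is only for experiments."""
    return rng if rng is not None else random.SystemRandom()


def keygen(rng=None):
    """Rider generates an ephemeral key pair: secret odd p, public noisy multiples of p."""
    rng = _rng(rng)
    p = rng.getrandbits(P_BITS) | (1 << (P_BITS - 1)) | 1
    x0 = p * (rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1)))  # noiseless multiple of p
    pk = [x0] + [p * rng.getrandbits(Q_BITS) + N * rng.getrandbits(NOISE_BITS)
                 for _ in range(PK_SIZE)]
    return p, pk


def encrypt(pk, m, rng=None):
    """c = m + N*r + (random subset sum of encrypted zeros), reduced mod x0."""
    rng = _rng(rng)
    if not 0 <= m < N:
        raise ValueError("plaintext out of range")
    c = m + N * rng.getrandbits(NOISE_BITS)
    for x in pk[1:]:
        if rng.getrandbits(1):
            c += x
    return c % pk[0]


def decrypt(p, c):
    """Centred reduction mod p strips the multiples of p; mod N strips the noise."""
    t = c - p * ((2 * c + p) // (2 * p))   # c - p*round(c/p), lies in [-p/2, p/2)
    return t % N


# Homomorphic operations: the service applies these without ever holding p.
def h_add(pk, a, b): return (a + b) % pk[0]
def h_sub(pk, a, b): return (a - b) % pk[0]
def h_mul(pk, a, b): return (a * b) % pk[0]


def service_squared_distance(pk, rider_ct, driver_ct):
    """Run by the ridesharing service on ciphertexts only: (xr-xd)^2 + (yr-yd)^2."""
    dx = h_sub(pk, rider_ct[0], driver_ct[0])
    dy = h_sub(pk, rider_ct[1], driver_ct[1])
    return h_add(pk, h_mul(pk, dx, dx), h_mul(pk, dy, dy))


def oblivious_nearest_driver(rider_xy, drivers_xy, rng=None):
    """Whole exchange: rider keygen -> everyone encrypts -> service computes -> rider decrypts."""
    sk, pk = keygen(rng)
    rider_ct = tuple(encrypt(pk, v, rng) for v in rider_xy)
    driver_cts = [tuple(encrypt(pk, v, rng) for v in d) for d in drivers_xy]
    enc_dists = [service_squared_distance(pk, rider_ct, d) for d in driver_cts]
    dists = [decrypt(sk, c) for c in enc_dists]   # only the rider can do this step
    return dists.index(min(dists)), dists


def add_two_and_two(rng=None):
    """The article's example: E(2) + E(2) decrypts to 4."""
    sk, pk = keygen(rng)
    return decrypt(sk, h_add(pk, encrypt(pk, 2, rng), encrypt(pk, 2, rng)))


if __name__ == "__main__":
    print(add_two_and_two())
    # Constructed sample coordinates on a 1000 x 1000 grid (e.g. metres).
    idx, dists = oblivious_nearest_driver((500, 500), [(510, 495), (100, 900), (700, 300)])
    print("squared distances:", dists, "nearest driver index:", idx)
```

The service never learns a coordinate: it only sees large integers that look like noisy multiples of a number it does not know, yet the distances it returns decrypt correctly for the rider. The "somewhat" in the name is visible in the parameters: each multiplication roughly doubles the noise in bits, so P_BITS has to be chosen for the exact circuit (two subtractions, two squarings, one addition); a deeper computation would fail to decrypt without a larger key or a bootstrapping step.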

When a driver picks up a rider, their phones establish a short-range connection using a radio protocol like Bluetooth, which they use to verify that the right driver is at the location and that no one has intercepted their encrypted conversation. The rider and driver then map out the best route to the rider's destination, and each confirms the route on his or her own device. They need to determine the route ahead of time, since ORide's privacy guarantees mean the ridesharing service itself won't ever see the path and can't monitor it in real time.