In the gig economy, a cybersecurity divide

What if Edward Snowden had been an NSA employee and not a Booz Allen contractor? Would he have kept the documents he had on the government’s spying apparatus to himself? Not likely, but those questions go to the heart of the tension between the gig economy and cybersecurity.

The initial findings of new research presented at the Enigma conference in January indicate that contractor-employees of “gig” services like Uber, Lyft, TaskRabbit, Handy, Fiverr, and Foodora are generally less safe online than full-time employees of other companies. Why? Because the companies they contract with aren’t communicating or enforcing best security practices as intensely.

Kendra Albert, a clinical fellow at Harvard Law School and one of the researchers behind the as-yet unpublished study, says traditional companies commonly install security or device management software on employees’ phones and laptops; gig services, on the other hand, rarely do this for their contractors. Gig worker app platform requirements such as uploads of identity or insurance documentation give the companies reason to trust their contractors, but the companies do little with their platforms to reciprocate that trust, Albert says.

“The mistrust that these platforms put in their workers have security consequences,” Albert says. And while cybersecurity training may not come close to stopping phishing attacks and other employee-targeted cybercrime, some claim that it is effective in reducing the success rate of those attacks.

Wombat Security, which runs an employee-training program based on research from Carnegie Mellon University, claims to have reduced employee susceptibility to phishing by 64 percent and saved its clients money. One of its clients, MSA Safety, reports that its employee cybersecurity training failure rate dropped from 25 percent to less than 8 percent in one year.

The gig economy’s investment in cybersecurity education and protection is hard to quantify, but it isn’t hard to see that it’s important. Scammers have stolen earnings from Uber drivers and used Moonlighting to trick job applicants into revealing sensitive personal data. Handy has tracked its cleaners’ locations for hours before or after gigs. And purported employers have used Amazon.com’s Mechanical Turk platform to phish and violate the privacy of gig workers.

In 2016, according to the Pew Research Center, 8 percent of Americans earned money from a gig platform. And more than half of them said the money they earned from gigs was “essential” to their survival. The National Bureau of Economic Research also concluded that year that “all of the net employment growth” in the United States between 2005 and 2015 was in “alternative work arrangements,” including online platform-driven gig jobs.

As the gig economy continues to spread to industries as complex as corporate legal counsel, controversial ride-sharing juggernaut Uber bears a lot of the blame for the gig economy’s impact on security, says Elizabeth Anne Watkins, a communications Ph.D. candidate at Columbia University who worked on the research with Albert.

Uber’s startup success has largely paved the way for an increasingly robust gig economy, Watkins says, but that success has also seen the security knowledge gap between gig workers and full-time employees grow into a chasm.

“White-collar workers have access to more security training, and have been documented as being more likely to take that advice home to their friends and family,” Watkins says. Knowledge of cybersecurity best practices, she adds, is “not making it across the digital divide.”

“Thinking about the power dynamics of the systems these companies create is important,” Watkins says. “Many of these companies treat all of these workers the same. Somebody at TaskRabbit or Uber who’s been there since the beginning is treated the same as somebody who’s joined last week.”

Uber is now taking steps to lead its “like Uber, but for” followers in better protecting contractors, says Melanie Ensign, head of security and privacy communications for the company.

“We have seen drivers targeted more often than riders because it’s more financially lucrative for the hacker,” Ensign says. In 2016, the personal details of 600,000 Uber drivers were breached alongside those of 57 million Uber customers, potentially resulting in millions of dollars of estimated losses.

Uber now warns drivers about phishing scams during the sign-up process, and stresses cybersecurity during its in-person driver meetups, she says. It also offers its drivers IT support, and reimburses them for losses they’ve sustained in Uber-related hacks or scams.

There are “economic consequences” for the security choices companies make, Albert and Watkins say. Companies whose business models depend on gig workers “have a lot of responsibility and obligation,” and they “need to think about the consequences before it’s too late.”