Food delivery service Glovo: tracking riders’ private location and other infringements

A recent investigation by Tracking Exposed shows that Glovo’s subsidiary in Italy, Foodinho, registers couriers’ off-shift location and shares it with unauthorized parties. The delivery app provider has also been found to have created a “hidden” credit score for their riders.

In recent years, regulators and labor unions have put Glovo and other delivery apps under scrutiny. The app providers are suspected of not employing their freelance couriers and thereby depriving them of their rights. The introduction of the Rider Law in Spain two years ago sped up efforts to regulate couriers' employment status, and the European Union is heading in the same direction with its proposal for the Platform Workers Directive.

However, Glovo is still accumulating fines worth millions of euros for labor law infringements. How much the company has actually paid is unclear, as the fines are suspended pending appeal. Glovo is also facing charges in Spain for leaving thousands of couriers on self-employment contracts.

It’s not only about the employment status

The most recent research by Claudio Agosti and Gaetano Priori at Tracking Exposed (now operating as part of the Reverse Engineering Task Force), which they shared with AlgorithmWatch, shows how riders also suffer privacy violations and misuse of their personal data by the Glovo Courier application. In addition, the company might have created its own scoring system to evaluate the couriers' performance and may base key decisions on those scores.

After four years of in-depth research into the dynamics of the service and a technical analysis that involved reverse engineering the Foodinho Courier app, the researchers found what they call a “hidden rating score” that does not match any of Glovo’s public scores, such as the “Excellence score” that any rider can look up in their app and that somehow defines the ratings they receive from customers.

Segment of the analysed application code that refers to the "hidden rating score". Image contained in Tracking Exposed's report.

“We can argue that this value is neither the so-called ‘Excellence Score’ nor the ‘Glovo score’. We therefore speak of a hidden rating because it is clearly present in the infrastructure but does not appear on the interface or documentation,” they state in their main report.

However, this second (and out of sight) score was active and rated the couriers’ performance. But how? When AlgorithmWatch asked the company about the score, it declined to comment.

In fact, in countries like Spain, the Excellence score has supposedly been removed along with other app features in order to comply with the requirements of the Rider Law. For example, couriers are now allowed to decide, free of penalty, whether they want to accept orders, whereas before, their scores could be negatively affected if they decided not to take them.

Privacy invasion outside working hours

The researchers also expect Glovo to be scrutinized for malpractice in handling couriers’ personal data. They allege that the platform records its riders’ off-hours location and shares it with Google and unauthorized third-party trackers, along with personal and identifiable information.

Although Google is supposed to receive some information related to the app’s usage ― its tracking tool Firebase is integrated in most of Glovo’s mobile apps ― the researchers are concerned about the fact that the metrics are not only linked to the name and email of the rider but also other personal data.

Other recipients of this data are, according to their analysis, two companies that are not mentioned in Glovo’s privacy policy: Braze and mParticle. These are just two more fish in the digital app ecosystem’s vast ocean of companies sucking up and digesting personal data for profit. “They receive personal data (phone number, ID, generalities, email, and geolocation) even though, in our test, the user was not working a shift,” the authors say.

Including such trackers in mobile applications is more than common, while the companies doing so rarely communicate their practice. A similar investigation into budget-tracking apps, conducted in Europe and Mexico, also revealed the presence of these predatory trackers without any notice to the users: The financial applications were passing on information to banks and credit services. Failure to properly communicate data transfers is enough to trigger a sanction by data protection authorities.

Drowning in fines

Glovo’s Italian partner Foodinho is already under scrutiny from Garante, the Italian Data Protection Authority, for not handling couriers’ personal data appropriately. It received a fine of 2.6 million euros in 2021 but has yet to pay it, as the fine is pending appeal. Even so, Agosti and Priori have shared their findings with Garante and expect the agency to impose a corresponding sanction.

“We consider this decision a landmark ruling, as to our knowledge it is the first time that a data protection authority has fined a company for violating Art. 22 GDPR in an employment context,” the authors conclude.

Garante is expected to issue its own analysis of Glovo’s app later this year, possibly based on Tracking Exposed’s new findings.

Naiara Bellio (she/her)

Reporter

Naiara Bellio covers the topics privacy, automated decision-making systems, and digital rights. Before she joined AlgorithmWatch, she coordinated the technology section of the Maldita.es foundation, addressing disinformation related to people's digital lives and leading international research on surveillance and data protection. She also worked for Agencia EFE in Madrid and Argentina and for elDiario.es. She collaborated with organizations such as Fair Trials and AlgoRace in researching the use of algorithmic systems by administrations.
