Meal-Ordering App Ritual Exposes Government Employees’ Office Locations

A couple of months after Strava unintentionally exposed military base locations, another app, Ritual, is exposing government agencies’ locations and workers’ restaurant routines. Ritual promises to streamline takeout by letting co-workers piggyback on each other’s orders. Users get a notification when their colleagues are ordering from somewhere, and they can then tack their own order onto that one. The app doesn't use location tracking to determine where users work. Instead, users type the name of a business and then choose an address from those listed or manually add one.
I typed in the US Department of Homeland Security, for example, and saw a list of the agency’s locations around the country. I picked one at random and then saw a list of floors where my “colleagues” worked. I could see their names, as well as their profile photos. I could also do this for any other business, like Palantir or Booz Allen Hamilton.
National security agencies’ locations might not be entirely private, but oftentimes the floors on which they operate are unlisted. When I visited DHS in Washington, DC a couple of years ago, the security guard wouldn’t confirm whether the agency had an office in the building and definitely wouldn’t disclose the floor.
I signed up using my personal email account and didn't need to verify my employer in any way. Users don't have to broadcast their orders to the whole office, but that’s the entire point of the app, and they likely aren't assuming that people other than their co-workers could be lurking. Piggyback, as Ritual calls it, is also turned on by default. The app has to approve employer changes, but users can pick a different outpost address at any time.
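The gap described above, an employer you can claim without proving you belong to it, is a sign-up design choice rather than a bug in any one feature. The following example code (added here; it is not Ritual's code, and the "Example Agency" organization, its agency.example domain and the user addresses are constructed placeholders) puts the open-join model beside one that only grants office-level visibility after the user completes a challenge sent to a mailbox on a domain the organization has registered:

```python
# Added example, not code from Ritual. All organizations, domains and users
# are constructed sample data.
from dataclasses import dataclass, field
import secrets


@dataclass
class Org:
    name: str
    verified_domains: frozenset      # domains the org has proven it controls
    members: set = field(default_factory=set)


def join_open(org: Org, email: str) -> bool:
    """Weak model: any address can attach itself to any organization and
    immediately sees that org's floors and colleagues."""
    org.members.add(email)
    return True


class VerifiedJoin:
    """Hardened model: membership requires (1) an email domain the org has
    registered and (2) a completed single-use email challenge, so a personal
    mailbox cannot claim a government employer."""

    def __init__(self):
        self._pending = {}           # token -> (org, email)

    @staticmethod
    def _domain(email: str) -> str:
        # Everything after the last '@'; "user@agency.example.evil.example"
        # yields the attacker's domain, not agency.example.
        return email.rsplit("@", 1)[-1].lower() if "@" in email else ""

    def request(self, org: Org, email: str):
        """Start a join; returns the challenge token (sent by email, never
        shown in-app) or None if the domain is not registered for this org."""
        if self._domain(email) not in org.verified_domains:
            return None
        token = secrets.token_urlsafe(16)
        self._pending[token] = (org, email)
        return token

    def confirm(self, token: str) -> bool:
        """Complete a join. Unknown or already-used tokens are rejected."""
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        org, email = entry
        org.members.add(email)
        return True


def demo():
    """Run both models against an outsider and a real employee."""
    org = Org("Example Agency", frozenset({"agency.example"}))
    outsider = "outsider@mail.example"
    employee = "analyst@agency.example"

    open_joined = join_open(org, outsider)          # True: outsider is a "colleague"
    org.members.clear()

    vj = VerifiedJoin()
    outsider_blocked = vj.request(org, outsider) is None
    lookalike_blocked = vj.request(org, "x@agency.example.evil.example") is None
    token = vj.request(org, employee)
    confirmed = vj.confirm(token)
    replayed = vj.confirm(token)                    # second use is refused
    return open_joined, outsider_blocked, lookalike_blocked, confirmed, replayed, sorted(org.members)


if __name__ == "__main__":
    print(demo())
```

The domain check alone is not enough (anyone can type an address ending in the right domain), which is why the token is only honoured after it has been retrieved from the mailbox; employer changes in this model would go through the same challenge rather than a free-text address field.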
Bad data privacy: On the "social [meal] ordering app" Ritual, you can join any company without email verification and see which office floor users work on at places like @DHSgov, @LockheedMartin, @PalantirTech, and the Pentagon. pic.twitter.com/fZrwPCGJaw
— Caitlin Tran (@caitlinsays_) March 16, 2018
If I were a spy hoping to figure out where people worked, Ritual might be able to give me a clue. If I wanted to poison employees, well, I also now know where they tend to order from and when. It’s a little conspiratorial, I know, but Russian agents just openly poisoned an ex-spy in Britain. Government agencies and their employees need to watch how, where, and to whom their locations are being broadcast.
Another app, Strava, just dealt with similar privacy issues. The company lets users share their workouts with others through a public heat map. Government employees unintentionally mapped the perimeters of military bases around the world. Since the locations were exposed, Strava made it easier for employees to hide their location data and to make public data private.
We’ve reached out to Ritual and will update when we hear back.