Published On: Fri, Apr 6th, 2018

Ritual, a meal-ordering app, accidentally reveals government staffing information

Spread the love

Ritual is a meal-ordering app that allows users to piggyback off of other orders that are happening in their offices. On March 16th, one Verge writer decided to test the Ritual capabilities against privacy rumors, and discovered that the app unintentionally revealed a wealth of government staffing information that was easily accessible to anyone who used the free ritual app.

The premise for the app is simple enough. When a user’s colleague starts an order, others in the office are notified. This meal-tracking algorithm allows multiple orders to be combined into one. Instead of using location tracking to determine the origin of a user, the app only requires that you type in the name of a business or manually add the address.

Verge writer Ashley Carman searched for the US Department of Homeland Security and saw a list of locations around the country auto-populate. Carman selected a location at random, and the app delivered a listed of floors where each of her “colleagues” worked. Carman was able to view their names, along with their profile photos.

While many national government agency addresses are public information, specific details about their work environment are not. Typically, the floors government employees work on is unlisted for security purposes. According to Carman, during a visit to the Department of Homeland Security, the security guard wouldn’t even disclose whether the agency had an office, much less which floors they worked on. This clearly indicates that the DHS does not want this level of detailed information disclosed.

To view sensitive information, users aren’t required to confirm employment with any specific company. All they need to create an “in-office” order is their email address. When it comes to privacy for national security, this can create major concerns. Spies, hackers, or any individual with harmful intent is able to not only learn about where each government employee works, but where they tend to order from, too. This is why it’s so critical for government employees to be careful of what employee information is being broadcasted.

Privacy is a major concern in a tech-centric economy where hacking exploits are at an all-time high. When it comes to high-profile businesses and government centers, all bases must be covered, from dedicated web hosting to comprehensive daily backups to strong security software and systems. In a statement that the Ritual sent to the Verge, they explained that users couldn’t hop in on any order pooled from an office without being welcomed, but noted why listing floors and highly-specific locations could be an issue.

“…We understand the concerns that have been flagged and are reviewing the process and protocol internally to determine the best way forward,” Ritual said in the statement.

Ritual isn’t the first app to raise privacy concerns. Another app, Strava, accidentally revealed military bases around the world for its in-app fitness tracker. The app utilizes a user’s GPS location to track where and when they’re exercising and reinforce healthy habits. In November, they released a heat map that showed the activity of people around the world, which contained information from a collective one billion activities.

Ritual, a meal-ordering app, accidentally reveals government staffing information

Nathan Ruser, an analyst at the Institute for United Conflict Analysts, pointed out that if you cross-referenced the heatmap with known locations of military bases, you were able to discern regular running routes for military personnel. While military bases are already clear on Google maps, Strava took things a bit further by revealing how people move around those bases. The heat map was able to display common exercising routines for American bases in Syria and Afghanistan, aa possible CIA base in Somalia, Area 51, and the he UK’s Mount Pleasant airbase in the Falkland Islands.

In response to the privacy concerns, Strava announced that only registered users would be able to see popular routes, and routes would not be shown unless they were used often by other users. Lastly, users are also able to opt-out of the heat map option.

While it’s impossible for new tech companies like Strava and Ritual to predict every possible outcome in their modest efforts to advance in their respective industries, their experiences are a stark reminder about the realities of open data. Businesses need to consider their moves and privacy concerns much more carefully, and government businesses should rethink their limitations on mobile usage and on-site technology.

About the Author

- Paul Linus is an eminent online journalist who has been writing news, features and editorials on different websites from across the world for about a decade. He can be contacted at

Composite Start -->