Expensify is a popular service for making company expenses easy to process. For example, the app allows you to quickly snap a picture of your receipts using your phone, making it easier to submit expense claims.
It also has a feature named SmartScan – this will read your receipt and automatically complete the expense information. But, in the past week, the security of this feature has been questioned. What if anybody could potentially be reading your receipts?
What’s the issue with SmartScan?
According to Expensify’s own website:
If our OCR technology can’t read the receipt, we will make sure it’s flagged for human review by one of our secure technicians.
(The company’s emphasis there, not mine.)
However, last week, it was found that receipts, traceable to Expensify, were online for anybody to view, via Amazon’s Mechanical Turk service.
I wonder if Expensify SmartScan users know MTurk workers enter their receipts. I’m looking at someone’s Uber receipt with their full name, pick up, and drop off addresses.
— Rochelle (@Rochelle) November 23, 2017
Mechanical Turk lets anyone perform manual tasks in exchange for small amounts of money. It was believed that Expensify were using Mechanial Turk to process SmartScan receipts.
Why is this a problem?
When asked about what information could be seen on these receipts, Ryan Schaffer, Expensify’s Director of Strategy and Marketingsaid:
They don’t see anything that can personally identify you. They see a date, merchant, and amount. Receipts, by their very nature, are intended be thrown away and are explicitly non-sensitive. Anyone looking at a receipt isunable to tell if that receipt is from me, you, your neighbor, or someone on the other side of the world.
Except this isn’t always true. Receipts can take many forms and some contain more information than others. Uber receipts can contain ride information, for example, and I’ve certainly submitted electronic receipts containing order numbers and full contact details. To make this publicly accessible (you don’t even need to sign into Mechanical Turk to see them) is a valid security concern.
How to switch off SmartScan
If you’re an Expensify user, you might be worried by now. Immediately, I’d recommend switching off SmartScan, which you can from your website account.
- Sign into Expensify
- Click your avatar in the top right-hand corner
- Click on the Account Settings button
- On the left-hand menu, click on the option named SmartScanning
- You can now switch off SmartScanning with a simple slider
What is Expensify saying about this?
At the weekend, Ryan Schaffer, Expensify’s Director of Strategy and Marketing, responded to these claims on Twitter. The company also released a blog post, indicating that the receipts were part of a new feature test, which is due to be launched next year. This feature will allow larger clients to do the SmartScan analysis themselves, using Mechanical Turk. Schaffer also reaffirmed that, right now, SmartScan receipts are actioned via Expensify’s own in-house staff.
This does still leave a very important question about security, however. There was evidence of thousands of receipts on Mechanical Turk (which disappeared at the weekend), going back to at least September. Where did these receipts come from? If they’re from Expensify customers, did they know they were part of this test and their receipts would be exposed? When we put this to Ryan, he didn’t respond.
Since then, in an interview with The Verge, Expensify’s CEO, David Barrett, has stated that testing on Mechanical Turk started on 20th September and with only receipts from the company’s own employees. On November 15th, it then started processing 10% of non-paying user receipts that required human review through Mechanical Turk. At this stage, however, only its own staff were able to process them. This then changed on November 22nd when the receipts were opened up to anyone on Turk to process – it was the day after that the receipts were noticed and reported by users on Twitter. He also stated that during this latter processing the receipts (numbering in the hundreds) belonged to three of their employees. This was all clarified in another blog post by Expensify.
So, does this answer the questions being asked? Not quite.
David Barrett is also quoted as saying, “The only users who can access receipts are the Mechanical Turk workers”. Their blog post worded this even stronger…
There was no breach of data. No user data was seen by anybody who hasn’t accepted a binding and enforceable confidentiality agreement. No paying customer after 2013 has had their receipt processed by a Mechanical Turk worker.
What this doesn’t explain is why they were visible by anyone, with or without Turk access. Also, the fact that the visible receipts, all recently dated, came from only three employees does seem… unusual.
At this point you’d expect Expensify to be keeping a low profile to allow this to all blow-over. However, today it has been emailing customers to let them know of a new Terms of Service (TOS), which I’ve been reading into further.
First of all, the TOS screen indicates that it was actually changed on November 14th. This is relevant as it’s the day before Expensify uploaded live receipts into Turk. There are a few changes (I compared the new set to an old version I found online) but two stand out…
Under “Intellectual Property” it now states:
you hereby grant to Expensify a worldwide, royalty-free, non-exclusive license to use data generated as a result of your use of the Expensify Service
There is also a new Confidentiality clause which says:
you will not disclose, transfer, use (or seek to induce others to disclose, transfer or use) any Confidential Information
Whether this would prevent Expensify users, like myself, from disclosing this information in future is something that probably a lawyer could best answer. However, it is concerning the this has suddenly been added.
Main pic credit: ben_osteen/Flickr