
Software company Expensify admits to outsourcing work containing sensitive data

One expert says consumers who used the company’s service could be vulnerable to cyberattack

Software company Expensify has boasted that it can cut down on the time companies take to produce expense reports by automating the process with artificial intelligence. However, the company recently admitted that the process is being contracted out to a third-party jobs site.

Online security consultant Neal O’Farrell calls the practice a recipe for disaster because it is very vulnerable to cybersecurity attacks. That means much of the personal information found on receipts submitted to Expensify may be at risk.

"It’s a nightmare,” he tells ConsumerAffairs. “You're outsourcing to individuals you don't know…[they] probably don't get more than a few minutes of security training.”

Outsourcing ‘artificial intelligence’ work

In its advertising material, Expensify says that its service can be accomplished with just a few clicks on a smartphone. Using the company’s SmartScan feature, an employee simply has to use their phone’s camera to snap a photo of their receipt and upload the data; from there, the company says its artificial intelligence software generates an expense report.

The company recently disclosed that it actually outsources that work to anonymous contractors who manually enter the data from strangers’ receipts into the Expensify application. The admission came after one such worker exposed the practice.

Worse yet, the workers are not even contracted directly by Expensify, but through a third-party crowdsourcing job site called Mechanical Turk, and the job (literally) pays pennies.

Transcribing an Expensify receipt pays Mechanical Turk workers between 10 and 12 cents for a set of six receipts, or about 2 cents per receipt, whistle-blower Rochelle LaPlante told The Outline’s Adrianne Jeffries.

Whistleblower forces admission

Since launching in 2009, Expensify has raised $30 million from investors, processed billions of dollars each year, and added Uber, Square, Snapchat, and Instacart to its corporate clientele.

But as its popularity ballooned, some consumers raised concerns that the company’s advertised “automation in the expense reporting process” feature was not really automated.

In 2013, Expensify acknowledged that it had used Mechanical Turk workers in the past to read receipts that the artificial intelligence could not, but the company said the practice was no longer necessary thanks to improved technology.

However, whistle-blower Rochelle LaPlante posted on Twitter last week that she had access to an Expensify customer’s Uber receipt containing their full name and address. In several subsequent blog posts, Expensify CEO David Barrett acknowledged that Mechanical Turk workers are currently involved in the process.

Security risks and red flags

In his admission, Barrett said that Mechanical Turk workers were hired in order to help Expensify build a new privacy feature, and that only .0004% of application users had their receipt processed by a Turk worker.

The new Private SmartScan feature allows companies to find and subcontract their own Mechanical Turk workers to read receipts. Barrett described strict company policies that punish workers who violate Expensify’s terms of service. However, that assurance does not impress O'Farrell.

“Anyone who spends half a night in security knows that policy is not protection.” Human workers are prone to be careless or dishonest, he says. Policies do not take into account whether the workers themselves are vulnerable to hacking, among other problems.

He urges consumers to refrain from using receipt-scanning applications. But with five million users and 300,000 companies as its clients, rapid growth in recent years, and numerous competitors entering the fray, Expensify is not going to make avoiding its services easy.

If a company boss outsources expense work to Expensify, which in turn is outsourcing the work to strangers and does not understand the security risks inherent in that process, "there's not much an employee can do,” O'Farrell says. “Certainly as an employee I would raise the red flag. I would start asking questions."

Vulnerable to hacking

The Expensify news highlights a larger, more troubling problem in the world of artificial intelligence. Many startup companies, with Expensify as just one example, collect so much personal data on their users that they become, in essence, what O'Farrell says is an intelligence agency, and thus a prime target for hackers.

Encryption, or the scrambling of sensitive data, is currently the most bulletproof way to keep hackers or government agencies from accessing consumers’ sensitive information. Yet most corporations do not take the time or hire the right experts to encrypt all that sensitive data, O’Farrell says.  

Equifax, the target of a hack so huge that half the country’s personal data has been exposed, did not encrypt the sensitive data it collected before the glitch, as the company’s former CEO later admitted.

Even if receipt-scanning applications do find a way in the future to completely eliminate the need for human transcribers, O'Farrell says consumers should remain wary.

"Every time you're collecting and storing vast amounts of data there's a risk. One of the biggest risks comes with rush to market. It’s very competitive out there," he says. 

"Companies really have to get to certain points very quickly, and often privacy, security holes, flaws, and weaknesses are overlooked or ignored. Security is an enemy of convenience. And they want their products to be convenient.”

Expensify CEO David Barrett and a company spokesman did not answer messages from ConsumerAffairs asking if they encrypt their own consumer data. Barrett was also not available for interview as of publication.
