Companies including Uber that depend on workers classified as independent contractors are lobbying for laws to protect that system. Meanwhile, a California court ruling sides with workers who sued, saying they should be considered employees of the companies. Credit: Syafiq Adnan/Shutterstock.com

Blackmail. Espionage. Hacking.

These are the potential threats that worry Claire Gartland, of the Electronic Privacy Information Center, about former Uber employees’ description of how the ride-hailing giant handles customer data.

More on Uber

The security professionals told Reveal from The Center for Investigative Reporting that Uber gave thousands of employees access to where and when each customer travels. Gartland called that “extremely alarming.”

Trip information, for instance, could reveal whether someone is having an affair, which she said could become grist for blackmail. (She noted that several years ago, Uber compiled data on trips that appeared to be overnight trysts, which the company called “Rides of Glory.”)

Access to the data also could allow other governments or criminals to spy on politicians, she said.

“The idea that Uber is so cavalierly taking very little responsibility for protecting your information should be concerning to everyone,” she said.

Uber’s reach is vast. It has more than 40 million users and operates in dozens of countries, including Brazil, Russia and Singapore.

And this is not the first time privacy concerns have been raised. The Electronic Privacy Information Center, or EPIC, filed a complaint in June 2015 calling for a federal investigation into Uber’s data collection.

Gartland, director of EPIC’s consumer privacy project, said the Reveal story raises questions about whether Uber is adhering to its January settlement with New York Attorney General Eric Schneiderman that required the company to limit access to location information.

“It seems like they’re just completely ignoring their legal responsibilities,” Gartland said.

Uber says it is in compliance. However, a spokeswoman for the attorney general responded to Reveal’s report by saying, “We are looking into this allegation.”

The company, meanwhile, put out a staff-wide email last week pushing back on the story, stating, “Much of the information is out of date and doesn’t accurately reflect the state of our practices today.”

“Like every fast-growing company, we haven’t always gotten everything perfect,” wrote chief information security officer John “Four” Flynn. “But without the trust of our customers we have no business. That’s why we continue to make major improvements to our security systems and policies to ensure that rider and driver data is protected.”

Uber declined to provide Reveal with more details about how it restricts access to data. The company has instituted reforms in recent years, like a pop-up message warning employees not to abuse their access. But the security sources, including former forensic investigator Ward Spangenberg, say Uber’s policies ultimately don’t prevent employees from getting and misusing the private information.

In 2014, the company came under fire for its internal “God View” tool, which provided an aerial view for tracking customers in real time.

“It’s pretty problematic that after having a huge controversy over ‘God View,’ Uber’s response was not, ‘Let’s put in access controls.’ It was more of just changing our policies, saying, ‘You shouldn’t do this,’ ” said Chris Conley, policy attorney for the ACLU of Northern California, in reaction to Reveal’s story.

“That’s even more concerning,” he said, “considering their recent decision to extend location tracking after people end their ride.”

California lawmakers also said they were taking notice, including Sen. Hannah-Beth Jackson, chairwoman of the state Senate Judiciary Committee, which handles privacy and consumer issues.

“These allegations raise important questions,” said Jackson, D-Santa Barbara, in a statement, “and if they are true, are very disturbing in light of the increasing amount of personal data being collected by ride-sharing apps like Uber.”


Will Evans can be reached at www.revealnews.org. Follow him on Twitter: @WillCIR.

Will Evans is a senior reporter and producer for Reveal, covering labor and tech. His reporting has prompted government investigations, legislation, reforms and prosecutions. A series on working conditions at Amazon warehouses was a finalist for a Pulitzer Prize and won a Gerald Loeb Award. His work has also won multiple Investigative Reporters and Editors Awards, including for a series on safety problems at Tesla. Other investigations have exposed secret spying at Uber, illegal discrimination in the temp industry and rampant fraud in California's drug rehab system for the poor. Prior to joining The Center for Investigative Reporting in 2005, Evans was a reporter at The Sacramento Bee. He is based in Reveal's Emeryville, California, office.