Blackmail. Espionage. Hacking.
These are the potential threats that worry Claire Gartland, of the Electronic Privacy Information Center, about former Uber employees’ description of how the ride-hailing giant handles customer data.
The security professionals told Reveal from The Center for Investigative Reporting that Uber gave thousands of employees access to where and when each customer travels. Gartland called that “extremely alarming.”
Trip information, for instance, could reveal whether someone is having an affair, which she said could become grist for blackmail. (She noted that several years ago, Uber compiled data on trips that appeared to be overnight trysts, which the company called “Rides of Glory.”)
Access to the data also could allow other governments or criminals to spy on politicians, she said.
“The idea that Uber is so cavalierly taking very little responsibility for protecting your information should be concerning to everyone,” she said.
Uber’s reach is vast. It has more than 40 million users and operates in dozens of countries, including Brazil, Russia and Singapore.
And this is not the first time privacy concerns have been raised. The Electronic Privacy Information Center, or EPIC, filed a complaint in June 2015 calling for a federal investigation into Uber’s data collection.
Gartland, director of EPIC’s consumer privacy project, said the Reveal story raises questions about whether Uber is adhering to its January settlement with New York Attorney General Eric Schneiderman that required the company to limit access to location information.
“It seems like they’re just completely ignoring their legal responsibilities,” Gartland said.
Uber says it is in compliance. However, a spokeswoman for the attorney general responded to Reveal’s report by saying, “We are looking into this allegation.”
The company, meanwhile, put out a staff-wide email last week pushing back on the story, stating, “Much of the information is out of date and doesn’t accurately reflect the state of our practices today.”
“Like every fast-growing company, we haven’t always gotten everything perfect,” wrote chief information security officer John “Four” Flynn. “But without the trust of our customers we have no business. That’s why we continue to make major improvements to our security systems and policies to ensure that rider and driver data is protected.”
Uber declined to provide Reveal with more details about how it restricts access to data. The company has instituted reforms in recent years, like a pop-up message warning employees not to abuse their access. But the security sources, including former forensic investigator Ward Spangenberg, say Uber’s policies ultimately don’t prevent employees from getting and misusing the private information.
In 2014, the company came under fire for its internal “God View” tool, which provided an aerial view for tracking customers in real time.
“It’s pretty problematic that after having a huge controversy over ‘God View,’ Uber’s response was not, ‘Let’s put in access controls.’ It was more of just changing our policies, saying, ‘You shouldn’t do this,’ ” said Chris Conley, policy attorney for the ACLU of Northern California, in reaction to Reveal’s story.
“That’s even more concerning,” he said, “considering their recent decision to extend location tracking after people end their ride.”
California lawmakers also said they were taking notice, including Sen. Hannah-Beth Jackson, chairwoman of the state Senate Judiciary Committee, which handles privacy and consumer issues.
“These allegations raise important questions,” said Jackson, D-Santa Barbara, in a statement, “and if they are true, are very disturbing in light of the increasing amount of personal data being collected by ride-sharing apps like Uber.”