Blackmail. Espionage. Hacking.
These are the potential threats that worry Claire Gartland, of the Electronic Privacy Information Center, about former Uber employees’ description of how the ride-hailing giant handles customer data.
The security professionals told Reveal from The Center for Investigative Reporting that Uber gave thousands of employees access to where and when each customer travels. Gartland called that “extremely alarming.”
Trip information, for instance, could reveal whether someone is having an affair, which she said could become grist for blackmail. (She noted that several years ago, Uber compiled data on trips that appeared to be overnight trysts, which the company called “Rides of Glory.”)
Access to the data also could allow other governments or criminals to spy on politicians, she said.
“The idea that Uber is so cavalierly taking very little responsibility for protecting your information should be concerning to everyone,” she said.
Uber’s reach is vast. It has more than 40 million users and operates in dozens of countries, including Brazil, Russia and Singapore.
And this is not the first time privacy concerns have been raised. The Electronic Privacy Information Center, or EPIC, filed a complaint in June 2015 calling for a federal investigation into Uber’s data collection.
Gartland, director of EPIC’s consumer privacy project, said the Reveal story raises questions about whether Uber is adhering to its January settlement with New York Attorney General Eric Schneiderman that required the company to limit access to location information.
“It seems like they’re just completely ignoring their legal responsibilities,” Gartland said.
Uber says it is in compliance. However, a spokeswoman for the attorney general responded to Reveal’s report by saying, “We are looking into this allegation.”
The company, meanwhile, put out a staff-wide email last week pushing back on the story, stating, “Much of the information is out of date and doesn’t accurately reflect the state of our practices today.”
“Like every fast-growing company, we haven’t always gotten everything perfect,” wrote chief information security officer John “Four” Flynn. “But without the trust of our customers we have no business. That’s why we continue to make major improvements to our security systems and policies to ensure that rider and driver data is protected.”
Uber declined to provide Reveal with more details about how it restricts access to data. The company has instituted reforms in recent years, like a pop-up message warning employees not to abuse their access. But the security sources, including former forensic investigator Ward Spangenberg, say Uber’s policies ultimately don’t prevent employees from getting and misusing the private information.
In 2014, the company came under fire for its internal “God View” tool, which provided an aerial view for tracking customers in real time.
“It’s pretty problematic that after having a huge controversy over ‘God View,’ Uber’s response was not, ‘Let’s put in access controls.’ It was more of just changing our policies, saying, ‘You shouldn’t do this,’ ” said Chris Conley, policy attorney for the ACLU of Northern California, in reaction to Reveal’s story.
“That’s even more concerning,” he said, “considering their recent decision to extend location tracking after people end their ride.”
California lawmakers also said they were taking notice, including Sen. Hannah-Beth Jackson, chairwoman of the state Senate Judiciary Committee, which handles privacy and consumer issues.
“These allegations raise important questions,” said Jackson, D-Santa Barbara, in a statement, “and if they are true, are very disturbing in light of the increasing amount of personal data being collected by ride-sharing apps like Uber.”
Will Evans can be reached at www.revealnews.org. Follow him on Twitter: @WillCIR.
Republish our articles for free, online or in print, under a Creative Commons license.
Republish this article
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.
Republish Our Content
Thanks for your interest in republishing a story from Reveal. As a nonprofit newsroom, we want to share our work with as many people as possible. You are free to embed our audio and video content and republish any written story for free under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license and will indemnify our content as long as you strictly follow these guidelines:
-
Do not change the story. Do not edit our material, except only to reflect changes in time and location. (For example, “yesterday” can be changed to “last week,” and “Portland, Ore.” to “Portland” or “here.”)
-
Please credit us early in the coverage. Our reporter(s) must be bylined. We prefer the following format: By Will Evans, Reveal.
-
If republishing our stories, please also include this language at the end of the story: “This story was produced by Reveal from The Center for Investigative Reporting, a nonprofit news organization. Learn more at revealnews.org and subscribe to the Reveal podcast, produced with PRX, at revealnews.org/podcast.”
-
Include all links from the story, and please link to us at https://www.revealnews.org.
PHOTOS
-
You can republish Reveal photos only if you run them in or alongside the stories with which they originally appeared and do not change them.
-
If you want to run a photo apart from that story, please request specific permission to license by contacting Digital Engagement Producer Sarah Mirk, smirk@revealnews.org. Reveal often uses photos we purchase from Getty and The Associated Press; those are not available for republication.
DATA
-
If you want to republish Reveal graphics or data, please contact Data Editor Soo Oh, soh@revealnews.org.
IN GENERAL
-
We do not compensate anyone who republishes our work. You also cannot sell our material separately or syndicate it.
-
You can’t republish our material wholesale, or automatically; you need to select stories to be republished individually. To inquire about syndication or licensing opportunities, please contact Sarah Mirk, smirk@revealnews.org.
-
If you plan to republish our content, you must notify us republish@revealnews.org or email Sarah Mirk, smirk@revealnews.org.
-
If we send you a request to remove our content from your website, you must agree to do so immediately.
-
Please note, we will not provide indemnification if you are located or publishing outside the United States, but you may contact us to obtain a license and indemnification on a case-by-case basis.
If you have any other questions, please contact us at republish@revealnews.org.