Fresh on the heels of an update allowing Uber to track users' location data for up to five minutes after they've been dropped off, the ride-hail giant now faces allegations that some of its employees willfully abused the privacy of its customers — looking up the trip histories of celebrities like Beyoncé and helping friends stalk ex-girlfriends and ex-spouses. According to The Center for Investigative Reporting, the explosive claim was made, under penalty of perjury, by a former security forensic investigator with the company.
What's more, despite broad assurances by Uber that it had cleaned up its act following the 2014 revelation of an internal feature dubbed "God View," which projected high-profile users' locations in real time on a map for employees to see, five former employees told CIR that the abuses continued unabated.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Samuel Ward Spangenberg, a former Uber security employee, explained in a court document from October.
He put it simply to CIR. “When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications. It didn’t require anyone’s approval.” Spangenberg was employed by Uber for 11 months, starting in March of 2015.
Spangenberg, 45, is suing Uber — alleging age discrimination and whistle-blower retaliation. He claims in the court document that he was fired after repeatedly bringing up concerns about Uber's security practices. "I also reported that Uber's lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights," he writes.
The information in question reportedly included "data regarding every ride a user requested, their user name, the location the ride was requested from, the amount they paid, the device used to request the ride (i.e., iPhone, Droid, etc.), the name and email of the customer, and a myriad of other data that the user may or may not know they were even providing to Uber by requesting a ride."
Interestingly, according to Spangenberg, the lax attitude regarding data security did not apply to government attempts to access data. For example, CNET notes that he claims the company would remotely encrypt its computers during raids of foreign offices by government officials to prevent law enforcement access. “I would be called when governmental agencies raided Uber’s offices due to concerns regarding noncompliance with governmental regulations,” he explains. “In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information. I would then be tasked with purchasing all new equipment for the office within the day, which I did when Uber’s Montreal office was raided.”
Uber, for its part, denies all the claims. "It's absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval," the company said in a statement provided to CNET. "And this is based on more than simply the 'honor system': we have built entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs."
However, because the remainder of the case will be heard in private arbitration, we are unlikely to learn more about this from any of the involved parties. But those who wish to continue to use Uber can take heart that at least their payment information is safe. “The only information, truthfully, that I ever felt was safe inside of Uber is your credit card information,” Spangenberg told CIR. “Because it’s not stored by Uber.”
Enjoy your rides.