Uber might be one of the best ways to hail a taxi in many cities around the world, but it’s also a controversial service that has been plagued by scandals. The latest one concerns the privacy of users, a feature that Uber has apparently disregarded for a long time. The company said it couldn’t access ride data information for its users, but it turns out that does not accurately represent the truth. Uber employees actually have been able to track people using the app, including high-profile customers.
Uber employees helped ex-boyfriends stalk ex-girlfriends, and were even able to access trip information for celebrities like Beyoncé, Reveal News explains. These revelations come from the company’s former in-house forensic investigator Ward Spangenberg.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,”Spangenberg said in a court declaration signed in October. He is now suing Uber for age discrimination and whistleblower retaliation. He’s a 45-year-old security expert who worked for various tech companies, Uber included.
Two years ago, news broke that Uber could use the “God View” feature to track customers in real-time without their consent, but Uber denied those claims. No less than five former Uber security professionals have told Reveal that Uber still able to track users.
The ability to spy on ride data isn’t the only concern related to Uber that Spangenberg brought up. Apparently, the company is deleting files it’s legally obligated to keep, and it has the capability yo remotely encrypt computers during government raids to prevent data extraction. Spangenberg was a point person when it came to remotely locking down Uber computers.
According to the security expert, even drivers’ personal data including Social Security numbers is easily accessible to all Uber employees. However, your credit card data is apparently safe. “The only information, truthfully, that I ever felt was safe inside of Uber is your credit card information,” he said. “Because it’s not stored by Uber.”
Spangenberg objected to the company’s “reckless and illegal practices” and Uber fired him 11 months after he joined the company in March 2015. Uber says it fired Spangenberg because he violated a code of conduct policy and reformatted his computer. The security expert argued that he simply began rebuilding the laptop after a crash.
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” Michael Sierchio, who was a senior security engineer at Uber, told the site. “It didn’t require anyone’s approval.”
Uber was allegedly more interested in fast growth than enforcing strong security. “Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” Sierchio added. “One of the things I was told is, ‘It’s not a security company.’”
Sierchio was pushed out of the company in June.
Uber, meanwhile, said it fired fewer than 10 employees who abused the feature, adding that it has “hundreds of security and privacy experts working around the clock to protect our data.” According to security experts, Uber’s policy is based on the honor system, which employees can abuse the system anytime they want.
Uber instated some policies to prevent abuse, but they might not necessarily work if employees know how to avoid them. “If you knew what you were doing, you could get away with it forever,” Spangenberg said. “The access is always there, so it was a matter of whether you got caught in the noise.”
The Reveal’s full report is available at this link, and it’s worth a read.