Uber Staff Still Stalking Customers, Claims Suit
Dec 17, 2016 11:00 AM PT
The controversy over Uber staff using the company's tech to track people's movements was reignited this week when information in a pending lawsuit began circulating in the tech press.
Uber employees can pull customer data at will, alleged Ward Spangenberg, the company's former forensic investigator, in a court declaration filed earlier this fall as part of his bid to prevent the firm from forcing his case into arbitration.
Uber staffers have been able to track high-profile politicians, celebrities and ex-significant others, Spangenberg said.
His original complaint, filed in the Superior Court of California in San Francisco, centers on his dismissal from the company.
Uber continues to allow broad access to users' trip information, five security professionals formerly employed at the company told Reveal.
That has been going on, they said, in spite of Uber's assertions two years ago that it had policies prohibiting such actions, following news that executives were taking advantage of its "God View" feature to track customers in real time without their permission.
Uber's Side of the Story
"It's absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval," maintained Uber spokesperson Sophie Schmidt.
"We have built entire systems to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs," she told TechNewsWorld. "This could include multiple steps of approval -- by managers and the legal team -- to ensure there is a legitimate business case for providing access."
Access is granted "to specific types of data based on an employee's role," Schmidt asserted. All data access is logged and routinely audited, and all potential violators are "quickly and thoroughly investigated."
Uber employees must acknowledge and agree to the company's data access policy, CIO John Flynn emphasized in a memo sent earlier this week.
Violators have been terminated, he reminded them.
"We want our security and privacy practices and technology to be world-class, and we're moving quickly toward that goal," Flynn said. It's "the responsibility of each and every one of us to protect" customer and driver data.
However, Uber's defense in the Spangenberg case relies mainly on procedural issues.
"It's not logical for any company to proclaim that they are secure because they sent an email telling employees what to do," remarked John Gunn, VP of communications at Vasco Data Security.
"In the real IT world you don't need these types of emails, because you've implemented limitations on access to sensitive data [that] you monitor and enforce," he told TechNewsWorld.
The Need for Privacy
The latest revelation follows news that Uber has tracked customers even after they left its vehicles.
Uber "needs to come clean on whether [the privacy violations] occurred ... and needs to have full disclosure of how it uses customer data," said Michael Jude, a program manager at Stratecast/Frost & Sullivan.
Frost's research "indicates that people take personal security very seriously," he told TechNewsWorld.
On the other hand, "consumers are becoming less concerned about exposing details about their personal information," noted Michael Patterson, CEO of Plixer.
"They don't like the invasion, but they like the services and appear to be willing to compromise," he told TechNewsWorld.
Still, high-profile Uber customers, including celebrities, could be at risk, suggested Csaba Krasznay, product manager at Balabit, pointing to Kim Kardashian's robbery in Paris in October as an example.
"We can protect ourselves by not letting Uber and other apps use our smartphone's GPS data," Krasznay told TechNewsWorld. "It only takes one click."
Or consumers can decline to install the Uber app, use a VPN from their smartphone to a company in-house phone system to call Uber, or use a company credit card under someone else's name, Plixer's Patterson suggested.
"Ultimately, responsibility for this problem rests on the CEO's shoulders," said Frost's Jude, and the CEO "should take personal responsibility for fixing it."