It’s not just intelligence agencies that are prone to abuse by workers wanting to spy on innocent people. As part of a wrongful termination lawsuit, ex-Uber engineer Ward Spangenberg states that Uber didn’t do enough to stop employees from spying on customers following the ‘God View’ probe. Reportedly, staffers used easily accessible trip data to snoop on the activities of everyone from celebrities to politicians and ex-partners. Sources for the Center for Investigative Reporting even claim that Uber relies primarily on "the honor system" to prevent abuse — allegedly, there’s not much to stop a rogue worker from looking at your information.
Spangenberg was officially fired for violating policies by reformatting his work computer and accessing email that covered his performance review, but he disagrees. He claims that it’s common for employees to reformat their PCs, and that he was testing a program that searched company email. These were really just pretexts for firing someone who’s not only relatively older (currently 45 years old), but who blew the whistle on shoddy security practices. On top of the surveillance abuse, Uber reportedly deleted files it was legally required to keep, and encrypted computers in non-US offices to prevent police from getting information.
Not surprisingly, Uber isn’t having any of this. In a statement, it tells us that it’s "absolutely untrue" that most employees have access to trip info, and that there’s an "entire system" with both procedural and technical limits on what workers can access. It also has "hundreds" of team members who protect data through procedural and technical means. Just having access to some data doesn’t mean that an Uber staffer can see all of it, and some employees (such as the anti-fraud and safety teams) need that info to do their jobs. You can read the full statement below.
Former security engineer Michael Sierchio disputes the claim that Uber properly enforced its policies. Also, Spangenberg insists that he was asked to encrypt PCs during a Revenu Quebec tax evasion raid, and a judge noted that Uber appeared to be obstructing justice in that case. In other words, the lawsuit is far from settled — you may not get a better answer until there’s a ruling.
- "Uber continues to increase our security investments and many of these efforts, like our multi-factor authentication checks and bug bounty program, have been widely reported. We have hundreds of security and privacy experts working around the clock to protect our data. This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.
- "It’s absolutely untrue that "all" or "nearly all" employees have access to customer data, with or without approval. And this is based on more than simply the "honor system": we have built entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.
- "What’s more, if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee’s role. All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated.
- "Many employees are in operational roles and have legitimate reasons to access customer data. For example, our anti-fraud experts have access to trip data so they can investigate allegations of scams and compromised accounts. Some employees have access to driver profiles in order to check the validity of insurance documents required by law. If a rider requests a refund, an authorized customer support representative would access to data needed to credit that rider’s account. In the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution."