“Security As An Afterthought:” 3 Frightening Privacy Claims From Former Uber Staffers

Even if you’re a fan of Uber’s service, it’s often difficult not to take issue with the company’s short history of disregarding taxi regulations, having questionable screening procedures for drivers, taking a casual approach to customer privacy, and forbidding both its employees and users from bringing lawsuits. Now, several former Uber security staffers are pulling back the veil on what they see as problems at the hugely popular ridesharing service.

The Center for Investigative Reporting’s Reveal News talked to five former Uber staffers — including onetime Uber forensic investigator Ward Spangenberg, who is currently suing the company for wrongful termination — about the apparent underlying issues at Uber, and how the company is and isn’t responding to concerns about the privacy of users’ data.

We recommend you check out the entire story, but here are a few takeaways that we found to be of particular interest:

1. They’re Still Tracking You

Two years ago, everyone learned of the so-called “God View” tool that allowed Uber staffers to track users’ rides in real time. After that resulted in some very bad publicity for Uber, the company announced changes to the privacy policy, prohibiting “all employees at every level from accessing a rider or driver’s data” unless there is a “legitimate business purpose” for this tracking.

Uber gave itself some pretty wide latitude about what constitutes a legitimate business purpose — everything from dispute resolution to troubleshooting bugs — and former staffers tell Reveal that employees did abuse this ability to track users.

“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” claims one former Uber senior security engineer, who worked at the company after that Nov. 2014 policy change. “It didn’t require anyone’s approval.”

Others told Reveal that employees are only required to agree to not abuse the tracking system, but a promise is only good if you keep it.

In a statement to Consumerist, Uber counters that this alleged widespread access to tracking information is being exaggerated.

“It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval,” claims the company. “And this is based on more than simply the ‘honor system’: we have built an entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs. This could include multiple steps of approval — by managers and the legal team — to ensure there is a legitimate business case for providing access.”

2. “Security As An Afterthought”

The former Uber staffers describe a carefree — and potentially careless — approach to privacy and security at the company.

“Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” the senior security engineer tells Reveal. Both he and Spangenberg claim that they were told by execs that “Uber is not a security company.”

Earlier this year, the company reached a settlement with New York Attorney General Eric Schneiderman over a 2014 data breach. As part of that deal, Uber agreed to beef up both its privacy and security technology.

Among the changes, Uber was supposed to limit access to tracking information to “designated employees with a legitimate business purpose” and “adopt protective technologies for the storage, access, and transfer of private information.”

However, the former security staffers contend that there is still widespread access to this information. Spangenberg tells Reveal that Uber employees generally ignored the pop-up warning alerting them that their activity was being monitored. Additionally, while searches for certain “MVP” users were flagged, he claims that searches for almost all Uber users were not.

In an emailed statement, Uber tells Consumerist that its security team enforces “strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.”

Spangenberg says that while some employees were fired for violating the rules, “If you knew what you were doing, you could get away with it forever.”

The company maintains that employees only have access to the data that they are supposed to have access to.

“For example, our anti-fraud experts have access to trip data so they can investigate allegations of scams and compromised accounts,” says Uber, via email. “Some employees have access to driver profiles in order to check the validity of insurance documents required by law. If a rider requests a refund, an authorized customer support representative would have access to data needed to credit that rider’s account. In the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution.”

3. Scorched Earth

Say your company is being sued. You will likely receive a “litigation hold” letter putting you on notice to preserve documents — physical paperwork and electronic files — that could be relevant to the lawsuit (even if you’d rather no one ever saw some of them).

In his declaration, Spangenberg says that while he took “extreme caution” to retain documents that fell under a litigation hold, his bosses at Uber had a different approach.

“Uber routinely deleted files which were subject to litigation holds,” he tells the court, noting that he raised these objections to his bosses.

Additionally, Spangenberg claims that Uber took a scorched earth approach to government raids, leaving nothing for investigators to find and having to start from scratch in the aftermath.

“I would be called when governmental agencies raided Uber’s offices due to concerns regarding noncompliance with governmental regulations,” he explains. “In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information. I would then be tasked with purchasing all new equipment for the office within the day, which I did when Uber’s Montreal office was raided.”

Spangenberg tells Reveal that “My job was to just make sure that any time a laptop was seized, the protocol locked the laptops up.”

In the Montreal case, provincial tax investigators alleged that Uber was evading its tax obligations and raided the local office looking for evidence. Spangenberg says the Montreal office computers were remotely encrypted from the company’s headquarters in San Francisco.

If Uber or any company is found to be deliberately destroying or hiding evidence, there could be consequences. However, in a statement to Reveal the company defended its practices.

“We’ve had robust litigation hold procedures in place from our very first lawsuit to prevent deletion of emails relevant to ongoing litigation,” claims the ridesharing company, which maintains that it will “cooperate with authorities when they come to us with appropriate legal process.”

As Reveal points out, the Quebec judge noted earlier this year that Uber’s actions to encrypt its Montreal office computers appeared to be an attempt to obstruct justice.