Sophos Cloud Optix
At the heart of the recent privacy kerfuffle about the, shall we say, rather exuberantly managed Uber lies one very tempting data stash.
After all, as it has a history of boasting about, the ride-sharing company has online databases full of deep, rich, and quite intimate travel data – all of which is likely making cyber crooks and spies salivate.
As the Washington Post pointed out on Monday, the tastiest data about Uber customers include GPS-precise travel details about government officials in Washington, financiers in London, and entrepreneurs in San Francisco.
In other words, Uber knows where the movers-and-shakers go, when they go, where they go, and who else went to the same place at the same time.
Is this information guarded closely by a company that has the hard-won chops to protect data, along with a battalion of lawyers and a ton of security experts on hand?
Alas, says the Post’s Craig Timberg, it is not. At Uber, it is guarded instead by…
A start-up that was growing with viral exuberance – and with so few privacy protections that it created a 'God View' to display the movements of passengers in real-time and at least once projected such information on a screen for entertainment at a company party.
On top of all that comes word from a Post source who says he interviewed for a job at Uber in 2013 and enjoyed unfettered access to customer data for a day – including for hours after the interview ended – just as if he were an employee.
Here’s what went down, according to the Post:
He happily crawled through the database looking up the records of people he knew – including a family member of a prominent politician – before the seemingly magical power disappeared.
"What an Uber employee would have is everything, complete," said this person, who spoke on the condition of anonymity for fear of retribution from the company.
And just how does that jibe with Uber’s privacy policy?
That policy is a somewhat slim one lacking much detail – one that Uber swears was hanging around somewhere in the company all this time, perhaps in a broom closet, as opposed to, say, being glued together and slapped up online right when the privacy outrage blossomed.
In fact, US Senator Al Franken, chairman of the Senate Subcommittee on Privacy, Technology and the Law, in November made a point of trying to get some flesh to put on that privacy policy skeleton, sending over a letter with 10 pointed questions for Uber CEO Travis Kalanick about how Uber’s handling its sensitive data store.
When the Post first asked Uber about its privacy policy, the company sent a statement saying that security is far too precious to publicly discuss:
As a matter of security, we don't discuss publicly the details of our security.
But after the Post’s article was online for a few hours on Monday, Uber sent this updated statement about how it’s trying to review and improve privacy measures:
Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes. Data security specialists monitor and audit that access on an ongoing basis. Violations of this policy do result in disciplinary action, including the possibility of termination and legal action.
Legal action? Huh. Well, no wonder that job applicant chose to remain anonymous.
Whether or not Uber plans to take such legal action against upper management who’ve tried to impress reporters by showing off private information (and mulling digging up and publishing dirt on reporters it doesn’t like) is another question – one on Senator Franken’s list, in fact.
James A. Lewis, a cyber-security expert with the Center for Strategic and International Studies, told the Post that the highest government officials tend to use government cars, which likely shields their professional movements from the eyes of cyber spies who might use it to threaten national security.
Rather, it’s us ordinary people that are the sitting ducks.
That would include Peter Sims, the writer, entrepreneur, and former VC investor who got a call while he was riding in an Uber car.
The caller had a blast telling Sims where his car was at the moment, keeping a running update of his movements and informing him he was one of a few notables being tracked for the amusement of partygoers at a Chicago Uber launch.
Lighten up – it’s a party! It’s fun! She said, telling him it was a “cool” event and that he should have been honored to have been featured.
Wheeeee! Fun-fun! Oh, look, there goes your privacy, right out the window.
Oh, darn, look, it was lying in the road and got run over by an Uber car.
Don’t bother to call an ambulance.
It’s sounding like that privacy was dead as soon as you got into that first Uber ride.
Image of Uber courtesy of 360b / Shutterstock.com.
The only reason one should use this “service”–ever–is if Jason, Freddy, or Pinhead is chasing you with a pitchfork, chainsaw, or other potentially deadly object: otherwise, take a real cab…
Wow that is the first time I can say that it seems your article was partly written by Jon Oliver. I’m still smiling. Nice ending
Uber concerns me in many ways. I don’t see a reason to keep information about your passenger after that passenger has agreed to the price and left the curb. I can understand wanting to know where the taxis are so they can be routed to the next customer but the only reason to keep passenger information is because they can.
My one questions here is does Peter Sims still take Uber when he wants a ride?
Peter Sims writes that after the incident, he began to scale back us of the service, and now he doesn’t use it at all. He says this:
“Much as I am impressed with the product design and many aspects of the user experience, I’ve given up on being able to trust the company, and am no longer using the service. It’s a bit of a bummer, to be honest, and I hope that the board steps up and cleans up the way the company approaches doing business.
“The irony is that Uber not only can be a great company without resorting to the hyper-competitive tactics that have gotten it into trouble, it risks a massive downfall if consumers lose trust due to less than ethical tactics.”
Frankly, I question whether consumer distrust will trump consumer apathy, particularly given how the company keeps on growing like a weed.
I, for one, deleted the free-ride coupon they had extended a few months ago, and I don’t plan to use the service—at least, not until they become quite a bit more sophisticated in terms of both sexist weirdness and security/privacy.
Add “if” in there somewhere. 🙂