
posted by janrinok on Tuesday December 13 2016, @11:25PM
from the ...-now-you-see-me-again dept.

An article at Business Insider highlights a court filing by a former Uber employee which claims that Uber's employees have access to customer trip information, and are using it to spy on exes and celebrities.

The story provides a summary of a more complete report into this issue by Reveal News.

The story cites the experience of Ward Spangenberg, Uber's former forensic investigator who was fired from the company last February. Spangenberg is suing Uber, alleging wrongful termination, defamation, and age discrimination.

In a stunning October court declaration, Spangenberg alleges that Uber employees freely accessed trip information about celebrities and politicians and helped one another spy on ex-boyfriends and ex-girlfriends by tracking where and when they traveled. Spangenberg, who worked at Uber for 11 months, said the company's lack of security violated consumer-privacy and data-protection regulations.

Reveal spoke with five former Uber employees who also said employees could easily track customers — they estimated the number of employees with such access was in the thousands.


  • (Score: 4, Insightful) by GungnirSniper (1671) on Wednesday December 14 2016, @12:32AM (#441100)

    Having unrestricted access to customer data is quite common in IT and even in non-medical environments for most customer-facing employees. Only at the biggest companies, who have likely had prior abuses of this info, are there restrictions. Even then it is only logging, so unless there is some harassment as a result it doesn't get noticed.

  • (Score: 0) by Anonymous Coward on Wednesday December 14 2016, @01:18AM (#441107)

    Most people are decent, but not having adequate protective measures / restrictions makes it easy to be compromised by a criminal. Having patient / personal data connected to the web is just a bad idea. It should require physical human interaction or some such barrier for data to be available over the public net.

    I like the idea of having a secure usb drive that I can take to whichever doctor I'd like instead of having to request that your own data be made available from one place to another.

  • (Score: 2, Touché) by Anonymous Coward on Wednesday December 14 2016, @02:05AM (#441123)

    > Only at the biggest companies, who have likely had prior abuses of this info, are there restrictions

    You mean, companies like uber? [theverge.com]

  • (Score: 5, Interesting) by edIII (791) on Wednesday December 14 2016, @02:48AM (#441140)

    Some small guys have the restrictions working just fine.

    Restrictions are being built into some platforms. There are some 15-25k per month SaaS offerings designed for medium-sized businesses that contain such countermeasures.

    Technically, it's not terribly difficult to track record-level changes with before/after changelogs accompanied by the security credentials used. There's a tutorial in the PostgreSQL wiki that explains how, so it's not like super secret sauce or anything. Likewise, it's not terribly difficult to block an employee from accessing more than 100 accounts in a day with a simple query before processing an API request for that data, or to run a report showing how many records an employee has accessed in a given week. Snoopers stick out like a sore thumb in that graph.

    Any platform that is being "gamified" like Zurmo is already using those countermeasures to provide data for "achievements". If Bob is absolutely fucking crushing it, somebody is going to ask how he can do the work of 50 people eventually. That's not hyperbole either, some agents have been caught in the insurance field simply because a smart DOI officer can tell that *nobody* can do 250 insurance applications in a day correctly.

    When you also track phone calls, emails, and text messages with a ticketing system, it's not difficult to associate each and every access of the customer record with a ticket. No ticket, but still accessed? Why was it accessed when there was no need? Higher-level reports will look at the records in aggregate, and use their own security credentials, so a record accessed without an actual need associated with it is also a very big tip-off. You can create a Venn diagram with record accesses and tickets. Easy to visualize.

    These things are not impossible until you explain it to an executive and the costs. Then at that point, "you've explained a solution seeking a problem". It's literally not a problem for the executives until PROFIT is endangered, and they're fundamentally unable to care about the customer's privacy or needs until a wallet is speaking to them. Ohhh, those executives? Of course their security credentials aren't logged, and their reasons are also perfectly valid to access a record. So it also depends on who is doing the accessing and who is asking for a report...

    Very, very few corporations take business data security seriously, and those are usually heavily regulated by government to create that enthusiasm to do the obvious. However, the technology and methods are already known and available to even small businesses and outfits that utilize larger open source platforms.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
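The countermeasures edIII lists above (a before/after changelog tagged with the credentials in use, a per-employee daily cap on records served, a weekly per-employee access count, and a "record accessed with no ticket behind it" report) fit in a few dozen lines. The block below is an added example written for this page, not code from the comment, from the PostgreSQL wiki tutorial it mentions, or from any product named in the thread. It assumes an in-memory SQLite database in place of PostgreSQL, invented table names, and a one-row `session_ctx` table that stands in for the session setting or `current_user` a PostgreSQL audit trigger would read; the 100-records-per-day figure is the one the comment gives.

```python
# Added example (not from the comment or any vendor): customer records with
# an audit changelog, a daily access cap, a weekly access report and a
# ticket-correlation report, on an in-memory SQLite database.
import sqlite3
from datetime import datetime, timedelta

DAILY_ACCESS_CAP = 100  # the comment's figure: at most 100 accounts per day

SCHEMA = """
CREATE TABLE session_ctx (ctx_key TEXT PRIMARY KEY, ctx_value TEXT);  -- assumed stand-in for a session setting
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
CREATE TABLE customer_history (
    id INTEGER PRIMARY KEY AUTOINCREMENT, customer_id INTEGER, actor TEXT,
    changed_at TEXT, old_phone TEXT, new_phone TEXT);
CREATE TABLE ticket (id INTEGER PRIMARY KEY, customer_id INTEGER, assignee TEXT);
CREATE TABLE access_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT, actor TEXT, customer_id INTEGER,
    accessed_at TEXT, ticket_id INTEGER);
-- Before/after changelog: every phone change leaves a row naming the actor.
CREATE TRIGGER customer_audit AFTER UPDATE OF phone ON customer
BEGIN
    INSERT INTO customer_history (customer_id, actor, changed_at, old_phone, new_phone)
    VALUES (OLD.id, (SELECT ctx_value FROM session_ctx WHERE ctx_key = 'actor'),
            datetime('now'), OLD.phone, NEW.phone);
END;
"""


def open_db():
    """Build the schema and load constructed sample data: three customers and
    one support ticket that legitimately assigns customer 2 to agent_a."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                     [(1, "Alice", "555-0100"), (2, "Bob", "555-0101"),
                      (3, "Carol", "555-0102")])
    conn.execute("INSERT INTO ticket VALUES (1, 2, 'agent_a')")
    return conn


def read_customer(conn, actor, customer_id, ticket_id=None, at=None, cap=DAILY_ACCESS_CAP):
    """Serve one record, refusing once the actor has already touched `cap` other
    distinct customers that day. Every served read is logged with its ticket (if any).
    `at` is an ISO timestamp string so the check is reproducible in tests."""
    at = at or datetime.now().isoformat(timespec="seconds")
    day = at[:10]
    (seen_today,) = conn.execute(
        "SELECT COUNT(DISTINCT customer_id) FROM access_log "
        "WHERE actor = ? AND substr(accessed_at, 1, 10) = ? AND customer_id <> ?",
        (actor, day, customer_id)).fetchone()
    if seen_today >= cap:
        raise PermissionError(f"{actor} already accessed {cap} customers on {day}")
    conn.execute("INSERT INTO access_log (actor, customer_id, accessed_at, ticket_id) "
                 "VALUES (?, ?, ?, ?)", (actor, customer_id, at, ticket_id))
    return conn.execute("SELECT name, phone FROM customer WHERE id = ?",
                        (customer_id,)).fetchone()


def update_phone(conn, actor, customer_id, new_phone):
    """Record the acting credential, then update; the trigger writes the changelog."""
    conn.execute("INSERT OR REPLACE INTO session_ctx VALUES ('actor', ?)", (actor,))
    conn.execute("UPDATE customer SET phone = ? WHERE id = ?", (new_phone, customer_id))


def weekly_access_report(conn, week_start):
    """Distinct customers each actor accessed in the seven days from week_start
    (ISO date string), busiest first; snoopers stand out at the top."""
    start = datetime.fromisoformat(week_start)
    end = start + timedelta(days=7)
    return conn.execute(
        "SELECT actor, COUNT(DISTINCT customer_id) AS n FROM access_log "
        "WHERE accessed_at >= ? AND accessed_at < ? GROUP BY actor ORDER BY n DESC, actor",
        (start.isoformat(), end.isoformat())).fetchall()


def accesses_without_ticket(conn):
    """Reads not backed by a ticket that assigns that customer to that actor:
    the part of the access/ticket Venn diagram outside the overlap."""
    return conn.execute(
        "SELECT a.actor, a.customer_id FROM access_log a "
        "LEFT JOIN ticket t ON t.id = a.ticket_id "
        "    AND t.customer_id = a.customer_id AND t.assignee = a.actor "
        "WHERE t.id IS NULL ORDER BY a.id").fetchall()


if __name__ == "__main__":
    db = open_db()
    read_customer(db, "agent_a", 2, ticket_id=1, at="2016-12-14T09:00:00")  # has a ticket
    read_customer(db, "agent_b", 1, at="2016-12-14T09:05:00")               # no ticket
    update_phone(db, "agent_a", 2, "555-0199")
    print("changelog:", db.execute("SELECT actor, old_phone, new_phone FROM customer_history").fetchall())
    print("weekly:", weekly_access_report(db, "2016-12-12"))
    print("no ticket:", accesses_without_ticket(db))
```

The cap query counts distinct customers other than the one being requested, so re-opening a record already seen that day never trips it; only the next new record does. In a real deployment the changelog and access log live where the application's own credentials cannot delete them, otherwise the executives' exemption the comment describes becomes everyone's exemption.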