An article at Business Insider highlights a court filing by a former Uber employee which claims that Uber's employees have access to customer trip information, and are using it to spy on exes and celebrities.
The story provides a summary of a more complete report into this issue by Reveal News.
The story cites the experience of Ward Spangenberg, Uber's former forensic investigator who was fired from the company last February. Spangenberg is suing Uber, alleging wrongful termination, defamation, and age discrimination.
In a stunning October court declaration, Spangenberg alleges that Uber employees freely accessed trip information about celebrities and politicians and helped one another spy on ex-boyfriends and ex-girlfriends by tracking where and when they traveled. Spangenberg, who worked at Uber for 11 months, said the company's lack of security violated consumer-privacy and data-protection regulations.
Reveal spoke with five former Uber employees who also said employees could easily track customers — they estimated the number of employees with such access was in the thousands.
Related Stories
Uber, the master of routing around regulations and exploiting legal loopholes, has found a rather big hole undermining a letter recently sent by the California Department of Motor Vehicles demanding that the company obtain a permit to test "self-driving cars" in San Francisco. Uber is arguing that the cars it plans to use in San Francisco are not truly autonomous and thus don't require a permit to operate:
Uber's position is that the semi-autonomous car system it is testing here is really no different from current advanced driver assistance systems available now for owners of Teslas and other cars that help with parking and collision avoidance. In that light, Uber doesn't believe it needs a permit because what it's working on doesn't meet the DMV requirements for a truly autonomous vehicle, which would be one that drives without the active, physical control or monitoring of a human being.
The permitting process "doesn't apply to us" because "you don't need to get belts and suspenders or whatever else if you're wearing a dress," Anthony Levandowski, who runs Uber's autonomous car programs, said in a press call Friday afternoon. "We cannot in good conscience" comply with a regulation that the company doesn't believe applies to it, he said.
The DMV cease-and-desist letter said that under the California Vehicle Code, an autonomous vehicle must have a permit to ensure that "those testing the vehicle have provided an adequate level of financial responsibility, have adequately trained qualified test drivers on the safe operation of the autonomous technology; and will notify the DMV when the vehicles have been involved in a collision." If Uber does not confirm immediately that it will stop its launch and seek a testing permit, DMV will initiate legal action, DMV attorney Brian Soublet wrote in a letter addressed to Levandowski.
The Uber "self-driving cars" will have not one, but two people at the front capable of taking control of the car.
Previously: Uber to Begin Picking Up Passengers With Autonomous Cars Next Month
Former Uber Employee Claims Widespread Privacy Problems
Uber's Self-Driving Cars to be Tested in San Francisco
(Score: 1, Funny) by Anonymous Coward on Wednesday December 14 2016, @12:08AM
Since when do you have expectation of privacy when driving, riding in a taxi, riding in a bus, walking on a sidewalk. Celebrities who want not to be noticed are welcome to stay indoors with their giant piles of money and expensive vibrators.
(Score: 0) by Anonymous Coward on Wednesday December 14 2016, @12:13AM
I was right with you up until "expensive vibrators". If my dollar store vibrator isn't good enough for them then they aren't good enough for me.
(Score: 0) by Anonymous Coward on Wednesday December 14 2016, @12:19AM
So the word "pubic" in the subject didn't immediately tip you to the trolling, and you needed to read until the last word. Iiiinteresting.
(Score: 0) by Anonymous Coward on Wednesday December 14 2016, @12:37AM
When I'm in a big meeting, I always set my vibrator to ringtone mode.
(Score: 2) by edIII on Wednesday December 14 2016, @02:27AM
"For the last time Mrs. Johnson! Stop humming the Flight of the Valkyries!"
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 1, Funny) by Anonymous Coward on Wednesday December 14 2016, @12:10AM
Oh my, this is a rather shocking development. No one even speculated that this type of thing would ever be possible.
(Score: 4, Insightful) by GungnirSniper on Wednesday December 14 2016, @12:32AM
Having unrestricted access to customer data is quite common in IT and even in non-medical environments for most customer-facing employees. Only at the biggest companies, who have likely had prior abuses of this info, are there restrictions. Even then it is only logging, so unless there is some harassment as a result it doesn't get noticed.
Tips for better submissions to help our site grow. [soylentnews.org]
(Score: 0) by Anonymous Coward on Wednesday December 14 2016, @01:18AM
Most people are decent, but not having adequate protective measures / restrictions makes it easy to be compromised by a criminal. Having patient / personal data connected to the web is just a bad idea. It should require physical human interaction or somesuch barrier for data to be available over the public net.
I like the idea of having a secure usb drive that I can take to whichever doctor I'd like instead of having to request that your own data be made available from one place to another.
(Score: 2, Touché) by Anonymous Coward on Wednesday December 14 2016, @02:05AM
> Only at the biggest companies, who have likely had prior abuses of this info, are there restrictions
You mean, companies like uber? [theverge.com]
(Score: 5, Interesting) by edIII on Wednesday December 14 2016, @02:48AM
Some small guys have the restrictions working just fine.
Restrictions are being built in to some platforms. There are some 15-25k per month SAAS offerings designed for medium sized businesses that contain such countermeasures.
Technically, it's not terribly difficult to track record level changes with before/after changelogs accompanied by security credentials used. There's a tutorial in the PostgreSQL wiki that explains how, so it's not like super secret sauce or anything. Likewise, it's not terribly difficult to block an employee from accessing more than 100 accounts in a day with a simple query before processing an API request for that data, or to run a report showing how many records an employee has accessed in a given week. Snoopers show up like a sore thumb in that graph.
Any platform that is being "gamified" like Zurmo is already using those countermeasures to provide data for "achievements". If Bob is absolutely fucking crushing it, somebody is going to ask how he can do the work of 50 people eventually. That's not hyperbole either, some agents have been caught in the insurance field simply because a smart DOI officer can tell that *nobody* can do 250 insurance applications in a day correctly.
When you also track phone calls, emails, and txt messages with a ticketing system, it's not difficult to associate each and every access of the customer record with a ticket. No ticket, but still accessed? Why was it accessed when there was no need? Higher level reports will look at the records in aggregate, and use their own security credentials, so a record accessed without an actual need associated with it is also a very big tip-off. You can create a venn diagram with record accesses and tickets. Easy to visualize.
These things are not impossible until you explain it to an executive and the costs. Then at that point, "you've explained a solution seeking a problem". It's literally not a problem for the executives until PROFIT is endangered, and they're fundamentally unable to care about the customer's privacy or needs until a wallet is speaking to them. Ohhh, those executives? Of course their security credentials aren't logged, and their reasons are also perfectly valid to access a record. So it also depends on who is doing the accessing and who is asking for a report......
Very, very few corporations take business data security seriously, and those are usually heavily regulated by government to create that enthusiasm to do the obvious. However, the technology and methods are already known and available to even small businesses and outfits that utilize larger open source platforms.
Technically, lunchtime is at any moment. It's just a wave function.
(Score: 0) by Anonymous Coward on Wednesday December 14 2016, @10:00AM
Unless I can use Uber anonymously (pay cash, etc.) and without having to use their proprietary software, then it is worthless.
(Score: 2) by Nuke on Wednesday December 14 2016, @10:18AM
No comment.