Uber sued over unfettered use of “God View” and poor security practices

A former Uber employee is suing the ride-sharing tech firm, claiming that Uber allowed staff to abuse the “God View” feature to spy on high-profile individuals such as Beyoncé as well as private citizens.

Former Uber Forensics Investigator Ward Spangenberg said that, during his employment, he complained to Uber about a lack of security around customer data that allowed any employee to track individuals at will, according to a sealed court document posted by Reveal News.

“Uber's lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg said in the documents.

The former forensics investigator also noted that Uber collected detailed personal information on every ride requested, including information that users may not have known they were divulging. He also criticized the company for storing employee payroll information on an unsecured Google spreadsheet, storing driver data in an unsecured manner, and other data protection issues.

An email from Uber's Chief Information Security Officer John "Four" Flynn, addressed to Uber employees and obtained by SC Media, said that much of the information concerning the company's privacy and security practices is out of date and doesn't accurately reflect the state of the company's practices today.

“It's absolutely untrue that all (or nearly all) employees have access to customer data, with or without prior approval,” Flynn said in the email. “This is more than simply the ‘honor system’: we have built entire systems to implement technical and administrative controls that limit access to customer data to those employees who require it to perform their jobs.”

Furthermore, Flynn said that access to customer information is granular and only given based on the necessity of the specific purpose at hand. He also mentioned that the company has strengthened the tools and processes that restrict internal access to user data.

“What's more, if an employee has access to some customer data, she does not have access to all customer data,” an Uber spokesperson told SC Media via emailed comments. “Access is granted to specific types of data based on an employee's role.”

The spokesperson added that all data access is logged and routinely audited, and that all potential violations are quickly and thoroughly investigated.

Earlier this month, Uber began asking users to always allow access to their location data to “improve pickups, drop-offs, customer service, and to enhance safety.” However, some privacy advocates expressed concern over the potential for the information to be used for ulterior purposes.
