Former Uber security professionals told Reveal from The Center for Investigative Reporting that the ride-hailing company continued to allow broad access to users’ information after it assured the public it had strict policies prohibiting access. (Animation by Morgan Schweitzer)
This story was produced by Reveal from The Center for Investigative Reporting, a nonprofit news organization based in the San Francisco Bay Area. Learn more atrevealnews.org and subscribe to the Reveal podcast, produced with PRX, atrevealnews.org/podcast.
For anyone who’s snagged a ride with Uber, Ward Spangenberg has a warning: Your personal information is not safe.
Internal Uber employees helped ex-boyfriends stalk their ex-girlfriends and searched for the trip information of celebrities such as Beyoncé, the company’s former forensic investigator said.
“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote in a court declaration, signed in October under penalty of perjury.
After news broke two years ago that executives were using the company’s “God View” feature to track customers in real time without their permission, Uber insisted it had strict policies that prohibited employees from accessing users’ trip information with limited exceptions.
But five former Uber security professionals told Reveal from The Center for Investigative Reporting that the company continued to allow broad access even after those assurances.
Thousands of employees throughout the company, they said, could get details of where and when each customer travels. Those revelations could be especially relevant now that Uber has begun collecting location information even after a trip ends.
Spangenberg is suing the San Francisco-based ride-hailing behemoth for age discrimination (he’s 45) and whistleblower retaliation. He has worked information security jobs for a variety of tech companies. Uber tasked him with helping develop security procedures and responding to problems from around the world.
In addition to the security vulnerabilities, Spangenberg said Uber deleted files it was legally obligated to keep. And during government raids of foreign Uber offices, he said the company remotely encrypted its computers to prevent authorities from gathering information.
After beginning in March 2015, Spangenberg said he frequently objected to what he believed were reckless and illegal practices, and Uber fired him 11 months later.
“I also reported that Uber's lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights,” he stated in the declaration, referring to requirements that companies notify consumers of any breach of personal information.
Michael Sierchio, a tech industry veteran who was a senior security engineer at Uber from early 2015 until June of this year, agreed that Uber had particularly weak protections for private information.
“When I was at the company, you could stalk an ex or look up anyone’s ride with the flimsiest of justifications,” he said. “It didn’t require anyone’s approval."
In a statement, Uber said it maintains strict policies to protect customer data and comply with legal proceedings. It acknowledged that it had fired employees for improper access, putting the number at “fewer than 10.”
“We have hundreds of security and privacy experts working around the clock to protect our data,” Uber said in a statement.
“This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated,” the company said.
Uber would not give more details on its technical controls. In practice, the security sources said, Uber’s policy basically relies on the honor system. Employees must agree not to abuse their access. But the company doesn’t actually prevent employees from getting and misusing the private information in the first place, the security sources said.
Uber has a history of data problems
As Uber has rapidly grown to more than 40 million users worldwide, the gig-economy giant has also been dogged by leaks, hacks and privacy scandals.
In 2014, BuzzFeed reported that an Uber official had tracked its reporter’s movements without her permission, around the same time another executive suggested digging up dirt on critical journalists. The controversy -- and an entrepreneur’s claim that he was tracked as well -- drew attention to the company’s internal God View tool, which provided a real-time aerial view of Uber cars in a city and details of who was inside of them.
It later came out that a data breach that year exposed the personal information of more than 100,000 drivers.
After the embarrassments of 2014, Uber hired chief security officer Joe Sullivan, a prominent tech figure who previously held that post at Facebook and used to be a federal prosecutor. His team drew heavily from Facebook, including chief information security officer John “Four” Flynn.
The Federal Trade Commission, the consumer protection agency, is investigating Uber’s information security practices and recently deposed Sullivan, according to security sources.
Spangenberg and Sierchio -- as well as three other former Uber security professionals granted anonymity to confirm their accounts -- describe a startup culture that pushed back against security protections in favor of unbridled growth.
“Early on, ‘growth at all costs’ was the mantra, so you can imagine that security was an afterthought,” said Sierchio, whose tech career includes designing video games for Atari in the early 1980s.
Even after Uber assembled a security team, the pushback continued when employees raised concerns, he said.
“One of the things I was told is, ‘It’s not a security company,’ ” Sierchio said. Spangenberg said he was told the same thing.
As disclosures about God View sizzled on the internet in 2014, the company posted a statement saying that, “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes."
Lawmakers, including Sen. Al Franken, D-Minnesota, demanded details about those “legitimate business purposes.” Franken later wrote he was “concerned about the surprising lack of detail in their response.”
Sierchio, who said he was pushed out in June, said the company’s policy limiting access was “never enforced.”
After an investigation by New York Attorney General Eric Schneiderman, Uber settled in January and promised to “limit access” to real-time trip data “to designated employees with a legitimate business purpose.”
Even after the attorney general settlement, Spangenberg and Sierchio said thousands of employees could still search Uber’s database to get real-time ride information. The company said it complies with the settlement.
Uber did adopt some reforms. There was a pop-up message warning employees that their activity was being monitored, but few took it seriously, Spangenberg said. Another change flagged searches for customers considered “MVPs.” But that didn’t protect anyone not labeled an MVP, Spangenberg said.
It also changed the name of God View to Heaven View, Spangenberg said.
An internal audit team searched for abnormalities in all the database activity to nab employees tracking customer data illicitly, said Spangenberg, who assisted the investigations. Those they caught were referred to HR to be fired, he said
“If you knew what you were doing, you could get away with it forever,” Spangenberg said. “The access is always there, so it was a matter of whether you got caught in the noise.”
Many employees, Uber said, need access for reasons such as providing customer refunds and investigating traffic accidents. The company added that it blocks some teams of employees from getting the data without approval, though it did not specify which teams or how the approval process works.
Drivers’ personal details, including Social Security numbers, were also available to all Uber employees, Spangenberg said in his declaration.
Spangenberg said he argued for shutting off access to sensitive data for those who didn’t need it.
“I would say, ‘We can’t keep this information, you can’t allow this information to be stored like this, you can’t leave it all connected like this,’ ” he said.
Uber, in its statement, said, “We have made significant investment in tightening our access controls during the past several years. Allegations that simply acknowledging our policy in a pop-up window would provide access to customer data for unauthorized employees are not correct in our current environment.”
According to his lawsuit, Uber told Spangenberg he was fired for violating a code of conduct and reformatting his computer, which erases everything on it. He said he deleted and began rebuilding his laptop because it had crashed, and that it was common practice.
He also got in trouble for accessing emails that dealt with his own job performance review. Spangenberg said he was only testing out a program to search company emails. The whole thing was a pretext, he said, to get rid of him.
In court filings, Uber responded that it “generally denies each and every allegation” made by Spangenberg.
Lawsuit says Uber destroyed documents
Spangenberg accuses Uber of destroying information he believed it was obligated to preserve. “Uber routinely deleted files which were subject to litigation holds, which was another practice I objected to,” his declaration says.
A company can face legal penalties or be held in contempt of court for scrubbing evidence it was supposed to keep.
Among his duties, Spangenberg said he was also a point person when foreign government agencies raided company offices abroad.
“Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber's information,” his declaration states.
In May 2015, for example, the tax agency Revenu Quebec raided Uber’s Montreal office to gather evidence of tax evasion. Spangenberg said he worked from San Francisco to encrypt the office’s computers.
“My job was to just make sure that any time a laptop was seized, the protocol locked the laptops up,” he said.
Indeed, Quebec investigators -- armed with a warrant to copy information from Uber computers -- went back to a judge to say the computers had been remotely restarted and apparently encrypted, according to court records. They got permission to take the computers with them, but the machines are of little value if the information on them stays encrypted.
Efforts to encrypt data once a government search is in process “raises red flags and serious concerns,” said Judith Germano, a cybersecurity expert and former federal prosecutor.
A company could argue it was protecting sensitive information, she said. But if a judge determined it was a deliberate effort to hide evidence, the judge could impose legal sanctions or fines, and order the company to decrypt the data.
In its statement, Uber said, “We’ve had robust litigation hold procedures in place from our very first lawsuit to prevent deletion of emails relevant to ongoing litigation.” Uber said it has an obligation to protect personal information and that “we cooperate with authorities when they come to us with appropriate legal process.”
Uber challenged the Quebec search warrants in court, but in May, a Canadian judge wrote in French that Uber’s actions had “all the characteristics of an attempt to obstruct justice,” suggesting that “Uber wanted to shield evidence of its illegal conduct.” Uber is still appealing.
Looking back, Spangenberg describes a tangle of questionable practices and gaping vulnerabilities.
“The only information, truthfully, that I ever felt was safe inside of Uber is your credit card information,” he said. “Because it’s not stored by Uber.”
This story was edited by Andy Donohue and copy edited by Nadia Wynter.