Uber employees used the company’s lax tracking system to monitor the whereabouts of “high profile politicians, celebrities, and even personal acquaintances,” according to a declaration in a lawsuit filed against Uber by its former forensic investigator.
The declaration was revealed today by a Center for Investigative Reporting article detailing security standards at the company. The article also cites former employees who say “thousands” of employees had access to Uber’s tracking data, as well as personal information on other employees and drivers, with few protections in place to prevent improper access and misuse.
The lawsuit was filed by Ward Spangenberg, who worked on security systems at Uber starting in March 2015. The suit claims the 45-year-old Spangenberg dealt with age discrimination, as well as retaliation for blowing the whistle on alleged security lapses and other problems at the company. He was fired 11 months after he started.
The declaration also alleges that Uber would shut down connectivity in the office during law enforcement raids to stifle investigators, and improperly destroyed documents related to pending litigation.
If true, the allegations could potentially run afoul of a settlement Uber made in January with New York Attorney General Eric Schneiderman. As part of the settlement, Uber agreed to “designated employees with a legitimate business purpose,” and conduct regular assessments of the effectiveness of that program. It’s unclear whether Spangenberg’s allegations would constitute a breach of that agreement; reached by The Verge, a representative from Schneiderman’s office said, “we’re looking into it.”
Uber first dealt with a tracking controversy after its use of a tool called “God View,” which allowed employees to track riders as they moved, was revealed by BuzzFeed in 2014. Spangenberg told CIR the company did put in place some privacy protections during his time there, and has renamed the tool “Heaven View.” According to CIR, at least some employees — “fewer than 10,” Uber said — have been fired for improper use of tracking.
“Uber continues to increase our security investments and many of these efforts, like our multi-factor authentication checks and bug bounty program, have been widely reported,” Uber said in a statement to The Verge. “We have hundreds of security and privacy experts working around the clock to protect our data. This includes enforcing to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.”
The company says approval “by managers and the legal team” is required for employees to access data, and, although some employees are given legitimate access to data, that access is compartmentalized to what employees need for their jobs.
But Uber has recently felt increased pressure over its tracking capabilities, after a new version of its app was released that can track users even when they are not using the app. The new allegations may inflame those concerns even further.
Update 12:05 PM ET: Includes statement from Uber spokesperson.
Update 2:19 PM ET: Includes statement from AG Schneiderman’s office.