A former forensic investigator at Uber has told courts how employees were able to use the company's vehicle-tracking technology to follow the whereabouts of ex-lovers and look up trip information on celebrities.
Ward Spangenberg, who worked at the ride-hailing firm between March 2015 and February 2016 as an information security specialist, alleges that Uber showed a flagrant disregard for data security during his time at the firm and failed to protect sensitive information on both customers and employees.
He also claims that Uber routinely destroyed data that it was legally required to keep and remotely encrypted on its computers during office raids so that authorities could not access information stored inside and use it as evidence.
Spangenberg, a seasoned information security professional with more than 15 years' worth of experience in security operations, made the allegations in a signed court declaration against Uber in May this year. Spangenberg is suing the firm for age discrimination and whistle-blower retaliation after being fired by the company in February.
The declaration raises questions over security procedures at Uber, where customer privacy was reportedly frequently overlooked and even abused by corporate employees.
In 2014, the company found itself under investigation following revelations that it used an internal tool called "God View", which allows Uber vehicles and their passengers to be tracked in real-time. It was later revealed that the tool was used by an Uber executive to track the location of a BuzzFeed reporter without her permission.
However, former Uber security professionals told Reveal that this policy was never properly enforced, with Uber instead relying on an honestly policy by which employees agreed not to abuse their position. As a result, the company continued to enable "broad access" to the God View feature.
"Uber's lack of security regarding its customer data was resulting in Uber employees being able to track high-profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses," Spangenberg wrote in his court declaration.
"I also reported that Uber's lack of security, and allowing all employees to access this information (as opposed to a small security team) was resulting in a violation of governmental regulations regarding data protection and consumer privacy rights."
The Uber app was recently criticised by users after an update allowed it to track users' location even after journeys had finished. Previously the app would only be able to track a user while the app was being used but now it will record GPS data in the background. A privacy disclaimer pop-up said it would keep tabs on a user's location when a journey is requested and five minutes after it had ended. The reason for this was to "improve pick-ups, reliability and enhance safety", but didn't offer users an option to opt out, which resulted in backlash from those concerned about privacy.
An Uber spokesperson told IBTimes UK claims that employees have unmitigated access to passenger data was "absolutely untrue".
"This is based on more than simply the honour system: we have built entire systems to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs," they said. "This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.
"What's more, if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee's role. All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated."
Spangenberg also alleges that payroll information for Uber employees was contained in an unsecure Google spreadsheet, including drivers' social security numbers. In late 2014, the personal details of 50,000 drivers were leaked thanks to a security key that was stored on a public GitHub page.
Uber is additionally accused of destroying electronically-stored information that was subject to litigation holds – that is, data that might be pertinent to legal proceedings against the company.
Spangenberg said he was responsible for remotely-encrypting Uber's computers when its Quebec offices were raided under suspicion of tax evasion in May 2015. Court records show that the computers retrieved by investigators had indeed been remotely encrypted and rebooted.
According to court filings Uber fired him for violating a code of conduct, although it adds that the company has "been unable to articulate any provision it contends Spangenberg actually violated."
Uber claimed this was due to Spangenberg re-imaging – or reformatting – his computer, although the filing adds that "this was an action (he) and numerous others have undertaken multiple times during his employment with Uber".
Uber said in court documents that it "generally denies each and every allegation" made by Spangenberg. Uber's spokesperson told IBTimes UK: "The key point here is that much of the piece refers to statements from years ago and we have since significantly updates our technical controls to limit employee access to data.
"The primary claim in the piece – that employees enjoy unfettered access to Uber's back-end – is absolutely not true.