Tuesday, December 13, 2016

Uber Whistleblower on Location Privacy

Will Evans (via Christopher Soghoian, Hacker News):

“Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote in a court declaration, signed in October under penalty of perjury.

After news broke two years ago that executives were using the company’s “God View” feature to track customers in real time without their permission, Uber insisted it had strict policies that prohibited employees from accessing users’ trip information with limited exceptions.

But five former Uber security professionals told Reveal from The Center for Investigative Reporting that the company continued to allow broad access even after those assurances.


In addition to the security vulnerabilities, Spangenberg said Uber deleted files it was legally obligated to keep. And during government raids of foreign Uber offices, he said the company remotely encrypted its computers to prevent authorities from gathering information.

Nick Heer:

In separate news, Uber recently updated their privacy policy to allow tracking users’ location data for up to five minutes after exiting the vehicle.

Oluseyi Sonaiya:

Let’s not forget that Google exposed people’s private information on the basis of an automatic social graph constructed from their email.

All of which is to say that while Uber’s privacy violations are symptomatic of organizational failure, all information caches are vulnerable.

Update (2016-12-15): Anita Balakrishnan (via Slashdot):

It’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval,” Uber said. “We have built [an] entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.”

Update (2016-12-20): John Gruber:

I don’t trust Uber. But we can collectively verify that in this case, they’re doing exactly what they say they’re doing.

Update (2016-12-22): John Gruber:

Daring Fireball readers on Twitter started sending me screenshots of their Location Services settings, showing that the Uber app is still checking for their location days or even weeks after they last used the app.

Update (2016-12-27): John Gruber:

I think this might explain it. I’m thinking Apple should change this so that these extensions only load when you tap the “Ride” tab in Maps. As it stands now, they load (and check your location) every time you enter the Maps app, period.

1 Comment RSS · Twitter

[…] don’t trust Uber to use this entitlement responsibly. Nor do I trust App Review to be able to police how the app is […]

Leave a Comment