X

Uber accused of tracking celebs, politicians

A former Uber employee files a lawsuit claiming his co-workers used the ride-hailing app to track Beyonce and ex-girlfriends, among others.

Shara Tibken Former managing editor
Shara Tibken was a managing editor at CNET News, overseeing a team covering tech policy, EU tech, mobile and the digital divide. She previously covered mobile as a senior reporter at CNET and also wrote for Dow Jones Newswires and The Wall Street Journal. Shara is a native Midwesterner who still prefers "pop" over "soda."
Shara Tibken
3 min read
gettyimages-585139324.jpg

Uber is facing a new lawsuit by a former employee.

Getty Images

First there were worries about Uber's "god view." Now there are concerns the company is tracking celebrities and others through its ride-hailing app.

In the latest lawsuit against Uber related to data privacy and security, former employee Samuel Ward Spangenberg alleges the company doesn't "have regard for data protection." He says Uber collected data regarding every ride users requested, their name, username and email, their pickup location, the amount paid, the device used to access the app and other information riders didn't know was being collected.

Uber then allowed all employees to access information like ride tracking data of "high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends, and ex spouses," Spangenberg said in a court declaration from October, via the Center for Investigative Reporting.

The declaration also said Uber destroyed documents it legally was required to keep, and it would cut off connectivity in its offices so law enforcement officials couldn't access Uber's information during government raids.

Uber denied Spangenberg's allegations, saying it built an entire system to limit employee controls over customer data and issuing the statement posted at the end of this post.

After Spangenberg filed his declaration in October, a judge ruled the case should be heard in private arbitration, meaning there will be no public jury trial for all but one of the former Uber employees' claims. As a result, the resolution of the case may never become public.

Spangenberg, 45, worked as a forensic investigator at Uber. He's suing his former employer for age discrimination and whistle-blower retaliation, according to the Center for Investigative Reporting. He said he was fired after working at Uber for 11 months for bringing up concerns about his employer's security practices.

In 2014, reports broke that Uber executives used a feature called "god view" to track journalists and other people without their knowledge. The feature allowed employees to see logs of Uber customer activity, though Uber's data privacy policy said it prohibited "all employees at every level from accessing a rider or driver's data." Also that year, Uber discovered that a security breach had exposed the data of 50,000 drivers across the US.

The New York attorney general's office launched a probe into Uber's data privacy protections and the 2014 data breach, and in January 2016 ordered it to pay a $20,000 fine. The fine was for the data breach, but the settlement also focused on rider privacy.

Uber said in a statement Monday:

"Uber continues to increase our security investments and many of these efforts, like our multi-factor authentication checks and bug bounty program, have been widely reported. We have hundreds of security and privacy experts working around the clock to protect our data. This includes enforcing strict policies and technical controls to limit access to user data to authorized employees solely for purposes of their job responsibilities, and all potential violations are quickly and thoroughly investigated.

It's absolutely untrue that 'all' or 'nearly all' employees have access to customer data, with or without approval. And this is based on more than simply the 'honor system:' we have built entire system to implement technical and administrative controls to limit access to customer data to employees who require it to perform their jobs. This could include multiple steps of approval -- by managers and the legal team -- to ensure there is a legitimate business case for providing access.

What's more, if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee's role. All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated.

Many employees are in operational roles and have legitimate reasons to access customer data. For example, our anti-fraud experts have access to trip data so they can investigate allegations of scams and compromised accounts. Some employees have access to driver profiles in order to check the validity of insurance documents required by law. If a rider requests a refund, an authorized customer support representative would access to data needed to credit that rider's account. In the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution."

CNET's Dara Kerr contributed to this report.