Uber Security Head Warns Staff After Latest Tracking Controversy
Amid a new fuss over how its employees access sensitive user data, Uber’s top security executive sent a company-wide email to staff on Monday reminding them of their obligations when it comes to privacy.
“Like every fast-growing company, we haven’t always gotten everything perfect. But without the trust of our customers we have no business,” says the email, obtained by Fortune.
You can read the full email, by chief security officer John Flynn, further below. The memo refers to an article, published Monday by the Center for Investigative Reporting, that describes alleged privacy violations against users, such as Uber employees tracking the trips of celebrities like Beyoncé or using trip history to stalk former partners.
The allegations come after a 2014 scandal in which BuzzFeed revealed that Uber employees used a tool they called “God View” to spy on customers’ activities. The scandal led to scrutiny from regulators and Uber eventually paying a $20,000 fine to settle a lawsuit. Uber has also since tightened up its privacy policies.
In the email, Flynn says “much of the information [in the new story] is out of date and doesn’t accurately reflect the state of our practices today.” He then reminds staff that they have been instructed repeatedly on Uber’s rules about unauthorized access to user data, and explains the company has hired hundreds of staff dedicated to security and privacy.
The email also disputes a claim in Monday’s article that suggests all Uber employees have access to customer data, or that oversight is based on some sort of honor system.
Uber did, however, acknowledge in the Monday report that some of its employees broke the internal policies, resulting in about 10 of them being fired. Fortune has learned from one employee that a handful of Uber workers were fired earlier this year for accessing the trip data of celebrities.
However, the employee also said that only certain teams have access to various levels of customer data, and when these employees do access it, they’re logged, making it difficult to hide their activities.
The details in Monday’s article are based in large part on a lawsuit filed by a former Uber employee, Ward Spangenberg, who says he was fired early this year for age discrimination. In his lawsuit, Spangenberg says Uber told him he was fired for breaching policies including rebuilding his laptop from scratch (he says it was common procedure when a computer crashes), and for accessing emails related to his performance review (he claims he was testing out an email program). Spangenberg also claims that Uber deleted files it was legally obligated to hold and asked him to cut Internet access to Uber offices during raids “so that law enforcement could not access Uber’s information.”
Here is the memo:
You may have seen a news story today about some of Uber’s privacy and security practices. Much of the information is out of date and doesn’t accurately reflect the state of our practices today, so I wanted to update you on what we’re doing to protect user data.
Like every fast-growing company, we haven’t always gotten everything perfect. But without the trust of our customers we have no business. That’s why we continue to make major improvements to our security systems and policies to ensure that rider and driver data is protected.
For many years, we’ve had a policy prohibiting unauthorized access, and over time, we’ve invested even more in locking down and logging that access. You know about those rules because you signed the agreement when you started at Uber, heard about them during Uberversity training, and receive regular reminders via email and internal all-hands meetings.
Over the past several years, we’ve hired hundreds of security and privacy experts who work around the clock to protect user data. Our team includes experts in authentication, authorization, encryption and access management.
As you’ve probably noticed, particularly in the last year, we’ve significantly strengthened the tools and processes that restrict internal access to user data:
- All employees are required to acknowledge and agree to a data access policy, including at on-boarding. You’re reminded of this policy every time you access internal data tools once you have the required permission (see below). All data access is logged and routinely audited, and all potential violations are quickly and thoroughly investigated. We have terminated employees in the past for violating this policy.
- It’s absolutely untrue that all (or nearly all) employees have access to customer data, with or without prior approval. This is more than simply the “honor system”: we have built entire systems to implement technical and administrative controls that limit access to customer data to those employees who require it to perform their jobs. This could include multiple steps of approval—by managers and the legal team—to ensure there is a legitimate business case for providing access.
- What’s more, this access is granular: if an employee has access to some customer data, she does not have access to all customer data. Access is granted to specific types of data based on an employee’s role and the specific purpose at hand.
- Many employees are in operational roles and have legitimate reasons to access customer data. For example, our anti-fraud team have access to trip data so they can investigate allegations of scams and compromised accounts. Some employees have access to driver profiles in order to check the validity of insurance documents required by law. And in the case of a traffic incident, a dedicated member of our safety team needs to access customer data to conduct a proper investigation and help the affected parties reach resolution.
We want our security and privacy practices and technology to be world-class, and we’re moving quickly toward that goal. Every time a rider or driver uses Uber, they entrust us with data that it’s the responsibility of each and every one of us to protect.
John “Four” Flynn
Chief Information Security Officer