
Uber employees used the platform to stalk celebrities and their exes - kevcampb
http://www.businessinsider.com/uber-employees-stalked-celebrities-ex-employee-claims-2016-12
======
taneq
A few days ago (on the discussion of the Uber app tracking users' movements
after the end of their ride) an Uber employee commented on their data
handling: [0]

> Individual users' data is very closely guarded internally. It's immensely
> difficult to look at user data without specific access. Overwhelmingly, this
> data is queried in aggregate and fed into machine learning systems. The risk
> of abuse is exceptionally low.

Obviously this doesn't add up. What gives?

[0]
[https://news.ycombinator.com/item?id=13085775](https://news.ycombinator.com/item?id=13085775)

~~~
hibikir
I don't know about Uber, but I've worked at a lot of places that had sensitive
data. A common patterns is to fail to treat employees like attackers, and
protect data in ways that are very beatable by a motivated employee. Some
examples that hopefully have been fixed:

-A company had a specific dataset that would be worth millions: The kind of things that a wikileaks might want to publish, and would make the papers. I was supposedly unable to access the app that displayed it, but I had access to the tables. For legitimate business reasons, I took the data out, put it in my company laptop, and stuck a search engine on top. There were no logs of my activity, and nobody came to ask why in the world I was doing something like this.

-At another place, they were saving credit cards, encrypted, but their idea of saving encryption keys was to put them in a file that only root could access. Well, everyone had access to create batch jobs (yes, even phone reps), and batch jobs ran as root, so anyone could walk out with the lot. I had to do a lot of work to convince them that yes, this was not PCI compliant.

-Another system had relatively well protected data, only available to people with access. Except they had single sign on, and some of they systems that took credentials did so in the clear. Peek at network traffic, steal credentials, and then do whatever you want as anyone you want! They had a process where you were never supposed to leave your computer unattended, and if you did, team members would go into your computer and send an email to the team promising cake, and you'd have to bring it as punishment for your security problems. Imagine their surprise when people were sending emails promising cake while they were using their computers.

-A phone company having cell call metadata in the clear, in a DB any developer could query. There was another system with billing information, equally accessible. So search for your favorite person in one, and go to the other and see who they call, when they call, and from where. Isn't that convenient?

So I don't believe anyone's claims about their data security unless they come
from someone that has some security knowledge and has tried to evaluate the
security pretending to be a real attacker. And even in that case, I'll
probably want a team of them. Otherwise, I'll assume there are major flaws
that nobody has found, just because nobody has cared enough. I have yet to
find an employer where this was not the case.

~~~
drvdevd
> Otherwise, I'll assume there are major flaws that nobody has found, just
> because nobody has cared enough

Unfortunately, this is the state of 99% of all software, everywhere, it would
appear. And I'm dubious about that extra 1%.

[Edit] and lets not forget, you can _care a lot_ and still have this be the
case

------
KuhlMensch
> Uber would not give more details on its technical controls. In practice, the
> security sources said, Uber’s policy basically relies on the honor system.
> Employees must agree not to abuse their access. But the company doesn’t
> actually prevent employees from getting and misusing the private information
> in the first place, the security sources said.

If true, that is fantastically ludicrous.

It seems I wasn't paying attention, in 2014 - as this "God view" news passed
me by. I will be keeping a closer eye on this as it plays out.

Uber obviously seems to be in a strong position, but going only by this
article, Uber might fare poorly in a multi-region privacy-legislation legal
battle (war?).

~~~
dx034
It's exactly what an employee writes in another comment here:

> every time I access production systems, I have a ton of messages telling me
> that our access is being completely tracked and we are prohibited from doing
> anything that was mentioned in the article.

There is probably a small department doing random checks on data access. But
with several thousand people (including support staff) accessing data, the
chance of being noticed is extremely low.

------
johansch
This seems like a good place to tell Uber users that the only way of removing
your credit card details from your Uber account is to either:

a) plead with Uber's customer service to do so

or

b) add another payment method (like another credit card)

This, of course, is horribly bad practice. I can only imagine that they
arrived at this very peculiar arrangement after extensive A/B testing - Uber
has hired plenty of FB folks and those people tend to be really into that kind
of thing. I haven't seen this kind of outright customer-hostility from a large
Internet company.. well, ever, before.

So, no, I'm not surprised that this company is doing other unethical things -
it sort of seems interwoven into their DNA.

~~~
bigmofo
When you lose your credit card and you call your credit card company and them
them that you lost it, they issue you a new card with new numbers; this way
anybody that had the information on the card would not be able to make further
transactions. I would consider the card lost when a company would not delete
the credit card information on my request to delete the information.

~~~
singlow
A new number doesn't necessarily prevent charges from vendors who had the old
one. _For your convenience_ the banks actually allow new charges on the old
cards after they are cancelled. I assume they whitelist vendors that have good
reputations or filter based on patterns of charges against your account which
you have not disputed.

Verizon was able to charge against my old account for over a year. I kept
getting snail mail letters from my bank telling me that the card I was using
had been cancelled and that I needed to update it, but I kind of just wanted
to see how long they would let it go.

In other cases, the bank will actually update the vendor with your new card
number so that subscriptions are not interrupted.

~~~
ranman
>In other cases, the bank will actually update the vendor with your new card
number so that subscriptions are not interrupted.

That's apparently a feature:
[https://usa.visa.com/dam/VCOM/download/merchants/visa-
accoun...](https://usa.visa.com/dam/VCOM/download/merchants/visa-account-
updater-product-information-fact-sheet-for-merchants.pdf)

~~~
cm2187
Even if it is stolen? This thing is massively dangerous. It ensures your
credit card details are stored all over the place for them to be leaked or
stolen, with no way for the consumer to clean this up.

~~~
brianwawok
In theory they would make sure it was an account you used before the theft.

~~~
cm2187
Yeah but letting services expire with the credit card unless you still use
them is not a bad way to get rid of all the services you subscribed thinking
it could be useful but never used.

Reminds me of what was done in the military (I think it was in a European
country). Officers were spending their time writing reports that were never
read. They introduced a policy under which for a given time everyone should
stop writing reports until someone complained that they were not receiving it.
And if that didn't happen this type of report would be scrapped.

~~~
zeven7
Hmm, I feel like in my job I write a lot of things that no one ever reads
(issue notes, extra commit information, comments) with the expectation that
it'll be helpful information if I or someone else ever does need to look to
figure out why I did something.

And it has been helpful. I mean maybe about 1% of it is read later at some
point and helps clarify a situation. 99% of it is never seen again. That 1% of
the time it's really helpful to have it.

------
JumpCrisscross
Don't forget that Uber now requires you allow them to access your location,
even when you aren't using their app [1].

Side note: consider the value to foreign (or domestic) intelligence agencies
of this weakly-guarded pot of gold.

[1] [http://www.theverge.com/2016/11/30/13763714/uber-location-
da...](http://www.theverge.com/2016/11/30/13763714/uber-location-data-
tracking-app-privacy-ios-android)

~~~
michaelvoz
Disclaimer: I work for Uber. However, my opinions are mine. I am also not
defending nor attacking in any way Uber gathering location data.

With that out of the way - you know your cell phone carrier already has this
data right? They have way better data than Uber ever will about all your
habits, including establishing relationships based on who you call, which
sites you visit, who you are signed up on a plan with, etc etc. A much more
weakly guarded pot of gold, I would say.

~~~
onion2k
I'll agree with your point as soon as Uber signs up to the same level of
regulatory restrictions as every phone carrier enjoys. The fact is that there
are laws that strictly prohibit my phone carrier doing certain things with
data about my usage. Case in point, the stalking that the article mentions - I
don't think employees of my phone carrier can do the same thing. _Technically_
they could because they have the necessary data, but they don't because
regulations have been put in place to stop them.

Uber has _demonstrated_ that they can't be trusted with personal data, so I'm
quite sure the government will be considering implementing some regulation in
their industry too. That's a shame really, because I'm sure most of us would
prefer companies weren't restricted by regulation and were just sensible and
ethical _by default_ , so laws weren't necessary.

~~~
mindcrime
_Uber has demonstrated that they can 't be trusted with personal data_

And the telecom carriers haven't? Please.

[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A)

~~~
ajdlinux
The NSA using the power of the state to persuade a telco to intercept some
stuff for them is somewhat different from having random employees of a private
company just deciding to arbitrarily browse through their corporate databases.

~~~
mindcrime
True. The State has a lot more power on its side, making the former scenario
much more of a threat.

~~~
AlexandrB
Except the NSA is an arm of a democratically elected government. Tell me when
the public Uber elections start.

~~~
mindcrime
_Except the NSA is an arm of a democratically elected government._

Yes, and look what that's gotten us so far.

------
ProfessorLayton
I've begun to ditch apps that I've perceived as going downhill regularly, and
its been working out pretty well. Uber, Youtube, Facebook/Instagram, and
Twitter have decent mobile sites.

I can even silo whatever service I want into its own browser to limit
tracking, and all location/permissions/etc are all sandboxed by the browser.

A huge bonus is battery life + ad blocking.

~~~
kbart
Agreed 100%. I don't get it why anybody would need dozens of apps to spam you
ads, drain battery life and collect your contacts, location data and whatnot
when you can easily access the same services via a browser without all these
mentioned drawbacks. An anecdote, but after cleaning my girlfriend's phone
(she's asked for it), its battery life increased nearly _twice_ and cell data
usage was reduced by ~30%.

------
firloop
This article merely re-reports this source:
[https://www.revealnews.org/article/uber-said-it-protects-
you...](https://www.revealnews.org/article/uber-said-it-protects-you-from-
spying-security-sources-say-otherwise/)

Mods should probably change the OP to link there.

------
sargun
Let me ask a question of everyone complaining: why not use Lyft? I switched.

Yeah, their prices are a little more than uber's, and their wait times are a
bit higher, but these are functions of scale.

~~~
kbart
_" Let me ask a question of everyone complaining: why not use Lyft? I
switched."_

Because Lyft is not so widely available. For example, only Uber is available
where I live, though I still prefer traditional taxi because of (usually)
better price, more reliable service, availability for short rides and privacy.

------
sidchilling
I seriously don't understand why the updated Uber app asks to access my
location all the time -- as opposed to only when I'm using the app. Not only
is it not required but it's a huge drain on the phone's battery, potentially
decreasing the battery's life.

Now I'm from a third-world country and can't afford to buy a $1000 phone every
year, so I have to be careful with the life of my phone.

The turnaround this, I found, is to disallow location to the Uber app when not
using the app and allowing access only when I use the app. This, however, is a
pain and the Uber app behaves weird if I do so (the previous trip does not end
after hours of it actually ending).

Very poor UX from Uber, potentially dangerous, definitely unethical. This is
definitely a trend -- startups start with being caring of its customers, but
once they grow big, they become callous and even malicious when it comes to
users (I don't ask of them to give every customer personal support, but not
mis-using customers is the least I can expect).

~~~
jc4p
I'm with you on this. I don't get why Apple can't mandate a "Only when in app"
option. The description for why they require it says they use the location
while in app or for a few minutes after the trip is over.

When I was getting ready to leave for work today, I got out of the shower and
grabbed my phone and saw a alert saying Uber has been using my location in the
background. I hadn't opened the app since last week, last time I needed a
ride. I'm sure it could've just been an errant push notification coming in
late and waking the app up in the background, but I'm spooked.

~~~
giovannibajo1
That popup is standard for any app that is approved to potentially use
location in background and you don't use often. I think it's meant to
discourage apps to ask location in background altogether

~~~
madeofpalk
When they migrated to this style of permission it seemed like a bit of a
missed opportunity to give the user the option of choosing "no, only when the
app is open"

~~~
willstrafach
Uber removed the "only when open" ability unfortunately, so that would not be
relevant here.

~~~
madeofpalk
No, I mean Apple shouldnt have given app developers the option to not allow
"only when open". So app developers request the highest amount of permission,
and either that (or less) would be granted:

    
    
        Uber would like to access your location at all times
    
                  [Yes, allow in the background]
                       [Yes, only when open]
    
                      [No, deny all together]

------
Animats
Operationally, "God Mode" doesn't need to show who the passenger is. It's
reasonable to have info about where all the cars are and their status and
destination available to everyone involved with dispatching, but passenger
identity? Sloppy.

Do they still have "Ride of Glory" detection?

------
logicallee
I think it's time for the government to give you as many names as you want to
give out to companies, and there's no reason for anyone who isn't suing you
for it to know which of your aliases go together. Also aliases should be
shared, to further conflate things. (nothing should stop my friends and i from
sharing an alias and persona - companies should be legally forced to bend over
backwards and enable this, for everyone. For example Google should be legally
forced to allow you to create a new gmail inbox with a new name in a single
click and not have it tied on any way to the old name.) Also credit card
companies should be forced to give you as many cards in whatever names that
you ask for. Nobody who isn't suing you should have a right to know your true
name. They shouldn't even have it on record. If they wanna know something
about you, they should ask you.

It works for writers, celebrities, etc - why not the rest of us.

EDIT to clarify: this is a serious comment, you can read it literally.

~~~
tedunangst
You don't need the government to give you a new name to start using a new
name. You pick one and start using it.

~~~
JumpCrisscross
Register an LLC (using your real name). Get a domain for the LLC and register
a pseudonymous email address. Get a debit card and have the issuing bank give
you a John Doe card. You sign as your LLC from now on, no government
intervention needed.

~~~
logicallee
Pretty much my point is that this should take me 17.5 seconds, starting right
now.

1) go to my online banking and sign in

2) pick a name and request a card for it.

They should be legally forced to send me one.

The point is I can use that for amazon dildo purchases, and no creep at amazon
would get to see that I'm (whoever.)

I get that this is possible: it needs to be simple.

~~~
hrehhf
But it is that simple. In my case, I got a card for a family member. But there
is no verification done so you can literally get a card with any name on it.
It is still tied to your identity through the bank.

~~~
logicallee
But they may not like it when you have 73 active cards/names - so making this
a mandatory thing would affect banks' processes. Also even if you're being
literal and can do it in 17 seconds (i.e. after opening a new tab, 30 seconds
from now you can have a card in the name of Mary Smith on its way to you) I
and I think most people using online banking don't have it so smooth.

~~~
hrehhf
I timed it and it took about 25 seconds to go from the Chase login prompt to
the "Add authorized user" page where you can get another credit card added to
an existing account. So, I admit its not quite as fast as you would like.
There is a caveat if you pay an annual fee: you pay the fee for each card. My
accounts have no annual fee.

I also checked US Bank and American Express and you are correct, the process
is not smooth at all. US Bank wants me to print, sign, and mail it! American
Express wants to verify identity of the additional user using an SSN. That
makes no sense of course, because they might not even have an SSN and the main
account holder is still contractually obliged to pay the account balance.

~~~
logicallee
I was very impressed with your report of Chase's behavior (and while 25
seconds might be an inconvenience of course it's acceptable.) It sounds like a
gold standard. Of course, it's not practical to do that 72 times (for example
every time you want to order a dildo from Amazon), due to the wait to get the
card (it's not instant), but practically today people could use Chase fine to
make companies not follow them. Do you think you can choose a name such as
Donttrackme McSpammer? I realize this is pretty much the opposite of the term
"John Smith" as for example the Uber driver would see that you went out of
your way to call yourseld Donttrackme (there is zero chance it's an actual
first name) but the adcantage is that it would not appear fraudulent.

Since you don't have an annual fee, can you order a card in the name of
Donttrackme McSpammer (or any other similar name that couldn't be mistaken for
a real name) and see if you get it?

Thanks for having taken the time to check the other two sites as well. I
appreciate it!

------
lamontcg
Uber seems to be company founded by sociopaths with a hiring process that
stacks the company with sociopaths.

~~~
abvdasker
Tell us how you really feel

------
danso
Creating an audit system and locking down "God" mode seems like something that
would save Uber a lot of major headaches down the road. How often do Uber
employees need to legitimately track someone's information other than in
response to a customer request? I'm guessing about as often as the average
Google employee needs access to a specific user's search history, which is to
say, fairly rarely.

Without locking down such access, you get incidents like these (and this was
even when Google purportedly had strong auditing):
[http://www.pcmag.com/article2/0,2817,2369188,00.asp](http://www.pcmag.com/article2/0,2817,2369188,00.asp)

> _Google this week confirmed that it fired an engineer who accessed the Gmail
> and Google Voice accounts of several minors and taunted those children with
> the information he uncovered._

The public sector has its fair share of these too:
[http://articles.orlandosentinel.com/2013-01-22/news/os-
law-e...](http://articles.orlandosentinel.com/2013-01-22/news/os-law-
enforcement-access-databases-20130119_1_law-enforcement-officers-law-
enforcers-misuse)

Here's a URL to the plaintiff's declaration:
[https://www.documentcloud.org/documents/3227535-Spangenberg-...](https://www.documentcloud.org/documents/3227535-Spangenberg-
Declaration.html)

Lots of tidbits there...including how all payroll information is apparently
contained in an "unsecure Google spreadsheet"

~~~
dx034
I guess the audit system is there, it's just a lot of log files. That's a
point where they could use simple rules or ML to flag up possible misuse. E.g.
support staff accessing profiles that aren't related to a ticket they were
working on. Or a developer tracking a single rider/driver with same last name
or address (or really any developer getting data for one rider only).

Won't have a 100% success rate but I guess it could prevent most cases of
abuse. It's not that different from what banks do to detect internal fraud.

------
blairanderson
Vote with your fingers and delete the app

~~~
Crosseye_Jack
I would also request an account deletion

    
    
      Menu -> Help -> Account And Payment -> Account Settings and Ratings -> Delete my Uber Account -> Fill in the form.
    

Oh on iOS you will need to turn on location tracking otherwise the nag screen
about how wonderful enabling location services is seems to prevent the app
showing the menu button...

EDIT: Oh you can still press the Menu Button, its just the nag screen has a
strong tint to it and I had my brightness low. Doh.

------
omouse
Can't wait for a class-action lawsuit.

This is precisely why it makes sense to keep database data encrypted even to
admins and why it makes sense for ride-sharing companies to be co-operatives
or non-profits.

Profit-seeking companies engage in bad behaviours all the time.

~~~
AlexandrB
> Can't wait for a class-action lawsuit.

Except Uber now has arbitration clauses in both it's driver and passenger
service agreements. It remains to be seen how well it will hold up in court
[1], but I wouldn't count my chickens yet.

[1] [https://consumerist.com/2016/08/02/judge-shreds-uber-says-
co...](https://consumerist.com/2016/08/02/judge-shreds-uber-says-company-cant-
prove-riders-are-giving-up-right-to-sue/)

------
retox
Everything I hear about this company is sickening. Bros with toys and no
morals.

------
mschuetz
"stalk celebrities and their exes" sounds to me like it could mean:

\- stalk celebrities, as well as the exes of said celebrities

\- employees stalk their exes and also some celebrities

It's obviously the latter but couldn't the same sentence imply the former as
well? Is their a better way to formulate this sentence in a non-ambiguous way?

~~~
x1798DE
I think it's unambiguous if you switch the order: "Employees stalk their exes
and celebrities"

------
nikon
I've switched to using the mobile site[0] now Uber wants to track my location
'Always' on iOS.

[0] [https://m.uber.com](https://m.uber.com)

~~~
seppin
Thanks for this, I deleted the app and this is a good backup when Lyft is
nowhere to be found

------
jokoon
I think there is a need to regulate how data is used in internet companies. I
mean there is the same need for NSA and surveillance, but I'm much more
anxious about how a company can be irresponsible compared to a federal agency.

Every time you have customer's information, the people responsible for giving
access to that data should be held responsible...

------
otterley
Please don't change the original title. The article is quoting an accusation.
No claims have been proved yet.

------
ben_jones
I wonder what it's like working for Uber and hearing this story. I imagine
people form into two camps, with one doubling down their loyalty to the
company (which could be properly placed for all we know), and another that
becomes a little more suspicious walking into work next time.

------
iblaine
In my experience, every private company does this and every public company
does not, due to sox compliance.

------
losteverything
The internet can really blow things out of proportion.

1980's: long distance company has employee(s) poking around messaging system
and sells to newspaper. Few know. All voice over network is stored "searched"
for "key" phrases. Very few know. Moreover there are no blogs or places to
tell ones story.

Now one little confessional outing becomes widespread and thus assumed to be
happening all the time.

I am sure (without facts) that uber is no worse than AT&T back in the day but
now so so so many people can read and tell their stories.

Does anyone really think or expect communication via electricity is truly
protected?

------
sickbeard
Why would beyonce take an uber tho?

~~~
wehadfun
I had same question. Thought these people had person drivers.

------
droopyEyelids
Can we make the rule that it's not OK to post negative stories about
YCombinator companies on this site?

There are a million places to talk negative about everyhing. Here, we're
trying to build things. We know no one is perfect. Lets make this place a
bastion of positivity instead of negativity.

~~~
chippy
You really should not be being downvoted as your opinion is shared (in my
experience) by the majority of struggling startup founders. The founders want
to get big and successful and view negativity by techies as at best needless
pessimism and at worse as symptomatic of a kind of anti-capitalism.

Capitalists who value the free market who are also the bosses and
entrepreneurs see opposition to their money making efforts as an affront to
their very core values.

In my opinion it's the wrong way to think - and the root cause is unchecked
free market capitalism. However, I think it's true that many people think that
to succeed as a startup, money comes before morals. We shouldn't hide that,
but criticise it and voice our concerns.

~~~
umanwizard
Who cares what struggling startup founders believe? This forum isn't
specifically for startup founders and their perspective isn't favored over
anyone else's here.

It just happens to be hosted on a subdomain of a startup accelerator but the
overwhelming majority of people who read it are not involved with startups.

------
beedogs
Did I need another reason to loathe Uber? No, but reasons keep showing up.

------
hyperhopper
> Reveal reports that Uber also changed the name of that tool [from "God
> View"] to "Heaven View."

What a useless change just for the sake of being politically correct. Are
companies going to start removing "God Mode" from video games and calling it
"super mode"? Seems crazy they would muck with naming to be PC even for
internal tools

~~~
swang
calm down. how is this being "politically correct"?

the name was most likely changed because the connotation of a "god view" means
its omnipotent or at the very least omniscient. aka, it knows everything about
you.

so it was most likely changed because of the backlash of the name being
associated with invading your privacy and seeing what you were doing in uber.
this again is why everyone is upset about uber forcing their app to be always
on.

