Are Uber Employees Stalking Users?

Update: This story was updated on Monday at 6:30 PM to include information from a statement that Uber sent to Vocativ and an internal email sent to Uber employees. 

Uber employees with access to its consumer data might have used private information to track VIP users, including celebrities and politicians as well as employees’ ex-partners, according to a lawsuit filed against the ride-hailing company.

Former Uber employee Samuel Ward Spangenberg is suing the company for age discrimination and retaliation for blowing the whistle on security slips at the company. The 45-year-old began working at Uber in March 2015 and was fired 11 months later.

Spangenberg said in a court declaration that the company’s lack of security was violating governmental regulations regarding data protection and consumer privacy rights, especially since all employees had access to the data rather than just a small security team.

“I complained that Uber did not have regard for data protection, including, among other items, that payroll information for all Uber employees was contained in an unsecure Google spreadsheet.” Spagenberg said in the filing, which was reported by The Center for Investigative Reporting (CIR). “Uber’s lack of security regarding its customer data was resulting in Uber employees being able to track high profile politicians, celebrities, and even personal acquaintance.”

Spangenberg also mentioned that Uber deleted files during government raids and that it would cut all connectivity so that law enforcement could not access documents and any information that was not in compliance with governmental regulations.

This is not the first time Uber has had security and privacy issues. Back in 2014, the company dealt with a privacy violation controversy after a tool dubbed “God View” allowed employees to track any rider at any time without consent.

Uber said it implemented strict policies to stop employees from tracking riders, but Spangeneberg — along with other former employees who spoke with the CIR — said that wasn’t the case. Spangenberg said that “God View” was still used within the company and renamed “Heaven View.”

This lawsuit might inflame concerns of privacy following reports last week that the app can now track users even when they’re not using it.

Uber issued a statement to CIR saying “fewer than 10” employees have been fired for improper use of tracking.

In a statement to Vocativ as well as in an internal email to its staff sent to Vocativ, Uber said that “it’s absolutely untrue that ‘all’ or ‘nearly all’ employees have access to customer data, with or without approval.” It described a system of technical and administrative controls, including managerial and legal approvals, that limit access to customer data only to employees who require it to do their jobs, and then in a limited fashion. The company said that it logs and audits all data access, and “all potential violations are quickly and thoroughly investigated.” Legitimate reasons employees might access customer data, it said, include anti-fraud work and in traffic incident investigations.

The internal company email, sent by Uber’s chief information security officer John Flynn and forwarded to Vocativ by Uber’s communications team, also called the information in the Center for Investigative Reporting piece “out of date” and not accurately reflecting the “state of our practices today.” It acknowledged past flaws, however: “Like every fast-growing company, we haven’t always gotten everything perfect. But without the trust of our customers we have no business,” it said.