[BreachExchange] Uber said it protects you from spying. Security sources say otherwise

[Audrey McNeil]

https://www.revealnews.org/article/uber-said-it-protects-
you-from-spying-security-sources-say-otherwise/

For anyone who’s snagged a ride with Uber, Ward Spangenberg has a warning:
Your personal information is not safe.

Internal Uber employees helped ex-boyfriends stalk their ex-girlfriends and
searched for the trip information of celebrities such as Beyoncé, the
company’s former forensic investigator said.

“Uber’s lack of security regarding its customer data was resulting in Uber
employees being able to track high profile politicians, celebrities, and
even personal acquaintances of Uber employees, including
ex-boyfriends/girlfriends, and ex-spouses,” Spangenberg wrote in a court
declaration, signed in October under penalty of perjury.

After news broke two years ago that executives were using the company’s
“God View” feature to track customers in real time without their
permission, Uber insisted it had strict policies that prohibited employees
from accessing users’ trip information with limited exceptions.

But five former Uber security professionals told Reveal from The Center for
Investigative Reporting that the company continued to allow broad access
even after those assurances.

Thousands of employees throughout the company, they said, could get details
of where and when each customer travels. Those revelations could be
especially relevant now that Uber has begun collecting location information
even after a trip ends.

Ward Spangenberg, who was hired by Uber in March 2015, says he frequently
objected to what he believed were reckless and illegal practices.
Spangenberg was fired and is now suing the ride-hailing behemoth. Credit:

Courtesy of Ward Spangenberg

Spangenberg is suing the San Francisco-based ride-hailing behemoth for age
discrimination (he’s 45) and whistleblower retaliation. He has worked
information security jobs for a variety of tech companies. Uber tasked him
with helping develop security procedures and responding to problems from
around the world.

In addition to the security vulnerabilities, Spangenberg said Uber deleted
files it was legally obligated to keep. And during government raids of
foreign Uber offices, he said the company remotely encrypted its computers
to prevent authorities from gathering information.

After beginning in March 2015, Spangenberg said he frequently objected to
what he believed were reckless and illegal practices, and Uber fired him 11
months later.

“I also reported that Uber’s lack of security, and allowing all employees
to access this information (as opposed to a small security team) was
resulting in a violation of governmental regulations regarding data
protection and consumer privacy rights,” he stated in the declaration,
referring to requirements that companies notify consumers of any breach of
personal information.

Michael Sierchio, a tech industry veteran who was a senior security
engineer at Uber from early 2015 until June of this year, agreed that Uber
had particularly weak protections for private information.

“When I was at the company, you could stalk an ex or look up anyone’s ride
with the flimsiest of justifications,” he said. “It didn’t require anyone’s
approval.”

In a statement, Uber said it maintains strict policies to protect customer
data and comply with legal proceedings. It acknowledged that it had fired
employees for improper access, putting the number at “fewer than 10.”

“We have hundreds of security and privacy experts working around the clock
to protect our data,” Uber said in a statement.

“This includes enforcing strict policies and technical controls to limit
access to user data to authorized employees solely for purposes of their
job responsibilities, and all potential violations are quickly and
thoroughly investigated,” the company said.

Uber would not give more details on its technical controls. In practice,
the security sources said, Uber’s policy basically relies on the honor
system. Employees must agree not to abuse their access. But the company
doesn’t actually prevent employees from getting and misusing the private
information in the first place, the security sources said.

Uber has a history of data problems

As Uber has rapidly grown to more than 40 million users worldwide, the
gig-economy giant has also been dogged by leaks, hacks and privacy scandals.

In 2014, BuzzFeed reported that an Uber official had tracked its reporter’s
movements without her permission, around the same time another executive
suggested digging up dirt on critical journalists. The controversy – and an
entrepreneur’s claim that he was tracked as well – drew attention to the
company’s internal God View tool, which provided a real-time aerial view of
Uber cars in a city and details of who was inside of them.

Uber came under fire in 2014 for its internal “God View” feature, which
provided a real-time aerial view of citywide Uber cars and details of who
was inside of them.

Credit: Courtesy of Uber

It later came out that a data breach that year exposed the personal
information of more than 100,000 drivers.

After the embarrassments of 2014, Uber hired chief security officer Joe
Sullivan, a prominent tech figure who previously held that post at Facebook
and used to be a federal prosecutor. His team drew heavily from Facebook,
including chief information security officer John “Four” Flynn.

The Federal Trade Commission, the consumer protection agency, is
investigating Uber’s information security practices and recently deposed
Sullivan, according to security sources.

Spangenberg and Sierchio – as well as three other former Uber security
professionals granted anonymity to confirm their accounts – describe a
startup culture that pushed back against security protections in favor of
unbridled growth.

“Early on, ‘growth at all costs’ was the mantra, so you can imagine that
security was an afterthought,” said Sierchio, whose tech career includes
designing video games for Atari in the early 1980s.

Even after Uber assembled a security team, the pushback continued when
employees raised concerns, he said.

“One of the things I was told is, ‘It’s not a security company,’” Sierchio
said. Spangenberg said he was told the same thing.

As disclosures about God View sizzled on the internet in 2014, the company
posted a statement saying that, “Uber has a strict policy prohibiting all
employees at every level from accessing a rider or driver’s data. The only
exception to this policy is for a limited set of legitimate business
purposes.”

Lawmakers, including Sen. Al Franken, D-Minnesota, demanded details about
those “legitimate business purposes.” Franken later wrote he was “concerned
about the surprising lack of detail in their response.”

Sierchio, who said he was pushed out in June, said the company’s policy
limiting access was “never enforced.”

After an investigation by New York Attorney General Eric Schneiderman, Uber
settled in January and promised to “limit access” to real-time trip data
“to designated employees with a legitimate business purpose.”

Even after the attorney general settlement, Spangenberg and Sierchio said
thousands of employees could still search Uber’s database to get real-time
ride information. The company said it complies with the settlement.

Uber did adopt some reforms. There was a pop-up message warning employees
that their activity was being monitored, but few took it seriously,
Spangenberg said. Another change flagged searches for customers considered
“MVPs.” But that didn’t protect anyone not labeled an MVP, Spangenberg said.

It also changed the name of God View to Heaven View, Spangenberg said.

NEWSLETTER SIGNUP

Subscribe to Reveal's email newsletter for a first look at new
investigations, behind-the-scenes glances at our reporting, occasional
newsroom antics and much more.

An internal audit team searched for abnormalities in all the database
activity to nab employees tracking customer data illicitly, said
Spangenberg, who assisted the investigations. Those they caught were
referred to HR to be fired, he said.

“If you knew what you were doing, you could get away with it forever,”
Spangenberg said. “The access is always there, so it was a matter of
whether you got caught in the noise.”

Many employees, Uber said, need access for reasons such as providing
customer refunds and investigating traffic accidents. The company added
that it blocks some teams of employees from getting the data without
approval, though it did not specify which teams or how the approval process
works.

Drivers’ personal details, including Social Security numbers, were also
available to all Uber employees, Spangenberg said in his declaration.

Spangenberg said he argued for shutting off access to sensitive data for
those who didn’t need it.

“I would say, ‘We can’t keep this information, you can’t allow this
information to be stored like this, you can’t leave it all connected like
this,’” he said.

Uber, in its statement, said, “We have made significant investment in
tightening our access controls during the past several years. Allegations
that simply acknowledging our policy in a pop-up window would provide
access to customer data for unauthorized employees are not correct in our
current environment.”

According to his lawsuit, Uber told Spangenberg he was fired for violating
a code of conduct and reformatting his computer, which erases everything on
it. He said he deleted and began rebuilding his laptop because it had
crashed, and that it was common practice.

He also got in trouble for accessing emails that dealt with his own job
performance review. Spangenberg said he was only testing out a program to
search company emails. The whole thing was a pretext, he said, to get rid
of him.

In court filings, Uber responded that it “generally denies each and every
allegation” made by Spangenberg.

Lawsuit says Uber destroyed documents

Spangenberg accuses Uber of destroying information he believed it was
obligated to preserve. “Uber routinely deleted files which were subject to
litigation holds, which was another practice I objected to,” his
declaration says.

A company can face legal penalties or be held in contempt of court for
scrubbing evidence it was supposed to keep.

Among his duties, Spangenberg said he was also a point person when foreign
government agencies raided company offices abroad.

“Uber would lock down the office and immediately cut all connectivity so
that law enforcement could not access Uber’s information,” his declaration
states.

In May 2015, for example, the tax agency Revenu Quebec raided Uber’s
Montreal office to gather evidence of tax evasion. Spangenberg said he
worked from San Francisco to encrypt the office’s computers.

“My job was to just make sure that any time a laptop was seized, the
protocol locked the laptops up,” he said.

Indeed, Quebec investigators – armed with a warrant to copy information
from Uber computers – went back to a judge to say the computers had been
remotely restarted and apparently encrypted, according to court records.
They got permission to take the computers with them, but the machines are
of little value if the information on them stays encrypted.

Efforts to encrypt data once a government search is in process “raises red
flags and serious concerns,” said Judith Germano, a cybersecurity expert
and former federal prosecutor.

A company could argue it was protecting sensitive information, she said.
But if a judge determined it was a deliberate effort to hide evidence, the
judge could impose legal sanctions or fines, and order the company to
decrypt the data.

In its statement, Uber said, “We’ve had robust litigation hold procedures
in place from our very first lawsuit to prevent deletion of emails relevant
to ongoing litigation.” Uber said it has an obligation to protect personal
information and that “we cooperate with authorities when they come to us
with appropriate legal process.”

Uber challenged the Quebec search warrants in court, but in May, a Canadian
judge wrote in French that Uber’s actions had “all the characteristics of
an attempt to obstruct justice,” suggesting that “Uber wanted to shield
evidence of its illegal conduct.” Uber is still appealing.

Looking back, Spangenberg describes a tangle of questionable practices and
gaping vulnerabilities.

“The only information, truthfully, that I ever felt was safe inside of Uber
is your credit card information,” he said. “Because it’s not stored by
Uber.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161213/effa3018/attachment.html>