How Uber drives a fine line on security and privacy
Scandal-plagued Uber on Friday announced new privacy-controlling tools that give users, among other things, a simple way to remove their account information and trip details from Uber’s servers.
An Uber representative told The Parallax that these changes have been in the works for at least seven months and denied that they are connected to #deleteuber. The movement, which was initially triggered by ride price surges surrounding massive protests against President Trump’s executive order banning refugees and immigrants from several countries, reportedly led to about 200,000 account deletions and a flood of customer support calls.
Through the new privacy settings menu, accessible under Settings in the user profile, Uber users can also adjust push notifications, including those for trip status alerts and ads, and manage location settings, including when the company or friends can view their locations.
Ride-sharing competitor Lyft, which alongside Uber last year received high marks from the digital-privacy advocacy organization Electronic Frontier Foundation for how it has handled user data, declined to comment for this story.
Securing the “essentially plaintext,” unencrypted location data shared between cell phones, apps, and networks would be challenging for any company, says geolocation security expert Mark Loveless, senior security researcher at Michigan-based Duo Security. While Uber encrypts geolocation data once it has access to it, that data, if exposed, poses risks to the very people who rely on it to use apps like Uber’s.
“If somebody was going to someplace sensitive or private—if it got out, it could be anywhere from embarrassing to impacting on somebody’s safety,” Loveless says.
Uber, whose struggles with ethical choices and corporate culture have drawn outsize attention since the takeoff of #deleteuber, commands a vast trove of its customers’ most sensitive data: the locations of their homes, places of employment, and movements throughout the day and night; their credit card numbers; and, increasingly, the contact information and locations of their friends and family.
The responsibility of protecting that information alongside its customers’ physical well-being, Uber says, has driven it to build a security team of more than 500 employees that gets involved with every stage of product development.
“Before a single line of code is written,” says Uber’s chief information security officer, John “Four” Flynn IV, Uber’s security team is invited to participate in the design of the product. “And every project here at the company goes through that process,” he says. “It was just the right thing to do.”
Of course, the concerted build-out of Uber’s security team, beginning with the hiring of Joe Sullivan as chief security officer, started about a year after the company suffered a data breach in May 2014 involving more than 50,000 driver records.
Flynn says Uber’s top-to-bottom approach to security is reflected in the way it encourages its security team to “roll up its sleeves” and patch vulnerabilities identified through its bug bounty, an ongoing contest with cash payouts for hackers to find flaws in its software, without involving engineers from other teams.
“That way, it feels more empowering,” Flynn says, “and less adversarial.”
Uber also encrypts all user credit card information, whether from business or consumer clients, rendering it inaccessible to hackers or even Uber employees because it has been turned into an electronic token, says Simi Sohi, a senior security strategist who leads security assurance for Uber for Business.
“When you put your credit card number into the app, you’re the last person who sees it,” she says.
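The tokenization Sohi describes separates the card number from everything the application stores. The following Python sketch is an added illustration of that pattern, not Uber’s code or a description of its systems: a hypothetical `TokenVault` (standing in for a separately secured vault service) is the only component that ever sees the card number, and the application database keeps only an opaque token plus the last four digits. The card numbers and key are constructed test values.

```python
"""Card tokenization: the application stores an opaque token, never the PAN.

Added example with a hypothetical vault; not the code of any real provider.
"""
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed numbers are rejected before anything is stored."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for a separately secured token vault (constructed for this example).

    Only the vault holds the mapping from token to card number. The token it
    returns is random, so it reveals nothing about the card by itself.
    """

    def __init__(self, key: bytes):
        self._key = key                      # secret used only for the dedupe fingerprint
        self._by_token: dict[str, str] = {}  # token -> PAN (lives only inside the vault)
        self._by_fingerprint: dict[str, str] = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # Keyed HMAC fingerprint lets a repeat card map to the same token without
        # the application ever holding a reversible copy of the PAN.
        fp = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(24)
            self._by_fingerprint[fp] = token
            self._by_token[token] = pan
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        """Only a payment processor integration would call this, never app code."""
        return self._by_token[token]


class AppDatabase:
    """Application side: a dump of this store exposes no card numbers."""

    def __init__(self) -> None:
        self.cards: dict[str, tuple[str, str]] = {}  # user_id -> (token, last4)

    def save_card(self, vault: TokenVault, user_id: str, pan: str) -> str:
        token, last4 = vault.tokenize(pan)
        self.cards[user_id] = (token, last4)
        return token

    def leaks_pan(self, pan: str) -> bool:
        """True if the full card number appears anywhere in the app's own records."""
        needle = pan.replace(" ", "")
        return any(needle in token or needle in last4 for token, last4 in self.cards.values())
```

The point to check in a real deployment is the same one the code makes explicit: app-side tables and logs should contain only tokens and display digits, and the vault’s detokenize path should be reachable from the payment integration alone.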
Until the company similarly protects customers’ location data, its continued collection and storage of customers’ locations makes it a ripe target for government agencies, including those in intelligence and law enforcement, as well as hackers, says Joseph Jerome, a policy counsel who focuses on data and privacy at the Center for Democracy and Technology, a digital-rights nonprofit.
“Uber’s entire business is location. You can see every trip you’ve taken, and that goes back years now. Our [question] to them is, Why can’t you let people delete that? Or, Why aren’t you deleting it over time?” he says. Neither Lyft nor Uber allows its customers to delete their ride history without deleting the app.
“There’s nothing stopping a company from taking precise information and making it into less precise information,” Jerome says. “And you see Uber gives that option to users superficially, where they can specify an intersection for pick-up, and not an address. But they’re collecting it on the back end.”
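Jerome’s two suggestions, keeping less precise coordinates and deleting old records over time, are both simple to implement. The Python below is an added example of what a back end that honoured them could look like; it is not Uber’s code, and the grid size, retention period, and coordinates are constructed values chosen for illustration.

```python
"""Store trips as coarse grid cells and expire them after a retention window.

Added example of precision reduction and time-based deletion for location data;
not the code of any ride-sharing company.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def coarsen(lat: float, lon: float, cell_deg: float = 0.01) -> tuple[float, float]:
    """Snap a coordinate to the centre of a cell_deg x cell_deg grid cell.

    0.01 degree of latitude is roughly 1.1 km, so a street address becomes
    a neighbourhood-sized cell. Nearby points collapse onto the same value.
    """
    if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
        raise ValueError("coordinate out of range")
    clat = math.floor(lat / cell_deg) * cell_deg + cell_deg / 2
    clon = math.floor(lon / cell_deg) * cell_deg + cell_deg / 2
    return round(clat, 6), round(clon, 6)


@dataclass
class TripRecord:
    user_id: str
    pickup: tuple[float, float]   # already coarsened
    dropoff: tuple[float, float]  # already coarsened
    ended_at: datetime


class TripStore:
    """Hypothetical trip history that never holds exact coordinates."""

    def __init__(self, cell_deg: float = 0.01, retain_days: int = 90) -> None:
        self.cell_deg = cell_deg
        self.retain = timedelta(days=retain_days)
        self._trips: list[TripRecord] = []

    def record_trip(self, user_id: str, pickup: tuple[float, float],
                    dropoff: tuple[float, float], ended_at: datetime) -> TripRecord:
        # Precision is reduced at write time, so the exact address is never persisted.
        rec = TripRecord(
            user_id=user_id,
            pickup=coarsen(*pickup, self.cell_deg),
            dropoff=coarsen(*dropoff, self.cell_deg),
            ended_at=ended_at,
        )
        self._trips.append(rec)
        return rec

    def trips_for(self, user_id: str) -> list[TripRecord]:
        return [t for t in self._trips if t.user_id == user_id]

    def purge(self, now: datetime) -> int:
        """Delete trips older than the retention window; returns how many were removed."""
        cutoff = now - self.retain
        before = len(self._trips)
        self._trips = [t for t in self._trips if t.ended_at >= cutoff]
        return before - len(self._trips)


if __name__ == "__main__":
    store = TripStore()
    t0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
    # Two pickups a block apart (constructed coordinates) land in the same cell.
    store.record_trip("u1", (37.7749, -122.4194), (37.8044, -122.2712), t0)
    store.record_trip("u1", (37.7762, -122.4181), (37.8044, -122.2712), t0 + timedelta(days=100))
    for t in store.trips_for("u1"):
        print(t.pickup, t.dropoff, t.ended_at.date())
    print("purged:", store.purge(now=t0 + timedelta(days=120)))
```

Coarsening at write time is the part that matters: reducing precision only in the user interface, as the quote describes, leaves the exact coordinates on the back end for anyone who later obtains them.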
In accordance with laws in the jurisdictions in which it operates, Uber fulfills “tailored and specific” law enforcement requests regarding the locations of specific individuals, says Steffi Bryson, a senior public-policy associate who works closely on security-related issues.
“The vast majority of our requests come from local police departments about very specific incidents that took place on the Uber platform,” she says.
The ride-sharing company, meanwhile, has largely ignored laws and arguably put many non-customers at physical risk by, until recently, violating a California state regulation that requires $150 permits to test self-driving cars. At least two Uber self-driving cars, whose underlying technology Google alleges was stolen by former company executive Anthony Levandowski, have crashed.
On the other hand, Bryson says, the company has helped the National Highway Transportation Safety Administration by submitting regulatory guidance on how to better protect cars from hackers.
“There was just a fundamental lack of understanding [at the agency] of how the technology works and how it’s developing,” she says. “And at the same time, there’s an interest to build in certain safeguards.”
Whatever its intentions, Uber’s technological turns still seem slightly speedier than its customers’ perceptions, if not the law. In December, an update to the app told users that it now collects user location data up to five minutes after a ride ends. Although users can disable Uber’s location tracking, doing so forces them to type in their location.
While Uber says the post-ride data collection is designed to “improve pickups, drop-offs, customer service, and to enhance safety,” the privacy implications of Uber knowing where you are, even when you’re not in an Uber car, are “creepy,” says Willow Brugh, a disaster and crisis response expert and MIT Media Lab researcher who has worked to keep geolocation data private as it connected citizens to civic infrastructure in Tanzania.
Brugh, who says she keeps track of much of the data she produces in her digital life, predicts that at some point, Uber will suffer another major hack that puts its customers at risk. Until then, she says, they should have better insight into how much of their personal data the company is collecting—and thus what those risks are.
“I don’t think there’s a technical intervention” except to not collect user geolocation data, Brugh says. “There’s no way to keep it from going poorly.”
Updated at 5:00 p.m. PST to clarify how Uber’s December 2016 update changes the functionality of the app.