Uber said it protects you from spying. Security sources say otherwise
An internal audit team searched for abnormalities in all the database activity to nab employees tracking customer data illicitly, said Spangenberg, who assisted the investigations. Those they caught were referred to HR to be fired, he said.
“If you knew what you were doing, you could get away with it forever,” Spangenberg said. “The access is always there, so it was a matter of whether you got caught in the noise.”
Many employees, Uber said, need access for reasons such as providing customer refunds and investigating traffic accidents. The company added that it blocks some teams of employees from getting the data without approval, though it did not specify which teams or how the approval process works.
Drivers’ personal details, including Social Security numbers, were also available to all Uber employees, Spangenberg said in his declaration.
Spangenberg said he argued for shutting off access to sensitive data for those who didn’t need it.
“I would say, ‘We can’t keep this information, you can’t allow this information to be stored like this, you can’t leave it all connected like this,’” he said.
Uber, in its statement, said, “We have made significant investment in tightening our access controls during the past several years. Allegations that simply acknowledging our policy in a pop-up window would provide access to customer data for unauthorized employees are not correct in our current environment.”
According to his lawsuit, Uber told Spangenberg he was fired for violating a code of conduct and reformatting his computer, which erases everything on it. He said he deleted and began rebuilding his laptop because it had crashed, and that it was common practice.
He also got in trouble for accessing emails that dealt with his own job performance review. Spangenberg said he was only testing out a program to search company emails. The whole thing was a pretext, he said, to get rid of him.
In court filings, Uber responded that it “generally denies each and every allegation” made by Spangenberg.
Lawsuit says Uber destroyed documents
Spangenberg accuses Uber of destroying information he believed it was obligated to preserve. “Uber routinely deleted files which were subject to litigation holds, which was another practice I objected to,” his declaration says.
A company can face legal penalties or be held in contempt of court for scrubbing evidence it was supposed to keep.
Among his duties, Spangenberg said he was also a point person when foreign government agencies raided company offices abroad.
“Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information,” his declaration states.
In May 2015, for example, the tax agency Revenu Quebec raided Uber’s Montreal office to gather evidence of tax evasion. Spangenberg said he worked from San Francisco to encrypt the office’s computers.
“My job was to just make sure that any time a laptop was seized, the protocol locked the laptops up,” he said.
Indeed, Quebec investigators – armed with a warrant to copy information from Uber computers – went back to a judge to say the computers had been remotely restarted and apparently encrypted, according to court records. They got permission to take the computers with them, but the machines are of little value if the information on them stays encrypted.
Efforts to encrypt data once a government search is in process “raises red flags and serious concerns,” said Judith Germano, a cybersecurity expert and former federal prosecutor.
A company could argue it was protecting sensitive information, she said. But if a judge determined it was a deliberate effort to hide evidence, the judge could impose legal sanctions or fines, and order the company to decrypt the data.
In its statement, Uber said, “We’ve had robust litigation hold procedures in place from our very first lawsuit to prevent deletion of emails relevant to ongoing litigation.” Uber said it has an obligation to protect personal information and that “we cooperate with authorities when they come to us with appropriate legal process.”
Uber challenged the Quebec search warrants in court, but in May, a Canadian judge wrote in French that Uber’s actions had “all the characteristics of an attempt to obstruct justice,” suggesting that “Uber wanted to shield evidence of its illegal conduct.” Uber is still appealing.
Looking back, Spangenberg describes a tangle of questionable practices and gaping vulnerabilities.