Pando

Wow. Uber gave a job interviewee full access to its user location data

By Michael Carney , written on December 2, 2014

From The News Desk

Uber is either incredibly stupid or incredibly arrogant, possibly both. This is the only conclusion possible given a recent report by The Washington Post's Craig Timberg in which he reveals that the company gave a job candidate all-day access to its database of historical and real-time user location data as part of an interview.

Comically, Uber responded to the Post's report with a statement saying "As a matter of security, we don't discuss publicly the details of our security.”

It is not uncommon in industries like banking and consulting for interview candidates to be asked to solve a case study or complete mock project to demonstrate their abilities. The key word in this scenario, however, is "mock." In these industries, client confidentiality is of utmost importance and, accordingly, these case studies are typically anonymized if not entirely made up. Uber, it seems, couldn’t be bothered to do the same for its own interview, user privacy be damned.

Uber has spent the last several weeks fending off allegations of wanton disregard for data privacy, following reports that a so-called “God view” mode allowed employees to monitor the movements of the company’s users. The company’s cavalier attitude toward user privacy was called into sharp contrast when a senior executive threatened to conduct opposition research against Pando’s Sarah Lacy and other critical journalists. Shortly after, Senator Franken in his recent letter to the company described Uber as possessing a “troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data.”

The risks of Uber’s lax data policies were confirmed by revelations that Uber NYC GM Josh Mohrer once told BuzzFeed News reporter Johana Bhuiyan, “I was tracking you,” in reference to her arrival to his office in an Uber car. San Francisco Magazine’s Ellen Cushing too was warned by both current and former Uber employees that the company might access her rider data following a particularly critical string of reporting. And our first hint that Uber might be abusing its data access came via a blog post by former VC Peter Sims, revealing that his location was broadcast in real-time to a room of more than 1,000 people at an Uber party in 2011.

More recently, Uber has made efforts to convince users – including inquiring Senators – that it has shored up its data policies. The company recently updated its user privacy policy and provided the Post with a statement pertaining to its impact:

Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes. Data security specialists monitor and audit that access on an ongoing basis. Violations of this policy do result in disciplinary action, including the possibility of termination and legal action.
Whether this policy is effective in limiting access to this data is difficult to ascertain from the outside. What we can say, is that Uber has never stated that it’s eliminated access to this data, or anonymized it, only that the company is monitoring that access to make sure it’s utilized properly. That seems like a minor response to what should be considered a major issue.

This latest report provides more evidence of how bad things have got at Uber but, given how much we already know about the company's willingness to violate user privacy, it sadly comes as no surprise.