Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.
And let’s not forget that individual employees could access historical data on the movements of particular people without their permission, as an Uber executive in New York City reportedly did when he pulled the travel records of a Buzzfeed reporter who was working on a story about the company.
Wouldn’t that strike you as a hacking opportunity of remarkable awesomeness?
It’s a safe bet that you’re not alone. Security experts say no taxi company, no car service, no private entity of any kind has ever presented the kind of cyber-espionage target that Uber now does.
“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.
Uber declined to discuss how it protects user data when queried by The Washington Post, saying in a statement, “As a matter of security, we don't discuss publicly the details of our security.”
To take just one possible example, Uber has become particularly popular among the political class in Washington. During this year’s mid-term Congressional campaigns, Uber accounted for more than 60 percent of rides costing less than $100, according to Hamilton Place Strategies, which culled records from Federal Election Commission reports.
Wouldn’t detailed data on such rides be handy for a foreign power eager to map the relationships among various Washington players? It could potentially show both a history of contact and real-time movements as meetings are convening.
Then there are the personal travels of government officials and their families. A person who had a job interview in Uber’s Washington office in 2013 said he got the kind of access enjoyed by actual employees for an entire day, even for several hours after the job interview ended. He happily crawled through the database looking up the records of people he knew – including a family member of a prominent politician – before the seemingly magical power disappeared.
“What an Uber employee would have is everything, complete,” said this person, who spoke on the condition of anonymity for fear of retribution from the company.
A more sophisticated – and malicious – person with that access could have scraped data on a massive scale, then used powerful analytical software to learn things that Uber users might want to keep private, for professional or personal reasons.
Even putting aside the potential for spying by foreign governments, what about corporate espionage? Or research by activists eager to show that a particular lawmaker – or top staffers -- were too close with a certain company? Or a divorce lawyer eager to show that a wayward spouse was too cozy with a friend across town?
James A. Lewis, a cyber-security expert with the Center for Strategic and International Studies, said the widespread use of government cars insulates the highest government officials from exposure of their professional movements, likely limiting the national security risk from cyber-theft of Uber’s database. But Lewis said plenty of personal details on the rest of us are likely vulnerable in an era when major U.S. corporations seem to get hacked every other week.
For Uber riders out there, Lewis says there may be a pragmatic solution: Disguise your true destination by requesting a ride to another nearby address instead when traveling to your sensitive meetings or romantic rendezvous. Walk that extra block if necessary to cover your tracks, as if you were in a spy movie. And assume that anything that ends up in a database eventually might get stolen by someone who doesn’t have your best interests at heart.
“Most people,” Lewis said, “have really bad operational security.”