The Washington PostDemocracy Dies in Darkness

Is Uber’s rider database a sitting duck for hackers?

(Andrew Harrer/Bloomberg)

Before #Ubergate recedes entirely from the news, let’s pause on one aspect of the story that hasn’t gotten much attention so far: the cybersecurity risk of collecting massive troves of private travel information in online databases.

Imagine for a second that your job is to gather intelligence on government officials in Washington, or financiers in London, or entrepreneurs in San Francisco. Imagine further that there existed a database that collected daily travel information on such people with GPS-quality precision– where they went, when they went there and who else went to those same places at the same times.

Now add that all this location data was not held by a battle-hardened company with tons of lawyers and security experts, such as Google. Instead, this data was held by a start-up that was growing with viral exuberance – and with so few privacy protections that it created a “God View” to display the movements of riders in real-time and at least once projected such information on a screen for entertainment at a company party.

And let’s not forget that individual employees could access historical data on the movements of particular people without their permission, as an Uber executive in New York City reportedly did when he pulled the travel records of a Buzzfeed reporter who was working on a story about the company.

Wouldn’t that strike you as a hacking opportunity of remarkable awesomeness?

It’s a safe bet that you’re not alone. Security experts say no taxi company, no car service, no private entity of any kind has ever presented the kind of cyber-espionage target that Uber now does.

“It’s a huge trove of data that could be used for a whole number of uses,” said Christopher Parsons, a digital privacy expert at Citizen Lab, a research center at the University of Toronto.

Uber declined to discuss how it protects user data when queried by The Washington Post, saying in a statement, “As a matter of security, we don't discuss publicly the details of our security.”

Since #Ubergate began, with reports that a senior company executive had publicly mulled hiring researchers to dig up dirt on critical journalists, the company has apologized and sought to strengthen its privacy policy. But it’s not clear if the company has instituted cyber-security protections on par with the sensitivity of the data it collects.

To take just one possible example, Uber has become particularly popular among the political class in Washington. During this year’s mid-term Congressional campaigns, Uber accounted for more than 60 percent of rides costing less than $100, according to Hamilton Place Strategies, which culled records from Federal Election Commission reports.

Wouldn’t detailed data on such rides be handy for a foreign power eager to map the relationships among various Washington players? It could potentially show both a history of contact and real-time movements as meetings are convening.

Then there are the personal travels of government officials and their families. A person who had a job interview in Uber’s Washington office in 2013 said he got the kind of access enjoyed by actual employees for an entire day, even for several hours after the job interview ended. He happily crawled through the database looking up the records of people he knew – including a family member of a prominent politician – before the seemingly magical power disappeared.

“What an Uber employee would have is everything, complete,” said this person, who spoke on the condition of anonymity for fear of retribution from the company.

A more sophisticated – and malicious – person with that access could have scraped data on a massive scale, then used powerful analytical software to learn things that Uber users might want to keep private, for professional or personal reasons.

(On Monday, after this post was online for several hours, Uber sent an updated statement detailing some steps the company has taken to review and improve privacy measures. "Our data privacy policy applies to all employees: access to and use of data is permitted only for legitimate business purposes. Data security specialists monitor and audit that access on an ongoing basis. Violations of this policy do result in disciplinary action, including the possibility of termination and legal action.")

Even putting aside the potential for spying by foreign governments, what about corporate espionage? Or research by activists eager to show that a particular lawmaker – or top staffers -- were too close with a certain company? Or a divorce lawyer eager to show that a wayward spouse was too cozy with a friend across town?

James A. Lewis, a cyber-security expert with the Center for Strategic and International Studies, said the widespread use of government cars insulates the highest government officials from exposure of their professional movements, likely limiting the national security risk from cyber-theft of Uber’s database. But Lewis said plenty of personal details on the rest of us are likely vulnerable in an era when major U.S. corporations seem to get hacked every other week.

For Uber riders out there, Lewis says there may be a pragmatic solution: Disguise your true destination by requesting a ride to another nearby address instead when traveling to your sensitive meetings or romantic rendezvous. Walk that extra block if necessary to cover your tracks, as if you were in a spy movie. And assume that anything that ends up in a database eventually might get stolen by someone who doesn’t have your best interests at heart.

“Most people,” Lewis said, “have really bad operational security.”