
Can Uber Keep Your Data Safe? It's Trying.

The company is beefing up its security team to prevent future data breaches.

A few years ago, Uber published a blog post analyzing some of its late-night riders. The post isolated those riders who had hailed an Uber on a weekend night and then called for another ride, within a short distance of the original dropoff, 4-6 hours later. 

What this created was a map of Uber-facilitated one-night stands, or, as the company called them, “Rides of Glory.”

The data revealed a lot of interesting things. One-night stands peaked on holidays like Cinco de Mayo and Tax Day, dipped on Valentine’s Day, and originated in certain party-heavy neighborhoods. 

But to readers, the research carried a gut-busting revelation: Uber, apparently, can track when we have sex.
 

The backlash against the post eventually led the company to remove it. But it was a harrowing reminder of how much information Uber has on us, and how many conclusions about our behavior can be drawn from that data. Tracking an Uber user's ride history can unearth where they live, where they work, who they hang out with and, yes, maybe even who they're sleeping with. Uber data could show someone who is cheating on their spouse, reveal employees who are slacking off on the job or give a stalker unlimited ammunition. It's a data set with particularly terrifying privacy repercussions. 

Uber is not unaware of the issue. The ride-share service, valued at $50 billion, is beefing up its security team, hiring 25 new employees by the end of the year in a move to increase the department to 100 people, according to a Financial Times report on Sunday. It’s part of Uber’s overall effort to tighten data security as the company grows.

"Uber is in more than 330 cities and 60 countries around the world and continues to expand rapidly,” the company said in a statement to The Huffington Post. “We are scaling teams -- including the security team -- across the company to match our growth, not in reaction to any events."

In April, Uber also hired Joe Sullivan, formerly Facebook’s chief security officer, to oversee the company’s safety and cybersecurity. 

But as the "Rides of Glory" blog post demonstrated, Uber has a historically tricky relationship with its riders’ personal information. After a BuzzFeed reporter exposed that Uber employees had accessed her ride history without her permission, the company clarified its internal privacy policy, eliminating employees' ability to access user or driver data without a specific purpose.

In March, Motherboard found Uber accounts, containing a user name and password, for sale on dark web messaging boards for as little as $1. Uber denied that the accounts came from a company breach and encouraged its riders to keep their personal phones and log-in information secure.

But at the time, the company was actually in the midst of a real hack, which compromised the personal information -- including names and license plate numbers -- of up to 50,000 current and former drivers. The company discovered the security lapse, which happened in May 2014, in September of that year, but waited five months to notify its drivers. Uber offered them one year of free "ProtectMyId" monitoring from credit report firm Experian to soften the blow. The affected drivers filed a class-action lawsuit against Uber in March.  

Though 50,000 is a lot of people, it's not a ton compared to how many have been affected by other big data breaches. When a cybercriminal hacked into Target's point-of-sale terminals, they jeopardized the credit card information of 110 million customers. In 2014, hackers exposed almost 56 million credit cards of Home Depot customers.

But Uber and other ride-sharing services know something that retail outlets don't track: your location. 

Stephen Boyer, co-founder of security evaluation company BitSight Technologies, says that, according to BitSight's index, technology firms rank equally with retail companies in terms of security preparedness -- that is to say, not great. But technology services like Uber, which deal in locational information, have a unique set of security parameters.

"They’re kind of a retailer," Boyer said. "But I'm not familiar with any rules or regulations as to how locational information gets processed. It's a relatively recent phenomenon that companies have this kind of information on everywhere you go." 

Though several states have enacted laws that protect geolocation data from surveillance, federal legislation has stalled in Congress. 

For its part, Uber is trying to establish trust with its users. In January, just before it announced its hack, the company hired an outside team to evaluate its privacy standards. The resulting report found that Uber was doing pretty well, and gave the company 10 areas where it could improve. 

The company took to its blog to respond to the report: "While Uber is encouraged by these findings, we fully acknowledge that we haven’t always gotten it right."  
