At a recent dinner, Uber Senior Vice President Emil Michael suggested that Uber could spend “a million dollars” to hire opposition researchers to dig up dirt on journalists who were critical of the company, a service for hailing taxis, private cars or ride-shares. According to BuzzFeed: “That team could, he said, help Uber fight back against the press — they’d look into ‘your personal lives, your families,’ and give the media a taste of its own medicine.” He mentioned specifically focusing on the private details of the life of journalist Sarah Lacy. Lacy’s response is here. Michael has apologized for his comments, and Uber CEO Travis Kalanick has said Michael’s comments “were terrible and do not represent the company.”
If Uber were to investigate journalists or other critics, it would not be the first company to do so. Two cases involved Germany’s Deutsche Bank and Hewlett-Packard. In 2009, Deutsche Bank fired two executives because of a scandal in which bank executives hired investigators who spied on board members and a shareholder. In early 2006, then-Hewlett-Packard Chair Patricia Dunn hired private investigators who used “pretexting” to acquire the personal phone records of board members and journalists in an effort to locate the source of leaks to the media. (“Pretexting” is a fancy word for “pretending to be someone else in order to get his or her personal information” — in this case, phone records.) There were various criminal and Congressional investigations. Dunn said she didn’t know that the investigators were pretexting, and the charges against her were eventually dismissed. The scandal prompted Congress to pass the Telephone and Records Privacy Act of 2006, which prohibits pretexting to gather phone record data (with exceptions for law enforcement).
BuzzFeed also reported that another Uber executive, the general manager of Uber NYC, did something that also raises privacy questions. During an e-mail exchange with a journalist, the Uber executive “accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so.” This raises the specter of an insider misusing or abusing his data-access privileges to invade the privacy of an individual. We’ve talked before about the problems that arise when insiders abuse or misuse their access to individuals’ data. There have been many such cases.
Recently, the Indiana Court of Appeals upheld a $1.4 million jury verdict for a Walgreens pharmacy customer whose prescription information was provided to her ex-boyfriend, who was then dating a Walgreens pharmacist. Last year, the National Security Agency’s Inspector General revealed in a letter (pdf) to Sen. Chuck Grassley (R-Iowa) that there were cases “in which NSA personnel intentionally and willfully abused their surveillance authorities.” Here’s just one of at least six cases that were referred to the Justice Department for further action. It occurred on the insider’s “first day of access” to the signals intelligence (SIGINT) data. The person, a member of the military, “queried six e-mail addresses belonging to a former girlfriend, a U.S. person, without authorization.”
Such cases of insider misuse or abuse of data access have also occurred in: Minnesota, where 104 officers from 18 agencies in the state accessed one woman’s “driver’s license record 425 times in what could be one of the largest private data breaches by law enforcement in history”; Tucson, Ariz., where University Medical Center officials fired three employees for violating the privacy of patients connected to the shooting rampage by Jared Loughner; New York City, where a police sergeant pleaded guilty “to illegally entering a federal database and giving information from a terrorist watch list to an acquaintance to use in a child-custody case in Canada”; Massachusetts, where the state auditor found misuse by law enforcement officials of the criminal records system (police pried into the personal data of Patriots’ quarterback Tom Brady, actor Matt Damon, then-Boston Celtics player Paul Pierce and others); and the U.S. government, where the State Department found that federal employees repeatedly snooped into the passport files of entertainers, athletes and other high-profile Americans. The cases aren’t confined to the United States; for example, they’ve occurred in Canada, New Zealand and the UK.
And corporations sometimes say that they have the right to access customers’ data without their knowledge. For example, in March, Microsoft admitted that it had accessed e-mails in a journalist’s Hotmail account as it sought to investigate the source of a leak of information. Microsoft, which said it would revise its policy after an uproar over its actions, claimed it had the right to read Hotmail users’ e-mail. And that month the Guardian reported that the terms of service for Yahoo, Google and Apple also said they had the right to read the e-mail of people who used the companies’ e-mail services.
Amid the uproar over the comments and actions by Uber executives, company spokeswoman Nairi Hourdajian wrote a blog post to clarify the company’s privacy policies, but it raised more questions. Hourdajian wrote, “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data,” but went on to say, “The only exception to this policy is for a limited set of legitimate business purposes.” She listed examples of “legitimate business purposes,” but that raises the question of what else could be considered such by Uber. In another blog post, Uber said it has hired law firm Hogan Lovells to “conduct an in-depth review and assessment of our existing data privacy program and recommend any needed enhancements.”
Sen. Al Franken (D-Minn.), chairman of the subcommittee on Privacy, Technology and the Law of the Senate Judiciary Committee, wanted more information from Uber. He sent a letter (pdf) questioning Uber on its privacy policies, especially in regard to who can access customers’ travel logs. Franken wrote: “The reports [about Uber executives’ comments and actions] suggest a troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data. […] This raises serious concerns for me about the scope, transparency, and enforceability of Uber’s policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced.” He continued by asking for more specific information from Uber about its privacy and data-access policies.