Information Security, Top News

Lyft investigates allegations of employees snooping on riders

The US ride-hailing company Lyft said on Thursday that it’s investigating allegations that its employees have snooped on riders, including looking up the trip data of their exes, famous actresses, porn stars or other famous users, such as Facebook founder Mark Zuckerberg.

The story was first reported by the technology news site The Information.

The publication said that somebody claiming to be a current or former Lyft employee made the allegations on an anonymous app called Blind, where people can gossip about their employers.

Lyft emailed a statement to Reuters in which it said that if the allegations are true, they’re offenses worth getting fired for:

The specific allegations in this post would be a violation of Lyft’s policies and a cause for termination.

CNN Tech reports that hours after the report, Lyft cofounders Logan Green and John Zimmer emailed employees. The subject line was “Upholding trust.” CNN Tech obtained the email, which said:

Our company’s values are based on creating a healthy environment of trust and accountability. If we find a violation, we will take appropriate action.

The news immediately drew comparisons to Uber’s “God view” mode, which tracks riders and displays their information in an aerial view.

Uber has a history of bristling at criticism of its security practices, and its history is littered with violating journalists’ privacy: one executive suggested spending $1 million to mine personal data for dirt to discredit a journalist who criticized the company, for example.

In another incident, Uber found itself having to investigate yet another exec for poking at yet another journalist’s personal data (twice) and tracking her movements without her permission.

Uber’s tracking of that reporter, BuzzFeed’s Johana Bhuiyan, is what triggered a data privacy investigation by New York Attorney General Eric Schneiderman into Uber’s use of the God View tool.

In November 2014, Uber responded by re-stating its privacy policy, including that it had deployed an automated tool to monitor employee access to God View as a way of deterring abuse.

The US FTC later discovered that tool was in use for less than a year, abandoned for reasons that weren’t clear. Separately, around the same time, the New York Times also discovered that Uber started using a tool called Greyball to track officials investigating the company’s operations in a number of cities.

Part of the 2016 settlement over Schneiderman’s investigation was a requirement that Uber encrypt rider geolocation information and that it adopt multifactor authentication that would be required before any employee could access especially sensitive rider personal information.

Uber said it introduced a “strict policy prohibiting” employees from accessing sensitive information, but the FTC in 2017 issued a complaint calling the company’s enforcement of the policy into question. Uber settled the complaint with the FTC, agreeing to privacy audits every two years until 2037 as part of the agreement.

CNN Tech said that in its statement about the allegations regarding its own employees’ God View-ish tendencies, Lyft said that some employees, such as engineers, have access to customer data. A source familiar with Lyft’s policies told the publication that that data includes details such as pickup and drop-off locations.

Lyft said its employees are required to undertake training and sign a confidentiality and responsible use agreement upon joining the company.

From the statement:

[Lyft’s policies] categorically prohibit accessing and using customer data for reasons other than those required by their specific role at the company. [They also] bar them from accessing, using, or disclosing customer data outside the confines of their job responsibilities.

The company didn’t provide a timeline for its investigation, but it did note that queries into Lyft’s rider data lookup system are logged. Thus, if the allegations are true, it shouldn’t be hard to find out who’s been God-Viewing Mark Zucerkberg or their exes.


Source : Naked Security

Previous ArticleNext Article
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.

Send this to a friend