Earlier this week, in the wake of comments made by Uber's Senior Vice President Emil Michael that the company might start spying on journalists who criticized their precious app, BuzzFeed News determined that one of its reporters had literally been tracked by Uber's "top New York executive" Josh Mohrer.
Apparently, Mohrer had dug up records of where BuzzFeed reporter Johana Bhuiyan had been traveling while she was using the Uber app. When she first arrived at the Uber offices, he greeted her and allegedly told her: "I was tracking you." Mohrer also provided Bhuiyan with a screenshot showing information about all of the trips she took using the Uber platform, which is not data that she requested.
The tracking information published by BuzzFeed News only shows the times when her taxis picked her up and dropped her off, but the backend tool that Mohrer used to track her, called "God View," reportedly has powerful capabilities to determine the locations of their drivers and customers as well.
So all of this leads to one major question: What good reason does Uber have for developing a God View feature in the first place?
For those of you who didn't grow up playing first-person shooters, the term God Mode is a ubiquitous one for video game cheat codes. When activated, God Mode provides the player with a deeply unfair, but nonetheless irresistible, power of invincibility.
Crossing that line between being fair or being all-powerful is what makes cheat codes fun. But when applied to a real world scenario—with the whereabouts and personal information of actual human beings at stake—then the line between fairness and power becomes a moral one, with serious consequences when it is crossed.
Two former Uber employee sources told BuzzFeed News that God View was never available to drivers. But that's not entirely true.
In a nine-month-old post in a subreddit for Uber drivers, various users discuss not being able to access God View any longer. According to one comment, posted way before the latest God View revelations, Uber suspended drivers' access to God View because "it gave people too much information, especially their competitors. The interface is still up, though, because why bother spending the time and money to change a website that only the drivers will see."
That same user then linked to a hacked version of the God View API, which allows tinkerers to access God View (a tool Uber has previously blogged about) with a bit of coding. That Uber hack is still online over at GitHub.
I was able to verify that there was, in fact, a version of God View available to drivers by looking up the Google Cache version of the God View login page. After looking at the source code of the God View tool, which has also been mirrored on Pastebin, it appears that the background image for the God View interface was a file named "dr_evil.jpg."
While it's unclear if that image actually showed a picture of Mike Myers's lovable antagonist—Google Cache didn't save any images—the wink and nod towards the potentially dangerous, all-encompassing view of Uber's God View is certainly not lost on anyone.
While it's also unclear if this driver-facing version of God View had the same suite of tools that Josh Mohrer accessed when he was spying on a BuzzFeed journalist, it seems clear that Uber considered it an integral part of its business tools. And, even beyond that, for its staff (senior or otherwise) to be able to access a system that can track individual users—who, unlike riders in a regular taxi, have their personal information attached to their profile—is unacceptable.
Uber has not yet responded to Motherboard's requests for comment. We'll update if we hear back.
I reached out to Chris Parsons, a cybersurveillance researcher at the University of Toronto's Citizen Lab, to discuss Uber's God View and the ramifications for users.
"Uber understandably has infrastructure in place to monitor where its drivers are and a business case can be made for some degree of monitoring of how, and how often, their clients use the service," he said. "However, such data must be carefully controlled with strict security, privacy, and access safeguards. At this point it doesn't appear that such have been stringently developed or applied."
And this really is the key. Obviously the protocol needs to keep track of where its drivers are, and where its customers are, in order to put the two in touch and run a smooth business. But for this data to be available, in a free-for-all, to the petty whims of its staff has a huge potential for abuse—especially in light of the vindictive comments made by Uber's Emil Michael about getting revenge on journalists.
"We know that national security and intelligence agencies are deeply interested in where people travel to, and in understanding the movement patterns of individuals regardless of their being identified as 'targets' of government surveillance," Parsons continued. "And Uber's seeming failure to secure its data—to the point where developers have already found ways of querying the data by reverse-engineering Uber's mobile client software—would suggest that an intelligence or security service that was sufficiently motivated could do the same."
This dilemma, which surrounds providing a security agency with a platform to monitor a wide array of people as they come and go around an urban area, is one that should have been taken much more seriously by Uber. Given their apparent ignorance of basic operational security to lock down their data from the prying eyes of staff members, it's painfully clear that steps have not been taken to secure and encrypt this platform against access by even more devious actors.
"There's no evidence that such a security or intelligence service has 'cracked' Uber but past Snowden revelations have revealed that the NSA and its partners are voracious collectors of all kinds of tracking data," Parsons concluded. "There's no reason why these agencies wouldn't be as interested in Uber's data as other services' data that could identify where, and how often, people travel around their cities and around the world."