Traditionally, privacy worries for consumers and tech companies have been limited to keeping information secure from third parties or hackers. But a series of internal abuses show that tech company employees often have universal access to user information, as well as reason — be it pure voyeuristic curiosity or, in the worst cases, a vendetta — to look at our whereabouts, our spending, and the most private corners of our lives.
Fears of employee data abuse are founded, from the highest levels of government intelligence down to car-sharing apps. In 2013, reports revealed over a dozen instances in the past 10 years in which National Security Agency employees abused NSA surveillance to collect data on love interests, referred to internally as "Loveint." At tech companies, where security measures and training are largely more relaxed, employees surveilling the location histories of ex-lovers, tracking roommates in real time, and looking at activity logs of friends of friends is not only a plausible fear, but a new reality. Just last month, a New York Uber executive was investigated and reprimanded for tracking the whereabouts of a BuzzFeed News reporter without her permission.
BuzzFeed News reached out to 29 major technology companies, including social networks, fitness trackers, and dating, payment, messaging, music, and mapping apps, with 10 specific questions about their internal privacy policies with regard to user data.
Out of the 29 companies, only 13 responded. Of the 13 that responded, three companies didn't offer comment. Responses from the other 10 manifested a wide range of views: Some took the inquiry seriously, others offered boilerplate responses, and a significant percentage of the companies chose to remain silent. All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.
BuzzFeed News sent the same set of 10 straightforward questions to all 29 companies. Here is the list in full:
location, financial, and other account data? If so what is it? Are there any exceptions to that policy and what is a comprehensive list of those exceptions?
* How many, and which types of, employees currently have access to users' account data?
* What is the process to gaining that access? Is there more than one level of permission? What are they and the respective processes to
* Do the CEO and other senior executives have personal access to all user data? Do interns?
accessing a user's account without permission? Has this policy ever been enforced, and if so can you provide an example?
* How does the company monitor employee access to user accounts?
* What steps, if any, does the company take to de-identify users in
* Does the company share or sell user data that includes identifying information to other parties; and if so, how is that confidentiality
* Does the company have a plan for transfer of user data if the company changes hands?
* Are there any procedures in place to notify users and the public to changes in the terms of service?
Splitwise, My Fitness Pal, Skype, Tinder, GroupMe, Hinge, WhatsApp, Pandora, Kik, Viber, OkCupid, Line, Rdio, Waze, and Foursquare did not respond to multiple emails from BuzzFeed News editors and reporters inquiring about employee policies regarding user data and privacy. Together these companies represent billions of individual user accounts that ask for, receive, and store troves of personal data, ranging from location and movement logs and financial information to private communications and sexual orientation/dating history.
Gett, which excoriated its rival Uber for its recent scandalous business tactics, provided no comment to BuzzFeed News. "I've just got off the phone speaking to our lawyer and basically been told that we have no comment," CMO Rich Pleeth said via email.
Scruff, a popular gay dating app and rival to Grindr, declined to comment for this story, noting that the company "recently worked on a contributed piece for Huffington Post's Gay Voices blog that addresses SCRUFF's views on user privacy and security." The piece, by Scruff's CEO and lead programmer, straightforwardly addresses Scruff's geolocation technology. It does not, however, address questions about employee access and permissions with regard to user data, both real-time and stored logs.
Spotify responded to the initial inquiry but never provided answers to the survey.
Eight of the 10 respondents opted to send a blanket statement instead of addressing BuzzFeed's questions individually. Many provided a link to the company's privacy policies, most of which do not explicitly address employee access to data.
Fitbit's privacy page is extensive, but does not directly address safeguards for employee access to user data. "Fitbit uses a combination of technical and administrative security controls to maintain the security of your data. If you have a security-related concern, please contact Customer Support," the page reads.
GrubHub responded that "employees are only allowed access to personal information that may be necessary to fulfill their job responsibilities (e.g., customer service inquiries)." Full statement:
In addition, any employee who breaches their obligation of confidentiality by disclosing non-public information is subject to disciplinary action, up to and including termination.
The company also provided a link to its FAQ page for privacy.
Inside that FAQ, eBay notes that "we train our employees on how to protect and secure your information." There is no mention of specific safeguards protecting data from employees.
While the company notes that it collects very little information on its users, it also states, "We further have controls in place on our internal systems."
The internal communications company told BuzzFeed News that, unlike many consumer-facing apps, "Slack is an agnostic platform upon which companies can decide their own policies." The company notes that "in all cases, we strive to make a team's internal policy settings transparent to the team's members."
The company recently updated its privacy policies, which include extensive "human-readable summaries, complete histories (and diff files where possible) for older versions of the relevant documents." The company also provided detailed FAQs.
In terms of employee access to user data, Slack issued the following statement:
We have four different outside companies providing various kinds of external security and process evaluation, from penetration testing and a very active bug bounty program to evaluation of internal policies and controls as part of SOC-2 audits (which includes everything from physical access control, hard drive encryption and security settings on all computers to extensive employee background checks). Neither the CEO nor any other executive has access to all user data. Any access is logged and spot audited and there are several layers of technical controls & permissions which prevent unauthorized access. We'd treat any violation of internal policies and controls regarding user data the same way we'd treat embezzlement or any other kind of fraud.
In terms of employee access to user data, Jacobs noted that:
Employee access to user data is doled out very carefully by a Systems team with deep expertise in PII (personally identifiable information) data. The general rule is that employees only have access to data that they directly need for their job. For this reason, senior executives (CEO, CFO, etc) and most other employees have zero access to any user data. Only employees who help users debug issues with our product may at times have access to some user data. For example, if a user experiences a GPS problem while running with RunKeeper, an employee in Support or Engineering may access that data in order to help the user with their problem.
Of the 29 companies BuzzFeed News contacted with our employee data and privacy survey, only two (HipChat and Lyft) responded directly to all 10 questions. A HipChat support representative provided detailed answers to each of BuzzFeed's questions; however, these answers were actually from the perspective of a user accessing his or her own data, not access on the part of HipChat or its owner, Atlassian.
In the wake of the Uber scandal, the company changed its internal employee access policies last month, including "the development of tiered access controls that further limit access to user data to a smaller subset of employees and contractors. Ride location data is restricted to an even smaller subset of people."
Lyft noted that employees in roles with duties that require access to user data, such as Trust & Safety or Customer Support, have access to the level of data required by their specific job requirements. Furthermore, an internal team reviews which employees require access to user data as a part of their specific job duties. If employees violate Lyft's internal policies with regard to user data, they "would be subject to disciplinary action, including termination and legal action."
The company told BuzzFeed News it has established an internal monitoring system that "records access to user data and logs the event, including the identification of the particular authorized user who accessed the data, for auditing purposes." The company also said that it takes steps to anonymize users by "randomly assigning a number to each user and ride that we use to reference data throughout our systems."
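As an added illustration (not code from Lyft, Slack, or any company in this story), here is what the controls these statements describe look like in Python: need-to-know tiers per role, pseudonymous user ids, an access log that names the employee on every read, and a spot audit over that log that flags the "Loveint" pattern of repeated location lookups on one user. The roles, data classes, and records are constructed for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Need-to-know tiers (constructed roles): each role sees only the data classes
# its job requires; executives get no blanket access to user data.
ROLE_SCOPES = {
    "support": {"profile", "ride_summary"},
    "trust_safety": {"profile", "ride_summary", "ride_location"},
    "executive": set(),
}

# Pseudonymisation: internal systems reference users by a keyed hash of the
# real id, so logs and analytics never carry names or emails.
PSEUDO_KEY = secrets.token_bytes(32)  # would live in a secret store

def pseudonym(real_id: str) -> str:
    return hmac.new(PSEUDO_KEY, real_id.encode(), hashlib.sha256).hexdigest()[:16]

class AccessGateway:
    """Sole path to user records; every read is checked and logged."""
    def __init__(self, records: dict):
        self._records = records  # {pseudonym: {data_class: value}}
        self.audit_log = []      # append-only; ship off-host in production

    def read(self, employee: str, role: str, user: str, data_class: str, ticket: str = ""):
        allowed = data_class in ROLE_SCOPES.get(role, set())
        # Log every attempt, denied or not, naming the employee who made it.
        self.audit_log.append({"employee": employee, "role": role, "user": user,
                               "data": data_class, "ticket": ticket, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {data_class!r}")
        return self._records.get(user, {}).get(data_class)

def spot_audit(audit_log: list, max_location_reads: int = 2) -> list:
    """Findings as (employee, reason): repeated location reads on one user,
    reads with no ticket reference, and denied attempts."""
    findings = []
    per_pair = Counter((e["employee"], e["user"]) for e in audit_log
                       if e["allowed"] and e["data"] == "ride_location")
    for (emp, user), n in per_pair.items():
        if n > max_location_reads:
            findings.append((emp, f"{n} location reads on user {user}"))
    for e in audit_log:
        if not e["allowed"]:
            findings.append((e["employee"], f"denied read of {e['data']} as {e['role']}"))
        elif not e["ticket"]:
            findings.append((e["employee"], f"read {e['data']} with no ticket"))
    return findings
```

The audit log is what makes "logged and spot audited" meaningful: a denied attempt, a read without a ticket, and three location lookups on one user all surface as findings tied to a named employee.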
While the lack of responses from many of these tech companies is by no means an admission of guilt, it is frustrating and potentially concerning, especially at smaller, rapidly growing companies, where lack of oversight and pressure to scale can force employees into unexpected roles for which they may not be fully qualified.
As these companies grow and become integral in our everyday lives, simply knowing who has access to our data feels like the bare minimum when it comes to online security.
Ben Smith and Johana Bhuiyan also contributed reporting to this story.