by eli 4225 days ago
According to the article an Uber executive did indeed access a journalist's data without her permission, something the spokesperson said was not possible:

"In fact, the general manager of Uber NYC accessed the profile of a BuzzFeed News reporter, Johana Bhuiyan, to make points in the course of a discussion of Uber policies. At no point in the email exchanges did she give him permission to do so."

Or does "rifling" mean something else to you?


It wasn't clear what "accessed the profile" meant.

I guess it's talking about the travel logs from 2 paragraphs above?

I suspect that the information pulled from the journalist's profile was pretty innocuous, or else they would have made more of a big deal about it.

But at the same time, the point isn't that "the Uber GM found some hideously private information about the journalist," the point is that regardless of what their "information policy" is, the GM could access the account of the journalist, and was apparently comfortable doing so based on his own discretion and sense of propriety rather than explicit permission. If his sense of propriety was fine, and the information was innocuous, then that particular event wasn't a big deal. But it kind of makes lie of the idea that another high-level individual at Uber who may have, shall we say, different ideas about propriety could not abuse the information that Uber is entrusted with.

Agree. In contrast, when I worked at Amazon, customer privacy was pretty religiously protected.

To access detailed customer information required getting a one-time-use key, which is generated from a request that references other documentation (bug reports, customer support requests, etc) as well as a justification.

This key would only work against a single customer, and expires after some time.

The requests themselves are regularly audited internally to prevent abuse.

This is the level of internal privacy guarantees a company like Uber needs. No employee should have unmonitored, carte blanche access to customer data.

This is the point.

The fact that the CEO can access data at whim should be very troubling. That means they don't have even the most basic infosec guidelines in place.
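
The access scheme described in the Amazon comment above (a one-time-use key tied to a documented request, valid for a single customer, expiring, with audited requests), sketched as an added example that is not part of the thread and not Amazon's actual system. The class, method and field names are hypothetical, and the 15-minute lifetime is an assumed value.

```python
import hashlib
import secrets
import time


class AccessBroker:
    """Hypothetical broker: one-time, single-customer, expiring access keys."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds      # assumed lifetime; the comment gives no figure
        self.clock = clock          # injectable so expiry can be tested
        self.grants = {}            # sha256(key) -> grant; raw keys are never stored
        self.audit_log = []         # every request and access attempt, for review

    def _audit(self, event, **fields):
        self.audit_log.append({"ts": self.clock(), "event": event, **fields})

    def request_key(self, employee, customer_id, ticket_ref, justification):
        # A key is only issued against a documented reason (ticket + justification).
        if not ticket_ref.strip() or not justification.strip():
            self._audit("request_denied", employee=employee, customer=customer_id)
            raise PermissionError("ticket reference and justification are required")
        key = secrets.token_urlsafe(32)
        digest = hashlib.sha256(key.encode()).hexdigest()
        self.grants[digest] = {"customer": customer_id, "used": False,
                               "expires": self.clock() + self.ttl}
        self._audit("key_issued", employee=employee, customer=customer_id,
                    ticket=ticket_ref, justification=justification)
        return key

    def redeem(self, key, employee, customer_id):
        """Return True only for an unused, unexpired key bound to this customer."""
        grant = self.grants.get(hashlib.sha256(key.encode()).hexdigest())
        if grant is None:
            reason = "unknown_key"
        elif grant["used"]:
            reason = "already_used"
        elif self.clock() > grant["expires"]:
            reason = "expired"
        elif grant["customer"] != customer_id:
            reason = "wrong_customer"
        else:
            reason = None
            grant["used"] = True    # consume the key before access is granted
        self._audit("access_denied" if reason else "access_granted",
                    employee=employee, customer=customer_id, reason=reason)
        return reason is None
```

Denied attempts land in the same audit log as granted ones, so a reviewer sees who tried to reach which customer record even when the key check stopped them.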