When you trust someone else with your sensitive information, assume that it will inevitably get abused. Business Technology’s resident U.S. blogger Keil Hubert examines what the recent Uber scandals tell us about modern life, and what we can do about the companies that unabashedly violate our trust.
The Dot-Com darling Uber has been getting quite a bit of critical press lately, and deservedly so. Uber is a start-up company that connects private citizens together for personal transportation: instead of hiring a licensed, bonded taxi service, an Uber user signals that they want a ride via a smartphone app, and another Uber user who feels like offering rides (for money) accepts the summons and couriers the person wanting a ride wherever they want to go. Uber, as the facilitator, takes a cut of the money that the rider pays the driver. The service model seems to work well, and the company is making a profit. What isn’t working for Uber is the recent appalling behaviour of their executives. As National Public Radio’s Geoff Nunberg explained it on 10th December:
‘Uber uses a map view that shows the locations of all the Uber cars in an area and silhouettes of the people who ordered them. The media seized on the term this fall when it came out that the company had been entertaining itself and its guests by pairing that view with its customer data so it could display the movements of journalists and VIP customers as they made their way around New York.
‘Those reports came on top of earlier criticisms of Uber for taking a prurient interest in its customers’ movements. Not long before, an Uber data scientist had blogged about tracking what he called “rides of glory.” Those were the customers who booked rides late on weekend nights and then returned home a few hours later, presumably after one-night stands …
‘Those were awkward revelations for Uber, which has also been under fire for its sharp-elbowed tactics with regulators and competitors and a truculent attitude toward its critics. The so-called sharing economy depends on users providing a company with enough personal information to reassure others that it’s OK to rent to or drive around with. …So it doesn’t look good when the people entrusted with the information come off as a crew of cocky striplings who seem to take privacy and security casually.’
Mr Nunberg’s article expertly summarized the problem in terms of the so-called ‘sharing economy’, but his main argument really speaks to a larger problem in modern life. Every major product and service that we consume, from the time our smartphone’s alarm wakes us in the morning until we send our last text message before lights out, involves providing sensitive information about ourselves to companies. We trust and hope that these people who hold these treasure troves of information about our lives will live up to their public promises to safeguard our data – and to not cynically exploit it for profit or simply for their own amusement.
As another telling example, back in August the Wall Street Journal’s Siobhan Gorman reported that some technicians from the NSA had abused their access to intelligence systems in order to track and to spy on their loved ones:
‘National Security Agency officers on several occasions have channeled their agency’s enormous eavesdropping power to spy on love interests, U.S. officials said.
‘The practice isn’t frequent — one official estimated a handful of cases in the last decade — but it’s common enough to garner its own spycraft label: LOVEINT.’
This shouldn’t come as a surprise. Lord Acton’s famous quote ‘Power tends to corrupt, and absolute power corrupts absolutely’ applies as much to data repository owners as it does to political despots. If your company collects or otherwise has access to user information that can be misused, then it will be misused eventually. This is inevitable. From a strictly pragmatic business perspective, if you’re in a position of power over such resources, then you shouldn’t allow such abuse to happen on your watch. This is more than a legal responsibility – it’s a fundamental matter of setting and maintaining ethical standards of professional conduct for your entire organisation. You are what you allow to happen, right or wrong.
A major component of life spent working in IT services is that you have access to staggering quantities of sensitive content. Email messages and phone calls between trysting lovers, posted letters to and from solicitors, mapped location data from company mobiles, and all manner of confidential employee records fall under our authority as server and network administrators. We have total control over the workstations where content is generated, the servers where content is stored, the networks over which content is transmitted, and the controls through which content is secured. As an essential aspect of keeping the core systems running, we have the technical ability to spy into every user’s life without their knowledge or permission.
Many companies allude to this in their Acceptable Use Policies for company computers and phones. The company warns you up front that you have no ‘reasonable expectation of privacy’ when using company kit or connectivity, and that company reps can access your content at any time without your knowledge or prior permission. Companies selling services to the public often include similar language in their End User License Agreements – those novel-sized text storms that we all ‘accept’ without reading in order to get on with our lives and download the occasional smartphone app.
You’d think that we’d be inured by now to the knowledge that other people always have the ability to pry into our supposedly private lives. Still, there’s a big difference between a sysadmin peeking at a private email during the course of network troubleshooting, and a sales weasel rooting around in our private records in order to humiliate or harm us. The former use-case is a tolerable violation of privacy born of necessity; the latter is a crass exploitation and an affront.
I talk about this in my book on leading IT departments. Superior access necessitates superior moral conduct in the holder of said access. If we’re going to be trusted with our users’ sensitive information, then we must – I believe – conduct ourselves as paragons of sterling ethical conduct. Our users have to trust that we won’t abuse our authority. That’s why I require control measures like two-man accountability and pre-access approval protocols, and why I enforce the most restrictive ethical conduct policies in the company. These measures map to conventional crime prevention measures involving minimizing opportunities to misbehave and increasing the probability of being caught.
Still, I argued earlier in this column that human nature inevitably compels someone in every company to abuse their authority. Policy and standards aren’t enough to deter everyone. Someone eventually manages to rationalize that they won’t get caught, or won’t be punished if they are caught, or otherwise somehow deserve to break the rules. So, what’s the point? If it’s inevitable, why exert all that effort struggling to prevent it?
I submit that inevitability of abuse is the point; laws and rules don’t prevent misconduct in and of themselves. They merely give voice to what authority considers out-of-bounds, and what will happen to the next soul who violates our edicts. For many people, simply knowing that a ‘red line’ exists is sufficient to motivate them to police their own conduct. For others, only demonstrated enforcement of our rules will convince them that we’re serious – that’s why I advise executives and directors to never publish a rule that they’re not wholly committed to enforcing. Teach your people that you mean what you say.
Finally, there are always going to be a few people who simply insist on breaking the rules. For them, it’s the metaphorical gallows. Detecting, containing, and dispatching these unrepentant malcontents is crucial to maintaining your customers’ trust. Users generally accept there will always be a few bad apples in every organisation. So long as company management is committed to policing its own, users will continue to trust the company with their information.
But then there’s Uber… as Lauren Hodges reported for NPR back in November:
‘The popular ride-service company Uber is in damage control mode after a senior vice president expressed interest in unveiling details about the private lives of journalists in retaliation for unflattering coverage of Uber’s business practices.
‘BuzzFeed reported Monday that Emil Michael, who says he believed his comments were off the record, expressed his feelings during a private dinner in New York about the company’s media critics, some of whom have recently reported that Uber encourages sexist behavior in its executives, along with drivers and clients.’
As consumers and citizens, we understand that bad employees will occasionally violate their oaths and trespass against us. We get upset, but we don’t lose faith in the company overall so long as the company’s upper management swiftly puts a stop to the misconduct. But what happens when the men and women at the very top of the organisation are the ones violating our trust? When there’s no one further up the chain to appeal to for justice? What do we do when the malefactors are utterly immune to censure, and feel no shame about being caught?
That’s where the model collapses. All you’re left with is an appeal to some heavenly judgement beyond death or weight of karma, because our mortal instruments are effetely toothless.
I submit that there’s nothing that can be done, other than to refuse to further fund the company. People like the crew running Uber have demonstrated time and again that their sacred honour simply doesn’t exist; they don’t care how they’re perceived by the public. They’ve become successful and wealthy enough that nothing that the average customer or critic tries to do to them can actually hurt them. They can, at most, be annoyed; they can’t truly be constrained. There are no effective control measures to bring these naughty schoolchildren back into the fold. They have their reputation, their money, their access to the powerful elite, and their allies. We have… pithy tweets. It’s like bringing a feather to a tank fight. Accept that you’re going to be utterly ignored.
This would be a great time to moralize that the ‘invisible hand of the market’ will eventually pressure such companies to reform, since every disgruntled customer represents a lost profit opportunity. That sounds great in the b-school classroom, but it simply isn’t realistic. We’ve known about the bad behaviour of Uber’s Top Men for months, and Uber is still valued at over $18 billion by the equally amoral market. They don’t need your business, or mine. They don’t have to care what we think of them. So long as enough people are willing to pay to use their service, they’ll stay rich – and will likely get richer. Their business model will keep making them rich no matter how loathsome the executives act.
That’s the hard truth of the matter. Some people, when given the opportunity to abuse our trust, will do so and there’s effectively nothing that we can do to stop them.
The only effective way to mitigate these people’s ability to misuse our data is to refuse to give it to them. That doesn’t work for an extra-legal entity like the NSA, but it does work for private companies (albeit only for one customer at a time). When a commercial entity like Uber reveals that the people running it are unwilling to live up to our expectations of minimum acceptable ethical conduct, we then need to refuse to do business with them. Simply don’t give them the ability to abuse our trust by denying them our trust. We can’t stop them from abusing others, but we can protect ourselves, one at a time.
Maybe karma will catch up with these people. It probably won’t. Regardless, we all have work to do and places to be. Therefore, the next time you visit the USA, book your ride from one of Uber’s competitors, like Lyft, Curb, or Sidecar. Or just take a taxi. Or walk. Whatever you do, don’t arm a known, unrepentant highwayman like Uber with the bullets that they’ll inevitably use to rob you after you reach your destination.
 Footnotes in the quoted text are exactly as they appeared in the Fresh Air article transcript.
 LOVEINT = ‘Love Intelligence’ in the same way that SIGINT refers to ‘signals intelligence.’
 Again, footnotes in the quote are exactly how they were published in the article transcript.
Keil Hubert is a retired U.S. Air Force ‘Cyberspace Operations’ officer, with over ten years of military command experience. He currently consults on business, security and technology issues in Texas. He’s built dot-com start-ups for KPMG Consulting, created an in-house consulting practice for Yahoo!, and helped to launch four small businesses (including his own).
Keil’s experience creating and leading IT teams in the defense, healthcare, media, government and non-profit sectors has afforded him an eclectic perspective on the integration of business needs, technical services and creative employee development… This serves him well as Business Technology’s resident U.S. blogger.