Uber goes Big Data, shares customers’ data with a hotel chain

library
crime | hacking | security

Uber has joined the rank of Big Data sellers, up there with Facebook, Google and Visa.

The product: data about customers’ movements, where they shop, where they work, where they go and much more.

This is how it started: about a month ago, Uber users who are also “preferred guests” of Starwood Hotels Resorts were given the chance to earn “Starpoints” whenever they climb into an Uber ride.

Redeemable for free stays! Upgrades! Air miles! Gift cards! VIP access to exclusive music, sports and culture events!

All they have to do: link their Uber and Starwood accounts and thereby agree to sign away every scrap of (incredibly) personal (and quite valuable) data that Uber has on them.

As Forbes’s Ron Hirson – a frequent Uber user and occasional Starwood guest – described recently, there’s a good reason why one of Uber’s late-round investors decided that the startup’s $42 billion valuation (about £28.2 billion) was a bargain: it’s rumored to have 800% annual growth, and given the mountain of data it’s sitting on, it’s well on its way to becoming a Big Data company on par with the likes of Google, Facebook or Visa.

It’s not hard to see why Uber data is marketing gold. As Hirson notes, Uber is right up there with the other people/organisations who know his location at all times:

There are only four people/organizations in the world who know my location at all times: my wife (because I tell her), Apple (because Siri), the NSA (because NSA), and now Uber.

Since the service Uber has built is so convenient, and increasingly essential to my life, Uber knows where I live, where I work, where I eat, where I travel, where I stay/visit and when I do all these things.

If free stays, upgrades, gift cards, etc., etc., sound like a good swap for your comings and goings, including mappings of your patronage of airlines, restaurants, car rental agencies, hotels and much, much more, you might want to take a close look at the terms of the deal.

As detailed in section 4.5 of those policies, Starwood is gaining access to every scrap of your data, which may include your name, address, email address, picture, and:

Uber Usage data (including, without limitation, member number, product, fares, length of ride, date, pick-up and drop-off location, and pick-up and drop-off time), and other account information regarding Participant’s use of Uber’s services.

…all of which may be used by Starwood for marketing purposes.

There’s nothing inherently wrong with being marketed at, though it can be annoying as hell. At any rate, you can always opt out of the marketing aspect of the new program.

But as we noted on Safer Internet Day, whenever we give away personal details that are typically only known to, say, your significant other, Siri, or the NSA, we run the risk of it falling into the hands of cybercrooks.

A crook, in turn, is able to learn enough about you to guess your passwords; to answer your security questions at websites or banks; or to trick people into thinking that he/she knows you well and is a trusted insider in your circle.

We put together a series of graphics showing what could go wrong when we share, for example, location data:

or data about our hobbies and interests:

Uber is a darling among startups because it has access to both its users’ geolocation and their movements, which in turn show where they shop, whom they visit, where they work, where they live, and more.

Starwood is just the start.

Imagine all the businesses to which those Uber drivers chauffeur us. Imagine how interested Starwood would be to know that Forbes’s Hanson chose to stay at a hotel that wasn’t a Starwood property.

Imagine how the marketing department would rev up to make sure that such loss of patronage doesn’t get a heavy dose of “come back!” marketing.

Such data is practically money in the bank.

But that’s just the yellow bar in our graphs, signaling marketing annoyance.

Skip to the red part, and we get into the truly dark parts of the forest when it comes to data oversharing: i.e., social engineering attacks fueled by familiarity with our movements/hobbies/workplace, or emboldened stalkers who know where we are and when, can see when our apartments are left vacant, or can figure out when our children are home alone.

Does Starwood, or any future business that enters into data-sharing with Uber, have ample security to ensure that our data wouldn’t escape into the wild, to be used in such nefarious ways?

Does Uber, for that matter?

Apparently not.

As it is, Uber on Wednesday succeeded in getting a court to force GitHub to hand over the web access logs for two pages that will show each and every user who spotted a supposedly secret database access key that had somehow ended up in a couple of Gists in a public area of GitHub.

The key was allegedly used to delve into Uber’s internal database of driver names and license plates.

The more data about us that’s out there, the more possibilities that the data companies will get hacked in similar fashion to how Uber was hacked, or that the hotels we stay at will get hacked, or that the restaurants we eat at will get hacked, or the banks.

The more data we sign over, the more potential there is for crooks to get at us, armed with the data that we willingly handed over.

As we said on Safer Internet Day, we have a choice about handing over that data.