Privacy policies rarely mention the weakest point in any company’s security infrastructure: its employees.
Traditionally, privacy worries for consumers and tech companies have been limited to keeping information secure from third parties or hackers. But a series of internal abuses shows that tech company employees often have universal access to user information, as well as reason — be it pure voyeuristic curiosity or, in the worst cases, a vendetta — to look at our whereabouts, spending, and the most private corners of our lives.
Fears of employee data abuse are founded, from the highest levels of government intelligence down to car-sharing apps. In 2013, reports revealed over a dozen instances in the past ten years in which NSA employees abused NSA surveillance to collect data on love interests, referred to internally as “Loveint.” At tech companies, where security measures and training are largely more relaxed, employees surveilling the location histories of ex-lovers, tracking roommates in real time, and looking at activity logs of friends of friends is not only a plausible fear, but a new reality. Just last month, a New York Uber executive was investigated and reprimanded for tracking the whereabouts of a BuzzFeed News reporter without her permission.
BuzzFeed News reached out to 29 major technology companies, including social networks, fitness trackers, and dating, payment, messaging, music, and mapping apps, with ten specific questions about their internal privacy policies with regard to user data.
Out of the 29 companies, only 13 responded. Of the 13 that responded, three companies didn't offer comment. Responses from the other ten manifested a wide range of views: some took the inquiry seriously; others offered boilerplate responses, and a significant percentage of the companies chose to remain silent. All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.
BuzzFeed News sent the same set of ten straightforward questions to all 29 companies. Here is the list in full:
- location, financial, and other account data, if so what is it? Are
there any exceptions to that policy and what is a comprehensive list
of those exceptions?
- How many, and which types of, employees currently have access to
users' account data?
- What is the process for gaining that access? Is there more than one
level of permission? What are they and the respective processes to
- Do the CEO and other senior executives have personal access to all
user data? Do interns?
- accessing a user's account without permission? Has this policy ever
been enforced, and if so can you provide an example?
- How does the company monitor employee access to user accounts?
- What steps, if any, does the company take to de-identify users in
- Does the company share or sell user data that includes identifying
information to other parties; and if so, how is that confidentiality
- Does the company have a plan for transfer of user data if the
company changes hands?
- Are there any procedures in place to notify users and the public of
changes in the terms of service?