We Asked 29 Tech Companies If Their Employees Can Access Your Personal Data

Privacy policies rarely mention the weakest point in any company's security infrastructure: its employees.

Traditionally, privacy worries for consumers and tech companies have been limited to keeping information secure from third parties or hackers. But a series of internal abuses show that tech company employees often have universal access to user information, as well as reason — be it pure voyeuristic curiosity or, in the worst cases, a vendetta — to look at our whereabouts, spending, and the most private corners of our lives.

Fears of employee data abuse are founded, from the highest levels of government intelligence down to car-sharing apps. In 2013, reports revealed over a dozen instances in the past 10 years in which National Security Agency employees abused NSA surveillance to collect data on love interests, referred to internally as "Loveint." At tech companies, where security measures and training are largely more relaxed, employees surveilling the location histories of ex-lovers, real-time tracking roommates, and looking at activity logs of friends of friends, is not only a plausible fear, but a new reality. Just last month, a New York Uber executive was investigated and reprimanded for tracking the whereabouts of a BuzzFeed News reporter without her permission.

For all the careful consideration and legal maneuvering of tech company terms of service and privacy policies, those documents rarely mention the weakest point in any company's security infrastructure: its employees. Clear, plainspoken explanations of employee access to user data are rarely, if ever, present in a privacy policy. But the reality is that thousands of tech company employees across the world now have unfettered access to our most personal data.

BuzzFeed News reached out to 29 major technology companies, including social networks, fitness trackers, and dating, payment, messaging, music, and mapping apps, with 10 specific questions about their internal privacy policies with regard to user data.

Out of the 29 companies, only 13 responded. Of the 13 that responded, three companies didn't offer comment. Responses from the other 10 manifested a wide range of views: Some took the inquiry seriously, others offered boilerplate responses, and a significant percentage of the companies chose to remain silent. All told, the collective responses offer a complex and, in many cases, unsettling survey of the current data privacy landscape.

BuzzFeed News sent the same set of 10 straightforward questions to all 29 companies. Here is the list in full:

* Do you have a privacy policy regarding employee access to user location, financial, and other account data? If so what is it? Are there any exceptions to that policy and what is a comprehensive list of those exceptions?
* How many, and which types of, employees currently have access to users' account data?
* What is the process to gaining that access? Is there more than one level of permission? What are they and the respective processes to obtain them?
* Do the CEO and other senior executives have personal access to all user data? Do interns?
* What are the repercussions of violating the privacy policy or accessing a user's account without permission? Has this policy ever been enforced, and if so can you provide an example?
* How does the company monitor employee access to user accounts?
* What steps, if any, does the company take to de-identify users in its databases?
* Does the company share or sell user data that includes identifying information to other parties; and if so, how is that confidentiality protected?
* Does the company have a plan for transfer of user data if the company changes hands?
* Are there any procedures in place to notify users and the public to changes in the terms of service?

Splitwise, My Fitness Pal, Skype, Tinder, GroupMe, Hinge, WhatsApp, Pandora, Kik, Viber, OkCupid, Line, Rdio, Waze, and Foursquare did not respond to multiple emails from BuzzFeed News editors and reporters inquiring about employee policies regarding user data and privacy. Together these companies represent billions of individual user accounts that ask for, receive, and store troves of personal data ranging from location and movement logs and financial information to private communications and sexual orientation/dating history.

Gett, which excoriated its rival Uber for its recent scandalous business tactics, provided no comment to BuzzFeed News. "I've just got off the phone speaking to our lawyer and basically been told that we have no comment," CMO Rich Pleeth said via email.

Sleep Cycle, a paid alarm-clock app that uses a smartphone accelerometer to track a user's movements throughout the night, could not provide a spokesperson in BuzzFeed News' 36-hour window for comment. "Given the timing, I do not have a spokesperson available, so we do not have anything to add to your query at this time. However, you can find more on Sleep Cycle's privacy policy here," a spokesperson for the company wrote.

Scruff, a popular gay dating app and rival to Grindr, declined to comment for this story, noting that the company "recently worked on a contributed piece for Huffington Post's Gay Voices blog that addresses SCRUFF's views on user privacy and security." The piece, by Scruff's CEO and lead programmer, straightforwardly addresses Scruff's geolocation technology. It does not, however, address employee access and permissions with regard to user data, both real-time and stored logs.

Spotify responded to the initial inquiry but never provided answers to the survey.

Eight of the 10 respondents opted to send a blanket statement instead of addressing BuzzFeed's questions individually. Many provided a link to the company's privacy policy; most of those policies do not explicitly address employee access to data.

Jawbone:


We take the security and protection of users data very seriously, with strict processes in place governing the handling of all user data internally. More information on our privacy policy can be found here: https://jawbone.com/legal/privacy.

We don't sell individual user data. We only share individual user data with their consent (for example to allow users to link with a 3rd party app or service) or in a small number of limited exceptions, as outlined in our privacy policy.

Jawbone's privacy policy does not explicitly detail how employees access data, stating only that, "We use commercially reasonable efforts to help protect your personal information from unauthorized access, use, or disclosure." The company also notes in the policy that, "Even though we have taken steps to protect your personal information, you should know that neither we nor any company can fully eliminate security risks."

Fitbit:

Jawbone's chief competitor Fitbit responded with a link to the company's privacy policy as well as an article featuring Sen. Chuck Schumer praising Fitbit's privacy standards. The company also included a statement from James Park, CEO and co-founder of Fitbit:


As the market leader in connected health and fitness, we have always been committed to protecting consumer privacy and keeping data safe. We have spent the last several months updating our privacy policy to clarify our practices and provide transparency for our customers. While our policy was updated, our practices have not changed. It has always been our policy not to sell user data; we have never sold personal data and we do not share personal data unless a user specifically directs us to do so, or under the limited exceptions described in our privacy policy http://www.fitbit.com/privacy.

Fitbit's privacy page is extensive, but does not directly address safeguards for employee access to user data. "Fitbit uses a combination of technical and administrative security controls to maintain the security of your data. If you have a security-related concern, please contact Customer Support," the page reads.

GrubHub:

GrubHub responded that "employees are only allowed access to personal information that may be necessary to fulfill their job responsibilities (e.g., customer service inquiries)." Full statement:

GrubHub is committed to protecting the privacy of our diners. As stated in our privacy policy (https://www.grubhub.com/legal/), employees are only allowed access to personal information that may be necessary to fulfill their job responsibilities (e.g., customer service inquiries), and GrubHub does not sell personal information to third parties.

In addition, any employee who breaches their obligation of confidentiality by disclosing non-public information is subject to disciplinary action, up to and including termination.

Venmo:


We take users' privacy extremely seriously. Since Venmo joined the eBay family in December of last year, its employees are bound by eBay's strict privacy policy: http://www.ebayprivacycenter.com/privacy

The company also provided a link to its FAQ page for privacy.

Inside that FAQ, eBay notes that "we train our employees on how to protect and secure your information." There is no mention of specific safeguards protecting data from employees.

Secret:

Secret provided its privacy policy noting that "the relatively minimal information users provide to Secret is encrypted and stored on physically secure servers. The overwhelming majority of Secret employees do not have the technical or physical ability to access these databases and, as a result, cannot access any private user data."

In terms of employee access, the company responded that "the handful of employees who need access, as part of their jobs working our infrastructure and internal tools, must abide by our internal Data Use Policy. This policy requires that all data access be for the legitimate business reasons stated in our public Privacy Policy. There are no exceptions to this requirement and we monitor access to ensure accountability."

Whisper:

While the company notes that it collects very little information on its users, it also states, "We further have controls in place on our internal systems."

Our privacy policy covers our collection and use of user information (whisper.sh/privacy). Most of the information that we have is publicly displayed with Whispers themselves. Whispers by design are public and accessible to anyone via the app or our website. As to the very limited forms of non-public user information that we have to operate the service, this doesn't include information such as names, emails, passwords, usernames, phone numbers or device id's, which we do not collect or use, and we further have controls in place on our internal systems.

Slack:

The internal communications company told BuzzFeed News that, unlike many consumer-facing apps, "Slack is an agnostic platform upon which companies can decide their own policies." The company notes that "in all cases, we strive to make a team's internal policy settings transparent to the team's members."

The company recently changed its privacy policies, which contained extensive "human-readable summaries, complete histories (and diff files where possible) for older versions of the relevant documents." The company also provided detailed FAQs.

In terms of employee access to user data, Slack issued the following statement, noting that: "Neither the CEO nor any other executive has access to all user data. Any access is logged and spot audited and there are several layers of technical controls & permissions which prevent unauthorized access."


We have four different outside companies providing various kinds of external security and process evaluation, from penetration testing and a very active bug bounty program to evaluation of internal policies and controls as part of SOC-2 audits (which includes everything from physical access control, hard drive encryption and security settings on all computers to extensive employee background checks). Neither the CEO nor any other executive has access to all user data. Any access is logged and spot audited and there are several layers of technical controls & permissions which prevent unauthorized access. We'd treat any violation of internal policies and controls regarding user data the same way we'd treat embezzlement or any other kind of fraud.

Runkeeper:

Runkeeper responded with a message from its CEO and founder, Jason Jacobs, which included a link to the company's privacy policy regarding data collection.

In terms of employee access to user data, Jacobs noted that:

Employee access to user data is doled out very carefully by a Systems team with deep expertise in PII (personally identifiable information) data. The general rule is that employees only have access to data that they directly need for their job. For this reason, senior executives (CEO, CFO, etc) and most other employees have zero access to any user data. Only employees who help users debug issues with our product may at times have access to some user data. For example, if a user experiences a GPS problem while running with RunKeeper, an employee in Support or Engineering may access that data in order to help the user with their problem.

Of the 29 companies BuzzFeed News contacted with our employee data and privacy survey, only two (HipChat and Lyft) responded directly to all 10 questions. A HipChat support representative provided detailed answers to each of BuzzFeed's questions; however, these answers were actually from the perspective of a user accessing his or her own data, not access on the part of HipChat or its owner, Atlassian.

When asked about Atlassian employee access to user information, a spokesperson responded: "One of Atlassian's five core values is 'Don't $%&* the customer', and it influences everything we do. We have a robust privacy policy in place which governs Atlassian's access to sensitive customer data, and we abide by this policy. Our policy is designed to ensure that we strike the right balance between protecting customer data and allowing us to help customers as needed."

Uber's biggest rival, Lyft, responded extensively to each of BuzzFeed News' questions, noting, "Lyft also has a longstanding internal privacy policy which prohibits employees or contractors from accessing any user personal information except to the extent such use is necessary to do their job. In addition to this policy, all access and updates to user and ride data has been and will continue to be attributed to an authorized user, recorded, and available for audit internally as part of maintaining our stringent privacy standards."

In the wake of the Uber scandal, the company changed its internal employee access policies last month, including "the development of tiered access controls that further limit access to user data to a smaller subset of employees and contractors. Ride location data is restricted to an even smaller subset of people."

Lyft noted that employees in roles with duties that require access to user data, such as Trust & Safety or Customer Support, have access to the level of data required by their specific job requirements. Furthermore, an internal team reviews which employees require access to user data as a part of their specific job duties. If employees violate Lyft's internal policies with regard to user data, they "would be subject to disciplinary action, including termination and legal action."

The company told BuzzFeed News it has established an internal monitoring system that "records access to user data and logs the event, including the identification of the particular authorized user who accessed the data, for auditing purposes." The company also said that it takes steps to anonymize users by "randomly assigning a number to each user and ride that we use to reference data throughout our systems."

Lyft maintains that it does not sell user data. Its privacy policy describes how data may be shared with third parties. "We require these entities not to use Your information for any other purpose," the company said. In the event that the company changes hands, Lyft notes that Your personal information may be passed on to a third party in the event of a transfer of ownership or assets, or a bankruptcy.

While the lack of responses from many of these tech companies is by no means an admission of guilt, it is frustrating and potentially concerning, especially at smaller, rapidly growing companies, where lack of oversight and pressure to scale can force employees into unexpected roles for which they may not be fully qualified.

As these companies grow and become integral in our everyday lives, simply knowing who has access to our data feels like the bare minimum when it comes to online security.

Ben Smith and Johana Bhuiyan also contributed reporting to this story.
