Did Lyft Employees Use the App for Accessing Confidential Passenger Information?

An anonymous post on “Blind” suggests that employees are using a software tool called “God View Tool” (GVT), built into the Lyft management system, that lets the viewer see a customer’s movements over the course of their relationship with Lyft.

Lyft is reported to be taking the post seriously and is investigating all employees’ access to the GVT in order to ascertain whether any specific employee abused it. The use of a GVT can be tracked to specific access points, and the files accessed are logged. This is standard IT security oversight for all companies. Whether an employee checked up on Mark Zuckerberg, Facebook’s CEO, or other popular people remains to be seen.

The use of GVT for “spying” is illegal as it constitutes an invasion of privacy. The reason such a tool exists is to back up claims of driver or passenger complaints, and for law enforcement that might want to track a specific person under investigation. However, in most cases, a court order would have to be issued to allow access to such data.

According to the post, quite a few employees used the GVT to view exes, family members, and famous people. According to Lyft’s spokesperson, “The specific allegations in this post would be a violation of Lyft’s policies and a cause for termination.” This is not the first time GVT has been abused; in 2014 Uber used it to track social media and news reporters, as well as being part of their Greyballing process.

Of course they did! Heck, if I worked for a company that had access to such information, I would also be tempted to check up on my GF, our Mayor and the next-door neighbor’s hot wife!
Just kidding. In reality, I have worked for a company that had access to travel information and yes, employees do look stuff up. The only way you can stop such an issue from occurring is to monitor screen access points and SQL requests. Also, once a person has been flagged for looking up another person’s file without probable cause (such as a registered complaint, or customer service ticker), the system should red flag IT and they can start to monitor that person’s activities.
This can be done when client screens are linked to direct query access routines, such as initial application, updating information during an application and handling specific issues that have a CS tag or ticker attached to them, which gets added to the individual file. Once a file is accessed without probable cause, the system should log it (they do anyway), but rather than wait for log checking, an immediate flag should be sent to IT to request a reason why the file was viewed by the employee.
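The check described above can be sketched as follows. This is an added example, not Lyft's or any vendor's code: it flags each file access that has no complaint or CS case on the customer's file at the time of access, and from then on records every access by the flagged employee. The record layout, the names, the sample data and the 24-hour grace period after a case closes are all assumptions.

```python
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)  # assumption: follow-up allowed for a day after a case closes

def ts(s):
    return datetime.fromisoformat(s)

def has_cause(event, cases):
    """True if the customer's file carries a complaint/CS case covering the access time."""
    when = ts(event["time"])
    for c in cases:
        if c["customer"] != event["customer"]:
            continue
        end = ts(c["closed"]) + GRACE if c["closed"] else datetime.max
        if ts(c["opened"]) <= when <= end:
            return True
    return False

def review(access_log, cases):
    """Return (alerts, monitored).
    alerts: accesses without cause; IT asks the employee for a reason immediately.
    monitored: every later access by an employee who was already flagged."""
    alerts, monitored, watchlist = [], [], set()
    for ev in sorted(access_log, key=lambda e: ts(e["time"])):
        if ev["employee"] in watchlist:
            monitored.append(ev)
        if not has_cause(ev, cases):
            alerts.append(ev)
            watchlist.add(ev["employee"])
    return alerts, monitored

# Constructed sample data (hypothetical schema, not real records).
CASES = [
    {"customer": "C100", "opened": "2018-01-10T09:00", "closed": "2018-01-12T17:00"},
    {"customer": "C200", "opened": "2018-01-11T08:00", "closed": None},
]
ACCESS_LOG = [
    {"time": "2018-01-10T10:15", "employee": "alice", "customer": "C100"},  # case open
    {"time": "2018-01-11T22:40", "employee": "bob", "customer": "C300"},    # no case on file
    {"time": "2018-01-13T09:00", "employee": "alice", "customer": "C100"},  # inside grace period
    {"time": "2018-01-14T18:30", "employee": "carol", "customer": "C100"},  # case long closed
    {"time": "2018-01-15T11:00", "employee": "bob", "customer": "C200"},    # has cause, bob is watched
]

if __name__ == "__main__":
    alerts, monitored = review(ACCESS_LOG, CASES)
    for ev in alerts:
        print("ALERT  ", ev["time"], ev["employee"], "opened", ev["customer"], "without a case")
    for ev in monitored:
        print("MONITOR", ev["time"], ev["employee"], "opened", ev["customer"])
```

In a live system the same test would run at query time against the screen or SQL access event, so the flag reaches IT when the file is opened and not when someone later reads the log.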