Apr 2, 2015

Uber has hired Joe Sullivan as its first chief security officer. Or, as it's put in the blog post announcing his hire, "a thought leader to help Uber redefine safety and data security."

Sullivan was previously the executive in charge of data security at Facebook; he has also worked for eBay, PayPal, and the Department of Justice.

Uber chief executive Travis Kalanick explained the rationale behind seeking a chief security officer in a blog post announcing Sullivan's hiring:

“It’s easy to see the Uber logo on your phone and think of us as just an app. But in many ways we’ve become a critical part of the infrastructure of cities. We are both in cyberspace and on city streets all at once; a bridge between bits and atoms. And as we get into tens of millions of rides a week, we continue to challenge ourselves to do even better when it comes to safety and data security.”

Sullivan won't just focus on keeping Uber's data secure; he will also be tasked with redefining and strengthening Uber users' physical security. Given the rate at which Uber customers are attacked, stalked, and harassed by their drivers, that might be the hardest part of Sullivan's newest gig.

Which isn't to imply that securing the vast amount of information Uber collects through its service will be an easy task. Its applications collect everything from a user's location to their address book, and even though that access isn't used for nefarious purposes, it's still sensitive information.

The task will be made even harder if Sullivan really plans to "help build the culture of a young and growing organization" and "continue building upon the safety and security initiatives that are the backbone of Uber’s success." Why? Because Uber has a history of mishandling its customer information.

A job interviewee was provided with full access to the company's location databases. An executive tracked a journalist's ride because she was running late for a meeting. Another journalist reported that her sources had warned her that Uber executives could use some of the service's tools to spy on her.

All of which makes Sullivan an important hire for Uber. The company gathers too much information not to have a chief security officer, and there obviously needs to be a change at the company, because the only privacy violations that have been made public were all conducted by its executives.

UPDATE: Pando's Mark Ames points out that Sullivan's tenure at eBay saw the company get very close to law enforcement. As Haaretz reported in 2003, and Ames discussed again over a decade later, in December 2013:

“Sullivan tells the audience that eBay is willing to hand over everything it knows about visitors to its Web site that might be of interest to an investigator. All they have to do is ask. ‘There’s no need for a court order,’ Sullivan said, and related how the company has half a dozen investigators under contract, who scrutinize ‘suspicious users’ and ‘suspicious behavior.’”


“‘We don’t make you show a subpoena, except in exceptional cases,’ Sullivan told his listeners. ‘When someone uses our site and clicks on the I Agree button, it is as if he agrees to let us submit all of his data to the legal authorities. Which means that if you are a law-enforcement officer, all you have to do is send us a fax with a request for information, and ask about the person behind the seller’s identity number, and we will provide you with his name, address, sales history and other details — all without having to produce a court order. We want law enforcement people to spend time on our site.’ He says he receives about 200 such requests a month, most of them unofficial requests in the form of an email or fax.

“The meaning is clear. One fax to eBay from a lawman — police investigator, NSA, FBI or CIA employee, National Park ranger — and eBay sends back the user’s full name, email address, home address, mailing address, home telephone number, name of company where seller is employed and user nickname. What’s more, eBay will send the history of items he has browsed, feedbacks received, bids he has made, prices he has paid, and even messages sent in the site’s various discussion groups.”