Stop trusting your employees. Uber's "God view" proves you can't

In 2014, inside Uber’s headquarters, a culture of impunity had a name: “God View.” It’s exactly what it sounds like. An internal map, pulsing with the real-time locations of every car and every customer. For a company obsessed with growth at all costs, it was a powerful tool. For some employees, it was a toy.

They used it to spy on ex-girlfriends. They used it to track politicians and celebrities, including Beyoncé. When one journalist was running late for a meeting with a New York executive, he casually pulled up her location on God View to impress his guest. He wasn't fired. He was just another employee using the tool.

This wasn’t a bug. It was a feature. A feature born from the most dangerous delusion in the tech world: the belief that internal tools are somehow less important, less risky, and can be secured ‘later’.

Let’s be honest. Your company probably has its own version of God View. It might not be as blatant, it might not have a cool, ominous name, but it’s there. It’s the admin panel that gives half the company access to sensitive user data. It’s the customer support dashboard where any agent can browse the entire customer database, no questions asked. It’s the brittle, hard-coded if user.is_admin() check that stands between a curious employee and a PR catastrophe.

And it’s a ticking time bomb.

The Uber scandal wasn’t the result of a few “bad apples.” That’s the easy excuse, the one that lets executives sleep at night. The real failure was systemic, a rot that started from first principles. It was a failure to ask the most basic questions.

The first question: Who really needs to see this data? In the case of God View, the real-time location of every single customer, the answer was almost nobody. A developer debugging a specific geographic issue? Maybe, for a limited time, with a specific justification. A customer support agent helping a user find their ride? Absolutely, but only for that specific user and that specific ride. An executive trying to show off? Never.

Uber’s system, like so many internal tools, couldn't make these distinctions. It was a blunt instrument in a world that requires surgical precision. It relied on coarse, outdated ideas of roles instead of dynamic, context-aware attributes. This is the difference between saying "This person is a support agent" and saying "This support agent can only view the data for the customer whose ticket they are currently assigned to." One is a barn door; the other is a vault.

The second, and perhaps more damning, question: If someone does misuse their access, how would you know? In the early days of God View, it seems the answer was, "You wouldn't." There was no meaningful audit trail. No immutable log of who was looking at what, and why. Policies on paper are meaningless without enforcement. Without a detailed, unchangeable record of every single access decision, accountability is a fantasy. You can't punish what you can't prove.

This chaos is the natural endpoint of the way most companies build internal software. We convince ourselves that moving fast is more important than being secure. We hard-code authorization logic directly into the application because it’s quick. if user.role == 'support': show_data(). Simple. But now, what if you need to create a new `Support Tier 2’ role with slightly different permissions? You have to go back to the code. What if your legal team wants to review all the rules for accessing PII? They can't. They don't read Python. Your security policies are now trapped, brittle and invisible, scattered across a dozen services, managed by no one.

This is not a scalable or defensible way to operate. The solution is not to write better if statements. The solution is to change the paradigm. You must rip your authorization logic out of your application code.

Think of it like this: your application should focus on what it does best: booking a ride, processing a payment, serving a user profile. It shouldn't also be the judge, jury, and executioner for who gets to do what. That job belongs to a dedicated, centralized service. A service whose entire purpose is to answer one question: "Does this user have permission to perform this action on this resource?"

When your authorization logic is centralized and managed as code in simple and readable policy files the world changes. Suddenly, your security rules are no longer buried in the codebase. They live in one place. They can be version-controlled in Git, tested like any other piece of software, and reviewed by your compliance team without needing a developer to translate.

This isn’t a far-off dream. This is what we built Cerbos to do. It’s open-source, it’s stateless, and it’s built on this fundamental principle of decoupling and hundreds of companies are already using it.

So, what do you do now? Don't tell me your company is different. Don't tell me you trust all your employees. Trust is not a security strategy.

Find your God View. I guarantee you have one. It’s the tool everyone is a little too quiet about, the one with frighteningly broad permissions. That's your starting point. Don't try to boil the ocean. Pick one critical action in that tool: viewing a customer's personal information, exporting a list, deleting a record.

Now, rip the logic for that single action out of the application. Write a simple, human-readable policy for it. Integrate a call to a decoupled authorization service like Cerbos. In a few hours, you will have made that one action infinitely more secure, auditable, and manageable. Then, you do the next one. And the next.

Uber learned this lesson in the most public and painful way possible, through FTC investigations and shattered user trust. You have the benefit of learning from their mistakes. The path they took, prioritizing growth over security, internal convenience over user privacy is a well-trodden road that ends in disaster. It's time to choose a different path. Stop making excuses. The tools are here. The blueprint is clear. Get to work.