The Mercury News

Uber under scope over privacy.

Ride-hailing service will be under microscope for 20 years for personal information breach

- By Marisa Kendall mkendall@bayareanewsgroup.com

Uber must beef up its privacy protections and submit to 20 years of outside monitoring after failing to safeguard both drivers’ and passengers’ sensitive information, federal regulators said Tuesday.

The penalties — announced as part of a settlement the San Francisco-based ride-hailing company reached with the Federal Trade Commission — are in response to a controversial internal platform known as “God view,” which Uber employees allegedly used to track the location of riders. Regulators also fault Uber for a 2014 data breach that exposed driver names, as well as their driver’s license, bank account and Social Security numbers.

“Companies must honor their promises about how they’re going to protect consumer information,” FTC Acting Chairman Maureen Ohlhausen told reporters in a conference call Tuesday.

In an emailed statement, an Uber spokeswoman wrote the company is pleased to bring the federal probe to a close. The FTC complaint cites practices dating to 2014, she pointed out.

“We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs,” the spokeswoman wrote. “In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information.

This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”

The deal does not include a fine, but Ohlhausen said the FTC could impose one if Uber fails to comply.

She touted the deal’s requirement that Uber implement a comprehensive “soup to nuts” privacy program, which the company must have reviewed by an outside auditor every other year for 20 years.

Forcing Uber to succumb to two decades of monitoring is a “pretty big deal,” said Brian Hofer, chair of Oakland’s Privacy Advisory Commission, a group that advises Oakland’s city leaders on how to protect residents’ privacy rights.

“This is going to force Uber to be mindful about what they’re doing, to change their operations,” he said.

This isn’t the first time Uber has landed on the wrong side of the FTC. Uber in January agreed to shell out $20 million to settle claims that the company misled drivers with promises of wages that were higher than it could deliver.

Tuesday’s settlement stems from the FTC’s accusations that Uber deceived drivers and passengers about how it was using and storing their personal information. In 2014, media reports surfaced about the company’s use of a platform called “God view,” which showed the real-time locations of Uber riders. Uber employees used the platform to track celebrities, politicians and even ex-boyfriends and girlfriends, according to Reveal, a website and podcast from The Center for Investigative Reporting.

In November 2014, Uber issued a statement assuring riders that it had a “strict policy prohibiting” that kind of spying and promised to monitor employees’ access to user data. Uber developed an automated system to police that access in December, but it wasn’t designed to handle the capacity of requests, according to the FTC complaint. In August of 2015, Uber abandoned that system and began work on a new one, but for six months, the company failed to follow up in a timely manner on automated alerts to the potential misuse of user data, the FTC claimed. Regulators said Uber only monitored access to a handful of high-profile users, such as Uber executives.

Regulators also claimed that while Uber told riders their data was “securely stored within our databases,” in reality, the company failed to protect sensitive information stored in a third-party database operated by Amazon Web Services. Uber didn’t encrypt the information, and allowed employees to access the data with a shared key, according to the complaint.

A hacker broke into the database in May 2014 and accessed driver information including more than 100,000 names and driver’s license numbers, 215 names and bank account numbers, and 84 names and Social Security numbers, according to the complaint.

Those alleged privacy failings are concerning, Hofer said, but the FTC settlement gives him hope.

“We’re in the golden age of surveillance — people are spying on their employees, their customers, selling data to marketers,” he said. “Orders like this will really help raise public awareness.”
