Ride-hailing services have vital information about both their drivers and their readers on file. For drivers, they have license and vehicle information, as well as personal information used for payment. For passengers, a location-based app knows where users are, creating a Marauder’s Map of cars and people in a city. NeW York State has settled with ride-hailing company Uber for $20,000 over a 2014 breach, and the company also agreed to encrypt and limit access to passenger location information.
“God View” was a tool that would allow Uber staff to see every user on the system, giving them the ability to track someone in a vehicle in real time. While that might have useful customer service applications, when the tool’s existence was revealed in a 2014 Buzzfeed story, many users weren’t comfortable with the existence of the tool or potential misuses.
A reporter for that site received logs of her personal Uber trips from the New York general manager, which was not a legitimate business use of access to that data. The same manager was waiting for her at the door when she later visited Uber’s New York office, explaining that he had tracked her arrival using God View, knowing the exact time she would be arriving at the door.
Before the Buzzfeed story, a venture capitalist recounted in a blog post that he was riding in an Uber vehicle in New York City when he received text messages with his exact location from someone attending an Uber launch party in a different city. He and other “notable” people taking Uber rides at that moment were being show to party guests in real time. Is that a legitimate business use of data?
Users of the service were understandably uncomfortable to learn about this. By January 2015, that version of the tool had apparently been retired and replaced with one that allowed real-time system viewing, but without users’ personal information.
That’s not what the $20,000 settlement is for, though. In an unrelated privacy issue, hackers gained access to information about the service’s drivers, including their names and license numbers.
“We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first,” an Uber spokesperson told Bloomberg in a statement.
“I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees’ private information,” NY AG Eric Schneiderman said in a statement.
Uber drivers are neither customers nor employees; they’re independent contractors, which is the subject of a class action lawsuit against the company in California that will be tried later this year.
Uber Reaches Accord With New York Over Tracking Rider Data [Bloomberg]
Uber settles ‘God View’ allegations [USA Today]