Uber Settles Federal Allegations It Deceived Customers About Privacy & Data Security

Image courtesy of Elliott Brown

Uber has reached a deal with the Federal Trade Commission to settle the government’s investigation into the ride-hailing service’s allegedly questionable privacy practices.

As part of the settlement, Uber will implement a comprehensive privacy program and obtain regular, independent audits in order to settle charges that it deceived customers by failing to secure their private, personal information.

In a complaint [PDF] against the San Francisco-based company, the FTC claims Uber failed to closely monitor employee access to customer and driver data, or create reasonable measures to secure users’ personal information that was stored on a third-party server.

Employee Access

In late Nov. 2015, Uber landed in hot water after an executive discussed the idea of digging up dirt on journalists critical of the company.

At the time, Uber executive Emil Michael suggested Uber should spend millions of dollars to hire a team of opposition researchers to spread details of the personal life of Sarah Lacy with PandoDaily – a Silicon Valley site that has a rather contentious relationship with the ride service.

The executive’s comments to Buzzfeed came a month after the journalist wrote an article about her decision to delete Uber’s app after a promotion by the company in France offered to pair riders with “hot chicks.” The journalist encouraged others to ditch the app, too.


While the Uber executive issued an apology for his remarks, saying they were supposed to be off the record, the company was the subject of intense scrutiny from once-loyal users after additional reports suggested the company used an internal aerial tracking tool, dubbed “God View,” that allowed employees to easily track riders.

In an attempt to resolve these issues, Uber assured customers that it had a “strict policy prohibiting” employees from accessing rider or driver data, unless the company has a legitimate business purpose to do so. According to Uber, at the time, legitimate business purposes included:

• Supporting riders and drivers in order to solve problems brought to their attention by the Uber community.
• Facilitating payment transactions for drivers.
• Monitoring driver and rider accounts for fraudulent activity, including terminating fake accounts and following up on stolen credit card reports.
• Reviewing specific rider or driver accounts in order to troubleshoot bugs.

Uber promised customers that employee access to information would be closely monitored on an ongoing basis.

The company even developed an automated system to monitor employee access to consumer personal information. However, the FTC claims the company stopped using it less than a year after it was put in place.

According to the complaint, from approximately Aug. 2015 until May 2016, Uber did not follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, the company only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.

During this time, the complaint alleges, the company did not monitor internal access to personal data unless an employee specifically reported that a co-worker had engaged in inappropriate access.
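The two monitoring gaps alleged above (reviewing only a short list of high-profile accounts, and raising automated alerts that nobody follows up on) can be made concrete with a small access-review script. The following is an added example written for this article; it is not Uber's internal tooling and nothing in it comes from the FTC complaint. The log format, the ticket prefixes standing in for the four stated business purposes, the account ids and the employee names are all constructed.

```python
"""Employee data-access review over constructed access-log lines.

Added example (not Uber's tooling or anything from the FTC complaint).
It contrasts reviewing access to a handful of high-profile accounts
with reviewing every account, and it tracks whether raised alerts
are actually acknowledged within a review SLA.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Set

# Ticket prefixes standing in for the stated business purposes
# (support, payments, fraud review, bug troubleshooting). Constructed.
LEGITIMATE_TICKET_PREFIXES = ("SUP-", "PAY-", "FRAUD-", "BUG-")


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    account_id: str
    data_type: str           # e.g. trip_history, payment, profile
    ticket: Optional[str]    # linked ticket id, or None


@dataclass
class Alert:
    event: AccessEvent
    reason: str
    acknowledged_by: Optional[str] = None


def parse_ts(value: str) -> datetime:
    # Accept a trailing 'Z' on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse the constructed format:
    <iso-ts> <employee> <account-id> <data-type> ticket=<id|none>"""
    events = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, employee, account, dtype, ticket_field = line.split()
        ticket = ticket_field.split("=", 1)[1]
        events.append(AccessEvent(parse_ts(ts), employee, account, dtype,
                                  None if ticket == "none" else ticket))
    return events


def review_access(events: Iterable[AccessEvent],
                  watched_accounts: Optional[Set[str]] = None) -> List[Alert]:
    """Raise an alert for every access not tied to a legitimate ticket.

    watched_accounts=None reviews every account; passing a set reproduces
    the narrow policy of only looking at a few internal accounts."""
    alerts = []
    for ev in events:
        if watched_accounts is not None and ev.account_id not in watched_accounts:
            continue  # silently skipped under the narrow policy
        if ev.ticket is None:
            alerts.append(Alert(ev, "no ticket linked to access"))
        elif not ev.ticket.startswith(LEGITIMATE_TICKET_PREFIXES):
            alerts.append(Alert(ev, f"ticket {ev.ticket} is not a recognised purpose"))
    return alerts


def overdue_alerts(alerts: Iterable[Alert], now: datetime,
                   sla: timedelta = timedelta(days=7)) -> List[Alert]:
    """Alerts that nobody has acknowledged within the review SLA."""
    return [a for a in alerts if a.acknowledged_by is None and now - a.event.ts > sla]


# Constructed sample log; acct-exec-1 stands for an internal high-profile account.
SAMPLE_LOG = """
# ts employee account data_type ticket
2016-01-05T10:00:00Z alice acct-1001   trip_history ticket=SUP-4411
2016-01-05T10:02:00Z bob   acct-2002   trip_history ticket=none
2016-01-05T11:15:00Z carol acct-3003   payment      ticket=PAY-778
2016-01-06T09:30:00Z bob   acct-2002   profile      ticket=none
2016-01-06T14:00:00Z dave  acct-exec-1 profile      ticket=MKT-12
""".splitlines()

HIGH_PROFILE = {"acct-exec-1"}


def summarize(now: Optional[datetime] = None) -> dict:
    """Alert counts under the narrow and full policies, plus unacknowledged ones."""
    events = parse_log(SAMPLE_LOG)
    narrow = review_access(events, watched_accounts=HIGH_PROFILE)
    full = review_access(events)
    full[0].acknowledged_by = "reviewer"   # one alert was actually followed up
    now = now or datetime(2016, 2, 1, tzinfo=timezone.utc)
    return {"narrow": len(narrow), "full": len(full),
            "overdue": len(overdue_alerts(full, now))}


if __name__ == "__main__":
    for a in review_access(parse_log(SAMPLE_LOG)):
        print(f"{a.event.ts.isoformat()} {a.event.employee} -> {a.event.account_id}: {a.reason}")
    print(summarize())
```

Run as-is, the narrow policy sees one suspicious access (the one against the executive account) while the full review sees three, and two of those remain overdue because no one acknowledged them within the seven-day SLA. The point for a defender is that an alert pipeline is only a control if its scope covers the data that matters and someone is accountable for closing each alert.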

Data Storage

Additionally, the FTC complaint alleges that Uber failed to deliver on claims that all customer information was “securely stored within our databases.”

In several instances, the FTC claims Uber’s customer service reps assured customers of the strength of the company’s security practices.

“Your information will be safely and used only for purposes you’ve authorized,” a rep said, according to the complaint. “We use the most up-to-date technology and services to ensure that none of these are compromised.”

“I understand that you do not feel comfortable sending your personal information via online,” another rep allegedly said. “However, we’re extra vigilant in protecting all private and personal information.”

Despite this, the FTC claims the company’s actual security practices failed to prevent unauthorized access to customers’ personal information.

Until Sept. 2014, Uber failed to implement reasonable access controls to safeguard data stored in third-party databases, such as requiring engineers and programmers to use distinct access keys to access personal information of drivers and customers, according to the complaint.

Instead, Uber allowed employees to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the information.

In addition, Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud, the complaint states.

As a result of these alleged failures, the complaint states, an intruder was able to access personal information about Uber drivers in May 2014, including more than 100,000 names and driver’s license numbers stored in a datastore operated by Amazon Web Services.

Uber did not discover this intrusion until Sept. 2014, the complaint alleges, and only then did the company take steps to prevent further unauthorized access.

While Uber initially identified nearly 49,000 drivers affected by the breach, the company discovered in the summer of 2016 that an additional 60,000 drivers’ information was accessed.

The Settlement

Under today’s settlement, Uber is prohibited from misrepresenting how it monitors internal access to consumers’ personal information, and from misrepresenting how it protects and secures that data.

The company is required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company.

Additionally, Uber is required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.

Acting FTC chairman Maureen Ohlhausen noted on a call today that while the settlement does not include a penalty, Uber could be fined if it is found to violate the agency’s order.

Consumerist has reached out to Uber for comment on the settlement. We’ll update this post if we hear back.
