Uber, the ride-hailing giant, agreed this week to implement a comprehensive privacy program and to undergo 20 years of privacy and data security audits in order to settle allegations by the Federal Trade Commission (FTC) that Uber did not keep its promises to protect customer data. The FTC had alleged two separate failures by Uber: first, misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second, misrepresenting that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers. This week’s settlement made clear the FTC’s view that being an early-phase company is no excuse for weak data protection measures or misleading statements regarding consumer data privacy.
The settlement resolved an investigation that began in November 2014, after a series of media reports alleging improper access and use of customer personal information by Uber employees caused an outcry among consumers. One article reported that an Uber executive (now former) had suggested that the company hire “opposition researchers” to look into the “personal lives” of journalists who had raised questions regarding Uber’s business practices. A second article described an internal tracking tool, known as “God View,” that displayed the personal information of riders using Uber’s services.
In response to the resulting uproar, Uber issued a statement declaring that “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business interests. . . . The policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violation of the policy will result in disciplinary action. . . .” Uber also developed and deployed, in December 2014, an automated system for monitoring employee access to consumer personal information.
The FTC’s complaint alleged that Uber’s monitoring system was not designed or staffed to scale to support review of access to personal data by Uber’s thousands of employees and contractors, and that in August 2015 Uber ceased to use the system at all while developing a new monitoring system. According to the FTC, Uber also failed to follow up on automated alerts regarding possible improper access during that time. Instead, Uber monitored only access to account information belonging to Uber executives.
In May 2014, an attacker accessed consumer personal information in Uber’s Amazon S3 Datastore using an access key that had been publicly posted by an Uber engineer. The attacker accessed a file containing sensitive personal information of more than 100,000 Uber drivers, including unencrypted names and driver’s license numbers, and bank account and Social Security numbers for hundreds of individuals. Uber learned of the breach in September 2014, and took steps to limit further unauthorized access. However, Uber did not notify affected individuals until February 2015; Uber later learned that the initial notification of more than 40,000 individuals significantly undercounted those affected, and it then sent breach notification letters to an additional 60,000 Uber drivers in the summer of 2016.
Under its agreement with the FTC, Uber is prohibited from misrepresenting how it monitors internal access to customers’ personal information, and how it protects and secures data. Uber is also required to implement a comprehensive privacy program and to submit to annual third-party audits.