Ridesharing company Uber is making headlines again, this time bringing into question the privacy of their customers and their employees. Last week, Uber agreed to settle with the Federal Trade Commission for failing to protect consumers’ sensitive data and privacy. Although they are not required to pay a settlement, they are required to hire a privacy auditing firm to oversee its privacy practices every two years for the next two decades. Any violations stemming from those visits may result in financial penalties.
These accusations alleged that Uber not only misled the public about its efforts to bolster privacy, but also failed to implement basic security measures on their apps. The core of the government complaint comes down to two issues:
- “God View.” A proprietary program developed by Uber, this app allowed employees to closely monitor the location of riders and drivers in real-time, without their permission or knowledge. This includes being able to pinpoint their location on a map, as well as recalling rider logs and documentation. Uber was criticized heavily in 2014 when it was revealed that executives were using it to snoop on riders.
- Lack of security. A massive data breach in 2014 resulted in the release of hundreds of thousands of drivers’ names and driver license numbers. The FTC alleges that this was due to the lack of basic security practices, such as two-factor authentication. Additionally, they found that customer information was not only stored online, but in an unencrypted format, making it incredibly easy for hackers to parse and utilize.
Since the breach in 2014, Uber maintains that it has improved their data security, installing safeguards to prevent breaches and protect data.
Has Uber Improved Their Privacy Policies?
Uber’s relationship with “God View,” however, is a bit more complicated. After it made headlines in 2014, resulting in a $20,000 fine by New York Attorney General Eric Schneiderman, Uber stated it would strengthen its efforts to enforce abuse of “God View,” even building a system to police employee access. However, according to the FTC, Uber abandoned the tool after less than a year, and thus abandoned any monitoring on employees’ use of the tool.
Uber’s battle with consumer data privacy has been as tumultuous as its ongoing internal struggles, which include recent claims of sexual harassment, a toxic workplace culture, and the departure of top executives, including chief executive Travis Kalanick. After the original kerfuffle in 2014, “God View” gained publicity again last year when Uber’s former forensic investigator Samuel Ward Spangenberg made allegations that employees were using the app to track celebrities, politicians and “stalk exes” without the approval of executives.
This was also confirmed by senior security engineer Michael Sierchio, who claimed thousands of employees could still gain access to real-time rider information – even after the company settled with the New York Attorney General.
While these could rationally be dismissed as baseless accusations from disgruntled former employees, Uber’s recent reputation may put more weight on their allegations than initially thought.
What is Grey-Balling?
In March, it was revealed that Uber was taking measures to prevent law enforcement officials from hailing rides in cities where the ridehailing service was banned or otherwise restricted. Using a tool code-named “Greyball,” Uber was able to identify plainclothes officers requesting rides on their apps, and display “fake” versions of the app on their phones – effectively allowing the company to operate in a city where it was banned.
Although “greyballing” is technically legal, its controversial use by companies such as Uber may push policymakers to restrict or ban such practices outright.