Ridesharing behemoth Uber agreed Tuesday to institute “a culture of privacy” in how it handles personal information from its passengers and drivers, following a Federal Trade Commission investigation that revealed the company misrepresented its internal data access policies and failed to take reasonable security measures to safeguard data in the cloud.
The FTC announced the proposed settlement — which does not include any monetary penalty on Uber — in a press call held by the agency’s acting chairwoman, Maureen Ohlhausen.
The settlement, she said, will last for 20 years and “requires a culture of privacy at Uber” — which has to appoint a privacy officer, institute a privacy program and get it audited by an independent third party.
FTC officials say that they don’t have the power to impose monetary penalties — except for violations of existing orders. The commission also generally doesn’t seek financial redress for consumers unless there is a tangible and easily calculable direct harm, which there rarely is in privacy cases.
Uber executives have publicly forecast that an FTC consent order would likely cost the company $5 million a year.
The message from the case, Ohlhausen said, was plain: “Companies must protect customers’ data at every stage … They must collect it securely, store it securely” and ensure that it can only be accessed securely by authorized personnel.
She added that, in the FTC’s eyes, Uber drivers, whom the company insists are independent contractors even if they work full time, count as the company’s consumers. “To the extent that the drivers are individuals who use the platform, we consider them protected by the FTC Act” just like riders are, she said.
According to Ohlhausen, the case first arose after press reports in November 2014 which alleged that Uber management had considered hitting back at journalists who wrote about the company — using data about their personal lives harvested from its ride-sharing app. Subsequent reporting revealed a feature in Uber’s technology called God View which allowed staff throughout the company to view the activities of named users.
In response to the firestorm of criticism, Uber issued a statement claiming it monitored employee access to customer and driver personal data very closely. But the FTC complaint says the company abandoned its automated monitoring system after only eight months and “only monitored access to account information belonging to a set of high-profile internal users, such as Uber executives.”
Then, as the investigation proceeded, the company publicly disclosed a major breach of personal data from nearly 110,000 drivers — including names, postal and email addresses, social security and driver’s license numbers. The FTC complaint says this sensitive personal information was stored unencrypted in Amazon Web Services S3 cloud storage, and that access to it was not limited, auditable or protected by two-factor authentication, despite Uber’s boasts that it used best practices.
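The four controls the complaint found missing (encryption at rest, limited access, an audit trail, and two-factor authentication) each map onto a standard S3 setting. The Terraform below is an added illustration written for this article, not Uber’s configuration or anything taken from the FTC filing; the bucket names are placeholders.

```hcl
resource "aws_s3_bucket" "driver_records" {
  bucket = "example-driver-records" # placeholder bucket name
}

# 1. Encrypted at rest: every object is encrypted by default when written.
resource "aws_s3_bucket_server_side_encryption_configuration" "driver_records" {
  bucket = aws_s3_bucket.driver_records.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# 2. Access limited: no public ACLs and no public bucket policies.
resource "aws_s3_bucket_public_access_block" "driver_records" {
  bucket                  = aws_s3_bucket.driver_records.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# 3. Auditable: server access logs are written to a separate log bucket.
resource "aws_s3_bucket_logging" "driver_records" {
  bucket        = aws_s3_bucket.driver_records.id
  target_bucket = "example-access-logs" # placeholder; must already exist
  target_prefix = "driver-records/"
}

# 4. Two-factor: deny any request whose caller did not authenticate with MFA.
#    BoolIfExists also denies when the key is absent (e.g. long-term access keys).
resource "aws_s3_bucket_policy" "driver_records" {
  bucket = aws_s3_bucket.driver_records.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyWithoutMFA"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource  = [aws_s3_bucket.driver_records.arn, "${aws_s3_bucket.driver_records.arn}/*"]
      Condition = { BoolIfExists = { "aws:MultiFactorAuthPresent" = "false" } }
    }]
  })
}
```

The Deny statement is evaluated before any Allow, so even an over-broad IAM grant cannot reach the objects without an MFA-backed session; pair the access logs with CloudTrail S3 data events if per-object reads must be attributable to individual staff.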
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said Ohlhausen.
Under its agreement with the commission, Uber must:
- Stop misrepresenting how it monitors its employees’ and contractors’ access to consumers’ personal information
- Stop misrepresenting how it protects and secures that data
- Implement “a comprehensive privacy program” that protects the security and confidentiality of personal information collected by the company and “addresses privacy risks related to new and existing products and services”
- Obtain within 180 days, and every two years thereafter for the next 20 years, an independent, third-party audit certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC’s consent order
In a statement emailed to reporters, the company said it was “pleased to bring the FTC’s investigation to a close.”
Noting that the conduct in the complaint dated back to 2014, the company claimed to have “significantly strengthened our privacy and data security practices since then,” adding it would “continue to invest heavily in these programs. … This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”
The FTC will publish the complaint and proposed settlement in the Federal Register, where it will be open for public comment for one month, “after which the commission will decide whether to make the proposed consent order final.”