Uber Settles Lawsuit with FTC, Agrees to Privacy Audits
In order to settle a lawsuit brought by the Federal Trade Commission (FTC), Uber has agreed to have its privacy practices audited for the next twenty years.
The BBC reported that Uber will need to have its privacy controls reviewed by an independent auditor every two years. Uber faces fines if it fails to comply.
According to the FTC's complaint, Uber was the subject of news reports alleging that the company had improperly accessed and used consumers' personal information.
For example, one 2014 article stated that an Uber executive had suggested hiring "opposition researchers" and journalists to look into the personal lives of journalists who criticized Uber's business practices.
Another article reported on an internal tracking tool, called "God View," that displayed the personal information of consumers using Uber.
Uber reportedly took steps to protect consumer information in response to these articles, but the FTC charged that it didn't do enough:
Despite Respondent’s [Uber's] representation that its practices would continue on an ongoing basis, Respondent has not always closely monitored and audited its employees’ access to Rider and Driver accounts since November 2014. Respondent developed an automated system for monitoring employee access to consumer personal information in December 2014 but the system was not designed or staffed to effectively handle ongoing review of access to data by Respondent’s thousands of employees and contingent workers.
The FTC said that the company stopped using the automated system after a year.
Also, charged the FTC, Uber didn't follow up in a timely manner on automated alerts about the potential misuse of consumers' personal information.
In general, concluded the FTC, despite assuring consumers that their data was secure, Uber "failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information..."
As a result, an intruder was able to access consumers' personal information in a data breach, using an access key that an Uber engineer had publicly posted to the code-sharing site GitHub.
According to the FTC:
The intruder accessed one file that contained sensitive personal information belonging to Uber Drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. The file also contained other Uber Driver information, including physical addresses, email addresses, mobile device phone numbers, device IDs, and location information from trips the Uber Drivers provided.
Since Uber represented that its data was reasonably secure, and since Uber didn't actually provide consumers with secure data storage, its representations were false and misleading and thus violated the Federal Trade Commission Act, 15 U.S.C. § 45(a), according to the FTC.
The Act prohibits unfair or deceptive business practices.
Uber will not pay any financial penalties as a result of this latest FTC settlement. In January, Uber agreed to pay $20 million to settle charges that it deceived drivers by exaggerating what they could expect to earn.
According to the New York Times, Uber has strengthened its privacy and data security measures in recent years.