Uber settled FTC allegations that it failed to protect user and driver data from access by company employees and outside hackers, despite its pledges to do so. As part of the settlement, Uber will face 20 years of privacy audits, the FTC said.
The FTC’s complaint stems from two November 2014 BuzzFeed stories, one that quoted a top Uber executive (since fired) saying the company might hire opposition researchers to dig up personal data on journalists and another that said Uber employees were using an internal tool called “God View” that let them track users’ whereabouts, including those of a BuzzFeed reporter.
Uber responded to the reports by publicly outlining a policy “prohibiting all employees at every level from accessing a rider or driver’s data.” The FTC complaint said that a system Uber developed to monitor employee access to user data was “not designed or staffed effectively.” By August 2015, Uber stopped following up on alerts from the system and began tracking the access of only a handful of employees, the FTC’s complaint said.
In addition, Uber stored unencrypted personal data of users and drivers on Amazon’s S3 cloud service, despite assuring both that Uber was “vigilant” in securing the data. In May 2014, the complaint said, after an Uber engineer shared an access key on GitHub, an intruder was able to access the unencrypted names and driver’s licenses of more than 100,000 Uber drivers, as well as some bank account and Social Security numbers.
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting chairman Maureen K. Ohlhausen in a statement.
The FTC, which said Uber’s lapses violated the Federal Trade Commission Act, ordered Uber to stop misrepresenting its efforts to protect personal data, to implement a comprehensive privacy program, and to submit to privacy audits every two years for the next 20 years. Failing the audits could lead to further penalties, including heavy fines.
Uber accepted the order as part of the settlement, but neither admitted nor denied the allegations in the complaint.
The settlement is the latest in a long string of legal headaches for Uber, which is being sued by Google’s Waymo unit for stealing trade secrets and is facing another lawsuit from drivers alleging they were systematically short-changed by its algorithms. Uber’s board is also divided by a lawsuit that investor Benchmark filed against founder and ex-CEO Travis Kalanick last week.
Last year, Uber settled a separate complaint with New York’s Attorney General over the “God View” spying technology, paying a $20,000 fine. In January, Uber agreed to pay $20 million to the FTC to settle separate claims that it misled drivers about both potential earnings and the cost of leasing cars from the company.
Most of Uber’s legal battles emerge from a culture of risk-taking and aggressiveness that Kalanick fostered at the company for years. On a conference call discussing the settlement, the FTC’s Ohlhausen indicated the order was meant to promote change in that culture. “Our order requires a culture of privacy and sensitivity at Uber,” she said. “It will make them take privacy into account every day.”
Ohlhausen said other companies using Uber’s on-demand business model would also be subject to similar privacy standards. “This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: you must honor your privacy and security promises,” she said.