Uber will impose sweeping privacy reforms and submit to 20 years of outside monitoring, but pay no fine.
SAN FRANCISCO — Uber must beef up its privacy protections and submit to 20 years of outside monitoring after failing to safeguard both drivers’ and passengers’ sensitive information, federal regulators said Tuesday.
The penalties — announced as part of a settlement the San Francisco-based ride-hailing company reached with the Federal Trade Commission — are in response to a controversial internal platform known as “God view, ” which Uber employees allegedly used to track the location of riders. Regulators also fault Uber for a 2014 data breach that exposed driver names, their driver’s license numbers, bank account numbers and Social Security numbers.
“Companies must honor their promises about how they’ re going to protect consumer information, ” FTC Acting Chairman Maureen Ohlhausen told reports in a conference call Tuesday. “Companies will be held accountable for their promises.”
Uber did not immediately respond to a request for comment.
The company will pay no monetary fine. But Ohlhausen said the FTC could impose a fine if the company violates the terms of the settlement.
She touted the deal’s requirement that Uber implement a comprehensive “soup to nuts” privacy program, which the company must have reviewed by an outside auditor every two years for 20 years.
The FTC accused Uber of misleading drivers and passengers about how it was using and storing their personal information. In 2014, media reports surfaced about the company’s use of a platform called “God view, ” which showed the real-time locations of Uber riders. Uber employees used the platform to track celebrities, politicians and even ex-boyfriends and girlfriends, sometimes showing it off to visitors as a parlor trick, The Guardian reported.
In November 2014, Uber issued a statement assuring riders that it had a “strict policy prohibiting” that kind of spying, and promising that employees’ access to user data would be monitored going forward. But the FTC claimed the company did not keep its word. Uber developed an automated system for monitoring employee access to customer information in December, but it wasn’ t designed to handle the capacity of requests, according to the FTC complaint. In August of 2015, Uber abandoned that system and began work on a new one, but for six months, the company failed to follow-up in a timely manner on automated alerts to the potential misuse of user data, the FTC claimed. Regulators said Uber only monitored access to a handful of high-profile users, such as Uber executives.
Regulators also claimed that while Uber told riders their data was “securely stored within our databases, ” in reality, the company failed to protect sensitive information stored in a third-party database operated by Amazon Web Services, the FTC said. Uber didn’ t encrypt the information, and it allowed employees to access the data with a single, shared key, according to the complaint.
As a result, a hacker broke into the database in May 2014 and accessed information including more than 100,000 names and driver’s license numbers of Uber drivers, 215 names and bank account numbers, and 84 names and social security numbers, according to the complaint.
“Consumers who share their sensitive information with companies expect robust protection, ” Ohlhausen said. “This case illustrates my continued commitment to hold companies to their promises.”
The settlement will be subject to public comment for one month before becoming final.
This isn’ t the first time Uber has landed on the wrong side of the FTC. Uber in January agreed to shell out $20 million to settle claims that the company misled drivers with promises of wages that were higher than it could deliver.
