Uber Settles With New York AG After ‘Playing God’ With Data

New York Attorney General Eric Schneiderman on Thursday announced a deal that would require Uber to encrypt geolocation information about its riders, as well as enhance its data security practices.

The AG opened an investigation into Uber in 2014, in response to allegations that the service had tracked riders and displayed their locations in an aerial format, known internally as the “God View.”

The AG’s office opened another investigation early last year, after Uber notified it that an unauthorized third-party had accessed the names and driver’s license information of Uber drivers as early as May 2014, although the company did not discover it until the following September, according to legal documents obtained by the E-Commerce Times.

“We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of any employee of any company operating here,” Schneiderman said.

New Data Rules

The settlement requires that Uber encrypt rider geolocation information, adopt multifactor authentication before any Uber employee can access sensitive rider information, and engage in other protection practices, according to the AG’s office.

The settlement also requires Uber to pay a US$20,000 penalty for failing to provide timely notice to drivers and to the AG’s office regarding the September 2014 data breach.

“We are deeply committed to protecting the privacy and personal data of riders and drivers,” Uber said in a statement provided to the E-Commerce Times by spokesperson Matt Wing. “We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes it clear our commitment to best practices that put our community first.”

We’ve Been Expecting You

Buzzfeed reporter Johana Bhuiyan in 2014 discovered that her Uber ride had been tracked as she traveled to the company’s Long Island City headquarters while on assignment to interview its New York general manager.

She had not given prior consent to the tracking, and it was against company policy to do such a thing, according to a Buzzfeed exclusive report.

The AG’s office mentioned the Buzzfeed article in its announcement of the settlement; however, Wing declined to comment on the incident.

Uber last year posted a privacy policy that mentioned the hiring of law firm Hogan Lovells to review the company’s privacy practices.

Uber conducts annual privacy and security training, has an employee designated to supervise it, and takes other steps that already comply with the AG agreement, it said.

Companies often fail to protect sensitive customer data, according to Charles Duan, staff attorney at Public Knowledge, who pointed to the AT&T breach in which call center employees had access to customer data, including 280,000 Social Security numbers.

“I expect that many consumers will now start to think twice before hitting that Uber request button,” he told the E-Commerce Times. “Uber’s ride service is largely based on the idea that it’s better than taxis, and now they’ve shown that taxis are actually superior in at least one respect — namely, privacy and anonymity.”