Uber’s privacy violations a cautionary tale for others
February 2015 | EXPERT BRIEFING | DATA PRIVACY
Launched in 2009, Uber – the taxi-hailing app – exploded into existence with the bold claim that it offers its customers the ‘safest ride on the road’. However, recent revelations in Forbes, the Washington Post and others have highlighted that safety doesn’t necessarily equate to security.
Data privacy 101
Uber consciously developed a tool it calls ‘God View’ which, when used legitimately, allows tracking of all Uber customers in real time. However, Forbes reported that Uber often used this function as entertainment at parties, showing the Ubers in a city and the silhouettes of waiting Uber users who had flagged cars. While this may be a strong sales gimmick, one party attendee reported that real-time information was used and as a result individuals were identifiable.
Another article in The Washington Post cited an instance in which Uber senior executives examined the travel records of reporters who might write critically about the company, with Uber Senior Vice President Emil Michael going so far as speaking publicly of his desire to spend $1m to dig up information on “your personal lives, your family”. The same article also cited an Uber 2012 blog (interestingly no longer available) in which a company official analysed ride data to predict overnight sexual liaisons, which Uber dubbed “Rides of Glory”.
And it’s not just employees who have too much access, if a Post source is to be believed. He interviewed for a job at Uber in 2013 and enjoyed unfettered access to customer data for a day – including for hours after the interview ended – just as if he were an employee.
If any of these allegations are true, not only are they a gross invasion of privacy, but the company could potentially be in violation of both the UK’s Data Protection Act (DPA) and the EU Privacy Directive, and may be exposing itself to serious risk.
In the case of the DPA, it is fair to say that Uber breaches many of its principles. For example, principle three states “Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”. Principle seven states “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
Under EU law, “personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organisations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law”.
In Uber’s case, even if one can find its privacy notice on its website, it likely wouldn’t include statements like, “Uber reserves the right to use your ridership data to track your every movement, predict your sexual activities, or humiliate you as the company sees fit”.
Time to take consumer privacy seriously
While the alleged behaviour of Uber’s executives is highly inappropriate, what could a more conscientious organisation do to protect the privacy of customers?
For one, companies need to be familiar with the local laws that govern privacy and customer data, and have documented policies and practices in place to govern the handling of this sensitive data – and ensure that employees are trained accordingly. The data collected by Uber, including name and credit card information, are personal details regulated by many privacy laws across the globe. Given the allegations, other details such as current location and regularly travelled locations (such as home and place of work) may not fall under current legislation, but will likely become areas to which legislators look to extend protection in the future.
Second, no organisation should give all employees unfettered access to such a vast trove of customer (or employee) data, unless it is pertinent to their role. The fact that Uber gave not just employees, but also interviewees, unlimited access to customer data is shocking, and its reported misuse of travel details for personal agendas has opened the company up to scrutiny by regulatory agencies around its privacy practices.
The potential for abuse is vast, with open access to this kind of information. Not only could Uber employees credibly conduct attacks like the one suggested against reporter Sarah Lacy, but such access also invites the possibility of both cyber and physical stalking, abuse of credit card data, and corporate and government espionage based on the physical movements of riders – not to mention the basic fact that the more people who have access to this data, the more likely it is to leak publicly or be misused in another manner.
Uber serves as a good cautionary tale to all businesses, and a reminder to evaluate current data access and usage policies. What every organisation should take away from the Uber situation is that customer data should be closely guarded, and access granted only when absolutely necessary for an employee to do their job.
In addition to controlling what applications employees have access to, organisations should also look to employ granular security methods such as content classification and encryption to restrict who can access personal and other sensitive data, and control what authorised users can do with it. For example, you may want to ensure payment card details can’t be emailed or downloaded to the desktop. And non-employees, even ones that you’re thinking of hiring, should never be allowed unrestricted access to corporate data and networks. Finally (and perhaps most importantly), it’s imperative to set an example from the top down, and communicate to all employees the value, the sensitivity and the sanctity of customer data.
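The payment card example above, sketched as an added illustration (this is not code from the article, from Uber or from any product): content is first classified, then a default-deny policy decides what each role may do with it. The label names, role names and policy table are hypothetical, and the sample strings in the usage are constructed.

```python
import re

# Candidate card numbers: 13-19 digits, optionally split by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long order/reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(text: str) -> str:
    """Content classification: label text that carries a plausible card number."""
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", match.group())):
            return "PAYMENT_CARD"
    return "GENERAL"

# Hypothetical policy: label -> role -> actions that role may perform.
# Anything not listed is denied, so an unknown role (for example a job
# candidate) gets no access at all, and no role may email or download
# card data.
POLICY = {
    "PAYMENT_CARD": {"billing": {"view"}},
    "GENERAL": {
        "billing": {"view", "email", "download"},
        "support": {"view", "email"},
    },
}

def is_allowed(role: str, action: str, text: str) -> bool:
    """Default-deny decision based on the content's classification."""
    return action in POLICY.get(classify(text), {}).get(role, set())

if __name__ == "__main__":
    sample = "Card on file: 4111 1111 1111 1111"   # constructed test number
    for role, action in [("billing", "view"), ("billing", "email"),
                         ("candidate", "view")]:
        print(role, action, is_allowed(role, action, sample))
```

In practice the same decision point would sit in front of the mail gateway and file-export paths, and every denial would be logged for review.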
Customers are the lifeblood of any business, and those who do not respect and appreciate the ones they serve are likely to find themselves the targets of those same customers.
Kurt Mueffelmann is president and CEO of Cryptzone. He can be contacted on +1 (855) 427 9789 or by email: firstname.lastname@example.org.
© Financier Worldwide