Uber admits it failed on consumer privacy, settles with FTC

Uber Violated Privacy Policy, FTC Says

Uber Violated Privacy Policy, FTC Says

In its complaint, however, the FTC alleged Uber abandoned the system within a year and thereafter "rarely monitored" the use of God View by employees. Earlier this year, Uber agreed to pay $20 million to settle a complaint that it misrepresented and exaggerated potential driver earnings and auto financing terms, through its Vehicle Solutions Program.

After news reports that employees were improperly accessing consumer data, Uber said in November 2014 that it had a strict policy prohibiting workers from accessing information about customers or drivers.

Under the new agreement with the FTC, Uber has to do some very simple things: stop "misrepresenting how it monitors internal access to consumers' personal information" and "misrepresenting how it protects and secures that data".

But it's the 20 years of privacy checkups - completed by a third party, then submitted by the watchdog agency - that could prove most onerous for the company. The FTC complaint said that a system Uber developed to monitor employee access to user data was "not designed or staffed effectively".

"This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honor your privacy and security promises".

Uber was also under investigation for a God View tool which provided its employees access to user data. That includes a period between August 2015 until May 2016, the FTC said, when Uber "did not timely follow up on automated alerts concerning the potential misuse of consumer personal information".

As part of this recent settlement, Uber "neither admits nor denies" any wrongdoing, but has agreed to implement the changes ordered by the FTC.

Separately, the FTC alleges that Uber did a poor job of securing its data.

"The complaint involved practices that date as far back as 2014", a spokesman said.

It fixed other issues after the discovering the breach, including previously allowing engineers and programmers to use a single key to access data stored in Amazon S3 with full administrative rights; not restricting access to data based on job function; and not requiring multi-factor authentication to access the data. In fact, the company hired its first Chief Security Officer in 2015 and now employs hundreds of professionals to ensure that their user information is protected.

In a statement forwarded via e-mail, an Uber representative announced that the company is relieved to bring FTC's investigations to a close finally. Uber is also prohibited from misrepresenting its privacy practices to consumers.

Uber has settled with federal regulators that accused the start-up of "deceptive privacy and data security claims". "This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information".

Recommended News

We are pleased to provide this opportunity to share information, experiences and observations about what's in the news.
Some of the comments may be reprinted elsewhere in the site or in the newspaper.
Thank you for taking the time to offer your thoughts.