Uber and the Federal Trade Commission (FTC) have settled a complaint regarding the company's privacy and security practices. The settlement will require Uber to implement a new privacy program and submit itself to regular third-party audits to make sure it's protecting its users' data.
The complaint in question alleged that Uber misrepresented its privacy and security programs to riders and drivers. The FTC said Uber failed to stop employees from inappropriately accessing user data, and that the company failed to provide "reasonable security" for the data it stored on Amazon Web Services. These issues would have been worrisome enough on their own, but together, they left user data exposed to both insiders and outside attackers.
Compromising this information could have been disastrous for Uber drivers and riders. The FTC said in its complaint that Uber collected the "name, email address, phone number, postal address, profile picture, Social Security number, driver’s license information, bank account information (including domestic routing and bank account numbers), vehicle registration information, and insurance information" of its drivers.
Uber also collected the "names, email addresses, postal addresses, profile pictures, and detailed trip records including precise geolocation information" about its riders. Together, all of this information could be used to harm everyone with the Uber app installed on their phone. (The FTC's complaint didn't even cover Uber's decision to "fingerprint" individual smartphones and to hide that practice from App Store reviewers.)
All of this information could have been used to devastating effect. Uber employees and outside hackers alike could have used that personal data to stalk someone, blackmail them, or steal their identity. The FTC's complaint highlighted these risks, and now this settlement is supposed to make sure Uber better protects its users' data. The commission said in a news release that, as a result of this settlement, Uber will be:
- prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
- prohibited from misrepresenting how it protects and secures that data;
- required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
- required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.
The full agreement between Uber and the FTC is publicly available. The public has 30 days to comment on the agreement before it's finalized, so if you think there's something missing, you can let the FTC know any time between now and September 15. Maybe after the agreement goes into effect Uber will live up to the praise it's received for protecting its users' personal information.