Blog Post

Uber touts “strict” privacy rules, but terms suggest broad access

Car-sharing service Uber, already under fire for a plan to attack journalists, appears to be scrambling to get ahead of another potential PR nightmare — this one related to its allegedly cavalier use of customers’ personal information.

On Tuesday evening, Uber published a blog post stating it has a “strict policy prohibiting all employees at every level from accessing a rider or driver’s data” and that it relies on careful privacy standards to preserve the trust of its users. Those claims, however, may not be reflected in Uber’s existing privacy policy, which dates from July 2013, and is (for now) still posted on the company’s website.

One item that stands out is Uber’s claim that it shares “Personal Information” (defined to include name, email address and phone number) and the location with companies — presumably black car dispatchers — associated with its drivers:

We also provide some of your Personal Information (such as your first name and your photo, if you have chosen to upload your photo to your profile) to the driver/partner who accepts your request for transportation so that the driver may contact and find you, and to those users with whom you have agreed to split the fare for a particular trip. The companies for which drivers work (that are providing the transportation service) are also able to access your Personal Information, including your geo-location data [my emphasis]

Uber and its drivers must, of course, have access to some customer information, including current location, for the service to operate in the first place. Still, the drafting above suggests the company is not exactly enforcing a “strict policy” over who can get its hands on information about customers and where they are.

These type of legal niceties are especially relevant in light of alarming allegations that Uber staff have wowed party guests with a “God view” feature that shows the exact name and location of everyone using the service at a given time. As Tim Lee at Vox explains, the company is in possession of a staggering amount of data, including the travel habits of politicians, and does not appear to be practicing the level of data hygiene that usually goes with such control.

There is also one other item in the existing privacy policy that might unnerve users: Uber retains all the data about you and your travel habits even if you quit the service:

Even after your account is terminated, we will retain your Personal Information and Usage Information (including geo-location, trip history, credit card information and transaction history) as needed to comply with our legal and regulatory obligations, resolve disputes, conclude any activities related to cancellation of an account (such as addressing chargebacks from your credit card companies), investigate or prevent fraud and other inappropriate activity, to enforce our agreements, and for other business reason. [sic][my emphasis]

The policy does add that Uber will eventually anonymize the data but it doesn’t say how or when. Also, the phrase “and for other business reason” [sic] appears to provide the company with a lot of latitude to poke through the data of not just customers — but ex-customers too.

As noted above, the fact that Uber is announcing a “strict policy” on privacy, but without new legal language, suggests this is for now a PR exercise. And who knows? It may work. But first, Uber will have to get top on its current crisis, for which CEO Travis Kalanick described today in a 13-part mea culpa on Twitter: