Uber has agreed to settle the charges brought against it by the U.S. Federal Trade Commission (FTC), which accused the company of deceiving its riders “by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.”
In October of 2014, Uber was alleged to have a ‘God View’ over its riders, able to determine the whereabouts of specific people using its service; by December, it had developed an automated system to monitor its employees’ access to personal user data. The FTC alleged in its complaint that the company seldom used this automated system and, more importantly, was storing the sensitive data insecurely on a third-party service, in this case Amazon Web Services (AWS).
Among other security failures, the FTC alleged that Uber’s engineers and executives were using a single AWS access key that provided them with full administrative access to its entire database, resulting in an intruder accessing and stealing personal information (names and license numbers) of over 100,000 of its drivers.
Maureen K. Ohlhausen, the FTC’s Acting Chairman, said in a statement today:
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data.”
As part of its settlement, Uber will have to implement a new privacy program as per the FTC’s requirements; this program will cover privacy risks in upcoming as well as existing products. In addition, the company will have to obtain independent third-party audits every two years, for the next twenty years, certifying that “it has a privacy program in place that meets or exceeds the requirements of the FTC order.”
Ohlhausen added that Uber’s case “shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”
In a statement, an Uber spokesperson reiterated the company’s existing security practices:
"We are pleased to bring the FTC’s investigation to a close. The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information."
It's been a busy few months for Uber this year; in February, Alphabet’s Waymo accused the company of stealing confidential trade secrets for its self-driving car project. In March, it was accused of developing and using a tool named ‘GreyBall’ in order to evade the scrutiny of local authorities worldwide.
In May, Uber sacked former Waymo executive Anthony Levandowski, who was the vice president responsible for Uber’s self-driving car project. Soon after, in June, Uber CEO Travis Kalanick resigned due to pressure from the company’s shareholders; the company has since been looking for a new CEO, but it hasn’t been very successful in finding one that meets its criteria.