Sen. Franken Presses Car Service Uber to Clarify its Data Privacy Policies
Senator Says Recent Comments by Uber Exec Show Disregard for Journalists & Customers, Raise Serious Privacy Concerns
Today, U.S. Sen. Al Franken (D-Minn.) pressed Uber—a popular car service company that uses a GPS-based smartphone application to connect passengers with drivers—to clarify its data collection practices.
Earlier this week, it was reported that a top Uber executive made statements seemingly suggesting that the company may be able to use its vast storage of customers' data to target journalists who criticize the company. Although Uber has since walked back these remarks, Sen. Franken said that the reported statements raise serious concerns about Uber's privacy policies.
In a letter sent today, which you can read here or below, Sen. Franken pressed the CEO of Uber to explain what steps the company has taken to ensure that its privacy policies are adequately communicated and enforced. Sen. Franken also asked the company to explain how widely it uses its so-called "God View," which reportedly allows Uber's corporate employees to track riders' locations.
"I am writing in regard to reports of recent comments and actions by top Uber executives concerning journalists. The reports suggest a troubling disregard for customers' privacy, including the need to protect their sensitive geolocation data," wrote Sen. Franken. Later, he continued, "This raises serious concerns for me about the scope, transparency, and enforceability of Uber's policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced."
Sen. Franken has long been an advocate of protecting consumers' privacy, especially in light of new technologies. Earlier this year he reintroduced his Location Protection Privacy Act, which would ban so-called stalking apps once and for all and give consumers more control over their private location information.
You can read the full text of today's letter here or below.
November 19, 2014
Mr. Travis Kalanick
Chief Executive Officer
Uber Technologies, Inc.
Dear Mr. Kalanick:
I am writing in regard to reports of recent comments and actions by top Uber executives concerning journalists. The reports suggest a troubling disregard for customers' privacy, including the need to protect their sensitive geolocation data.
On November 17, BuzzFeed reported that Uber's Senior Vice-President of Business Emil Michael recently made statements suggesting that Uber might mine private information to target a journalist who had criticized the company. Company spokeswoman Nairi Hourdajian responded by insisting that such actions would violate Uber's policies. She claimed, in particular, that "‘executives looking at journalists' travel logs ... would be clear violations of our privacy and data access policies." She further asserted that "[a]ccess to and use of data is permitted only for legitimate business purposes," and that the company "regularly monitor[s] and audits that access."[1]
In a blog post yesterday, Ms. Hourdajian sought to stress that Uber permits employees to access riders' or drivers' data for only a "limited set of legitimate business purposes." She provided several examples of "legitimate business purposes," but the "limited set" was not fully described. According to the post, the "policy is also clear that access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action."[2]
However, the policies made available on your website (https://www.uber.com/en-US/legal/usa/privacy) do not in any clear way match or support what your company has stated in the wake of Mr. Michael's reported statements. This raises serious concerns for me about the scope, transparency, and enforceability of Uber's policies. Moreover, it is unclear what steps, if any, you have taken to ensure that your policies are adequately communicated to all employees, contractors, and affiliates, and to ensure that such policies are fully enforced.
I am especially troubled because there appears to be evidence of practices inconsistent with the policy Ms. Hourajian articulated. It has been reported that a tool known as "God view" is "widely available to most Uber corporate employees" and allows employees to track the location of Uber customers who have requested car service.[3] In at least one incident, a corporate employee reportedly admitted to using the tool to track a journalist. The journalist's permission had not been requested, and the circumstances of the tracking do not suggest any legitimate business purpose. Indeed, it appears that on prior occasions your company has condoned use of customers' data for questionable purposes.[4]
In light of these concerns, I respectfully request that you address the following questions:
- Mr. Michael, a senior executive, is reported to have made statements-suggesting that Uber might use private information to target journalists or others who have critiqued the company-that your company has since stated are flatly contrary to company policies. To what do you attribute such a failure at your company's highest level to heed your own policies?
- What Mr. Michael is reported to have said sounds like it was intended to have a chilling effect on journalists covering Uber. Was any disciplinary action taken as a result of Mr. Michael's statements?
- Where in your privacy policy do you address the "limited set of legitimate business purposes" that may justify employees' access to riders' and drivers' data, including sensitive geolocation data?
- To whom is the so-called "God view" tool made available and why? What steps are you taking to limit access?
- Your privacy policy states that you may share customers' personal information and usage information with your "parent, subsidiaries and affiliates for internal reasons." On what basis do you determine what constitutes legitimate "internal reasons"? Why aren't these standards set out for customers?
- Your privacy policy states that you may share "non-personally identifiable information" with third parties for "business purposes." What does that mean exactly? Why aren't customers asked to affirmatively consent to this use of their information? At a minimum, may they opt out of this information sharing?
- Your policies suggest that customers' personal information and usage information, including geolocation data, is maintained indefinitely-indeed even after an account is terminated. Why? What limits are you considering imposing? In particular, when an account is terminated, why isn't this information deleted as soon as pending charges or other transactional disputes are resolved?
- What training is provided to employees, as well as contractors and affiliates, to ensure that your company's policies, as well as relevant state and federal laws, are being followed? In light of Mr. Michael's recent comments, how do you plan to improve this training?
- Your spokeswoman has represented that your "policy is ... clear that access to data is monitored and audited by data security specialists on an ongoing basis." Where in your company policies is this discussed? How is this monitoring conducted? How frequently are audits completed? Are customers informed if their information has been inappropriately accessed?
- Under what circumstances would an employee face discipline for a violation of Uber's privacy policies? Have any disciplinary actions been taken on this basis?
I would appreciate responses to these questions by December 15, 2014.
Sincerely,
