Uber to bend over, take privacy probe every two years for next 20 years

FTC forces taxi app upstart to let in auditors after complaints of data security cockups


Uber and America's trade watchdog have reached a settlement following claims the taxi app maker lied about the extent to which its staff can mine customers' personal info for fun.

The Federal Trade Commission's formal complaint [PDF] against the troubled San Francisco biz slammed the upstart's God View – a program that displayed every driver's and passenger's movements live during a party – and its staff for allegedly looking through user accounts for no good reason. Pop siren Beyonce was among the celebs and normal folk who had their records pried up by nosy Uber workers, it is claimed.

"Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data," the biz said in response to the claims. "The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors."

Uber said it had set up a system to detect unauthorized accesses to ensure customers' data remained out of the hands of prying staff, and the FTC notes it did so in December. However, this monitoring system was never finished nor staffed, the FTC found, and in August 2015 Uber stopped using it altogether and didn't install a new one until May 2016.

As well as this lapse in customer privacy, Uber was also slack with security, according to the watchdog. Despite repeated statements on its website claiming to protect people's information, the FTC found that Uber wasn't doing so – and so did at least one hacker.

On May 12, 2014, an Uber engineer uploaded to GitHub the keys to an Amazon S3 bucket containing internal records on thousands of drivers. Someone spotted the key and used it to access over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers from the AWS bucket.

Uber didn’t even discover the mistake until September 2014 and was tardy in warning its cabbies, the FTC found. Some drivers didn't get a warning letter about the break-in until July 2016, after it found the intrusion was more widespread than first thought. It was initially thought that 50,000 drivers were exposed by the Git cockup – the real number turned out to be double that.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC acting chairman Maureen Ohlhausen today.

“This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

As part of the settlement [PDF] Uber promises to protect its customer and driver data more carefully, and will hire a third party auditor to check that it's doing so every two years for the next two decades. It can be fined $40,654 per offense if it breaks the settlement. ®

Narrower topics


Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022