Uber agrees to 20 years of privacy audits to settle FTC data mishandling probe

The legacy of Travis Kalanick’s fast and loose management style at Uber continues to serve up fresh embarrassments for the embattled, still CEO-less company.

Today the ride-hailing giant has settled a Federal Trade Commission investigation into data mishandling, privacy and security complaints that date back to 2014 and 2015 — ostensibly agreeing with the FTC’s complaint that it misrepresented its practices to consumers.

The FTC said Uber has agreed to put in place a comprehensive privacy program, including undergoing regular independent privacy audits.

The FTC’s order extends for a period as long as 20 years.

In its complaint docket the FTC cites news reports in 2014 of Uber’s so-called ‘God view’ real-time interface that had apparently allowed its employees to spy on users’ rides, and Uber’s response at the time — when it claimed to have “a strict policy prohibiting all employees at every level from accessing a rider or driver’s data”, and to be “closely” monitoring and auditing this policy.

“Despite [Uber’s] representation that its practices would continue on an ongoing basis, [Uber] has not always closely monitored and audited its employees’ access to Rider and Driver accounts since November 2014,” the complaint states. “[Uber] developed an automated system for monitoring employee access to consumer personal information in December 2014 but the system was not designed or staffed to effectively handle ongoing review of access to data by [Uber’s] thousands of employees and contingent workers.”

The FTC also calls out a subsequent automated monitoring system that Uber developed, stating: “From approximately August 2015 until May 2016, [Uber] did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, [Uber] only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives. During this time, [Uber] did not otherwise monitor internal access to personal information unless an employee specifically reported that a co-worker had engaged in inappropriate access.”

The complaint also details problems with Uber’s data security practices, with the FTC asserting that despite Uber’s privacy policy claiming consumers’ personal information was “securely stored within our databases”, and despite its customer service representatives offering frequent “assurances” about the strength of its security practices, nonetheless  the company “failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information”.

Among the security failures the FTC alleges in the complaint are that Uber failed —

  • to require the use of distinct access keys, “instead permitting all programs and engineers to use a single AWS access key that provided full administrative privileges over all data in the Amazon S3 Datastore”;
  • to restrict access to systems based on employees’ job functions
  • to require multi-factor authentication for access to the Amazon S3 Datastore;

Uber also did not implement “reasonable security training and guidance” until around September 2014, according to the FTC. Nor did it have a written information security program until that date.

Until approximately March 2015 Uber is alleged by the FTC to have stored sensitive personal information in its Amazon S3 Datastore in clear, readable text — rather than encrypting the information.

The venture-backed company, which has raised some $8.81 billion in funding to date, could have “prevented or mitigated” various security failures through “relatively low-cost measures”, the FTC asserts, adding that the lack of reasonable security provided for consumers’ personal information stored in Uber’s databases — including geolocation information — created “serious risks” for Uber users.

The FTC’s complaint also alleges that Uber’s various security failures also led directly to a data breach.

In May 2014 an intruder was able to access consumers’ personal information in plain text in Uber’s Amazon S3 Datastore — using an access key that one of its engineers had publicly posted to GitHub. A file containing sensitive personal data of more than 100,000 Uber drivers’ was accessed during this breach.

The existence of the breach was not discovered by Uber until September 2014, according to the FTC.

More details on the breach from the FTC complaint:

The publicly posted key granted full administrative privileges to all data and documents stored within Respondent’s Amazon S3 Datastore. The intruder accessed one file that contained sensitive personal information belonging to Uber Drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. The file also contained other Uber Driver information, including physical addresses, email addresses, mobile device phone numbers, device IDs, and location information from trips the Uber Drivers provided.

In its decision and order docket, the FTC orders a prohibition against “misrepresentations” by Uber pertaining to how it monitors or audits internal access to consumers’ personal Information; and to the extent to which it protects the privacy, confidentiality, security, or integrity of any personal information it handles and stores.

The mandated privacy program that Uber has agreed to put in place must be documented, both in content and implementation, in writing, and include what the FTC describes as “controls and procedures appropriate to [Uber’s] size and complexity, the nature and scope of [Uber’s] activities, and the sensitivity of the personal information” — including identifying “reasonably foreseeable risks” (so, in other words, a formal risk assessment process); and the design and implementation of “reasonable controls and procedures to address such risks and regular testing or monitoring of the effectiveness of those controls and procedures”.

Uber has also agreed to external privacy audits by an independent expert to assess its compliance with the FTC order — with an initial assessment due 180 days after the order, and then one every two years for the next 20 years.

The FTC’s order also requires Uber to submit its own compliance reports — beginning in a year’s time, and “sworn under penalty of perjury”.

The company has also agreed to create certain records for a period of 20 years and retain each for a period of five years — including keeping records of all consumer complaints.

In a statement responding to the FTC’s order, an Uber spokesperson told us: “We are pleased to bring the FTC’s investigation to a close. The complaint involved practices that date as far back as 2014. We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs. In 2015, we hired our first Chief Security Officer and now employ hundreds of trained professionals dedicated to protecting user information. This settlement provides an opportunity to work with the FTC to further verify that our programs protect user privacy and personal information.”

The FTC said the vote to issue the administrative complaint and accept Uber’s consent agreement was unanimous — further noting that it issues administrative complaints when it has “reason to believe” that the law has been or is being violated, and it appears that a proceeding is in the public interest.

It will now (“shortly”) publish a description of the consent agreement package in the Federal Register, and open the agreement for public comment for 30 days — beginning today and continuing through September 15, 2017, after which it will decide whether to make the proposed consent order final.

FTC consent orders issued on a final basis carry the force of law with respect to future actions, and each violation of such an order may result in a civil penalty of up to $40,654, it adds.