In a letter to Senator Al Franken, Uber says it accessed a reporter’s account because “She was 30 minutes late” to a meeting and an executive wanted to know when she’d show up so he could meet her in the lobby.
And flash his iPhone at her. And tell her that he was tracking her, according to a report from The Guardian.
In fact, Uber New York General Manager Josh Mohrer reportedly poked at BuzzFeed reporter Johana Bhuiyan’s personal data twice, on both occasions tracking her movements without her permission.
That’s just one of a rash of eyebrow-raising reports about Uber’s data collection practices and possible misuse of consumers’ data that came to light last month and which prompted Sen. Franken to send the company a letter with 10 pointed questions about the company’s privacy policies.
(Note: Non-US readers might not be familiar with the American use of the term “rider” as used in these letters. Uber, Senator Franken and American media use the term to indicate “passenger”.)
He also asked Uber, which connects passengers with drivers-for-hire using a GPS-based mobile app, to explain how widely it uses its so-called “God View” tool, which allows Uber to track passengers’ locations.
In a 3-page response, Uber’s Managing Counsel of Privacy, Katherine M. Tassi, reiterated what the company’s been saying all along: that it has a “strong culture of protecting rider information” and that the company “prohibits employees from accessing rider information except for legitimate business purposes.”
Franken said in a press release on Monday that while he was glad to get a reply, the letter wasn’t particularly forthcoming with the details he’d asked for.
I am concerned about the surprising lack of detail in their response. Quite frankly, they did not answer many of the questions I posed directly to them. Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data.
Franken had originally asked what, exactly, would trigger the company to discipline an employee for violating privacy policies and whether any disciplinary actions had been taken on that basis.
In the case of the twice-tracked BuzzFeed reporter, Uber says that Mohrer “believed he had a legitimate purpose for looking at” Bhuiyan’s location as she travelled to his office, but that Uber “regarded his judgment in this instance to be poor” and has “disciplined him accordingly”.
Franken had also asked about Uber SVP of Business Emil Michael having suggested spending $1 million to mine personal data for dirt to discredit a journalist who criticized the company.
Franken had noted in his letter that Michael’s statements sound like they were intended to have a chilling effect on journalists covering Uber and had asked if he’d been disciplined as a result.
Uber mentioned in its letter that if the company had in fact used account details to discredit journalists, it would have been a “gross invasion of privacy” and a “violation of our commitment to our users”, but in fact the executive’s comments were just “ill-considered” given his “frustration with reporters” and “don’t reflect company policies or practices.”
Uber has publicly apologized for the incident, Tassi notes.
With regards to the “God View” function, which allows Uber to see where all of its cars and all of its passengers are at any given time, the letter says that the company’s scaled it back so that only employees in “operations or other areas, like fraud prevention” can use it.
Uber also stated that the company had shown God View to “third parties” in the past because it has a “compelling visual display,” but when showing it to those outside the company, it’s stripped down to “presentation view, which has been available for about a year now and makes rider personal data inaccessible.”
Franken said that he’s “concerned” by the response and will continue “pressing for answers.”
Earlier this month, the senator also sent a letter to Uber competitor Lyft to clarify its own privacy policies.Follow @NakedSecurity