A leading privacy group has asked the US Federal Trade Commission (FTC) to put the brakes on Uber’s upcoming new privacy plan – a plan that sets the ride-hailing app maker up to collect even more customer data than it already does.
The Electronic Privacy Information Center (EPIC) filed a 23-page complaint on Monday in which it notes that the new User Privacy Statement, set to go into effect on 15 July, says the company will try to collect location data on users even when the app is running in the background.
From the new policy:
When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system ("platform"), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.
Not to worry, Uber’s Managing Counsel of Data Privacy Katherine Tassi said in a recent post: users are still “in control”:
In either case, users will be in control: they will be able to choose whether to share the data with Uber.
Tassi said that tracking passengers in real time and accessing users’ address books are merely “potential new use cases” of Uber’s customer data.
Users will be firmly in control, she reiterated:
We are not currently collecting this data and have no plans to start on July 15. ... If we decide to ask for these permissions, users will be in control and choose whether they want to share the data with Uber.
EPIC calls these assurances deceptive. In fact, the group said in its complaint, the updated policy will actually deprive users of control.
As far as the location data goes, Uber’s collection of precise location information when the app is operating in the background means that on iOS phones, Uber may be able to collect location data even after a user quits the app.
Even if a user disables the GPS location services on their phone, Uber may still collect approximate location from riders’ IP addresses, EPIC says – a fact that runs counter to Uber’s claims that users are in control.
When it comes to Uber getting its hands on users’ contact lists for marketing purposes, the FTC has already received complaints from “People who have never driven for or even used the service”, according to Motherboard, but who said that they’re still being deluged with text messages from Uber and have been unable to make them stop.
EPIC lists a host of user complaints about the frequency of the spam, the difficulty of unsubscribing, and the fact that users never gave their permission to have their contacts’ details shared.
One such, from user DanielMiami:
This is disturbing, my girl just text me saying she received a text message from uber [sic] saying I invited her to become a driver.
"UberMSG: Congratulations! Your friend Daniel wants you to be an Uber partner. Both of you can make money when you APPLY HERE: t.uber.com/cashec"
1. How did they get her phone number?
2. That's not even my referral promo code
Do they have access to our contact list in our phones?
- Sharing customers’ movements with a big hotel chain, just like a Big Data mogul,
- Giving a job applicant access to customer data for an entire day,
- Displaying its so-called “God view” of customers for entertainment at a launch party,
- Looking up a journalist’s private trip info (twice) because she was late, and
- Gleefully detailing how it tracks users’ one-night stands – or what it calls “Rides of Glory”.
Marc Rotenberg, the executive director of EPIC, told the New York Times that, given its history of mishandling data, Uber hasn’t earned the right to collect even more:
A company that has a bad reputation for misusing personal information should not be allowed to change its policy so it can gather more data.
EPIC’s complaint asks the FTC to halt Uber’s collection of any customer location details not required to deliver a service; to require Uber to delete location information once a ride has been completed; and to require Uber to publish specific details about the system it uses to profile and evaluate customers.