Uber Agrees To 20 Years Of Audits In FTC Privacy Settlement

Uber will launch a new customer privacy program and receive regular audits for the next 20 years to settle charges from the Federal Trade Commission that the company failed to adequately protect the personal information of its customers.

In a statement, FTC acting chairman Maureen Ohlhausen said Uber did not do all that it could have to secure private customer information.

“Uber failed consumers in two key ways,” Ohlhausen said. “First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data. This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

The original probe, which the FTC opened earlier this summer, was primarily launched in response to two incidents. In May 2014, a hacker managed to breach Uber’s personal database to steal 100,000 names and driver's license numbers. According to the FTC, Uber failed to take basic protections that could have prevented the breach. These included Uber engineers only needing a single key and not requiring multi-factor authentication in order to access the company’s entire customer database. Uber was also found to have stored this customer information in plain text without any secure encryption on its database cloud backups.

More significantly, the FTC also focused on reports of Uber’s internal “god view” mode. The tool, which was initially revealed back in 2014, allowed Uber employees to view and track customer locations without their consent. The FTC found that while Uber publicly said it had policies in place to limit improper access to this data, it had stopped using a system to monitor employee access to “god view” after less than a year. In addition, former Uber executive Emil Michael publicly suggested that the company was capable of getting personal information on journalists.

In response, Uber will now have to guarantee that it will accurately represent how it protects consumer data and monitors employee access to its database. In addition, the ride-hailing company will have to implement a new privacy program to improve its handling of customer data and receive regular third-party audits to ensure that these guidelines are being followed.

In a statement, Uber said it has steadily improved its data security guidelines since 2014 and welcomed the agreement with the FTC.

"We've significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs," Uber said.

For Uber, it’s far from the first time the company has tussled with regulators. In response to the “god view” controversy, Uber was fined $20,000 by New York investigators. In addition, the company was fined $20 million by the FTC earlier this year over allegations it misrepresented potential earnings and costs to potential Uber drivers. With the FTC’s current claim, Uber could be subject to charges of up to $40,654 per violation if it fails to follow the agency’s agreement.

The settlement comes amid continuing behind-the-scenes turmoil for Uber. Earlier this month, Uber investor Benchmark Capital sued former CEO Travis Kalanick in a bid to remove him from the company entirely.

The suit accused Kalanick of making “material misstatements” about the various scandals that have plagued the company throughout this year and in a letter to Uber employees Monday, the firm accused him of creating a “power vacuum” that would allow him to return as CEO. Kalanick resigned from Uber in June after losing a battle from a group of company shareholders. In response to the suit, a secondary shareholder group with past Kalanick supporters called for Benchmark to leave the company’s board of directors.

Uber is also wrestling with its continuing lawsuit with Waymo over allegations the company used trade secrets from former Google engineer Anthony Levandowski in its self-driving car research. Waymo filed a document Monday via IEEE Spectrum that contained around 400 text messages between Kalanick and Levandowski from February to December 2016. Japanese conglomerate SoftBank has also reportedly been aggressively pursuing a purchase of Uber shares in a move that would expand its presence within the ride-hailing market.