Monday, 27 July 2015

EPIC Files Complaint Against Uber's Approach to Privacy

Lately, Uber has been making headlines worldwide—a suspension in France, protests in South Africa, the defeat of a mayor in New York City.

The world is embroiled in a debate over the extent to which Uber should coexist with traditional taxi services, and the louder the conversation becomes, the more distracted users are from the real issue: privacy.

Yes, Uber can feel like a win-win for driver and passenger alike, but its convenience comes at a cost.

Last month, the Electronic Privacy Information Center (EPIC) filed a complaint with the United States Federal Trade Commission regarding the presentation and content of Uber’s revised Privacy Policy, which went into effect July 15. The complaint criticized as deceptive a May 28 statement from Uber which claimed “users will be in control: they will be able to choose whether to share the data with Uber” when in fact, several clauses of the Privacy Policy show just how little control users have over their data. 

[Image: Farewell, privacy: Uber's permissions for Android]

Of note, Uber retains the right to track user location, regardless of permissions, and Android users must opt in to all data requests in order to use the service:

  • If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

  • The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent.

EPIC has further taken issue with Uber’s excessive collection of data, which ranges from contacts in a user’s phone to device information to permanent log records, especially given the young company’s questionable record regarding security, which includes launch parties that share private data and a 2014 breach of drivers’ records that took 4 months to discover and another 5 months to disclose.

Recent breaches from Anthem to OPM prove that hackers know where to go for data that matters. Uber’s database of 8 million users worldwide has been described as “a sitting duck for hackers,” and as its records of who-went-where-when-and-with-whom-and-what balloon, it only grows more desirable.

EPIC’s request includes an investigation into Uber’s business practices, a cessation of contact information collection and the deletion of location data upon trip completion, measures that would make Uber’s database far less attractive to hackers and far less marketable for the company itself.

Because, who knows what Uber might do with all that data? Determine the best city for a one-night stand? Orchestrate a massive political campaign? Offer it to the mayor of New York? The possibilities are endless.
