Uber agrees to privacy audits

FTC investigation questioned safety of customer data

By Cecilia Kang

New York Times

WASHINGTON — Uber has agreed to two decades of privacy and security audits to settle federal accusations that it did not keep promises to protect customer data.

The Federal Trade Commission announced the settlement with Uber, a ride-hailing company, Tuesday, ending an investigation that began in 2014 when the company promised to strengthen its privacy and security. The promises were made after a public outcry over reports that Uber employees were peering into the travel logs of customers.

The company will not face financial penalties from the deal, its second settlement with the commission this year. In January, Uber agreed to pay the commission $20 million over accusations that it deceived drivers by exaggerating potential earnings. The company has also been under investigation by the Department of Justice on suspicion of using a tool to evade law enforcement.

“This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: You must honor your privacy and security promises,’’ said Maureen K. Ohlhausen, the acting chairwoman of the FTC.

The federal scrutiny has added to the pressures on Uber, a company that has undergone several public business crises in recent months, including the ouster of its chief executive, Travis Kalanick, an employee exodus, and lawsuits from a competitor and an investor.

In the privacy case, the FTC accused Uber of two violations. The first stemmed from the company’s announcement in 2014 that it had developed an automated system to monitor employee access to consumer personal information.

The extra privacy measures were announced in response to news reports that some Uber employees were using a tool known as “God View’’ to track trips taken by users. On its website and in a statement, Uber announced that it had “a strict policy prohibiting all employees at every level from accessing a rider or driver’s data.’’ It said, “The only exception to this policy is for a limited set of legitimate business purposes.’’

But the commission said it found that the company did not live up to that promise.

In its complaint, the commission said that Uber stopped using its automated system of monitoring employee access to information less than a year after it was announced and that when it was in place, the company rarely monitored it.

“The system was not designed or staffed to effectively handle ongoing review of access to data,’’ the commission said.

The FTC also said that Uber had not done enough to protect consumer data stored with a third-party cloud vendor, Amazon Web Services.

Uber’s lax practices led an intruder to access the personal information, including names, driver’s licenses, and some banking and Social Security numbers of 100,000 Uber drivers.

Uber said it strengthened its privacy and security measures in recent years.

“We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs,’’ the company said in a statement.