Uber Settles 'God View' And Data Breach Investigation - InformationWeek
Mobile // Mobile Applications
05:05 PM
Connect Directly

Uber Settles 'God View' And Data Breach Investigation

Uber has reached an agreement with New York's Attorney General to implement stronger privacy and security controls. Additionally, the company will pay a $20,000 fine to resolve a data breach issue.

Google, Tesla, Nissan: 6 Self-Driving Vehicles Cruising Our Way
Google, Tesla, Nissan: 6 Self-Driving Vehicles Cruising Our Way
(Click image for larger view and slideshow.)

Ride-hailing company Uber has agreed to a settlement with New York Attorney General Eric T. Schneiderman over the company's tracking system, referred to internally as "God View," that provided real-time access to information about affiliated vehicles, drivers, and passengers. The settlement requires Uber to take steps to protect customer data. Separately, the company has agreed to pay $20,000 for failure to provide notice of a data breach disclosed in Feb. 2015.

The New York State Office of the Attorney General (NYAG) opened an investigation into Uber's privacy practices following a Buzzfeed report that claimed Uber New York general manager Josh Mohrer had tracked Buzzfeed reporter Johana Bhuiyan without her knowledge or consent. The investigation found  Uber's "God View" tool.

During the course of the investigation, Uber removed personal information from its tracking application.

Under the agreement, Uber will keep location data in a password-protected system and will encrypt the data in transit. It will employ an approval process and technical controls that limit access to location data to employees with a legitimate business need for the information. It will designate one or more employees to oversee its privacy and security program.

(Image: Uber)

(Image: Uber)

Uber has also agreed to conduct privacy and data security training for employees handling privacy information, to adopt access control technology like multi-factor authentication, to audit its internal controls to ensure their effectiveness, and to disclose its practices for handling rider location information in its privacy policy.

The $20,000 fine is a consequence of Uber's failure to report a data breach in a timely manner, as required by New York business law. In Feb. 2015, Uber revealed that in Sept. 2014 it had discovered a data breach that occurred in May that year.

According to the Assurance of Discontinuance that summarizes the NYAG's findings, Uber was informed that a competitor had access to an Uber security code. The company's investigation found that an Uber employee had inadvertently posted the security code to Uber's cloud storage account on GitHub and that someone using an IP address not associated with any authorized Uber personnel had accessed a "pruned" copy of an Uber database.

"Although Uber had deleted most personal information and 'salted and hashed' passwords within the file before it was stored, the file contained driver's license numbers capable of being matched to driver names stored elsewhere within the file," the NYAG's filing states.

[Read Autonomous Vehicles vs. Helping Humans Drive Better.]

The filing says that Uber updated its privacy policy in July 2015 to cover how it handles location information. The company's current policy allows Uber to collect a user's location through mobile operating system mechanisms, following initial consent, even when the Uber app has been closed. (The app runs as a background process.)

The filing says that Uber doesn't currently collect location information when its app is closed and that the company has committed to notifying users and providing an option to opt-out if it starts doing so. The company also reserves the right to derive a user's location from his or her IP address, a method less precise than using geolocation APIs.

The settlement formalizes many practices and policies that have already been in place for some time. The company's commitment to use client data only for a legitimate business purpose, for example, dates back to a prior privacy policy update in Nov. 2014. The update followed a Buzzfeed report that one of the company's executives had suggested hiring opposition researchers to find embarrassing information about reporters who had criticized the company.

"We are deeply committed to protecting the privacy and personal data of riders and drivers," an Uber spokesperson said in an emailed statement. "We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first."

**Elite 100 2016: DEADLINE EXTENDED TO JAN. 15, 2016** There's still time to be a part of the prestigious InformationWeek Elite 100! Submit your company's application by Jan. 15, 2016. You'll find instructions and a submission form here: InformationWeek's Elite 100 2016.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
1/8/2016 | 8:13:49 PM
I'm glad this breach has made the people responsibly held accountable.

It's a bit scary to consider Uber allowed people to be tracked user their system for nefarious reasons, but it sounds like the company is aware that this is not something they should let management do. 
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
Annual IT Salary Report 
Base pay for IT professionals has remained flat this year with a median annual salary of $88,000 for staff and $112,000 for management. However, 58% of staff and 62% of managers who responded to our survey say they're satisfied with their compensation. Download this report to find out which positions earn the highest compensation.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of November 6, 2016. We'll be talking with the InformationWeek.com editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll