Uber Settles 'God View' And Data Breach Investigation

Uber has reached an agreement with New York's Attorney General to implement stronger privacy and security controls. Additionally, the company will pay a $20,000 fine to resolve a data breach issue.

Thomas Claburn, Editor at Large, Enterprise Mobility

January 7, 2016

4 Min Read
(Image: Uber)

Ride-hailing company Uber has agreed to a settlement with New York Attorney General Eric T. Schneiderman over the company's tracking system, referred to internally as "God View," that provided real-time access to information about affiliated vehicles, drivers, and passengers. The settlement requires Uber to take steps to protect customer data. Separately, the company has agreed to pay $20,000 for failure to provide notice of a data breach disclosed in Feb. 2015.

The New York State Office of the Attorney General (NYAG) opened an investigation into Uber's privacy practices following a Buzzfeed report that claimed Uber New York general manager Josh Mohrer had tracked Buzzfeed reporter Johana Bhuiyan without her knowledge or consent. The investigation brought Uber's "God View" tool to light.

During the course of the investigation, Uber removed personal information from its tracking application.

Under the agreement, Uber will keep location data in a password-protected system and will encrypt the data in transit. It will employ an approval process and technical controls that limit access to location data to employees with a legitimate business need for the information. It will designate one or more employees to oversee its privacy and security program.

Uber has also agreed to conduct privacy and data security training for employees handling privacy information, to adopt access control technology like multi-factor authentication, to audit its internal controls to ensure their effectiveness, and to disclose its practices for handling rider location information in its privacy policy.

The $20,000 fine is a consequence of Uber's failure to report a data breach in a timely manner, as required by New York business law. In Feb. 2015, Uber revealed that in Sept. 2014 it had discovered a data breach that occurred in May that year.

According to the Assurance of Discontinuance that summarizes the NYAG's findings, Uber was informed that a competitor had access to an Uber security code. The company's investigation found that an Uber employee had inadvertently posted the security code to Uber's cloud storage account on GitHub and that someone using an IP address not associated with any authorized Uber personnel had accessed a "pruned" copy of an Uber database.

"Although Uber had deleted most personal information and 'salted and hashed' passwords within the file before it was stored, the file contained driver's license numbers capable of being matched to driver names stored elsewhere within the file," the NYAG's filing states.
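The failure mode the filing describes, hashed passwords but a license number still joinable to a name stored elsewhere in the same file, as an added example that is not code from the article or from Uber. It assumes a constructed two-table dump and the hypothetical helpers `naive_prune`, `safe_prune` and `linkable_pairs`.

```python
import hashlib
import hmac
import os

# Constructed two-table dump standing in for a "pruned" database copy (not real data).
TABLES = {
    "drivers": [
        {"driver_id": 1, "name": "Alice Example", "email": "alice@example.com", "password": "hunter2"},
        {"driver_id": 2, "name": "Bob Example", "email": "bob@example.com", "password": "correct horse"},
    ],
    "licenses": [
        {"driver_id": 1, "drivers_license": "D1234567", "state": "NY"},
        {"driver_id": 2, "drivers_license": "D7654321", "state": "NY"},
    ],
}

def salted_hash(password: str) -> str:
    """Salt and hash a password with PBKDF2 so the plaintext is not recoverable from the file."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${digest.hex()}"

def naive_prune(tables):
    """Drop e-mail and hash passwords but keep everything else: this leaves a license
    number joinable to a name through the shared driver_id column."""
    return {t: [{k: salted_hash(v) if k == "password" else v for k, v in r.items() if k != "email"}
                for r in rows] for t, rows in tables.items()}

def safe_prune(tables, key: bytes):
    """Drop direct identifiers outright and replace quasi-identifiers with keyed pseudonyms
    (HMAC under a key that is never stored alongside the file)."""
    drop = {"email", "name"}
    pseudonymize = {"drivers_license", "driver_id"}
    def scrub(k, v):
        if k == "password":
            return salted_hash(v)
        if k in pseudonymize:
            return hmac.new(key, str(v).encode(), "sha256").hexdigest()[:16]
        return v
    return {t: [{k: scrub(k, v) for k, v in r.items() if k not in drop} for r in rows]
            for t, rows in tables.items()}

def linkable_pairs(export):
    """(license, name) pairs that can be assembled from the file alone: within one row,
    or by joining two rows on any column whose values match."""
    rows = [r for rows in export.values() for r in rows]
    pairs = set()
    for a in rows:
        for b in rows:
            linked = a is b or any(a[k] == b[k] for k in a.keys() & b.keys())
            if linked and "drivers_license" in a and "name" in b:
                pairs.add((a["drivers_license"], b["name"]))
    return pairs
```

Running `linkable_pairs` over an export before it leaves the database is the check that would have caught the residual linkage; the naive export yields every driver's (license, name) pair, the pseudonymized one yields none.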


The filing says that Uber updated its privacy policy in July 2015 to cover how it handles location information. The company's current policy allows Uber to collect a user's location through mobile operating system mechanisms, following initial consent, even when the Uber app has been closed. (The app runs as a background process.)

The filing says that Uber doesn't currently collect location information when its app is closed and that the company has committed to notifying users and providing an option to opt out if it starts doing so. The company also reserves the right to derive a user's location from his or her IP address, a method less precise than using geolocation APIs.

The settlement formalizes many practices and policies that have already been in place for some time. The company's commitment to use client data only for a legitimate business purpose, for example, dates back to a prior privacy policy update in Nov. 2014. The update followed a Buzzfeed report that one of the company's executives had suggested hiring opposition researchers to find embarrassing information about reporters who had criticized the company.

"We are deeply committed to protecting the privacy and personal data of riders and drivers," an Uber spokesperson said in an emailed statement. "We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first."


About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.
