Thursday morning, New York Attorney General Eric Schneiderman is expected to announce the settlement of his office's 14-month investigation of Uber's privacy practices and the company's use of a "God View" tool to track riders. The investigation, which began in November 2014, initially focused on Uber's use of a real-time "aerial" tracking system called God View that used personal information to identify riders using the platform, including this reporter.
As part of the settlement, Uber has agreed to pay a penalty of $20,000 to the attorney general's office for its failure to report unauthorized third-party access to drivers' personal information in a timely fashion. The ride-hail company has also agreed to adopt more rigorous privacy and security practices. These practices include password-protecting and encrypting the geo-location data of Uber riders and drivers, limiting access to that information to designated employees with "legitimate business purposes", and incorporating multi-factor authentication and other "protective technologies" to secure personal information.
The New York AG's investigation into Uber's privacy and security practices was prompted by a series of BuzzFeed News reports that revealed Uber New York general manager Josh Mohrer had accessed this reporter's ride logs and later used "God View" to track this reporter's ride without permission. According to a copy of the settlement obtained by BuzzFeed News, Uber purged some rider information from its God View system during the course of the investigation.
The settlement reads: "Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general."
The investigation was subsequently expanded to include Uber's September 2014 discovery of a data breach that affected some of its drivers. The company failed to report that incident to Schneiderman's office until February 26, 2015.
According to the investigation, the data breach occurred "on or about May 12, 2014" when an Uber engineer posted an access ID to the company's third-party cloud service onto Github unaware that the information would be publicly available. According to the settlement, Uber told Schneiderman and his office that the data breach was only discovered in September because "a former employee of a competitor informed Uber that someone at the competing company had access to an 'Uber security key.'"
Uber said it quickly revoked the existing access ID and issued a new one. The company also said that it "increased its use of encryption, implemented additional developmental controls that require multi-factor authentication and hired additional security personnel and enhanced security training."
However, law requires that data breaches be disclosed to the people affected by them and to authorities "in the most expedient time possible and without unreasonable delay." Because Uber failed to do so until February 26, 2015, the company has been slapped with a small fine of $20,000.
"In the event the Assurance is voided or breached, Respondent expressly agrees and acknowledges that this Assurance shall in no way bar or otherwise preclude NYAG from commencing, conducting or prosecuting any investigation, action or proceeding," the settlement reads.
Uber has also agreed to notify the AG's office in the event the company begins collecting GPS information from mobile devices even when the app is closed, which Uber contends it does not do.
"We are deeply committed to protecting the privacy and personal data of riders and drivers," Uber said in statement to BuzzFeed News. "We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first.”
“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Attorney General Schneiderman. “We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees' private information.”
Here's the AOD: