Uber settles complaint from FTC alleging it made deceptive statements regarding consumer privacy, data storage

WASHINGTON, D.C. — Uber Technologies and the Federal Trade Commission have reached a settlement in the FTC’s complaint that the firm made deceptive privacy and data security claims regarding personal information and consumer data stored in the cloud, according to a release issued by the FTC Tuesday.

Under the settlement, Uber agreed to implement a comprehensive privacy program and obtain regular, independent audits, the FTC release said.

In its complaint, the FTC alleged that Uber failed to live up to its claims that it closely monitored employee access to consumer and driver data and that it deployed reasonable measures to secure personal information it stored on a third-party cloud provider’s servers.

“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said FTC Acting Chairman Maureen K. Ohlhausen. “This case shows that, even if you’re a fast growing company, you can’t leave consumers behind: you must honor your privacy and security promises.”

In the wake of news reports alleging Uber employees were improperly accessing consumer data, the company issued a statement in November 2014 that it had a “strict policy prohibiting” employees from accessing rider and driver data – except for a limited set of legitimate business purposes – and that employee access would be closely monitored on an ongoing basis.

In December 2014, Uber developed an automated system for monitoring employee access to consumer personal information, but the company stopped using it less than a year after it was put in place. The FTC’s complaint alleges that Uber, for more than nine months afterwards, rarely monitored internal access to personal information about users and drivers.

The FTC’s complaint also alleges that despite Uber’s claim that data was “securely stored within our databases,” Uber’s security practices failed to provide reasonable security to prevent unauthorized access to consumers’ personal information in databases Uber stored with a third-party cloud provider. As a result, an intruder accessed personal information about Uber drivers in May 2014, including more than 100,000 names and driver’s license numbers that Uber stored in a datastore operated by Amazon Web Services.

The FTC alleges that Uber did not take reasonable, low-cost measures that could have helped the company prevent the breach. For example, Uber did not require engineers and programmers to use distinct access keys to access personal information stored in the cloud. Instead, Uber allowed them to use a single key that gave them full administrative access to all the data, and did not require multi-factor authentication for accessing the data.

In addition, Uber stored sensitive consumer information, including geolocation information, in plain readable text in database back-ups stored in the cloud.

Under its agreement with the Commission, Uber is:

  • Prohibited from misrepresenting how it monitors internal access to consumers’ personal information;
  • Prohibited from misrepresenting how it protects and secures that data
  • Required to implement a comprehensive privacy program that addresses privacy risks related to new and existing products and services and protects the privacy and confidentiality of personal information collected by the company; and
  • Required to obtain within 180 days, and every two years after that for the next 20 years, independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order.