Uber isn’t going to win any corporate do-gooder awards. In recent news stories it has been characterized as a ruthless, money-bloated raptor of a company that will do anything to win. Still, there’s no need to be alarmed about every accusation of skullduggery that critics direct at the ride-sharing platform.
The latest complaints are a case in point. They were lodged at the FTC on Monday by the Electronic Privacy Information Center (EPIC), and ask federal regulators to impose an injunction to restrict Uber from implementing a new privacy policy on July 15. According to EPIC, the policy is a deceptive trade practice because it misleads consumers about how the company will use customers’ contact lists, location data, and other personal information.
But is the Uber policy so bad as to merit a federal investigation? There’s the rub. The company’s new privacy policy is actually pretty good in many respects. It’s shorter, clearer and doesn’t have any nasty surprises – but it also fails to fix the most dangerous part of Uber’s data practices.
Uber improves (a little)
Uber performed an appalling series of privacy gaffes last year – tracking journalists, flaunting a “God View” of its customers at parties, failing to protect data, and so on – but it’s been trying to get its act together, and has made some progress. In recent months, for instance, the company says it has deep-sixed the “God View” trick, and it also commissioned a law firm to propose some privacy guidelines.
And last month, a lawyer from Uber said in a blog post that company would even heed some of the firm’s advice by making the new privacy policy shorter, easier-to-read and available in more languages. As for the new policy itself, it’s not exactly a ringing privacy manifesto, but nor did its publication elicit the “oh, my god, they did what?!?” reaction that has greeted many of Uber’s other business decisions.
In light of this modest progress, EPIC’s “deception” accusations (set out in the FTC complaint) ring a little hollow.
Take for instance, EPIC’s gripes in the complaint (embedded below) that Uber is being deceptive about collecting customers’ location data. First off, is anyone surprised that an app for summoning taxis can know your whereabouts? This would be like using Google Maps and objecting to it using your GPS position when you navigate.
To be fair, EPIC’s complaint also points out that Uber might ask for data when the app is not in use, and that it currently uses customer IP addresses to determine location. The latter charge, however, does not really rise to the level of “deceptive” since it’s a common practice among apps, and since an IP address from a mobile phones typically won’t disclose an exact location.
“We have always disclosed our collection of location information – it is core to our product (we are a location-based service),” said an Uber spokesperson, by email. “EPIC’s allegations about IP tracking are misleading; we receive IP addresses as part of the traffic data that all apps receive.”
As for EPIC’s claim that the new Uber policy could one day allow the company to collect more information about users’ location and contact lists, well, that day will only come sometime in the future – and Uber will (perhaps) have the good sense to inform its customers what it is doing.
Could the Uber policy be better? Sure. Does it merit a federal investigation? Hardly. Except for one thing.
Location, location, location
The part of the EPIC complaint that deserves a deep stare from regulators concerns how Uber uses customers’ location data – not present location, but past location. Under Uber’s current and future privacy policy, the company reserves the right to compile a complete travel history: every Uber trip you take, for an indefinite amount of time.
The folly of this is plain. Hired car trips are often used for sensitive personal matters like late night affairs, secret business meetings or discreet visits to the STD clinic. But under Uber’s rules, the company compiles a personal dossier for every single trip taken by every customer.
The database that Uber possesses is known among security types as a “honey pot” that can attract all sorts of snoops, from the U.S. government to Chinese hackers. And those hazards are in addition to whatever intrusive uses – marketing, third party partnerships, etc –that Uber itself might make of the information.
Uber, meanwhile, can’t even offer a plausible reason for why it insists on storing this information.
“[It’s] a benefit to riders to be able to keep track of their trip history,” was the best explanation I could get. If that’s the real reason, then surely Uber would let those users who don’t wish to have this “benefit” delete the information?
No dice. And worse, even former Uber customers can’t delete the data for sure. All Uber can promise is that it will eventually delete personal information if you quite the service – unless it deems there are “account issues.”
So there you have it. Uber’s new privacy policy is not really a big deal – except for the fact it lets Uber maintain its dangerous, colossally flawed data retention policy.
The solution is easy enough. As Julia Horwitz, the lawyer who authored the EPIC complaint, suggests, Uber should delete trip data after a ride is complete. Or at least allow its customers an easy way to do so themselves. If not, the FTC should step in.
You can read EPIC’s complaint for yourself below (I’ve underlined some of the relevant bits). Keep in mind, this is just EPIC’s suggestion for the sort of complaint the FTC should bring against Uber – there’s no indication for now if the agency will get involved one way of the other.
