Ignored Philippines regulator’s order to cease operation

After the Philippines Land Transportation Franchising and Regulatory Board (LTFRB) ordered Uber to cease operations, Uber cited “overwhelming rider and driver demand” in deciding to continue to operate. Uber filed a motion for reconsideration, asking LTFRB to revisit its decision, but the regulator indicated that Uber drivers were still not allowed to pick up passengers while that request was underway. Nonetheless Uber continued service.

Misrepresented its monitoring of employee access to data, steps taken to secure data

In a press release, the FTC summarized its privacy-related complaint against Uber.

For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claims in its privacy policy, such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data via “the highest security standards available.”

In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”

The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.

Driver names and license numbers improperly secured

In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code, which let an unauthorized third party access driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.

The New York Attorney General described the breach and Uber’s handling of the situation:

The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”

As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee who could access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.

A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: The company initially notified less than half of the drivers affected, whereas others were notified some 16+ months later.

Refused to provide driver names to San Francisco city government

When the city of San Francisco demanded that Uber provide it with drivers’ names and contact information so the city could demand that drivers obtain business licenses and pay applicable fees, Uber claimed that disclosures would violate drivers’ right to privacy. In a June 2017 ruling, Superior Court Judge Richard Ulmer disagreed, ruling that the city Treasurer and Tax Collector had legal authority to demand the information. He said compliance would not be unduly burdensome, and that any drivers who wished to challenge license requirements could do so on their own.

Lyft provided the data to San Francisco without litigation.

Vehicle financing terms inferior to company marketing promises

The Federal Trade Commission flagged Uber providing drivers with financing terms inferior to what its marketing materials promised. The FTC said drivers received worse rates on average than consumers with similar credit scores would otherwise obtain. Uber further promised that its leases provided unlimited mileage, though there were actually mileage limits. Details in the FTC’s complaint.

Uber paid $20 million to settle these claims (along with claims about exaggerated annual and hourly earnings). The funds were used to provide refunds to affected drivers.

Recruited drivers with exaggerated earnings claims

The Federal Trade Commission flagged Uber exaggerating the yearly and hourly income drivers could make in certain cities. For example, Uber claimed on its site that uberX drivers’ annual median income was more than $90,000 in New York and more than $74,000 in San Francisco — but the FTC found that the actual medians were $61,000 and $53,000 respectively, and that less than 10 percent of all drivers in those cities earned the amounts Uber touted.

The FTC also alleged that Uber made false hourly earnings claims in job listings on Craigslist and elsewhere. In eighteen different cities where Uber advertised hourly earnings on Craigslist, fewer than 30% of drivers earned the promised amount. In some cities, as few as 10% of drivers earned the promised amount. Details in the FTC’s complaint.

Uber paid $20 million to settle these claims (along with claims about vehicle financing terms). The funds were used to provide refunds to affected drivers.

Obstructed government raids

Former Uber employee Samuel Spangenberg alleged that when regulators raided local Uber offices, Uber’s standard response included severing all network connections so that law enforcement could not access documents stored on Uber servers outside the premises.