After the City of San Francisco requested records about driver safety, disability access, and other operations, via a subpoena, Uber objected and refused to cooperate. San Francisco City Attorney Dennis Herrera summarized Uber’s approach: “Unfortunately, Uber is doing what it always seems to do: raise obstacles and drag its feet— all while continuing to flout the law.”
Judge said Uber abused attorney-client privilege
San Francisco district Judge William Alsup criticized Uber’s practice of including lawyers in discussions strategically — using the lawyer’s presence to claim that discussions were privileged if Uber wants to keep the content confidential, but claiming that the attorney did not attend in the capacity of an attorney if that advances Uber’s interests. Alsup explains:
Uber has indulged in the slick practice of including its lawyers in meetings and communications and deciding after the fact if a lawyer was actually included for the purpose of providing legal advice, all in accordance with what happens to be convenient for Uber’s case. Where, as here, the contents of a meeting prove advantageous for Uber to reveal, it readily claims that the lawyer did not attend the meeting in their capacity as a lawyer. But where the contents of a meeting would hurt Uber’s litigation position, Uber is quick to conceal the facts under claims of privilege.
Alsup concluded that he will not “indulge this pattern of convenience.”
Full order from Judge William Alsup and full order from Magistrate Judge Jacqueline Scott Corley. Waymo v. Uber litigation docket.
Charged passengers almost $900 for a single ride
Milwaukee passengers accepted a 8.6 surge and a quoted price of approximately $200 to get to the specified destination. When they asked the driver to make other stops, he agreed. Uber calculated the adjusted route at $898 — a price which the passengers were never told about and never accepted. When the passengers complained, Uber said the charge was correct. The passengers pointed out that they could have rented a limo for the whole night, getting better service at lower cost.
Driver pondered opportunities to take advantage of a drunk female passenger
A San Jose passenger recorded an Uber driver’s remarks while driving:
My dream is to have some drunk chick by herself also going home at the end of my shift and she wants me to come in. That would be the perfect ending to my day. … Half the work is already done, man. She’s isolated and she’s drunk. … I will get really drunk too and then I can’t be held responsible.
Uber indicated that it banned the driver from further rides for Uber.
Raised prices during transit malfunctions
When trains were out of service Uber sometimes charged far higher prices.
For example, during an August 15, 2017 train service disruption in Chicago, Uber charged as much as five times its normal prices. A spokeswoman for Chicago’s Business Affairs and Consumer Protection department remarked: “It is unfortunate that at least two ride-share companies chose to take advantage of this morning’s difficult commuter situation.” Under pressure, Uber refunded passengers who paid a surge in this period.
Judge said Uber lawyers “misled the court”
San Francisco district judge William Alsup said he would tell the jury that Uber lawyers “misled the court” and withheld documents. He explained that he was “inclined to tell the jury…that [Uber] was ordered to come clean, ordered to come clean again, and did not come clean — finally in June or July came clean.” Alsup continued: “You misled the judge time and time again.”
Fined for operating without permits in Philippines
The Philippines Land Transportation Franchising and Regulatory Board (LTFRB) fined Uber for 5 million Philippine pesos (about US$97,000) for letting some drivers operate without permits. Uber and fellow TNC Grab defended their action by citing passenger demand, explaining that if the did not add new drivers, they would be unable to serve passenger requests. But LTFRB Chairman Martin Delgra III pointed out that this purpose did not excuse the companies from complying with applicable laws.
According to the LTFRB, of the 10,054 active drivers that Uber submitted, less than 2,000 had active and valid permits.
LFTRB Tweet alerting drivers to the obligation to cease operations, and encouraging Uber to “to extend financial assistance” to drivers because drivers “would not have suffered the current predicament were it not for the predatory actions of respondent Uber.”
The LTFRB subsequently offered to lift the one-month suspension if Uber paid a penalty of 190 million pesos ($3.7 million). Senator Grace Poe, a Philippines legislator favoring improving transport, said the hefty fine should “make Uber rethink its actions and re-evaluate its strategy in testing the extent of government regulations.”
Ignored Philippines regulator’s order to cease operation
After the Philippines Land Transportation Franchising and Regulatory Board (LTFRB) ordered Uber to cease operations, Uber cited “overwhelming rider and driver demand” in deciding to continue to operate. Uber filed a motion for reconsideration, asking LTFRB to revisit its decision, but the regulator indicated that Uber drivers were still not allowed to pick up passengers while that request was underway. Nonetheless Uber continued service.
Misrepresented its monitoring of employee access to data, steps taken to secure data
In a press release, the FTC summarized its privacy-related complaint against Uber.
For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claim in its privacy policy such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data” via “the highest security standards available.”
In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”
The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.
Driver names and license numbers improperly secured
In September 2014, Uber experienced a data breach resulting from an Uber engineer posting an access code which let an unauthorized third party accessed driver names and driver license numbers. Uber failed to notify affected drivers or the state of New York for seven months.
The New York Attorney General described the breach and Uber’s handling of the situation:
The Attorney General found that in early 2014 an Uber engineer posted an access ID for Uber’s third-party cloud storage on Github.com, a website designed to allow software engineers to collaborate. The post was accessible to the general public. On May 12, 2014, someone unaffiliated with Uber accessed the database that included Uber driver names and driver license numbers. Uber discovered the breach in September 2014 but did not provide notice to the affected drivers and Schneiderman’s office until February 26, 2015. General Business Law § 899-aa requires notice be provided to affected individuals and various government agencies including Schneiderman’s office “in the most expedient time possible and without unreasonable delay.”
As part of a settlement with the New York Attorney General’s office, Uber promised to implement multi-factor authentication for any employee could to access especially sensitive rider personal information, among other improved data security practices. Uber also paid a $20,000 penalty for failing to timely notify drivers and the State of New York.
A subsequent FTC investigation and settlement found that more than 100,000 drivers were affected. The FTC reported that in addition to 100,000+ names and driver’s license numbers, Uber also revealed 215 names and bank account numbers with routing numbers, and 84 names and security numbers. Furthermore, the FTC found that Uber’s efforts to notify affected drivers were piecemeal and incomplete: The company initially notified less than half of the drivers affected, whereas others were notified some 16+ months later.