Uber Data Collection Changes Should Be Barred, Privacy Group Urges
In a letter sent to the Federal Trade Commission Monday morning, the group, which is known as EPIC and is based in Washington, said that Uber had “a history of abusing the location data of its customers.” EPIC said in its complaint that the coming changes were unfair, deceptive and posed a “direct risk” of consumer harm.
“A company that has a bad reputation for misusing personal information should not be allowed to change its policy so it can gather more data,” Marc Rotenberg, the executive director of EPIC, said in a phone interview.
Uber on Monday said in a statement that there was “no basis for this complaint.” It added: “We care deeply about the privacy of our riders and driver-partners, and have significantly streamlined our privacy statements in order to improve readability and transparency.”
The stakes could be high for Uber, which is based in San Francisco and has made completely clear its global aspirations to upend existing consumer transportation systems. To date, Uber has raised nearly $6 billion (roughly Rs. 38,135 crores) in venture capital and is valued at more than $40 billion; the company has plans to raise at least $1 billion (roughly Rs. 6,355 crores) more, according to a person with knowledge of the company’s plans, which could value it at $50 billion (roughly Rs. 3,17,792 crores).
In just five years, Uber has swelled to serve more than 300 cities in 57 countries and works with tens of thousands of drivers who complete millions of trips a day for Uber.
Uber’s reputation is still recovering from public censure last year after allegations surfaced that company employees had mishandled trip data about individual consumers to track their locations, and inappropriately shared an internal tool – colloquially known as “God view” – that showed users taking trips in real time. Sen. Al Franken, D-Minn., subsequently wrote a letter to Uber’s chief executive, Travis Kalanick, saying: “The reports suggest a troubling disregard for customers’ privacy, including the need to protect their sensitive geolocation data.”
Aside from privacy watchdog groups, Uber is also under attack from coalitions of drivers who claim that the company is unfairly exploiting workers without employing them, using a so-called “1099” designation as contract workers. Last week, Uber received a flurry of attention after a former driver who sued the company for reimbursement of expenses was deemed an employee, not a contractor, by the California labor commissioner’s office.
Uber’s policy changes may have been intended to ward off government interference with its privacy practices. But the complaint from EPIC is likely to reignite public discussion over the service’s use of customer data.
Among other things, the letter asked the FTC to halt Uber’s collection of any customer location details that are not required to deliver a service; to require Uber to delete location information once a ride has been completed; and to require Uber to publish specific details about the system it uses to profile and evaluate customers.
In a recent post on the Uber website, Katherine Tassi, Uber’s managing counsel of data privacy, wrote that the updated policy was intended to more clearly and concisely explain the kinds of details the company gathered and how it used them.
“In the interest of transparency,” she cited two changes in particular: In addition to asking permission to obtain access to a customer’s location when the Uber app is running in the foreground, the updated policy allows the company to ask for location details when its app is running in the background; the company may also ask for access to a user’s contact list and use that information to send marketing promotions to contacts.
“In either case, users will be in control,” Tassi wrote. “They will be able to choose whether to share the data with Uber.”
But the EPIC letter contended that Uber had deceptively reassured consumers that they would be in control of their data when the updated policy actually deprived them of that control.
The updated policy, for instance, says that even if consumers deny Uber access to their precise location information from their devices, it will not limit the company’s “ability to derive approximate location from your IP address” – which is the numerical address assigned to users’ Internet connections and relayed when users visit an app or website.
In other words, even if certain customers expressly decline to share their whereabouts, Uber’s updated policy allows the company to collect some location information anyway.
“With a cellphone, the IP address might get you a city or part of a city,” said Jonathan Mayer, a computer scientist and lawyer at Stanford University. “But, if you are using a landline address, that could in fact be incredibly precise – to an exact address or part of a building, depending on how it is configured.”
Mayer said that his office IP address locates him on the fourth floor in a certain section of the Gates Computer Science Building at Stanford.
In the letter, EPIC also contended that Uber had deceptively suggested that users would have control over their contact lists. For instance, if people who use Android devices give Uber access to their contact list and use the app, the complaint says, they will not be able to rescind that permission.
The complaint also said that, by regularly sending “unsolicited” text messages to customers and people on their contact lists, Uber may be violating a federal law that prohibits making phone calls that involve ads or telemarketing without prior express written consent.
“These updated statements don’t reflect a shift in our practices, they more clearly lay out the data we collect today and how it is used to provide or improve our services,” Uber said in its statement.
The FTC generally reads letters from consumer groups. In the past, public complaints from groups with the stature of EPIC have put pressure on companies to change their practices. It was at EPIC’s annual awards dinner this month that Tim Cook, the chief executive of Apple, delivered a speech rebuking the tech industry for poor data privacy and security practices.
“We welcome complaints from consumers and consumer groups and review them carefully,” said Justin Cole, a spokesman for the FTC.
He declined to comment on whether the agency was investigating Uber’s privacy practices.