Uber submits to privacy audits for 20 years

Uber is to face 20 years of privacy audits after settling Federal Trade Commission (FTC) complaints that it deceived customers and didn't protect their personal data securely enough.

The ride-hailing firm has agreed to roll out a privacy programme that tackles any privacy risks to Uber's services, and protects people's personal information, as well as subjecting itself to a third-party audit every two years for the next 20 years.

It comes after alleged privacy breaches dating back to 2014 that led the FTC to file two complaints with the company.

"Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said the FTC's acting chairman, Maureen Ohlhausen.

The FTC claims Uber allowed its employees to access personal customer and driver records after it decided to stop using a self-developed solution that monitored employee access to its customers' data. The monitoring platform was only in operation for less than a year and after it terminated the use, it didn't introduce any other process to monitor access.

Although at the time, Uber said its data was securely stored in its database, it has since transpired this wasn't the case and it actually failed to provide any kind of system that prevented unauthorised access to customers' confidential information.

Responding to media reports that Uber employees were improperly accessing customer data, Uber issued a statement in November 2014 saying a "strict policy" forbade such access to customer and driver information except for certain business purposes, and that their access would be closely monitored.

The following month it developed an automated system to monitor employee access to customer data, but the FTC claimed it stopped using this system less than a year later, and rarely monitored access for nine months afterwards.

Meanwhile, the FTC also claimed that while Uber said people's data was "securely stored within our databases", its security measures did not prevent unauthorised access to databases stored in Amazon Web Services' cloud. That allegedly enabled an intruder to steal 100,000 names and driver's license numbers from Uber's database in May 2014.

"This case shows that, even if you're a fast growing company, you can't leave consumers behind: you must honour your privacy and security promises," Ohlhausen said.

Clare Hopping
Freelance writer

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.

Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.

As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.