Uber is an American company that allows consumers to arrange transportation and other third-party services by way of a smartphone application. The app connects local drivers and riders by utilizing riders’ phone GPS capabilities. According to recent estimates, Uber has more than 8 million users and 160,000 drivers active on its service worldwide. The company currently operates in approximately 150 U.S. markets and is estimated to be valued at $41 billion.
To request a ride, Uber passengers select which kind of car service they would like to request on the Uber app and then enter in their location and destination address either manually or through the app’s automatic GPS or Wi-Fi location detector. The app alerts users when a car has been confirmed and shows the driver’s name, license plate number, route, and estimated time of arrival. After the ride is completed, a receipt is emailed to customers. Passengers and drivers rate each other, as an incentive to both encourage good customer behavior and provide feedback on drivers.
The Federal Trade Commission Act (“FTC Act”) prohibits unfair and deceptive acts and practices, and empowers the Commission to enforce the Act’s prohibitions. Under the Act, a business practice is deceptive if it “involves a representation, omission or practice that is likely to mislead the consumer acting reasonably under the circumstances,” and is “material,” or meaningful to the consumer. Unfair acts under Section 5 are those that “cause or [are] likely to cause substantial injury to consumers which [are] reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
EPIC charges Uber with Deceptive Representation regarding User Control
EPIC charged Uber with deceptive representation in violation of Section 5 of the Federal Trade Commission Act for their misleading portrayal of user privacy control. While Uber’s new easy-to-read policy initially received accolades, such plain language makes it easy to see exactly how much information Uber is acquiring from its users. While Uber purports to commit to user privacy in official statements, it remains unclear whether or not users can in fact choose to withhold data from Uber.
One of the major changes in the new policy allows Uber to conduct real time tracking of passengers while the app is not in use. While the app is running in the foreground or background, Uber is able to collect information of your precise location. Even if location services or GPS is disabled, Uber can still derive a user’s location from their phone’s IP address. Another significant change in the policy permits Uber to access users’ address books. Uber may not only access but store names and contact information from the address book and use it to “facilitate social interactions” and send out promotional communications. Users and experts have characterized the new policy changes as being overly intrusive, especially due to Uber’s recent privacy protection failures.
EPIC Charges Uber with Deceptive Representation regarding Ability to Opt Out of Targeted Advertising
EPIC Charges Uber with Deceptive Representation Regarding Data Protection
In addition, Uber has a history of allowing people within and without the company to have unrestricted access to its customers’ personal information. Toward the end of 2014, individual employees could use “God View,” an “easily accessible” internal company tool, to obtain a specific rider’s real-time and historic location data without notifying or requesting that rider’s permission. Potential employees have also been granted access to Uber’s “God View” in their visits to the company, allowing non-Uber employees to temporarily track friends, co-workers, or politicians’ family members. While Uber has stated that its employees can access and use customers’ information only for “legitimate business purposes,” it has not disclosed what those purposes might be. In the past, one of the official reasons Uber used riders’ personal information for was to map customers’ “Rides of Glory” by tracking one-night stands and subsequent “walks of shame.” Uber’s opaque data security practices prevent customers from determining whether Uber is actually taking “appropriate measures” to protect their data.
EPIC charges Uber with Representation and Unfair Trade Practice regarding its Tracking of Users’ IP Addresses
EPIC charged Uber with an unfair business practice in violation of Section 5 of the FTC Act. EPIC explained that tracking users by their IP address without their knowledge “poses potential safety risks” and “undermines consumers’ decision-making autonomy.” It therefore causes substantial injury to consumers that is outweighed neither by countervailing consumer benefit nor competition. In order to avoid the injury, users must either delete the app or cease to use Uber’s services. As such, the injury is not reasonably avoidable.
EPIC has also charged Uber with a deceptive practice. As Uber represents that users will be able to choose whether to share location data to Uber. This statement will likely mislead reasonable consumers into believing they can choose not to disclose location data with Uber after downloading the app.
- Letter from EPIC Exec. Dir. Marc Rotenberg to FTC Comm’r Christine Varney (Dec. 14, 1995)
- Julia Horwitz & Marc Rotenberg, Privacy Rules for Uber, The Huffington Post (Dec. 12, 2014)
- Federal Trade Commission, FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network (Mar. 30, 2011)
- Fed. Trade Comm’n, FTC Policy Statement on Deception (1983)
- Fed. Trade Comm’n, FTC Policy Statement on Unfairness (1980)
- Craig Timberg, et al. Uber Executive Stirs Up Privacy Controversy, Wash. Post (Nov. 18, 2014)
- Craig Timberg, Is Uber’s Rider Database a Sitting Duck for Hackers?, Wash. Post (Dec. 1, 2014)
- Sam Frizell, What Uber Still Won’t Say About Your Data, Time (Jan. 30, 2015)