Consumer Cases
In re: Uber Privacy Policy
Background on Uber
Uber is an American company that allows consumers to arrange transportation and other third-party services by way of a smartphone application. The app connects local drivers and riders by utilizing riders’ phone GPS capabilities. According to recent estimates, Uber has more than 8 million users and 160,000 drivers active on its service worldwide. The company currently operates in approximately 150 U.S. markets and is estimated to be valued at $41 billion.
To request a ride, Uber passengers select which kind of car service they would like to request on the Uber app and then enter in their location and destination address either manually or through the app’s automatic GPS or Wi-Fi location detector. The app alerts users when a car has been confirmed and shows the driver’s name, license plate number, route, and estimated time of arrival. After the ride is completed, a receipt is emailed to customers. Passengers and drivers rate each other, as an incentive to both encourage good customer behavior and provide feedback on drivers.
EPIC’s Complaint
On June 22, 2015, EPIC filed a formal complaint with the Federal Trade Commission regarding the impact on consumer privacy of Uber’s upcoming privacy policy changes and advertising techniques. As of July 15, 2015, Uber is replacing its current privacy policy to include changes to its collection of consumer location data, access to contact data, and its advertising practices. Uber alleges that “users will be in control: they will be able to choose whether to share the data with Uber.” However, not all users have the ability to control the data collected by the Uber app, and critics have characterized the proposed changes as being overly intrusive, especially due to Uber’s recent privacy protection failures. Uber is significantly expanding the potential uses of user information for advertising purposes, and has made clear that it intends to incorporate the data of Uber users into “potential new use cases.” The proposed changes confuse Uber customers’ understanding of the use of their location data and their exposure to advertising, and constitute an unfair and deceptive trade practice, subject to investigation by the Federal Trade Commission.
The Federal Trade Commission Act (“FTC Act”) prohibits unfair and deceptive acts and practices, and empowers the Commission to enforce the Act’s prohibitions. Under the Act, a business practice is deceptive if it “involves a representation, omission or practice that is likely to mislead the consumer acting reasonably under the circumstances,” and is “material,” or meaningful to the consumer. Unfair acts under Section 5 are those that “cause[] or [are] likely to cause substantial injury to consumers which [are] reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”
Legal Theories
EPIC charges Uber with Deceptive Representation regarding User Control
EPIC charged Uber with deceptive representation in violation of Section 5 of the Federal Trade Commission Act for their misleading portrayal of user privacy control. While Uber’s new easy-to-read policy initially received accolades, such plain language makes it easy to see exactly how much information Uber is acquiring from its users. While Uber purports to commit to user privacy in official statements, it remains unclear whether or not users can in fact choose to withhold data from Uber.
One of the major changes in the new policy allows Uber to conduct real time tracking of passengers while the app is not in use. While the app is running in the foreground or background, Uber is able to collect information of your precise location. Even if location services or GPS is disabled, Uber can still derive a user’s location from their phone’s IP address. Another significant change in the policy permits Uber to access users’ address books. Uber may not only access but store names and contact information from the address book and use it to “facilitate social interactions” and send out promotional communications. Users and experts have characterized the new policy changes as being overly intrusive, especially due to Uber’s recent privacy protection failures.
In response to criticism about the changes to the privacy policy, an Uber spokesperson attempted to clarify that tracking passengers in real time and accessing users’ address books are merely “potential new use cases” of its customers’ data. In other words, how Uber will utilize the large amount of newly collected is data has yet to be determined.
Uber’s representations about user control are misleading. Uber stated that if the company ever launches the controversial features, the app would still work if the user chooses not to opt in. However, the new privacy policy relies on iOS permission systems through which Uber users may opt in to the collection of certain data. When a user installs the Uber app on their phone, the iOS platforms will alert the user that Uber wants to access certain types of information at which point you can consent, or not consent, to that request. Other platforms, such as Android, only notify the user of the request, but use of the app itself constitutes consent. Once Android users use the app, they cannot stop or modify Uber’s access to their information.
EPIC Charges Uber with Deceptive Representation regarding Ability to Opt Out of Targeted Advertising
EPIC further charged Uber with deceptive business practices in violation of Section 5 of the FTC Act because of the company’s policy change regarding targeting advertising. In addition to its overall assurances about data privacy, Uber told customers in 2013 that they would be able to opt out of targeted ads. Customers would reasonably assume that this is still the case. In fact, Uber customers can no longer opt out of targeted ads. As a result, users’ personal information may be disclosed to parties they do not intend or expect to share it with. Uber’s failure to provide a means of opting out of targeted advertising in its new privacy policy therefore constitutes a deceptive act or practice in violation of Section 5.
EPIC Charges Uber with Deceptive Representation Regarding Data Protection
EPIC also charged Uber with engaging in deceptive business practices in violation of Section 5 of the FTC Act in representing that its users’ Data Would be Protected by Robust Security Measures. Uber claims in its new privacy policy that it will “take appropriate measures to protect [users’] personal information.” But Uber has a history of poor data security. Uber’s database was hacked in early 2014, exposing tens of thousands of its drivers’ information, but the company did not discover the breach for months and took an additional five to notify its drivers. Uber has yet to release what its practices for securing its users’ and drivers’ personal information are. Multiple security experts have stated that Uber is the largest ever “cyber-espionage target” of its kind (taxi, car service, or other such private entity) and likely vulnerable to attacks.
In addition, Uber has a history of allowing people within and without the company to have unrestricted access to its customers’ personal information. Toward the end of 2014, individual employees could use “God View,” an “easily accessible” internal company tool, to obtain a specific rider’s real-time and historic location data without notifying or requesting that rider’s permission. Potential employees have also been granted access to Uber’s “God View” in their visits to the company, allowing non-Uber employees to temporarily track friends, co-workers, or politicians’ family members. While Uber has stated that its employees can access and use customers’ information only for “legitimate business purposes,” it has not disclosed what those purposes might be. In the past, one of the official reasons Uber used riders’ personal information for was to map customers’ “Rides of Glory” by tracking one-night stands and subsequent “walks of shame.” Uber’s opaque data security practices prevent customers from determining whether Uber is actually taking “appropriate measures” to protect their data.
EPIC charges Uber with Representation and Unfair Trade Practice regarding its Tracking of Users’ IP Addresses
EPIC charged Uber with an unfair business practice in violation of Section 5 of the FTC Act. EPIC explained that tracking users by their IP address without their knowledge “poses potential safety risks” and “undermines consumers’ decision-making autonomy.” It therefore causes substantial injury to consumers that is outweighed neither by countervailing consumer benefit nor competition. In order to avoid the injury, users must either delete the app or cease to use Uber’s services. As such, the injury is not reasonably avoidable.
EPIC has also charged Uber with a deceptive practice. As Uber represents that users will be able to choose whether to share location data to Uber. This statement will likely mislead reasonable consumers into believing they can choose not to disclose location data with Uber after downloading the app.
Resources
- Letter from EPIC Exec. Dir. Marc Rotenberg to FTC Comm’r Christine Varney (Dec. 14, 1995)
- Julia Horwitz & Marc Rotenberg, Privacy Rules for Uber, The Huffington Post (Dec. 12, 2014)
- Federal Trade Commission, FTC Charges Deceptive Privacy Practices in Google’s Rollout of Its Buzz Social Network (Mar. 30, 2011)
- Fed. Trade Comm’n, FTC Policy Statement on Deception (1983)
- Fed. Trade Comm’n, FTC Policy Statement on Unfairness (1980)
- Craig Timberg, et al. Uber Executive Stirs Up Privacy Controversy, Wash. Post (Nov. 18, 2014)
- Craig Timberg, Is Uber’s Rider Database a Sitting Duck for Hackers?, Wash. Post (Dec. 1, 2014)
- Sam Frizell, What Uber Still Won’t Say About Your Data, Time (Jan. 30, 2015)
- Eric Newcomer, Uber Broadens Rider Privacy Policy, Asks for New Permissions, Bloomberg, (May 28, 2015)
- Hogan Lovells, Review and Assessment of Uber’s Privacy Policy (Jan. 2015)
Support Our Work
EPIC's work is funded by the support of individuals like you, who allow us to continue to protect privacy, open government, and democratic values in the information age.
Donate