Uber Just Agreed To 2-Decades Of FTC Privacy Audits
The Federal Trade Commission and Uber announced a settlement today that allows the FTC two decades of privacy and security audits. This announcement is the next step in Uber settling disputes with the FTC – the second settlement they've made this year. In January of this year, Uber agreed to a settlement of $20-million for exaggerating potential earnings in an effort to draw in drivers.
The settlement today seems to end an investigation that started back in the year 2014. It was back then that Uber was in some hot water over several incidents, one of which put the God Mode View in the news once again – like this Forbes article on how God Mode was used for party-goers' entertainment.
One of the biggest privacy news bits from 2014 that sparked the investigation that continues today involved doxing. It was back then that Uber wasn't doing great after the story about their potential doxing of critical journalists was leaked.
Uber was also under investigation (and may well still be by other organizations) over accusations of a sort of secret method for blocking people they called "grayballing." If a user is grayballed, they'd be unable to see any real cars, instead seeing the app populated by ghosts. This would allow Uber to avoid running into police officers (or other law enforcement) that would potentially find them operating in a zone not allowed by a city's laws.
In January of 2015, Uber agreed to do some internal auditing of their own privacy practices. It came back favorable! That should not come as a big surprise to any of our readers here today.
After promising to strengthen both its privacy and security in 2014, Uber remained under investigation by the Federal Trade Commission through this week. The FTC PDF announcement of the settlement mentions both "God View" and the doxing.
"Respondent has engaged in a number of practices that, taken together, failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information," said the document distributed by the FTC. They also mentioned the September 2014 breach of rider and driver information. The full order can be accessed through the FTC under Uber Technologies Decision and Order.
In the document the FTC orders that Uber undergo Privacy Assessments by a Third Party. "It is further ordered that, in connection with its compliance with the Provision of this Order titled Mandated Privacy Program, Respondent must obtain initial and biennial assessments," said the FTC document.
The assessments have a reporting period that includes, first, "the first 180 days after the issuance date of the Order for the initial Assessment." After that, "each 2-year period thereafter for 20 years after the issuance date of the Order for the biennial Assessments." Full requirements of Uber's privacy assessments can be found in the "Uber Technologies Decision and Order" link above.