Sen. Franken Blasts Uber Over 'God View' Customer Tracking

Uber, the non-cab cab company, is in the hot seat for potential privacy violations, after a reporter found an executive to be tracking her physical movements via cell phone. And Sen. Al Franken is not pleased with how it’s handling the scrutiny. In fact, he said, Uber appears to be dodging the questions.

The senator, who chairs the Subcommittee on Privacy, Technology, and the Law, this week blasted Uber’s privacy policies for being unclear.

“I recently pressed Uber to explain the scope, transparency and enforceability of their privacy policies. While I’m pleased that they replied to my letter, I am concerned about the surprising lack of detail in their response,” Franken said. “Quite frankly, they didn’t answer many of my questions.”

It all kicked off with Uber’s New York general manager, Josh Mohrer.

In November, BuzzFeed News reporter Johana Bhuiyan received an email from Mohrer responding to a question that she asked about the company’s operations. That mail, she said, contained a list of notifications from the Uber app that Bhuiyan herself had received, showing the dates and times that her car had arrived as she was using the service over the previous two weeks. Somehow, Mohrer was able to gather a list of those notifications without her knowledge or permission.

Then, even stranger, she had arranged an interview with Mohrer at Uber’s New York office in November. She arrived, only to find him waiting for her and waving his phone. “I was tracking you,” he told her.

Two former Uber employees told BuzzFeed News about the existence of an internal company tool, ominously called “God View.” The tool shows the location of Uber vehicles and correlates it with data about customers who have requested a car. The information is then kept in logs and clearly can be sliced and diced at will, if Mohrer’s email is any indication.

BuzzFeed also reported that drivers themselves do not have access to God View.

Uber itself appears to have little understanding of the implications of having such a tool readily available to employees, because the behavior has been going on for some time, according to Peter Sims, a venture capitalist.

He reported that in 2011, he was in an Uber car in Manhattan when he began getting text messages from a slight acquaintance, who was at an Uber launch party in Chicago. There, supposedly, on a large public tele-monitor, Sims’ movements were being tracked via God View without his knowledge, for everyone in the room to see.

“After learning this,” he wrote in a blog detailing the incident, “I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a ‘cool’ event and as if I should be honored to have been one of the chosen.”

Further, Uber itself wrote a blog post in 2012 entitled “Rides of Glory,” which detailed an aggregate data correlation exercise tracking Uber riders who appeared to be having one-night stands in six US cities. Interestingly, that post has now been removed. Most companies perform aggregate data crunching and analysis on customer information, to identify general patterns and trends, in order to improve their business. But with the potential capability of attaching actual customer names and information to that data about one-night stands, the exercise takes on an entirely different, and creepy, dimension.

The firm released its privacy policy in November, when the story first broke. It shows that Uber collects and keeps user information forever, even if users delete their accounts.

“Even after your account is terminated, we will retain your personal information and usage information (including geo-location, trip history, credit card information and transaction history) as needed,” it said. This information will only be used for “legitimate business reasons,” which may include regulatory compliance, fraud prevention, legal dispute resolution and, tellingly, “for other business reasons.”

In a blog post, though, it said, “Uber has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes. Our policy has been communicated to all employees and contractors.”

Clearly, there is some variation in how one could interpret Uber’s policies. That prompted Franken to write the company a letter asking for clarification. Its response, he said, is unsatisfactory.

“It still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data,” Franken said. “I will continue pressing for answers to these questions.”
