Uber Settles 'God View' And Data Breach Investigation - InformationWeek

Uber has reached an agreement with New York's Attorney General to implement stronger privacy and security controls. Additionally, the company will pay a $20,000 fine to resolve a data breach issue.

Ride-hailing company Uber has agreed to a settlement with New York Attorney General Eric T. Schneiderman over the company's tracking system, referred to internally as "God View," that provided real-time access to information about affiliated vehicles, drivers, and passengers. The settlement requires Uber to take steps to protect customer data. Separately, the company has agreed to pay $20,000 for failure to provide notice of a data breach disclosed in Feb. 2015.

The New York State Office of the Attorney General (NYAG) opened an investigation into Uber's privacy practices following a Buzzfeed report that claimed Uber New York general manager Josh Mohrer had tracked Buzzfeed reporter Johana Bhuiyan without her knowledge or consent. The investigation found Uber's "God View" tool.

During the course of the investigation, Uber removed personal information from its tracking application.

Under the agreement, Uber will keep location data in a password-protected system and will encrypt the data in transit. It will employ an approval process and technical controls that limit access to location data to employees with a legitimate business need for the information. It will designate one or more employees to oversee its privacy and security program.

Uber has also agreed to conduct privacy and data security training for employees handling privacy information, to adopt access control technology like multi-factor authentication, to audit its internal controls to ensure their effectiveness, and to disclose its practices for handling rider location information in its privacy policy.

The $20,000 fine is a consequence of Uber's failure to report a data breach in a timely manner, as required by New York business law. In Feb. 2015, Uber revealed that in Sept. 2014 it had discovered a data breach that occurred in May that year.

According to the Assurance of Discontinuance that summarizes the NYAG's findings, Uber was informed that a competitor had access to an Uber security code. The company's investigation found that an Uber employee had inadvertently posted the security code to Uber's cloud storage account on GitHub and that someone using an IP address not associated with any authorized Uber personnel had accessed a "pruned" copy of an Uber database.

"Although Uber had deleted most personal information and 'salted and hashed' passwords within the file before it was stored, the file contained driver's license numbers capable of being matched to driver names stored elsewhere within the file," the NYAG's filing states.

The filing says that Uber updated its privacy policy in July 2015 to cover how it handles location information. The company's current policy allows Uber to collect a user's location through mobile operating system mechanisms, following initial consent, even when the Uber app has been closed. (The app runs as a background process.)

The filing says that Uber doesn't currently collect location information when its app is closed and that the company has committed to notifying users and providing an option to opt out if it starts doing so. The company also reserves the right to derive a user's location from his or her IP address, a method less precise than using geolocation APIs.

The settlement formalizes many practices and policies that have already been in place for some time. The company's commitment to use client data only for a legitimate business purpose, for example, dates back to a prior privacy policy update in Nov. 2014. The update followed a Buzzfeed report that one of the company's executives had suggested hiring opposition researchers to find embarrassing information about reporters who had criticized the company.

"We are deeply committed to protecting the privacy and personal data of riders and drivers," an Uber spokesperson said in an emailed statement. "We are pleased to have reached an agreement with the New York Attorney General that resolves these questions and makes clear our commitment to best practices that put our community first."

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
