Privacy Concerns in the Sharing Economy: The Case of Uber

Telecommunications Privacy Peer-to-Peer
By Sabreena Khalid – Edited by Insue Kim 91ea09a6535666e18ca3c56f731f67ef_400x400Following scandals earlier this month revolving around the use of personal user information, the 30 billion dollar tech giant, Uber, hired Harriet Pearson, former chief privacy officer at IBM, to “conduct an in-depth review and assessment of [the] existing data privacy program." USA Today. The public relations fiasco was sparked by one of the company’s senior executives suggesting that the company invest in opposition research targeted at critics, particularly at one journalist denouncing the company’s allegedly mysoginistic practices. BuzzFeed and ars technica provide further commentary and details.  The executive has since apologized for his statements. At the same time, the company took another blow when revelations surfaced that its New York general manager was accessing the Uber travel data of another journalist without her permission. Slate provides further details. Further, reports of the company using a “God view” tool to track customers’ location at a launch party resulted in a harsh letter from Senator Al Franken questioning Uber’s privacy policy. Uber’s recent hire of Pearson is part of the company’s attempt to regain consumer trust in its business and privacy policies. According to BuzzFeed and Slate, the company has explicitly distanced itself from the acts of both officers, stating that it does not conduct any kind of opposition research on journalists, and that it restricts all employees’ access to driver or user data except for “a limited set of legitimate business purposes”. The story brings attention to the larger and more pertinent issue of the handling and usage of personal user information by tech companies in the sharing economy. Uber’s privacy policy states that the app can gather and use users’ geo-location data for a variety of purposes, including “internal business purposes”. S. 1(b) Uber Privacy Policy. The privacy policy, however, does not define what these purposes are. So far, the company has reportedly used it for purposes such as tracking 30 of its most “notable users” to display an activity map at a launch party. It is reported that these users did not know their location coordinates were being used in such a way. Ars technica. Uber has also tracked a journalist’s location as she arrived at the Uber headquarters in New York, unbeknownst to her. Slate.  According to Uber’s Privacy Policy, the (automatically) collected geo-location data can additionally be used “to prevent, discover and investigate violations of this Privacy Policy or any applicable terms of service or terms of use for the Mobile Application, and to investigate fraud, chargeback or other matters.” S. 1 (e) Uber Privacy Policy. The Policy also allows the company to “access, use, preserve, transfer and disclose” information—as determined necessary or appropriate by Uber—“to prevent or stop activity” that poses a risk of being “an illegal, unethical, or legally actionable activity.” S. 3(e)(vi) Uber Privacy Policy. Whereas the use of loosely-defined terms such as “other matters,” “investigate” and “prevent” has been common in privacy policies of many companies dealing with online users’ personal information, the discretion that such loosely defined terms grant companies is a legitimate cause for concern. In Uber’s case in particular, the unfettered right to “prevent” violations or illegal activities perhaps implicates that personal information can be accessed anytime, without judicial oversight, on the pretext of thwarting violations which may or may not occur. Moreover, the fact that Uber may retain personal information for an indefinite period of time is a major source of alarm for many. The sharing economy thrives on trust and reputation. For Uber, the ability to detect the location of millions of drivers and users is a key feature based on which the app operates. Despite the company’s attempts at projecting a privacy-friendly corporate image, its privacy policy is lacking in many respects. In many instances, it contradicts the company’s public position devoted to privacy rights, representing a larger trend of many tech companies failing to live up to their words or ideals on privacy. Federal regulation of tech companies’ privacy policies may be a solution. But first, a good place to start may be to review policies for weaknesses and inadequate protections, and to ensure compliance of the policy at all levels of management.