"Where are you?"
It’s a question Uber drivers and passengers are all too familiar with in their attempts to coordinate a pickup location.
The ride hailer hopes to solve this problem with a new policy that allows it to track a user's location from the initiation of a trip up to five minutes after they reach their destination, even if the mobile application is running in the background.
But internet privacy and civil liberty advocates are concerned at how much personal data Uber is asking users to blindly share with it.
“Some people choose to disclose a lot of information. That’s their choice. Others do not. That’s their choice. They key is to always respect the decisions people make,” says Marc Rotenberg, president and executive director of the Boston-based Electronic Privacy Information Center (EPIC). “When Uber decides – having said to several million customers in the US, ‘You can choose to be tracked while you’re using the service, but you don’t have to be tracked all the time’ – then changes that without people knowing it, it takes away the users’ opportunity to make that decision.”
In anticipation of Uber’s new policy, EPIC filed a complaint with the Federal Trade Commission (FTC) in June 2015. In the complaint, the internet privacy advocate charges Uber with “unlawful and deceptive trade practices,” citing the ride hailer's previous misuse of customer data.
Since Uber considers itself a digital service that pairs drivers with passengers, knowing where its users are is inherent to its success. But the ride hailer has been muddled in questions over how it monitors the location of its users and secures their information. In the past, Uber attempted to resolve these complaints by trying to be more sensitive to the privacy of its users.
But this newest policy has EPIC and other internet privacy advocates claiming Uber has much more access to users’ personal data than it is letting on. The policy also renews the debate over how much access not just Uber, but other digital services, including Google and Amazon, should have, and who should regulate them to keep them in line.
Uber previously collected data from a user only if the application was open on their smartphone. If a user accepts this new policy, part of a recent application update, Uber can track their location even when the application is running in the background. That means Uber can see where you end up after you leave the car, as NPR writes.
On its website, Uber says it does this “to improve pickups, drop-offs, customer service, and to enhance safety.”
Users can choose not to share their geo-location, which would mean they would have to manually enter in their pickup location and destination for each trip.
Naked Security, a cybersecurity news site, expands on Uber's claims that the additional tracking is in the interest of rider safety. For instance, if a rider has to cross the street to reach his or her destination, the Uber driver hasn't dropped the rider off at the exact location and exposes the rider to additional risks, such as getting hit by a car when crossing the street.
Uber has said it plans to monitor the location of riders only during and immediately after a ride. But Greg Leppert, who is affiliated with Harvard University’s Berkman Klein Center for Internet and Society, is concerned about the amount of data Uber could conceivably gather.
“Uber is forcing users to trust that it will abide by self-imposed restrictions on collection, and that it’ll use that data responsibly not only today, but far into the future,” writes Mr. Leppert in an email to The Christian Science Monitor on Monday.
Leppert mentions cybersecurity expert Bruce Schneier’s description of data as a “toxic asset,” which should be collected infrequently and disposed of as soon as it has fulfilled its purpose. “Instead of taking this prudent approach, Uber appears to view data collection as a casual commodity easily justified in the name of product experience,” writes Leppert.
Uber has faced scrutiny before for how it manages the personal data of its users. In 2014, a BuzzFeed reporter, Johana Bhuiyan, alleged Uber’s New York general manager, Josh Mohrer, told her when the two met at the company’s New York headquarters that he had just been “tracking” her Uber ride. This prompted an investigation by the New York Attorney General’s Office into Uber executives’ ability to access riders’ locations, known internally as “God View,” according to CBS News. In January 2016, Uber reached a $20,000 settlement for that case and a separate incident last year involving a data breach by an unauthorized third party.
At the same time, Uber tried to change how its employees regard privacy, which Keith Chen, Uber’s chief economic researcher, talked about with NPR’s Shankar Vedantam in May. Dr. Chen said the company implemented procedures to limit the intrusiveness of its data collection, including the appointment of a privacy officer, and training and services for employees.
“We do have access to a tremendous amount of data,” said Chen. “We have to take very seriously this responsibility that we're becoming a big part of how people move around the world. And we just want to be very careful with that.”
But the new app policy Uber also previewed in May has angered privacy advocates as well as the public. In EPIC’s FTC complaint, commenters said they deleted the app out of privacy concerns.
"I do not want to be tracked and, I certainly don’t want to give Uber permission to access my contacts,” one commenter wrote.
These concerns are consistent with American attitudes about digital privacy. In a 2015 survey by the Pew Research Center, a vast majority of respondents said the amount of personal data an app collects could make or break whether they download it or delete it from their phone. After they discovered how much personal information an app required, 6 in 10 respondents said they chose not to install it. Another 43 percent said they uninstalled an app they had previously downloaded.
But Uber isn’t the only digital company to spark privacy fears. Google has often drawn criticism for how it collects and stores information. In 2014, it faced a lawsuit in California from plaintiffs who alleged the company violated wiretapping laws by scanning their emails. It’s also widely known Google stores users’ search history and saves audio recordings of questions they ask through Google’s voice search or the voice-activated assistant, Google Now, as Wired reports. On-command digital listening devices such as Amazon’s Alexa and Google Home have also prompted debates about whether they are listening in to conversations in the kitchen, living room, or bedroom and storing that information.
Dealing with these concerns has also proved challenging for regulators. The FTC has largely become responsible for overseeing digital privacy in the United States, although EPIC has said Washington should adopt internet privacy laws instead. The European Union has a set of rules on internet privacy that will take effect in 2018, but they ask businesses to adopt strict regulations over the next two years.
But society will also have to decide what’s OK and what’s not.
"What are the right ways to set the dials so we can maintain privacy and also enjoy these new technologies?” Trevor Hughes, chief executive of the International Association of Privacy Professionals (IAPP), told the Monitor recently. “We can foresee that there will be flash points, but they haven’t happened yet."
The FTC has not moved on the EPIC complaint against Uber. Sen. Al Franken (D) of Minnesota, who previously has been critical of Uber, told NPR he plans to look at the issue further.