Sen. Al Franken Not Happy With Uber’s Evasive Responses On Privacy

Last month, as Uber weathered a fresh storm of criticism about its attitude to critics and user privacy — following revelations that a senior Uber exec had floated the idea of spending money to dig up dirt on critical journalists’ private lives — Senator Al Franken posted a public letter to Uber CEO Travis Kalanick, raising concerns about the company’s apparently systematic disregard for privacy and asking that it clarify its privacy policies.

Uber has since written to Franken, with its own letter, and the Senator has posted his response to that on his website. He has also published Uber’s letter to him.

Is the Chairman of the Subcommittee On Privacy, Technology, and the Law happy with Uber now? No, he most definitely is not. Franken is critical of Uber’s response to the concerns he raised around privacy — specifically complaining that it lacks detail and that the company’s three page letter avoids answering some of his questions.

Franken asked several questions of Uber in his open letter, including why the company apparently retains personal customer data such as usage information and geolocation data indefinitely — even after a user deletes their account.

He also probed where in its privacy policy Uber details the “limited set of legitimate business uses” that it said may justify employees accessing riders’ and drivers’ data, including sensitive geolocation data. (Aka the God View interface which shows in real time where Uber users are traveling and which Uber has apparently used as windowdressing to spice up its launch parties.)

In its letter, Uber says its God View interface is an essential business operations tool, and is used for “numerous real-time tasks to keep the service up and running properly” — such as managing supply and demand, by, for instance, messaging drivers that are too closely clustered together to say there are potential rides in another area of town.

On the access point, Uber’s letter admits to using God View for marketing purposes, not just business ops, albeit — more recently — in a dedicated presentation mode that locks out rider data [emphasis mine]:

This tool is now made available only to employees working in operations or other areas, like fraud prevention, where it is necessary to have a real-time view of trips. Because this tool also has a compelling visual display of our business it has sometimes been shown to third parties. In these instances, employees are required to use a “presentation” view, which has been available for about a year now and makes rider personal data inaccessible.

Uber’s letter kicks off by emphasizing its rapid growth — with the tacit implication being that it’s having to nail down privacy policies that perhaps weren’t formally documented in its scramble to drive all over the map, especially now it has a whole lot more employees on its books (it notes it’s grown from 400 employees a year ago to 2,000 now).

It also notes it has “recently engaged” Harriet Pearson, a lawyer at law firm Hogan Lovells which specializes in privacy and cyber security, to conduct an “in depth review and assessment” of its existing data privacy program, and recommend enhancements where necessary.

Responding to Uber’s letter, Franken said it remains unclear how Uber defines “legitimate business purposes” for accessing, retaining, and sharing customer data — despite the company responding at length — adding that he will “continue pressing for answers”.

He writes:

I believe Americans have a fundamental right to privacy, and that right includes the ability to control who is getting your personal location information and who it’s being shared with. I recently pressed Uber to explain the scope, transparency, and enforceability of their privacy policies. While I’m pleased that they replied to my letter, I am concerned about the surprising lack of detail in their response. Quite frankly, they did not answer many of the questions I posed directly to them. Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data. I will continue pressing for answers to these questions.

Earlier this month Franken also sent a letter to Uber competitor Lyft asking it to detail its privacy practices, saying he expects a response by the end of the year.