Uber agrees to 20 years of privacy audits to settle FTC charges

Reuters Uber app and a taxi sign on the groundReuters
Uber has agreed to 20 years of privacy audits to settle FTC charges over how it handles customer and driver data

Uber has been ordered to introduce tougher measures to protect the privacy of its drivers and their customers, to settle charges brought by a regulator.

It also had to agree to have the effectiveness of the stricter controls assessed by an independent auditor every two years for the next 20 years.

The charges relate to God View, a software program that enabled the ride-sharing company to monitor real-time locations of customers and drivers.

Uber faces fines if it fails to comply.

The US Federal Trade Commission began investigating Uber following allegations about the God View program in the media in 2014.

After the investigation started, Uber developed an automated system for monitoring employee access to customer and driver personal data.

However, the FTC said the company had stopped using it eight months after it had been put in place.

Concerns were also raised over a 2015 breach that exposed personal data about more than 100,000 Uber drivers.

"Uber failed consumers in two key ways: first by misrepresenting the extent to which it monitored its employees' access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data," said FTC acting chairman Maureen Ohlhausen, who presided over the settlement.

"Our order requires a culture of privacy sensitivity for Uber.

"It is going to make them take privacy into account every day."

Uber said it was pleased that the FTC investigation had ended.

"We have significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programmes," an Uber representative said.

Comparitech security researcher Lee Munson said: "While such an agreement with the FTC may sound incredibly arduous, Uber will probably benefit from a necessary change in approach which will stand it in good stead for the incoming EU General Data Protection Regulation, which threatens stiff penalties for companies that are lax with employee and customer data."

Fines and lawsuits

Apart from the FTC investigation, Uber was also sued by the New York attorney general over the God View allegations.

And, in January 2016, Uber agreed to encrypt all rider geo-location data, as well as to pay a penalty of $20m (£16m) to settle concerns over how it had handled the data breach.

One year later, the FTC ordered Uber to pay a further $20m over claims the company had misled drivers about the potential income they could earn.

Separately, Uber's former forensic investigator Ward Spangenberg has been suing the company over alleged age discrimination and whistleblower retaliation.

In a court declaration from December 2016, Mr Spangenberg alleged that Uber had let its employees spy on celebrities and ex-partners.