IN FOCUS

 

by Matthew W. Daus, Esq.
President, International Association of Transportation Regulators
Distinguished Lecturer, University Transportation Research Center, Region 2
Contact: mdaus@windelsmarx.com
156 West 56th Street, New York, NY 10019
T. 212.237.1106 • F. 212.262.1215

 

UBER – THE SPY WHO DOESN’T LOVE US

It is about time that the arrogance and Wild West approach of Uber is facing appropriate criticism. This turn of events in the media started with the Washington Post’s report that the transportation smartphone app company, Uber, had an employee allegedly share what’s called a “God View” allowing the company to track the movements of actual individuals.[1]

This follows recent articles about “#Ubergate” - that Uber is misusing and possibly exploiting private passenger data. It was reported that Uber senior VP Emil Michael suggested that his company could spend $1 million on digging up dirt about unfavorable reporters and threatened the misuse of passenger data in this regard.[2] A day later, a senior editor at San Francisco Magazine wrote that she was warned by sources at Uber that execs could be spying on her via her Uber usage.[3]

The editor was cautious to say that she did not know whether her information was accessed or whether her sources were just being overzealous in warning her. The general sense, however, is that accessing users’ private data is fairly easy at Uber, and that “the company stokes paranoia in its employees about talking to the press.”

Some call this activity lawful tracking and consumer data collection, while others feel that it is nothing short of spying and an invasion of privacy. If Transportation Network Companies are engaging in the collection, use and monitoring of data which is not pursuant to a legitimate business or regulatory purpose, with personal details and customer information so readily available that an intern or a job applicant (or possibly a hacker) could get their hands on it, there is a potential privacy and security issue.

This raises the question of what kind of spy we are dealing with. Is our culprit the cunning, sophisticated and seductive spy who appears in every James Bond movie, or are we dealing with a clumsy joker or goofy spy such as Maxwell Smart (Don Adams) from Get Smart or Austin Powers? I think the answer here is probably a little bit of all of them.

There is no question that the Austin Powers or Maxwell Smarts of the TNC world are immature, aggressive or potentially rogue, cocky and inexperienced employees doing things that are not well thought out, and just plain stupid. But there is a more nefarious part to this, a James Bond type villain, possibly Goldfinger, who seeks to turn the collection of data and tracking of the whereabouts of passengers using TNC apps into gold.

This data value capture probably supports a large portion of the alleged multi-billion dollar valuation of companies such as Uber as well as Lyft. Of all the issues to surface during the TNC debate so far, whether criminal background checks, insurance, accessibility, unfair competition, etc., nothing could be quite as damning or damaging economically to the new breed of data-hungry TNCs as government passing regulations limiting the collection or use of such data.

These concerns have caught the attention of United States Senator Al Franken from Minnesota, who recently served as chairman of a Senate subcommittee that focuses on privacy, technology, and the law. On November 19, 2014, Senator Franken wrote a letter to Uber CEO Travis Kalanick posing a series of questions about how the company handles its users’ information and how it plans to treat journalists.[4]

Among other things, Senator Franken questioned Uber’s lack of transparency in its privacy policy which states Uber may share customers’ personal and usage information with its “parent, subsidiaries, and affiliates for internal reasons,” without any further explanation. Further, the letter questioned Uber’s indefinite storage of consumer data, and asked Uber to justify why it does not delete consumer information immediately after a transaction.

The Federal Trade Commission (“FTC”) and other regulators have become increasingly concerned with the privacy implications of mobile and geolocation data and mobile app data security. While no law currently exists on the collection of geolocation information without consumer consent, it is unlawful for companies’ privacy policies to be “unfair and deceptive” under the FTC’s long-standing rules and regulations.

In the FTC’s seminal 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (“2012 Privacy Report”), the Commission made plain its “particular concerns of location data in the mobile context” and called on “entities involved in the mobile ecosystem to work together to establish standards that address data collection, transfer, use, and disposal, particularly for location data.”[5]

Since then, the FTC has issued further guidelines advising mobility app companies on best practices with respect to the development of privacy policies and practices.[6] Further, the recent Sony hacking scandal has put the federal government on high alert that cyber terrorism is a very real concern that can seriously threaten our way of life.[7]

Whether changes are on the way on a national legislative level, it is completely within the power of state and local legislators or government transportation regulators to require, as a condition to the licensure of TNCs, that privacy protections be put into place.

When I was Commissioner of the NYC TLC, we enacted regulations, working closely with the New York Civil Liberties Union, that required the vendors authorized to install the taxicab technology systems in NYC yellow taxicabs (the credit card machines, screens, monitors and GPS systems referred to as the “TPEP” system) to adhere to strict security and privacy protocols. This was done in order to protect the public from credit card fraud, identity theft, and other unlawful hacking of such data. See Chapter 76 of the TLC Rules and Regulations.

For example, TLC Rules require that TPEP providers establish an information security policy prior to developing a system design. That policy must be disseminated to the provider’s employees and relevant third parties, and must be reviewed and updated at least annually.[8]

Further, data categorized as private or confidential must not be transitioned to removable media without TLC approval.[9] A copy of these NYC rules and regulations can be found at:

www.nyc.gov/html/tlc/downloads/pdf/rule_book_current_chapter_76.pdf.

The NYC TLC is entitled to only a limited amount of data which includes the data relative to taxicab pick-up and drop-offs, as well as certain GPS location information. The TLC does not typically obtain, and is generally shielded from reviewing, breadcrumb data, or the GPS pings of the taxicab and its location throughout the route in between pick-up and passenger drop-off. This is precisely the type of information, the tracking of a passenger trip, that Uber was alleged to have been monitoring as part of its “God View.”

The TLC typically obtains very important T-PEP data on the number of rides, the taxi fare information, and other general information that includes “blips or dots on a screen.” They have no particular identity of passengers or individual taxicab drivers or medallions, unless requested for a specific legitimate regulatory purpose as part of a TLC or other government investigation.

Off-duty locations of taxicabs are completely off limits to the TLC as a privacy safeguard. The TLC agreed with the NYCLU that this safeguard was embodied in the T-PEP vendor agreements and the TLC rules.

The TLC collects general ridership data to achieve various objectives, not the least of which is to verify that taxicabs are servicing all neighborhoods in the city. As well, the data determines the actual earnings of taxicab drivers and medallion owners, which is used to make sound, fact-based decisions in enacting fare increases. This eliminates the prior guesswork involved in manual trip sheet surveys and other primitive regulatory methods.

The TLC will only receive further breadcrumb data from the T-PEP system if it is specifically requested for a targeted and disclosed purpose (i.e., lost property; stolen cab, etc.). Further, the TLC will only release more detailed data to law enforcement if served with a subpoena.

In 2007, when the installation of GPS in New York City taxicabs was first introduced, some medallion owners and drivers sued the TLC claiming privacy rights violations of the 4th Amendment of the U.S. Constitution. See Alexandre v. NYC TLC, No. 07 Civ. 8175(RMB), 2007 WL 2826952 (SDNY September 28, 2007).

The U.S. District Court for the Southern District of New York found that the contracts between the TLC and T-PEP vendors limited the release of data in such a narrowly tailored manner as was needed to pass constitutional scrutiny. Thus, the Court concluded that the government’s substantial interest in requiring GPS data - to promote taxi customer service, ridership, and passenger and driver safety - outweighed the plaintiffs’ right to privacy due to the TLC’s narrowly tailored collection of such sensitive data.

Fast forward to November 2014, when the TLC passed rules requiring, among other things, that for-hire vehicle (“FHV”) bases submit trip records to the TLC, similar data as that requested of medallion taxicabs. At the public hearing on the rules, representatives from both Uber and Lyft testified in opposition to the proposed rules.

Uber’s NYC manager, Josh Mohrer, testified that the collection of data created privacy concerns. Although Uber claimed that these new rules would jeopardize trade secrets and that they were “unconstitutional,”[10] Uber’s own privacy policy[11] allows for the sharing of user information, including location data, in response to legal demands. As a result of Uber’s refusal to produce the mandated information, the TLC briefly suspended five of Uber’s six bases in New York City recently.[12]

The New York Civil Liberties Union has raised concerns about Uber’s privacy policies, or lack thereof,[13] and I have discussed these issues with the American Civil Liberties Union (ACLU). I also delivered a presentation on January 11, 2015 in Washington, D.C., to the Transportation Research Board of the National Academy of Sciences on TNC privacy issues.

As jurisdictions enact new TNC legislation, or revisit such legislation, it is incumbent on our lawmakers to ensure that appropriate privacy safeguards are inserted into the law in a manner that protects against the inappropriate use of data, or that seeks to prevent privacy or security breaches from taking place.

For example, new TNC laws, if not invalidated or repealed for other reasons, should insert new provisions that:

(1) impose restrictions on access to data internally at TNCs and to private third parties without express permission from passengers as to the specific entity or purpose for which such data will be used;

(2) create security safeguards, imposed and monitored by regulators, to ensure that hackers cannot access such TNC data; and

(3) stipulate a requirement, as exists in San Francisco and New York City as well as in various Australian states and elsewhere, for the companies doing business with TNCs or TNCs themselves to submit electronic trip sheet data while on-duty, pick-up, and drop-off, as well as fare box data at a minimum. By so doing, regulators can ensure compliance with various laws, and analyze industry economics with a solid factual basis.

There is also a message here for passengers using smartphone transportation apps who have options to protest the lack of appropriate privacy safeguards – either demand such protections, or, until apps like Uber commit to do so, delete any nefarious and insecure apps from your smartphone. In other words and as we would say in computer terms - “Control-Alt-Delete” or “Command-Option-Escape” for Apple Mac users.

 

1. http://www.washingtonpost.com/blogs/the-switch/wp/2014/12/01/is-ubers-rider-database-a-sitting-duck-for-hackers/
2. http://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists
3. http://www.modernluxury.com/san-francisco/story/uber-employees-warned-san-francisco-magazine-writer-executives-might-snoop-her
4. http://www.motherjones.com/documents/1364485-al-franken-letter-to-uber
5. http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf
6. http://www.business.ftc.gov/documents/bus81-marketing-your-mobile-app; http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security; http://www.ftc.gov/sites/default/files/documents/reports/mobile-privacy-disclosures-building-trust-through-transparency-federal-trade-commission-staff-report/130201mobileprivacyreport.pdf
7. http://www.nytimes.com/aponline/2014/12/18/us/ap-us-sony-hack-companies-on-alert.html?_r=0
8. See TLC Rule 76-03(a).
9. See TLC Rule 76-03(u)(3).
10. http://m.theepochtimes.com/n3/1183267-for-now-business-as-usual-for-uber-in-nyc-despite-five-base-suspensions/
11. https://www.uber.com/legal/usa/privacy
12. http://nypost.com/2015/01/07/uber-bases-suspended-after-refusing-to-hand-over-trip-records/
13. http://www.capitalnewyork.com/article/city-hall/2014/11/8557041/uber-objects-selectively-data-sharing-requirement

 

 


© 2015 TLC Magazine Online, Inc.