What Uber Still Won’t Say About Your Data

3 minute read
Travis Kalanick, chief executive officer of Uber Technologies Inc., gestures as he speaks during the Institute of Directors (IOD) annual convention at the Royal Albert Hall in London, U.K., on Oct. 3, 2014.
Travis Kalanick, chief executive officer of Uber Technologies Inc., gestures as he speaks during the Institute of Directors (IOD) annual convention at the Royal Albert Hall in London, U.K., on Oct. 3, 2014.Chris Ratcliffe—Bloomberg/Getty Images
By Sam Frizell

Uber, the massively popular car-hailing company, has acquired a reputation for being overly cavalier about data privacy. Last November, Uber vice president Emil Michael suggested investigating journalists critical of Uber to find dirt in their “personal lives.” A venture capitalist said his private location data was broadcast to a large audience at a Chicago Uber launch party. And a Buzzfeed reporter in November was tracked on her way to an interview with New York’s top Uber executive.

Uber has since refocused its attention on riders’ privacy, rewording its data policy and hiring an outside attorney to conduct an investigation.

“At Uber, protecting the personal information of riders is a core responsibility and company value,” said Uber CEO Travis Kalanick in a Friday statement. “Delivering on that value means that privacy is woven into every facet of our business, from the design of new products to how we interact with riders, drivers and the public at large.”

The results of that audit were released Friday. The investigation, led by Harriet Pearson, a Washington, D.C. attorney at Hogan Lovells with an impressive history of arbitrating privacy and security issues, agreed with Kalanick’s own assessment: Uber has a strong privacy policy. Her six-week investigation at Uber involved reviewing hundreds of documents and interviewing Uber’s leadership. It ultimately resulted in an exculpatory report that Pearson called “comprehensive.”

“In our view, Uber has dedicated significantly more resources to privacy at this point in its age as a company given its sector and size than other companies that we’ve observed,” said Pearson in an interview with TIME. Uber is about six years old, it’s valued at more than $41 billion.

The saga has raised important questions about how private companies access our personal information, from our credit card data to our precise location. A lot of Uber’s data can be really useful: The company uses it to settle internal disputes, fix bugs or help cities plan traffic patterns, as it has done in Boston, for example.

But in the age of the Snowden National Security Agency revelations, consumers are particularly sensitive about how their personal information is used. Uber has promised to follow the report’s recommendations, such as expanding employee training and making its policies more transparent. But the audit still left some questions unanswered, according to Bruce Schneier a fellow at Harvard University’s Berkman Center for Internet & Society.

“I saw nothing in their statements” to alleviate privacy concerns, says Schneier of Uber’s report. “Anytime you put this kind of surveillance power in peoples hand, they look up their enemies and friends… If the culture is not, ‘we don’t do this,’ than you do it.”

Here’s what we still want to know more about.

How many employees at Uber can see my personal data?

Uber says access is limited to employees who have a reason to need it, like those investigating fraud, answering user-driver inquiries or conducting trip analyses, said Katherine Tassi, Uber’s managing counsel for privacy, in an interview. But Tassi doesn’t have an exact figure.

“There’s no one particular number of employees that have access to user data,” she said.

See Uber Protests From Around the World

French Taxi drivers burn tires as they protest in the southern city of Marseille on June 25, 2015 as they demonstrate against UberPOP, a popular taxi app that is facing fierce opposition from traditional cabs.
French Taxi drivers burn tires as they protest in the southern city of Marseille on June 25, 2015 as they demonstrate against UberPOP, a popular taxi app that is facing fierce opposition from traditional cabs. Anne-Christine Poujoulat—AFP/Getty Images
French taxi drivers protest Uber
Police officers in riot gear attempt to flip a car back onto it's wheels at Porte Maillot on June 25, 2015 in Paris. Protesters blocked roads to airports and train stations, overturning cars and setting tires on fire.Guillaume de Senneville—Demotix/Corbis
Hundreds of taxi drivers gather next to the Olympia Stadium to protest ride-sharing apps on June 11, 2014 in Berlin.
Hundreds of taxi drivers gather next to the Olympia Stadium to protest ride-sharing apps on June 11, 2014 in Berlin.Sean Gallup—Getty Images
A demonstrator kicks a car, suspected of being a private taxi during a 24 hour taxi strike and protest in Madrid on June 11, 2014.
A demonstrator kicks a car, suspected of being a private taxi during a 24 hour taxi strike and protest in Madrid on June 11, 2014. Paul White—AP
A taxi driver listens to speeches by his colleagues, during an Europe-wide protest of licensed taxi drivers against taxi hailing apps that are feared to flush unregulated private drivers into the market, in front of the Olympic stadium in Berlin on June 11, 2014.
A taxi driver listens to speeches by his colleagues, during an Europe-wide protest of licensed taxi drivers against taxi hailing apps that are feared to flush unregulated private drivers into the market, in front of the Olympic stadium in Berlin on June 11, 2014. Thomas Peter—Reuters
Taxi drivers hold a banner during a protest in Barcelona on June 11, 2014.
Taxi drivers hold a banner during a protest in Barcelona on June 11, 2014. Josep Lago—AFP/Getty Images
London taxi's line up on The Mall during a protest against a new smart phone app, 'Uber' on June 11, 2014 in London.
London taxi's line up on The Mall during a protest against a new smart phone app, 'Uber' on June 11, 2014 in London.Dan Kitwood—Getty Images
Taxi drivers park their cars and honk the horn in protest on Pennsylvania Avenue, bringing street traffic to a stop as they demand an end to ride sharing services such as Uber X and Lyft on June 25, 2014, in Washington.
Taxi drivers park their cars and honk the horn in protest on Pennsylvania Avenue, bringing street traffic to a stop as they demand an end to ride sharing services such as Uber X and Lyft on June 25, 2014, in Washington.PAUL J. RICHARDS—AFP/Getty Images
An Italian taxi driver distributes leaflets reading "Don't take an illegal taxi, take a white regular taxi" during a protest on June 11, 2014 in Rome.
An Italian taxi driver distributes leaflets reading "Don't take an illegal taxi, take a white regular taxi" during a protest on June 11, 2014 in Rome.ANDREAS SOLARO—AFP/Getty Images
Taxis drivers block a highway outside Paris, near Roissy on June 11, 2014, as they take part in a demonstration to protest the growing number of minicabs, known in France as Voitures de Tourisme avec Chauffeurs (VTC).
Taxis drivers block a highway outside Paris, near Roissy on June 11, 2014, as they take part in a demonstration to protest the growing number of minicabs, known in France as Voitures de Tourisme avec Chauffeurs (VTC). Fred Dufour—AFP/Getty Images

How does Uber prevent its employees from looking at my data?

Uber gives employees access to customer data based on their responsibilities, while others are locked out through technical controls. “We noticed those kinds of controls at various levels” at Uber, said Pearson.

The report indicates Uber uses a combination of passwords, informal rules and employee monitoring to restrict access. In any case, according to Pearson, the company has a well-developed system for monitoring who is accessing your data and when.

So has Uber explained its recent privacy missteps?

Not fully. “We’re not going to comment on those specific instances that were in the press, but in general, we’re an organization of human beings and human beings make mistakes,” says Tassi. Pearson says her investigation only examined Uber’s privacy program and its structure, not particular incidents. So we don’t actually know how common it is for Uber employees to tap into your data, despite the company’s policy.

Do Uber employees ever get in trouble for doing fishy things with users’ data?

Uber won’t say. We know that Uber “disciplined” New York executive Josh Mohrer in November for tracking that Buzzfeed reporter’s ride, but we’re not sure how. Other than that, we don’t have any evidence Uber employees committed any other privacy violations.

Are Uber employees taught not to spy on me?

Uber talks informally with its employees about protecting customer data. Employees get “communications” from the senior team on handling riders’ data, Tassi said, and new Uber hires have to accept the company’s data access policy.

But when pressed, Uber didn’t say whether there’s a formal training program for employees, merely saying it was “in early stages of development.” That training “needs further formalization,” said Tassi.

More Must-Reads from TIME

Contact us at letters@time.com