Uber, uber bad.

It seems that Uber, the global transportation technology company, is having issues with keeping itself out of trouble. Last year, Uber agreed to pay a fine of 20,000 USD as well as adopting a more stringent privacy practice after news reports established that Uber was allowing corporate employees to access passengers’ rides and logs of their trips through the ” God View” app. The company agreed to purge passengers’ information from its system and to limit their mobile app’s access to a selected few and only for ” legitimate business purposes” as part of a stricter privacy regulation. Nonetheless, it was just this August when Uber then agreed to 20 years of privacy audits by the Federal Trade Commission (FTC) after they were found to have misrepresented their practices to consumers by data mishandling, privacy and security complaints dating back to 2014 and 2015. However, a mere three months later, numerous media outlets reported a significant data breach jeopardising 57 million users and drivers’ privacy.

What happened?

Uber, under the guidance of then CEO Travis Kalanick, found that the company experienced a massive data breach implicating 50 million riders and seven million drivers’ information around the world. The information, according to Uber, contains names, email addresses and phone numbers. This also includes 600,000 driver’s driving license numbers in the United States. Uber’s current CEO, Dara Khosrowshahi, maintains that there was no evidence to believe that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded during this. Despite releasing this information themselves, it should be noted that this hack took place almost a full year ago.

Although it is required for companies to notify government agencies when privacy breaches occur under the Data Privacy Act of 2012, Uber instead chose to pay the “hackers” off with 100,000 USD, to get rid of the data, in hopes of keeping the breach a secret. The hackers were also allegedly required to sign non-disclosure agreements. Furthermore, Uber executives decided to attempt to hide the payment by disguising it as a part of Uber’s ” bug bounty” program. This program has, in its lifetime, been responsible for 778 bugs being identified resulting in a pay-out of over 1.3 million USD. Court documents imply that this amount of money is suspect and its use of this program to pay ransom means that this entire sum is made ” suspect as other potential payoffs” or that Uber “is releasing heavily flawed software for public use”.

What does this mean for Uber?

Uber, as of 21st November, has since been hit with several federal lawsuits claiming that the ride-sharing company failed at the implementation and maintaining of adequate security systems, especially in light of the previous data breaches the company has experienced. The incident in question refers to a situation in 2014 where an unauthorised third party gained access to an Uber database which was holding over 50,000 drivers’ names and license numbers across multiple states in the US. Interestingly, how the hackers accessed the database in 2014 is similar to the breach which occurred in 2016. According to court documents, the attackers had managed to access a private GitHub repository which, while password protected, was still breached. This indicates either “a very weak password or the fact that the user credentials for the repository were found in a previous unrelated data breach”. After the 2014 attack, “Uber specifically promised regulators that it would use two-factor authentication on services like GitHub”. A two-factor authentication, in this case, would require an extra verification code delivered via text message to a specific phone number. This step is in addition to the password, providing an additional layer of security. However, the 2016 situation indicates that Uber failed to implement this measure. Once the hackers obtained access to the GitHub repository, they were able to use obtained credentials to access data stored on an Amazon Web Service account. From there they discovered the archive containing the data which they used to extort money from the company.

This is not new

In recent years, the academic world seems to be focusing more on the conflicts between privacy protection and profit (Agre and Rotenberg). With the emergence of Big Data and Cloud Computing, privacy concerns are becoming more pressing in both the public and the private sector. For example, in healthcare, and – in this case – Uber. Lowry et al. argued that” Many organisations have suffered privacy breaches, largely caused by poor governance and a lack of understanding by management”(193-273). This sentiment is echoed by Accenture and Ponemon who claim that organisations not only have issues understanding how and where information goes, but also when it comes to establishing ownership and accountability when it comes to said information. Additionally, some academics claim that data-driven companies often prioritise their customers’ data in comparison to safeguarding their privacy (Greenaway et al.589-590). A possible explanation can be found in theory by Yan et al., who argue that some service providers may intentionally lag behind on privacy protection issues to cut cost and survive in highly competitive business environments. Essentially,” profit is usually the highest priority for most starter-level sharing service companies”(2).

Consumers’ trust abused?

Despite all the issues above, consumers still seem to have no problems providing their personal information to many companies. Furthermore, they also readily accept terms and conditions, often even without reading them. In fact, according to Chandramohan et al., over 90% of users accept user agreements without knowing that their personal data might be abused (37-54).

Although this should not be a problem, as there is a reasonable expectation that this information will be adequately safeguarded, this often appears not to be the case.Especially in the case of Uber, where a recent study found that the Uber mobile app not only tracks a consumer’s location for more than the already controversial 5 minutes, it goes on for 11 minutes after the end of the ride. Not only that, but it also tracks rides provided by their competitor, Lyft ( Hayes et al. Vol 2167). This was discovered in an experiment where the user checked both Uber and Lyft, before deciding to go with the latter. This evidences that even if the consumer is fully aware of and in agreement with the Terms of Service for a company, said company may still go beyond their stated limits.

Rebuilding the trust

In order to compensate for the loss of trust regarding privacy protection and data security, there are several steps Uber could take. According to Yan et al.,” While it is difficult to provide an absolute privacy- safe environment without sacrificing service quality, it is possible to increase the protection levels of privacy through a joint effort of all participants, platforms and governments”(19). For starters, Uber could start viewing themselves not as owners, but instead stewards of the data they have been entrusted with. An internal paradigm shift such as this would motivate the company to go above and beyond regulatory standards. According to a 2015 survey by Accenture and Ponemon, these organisations which exhibit a “culture of caring” are far less likely to experience privacy breaches. If Uber does not manage to curb these issues, the impact on the company’s reputation could be a key element in loss of trust (Featherman et al.219- 229; Acquisti et al.)

Moral of the story

In conclusion, Uber seems to have (had) a number of issues concerning privacy protection. These issues were not adequately resolved at any point leading to the eventual mass hack of 57 million customers’ data. Uber needs to through an internal paradigm shift and revaluates their role when it comes to the information in their possession. If they fail to do this, this could have adverse effects on the company in both the short and long term. However, the responsibility should also partly be assigned to the consumers. In the digital age, privacy will always be a sensitive topic. Much information is shared with relatively little thought, and both company and hackers will gladly make use of this. Though it is understood that some sacrifice of personal information in exchange for better services has to be made, consumers should be warier and attempt to educate themselves about these issues.  There will never be an absolute protection of privacy, but with a concerted effort of all involved parties, we should be able to protect it as much as possible.

References:

Accenture and Ponemon. 2015. “How Global Organizations Approach the Challenge of Protecting Personal Data”. http://www.ponemon.org/local/upload/file/ATC_DPP report_FINAL.pdf
Acquisti, Alessandro, Allan Friedman, and Rahul Telang. “Is there a cost to privacy breaches? An event study.” ICIS 2006 Proceedings (2006): 94.

Agre, Philip E., and Marc Rotenberg, eds. Technology and privacy: The new landscape. Mit Press,
1998.

Chandramohan, Dhasarathan, et al. “A new privacy preserving technique for cloud service user endorsement using multi-agents.” Journal of King Saud University-Computer and Information Sciences 28.1 (2016): 37-54.

Featherman, Mauricio S., Anthony D. Miyazaki, and David E. Sprott. “Reducing online privacy risk to facilitate e-service adoption: the influence of perceived ease of use and corporate credibility.” Journal of Services Marketing 24.3 (2010): 219-229.

Greenaway, Kathleen E., Yolande E. Chan, and Robert E. Crossler. “Company Information Privacy Orientation: A Conceptual Framework.” Information Systems Journal 25.6 (2015): 579-606. Web. 20 Nov. 2017.

Hayes, Darren R., Christopher Snow, and Saleh Altuwayjiri. “Geolocation Tracking and Privacy Issues Associated with the Uber Mobile Application.” Proceedings of the Conference on Information Systems Applied Research ISSN. Vol. 2167. 2017.

“How Global Organizations Approach the Challenge of Protecting Personal Data.”Www.ponemon.org. N.p., 2009. Web. 25 Nov. 2017. <How Global Organizations Approach the Challenge of Protecting Personal Data>

Lowry, Paul Benjamin, et al. “Leveraging fairness and reactance theories to deter reactive computer abuse following enhanced organisational information security policies: An empirical study of the influence of counterfactual reasoning and organisational trust.” Information Systems Journal 25.3 (2015): 193-273.

Yan, Ke, et al. “Emerging Privacy Issues and Solutions in Cyber-Enabled Sharing Services.” arXiv preprint arXiv:1711.07172 (2017).