Transportation has come a long way from nomads moving by foot to people riding horses to eventually the everyday citizen traveling by car. Ride-sharing apps, like Uber and Lyft, have grown in popularity and size in recent years, but not without a few bumps along the way.
Beyond the major headlines about taxi union protests and increased safety and business regulations, the data sharing practices of these companies has become a great concern of lawmakers, privacy advocates and consumers. The information customers share with Uber and Lyft, such as credit card data, geolocation and other personally identifiable information (PII), brings into question how ride-sharing companies use it, protect it and share it.
Redefining Personally Identifiable Information
In 2014, a BuzzFeed journalist discovered Uber’s “God View” application. This function showed corporate employees the location of all drivers and riders requesting cars in New York City, even allowing them to follow trips, all without permission from the riders or drivers. And although the company assured only authorized users could access the information for legitimate business purposes, the journalist noticed an Uber executive—although an authorized user—tracking her rides for no understandable business reason.
This controversy challenged the definition of PII. Many believe the definition of PII should include users’ geolocations to prevent misuse of knowing a riders’ location and travel habits. Another incident, in which 50,000 Uber drivers’ names and license numbers were posted to a third party site, reveals the lack of protection of any Uber-collected data, not just locations. The data breach of the driver information also wasn’t handled properly. To add insult to injury, the breach was discovered in September 2014; affected drivers were not notified until February 2015.
Both these instances have prompted lawful action. In New York, the attorney general reached a deal with Uber to settle how the company will move forward in protecting customer data. First, the company was required to pay a $20,000 penalty for failure to notify drivers of the data breach in a timely manner. Furthermore, under the settlement, Uber agreed to encrypt all GPS information, password protect access to this data, strictly control employee authorization to access it, and ensure the “God View” tool had been retired.
In California, a lawmaker recently withdrew a proposal to limit the information Uber, Lyft and the like can share with third parties. The withdrawal was intended to revisit the legislation to strengthen the protection clauses. The revelation of “God View” inspired the lawmakers working on this legislative proposal to redefine PII to encompass all the data ride-sharing companies collect and access.
Third-Party Sharing Practices
Customer data isn’t the only thing Uber has neglected. The company was fined $7.6 million in 2015 for not sharing informative company data with the state of California. This came a year after an announcement that the company would be sharing important reports about usage with cities for urban planning purposes. Ideally, sharing information—with PII removed—would help city officials ease traffic congestion, reform city roads and understand commute patterns.
As we maintain, sharing data is valuable for governments and companies, if for separate reasons. Governments gain insight about company operations and how it affects local economy and daily life. Companies stand to prove their value beyond making profits and providing a service. Working together is better than working against one another.
When Massachusetts was regulating ride-sharing to become a legitimate mode of city transportation, many pointed out data access should be a stipulation of regulation, not just a nice side-effect. The model that holds companies strictly accountable to protect user information, while sharing useful reports, promotes data-driven responsibility.
Setting The Tone
Unfortunately for other ride-sharing companies, Uber has set the tone for laws, regulations and standard practices to take hold. However, fortunately for users, these truths about data collection, protection and privacy have been revealed early as the industry grows and changes.
Customer data should be encrypted when being transmitted, password protected to ensure only the appropriate people have access, and shared only for valid purposes. When sharing other types of data, such as accident reports, accessibility statistics and rider acceptance demographics, all PII should be removed, including the locations and movement of riders and drivers.
Laws and legislation are becoming hyper-aware to the dangers data sharing of ride-sharing companies have brought to consumers and industry. Regulating certain operations and keeping a watchful eye on how customer data is used will keep Uber and its counterparts trustworthy, allowing the data-sharing industry as a whole to obtain a credible reputation. A positive image of this practice will only expand the use of data sharing and improve the world as it uses collective information and knowledge to mitigate and solve problems.
Latest posts by Kobi Freedman (see all)
- Data Sharing Technology Revolutionizes Healthcare - March 14, 2016
- Data Sharing Gets a Ride: How Popular Ride-Sharing Apps Influence Policy On Sharing - March 1, 2016
- Data Ownership Questions Answered by Decentralized P2P Platforms - February 18, 2016