Privacy struggles of Uber, Lyft hold lessons for companies that collect location data

28 November 2014. By Mike Swift.

Few pieces of information are more sensitive than a person’s physical location and his or her movements. An entity that controls that information can track where a person goes, how frequently she goes there, and even log the times she tends not to be at home.

An entity that held that kind of location information on large numbers of people could even develop patterns of association between people, linked to the places they frequent, developing a digital portrait that might be far more intimate and revealing than tracking the Internet pages they visit. Imagine the rich possibilities for marketers, for law enforcement, or for spouses who suspect an unfaithful partner.

The value of that location data is one reason why fast-growing mobile app transportation companies like Uber and Lyft have created such a powerfully disruptive business model, one that is pressuring legacy taxi companies in cities around the world. Uber celebrated its fourth birthday earlier this year by announcing a venture capital funding round that valued the company at about $17 billion.

Uber and Lyft may well be offering better, cheaper — and, they argue, safer — transportation services than traditional taxis. But the sensitivity of the personal data they have been collecting about their users has been on display in recent days like never before, as reports surfaced that an Uber executive had suggested the location data held by his company could be used to dig up dirt on a journalist critical of the company. Another report said that an internal software tool called “God view” that allows real-time tracking of the movements of any Uber customer is widely available to workers at the San Francisco-based startup.

The reports about Uber swiftly drew the attention of US Senator Al Franken, one of the key privacy hawks in Congress, and the backer of a bill that would restrict the disclosure of location information to third parties without user consent.

“To whom is the so-called ‘God view’ tool made available and why?” Franken demanded in a confrontational letter to Uber CEO Travis Kalanick that included a long list of pointed questions about Uber’s privacy practices. Uber has until Dec. 15 to respond.

Uber quickly went into damage-control mode, announcing the same day that it had hired Hogan Lovells lawyer Harriet Pearson, “one of the most respected data privacy experts in the world,” to advise its in-house legal team.

No doubt Pearson will have her hands full. It is virtually certain that the US Federal Trade Commission and perhaps state attorneys general are investigating whether Uber violated its stated privacy policies through “God view” or other abuse of location data about its users. An FTC spokesman, following agency policy, declined to comment about a possible investigation.

Both Uber and Lyft are already in trouble with the California Public Utilities Commission for refusing to share with regulators the same kind of granular location and ride data they collect about their users.

Such information, one Lyft executive told the CPUC at a recent hearing, is the proprietary “crown jewels” of the companies. It is simply too sensitive to be shared with regulators, said David Estrata, Lyft’s vice president for government relations, even though the CPUC requested it under seal. As a result of that stance, senior executives with both Uber and Lyft have been ordered to attend separate hearings Dec. 11 before the CPUC under the threat of fines or even the revocation of their approval to operate in California.

Lyft subsequently provided information that it said was responsive to the CPUC. But that has not excused Lyft executives from the show-cause hearing; Uber has yet to provide the information to the CPUC. “Part of being responsive is filing on time. The hearing is an opportunity to look at whether there ought to be any sanctions,” said CPUC spokesman Christopher Chow.

The lesson for US Internet and mobile app companies is that any location data they collect and store about consumers is a regulatory and litigation powder keg. They must not only be exceedingly careful about sharing it with third parties such as advertising networks and data brokers, but they must also erect walls within a company to make sure that such information is only available to a limited number of employees for specific business purposes.

They would also be well advised, following the FTC’s recent push for the de-identification of data, to make sure that their data is anonymized or aggregated whenever possible, so it is not possible to trace information back to a particular individual.

Lyft did make a move like that last week, saying in a press statement that it had developed “tiered access controls that further limit access to user data to a smaller subset of employees and contractors. Ride location data is restricted to an even smaller subset of people.”

Garcia suit

Lyft has one problem Uber does not: It is facing litigation filed this year in US district court in San Francisco in which plaintiff Miguel Garcia alleges that the company shared personal information such as his gender, age, zip code and other data with a third-party analytics company called Mixpanel.

Garcia, under Ninth Circuit case law, does not have to show harm from Lyft’s information sharing. To win standing to pursue litigation in privacy cases like this, an allegation of a statutory violation of the type Garcia alleges is sufficient to confirm Article III standing in the Ninth Circuit. Lyft has not denied that it shared Garcia’s information with Mixpanel. Rather, the company argues in a motion to dismiss Garcia’s lawsuit that the California privacy statute cited in the suit does not apply to Lyft’s purpose in sharing Garcia’s information with Mixpanel, something done to help Lyft and co-defendant Enterprise Holdings “in optimizing their ridesharing service.”

“Plaintiff attempts to fabricate a class action lawsuit based on the thinnest of allegations and a strained reading of a narrowly-tailored provision of the California Privacy Act that has no application to the facts alleged,” Lyft and Enterprise said.

The suit focuses on a former Lyft service called Zimride, which offers ridesharing services for commuters. A Lyft spokeswoman said “the lawsuit is without merit and we look forward to resolving it quickly and effectively.”

The motion to dismiss is awaiting a ruling by US District Judge Saundra Armstrong, which is expected sometime during the first two months of 2015. In the meantime, a US magistrate judge, saying Armstrong’s ruling is not likely to be dispositive of the full case, has allowed evidence discovery to begin in the case.

One of Garcia’s lawyers, Jay Edelson, said in an interview that the sharing of Garcia’s information shows that the ridesharing companies don’t value consumers’ privacy in the same way as other industries do.

“You never see hotel companies saying, ‘We’re going to disclose, for any purpose, what guests were staying in our hotels at one time.’ You never see airline companies saying, ‘These were the people flying with us.’ It is a different sensibility with these new technology companies. They view private information as a commodity that can be exploited,” Edelson said.

Google and Apple both learned hard lessons about the sensitivity of location data in 2011, when security researchers discovered that Apple’s iPhone and Google’s Android mobile software were both relaying back location data about their users.

The problem blew up so rapidly that a seriously ill Apple CEO Steve Jobs, on medical leave and just a few months before his death later that year, had to get involved to de-escalate the controversy.

Google and Apple satisfied regulators and the public by showing that the location data they collected was anonymized and was not stored indefinitely, that users could opt out of the data collection, and that the location information was not used for any purpose but to fine-tune the accuracy of the valuable location services offered on the companies’ mobile platforms.

Uber and Lyft would be wise to declare that they follow similar practices with their rapidly growing storehouse of location data.