Ruby Zefo, Uber's first chief privacy officer, has big ambitions as leadership transition continues
21 December 2018. By Mike Swift.
No visitor to Uber Technologies can miss is how crowded it is. Everywhere, coders are crammed shoulder to shoulder, tapping keyboards at long, shared tables. Every glass-walled conference room is full. There are so many people moving around in the aisles that it’s hard to avoid the perception that there are more people than seats for them to work.
Like a human icebreaker, Ruby Zefo, clad in Uber’s black corporate colors, clears a path through the clots of coders in Uber’s San Francisco headquarters. Uber’s chief privacy officer explains as she walks that the fast-growing tech company is at a moment of transition, forced to endure the crowding until it can complete construction of a new corporate campus elsewhere in San Francisco.
Uber, of course, is charting a more difficult transition than just building a new corporate campus.
In the eyes of regulators and the public, Uber is trying to establish itself as a maturing company that places the highest value on legal compliance and the safety of its customers. That means erasing the image of a “Lord of the Flies” culture under deposed CEO Travis Kalanick where a massive data breach was covered up, there were credible allegations that female employees were serially harassed, and a dirty-tricks squad was allegedly assigned to disrupt the mobile apps of competitors.
Zefo is Exhibit One in that transformation. Five months after new General Counsel Tony West lured her from Intel to become Uber’s first chief privacy officer, Zefo says her goal is to take privacy and data security at Uber far beyond just obeying the laws of the United States, the European Union and other regulatory blocs where Uber operates.
“From my point of view, basic compliance with the law is low-hanging fruit. My ambition is to create a set of principles for Uber on privacy that would go beyond just compliance,” she says.
Nor should Uber drivers and riders in Europe, where the company must comply with the new General Data Protection Regulation, have superior privacy protections than drivers and riders in the US, which has yet to pass a national data protection law. Zefo wants a set of universal privacy principles for Uber to apply everywhere the company operates.
It’s difficult to imagine West, a high-ranking official at the US Department of Justice during the Obama administration who supervised the DOJ’s civil rights efforts, picking someone with better qualifications to flip the switch at Uber on privacy.
“Without question, Ruby is one the trust leaders in the privacy world,” said Trevor Hughes, the president and CEO of the International Association of Privacy Professionals (IAPP), where Zefo serves on the board of directors. “Both her experience, but also her visibility — her leadership — are really at the top of our profession.”
It is because of her impeccable credibility that Zefo has been peppered with questions from friends and associates about how she is coping at Uber. The sub-text for those questions is, of course: “Is it really that toxic at Uber?” The reality, Zefo says, is that it’s not. And it never was. What happened because of the leadership of the company shouldn’t reflect badly on the people lower in the organization.
“I’ve been welcomed with open arms,” Zefo said after she displaced from a conference room a squatter dodging the Uber HQ crowds. On privacy, “it turned out there was already a team of great people here, just chugging along.”
Zefo is one of several high-profile legal and compliance hirings since West joined new CEO Dara Khosrowshahi at Uber just over a year ago.
At about the same time Zefo joined in July, Uber also hired Scott Schools from the DOJ to be the company’s chief of compliance and top ethics officer. Schools had been called “the most important unknown person in DC” for his work as associate deputy attorney general at the DOJ, where he was seen in the early days of the Trump Administration as an apolitical voice of conscience.
Uber in August also hired Matt Olsen, a former general counsel at the National Security Administration, to be its chief trust and security officer. Uber fired Joe Sullivan, its previous chief security officer, after Khosrowshahi took the reins of the company last year and was forced to immediately tell the Federal Trade Commission and other regulators around the world the Uber had suffered a breach affecting the personal data of about 57 million users, but had kept the information secret for a year.
The data breach cover-up was one of several regulatory disasters that were extremely costly to Uber financially and reputationally. The company paid a $148 million settlement to US state attorneys general in September; it was hit with a 400,000 euro fine from France yesterday, and has paid even bigger fines to the Netherlands and UK this fall.
West’s hiring of a group of senior executives with long and proven ethical histories such as Zefo from Intel, Schools from the DOJ, and Olsen from the NSA show that Uber under West and Khosrowshahi is committed to a culture of compliance. But even as they have taken their new roles at Uber, they must still deal with the fallout of the Kalanick years.
The morning Zefo hosted an MLex reporter at Uber, the company was hit by an antitrust suit by one of its former rivals, the now-defunct Sidecar, alleging that Uber’s top leadership interfered with the mobile apps of Sidecar and other competitors by submitting fraudulent passenger requests that appeared to come from people actually seeking a Sidecar ride, but who were actually Uber employees trying to damage the quality of Sidecar’s service.
“Uber’s senior officers and executives directed clandestine campaigns to submit fraudulent ride requests through its competitors’ ride-hailing apps,” claims the suit from SC Innovations filed in federal court in San Francisco.
Zefo shrugged and declined to comment on the antitrust suit, when asked. But she said that she never would have joined Uber without faith in what Khosrowshahi was able to accomplish as the CEO of Expedia, and without confidence in the cluster of compliance leaders that West has put into place at the top of Uber during the second half of 2018.
“You’ve got a group of ethical, highly accomplished people with a long history of principled behavior,” Zefo said.
Still, the reputational damage inflicted during Kalanick’s leadership when, according to the Sidecar suit and many other allegations, Uber appeared willing to do virtually anything to scale its user base against competitors, will take time to overcome. Particularly in the eyes of regulators such as the FTC, Zefo acknowledged.
“We know we have work to do to rebuild the trust of regulators," she said. "We’re committed to doing it.”
Aristotle on privacy
Asked to talk more about her statement that “privacy is about feelings,” Zefo cited no less an authority than Aristotle. ("He is his own best friend, and takes delight in privacy whereas the man of no virtue or ability is his own worst enemy, and is afraid of solitude,” the Greek philosopher said.)
“There is no scientific standard on which to base privacy rights,” she said. “Privacy laws are based on culture and experience, which is why they are so different globally. And how each person views their own privacy rights is based on their own ethical compass, culture, experiences, and the lens through which they view the world. Sometimes those things are in conflict, which is why some people's feelings about privacy are not always reflected in their behaviors.”
When Zefo was an IP lawyer at Sun Microsystems in 1999, she was in the audience when her CEO, Scott McNealy, uttered the infamous line that Silicon Valley has been trying to walk back ever since.
"You have zero privacy anyway," McNealy told a group of reporters and analysts at a launch event for a new Sun software product. "Get over it."
McNealy’s perhaps too-honest statement, which went viral long before Facebook or Twitter were invented, got some people at Sun thinking. It wasn’t long after that when another Sun lawyer, Michelle Dennedy, came to Zefo and said she wanted to explore privacy law.
Dennedy is now the chief privacy officer at Cisco Systems. And Zefo went on to spend 15 years at Intel, leading the chip-maker's global privacy and security legal practice and then, in the past year, heading the legal department for its Artificial Intelligence products group.
In previous decades, privacy and data protection was hardly a high-profile corporate function. Back then, it was not the pathway to riches and glory within a company that other areas of the law were. Zefo said that it is not a coincidence that so many leaders in privacy law are female, relative to other areas of legal practice.
“Women see that something nobody else wants to do still needs doing and they pick up the ball and go do it,” she said. “Privacy used to be like that before it became popular. I’ve heard so many stories like that from women in privacy, over and over, that that was how they got started. Doing the necessary thing nobody else wanted to do and running with it.”
Sense of humor
At one of Zefo’s first appearances since taking the Uber job, on a panel on privacy and Internet-connected cars at an IAPP conference in October, Zefo proclaimed before a standing-room-only crowd of several hundred people that rather than a smart car and smart house, she drives a “dumb car” and lives in a “dumb house.”
The line, a wry poke at Silicon Valley’s culture of gadgetry, revealed not only Zefo’s sense of humor but her confidence.
Hughes, the IAPP chief, said Zefo’s humor is one of her secret weapons. “If she didn’t have the substantial knowledge that she does have, and she didn’t have the confidence in her own knowledge, I don’t think that humor would come off,” Hughes said. “But it does, and it works, and it is engaging.”
At Uber, the company has unveiled a series of television commercials featuring Khosrowshahi talking about the company’s commitment to the safety of its users and its values. Zefo said that commitment to safety will also be reflected in the company’s conduct on privacy. She said she would love for Uber to release a set of privacy principles publicly sometime in 2019, but whether or not those principles become public she plans to develop them for Uber's use.
Uber’s privacy engineers are developing new features that the ride-hailing company expects to roll out, but Zefo said she could not discuss those products yet or when they will be released.
With the company widely expected to move toward an initial public offering of its stock in 2019, Uber can ill-afford another regulatory stumble. In that sense, Uber’s regulatory risk has perhaps never been greater than right now.
While Khosrowshahi is the public face of Uber, it will be up to the compliance team of Zefo, West, Schools and Olsen to ensure no further regulatory missteps. Meanwhile, the drip, drip, drip of the Kalanick era will continue to fall on Uber.
Only today, Italian officials found that Uber had violated data protection laws, in part because of the data breach it acknowledged last year. Italian officials said a fine against Uber is forthcoming.