Ride-sharing giant Uber’s ability to monitor users’ movement without their knowledge is exposing what some critics call a gaping hole in the nation’s privacy laws.
Unlike some other types of data, regulators cannot limit what companies are able to do with information about customers' location, which could show where people live, sleep and travel.
As more and more smartphone applications track people’s movements, privacy advocates say that’s creating a recipe for disaster.
“Right now we protect health data, we protect financial data, we protect kids’ data, but location isn’t protected,” said Alvaro Bedoya, the executive director of Georgetown University’s Center on Privacy and Technology.
“As long as a company is not deceiving you about how they’re using the data, they can pretty much do whatever they want with it,” he added.
Multiple outlets have reported on the company's internal “God View” tool, which allows executives to check in on the location of any Uber car or customer who has requested a ride.
A story by BuzzFeed News this week recounted how one executive used the service to track a journalist on her way to an interview. Earlier this year, Forbes reported that the company has shown a map of all the current Uber rides in any given city during parties as a way to entertain guests.
A separate BuzzFeed story revealed that one executive had considered hiring investigators to dig up dirt on critical journalists. Presumably, their location histories would be fair game in those investigations.
The Uber controversy is “the first concrete instance of misuse of location data where folks are realizing ‘Wow, these companies really could misuse the data,’” said Bedoya.
Though the news caused a firestorm for the ride-hailing company and led to a concerned letter from Sen. Al Franken (D-Minn.), the behavior does not seem to have crossed any legal lines.
It is completely legal for a company to collect, review and share information about a customer’s location without their affirmative consent.
What is illegal is for a company’s policies to be “unfair and deceptive” to consumers, a tricky and hard-to-define term that is enforced by the Federal Trade Commission (FTC).
And it’s not just Uber that is raising concerns about troubling practices.
Lyft, one of Uber's competitors, reportedly routinely granted employees access to customers’ data.
On Friday, Lyft changed its policy to create “tiered access” that limits who can see customers’ data, including information about their location.
A 2010 investigation by The Wall Street Journal found that 47 percent of popular apps transmitted a smartphone’s location in some way.
Last year, the FTC settled with a company called Goldenshores Technologies, which made a popular flashlight app for Android devices. Even though the sole purpose of the app was to turn a person’s phone into a flashlight, it also collected people’s geolocation data without their knowledge or consent.
The rise of smartphones, connected cars and other devices will make the issue only more important in the years to come.
“There are certainly an increasing number of devices doing this that we wouldn’t have expected too many years ago,” said Gautam Hans, policy counsel with the Center for Democracy and Technology.
Franken has repeatedly pushed a bill that would change the current law, but it has so far failed to gain much traction.
His Location Privacy Protection Act would require companies to get people’s permission before collecting their data or sharing it with other companies, make them more transparent about how consumers' data is being used and call for the federal government to do additional research on the issue.
The legislation is specifically targeted at “stalking apps,” which allow some people — such as an angry ex-lover — to secretly track others, but would likely also prohibit many ways that tech companies collect and share data.
“Had Sen. Franken’s law been in place, this whole ‘God View’ thing would’ve been illegal,” said Bedoya, who is a former Franken staffer. “The idea of disclosing people’s precise whereabouts to non-employees — which is apparently what they did at that party — would have been illegal.”
Critics say that the bill is far too broad and threatens to punish new, growing sectors of the economy because of potential hypothetical abuses that have yet to be seen.
“We can write narrow criminal statutes to target bad acts and bad actors rather than targeting technology itself, which is essentially neutral and in many cases its benefits outweigh its potential burdens,” said Tim Sparapani, a vice president at the Application Developers Alliance. The trade group counts Lyft but not Uber among its members.
Franken plans to reintroduce the bill during the next Congress, his office said, though the odds of it moving forward seem dim.
Still, Uber has been quick to show that it's taking people's privacy concerns seriously, even without legislation.
After Franken sent his letter on Wednesday, the company brought on privacy experts at the Hogan Lovells law firm to “conduct an in-depth review and assessment of our existing data privacy program and recommend any needed enhancements.”
For many major companies, fear of public shaming could be the biggest incentive to make sure their policies align with people’s expectations.
“It’s not only because there are privacy policies that Uber will not misuse this information,” said Carl Szabo, policy counsel at the online commerce trade group NetChoice. “It’s because they know that they rely on public trust, and once that’s eroded that’s very hard to get back.
“I find it very unlikely that a business would risk losing so much for so little gain.”