Uber hands over info on 12m passengers, drivers to US officials, cops
Taxi-booking app is upset – abusing customer data is its job
Uber has produced its first transparency report and called for a public debate over the type and amount of data it is obliged to provide to the authorities.
The taxi app company reveals in its report that it received 33 requests from American "regulatory agencies" that covered no less than 11.6 million customers and 583,000 drivers.
The requests came from little-known agencies like California's Public Utilities Commission and the New Orleans Department of Safety and Permits.
Given the small number of requests and the huge number of people involved, it is clear that the agencies put in blanket requests for all user data for their jurisdictions: something that Uber is unhappy about.
"These agencies have the power to force companies to give them information, such as trip data," the company complained. "They may request information about trips, trip requests, pickup and dropoff areas, fares, vehicles, and drivers in their jurisdictions for a given time period."
Uber also complains that it is required to hand over more information because it operates over the internet, noting that the requests "differ or exceed what regulators demand from offline companies."
According to the company, it fought many of the requests for information, handing over 21.2 per cent of them "as required," but managing to reduce the scope of the requests in 42.4 per cent of cases. In 36.7 per cent of cases it "unsuccessfully tried to narrow scope."
The report also outlines requests made by airport authorities – which effectively act as their own jurisdiction – and law enforcement.
There were 34 requests from airport authorities, covering 1.6 million people – again pointing to a blanket data request. Local police were more focused in their requests, asking for specific data on 408 users and 205 drivers – requests that Uber responded to in full in over 80 per cent of the cases.
And then there were the state and federal requests: 368 and 47 respectively. Uber complied in just under 85 per cent of cases and also breaks the figures down by subpoena, search warrant, emergency and court order.
Uber is unusual in that the data it possesses can be of significant value to the authorities, since it includes both high-level and individual data on people's movements over time. Regardless, it is unhappy at the amount of information requested and notes pointedly that it is not told what is done with that information or who it is shared with.
In an accompanying blog post, the company's public policy team notes: "Of course regulators will always need some amount of data to be effective, just like law enforcement. But in many cases they send blanket requests without explaining why the information is needed, or how it will be used.
"And while this kind of trip data doesn't include personal information, it can reveal patterns of behavior – and is more than regulators need to do their jobs. It's why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed."
It also complains that the agencies' approaches are now too precise due to modern technology. Previously, taxi companies were obliged to provide a paper log with rough pickup and dropoff locations; now they are told to provide GPS coordinates.
"We hope our Transparency Report will lead to a public debate about the types and amounts of information regulated services should be required to provide to their regulators, and under what circumstances," it concludes.
That "debate" has been going on for some time with the agencies themselves, although largely within opaque bureaucracies. We spoke with the agency that has the largest of Uber's datasets, covering 5.4 million individuals – the California Public Utilities Commission (CPUC).
A spokeswoman declined to make a formal statement, but did note that Uber has been vocal about the data requirements for some time. Those requirements are also due to be revised later this month when Commissioner Liane Randolph outlines new "Phase II" regulations for Uber, Lyft and other "transportation network companies." Those regulations will bring Uber more in line with the requirements of the existing taxi industry.
It is fair to assume, however, given Uber's response this week, that those requirements will still include blanket user trip requests. There is a Phase III planned, according to the CPUC, although there is not currently a timetable for it.
Let's not forget who we're talking about
Of course, it is all too easy to forget that the number one offender for the use and abuse of Uber customer data has been Uber itself.
This is the company that wrote a blog post in which it identified people it believed had had one-night stands based on their personal data. A senior VP also threatened to use movement data it had on a journalist as a way of discrediting them following a number of critical articles.
But the real reason Uber is upset is that the data it is forced to hand over for free is worth potentially a small fortune, since it allows you to see real-world data on the transportation needs of millions of people. Local authorities could use that data to greatly increase the efficiency of their services, which could eat into the Uber bottom line. And there is of course the risk that the data could find its way to competitors, removing a significant commercial advantage that Uber has over existing transportation companies. ®