Uber Shows How Not to Do a Privacy Report

If you only let the investigators look at your policies and not at what your employees actually do, you’re telling us a lot more about your real privacy views than you realize. And it’s not pretty.

Credit: Jamie Eckle

The Uber privacy report released last week (Jan. 30) is the perfect example of how not to handle a privacy PR disaster — or any privacy policy matters at all.

Uber’s particular privacy PR disaster arose from several clueless incidents. There was the Uber senior executive who said in a speech that the company should consider digging up dirt on a particular critical reporter. Shortly after that, a different Uber executive started off an interview with another journalist by citing her geolocation and travel records. Besides these bizarre, counterproductive interactions with journalists, the company has a history of privacy insensitivity, doing things such as publishing stats on customers engaging in one-night stands.

The Uber privacy report was bought and paid for by Uber, but that’s not the problem with it. Hiring your own probers is fine as long as they have credibility. But their credibility depends on more than just being well credentialed. Credibility is earned by the report’s results, recommendations and — critically — the scope of what the probers are allowed to probe.

Maybe Uber thought having the imprimatur of the Hogan Lovells law firm on its report was all the credibility it needed. Sorry, but that doesn’t cut it, not when the investigation was so limited in scope that the report could not actually address Uber’s privacy issue.

“While it was not in the scope of our review to perform a technical audit of Uber’s data security controls, based on our review of data security policies and interviews with employees, we found that Uber has put in place and continues to develop a data security program that is reasonably designed to protect Consumer Data from unauthorized access, use, disclosure, or loss,” said the report.

Let’s zero in on the key utterance: “it was not in the scope of our review to perform a technical audit of Uber’s data security controls.” Based on the report and its stated methodology, the investigators weren’t trying to see if Uber really obeyed its own written privacy policies. They were merely allowed to see if that written policy was an appropriate policy. But privacy policies, written by lawyers and HR specialists, are rarely the problem. The problem tends to be what employees actually do.

The report, by the way, found that everything it reviewed about Uber was fine. Its only suggestions amounted to “Keep up the good work. The only thing we can suggest is to do more of the same and expand doing it as much as you can.”

Uber announced the report by saying, “We enlisted outside experts from the global law firm Hogan Lovells to thoroughly examine how we safeguard rider data, and we’d like to share their findings with you today. [The attorney in charge] and her team spent 6 weeks reviewing documents and interviewing members of Uber’s executive team and leaders across the entire company. The review was comprehensive and found that overall our Privacy Program is strong.”

Thus far, they’re not scoring many points in the credibility department. In fact, the law firm did not “thoroughly examine how we safeguard rider data.” It examined how Uber is supposed to safeguard rider data, not what Uber actually does. That’s the problem.

A few other notable elements of the report:

• “New personnel must agree to the Company’s policies relating to the appropriate handling of Consumer Data prior to obtaining access to that data.” Sigh! How is getting a new employee to sign that document going to protect customers? Is it one sheet among 40 that the employee is blindly signing, somewhere between a 401(k) allocation form, medical benefit choices and a direct deposit authorization?
