What’s Wrong with Uber’s New Privacy Policy?

Is too much transparency a good thing?

Last week, Uber announced anew privacy statement which was basically to tell the world that they have reworded their privacy policy in simple language making it absolutely clear as to what they intend to do with user data collected from the app.

But while Uber’s attempt is to appearfair and transparent, it is also telling each one of us in ‘simple’ words that if you ‘allow’ Uber access to your personal information, your contacts, usage and preference information, device details as well as call and SMS data – they can do whatever the hell they want with it!

You would wonder: Why does a taxi company such as Uber gather a plethora of user details? The answer is a no-brainer. The company obviously markets itself as a taxi aggregator or a user platform and not just a taxi player. But while Uber successfully built and launched an innovative product which was an instant hit among consumers, they forgot to tighten their privacy policies which puts user data under legal scrutiny as well as risk being played at the hands of an Uber employee.

Feature: Why Uber’s a Disruptive Tech Player

Not So Uber Cool After All

Take for instance, the case of Olivia Nuzzi, a writer with The Daily Beast who reported an uncomfortable exchange on a ride with an Uber driver and ended up giving him a bad rating which cost him his job. But he had enough information on her to find out about her organization and send her an email. “I had previously been under the impression that the only personal information Uber provided to drivers about riders was a first name, so I was a bit confused as to how this driver had enough information about me to find out my employer,” she says in her article.

And this is not a solo incident. In November last year, a Buzzfeed News reporter Johana Bhuiyan hitched an Uber ride to travel to a meeting with Josh Mohrer, general manager of Uber New York. As soon as she arrived at the company’s Long Island City headquarters, the reporter said she found Mohrer waiting for her. “I was tracking you,” Mohrer said.

In another incident, during one of Uber’s launch party, the company demonstrated its tool called God View, which lets them see all of the Ubers in a city and the silhouettes of waiting Uber users who have hitched Uber cars. But an attendee at a launch party in Chicago said that Uber showed them the whereabouts and movements of 30 Uber users in New York in real time.

Also Read: Five Good Reasons to Delete the Uber App Right Now

What Kind of Data is a user likely to share with Uber

Therefore, to summarise Uber’s new privacy policy, if users decide to ‘allow’ access to their data, Uber can access your smart device camera, photo and video library. It gets read and write access to your SD card and is able to read your contacts. It can also collect details from Facebook or Google wallet or your Paytm wallet and track your phone including its motion sensors and finally share your full profile details with drivers, advertisers as well as Uber’s marketing team.

In case you’re an android user, you’re shown a list of permissions that the app requests.

iOS users are a little fortunate because you’ll see contextual dialogs asking you to approve certain permissions that the app requests and you’ll have the choice to opt out of each iOS permission on an individual basis.

What Uber’s Revised Policy Says It Can Do with Your Data

Uber states that they may share user information with drivers to enable them to provide the services you request. For example, they share your name, photo (if you provide one), average user rating given by drivers, and pickup and/or drop-off locations with drivers. So how can we ensure that an incident such as the one with the Daily Beast reporter is not repeated?

Some of the other information that Uber collects about you may be used to provide, maintain, and improve their services, perform internal operations, send or facilitate communications between you and a driver or send information about products, services, promotions, news, and events. It may also share your information with vendors, consultants, marketing partners, and other service providers or respond to a request for information by a competent authority and any law enforcement officials, government authorities, or other third parties if you violate their User Agreement.

How Do Indian Users Ensure Privacy of their Data

In India, Uber first launched operations in Bangalore in September 2013, and has extended its presence in Delhi, Hyderabad, Chennai, Mumbai, Pune, Ahmedabad, Chandigarh, Jaipur and Kolkata. Since its launch, it has constantly been under the government scanner for issues related to tax, legal and criminal negligence.  So the best Uber can do is not violate the almost non-existent privacy and data protection laws that India has.  According to Prashant Mali, president-Cyber Law Consulting, clause 5 of The reasonable security practices rules of 2011 formed under Section 43A of The IT act, 2000, states that if a company such as Uber shares the data further except to government agencies/ law enforcement agencies, customers can file compensation complaint against the company with Adjudication officer for compensation of up to Rs 5 crore. “Additionally, a criminal complaint can be filed under s72 (A) of same Act,” he says.

What Experts Have to Say

“Any privacy policy should say how your privacy is protected. Most privacy policies, however, say how your privacy is violated. They are a disclaimer to all the violations to your privacy, all consequent breaches of security and of any liability for such events,” says Dr. Anupam Saraph, innovator, professor and an advisor in governance, informatics and strategic planning.

At the very least, Saraph says, every app should allow the user to receive notification or view an audit trail of data collected for every transaction as well as any other time any data on the users’ device was accessed, for what purpose and who may potentially have had access.

According to Mishi Choudhary, technology lawyer and legal director at Software Freedom Law Center, Uber is not the only application that is collecting this data. Almost all of the applications that users rely on collect vast swaths of data about their users but it is either buried under legal jargon or (allowing access) the only way to use a particular app. In fact, many quietly update their policies and sneak in snippets that may attract undue attention of their users.

However, she says, gullible or cognitively dissonant users look elsewhere and click “accept”. “That’s why we need clear laws about data collection by corporates and truth in labelling. Once everyone knows it in clear terms what is being done with their data, users can decide if they wish for different vendors to have a robust personal profile of them and do whatever they like with it, share with advertisers or the NSA,” says Choudhary, who is also the executive director at SFLC.in, a donor supported legal services organization that brings together lawyers, policy analysts, technologists, and students to protect digital freedom.

So whether or not Uber is attempting to be transparent in its new privacy policy, the fact remains that it is still soliciting a lot of information from app users. So if you sign up for it, be aware of what you sign away.

Footnote: Uber is yet to respond to queries about the privacy policy at the time of publishing this article.