Skip to content
EPIC asks FTC to slam the brakes on Uber's upcoming data grab
Naked Security Naked Security

Uber wants even more customer data – EPIC asks FTC to slam on the brakes

Uber wants location data when the app's running in the background (even when it's off on iOS), location data from IP address, and users' contact lists.

EPIC asks FTC to slam the brakes on Uber's upcoming data grabA leading privacy group has asked the US Federal Trade Commission (FTC) to put the brakes on Uber’s upcoming new privacy plan – a plan that sets the ride-hailing app maker up to collect even more customer data than it already does.

The Electronic Privacy Information Center (EPIC) filed a 23-page complaint on Monday in which it notes that the new User Privacy Statement, set to go into effect on 15 July, says the company will try to collect location data on users even when the app is running in the background.

From the new policy:

When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system ("platform"), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

Another change to Uber’s privacy policy is that the company may also ask for access to a user’s contact list and then send marketing promotions to users’ contacts.

Not to worry, Uber’s Managing Counsel of Data Privacy Katherine Tassi said in a recent post: users are still “in control”:

In either case, users will be in control:  they will be able to choose whether to share the data with Uber.

Tassi said that tracking passengers in real time and accessing users’ address books are merely “potential new use cases” of Uber’s customer data.

Users will be firmly in control, she reiterated:

We are not currently collecting this data and have no plans to start on July 15. ... If we decide to ask for these permissions, users will be in control and choose whether they want to share the data with Uber.

EPIC calls these assurances deceptive. In fact, the group said in its complaint, the updated policy will actually deprive users of control.

As far as the location data goes, Uber’s collection of precise location information when the app is operating in the background means that on iOS phones, Uber may be able to collect location data even after a user quits the app.

Even if a user disables the GPS location services on their phone, Uber may still collect approximate location from riders’ IP addresses, EPIC says – a fact that runs counter to Uber’s claims that users are in control.

When it comes to Uber getting its hands on users’ contact lists for marketing purposes, the FTC has already received complaints from “People who have never driven for or even used the service”, according to Motherboard, but who said that they’re still being deluged with text messages from Uber and have been unable to make them stop.

EPIC lists a hosts of user complaints about the frequency of the spam, the difficulty of unsubscribing, and the fact that users never gave their permission to have their contacts’ details shared.

One such, from user DanielMiami:

This is disturbing, my girl just text me saying she received a text message from uber [sic] saying I invited her to become a driver.

"UberMSG: Congratulations! Your friend Daniel wants you to be an Uber partner. Both of you can make money when you APPLY HERE:"

1. How did they get her phone number?

2. That's not even my referral promo code

Do they have access to our contact list in our phones?

Beyond these upcoming privacy policy changes and the extra data Uber will be getting, the company already has a lousy reputation for misusing data, EPIC said in its complaint, outlining a long, messy history that’s included, among other things:

Marc Rotenberg, the executive director of EPIC, told the New York Times that, given its history of mishandling data, Uber hasn’t earned the right to collect even more:

A company that has a bad reputation for misusing personal information should not be allowed to change its policy so it can gather more data.

EPIC’s complaint asks the FTC to halt Uber’s collection of any customer location details not required to deliver a service; to require Uber to delete location information once a ride has been completed; and to require Uber to publish specific details about the system it uses to profile and evaluate customers.

Image of Uber courtesy of eskay / Shutterstock.


I thought about using Uber when I was in San Diego, CA, a couple of weeks ago and my truck was being worked on after I blew out the front shocks on the Baja500 racecourse, but I flagged down a taxi instead.

I won’t consider using Uber again, ever! It seems there are always ulterior motives these days.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!