Naked Security

Uber in the privacy spotlight again

It won't necessarily translate into big trouble for Uber. But it might: after all, the FTC's interest recently cost the company $20m.

Uber is living in interesting times, Chinese-curse style.

From getting sued by the victim of rape by an Uber driver for sharing her medical records with CEO Travis Kalanick, to said CEO going on hiatus in order to figure out just how to be a CEO, on up to 20 Uber employees being fired as the result of a four-month investigation into the company’s toxic sexist culture, yes, times are interesting indeed.

The latest: a potential FTC inquiry into Uber’s data-handling follies.

According to Recode, four sources close to the Federal Trade Commission (FTC) have said that there’s an “inquiry” under way, with FTC investigators focused on data mishaps.

Which data mishaps? Still unknown, but there are numerous possibilities from Uber’s checkered past, such as the company’s misuse of its “God View” tool. God View is a software system that reveals personally identifiable information (PII) of Uber riders, displayed in an aerial view of the cars active in a city.

Uber has already settled with New York Attorney General Eric Schneiderman after 14 months’ worth of data privacy investigations into two different issues: the first was use of God View; the second was a data breach, caused by Uber itself, that exposed hundreds of Uber driver names, social security numbers, pictures of driver’s licenses, tax forms and other sensitive information.

Uber had used God View to spy on the geolocation of politicians, celebrities, and, infamously, of BuzzFeed’s Johana Bhuiyan. Twice. Uber’s tracking of Bhuiyan is what triggered Schneiderman’s investigation into God View.

Or perhaps the FTC is interested in finding out more about the 2014 data breach for which New York fined Uber $20,000: as in, that time when Uber’s driver database found its way onto GitHub, exposing the details of some 50,000 drivers.

Uber discovered that breach in September 2014 but didn’t inform the affected drivers and Schneiderman’s office until February 26, 2015.

Or then again, maybe the FTC is just doing what the FTC does: as Recode’s FTC sources said, FTC staff regularly question companies on consumer protection issues such as privacy. Not all of those investigations turn into charges and penalties.

Duly noted. But the FTC’s investigations certainly have the potential to turn into a world of hurt. In January, Uber paid $20 million to settle the agency’s charges that it misled prospective drivers with exaggerated earning claims and claims about financing through its Vehicle Solutions Program. The FTC said that the penalty would be used to refund affected drivers across the country.

Uber is also currently under investigation by the Department of Justice over use of its Greyball tool – basically, a fake version of its app that hides drivers’ locations from competitors or would-be attackers… or from law enforcement, which comes in handy when Uber is operating in cities that are trying to clamp down on the service.

As Recode explains, the FTC doesn’t bring criminal cases, but it can force companies to alter their business practices. In its announcement about the $20 million fine, for example, the agency noted that its “stipulated final orders” have the force of law when approved and signed by a District Court judge.


1 Comment

Proof that I don’t think enough like a shyster criminal…

I’ve no idea how a company would release a fake version of their own app to thwart competition (NTM law enforcement) without also tricking thousands of customers with the wrong app as well. :-/
