After a 14-month investigation, Uber and New York Attorney General Eric Schneiderman have reached a settlement regarding Uber’s aerial “God View” tool. God View allowed a wide range of Uber employees to access customer data and track the location of Uber riders and customers. The New York AG’s investigation into Uber’s privacy and security practices was prompted by reports that an Uber executive used God View to track an Uber customer’s ride for his own personal reasons and without the rider’s permission. Uber has maintained that the executive who accessed God View to locate the rider did so because the rider “was 30 minutes late to a meeting,” though the company acknowledges that he exhibited “poor judgment” in making the decision to violate her privacy.
The investigation was subsequently expanded to include Uber’s September 2014 discovery of a data breach that affected some of its drivers. The company failed to report that incident to the New York AG’s office until February 26, 2015. The law requires that data breaches be disclosed to the people affected by them and to authorities “in the most expedient time possible and without unreasonable delay.”
Per the settlement, Uber will pay a $20,000 fine for its failure to report unauthorized third-party access to drivers’ personal information in a timely fashion and must also revise its privacy practices. The settlement requires geolocation data for both drivers and passengers to be encrypted and password protected. Additionally, God View access will be limited to a specific small group of employees and it may only be used for “legitimate business purposes.” The settlement specifically provides: “Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general.”