This guest post was contributed by Richard Menzies, General Manager, Uber NZ, to mark Privacy Week. It is the first in our Working with Industry series of guest posts. The Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.
As the adoption and integration of new technologies continues to grow, so does the importance of data protection, security and privacy. Globally as a company, Uber facilitates around 15 million trips every day and operates Uber Eats in more than 200 cities. More and more people look to ridesharing as a safe, affordable and reliable way to get around their cities and have great, tasty food delivered to their door. This year, like every year, Privacy Week is a great chance for all of us to take stock of our digital footprint.
Every one of these trips and deliveries creates a digital footprint - data which can be used to further improve Uber’s services, but that might also include personal information. We have a duty to protect that data and the privacy of our users, and we take that seriously.
Learning from past mistakes
Last year, our new CEO, Dara Khosrowshahi, publicised a security incident that took place in 2016. The incident involved two individuals from outside the company that inappropriately accessed old copies of user data stored on a third-party cloud-based service that we used at the time. The user data included names, email addresses and mobile phone numbers of 57 million Uber users, including approximately 100,000 Kiwis.
Our security engineering team was able to respond quickly and contain the risk for our users and the incident did not breach our corporate systems or infrastructure. We took steps to confirm that the two individuals did not further use or disseminate the information.
In addition to technical improvements made to prevent similar attacks in the future, we recommitted the company to more transparent disclosure practices in the future. Our CEO said at the time: “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”
Uber’s approach to privacy
As Dara emphasised, we are committed to being open and upfront with our users and regulators. Under the direction of Tony West, Uber’s new general counsel, former general counsel for PepsiCo, and former US Associate Attorney General in the Department of Justice, our security and privacy teams are working toward a global standard for data protection and privacy beyond legal requirements. This includes improvements in the way we design and build our products, as well as how we manage all the user data we hold.
New features and products at Uber are developed with a review process to evaluate potential security and privacy risks, even down to the code level. Uber’s security engineering team works with our privacy team to ensure our data practices are not only compliant with applicable law, but also supported by the required engineering capabilities to enforce adoption across the company. Based on the level of sensitivity, we are able to leverage privacy protecting technologies such as differential privacy, which enables data scientists to analyse large data sets without exposing the identity of individual users. As well, we open-sourced these tools to make them available for use by privacy professionals at other organisations.
We’re also bringing privacy to the forefront of our products with user controls inside our mobile apps and websites. For example, users who choose not to share their device’s location information with Uber can choose to turn this off in their privacy settings and manually input their pick-up location. We also built a self-service tool for riders in the app if they choose to delete their Uber account. We are investing more resources in giving users more control over the data they share with us and there will be more features coming later this year.
Long term global vision
We’re learning that we can no longer only build seamless protections behind the scenes in an effort to spare users the technical details. In fact, users are telling us they want to be more engaged in the process, so we are working on products improvements that will better assure our users that we have their back. Our CEO has made it very clear that moving forward, we will stand for safety, and that includes safeguarding the security and privacy of user information. Privacy and security are key business goals for us.
Building for New Zealand
We are particularly pleased to work closer with the Office of the Privacy Commissioner in New Zealand in its pursuit of mandatory breach notifications via the new Privacy Bill. We believe in working with government bodies which can hold all businesses to high standards, and will continue to support local representatives.
In a day and age when data has become an increasingly important cornerstone of modern commercial business, people need to know companies have their best interests at heart when it comes to protecting the privacy of their personal information.
All companies can learn from each other as we develop new technologies that offer better protection for consumers.
Companies owe it to their customers to treat their information with respect and to take every action and precaution possible to protect their privacy. Uber is committed to leading the way both locally and globally.
Image credit: Photo by Elliott Brown via Flickr