Uber Says It Won’t Look At User Data Except For “Legitimate Business Purposes”

While much of the fallout from BuzzFeed’s recent Uber exposé has focused on vice president Emil Michael’s suggestion that the company could dig up dirt on critical journalists, the story included something that could be equally concerning — the fact that Uber’s New York City manager accessed the profile of a BuzzFeed reporter without their permission.

On some level, the fact that a company can access its customer data may not be all that shocking. But it’s a reminder that Uber has detailed information about your comings and goings, and probably has a pretty good idea about where you live. And it doesn’t instill much faith that the company is being careful about who gets access to that information. Not helping things: A follow-up story in San Francisco magazine claiming that the magazine reporter had been warned by anonymous sources that Uber executives might access her rider logs.

The company tried to address those concerns in a blog post stating that it has “a strict policy prohibiting all employees at every level from accessing a rider or driver’s data.” There is, however, an “exception” for “a limited set of legitimate business purposes.”

What do those purposes include? The post points to solving community problems (?), facilitating payments, monitoring for fraudulent activity, and troubleshooting bugs as “examples.” The post concludes:

“Uber’s business depends on the trust of the riders and drivers that use our technology and platform. The trip history of our riders is confidential information, and Uber protects this data from internal and external unauthorized access. As the company continues to grow, we will continue to be transparent about our policy and ensure that it is properly understood by our employees.”

I think the question now is: What constitutes a “legitimate business purpose”? As the post itself acknowledges, the uses described above are just examples.

I mean, I suppose it’s understandable that Uber isn’t going to fence itself in by naming every single instance where it might access user data, but “legitimate business purposes” seems pretty broad. And if the goal was to make sure people don’t freak out about privacy, I’m not sure this is the most effective way to do it.