How Uber Can Protect Consumer Privacy

Uber knows who you are, your email address and your credit card number. As consumers, we willingly offer up and share all of this information with the company because the data is what makes Uber so great — enabling them to deliver a service as complex as transportation with a touch of a button.

In recent weeks, Uber’s move to start tracking users’ location in the background (even if the app is not running) has put privacy groups on the offensive. Some, like the Electronic Privacy Information Center (EPIC), are calling for the FTC to ban this data collection altogether.

Advocating to ban data collection is the wrong approach; after all, it is data that has helped Uber create a product that is wildly loved and used by millions. In fact, they are far from the first company to request always-on location data (countless other apps gather location in the background, such as Google, RunKeeper, FourSquare and Facebook Messenger).

Even Apple knows where you go frequently — unless you take active steps to change your privacy settings. The issue at hand is not the collection of data, nor is it the data itself, but rather what Uber plans to use the data for and how the data is collected.

How Is The Data Used?

Asking for background location isn’t inherently evil, especially if it is used to create a better consumer experience. However, Uber needs to clearly explain why they need the data and how it will benefit the user. Then it is up to consumers to decide if the value exchange warrants sharing their data.

That’s why Uber, as a first order of business, needs to explain to consumers how it plans to use the data. Consumers and advocacy groups would likely be much less nervous, and dare I say even excited, if Uber articulated some amazing service that this data will empower.

For instance, Uber might be using always-on location to anticipate when you might need a car, better distributing cars so there is less wait time, or coordinating so the service senses you leaving the office and has one waiting outside — awesome.

But the less explanation Uber provides about why it’s collecting this data, the less this appears like a legitimate exchange and the more it risks violating expectations of privacy.

How Is Uber Collecting Background Location?

When a user provides permission for always-on location, they are essentially allowing Uber to collect location data 24/7. In addition, this permission setting allows Uber to collect other data, like raw accelerometer and gyroscope streams.

This is a scary proposition, because when this data is combined with the information Uber already knows about you, like your email address, a very detailed picture can be painted of who you are. It is the combination of personally identifiable information (PII) and raw sensor data that creates the risk.

Consumer protection agencies are right to be concerned about raw sensor data and PII being combined, especially when it relates to Uber. There have been a couple of high-profile and worrisome instances of Uber being careless with consumer privacy: showing their “Godview” feature at company parties and threatening to use the data to target the company’s critics. And there’s the additional concern that Uber’s wealth of information about you provides an irresistible target (or “honeypot”) for hackers.

To further protect consumer privacy and ensure that neither Uber nor anyone else can ever know too much about you, Uber should ensure that raw sensor data is never combined with PII. Uber, and really all companies asking for always-on location, should separate the raw data they are collecting and sanitize it before combining it with PII.

Uber’s latest controversy is just the beginning. Over the next few years, a lot of functionality will move into the background and more sensor data will be exposed. Now is the time to establish the practices for how best to protect consumer privacy around background sensor data; namely, all apps requesting this data should be upfront about why they are collecting it, provide an easy mechanism for consumers to opt in or out, and ensure that the data is never combined with PII.

If apps comply with this basic framework, I believe everyone will win. Consumers will be better off because they will have access to better services, apps will be properly serving the needs of consumers and advocacy groups will know they have helped protect consumer privacy.