“God view” agreement reached in Uber privacy probe

In this week’s article we examine an agreement reached between the New York State Attorney General and Uber Technologies, Inc.

In this week’s article we examine an agreement reached between the New York State Attorney General and Uber Technologies, Inc. on January 5, 2016 “requiring (Uber) to adopt data-security protection practices to protect its riders’ personal information, amid concerns the company secretly tracked customers’ whereabouts (ends) investigations into allegations that Uber displayed riders’ personal information in an aerial view internally known as ‘God view’ and into a data breach where drivers’ names and license numbers were accessed by an unauthorized third party” [Orzeck, Uber, NYAG Strike Deal Ending Privacy Probe Over Rider Data, law360.com (1/6/2016)].

Travel Law Update

Terror Targets Update

Turkey

In Steinmetz, Ongoing terror operation in Istanbul, www.eturbonews.com (3/3/2016) it was noted that “Two female militants are trapped in a building, following an attack on people in Istanbul, Turkey…these two female terrorists threw two grenades at the police station”.

Israel

In US tourist killed, 13 injured as Palestinian terrorists go on bloody rampage in Israel, www.eturbonews.com (3/8/2016) it was noted that “Three attacks by Palestinians in the space of just over an hour and a half have left one dead and at least 13 injured across Israel, in incidents that included a mass stabbing in Jaffe during a visit by the US vice-president, Joe Biden. Israeli police later confirmed that the person killed in the coastal city next to Tel Aviv was a 29-year-old American tourist”.

You Cruise, You Might Lose

In FAQ: You Cruise, You Might Lose, certerjd.org (1/12/2016) it was noted that “While no one wants to think about it, occasionally things can go very wrong on a cruise. There have been a number of recent ship disasters…But the vast number of cruise tragedies do not make the news. Only when something terrible happens do most people think about their legal options and learn about the cruise industry’s vast legal protections. Indeed, the cruise industry has more immunity from wrongdoing than virtually any other industry in America, and certainly more than other industries that transport people, on whom we rely for our safety. As the New York Times recently put it, ‘Few places on Earth are as free from legal oversight as the high seas’ This FAQ explains some of the reasons why”. See also: Dickerson, The Cruise Passenger’s Rights and Remedies 2014: The Costa Concordia Disaster: One Year Later, Many More Incidents Both on Board Megaships and During Risky Shore Excursions, 38 Tul Mar. L.J. 515 (Summer 2014).

Cruise Passenger Awarded $1.1 Million

In Ampel, Woman Awarded $1.1 Million in Cruise Dining Room Fall, law.com (3/7/2016) it was noted that “A Fort Lauderdale jury awarded $1.1 million to a woman who tripped on a mop bucket aboard a Costa Cruise ship, fracturing her arm and shoulder… (the lawsuit claimed that) the crew was negligent for leaving the bucket in the dining area with no warning signs”.

Hoverboards Go Boom

See Cendrowski, Boom Goes The Hoverboard Fad, Inside the copycat factories that fueled the boom and caused the bust, fortune.com/hoverboard-industry (3/7/2016).

World’s Longest Zip Line

In Steinmetz, Guinness World Record certifies the world’s longest zip line, eturbonws.com (3/4/2016) it was noted that “Toto Verde CEO Jorge Jorge…announced the opening of Toro Verde’s newest attraction, ‘El Monstruo’…The attraction was certified by the Guinness World Records as the world’s longest zip line at 7,234 feet-and approximately 1,200 feet in height”. For a discussion of zip line accidents during cruise line shore excursions see Smolnikar v. Royal Caribbean Cruises, Ltd., 787 F. Supp. 2d 1308 (S.D. Fla. 2011).

Water Taxi Explosion In Thailand

In Steinmetz, Update: No dead reported in water taxi explosion in Bangkok, Thailand, www.eturbonews.com (3/5/2016) it was noted “As reported in Thai Media at least 60 people were injured on Saturday when the engine on gas-powered Bangkok commuter boat exploded, pitching several passengers into Khlong Saen Saep”.

Disappearing Sands In Kenya

In Steinmetz, Chinese company accused of willfully destroying Kenya’s best beach, www.eturbonews.com (3/3/2016) it was noted that “The nightmare of sandless Diani beaches is looming large again after a Chinese company, the China Roads and Bridge Corporation, decided to appeal a decision by the Kenyan environmental tribunal that no more dredging was permitted off Diani beach without a full environmental and social impact assessment. A hearing before the High Court has reportedly been scheduled for Friday”.

Uber Unfair Competition Lawsuit

In D’Annunzio, Taxi Co.’s Unfair Competition Suit Against Uber Survives, law.com (3/8/2016) it was noted that “Pared down to the single issue of whether Uber made false representations to the public that Philadelphia’s taxi companies weren’t guaranteed to be insured while on the road, a federal judge has allowed the cab companies’ unfair competition lawsuit against Uber to move forward”

Uber Drivers Faking Vomit?

In Tempey, Are Uber Drivers Faking Vomit In Their Cars To Collect Hundreds Of Dollars?, gothamist.com (3/2/2016) it was noted that “A frequent user of the ride-share service Uber is swearing off the company after she says her driver accused her of vomiting in his car to stick her with a $200 cleaning fee, and backed it up with faked photos of the alleged barf”.

Airbnb In New Orleans

In Walker, Airbnb Pits Neighbor Against Neighbor in Tourist-Friendly New Orleans, nytimes.com (3/5/2016) it was noted that “With crime, potholes and the Saints, the home-sharing economy has become one of the city’s default topics, bickered about in countless informal conversations, through snarky signs (‘Won’t You B&B My Neighbor?’) and increasingly in public forums where city officials and the citizenry argue over what to do about it. Everyone has an opinion. Some are distraught at revelers leaving ‘floors covered with vomit’ in residential buildings and ‘short-term strangers’ squeezing out long-term residents. But just as passionate are people who say renting rooms on Airbnb has brought them enough cash to rehabilitate properties or cover the mortgage after a layoff or after Hurricane Katrina”.

Horseback Riding In The City

In Denney, City Not Liable for Woman’s Horseback Injury, Panel Says, newyorklawjournal.com (3/8/2016) it was noted that “A Manhattan appeals court has dismissed a lawsuit by a woman who was thrown from a horse during a recreational ride at a New York City-owned stable in the Bronx…Citing the decision… Quintanilla v. Thomas School of Horsemanship, 129 A.D. 3d 815 (2d Dept. 2015), the panel said being thrown from a horse that is acting in an unintended manner is an inherent risk of horseback riding…The Bronx Equestrian Center was (found) not reckless when (Ms. X) was thrown, which caused her to suffer a traumatic brain injury”.

Travel Law Article: Uber Privacy Probe

In an Assurance Of Discontinuance (Assurance) In the Matter of the Investigation by Eric T. Schneiderman, Attorney General of the State of New York (NYAG), of Uber Technologies, Inc. (Uber), Assurance No: 15-185 (1/5/2016) it was noted that the NYAG “commenced an investigation pursuant to, inter alia, Executive Law 63(12) and General Business Law (GBL) 349(b), into the protection of geo-location information by, and the breach of driver private information of, Uber. This Assurance contains the findings of NYAG’s investigation and the relief agreed to by NYAG and (Uber)”.

Findings

Collection Of Data

“2. Uber owns and operates a mobile application platform that allows riders to connect with drivers for trips using their mobile phone. Uber collects certain personal information from riders including name, email address, phone number and payment instrument (which is stored by a third-party payment service). Uber also collects information from drivers to determine whether they meet the requirements to use the Uber platform, including driver licensing information, vehicle registration…and vehicle inspection documentation, as well as information related to their use of the Uber platform”.

Geo-location Information

“3. Uber also collects the geographic location of their riders and drivers in real time (Geo-location information). Uber collects precise Geo-location Information passed from a rider’s mobile device if the rider chooses to authorize that collection. As soon as a driver begins a trip, Uber collects the precise Geo-location Information of the route of the trip from the driver’s mobile device”.

“4. Prior to the emergence of the technology underlying Uber’s service, New York consumers could hire a taxi or commercial vehicle by hailing one on the street and paying in cash, thereby not providing personal information or any Geo-location Information passed from a mobile device”.

Uber’s “God View”

“5. On November 20, 2014,the NYAG wrote a letter to Uber out of concern regarding how it collects, maintains and discloses its Geo-location Information including display of the information in a system providing an aerial view of the cars driving within a city, formerly known internally at Uber as ‘God View’…(In response Uber’s lawyers reviewed) the company’s privacy program…against a set of privacy standards, such as the expectations of the U.S. Federal Trade Commission (FTC), the Fair Information Practice Principals and the American Institute of CPAs Generally Accepted Privacy Principals”.

“God View” Deleted

“7. Uber has represented that it has removed all personally identifiable information of riders from its system that provides an aerial view of cars active in a city, has limited employee access to personally identifiable information of riders, and has begun auditing employee access to personally identifiable information in general”.

Uber’s New Privacy Policy

“8. On July 15, 2015, Uber updated its privacy policy regarding how it collects Geo-location Information. Among other things, it reserved the right to collect Geo-location Information from riders even when the Uber app is not open in the foreground.

(The new privacy policy regarding Location Information provides): When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (platform) we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address”.

Not Currently Collecting

“9. Uber has represented to the NYAG that it is not currently collecting Geo-location Information from the rider Uber app when the app is closed or in the background. Uber further represented that if it does so, it will adopt additional notification and messaging to riders regarding this collection, and permit riders to opt out without having to give up using the Uber service”.

The Uber Data Breach

“10. On February 26, 2015, Uber provided notice to NYAG and the affected drivers about a data breach that was discovered by Uber in September 2014 and that occurred on or about May 12, 2014 (the Data Breach)”.

“11. Uber represents that in the fall of 2014, a former employee of a competitor of Uber provided information to it suggesting that someone at the competitor company had access to what the competitor believed to be an Uber security key”.

“12. Upon investigation by Uber, on September 17, 2014, Uber discovered that in early 2014, an Uber engineer posted an access ID for Uber’s third-party cloud storage service on Github.com, a website designed to allow software engineers to collaborate. The engineer did not realize that the post was accessible to the general public”.

“13. Uber investigated use of this access ID. Uber represented that its investigation revealed a use of the access ID on or about May 12,2014, by someone associated with an IP address that Uber could not readily attribute to authorized Uber personnel, to access a stored, ’pruned’ copy of an Uber database located on servers of Uber’s third-party cloud storage provider. Although Uber had deleted most personal information and ‘salted and hashed’ passwords within the file before it was stored, the file contained driver’s license numbers capable of being matched to driver names stored elsewhere within the file”.

“14. Uber represented that it removed the GitHub posts and revoked the permission of the access ID and reissued access IDs to authorized users of that account. Uber also increased its use of encryption, implemented additional developmental controls that require multi-factor authentication, hired additional security personnel and enhanced security training”…

“18. By not providing notice to affected New York residents and the NYAG about the Data Breach in the ‘most expedient time possible and without unreasonable delay’, Uber violated (General Business Law) (GBL) 899-aa(2)(providing for expeditious disclosure of computer security system breaches). Uber did so knowingly or recklessly in violation of GBL 899-aa(6)(a)”.

Conclusion

“Whereas, (uber) neither admits nor denies NYAG Findings (1)-(18) above; Whereas NYAG is willing to accept the terms of this Assurance pursuant to New York Executive Law 63(15) and to discontinue its investigation; Whereas the parties each believe that the obligations imposed by this Agreement are prudent and appropriate”

“19. (Uber) shall comply with consumer protection and data security laws Executive Law 63(12), GBL 349 and GBL 899-aa”.

“20. (Uber) shall provide notice of data security beaches to affected New York residents and the NYAG when and in the manner required by GBL 899-aa (2) and (8)”.

“21. (Uber) shall maintain, and to the extent already in place shall continue to maintain, reasonable security policies and procedures designed to protect private information as defined in GBL 899-aa (1)”.

Justice Dickerson has been writing about travel law for 39 years including his annually updated law books, Travel Law, Law Journal Press (2016) and Litigating International Torts in U.S. Courts, Thomson Reuters WestLaw (2016), and over 400 legal articles many of which are available at nycourts.gov/courts/9jd/taxcertatd.shtml. Justice Dickerson is also the author of Class Actions: The Law of 50 States, Law Journal Press (2016). For additional travel law news and developments, especially in the member states of the EU, see IFTTA.org.

This article may not be reproduced without the permission of Thomas A. Dickerson.

About the author

Avatar of Linda Hohnholz

Linda Hohnholz

Editor in chief for eTurboNews based in the eTN HQ.

Share to...