Uber shows how not to do a privacy report

If you only let the investigators look at your policies and not at what your employees actually do, you’re telling us a lot more about your real privacy views than you realize. And it’s not pretty.


The Uber privacy report released last week (Jan. 30) is the perfect example of how not to handle a privacy PR disaster — or any privacy policy matters at all.

Uber’s particular privacy PR disaster arose from several clueless incidents. There was the Uber senior executive who said in a speech that the company should consider digging up dirt on a particular critical reporter. Shortly after that, a different Uber executive started off an interview with another journalist by citing her geolocation and travel records. Besides these bizarre, counterproductive interactions with journalists, the company has a history of privacy insensitivity, doing things such as publishing stats on customers engaging in one-night stands.

The Uber privacy report was bought and paid for by Uber, but that’s not the problem with it. Hiring your own probers is fine as long as they have credibility. But their credibility depends on more than just being well credentialed. Credibility is earned by the report’s results, recommendations and — critically — the scope of what the probers are allowed to probe.

Maybe Uber thought having the imprimatur of the Hogan Lovells law firm on its report was all the credibility it needed. Sorry, but that doesn’t cut it, not when the investigation was so limited in scope that the report could not actually address Uber’s privacy issue.

“While it was not in the scope of our review to perform a technical audit of Uber’s data security controls, based on our review of data security policies and interviews with employees, we found that Uber has put in place and continues to develop a data security program that is reasonably designed to protect Consumer Data from unauthorized access, use, disclosure, or loss,” said the report.

Let’s zero in on the key utterance: “it was not in the scope of our review to perform a technical audit of Uber’s data security controls.” Based on the report and its stated methodology, the investigators weren’t trying to see if Uber really obeyed its own written privacy policies. They were merely allowed to see if that written policy was an appropriate policy. But privacy policies, written by lawyers and HR specialists, are rarely the problem. The problem tends to be what employees actually do.
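To make the distinction concrete, here is an added example (not from the column, and not Uber’s or Hogan Lovells’ code) of the kind of check a technical audit of controls would run and a policy review never does: it reads a log of employee lookups of rider records and flags every access that is not tied to an open support ticket assigned to that employee for that rider. The log format, the field names, the ticket registry and the sample entries are all constructed assumptions for this example.

```python
"""Access-log audit: does employee behaviour match the written policy?

Everything here is constructed for illustration. The assumed policy is:
an employee may look at a rider's record only while working an open
support ticket that is assigned to them and that concerns that rider.
"""
from dataclasses import dataclass

# Constructed sample log of rider-record lookups.
# Format: timestamp|employee|rider_id|fields|ticket   (ticket may be empty)
SAMPLE_LOG = """\
2015-01-12T09:01:44Z|alice|r1001|name,email|T-5521
2015-01-12T09:05:10Z|alice|r1001|trip_history|T-5521
2015-01-12T10:22:03Z|bob|r2002|trip_history,location|
2015-01-12T11:47:59Z|carol|r3003|name|T-7788
2015-01-12T13:15:30Z|bob|r4004|location|T-0001
"""

# Constructed ticket registry: ticket id -> (assignee, rider_id, is_open)
OPEN_TICKETS = {
    "T-5521": ("alice", "r1001", True),
    "T-7788": ("carol", "r3003", True),
    "T-0001": ("dave", "r4004", True),
}

# Fields the assumed policy treats as sensitive (travel and location data).
SENSITIVE_FIELDS = {"trip_history", "location"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    employee: str
    rider_id: str
    reason: str
    sensitive: bool  # True if any sensitive field was read


def parse_log(text):
    """Parse the constructed pipe-separated log into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, rider_id, fields, ticket = line.split("|")
        records.append({
            "timestamp": ts,
            "employee": employee,
            "rider_id": rider_id,
            "fields": set(f for f in fields.split(",") if f),
            "ticket": ticket,
        })
    return records


def audit(records, tickets):
    """Return one Finding per access the policy does not justify."""
    findings = []
    for r in records:
        ticket = tickets.get(r["ticket"])
        if not r["ticket"]:
            reason = "no ticket"
        elif ticket is None:
            reason = "unknown ticket"
        elif ticket[0] != r["employee"]:
            reason = "ticket assigned to another employee"
        elif ticket[1] != r["rider_id"]:
            reason = "ticket concerns a different rider"
        elif not ticket[2]:
            reason = "ticket already closed"
        else:
            continue  # access is justified under the assumed policy
        findings.append(Finding(
            timestamp=r["timestamp"],
            employee=r["employee"],
            rider_id=r["rider_id"],
            reason=reason,
            sensitive=bool(r["fields"] & SENSITIVE_FIELDS),
        ))
    return findings


def summarize(findings):
    """Count unjustified accesses per employee, the number a reviewer
    would actually want to ask about."""
    counts = {}
    for f in findings:
        counts[f.employee] = counts.get(f.employee, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG), OPEN_TICKETS)
    for f in results:
        flag = " [SENSITIVE]" if f.sensitive else ""
        print(f"{f.timestamp} {f.employee} -> {f.rider_id}: {f.reason}{flag}")
    print("per-employee totals:", summarize(results))
```

Run against the constructed log, the audit flags two of the five lookups, both by the same employee and both touching location or trip data: one with no ticket at all, and one under a ticket that belongs to someone else. A signed acknowledgment of the policy would have caught neither; only looking at the access records does.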

The report, by the way, found that everything it reviewed about Uber was fine. Its only suggestions amounted to “Keep up the good work. The only thing we can suggest is to do more of the same and expand doing it as much as you can.”

Uber announced the report by saying, “We enlisted outside experts from the global law firm Hogan Lovells to thoroughly examine how we safeguard rider data, and we’d like to share their findings with you today. [The attorney in charge] and her team spent 6 weeks reviewing documents and interviewing members of Uber’s executive team and leaders across the entire company. The review was comprehensive and found that overall our Privacy Program is strong.”

Thus far, they’re not scoring many points in the credibility department. In fact, the law firm did not “thoroughly examine how we safeguard rider data.” It examined how Uber is supposed to safeguard rider data, not what Uber actually does. That’s the problem.

A few other notable elements of the report:

• “New personnel must agree to the Company’s policies relating to the appropriate handling of Consumer Data prior to obtaining access to that data.” Sigh! How is getting a new employee to sign that document going to protect customers? Is it one sheet among 40 that the employee is blindly signing, somewhere between a 401(k) allocation form, medical benefit choices and a direct deposit authorization?

When a situation crops up nine months later where it would be useful to know the travel history of a customer, will that signature have any impact? Will it discourage the kind of employee who will be tempted to bend the rules?

• “We understand that after issues with accounts are resolved, standard cancellation procedures are followed, which include deleting personally identifiable information from Company databases containing Consumer Data.”

This is the kind of comment that lawyers love because it sounds like it solves the issue. But as IT knows, once data gets into those databases and gets repeatedly backed up and loaded onto thumb drives and mobile devices and employees take files home and work on them on home computers, well, you can’t get the IT toothpaste back into the database tube.

• But the award for the most tone-deaf utterance in any privacy report goes to this: “Tone at the top cascades from the senior executives through other layers of management and is judged by the words and actions of individual employees at all levels.”

This report was prompted by senior execs and senior managers engaging in blatant privacy violations. The most senior exec involved, Emil Michael, Uber’s senior vice president of business, who was the one who said he wanted to investigate a reporter, eventually issued an apology, but was neither fired nor publicly disciplined. The actions of the CEO — who issued a statement about the comments and would presumably have made the decision about any punishment — do indeed speak loudly about the company’s view of privacy.

The report didn’t explore germane questions: How many employees have been disciplined for privacy violations? What was the nature of that discipline? That is how you set the tone from senior management. Employees look and see what happens to people who violate those rules.

• “We reviewed the Uber app available on the iOS and Android platforms and found that Uber provides access to the Company’s Privacy Policy both within the Uber app and via links available in app stores, allowing potential customers to review the Privacy Policy prior to download.”

To what end? Is the report suggesting that this helps protect those privacy rights? Did the investigators ask how often it is downloaded, or the ratio of Uber app downloads to privacy-policy downloads? If they did, did they believe that told them anything about how many downloaders even looked at that policy, or for how long?

This is checklist security, where a company says, “We spelled it all out. ’Tis not our fault if no one looks at it.”

Given Uber’s checkered privacy history, you’d expect a real investigation to turn up at least one or two issues. But when you limit the scope of an investigation to a review of a published privacy policy, that isn’t going to happen. What you end up doing, though, is reinforcing the perception that Uber treats privacy as nothing more than an annoying form that needs to be filled out.

How seriously does Uber take privacy? Read this report — all the way through — and you’ll have a very good idea.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek and eWeek. Evan can be reached at eschuman@thecontentfirm.com and he can be followed at twitter.com/eschuman. Look for his column every other Tuesday.


Copyright © 2015 IDG Communications, Inc.