Uber’s damage control machine kicked into high gear this week after a BuzzFeed report on one senior executive’s regretful rant on journalists included a disclosure that Uber employees have also tracked, without consent, one BuzzFeed journalist’s trip logs.
The ride-hailing company launched an investigation, hired the law firm Hogan Lovells to conduct an internal review on data privacy practices and published for the first time what it said was a longstanding privacy policy that stated “access to and use of data is permitted only for legitimate business purposes.”
Hate to break it to you, but as a journalist who has covered the technology industry for a decade, I can tell you this kind of tracking happens regularly, particularly with early-stage companies. It happens to journalists, and it happens to regular users, too.
For the record, Uber has never presented my personal data to me. But I can recall multiple times when an executive from Lyft, a rival service, punched up my trip log and told me about it. After my very first trip with Lyft, one executive told me the name of the driver who brought me to the cafe where we met.
Asked about the company’s privacy protocol this week, a Lyft spokeswoman said she does have tools to access journalists’ accounts, but she has never used them unless the person is present and has given permission. She said she would look into earlier policies, but has not yet replied to multiple follow-ups.
Lyft appears to be shuffling around its disclosures on privacy this week. The company’s terms of service, which were updated on Wednesday, no longer include its privacy policy. A prominent “privacy” link at the bottom of its site goes to those same terms of service that no longer contain the extensive privacy policy. (See update below.)
More recently, the founder of a food delivery startup told me he couldn’t find an account associated with my corporate email, which he wanted to look up to see my history on the service. When I was working on a story including the social startup Swipe, the founder sent me a screenshot of his own “God view” that included information about other users’ activity, including every time they opened the app, to illustrate that the app was getting early adoption.
I never felt personally threatened in any of these cases, but the seemingly cavalier handling of private data is creepy at best and is certainly a violation of consumers’ trust with services they increasingly depend on.
It is clearly wrong. But is it malicious? I can only speak to my own experience. No. I don’t believe so. In the handful of cases where it has happened to me, these have more to do with adolescent transgressions of young companies which barely have a product, much less the proper controls in place. When I first tried Lyft, nobody had any idea the company would later be valued at hundreds of millions of dollars and help drive a major shift in urban transportation. I also feel that startups have treated some reporters as beta testers or consultants in ways that are not entirely appropriate.
Asked about the “God view” screenshot he showed me a few months ago, Swipe co-founder Marwan Roushdy told me it was an exception to their practice of anonymizing such data. “When you are a startup, you have to be as ethical as possible, but when you grow, I guess you build systems that protect privacy,” he said via email.
At our recent Code/Mobile conference, Nico Sell of the encrypted-messaging startup Wickr called this problem the “minimum viable product disease,” where technology startups release products before properly designing them to be private, or considering future business model implications for users. And that’s a big problem as these companies play a bigger role in our lives.
What’s reassuring is that as companies mature, most move quickly to tighten up privacy policies and punish violations. Facebook, in its early days, had a “superuser” password that employees had access to and misused; it was eventually shut down. Google fired an engineer in 2010 for accessing user accounts.
But it still happens all the time. Just last week, a company quickly apologized to Re/code for accessing a journalist’s data without prior dialogue about it. Basis, which is owned by Intel, said it was concerned about an inconsistent experience Re/code’s Lauren Goode reported while using its new Peak health watch. As a result, a spokeswoman for Basis said the company took the liberty of looking at some of the sleep events she was referring to, to see if “they could determine what the challenge was.”
When Lauren said she was surprised the company did this, Basis apologized immediately for not seeking consent. The company emphasized that it is “not standard practice for Basis to look into any user’s data without their consent, and we can assure you this won’t happen again.”
With the sudden attention on the privacy policies — or lack thereof — of technology startups, when can we expect regulators to weigh in? Sen. Al Franken, Democrat from Minnesota, sent a letter to Uber CEO Travis Kalanick demanding more transparency into its privacy practices.
A Federal Trade Commission spokesman declined to comment about the Uber case, but pointed to a 112-page report from two years ago that suggested companies need to be sensitive about how they handle and use data collected from consumers and how they reuse that information for internal purposes.
While most privacy disclosures buried in many companies’ terms of service statements discuss how companies protect customer data from third parties, these disclosures say little about how a company intends to protect your data from itself.
Until companies resolve the issue of how they handle your data internally, you should proceed at your own risk.
Update: After this story posted, a Lyft spokeswoman called to explain that the company’s privacy policy had been removed in error, and would be reposted to its website shortly. She said the changes to the terms of service posted on Wednesday were about Lyft’s fees to drivers, not its privacy policy.
Additional reporting by Lauren Goode and Amy Schatz.
This article originally appeared on Recode.net.