The U.S. government on Tuesday issued sweeping new penalties against Uber for its privacy and security practices, alleging the company “deceived consumers” by allowing its employees to access riders’ most personal information, including the details of their trips.
The lapses at Uber date back to 2014, including the so-called “God View” mishap and the later theft of its drivers’ data by hackers. In a resulting settlement with the Federal Trade Commission — an investigation first reported by Recode in June — Uber must now submit to 20 years of privacy checkups by outside auditors.
Future mistakes in the way Uber handles its riders’ and drivers’ sensitive personal details could then result in steep fines.
In the eyes of the FTC, Uber erred beginning in 2014, when reports first surfaced that the ride-hailing company’s workers had taken advantage of an internal tool, known as “God View,” which had allowed some employees to spy on the whereabouts of politicians, celebrities and others using its services. The news came at a time when one of Uber’s top executives — since-departed Emil Michael — even suggested hiring “opposition researchers” to track journalists critical of the tech giant.
That November, Uber issued a public statement pledging it had a “strict policy prohibiting all employees at every level from accessing a rider or driver’s data,” the FTC recounted in its complaint. Months later, it decommissioned the tool entirely.
But the FTC contends in its settlement Tuesday that Uber actually “has not always closely monitored and audited its employees’ access to Rider and Driver accounts.” That includes a period from August 2015 until May 2016, the FTC said, when Uber “did not timely follow up on automated alerts concerning the potential misuse of consumer personal information.”
And for six months during that time, Uber “only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives,” the agency found.
The FTC also took issue with Uber’s claims about its security practices, years after a major data breach allowed hackers to abscond with information about the company’s drivers.
For years, Uber stressed it had taken great steps to protect its driver and rider data — all stored using Amazon’s cloud service. Until 2015, however, some of that information was saved as “clear, readable text, including in database back-ups and database prune files, rather than encrypting the information,” the FTC said.
But it’s the 20 years of privacy checkups — completed by a third party, then submitted to the watchdog agency — that could prove most onerous for the company. In recent years, the FTC has brokered similar settlements with the likes of Facebook, Google and Twitter, including for mishaps related to mishandling users’ data.
“Uber failed consumers in two key ways: First by misrepresenting the extent to which it monitored its employees’ access to personal information about users and drivers, and second by misrepresenting that it took reasonable steps to secure that data,” said Maureen Ohlhausen, the acting chairwoman of the FTC, in a statement.
“This case shows that, even if you’re a fast-growing company, you can’t leave consumers behind: You must honor your privacy and security promises,” she said.
For its part, Uber stressed on Tuesday that it had already remedied the issues raised by the FTC, including by hiring a chief security officer.
“The complaint involved practices that date as far back as 2014,” a spokesman said. “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”
This article originally appeared on Recode.net.