Uber settles U.S. allegations over data privacy

WASHINGTON/SAN FRANCISCO (Reuters) - Uber Technologies Inc [UBER.UL] has agreed to two decades of audits after U.S. regulators found the ride-services company failed to protect the personal information of drivers and passengers and deceived the public about efforts to prevent snooping by its employees.

The Federal Trade Commission on Tuesday announced a settlement with Uber that requires the San Francisco-based company to implement a privacy program and conduct an audit every two years for the next 20 to make certain it meets the FTC requirements.

“Our order requires a culture of privacy sensitivity for Uber,” FTC Acting Chairman Maureen Ohlhausen said on a call with reporters. “It’s going to make them take privacy into account every day.”

The settlement reflects Uber’s latest attempt to move past a series of crises, including an internal probe of sexual harassment allegations, the departure of CEO Travis Kalanick and other top executives and a high-stakes lawsuit over its autonomous car designs.

Uber is now consumed by in-fighting among a divided board of directors and angry shareholders after an investor lawsuit was filed against Kalanick, who was ousted in June. [nL1N1KX21E]

An Uber spokesman said in an emailed statement that the company was pleased the FTC investigation had ended, adding: “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”

The FTC started its Uber probe following media reports in late 2014 that revealed a program dubbed “God View,” which allowed company employees to monitor the real-time locations of customers who had requested a ride through the app. Around the same time, Uber executive Emil Michael, who has since left the company, suggested Uber should hire opposition researchers to investigate journalists who had been critical of the company.

Following the uproar over God View, Uber claimed in 2015 that it had a “strict policy prohibiting” employees from accessing rider and driver data. But in fact, Uber enforced that policy for only about eight months, said Ben Rossen, FTC staff attorney.

The FTC also investigated a massive data breach in May 2014 in which more than 100,000 names and license numbers of Uber drivers were stolen.

The FTC said Uber “did not take reasonable, low-cost measures that could have helped the company prevent the breach.” For example, Uber allowed its engineers and programmers to use a single key that gave them full administrative access to all the data, the agency said.

Uber noted that the issues covered in the FTC investigation occurred years ago, and in 2015 the company hired its first chief security officer and “now employ hundreds of trained professionals dedicated to protecting user information.”

Not covered by the FTC investigation was Uber’s use of the software tool “Greyball” to avoid enforcement of local taxi laws, to which it admitted in March.

Ohlhausen declined to say whether the FTC was investigating that matter. Reuters reported in March that the U.S. Department of Justice opened a criminal investigation of Uber’s use of Greyball. [NL1N1I52JA]