Uber on Tuesday agreed to improve its privacy and security practices and to allow outsiders to monitor its progress for 20 years. The agreement with the Federal Trade Commission would resolve complaints stemming from a 2014 incident in which a hacker gained access to the names and driver’s license numbers of more than 100,000 Uber drivers.
The company won’t have to pay a fine, or at least it won’t so long as audits show that the company is making good on its promises to ensure customers’ and drivers’ privacy and security.
That may seem like a weak punishment, especially considering that it is Uber’s second FTC settlement this year, following a January agreement to repay drivers $20 million for misleading them about how much money they could make. But it reflects the FTC’s limited enforcement powers. An FTC spokeswoman explains that the agency can’t levy a fine for an initial violation.
“People always complain that this is a slap on the wrist compared to Europe,” says Woodrow Hartzog, a professor of law and computer science at Northeastern University School of Law. “But there’s only so much the FTC can do.”
“We are pleased to bring the FTC’s investigation to a close,” an Uber spokesman said in a statement. “We’ve significantly strengthened our privacy and data security practices since (2014) and will continue to invest heavily in these programs. In 2015, we hired our first chief security officer and now employ hundreds of trained professionals dedicated to protecting user information.”
The agreement is not toothless. After all, it gives the FTC oversight over the company’s privacy and security practices for 20 years. Such agreements—called consent decrees—have become the de facto standard for the FTC to regulate privacy practices at tech companies. The agency has entered into similar 20-year agreements with Google, Facebook, and Snapchat, among others.
“The FTC has basically gone around collecting these consent decrees from a ton of companies,” says William McGeveran, a professor at University of Minnesota Law School. “Because they run for 20 years, even the ones from the early Bush administration are still enforced. This increases the FTC’s future leverage over Uber, and that’s worth something.”
In 2012, for example, the FTC fined Google $22.5 million for violating a 2011 settlement. “Facebook, I think, has gotten a lot better since the FTC went after them,” McGeveran says.
In Uber’s case, the FTC alleged in a complaint that the company claimed to follow “standard, industry-wide, commercially reasonable security practices” but often did not. For example, Uber left user data unencrypted on a cloud service that many people within the company could access, according to the FTC’s complaint. Plus, the engineers who had access all used the same encryption keys. That’s a bit like leaving all its users’ personal data in unlocked filing cabinets inside a building for which every employee has a key. All it would take for an outsider to gain access was for an employee to leave their key in plain sight. That’s exactly what happened in May 2014, the FTC complaint says, when someone breached Uber’s server using an encryption key that an engineer accidentally posted to a public website.
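The leak path the complaint describes, a credential pasted to a public site, is the kind of mistake organisations now try to catch before content leaves the building, by scanning commits and pastes for key-like material. The following is an added illustration of that control, not Uber’s code and not anything the FTC order specifies: a small scanner that flags lines containing a sensitive-looking variable name assigned a long value, a high-entropy token that resembles key material, or a PEM private-key header. All sample lines and the “secret” token in them are constructed for this example; the 4.5 bits-per-character threshold is a common rule of thumb chosen so that hex digests, which cannot exceed 4.0, do not trip it.

```python
"""Minimal pre-commit style secret scanner (added example, not the page's own code)."""
import math
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Heuristic 1: a sensitive-looking name assigned a value of 16+ token characters.
SENSITIVE_ASSIGNMENT = re.compile(
    r"(?i)\b([a-z0-9_.-]*(?:secret|token|passw(?:or)?d|api_?key|access_?key|private_?key)[a-z0-9_.-]*)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9+/=_\-]{16,})"
)
# Heuristic 2: any run of base64 / URL-safe characters long enough to be key material.
LONG_TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
# Heuristic 3: PEM private-key blocks (RSA, EC, OPENSSH) all open with this header.
PEM_HEADER = "-----BEGIN"
ENTROPY_THRESHOLD = 4.5  # bits/char; hex digests max out at 4.0, so they stay below this

# Constructed sample of lines that might be committed or pasted publicly.
SAMPLE_LINES = [
    'db_host = "db.internal.example"',
    "retry_count = 3",
    # Constructed token for demonstration only, not a real credential.
    "AWS_SECRET_ACCESS_KEY=A9fK3qZ8xL2mP7vB4nR6tY1wE5uI0oS3dG7hJ2kQ",
    "-----BEGIN RSA PRIVATE KEY-----",
    # SHA-256 of the empty string: long, but hex entropy stays under the threshold.
    'checksum = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"',
]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the character frequencies in s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> List[str]:
    """Return the reasons a line looks like it carries a secret; empty list if clean."""
    reasons: List[str] = []
    if PEM_HEADER in line and "PRIVATE KEY" in line:
        reasons.append("pem-private-key")
    m = SENSITIVE_ASSIGNMENT.search(line)
    if m:
        reasons.append(f"sensitive-name:{m.group(1)}")
    for tok in LONG_TOKEN.findall(line):
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            # Only a prefix is reported so the scanner's own output does not re-leak the value.
            reasons.append(f"high-entropy:{tok[:6]}...")
    return reasons


def scan(lines: Iterable[str]) -> List[Tuple[int, str, List[str]]]:
    """Scan lines in order; return (line number, stripped line, reasons) for each hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            findings.append((lineno, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for lineno, text, reasons in scan(SAMPLE_LINES):
        print(f"line {lineno}: {', '.join(reasons)}")
```

Wired into a pre-commit hook, a non-empty result from `scan` blocks the commit; the same logic runs equally well over a paste-site or chat export. The entropy rule is deliberately blind to hex digests, which keeps checksums and commit hashes out of the findings, at the cost of missing a key that happens to be hex-encoded; the name-based rule exists to cover that gap.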
Tuesday’s agreement may not be the end of Uber’s problems with the FTC either. Hartzog says a recent paper by University of Washington law professor Ryan Calo and multidisciplinary researcher Alex Rosenblat of the research institute Data & Society points to other potential privacy concerns, such as monitoring how much battery power remains on a user’s device, because users with little juice might be willing to pay more for a ride.
“When a company can design an environment from scratch, track consumer behavior in that environment, and change the conditions throughout that environment based on what the firm observes, the possibilities to manipulate are legion,” Calo and Rosenblat write. “Companies can reach consumers at their most vulnerable, nudge them into overconsumption, and charge each consumer the most he or she may be willing to pay.”
Going after Uber and similar companies over less-visible privacy practices will be harder than making the case that led to Tuesday’s settlement, however. Consent decrees are a safe way to make a case stick, Hartzog explains. Given the FTC’s limited powers, it will be harder to convince a judge that a harsher penalty is warranted.