What You Need to Understand About Uber Data Collection, Sharing, and Security
by Reese Kimmons, MS ISA
You’ve got a busy day ahead, you’re running late, and now you find that your car will not start. You need to get to the office, so you decide to give Uber a try. You download the app to your phone and send your ride request.
You’re in a hurry, so you don’t take time to go through all of those terms and conditions and privacy policies.
Besides, you’re just requesting a ride to work. How much information could possibly be collected and shared out?
In addition to exploring some of the main points included in the Uber privacy summary, this article examines Uber’s data security and sharing practices as well as its breach history.
You are, of course, asked to provide a fairly significant amount of data when you download and install the Uber app. (We’ll talk about that more in the next section.)
You should know, however, that Uber doesn’t just collect data on their app users and rideshare customers. The company also gathers information about their rideshare and delivery drivers along with customers who receive deliveries via their Uber Eats, Postmates, and Cornershop services.
Basically, information about your activities will be collected whenever you use any of Uber’s apps, features, or websites anywhere in the world. If your organization uses Uber’s services and you are the one who uses the app on the company’s behalf, Uber also collects your personal contact information.
Let’s say you do not have the Uber app and never intend to get it. All you need to do is order something from a website or app that uses Uber for its deliveries and you’ll make it onto Uber’s list of individuals whose data is being collected.
You may not even be aware that Uber is providing the delivery services. Uber refers to these individuals as “guest users.” Even if a friend or family member provided your information to have something delivered to you, your guest user data will be collected and used.
Perhaps with the rise of the gig economy and everything that’s been going on since 2020, you once considered driving for Uber. You began completing an application to be a driver, but you decided against it and exited the application before it was completed. Uber will still retain whatever personal information you entered before you exited the application.
What data is initially collected?
Those who create Uber profiles in order to use Uber apps and services, or to drive for the company, may be asked to provide a great deal of data including a profile picture, banking and/or payment card information, a driver’s license number or information from other forms of government identification, date of birth, gender, vehicle and insurance information, emergency contacts, and even medical data as evidence that they are healthy enough to provide services for the company.
Uber may also collect and store criminal history data in connection with the background checks it performs on potential service contractors.
Uber collects transaction information. When you use Uber services, the company collects data about the type of services requested, transaction amounts, merchant information, delivery data and more.
If you receive a promo code from Uber and you give that code to another user, Uber will create an association in its records between you and the other user. The company also collects information about third-party sites you visit before using its services.
Uber allows its customers to communicate with one another and with service providers using the Uber app. If you use this functionality, however, you should know that the company will be gathering information about your texts, voice calls, file transfers, and other communications conducted via the app.
How Uber uses your data
Uber states that its primary purpose for collecting so much data is to ensure reliability of its services. They also state that collecting this data allows them to provide a higher level of safety and security to their customers and to improve customer support.
Uber says it does not sell customer data, but admits that the data is used to send targeted advertisements and other marketing and non-marketing communications to its users including communications regarding promotions and features, services, contests and sweepstakes, studies and surveys, and news and events.
The company may send this information via email, text, ads, ads on third-party sites, push notifications, and in-app communications.
Uber shares customer data with its partners, including Meta/Facebook and TikTok (owned by the Chinese company ByteDance Ltd). The data shared includes hashed customer email addresses, information about how customers use Uber services, and individual device and user identifiers. Uber claims that it does so to improve ads for its services.
Uber may also share user data including user names, locations, and ratings with other users.
There are steps you can take to opt out of some of this data collection and sharing, but doing so will very likely limit the functionality of your Uber app. See the Marketing Choices section of the privacy summary for more details.
How does Uber store customer data?
Uber doesn’t provide many details about how or where it stores user data, but, being a worldwide organization, it operates what it refers to as “data controllers” in multiple nations. Uber’s policy also gives it the ability to transfer data from one nation to another should the need arise.
Uber breaches and security incidents
The unfortunate reality about data collection is that the companies gathering their users’ data, often without the users’ knowledge, may not be effectively securing that data.
You, as an informed consumer, can take all the steps necessary including using a VPN and other security tools and still find that, despite your best efforts to secure your devices and home network, your information was lost in a data breach.
Uber has a history of data security issues. The most recent incident in August of 2020 resulted in the exposure of the personal data of 579 Uber Eats customers and 100 delivery drivers. The stolen data was found on the Dark Web.
Uber’s application includes functionality known as “God View” that allowed its employees to perform unauthorized tracking of celebrities and well-known athletes in 2017. A complaint was filed and Uber was forced to enter into a settlement with the U.S. Federal Trade Commission. Terms of the FTC settlement require that Uber submit to regular privacy audits for a term of 20 years.
In October 2016, the personal information of 57 million Uber account holders was compromised. Uber paid the attackers $100,000 to keep the breach a secret, but that didn’t happen.
Also compromised were the license plate and driver’s license numbers of 600,000 users.
The Uber CEO never denied knowledge of the breach, but claimed that no Uber systems were compromised. Rather, the CEO claimed that two individuals outside of the company compromised cloud storage systems belonging to third parties and being used by Uber.
Uber has suffered breaches and had data security issues dating back to 2011.
We decided to make Uber the subject of this article because it is the most successful of the rideshare service providers.
Other ride services and apps also collect and share large volumes of user data and have written policies so lengthy that users rarely, if ever, read them.
The U.S. National Cybersecurity Alliance built a tool specifically to help consumers understand the privacy and data sharing policies and protections offered by rideshare services, websites, banking apps, email services, browsers, healthcare apps, online dating and social media sites, and much more.
The site includes links to privacy policies of all of those apps and entities and can be very informative to anyone considering installing a new application or signing up for a new service.
About the Author:
Reese Kimmons is an experienced IT executive with an AAS in Applications Programming, a BS in IT Management and an MS in Information Security and Assurance. During his time in the IT industry, Reese has earned certifications in ethical hacking, forensics investigations, ISO/GIAC, and Cisco networking.