Recently, the Federal Trade Commission settled with Uber, the result of a three-year investigation that began after news reports alleged Uber employees were improperly accessing customer data. You may recall hearing the word "Godview" tossed around, which referred to the company's alleged display of its customers' locations in real time. The FTC also alleged that Uber failed to "provide reasonable security" to prevent unauthorized access to customer data stored in the cloud, resulting in a breach in May 2014. The settlement requires Uber to implement a comprehensive privacy program and undergo audits every two years for the next 20 years, among other things.
On a media call to discuss the settlement, FTC Acting Chairman Maureen Ohlhausen said the settlement demonstrates "companies must honor their promises about how they’re going to protect customer's information," whether it be a fast-moving startup or a 200-year-old firm. She said, going forward, "our order requires a culture of privacy sensitivity for Uber," and that it's "going to make them take privacy into account every day to comply with our order's provisions."
But Melanie Ensign, who does privacy and security communications at Uber, said the company was taking privacy into account long before the settlement came into play, hiring its first chief security officer, Joe Sullivan, in 2015 — whose responsibilities include privacy — and building teams with shared responsibility for demonstrable privacy metrics. Officially, privacy at Uber is a shared responsibility between the CSO and the legal team. Ensign was brought on in October to help educate users about choices they can make to impact their privacy while using the app.
So how does privacy work, on an operational level, at a company that has struggled with headlines related to its decisions on privacy? And what has changed?
Menotti Minutillo is the manager of privacy engineering at Uber, and he was hired a year and a half ago. He runs the privacy engineering team, which is responsible for building user-facing functionalities and the consumer pieces of any product as they relate to privacy. It's currently a team of seven with plans for additional hires. Everyone on the team has a software engineering background.
That team was responsible for the recent release of its open source differential privacy project, a collaboration with researchers at UC Berkeley, which essentially allows Uber employees, such as data analysts, to run database queries in a more privacy-sensitive way without having to completely rebuild the databases themselves. It's based on a model called "Elastic Sensitivity," developed by the researchers. It's a sophisticated and complex model, but, boiled down, it essentially adds "noise" to query results to help protect user data from potentially being re-identified, exposing sensitive information about them.
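As an added illustration (not Uber's or the Berkeley project's code), here is the core idea in Python: a count query is answered with Laplace noise scaled to how much a single rider can move the answer. The trip records are constructed, and `user_sensitivity` is a deliberately simplified, hypothetical stand-in for the per-user bounds Elastic Sensitivity derives from the SQL query itself.

```python
import math
import random

# Constructed sample of trip records (rider_id, pickup_zone); not real data.
TRIPS = [
    ("r1", "downtown"), ("r2", "downtown"), ("r3", "airport"),
    ("r1", "airport"), ("r4", "downtown"), ("r5", "suburb"),
]

def make_rng(seed):
    """Seeded generator so a run can be reproduced; use SystemRandom in practice."""
    return random.Random(seed)

def true_count(trips, zone):
    """Exact answer the analyst's query would return without any protection."""
    return sum(1 for _, z in trips if z == zone)

def user_sensitivity(trips):
    """Most rows a single rider contributes, i.e. the most one person can change
    a count by. Simplified stand-in for the per-user bound Elastic Sensitivity
    derives from the query (hypothetical helper, not the project's API)."""
    per_user = {}
    for rider, _ in trips:
        per_user[rider] = per_user.get(rider, 0) + 1
    return max(per_user.values(), default=0)

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) by inverse CDF; scale 0 returns no noise."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

def dp_count(trips, zone, epsilon, rng):
    """epsilon-DP count: true answer plus Laplace(sensitivity / epsilon) noise."""
    scale = user_sensitivity(trips) / epsilon
    return true_count(trips, zone) + laplace_noise(scale, rng)

def mean_of_answers(trips, zone, epsilon, n, seed):
    """Average of n noisy answers: shows the noise is unbiased, and also why
    repeated queries must draw on a finite privacy budget."""
    rng = make_rng(seed)
    return sum(dp_count(trips, zone, epsilon, rng) for _ in range(n)) / n

def worst_case_density_ratio(count_a, count_b, epsilon, sensitivity):
    """Largest ratio of output densities for two databases with true counts
    count_a and count_b; differential privacy requires it to stay at or below
    exp(epsilon) whenever the databases differ by one rider."""
    return math.exp(abs(count_a - count_b) * epsilon / sensitivity)
```

Because rider r1 appears twice, the noise scale is 2/epsilon rather than 1/epsilon; a per-row sensitivity of 1 would understate what one person can reveal.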
"This is not the only piece of tech in place to protect user data that Uber holds on to," Minutillo said. "So you [hypothetically] have the authority to access a piece of user data as part of your job; this is an additional layer on top of that."
Minutillo said when he was hired, privacy was very early on presented as a priority. "We identify ourselves as being a data-driven business and want to do right by users," he said. "And that doesn't necessarily always make it to the consumer; they may not know that that's happening."
Uber sees using differential privacy as key to its future relationship with customers. It's a way to do privacy without requiring the very high computational costs that can be associated with anonymizing data sets, and without skewing results.
"When I first joined," Minutillo said, "they said, 'This isn't a two-month sprint kind of project; we're going to see if this is an area that has a practical application at our scale.'"
Zach Singleton is a product manager at Uber and leads the effort to build the in-app privacy settings and account-deletion feature. His job is to vet potential products via official proposals and then either to help build the product or to advise on it.
The formal process for new products or features goes like this: A request for comments (RFC) is submitted, meant to inform the goal, timeline and scope of what the product will be. That document is sent to the technical engineers, as well as Singleton. Then, a group of stakeholders meets to discuss potential concerns.
"We're moving toward this concept of privacy design, where privacy is considered very early on in the product development process, and ever since I've been here in the last year, I've seen a big shift," Singleton said. "At first, it was me parsing through these RFCs and reading through products built to understand the implications for privacy and areas where I need to consider where choice is being considered, and legal was doing the same. Now that has shifted, and those teams are coming to us directly and telling us things we need to look at. That's a tremendous shift for the company."
Ensign says that comes from the top. "Any time that we're able to move the needle for privacy, the CSO is the first one to champion that message. He's very communicative about it across the entire organization."
"The top-level metric is trust," Singleton added. He said he has watched the company's focus on privacy grow since his onboarding. "Privacy has become one of the cool things to work on at Uber. Pretty much half our engineering team at Uber is people who saw the work going on here, the opportunity to contribute and be on the front lines and wanted to be a part of that. And I don't see that really changing at all going forward."
The company recognizes that it has got to make up for some of its privacy missteps in recent years, and that's part of these changes, Ensign said.
"We know there's a bit of a halo effect in terms of things the company did in the past, and I think the key lesson there is it's important to have seasoned and trained professionals working on these problems," she said. "There's an acknowledgment of where the company was before we had a centralized security and privacy organization. A lot of what we've seen, even though we've seen it recently come to the surface, they are mistakes or missteps from years and years ago. So what we've seen as we've brought in these very experienced and passionate professionals here working on these issues, that will change the culture of the company. I feel like this is a very different approach than the Uber we remember."
But why not just hire a chief privacy officer? Wouldn't that be, if nothing else, a great PR move for a company trying to recover from its former privacy missteps?
"I would say our model is working," Singleton said of the shared responsibility for privacy across teams, versus a privacy office. "It's effective for us. I think it's public we're looking for a new CEO, that'll be that person's responsibility to come in and not only explore this area but every area of our company, and where things are working effectively."
Ensign added, "Regardless of if we ever have a CPO at Uber, there are people on the hook." It's in their performance metrics, evaluated on a biannual basis, that the company "moves the needle on trust and whether or not users feel we have their back in terms of privacy. There are executives on the hook at the c-suite level, then entire teams where all our objectives and key results are based on this."
Regarding the settlement, Ensign said many of the changes the company has made since the FTC's investigation began should likely satisfy the agency, "and the remainder will be covered as we continue working toward GDPR compliance. Every major tech company has entered into a consent decree with the FTC, and we consider this a step forward in our development as a company."