Uber has agreed to two decades of audits after U.S. regulators found that the company failed to protect the personal information of drivers and passengers and deceived the public about efforts to prevent snooping by its employees.
The Federal Trade Commission on Tuesday announced a settlement that requires the San Francisco-based company to implement a privacy program and conduct an audit every two years for the next 20 years to make certain it meets the FTC requirements.
“Our order requires a culture of privacy sensitivity for Uber,” FTC Acting Chairman Maureen Ohlhausen said on a call with reporters. “It’s going to make them take privacy into account every day.”
An Uber spokesman said in an emailed statement that the company was pleased the FTC investigation had ended, adding: “We’ve significantly strengthened our privacy and data security practices since then and will continue to invest heavily in these programs.”
The FTC started its Uber probe following media reports in late 2014 that revealed a program dubbed “God View,” which allowed company employees to monitor the real-time locations of customers who had requested a ride through the app. Around the same time, Uber executive Emil Michael, who has since left the company, suggested Uber should hire opposition researchers to investigate journalists who had been critical of the company.
The FTC said the company “did not take reasonable, low-cost measures that could have helped the company prevent the breach.” For example, Uber allowed its engineers and programmers to use a single key that gave them full administrative access to all the data, the agency said.
The ride-share company noted that the issues covered in the FTC investigation occurred years ago, and in 2015 the company hired its first chief security officer (CSO) and “now employ hundreds of trained professionals dedicated to protecting user information.”