
We Can't Trust Uber - applecore
http://www.nytimes.com/2014/12/08/opinion/we-cant-trust-uber.html
======
mehwoot
_according to The Washington Post, the company was so lax about such sensitive
data that it even allowed a job applicant to view people’s rides, including
those of a family member of a prominent politician._

worries me a lot more than

 _a 2012 post on the company’s blog that boasted of how Uber had tracked the
rides of users who went somewhere other than home on Friday or Saturday
nights, and left from the same address the next morning._

Obviously Uber has this sort of data, and it can use it in various aggregated
ways. What's more important than demonstrations of what information they could
pull out of this is how serious they are about protecting it from access,
either from people who want to buy that information or employees simply
snooping around. I don't care if someone uses my data in an aggregate way to
do something (e.g. facebook) as long as I am not personally identified.

~~~
tzmudzin
Why would you believe the data was aggregated, and not available in
individualized form in the latter case?

~~~
nemothekid
Because the blog post was publicly posted (and had been available for 2 years
before Uber's recent PR trouble), and the data that was presented was on an
aggregate level.

If you are asking if the blog poster had access to the individualized data, I
imagine he did as he was a data scientist at Uber - but I don't see how that
is something to be alarmed about.

~~~
tzmudzin
They _published_ the data in an aggregated form, but they have _profiled_ the
customers on individual basis.

Now contrast this e.g. to the principles of data protection that Germany has
imposed...([http://en.wikipedia.org/wiki/Bundesdatenschutzgesetz](http://en.wikipedia.org/wiki/Bundesdatenschutzgesetz))

~~~
nemothekid
I'm not sure I quite get what you mean. How do you produce an aggregate
without profiling customers on an individual basis?

Secondly, I don't see how a company like Uber can use their data to power
something like surge pricing while following the exact letter of the BDSG.

~~~
tzmudzin
...so maybe they should keep their hands off the aggregates as well?

For the surge pricing, I'm a bit at a loss, because you don't need personally
identifiable data for it, just a request counter per area ID, right? Maybe I
don't understand it right though...

Also, the reasoning should be the other way around: if I cannot provide a
service respecting the basic privacy of my users, I should not be providing a
service.

------
Thrymr
Previous HN discussion on the (now deleted) "Rides of Glory" post:
[https://news.ycombinator.com/item?id=8644080](https://news.ycombinator.com/item?id=8644080)

They also seem to have deleted other blog posts that people have criticized,
e.g. "Uberdata: How prostitution and alcohol make Uber better" [2].

Internet Archive links:

[1]
[https://web.archive.org/web/20140827195715/http://blog.uber....](https://web.archive.org/web/20140827195715/http://blog.uber.com/ridesofglory)

[2]
[https://web.archive.org/web/20120524052917/http://blog.uber....](https://web.archive.org/web/20120524052917/http://blog.uber.com/2011/09/13/uberdata-how-prostitution-and-alcohol-make-uber-better/)

~~~
gwintrob
That part of the article stuck out for me. The authors then draw a comparison
to OKCupid "experiment[ing] on its users", but Uber is writing blog posts with
anonymized data. I do agree that Uber should be extremely careful with
securing its data, but I'd be interested to read more data analysis.

------
sillysaurus3
_Uber argues that it’s doing only what other technology companies regularly
do. That may be true but it only underlines why we need oversight mechanisms
that cover all of them._

Such as?

If you're giving your data freely to companies, I don't understand what kind
of oversight mechanism could or should protect you.

Imagine a hypothetical oversight mechanism, then imagine the consequences to
tech companies. Imagine the consequences to startups. Not Uber; I'm talking
about tiny, early-stage startups.

Airbnb and Dropbox have enriched my life. I'd hate for regulatory burden to
prevent such startups from forming in the first place.

This isn't a hypothetical concern. The finance industry is so regulated that
you can't easily form a finance startup without having a lot of connections or
a lot of money. Same for the healthcare sector, as far as I've heard.

~~~
sdrothrock
> If you're giving your data freely to companies, I don't understand what kind
> of oversight mechanism could or should protect you.

This argument doesn't make much sense to me.

What if I said,

> If you're giving your money freely to banks, I don't understand what kind of
> oversight mechanism could or should protect you.

I think the crux of the issue is that if I get a car ride with Uber, I have a
reasonable expectation that I am paying for the service of a car ride. There
is no reasonable expectation on my part that I'm giving them money for a car
ride AND ALSO giving them the information about me/my ride to use freely,
regardless of what the TOS may say.

The expectation on the customer's part is that the ride remain private, much like
anything that goes on in the doctor's office. The reality, of course, does not
match that expectation, which is why I think there should be some hypothetical
oversight mechanism that manages the differences between the customer's
expectation and Uber's reality.

Just because Uber has data on me doesn't mean that I have given it to them to
do whatever they want with it.

~~~
sillysaurus3
I'd like to be clear that I totally agree with you: data given to a service
you pay for should remain private.

All I'm saying is that if you enact regulation to try to enforce this, you're
going to cause a lot of unintended consequences. It may even prevent the
Airbnb's and Dropbox's of the future from forming altogether.

Are you sure adding another law is the right response?

~~~
sdrothrock
> Are you sure adding another law is the right response?

I'm not sure, but I do think that it would be beneficial to have an
overarching framework that could be used to protect information that is
commonly believed to be "private." I've thought about it a bit more and
instead of simply "transportation companies may do this and not this in
situations A, B, and C," I feel like we need a modern day "Bill of Information
Rights" and a general reform in how anyone -- government included -- can
collect, use, or distribute information without explicit permission.

~~~
nemothekid
Piggybacking off the parent comment, something like the "Bill of Information
Rights" sounds very similar to "The Right to be Forgotten"

Sure in this context it sounds like a great idea, but down the line it becomes
a tool for the rich with time to censor information.

------
DigitalSea
Quite a sensationalist headline. Basically what this article is saying is that
Uber have all of this info on where you came from, where you are going and
that we should not trust them because they do not have processes in place to
ensure users' information on trips taken is kept private.

While I do not disagree with the amount of data that Uber have, a company like
Facebook and Google arguably know more about us than we do ourselves. Why
should we distrust Uber more than any other company? However, I STRONGLY
believe that companies with data like Uber should be held accountable to very
high standards and any breach of privacy of said data would result in severe
penalties. This is not just an Uber problem, this is a big data problem and
one many companies have.

I recently quit using Uber in favour of other services like Lyft because I do
not believe in Uber's lack of ethics and the way they do business. However, I
don't think it is fair they are being targeted as much by the media as they
currently are. As much as I dislike Uber, I don't think it is fair to single
them out as some lone wolf operating in the wild big data wilderness. We need
to be reasonable and stick to the facts, not speculation.

This article really tells us nothing, gives us no true reason other than a
single incident (as far as I am aware of) of a privacy breach of a journalist's
trip to the Uber offices for an interview. There have been other reported
incidents of data breaches, but without conclusive evidence, it could just be
hearsay.

I am not saying that there is not an issue with companies like Uber and
improper practices with data. I am also not denying that Uber have not had
incidents where data has been viewed by employees or other reasons, however I
am saying there is a lot of false reporting going on at the moment. We need to
remain reasonable and non-objective, let the truth and facts speak for
themselves. Let's not hate on a company just because everyone else is.

As this article points out, this is not specifically an Uber problem, and as
such, I think the title is an inaccurate and deliberate click-bait attempt to
get more viewers.

~~~
smacktoward
_> While I do not disagree with the amount of data that Uber have, a company
like Facebook and Google arguably know more about us than we do ourselves. Why
should we distrust Uber more than any other company?_

I believe the point of the article was that we should _not_ distrust Uber more
than any other company; we should distrust them all equally, i.e. assume they
are _all_ misusing or failing to secure our personal data until an audit by a
trusted third party (an "information fiduciary") can prove otherwise.

 _> However, I do believe that companies with data like Uber should be held
accountable to very high standards and any breach of privacy of said data
would result in severe penalties. This is not just an Uber problem, this is a
big data problem and one many companies have._

The problem is that there is no incentive for the companies to treat customer
data responsibly, while there are substantial commercial incentives for them
to misuse it, or at best to reduce the amount they spend on securing it to the
absolute minimum possible that they can get away with. And since users are
poorly informed and have little power, these incentives will continue to be
misaligned until third parties exist with the market or legal muscle to create
negative incentives around misusing information strong enough to outweigh the
positive ones.

~~~
DigitalSea
> _I believe the point of the article was that we should not distrust Uber
> more than any other company_

If that was their point, then the title they selected, "We Can't Trust Uber"
does a pretty poor job at explaining that consumers should distrust companies
like Uber, Google and Facebook equally. The title insinuates and singles out
Uber solely, but then the article does mention other companies like Facebook
and the power and data that they have. Seems the title was for click-bait
purposes.

There definitely needs to be some kind of change on a regulatory level. I
agree, the problem is these companies lack incentives to be responsible and
treat data like a bank protecting its consumers' money (a poor analogy given
the GFC and all, but still).

------
marcus_holmes
As the article says, this has got almost nothing to do with Uber, and
everything to do with a regulatory regime that allows companies to do anything
they like with data they collect.

Maybe the USA should start looking at the Data Protection / Privacy laws
implemented by Europe and the rest of the world, instead of just dismissing
them as socialist welfare-state hippy-dippy bullshit regulation getting in the
way of business.

~~~
jsprogrammer
Better yet, skip all the business and political bullshit and just build the
open solution with the appropriate security baked in.

Don't trust businesses, don't trust politicians, trust the code and the
process that runs it.

~~~
anigbrowl
Technology can and will be gamed. So can laws and policies, but I think
it's naive to assume that social technology that has evolved over thousands of
years can be replaced overnight with computer code.

~~~
jsprogrammer
Probably not overnight, but possibly years and decades.

There's no need to eliminate social behavior, that's arguably the entire
'point'. What we likely can do is, identify places where code is more
appropriate and use it.

------
brohoolio
I'm not going to use the service. Everything that keeps coming out about Uber
has been super shady.

I'm not the only one. Big Uber proponents who I know have stopped using their
service.

It's not going to stop the masses, but if stories like this keep coming out
without policy fixes they are going to lose their edge. All they are is a
dispatch service.

~~~
jsprogrammer
It seems like Uber could be easily replaced with an open solution. Anyone
working on it?

~~~
nostrademons
The hardest part of Uber or any sharing-economy company isn't the technology,
it's building the two-sided market. This requires boots on the ground and
people who are paid to go out into the community and manually sign up drivers;
it's hard to do this unless you have the capital to hire these people.

~~~
jsprogrammer
Why couldn't you just provide the market tools, similar to early eBay?

~~~
nostrademons
Because the tools are useless unless other people are using them. Someone
comes across your open-source Uber alternative on GitHub, says "But what can I
_do_ with it?", and the answer is absolutely nothing unless there's a critical
mass of drivers in your area.

Basically all of the competitive advantage in Uber's business model is in
creating that critical mass of drivers.

~~~
jsprogrammer
I guess I'm assuming that drivers would want a fair and open system.

Maybe I'm wrong.

~~~
gsnedders
I'd assume most of them are more concerned about having a constant influx of
passengers and getting a fair wage.

------
skybrian
This article mixes up a couple different issues.

First, internal controls: what can employees do when they access the user
database? Beginning startups probably don't have a lot of formal policies and
you're relying on good judgement of the founders and first employees. As a
company grows, they need to guard user data with access restrictions, restrict
root to a few trusted sysadmins, and put in place clear rules about what
employees with legitimate access to the database are allowed to do. (And of
course if your database gets owned it's all for nothing, so you can't protect
privacy without good security.) It sounds like Uber might be behind on this,
relative to their scale.

Second, what can you do with aggregate reports generated from user data?
Facebook and OkCupid and Uber posted research articles to their blog
summarizing some of their users' overall characteristics. When it's okay to do
this sort of research is debatable, but it's a different issue from invading
the privacy of individual users.

Unfortunately taking a regular taxi may not help [1]. That was a screwup rather
than intentionally revealing user data, but by now everyone should know that
publishing anonymized records is really hard and probably shouldn't be done at
all.

[1] [http://research.neustar.biz/2014/09/15/riding-with-the-stars...](http://research.neustar.biz/2014/09/15/riding-with-the-stars-passenger-privacy-in-the-nyc-taxicab-dataset/)

------
downandout
_" The problem wasn’t just that a representative of a powerful corporation was
contemplating opposition research on reporters..."_

The Uber corporation did no such thing, and the executive involved wasn't
"contemplating" anything. This individual executive made a colossally stupid,
hypothetical statement during a rant at a party about what he would like to do
to a self-declared enemy of the company that happened to be a member of the
media (a term I use loosely in this case). This rant was reported to Sarah
Lacy (the target of the hypothetical), who, smelling opportunity, then wrote a
blog post about how Uber had hitmen hunting her children while they slept in
their pajamas (seriously, she actually talked about the danger they were in
while they slept in their pajamas).

Of course, when interviewed about it on Bloomberg West, Sarah Lacy was certain
that this was a "plan" and not a hypothetical, but could produce no evidence
of any actions taken or pinpoint any harm that befell her or her sleeping
children. NYT is a little late on this one, but given the nice revenue pop
that Sarah Lacy's wild exaggeration of the story must have brought, I can see
why they are trying to beat this dead horse. Sadly, this story has about as
much significance as the original.

~~~
Borogravia
Actually, Uber already did exactly what the article was talking about, to a
Buzzfeed reporter. You should probably read more carefully.

~~~
downandout
They fed negative stories about the personal lives of reporters and their
families to the media? If you have proof, I'd love to see it. Because that's
what the "threat" and the corresponding publicity were all about. It had
nothing to do with being able to show someone where they've been, which is
common and should be expected with any app _that you authorize your phone to
give location data to_.

Perhaps you should take your own advice about reading more carefully.

------
yafujifide
Although I largely agree with the premise, the author assumes that the only
way to solve this problem is with government regulation. I think a better way
to solve this problem is with decentralization. The problem Uber solves is one
of coordination. This does not require a central intermediary like Uber. It
could be solved in a decentralized manner with p2p networks. With a
decentralized Uber, only you and the driver would know where you started from
and where you went. Privacy would be improved.

~~~
brador
Serious question, how would a decentralised system have dealt with the recent
uber driver rape case?

~~~
pavanred
To provide some context, an Uber driver was arrested on rape charges in Delhi
today. Uber allegedly hired a repeat sex-offender driver without a mandatory
police background verification. [1] And, I agree that a decentralized system
without any regulation or oversight could probably improve privacy but is
definitely not the solution.

[1] [http://www.firstpost.com/living/cab-driver-a-repeat-offender...](http://www.firstpost.com/living/cab-driver-a-repeat-offender-uber-should-take-moral-responsibility-for-delhi-rape-1838175.html)

------
zaidf
It's hysterical reading the drama about Uber because it misses the biggest
reason why someone shouldn't use Uber: it's almost always more expensive than
Lyft, at least using Line in San Francisco. This morning I got a lyft ride
from downtown SF to SFO for $18. The Uber _quote_ was $25-32.

------
zeeshanm
Articles like this one remind me of Baudrillard who once famously said the
only way out of this is to unplug and in this "post-modern" society we are the
ones unplugged by these apps. I mean why in the world you can't walk 5 blocks
and have to "hail" uber or lyft or sidecar or hailo or what have you. I know
there are other specific use cases of these apps, too.

------
smhinsey
They don't seem to care much about their users. I had an account I hadn't used
in years, long enough that the credit card associated with it was expired.
This resulted in my account being locked in a way that required me to contact
their helpdesk. After telling me to do the equivalent of power cycling my
machine by going through their password reset screens, which I'd already
tried, they told me that to restore my account I'd need to email them a
picture of my driver's license. This leads me to believe that their support
database is probably a goldmine for identity thieves and generally those
databases are not exactly Fort Knox.

------
general_failure
The title should read 'we cannot trust uber either'. Other companies like fb,
google, do the very same thing except they are more secretive about it

------
ams6110
Opportunity for an Uber-like service that destroys your ride data after you
have reached your destination (why do they need it after that, anyway?)

~~~
cddotdotslash
"It's like Snapchat but for ride sharing"

------
goodgoblin
The article does well by pointing out that Uber isn't the only company to do
these kinds of things, and in fact almost every corporation engages in some
variation of these tactics. Everyone knows that corporations have the same
psychological profile as sociopaths, but what is fascinating about the recent
Uber revelations is how clumsily they play their part. Sociopaths do not
understand why society is organized the way it is, yet they do understand that
it is important to appear to understand it, to appear to be a good law abiding
citizen. Sociopaths and corporations both take great pains to hide their true
anti-social and parasitic intentions. Once spotted by the herd the sociopath
must restart the painstaking process of making friends, pretending to care
about things real people care about, ingratiating themselves with a community
and building up trust for the sole purpose of betraying that trust in secret
later.

For many reasons, the media is generally content to let the dirty tricks
companies engage in pass by without examination, leaving the machinations of
the sociopathic corporate spiders mostly in the dark. The media earns its
keep by convincing society that their version of the truth is the best
approximation money can buy.

The mistake Uber made was in threatening a reporter, an action which triggered
a very personal response, the kind of response that humanizes the parties
involved and clearly demonstrates the difference in the kinds of things Uber
is willing to do to advance their goal (blackmail a reporter so they can
replace more cab rides with Ubers) vs. the kinds of goals people have (to
enjoy Friday night, get home from the airport). Though it likely won't last
long, there is a window of time where incensed reporters may ply their trade
without the usual over-riding concern for their own career, and benefit
society in the process.

Their rate of expansion potentially at risk, Uber will likely respond with a
bill of rider's rights and a corporate pledge to uphold the highest ethical
standards. In time people will be trained to think of Uber and high moral
standards as closely correlated, and all the while the corporate spiders in
the shadows have been watching and learning from Uber's mistake. Eventually
Uber's case will be used in business schools to teach the dos and don'ts of
important subjects like Media Relations (1. never clumsily proclaim your
intent to blackmail reporters. 2. always restore a tarnished reputation
through a combination of both marketing and policy). Boutique marketing firms
will specialize in helping corporations write privacy policies that are made
to be marketed, crafted to neutralize negative impressions long enough to lull
the sheep back to complacency.

~~~
goodgoblin
Did whoever voted me down even read this? I wish I could delete it now, you
people don't deserve this comment.

------
TheM00se
Uber is scum, I hope they get shut down soon, very soon.

~~~
mcv
This is getting increasingly clear. A year ago I was pretty positive about
Uber, but not anymore. They play dirty. They play dirty wherever they get the
chance. I don't trust them not to use their data to blackmail.

------
swiftydev
We Can't Trust Nytimes

------
suprgeek
Every single recent (and not so recent) item about Uber screams ethically &
morally bankrupt scumbags who would soon as throw you under a bus (or an Uber)
if it meant making a fast buck.

1) In the New Delhi Uber rape case -they failed to verify the driver who was a
repeat offender, they had no call number and no way to access drive logs from
India.

2) As others have pointed out - the concept of privacy at Uber is tragically
laughable (Rides-of-glory, God Mode, Using riders info for non-ride purposes
etc etc)

3) Playing dirty with competitors is encouraged

4) The VP who boasted of hiring a hit team to dig up dirt on Journalists'
families is still working at Uber after saying this in a very public forum.

And this is just the recent stuff. Why anyone would patronize this scummy
company is really beyond comprehension.

[1] [http://indianexpress.com/article/india/india-others/after-vi...](http://indianexpress.com/article/india/india-others/after-victim-went-to-police-dcp-had-to-download-app-and-book-a-cab-to-find-office/)

~~~
ianhawes
I would say the only item you've brought up that even comes close to "morally
bankrupt" is #3. While Uber has definitely used some dirty tricks to go after
Lyft, my understanding is they've teamed up with them in going after
regulatory issues.

The New Delhi rape case could have just as easily happened to Lyft. The
infrastructure for background checks and criminal records in India is more or
less nonexistent, so I doubt that Lyft would've been able to catch this driver
before he committed a crime any more than Uber would've been able to. The
incident is awful, but not Uber's fault. Moreover, would a taxi company be
held responsible for a driver raping a passenger?

The examples of Uber violating privacy are sketchy at best. It appears that
the god mode app is akin to Google's live search feature which displays
thousands of real-time searches for demonstration purposes. The rides-of-glory
incident was definitely a PR gaffe, but once again, far from morally bankrupt.
If anything it was a play on the OKCupid-style data driven blog posts. I don't
see anyone accusing them of being morally bankrupt.

As for the comments on digging up dirt on journalists, based on what's come out
from OTHER sources at the private dinner (NOT a "very public forum" as you
described it) it was taken out of context.

It's unfortunate that Uber is taking heat for so many things. I use Uber often
and trust them with my data. I think anyone that is seriously troubled by the
recent onslaught against Uber should take a moment to really think about
whether they provide a genuine service or are just scumbags.

~~~
plinkplonk
"The infrastructure for background checks and criminal records in India is
more or less nonexistent"

Duh. Not true. It is not a perfect system, but there _is_ a system of police
verification. If someone has gone to jail for rape, (as this driver has) the
check would bring it up.

Besides the point isn't whether the system is perfect. The point is that Uber
didn't bother using the system or following the laws of the land and plays
fast and loose with claims of "verification of drivers".

From Uber CEO Travis Kalanick "We will work with the government to establish
clear background checks currently absent in their commercial transportation
licensing programs"

He makes it sound like it is the government's fault. No, background checks are
not "currently absent" in transportation licensing.

Police verification of taxi/transport drivers is mandated by law. Uber ignored
this law (as it ignores many laws, all over the world). Now this lowlife
blames the government/Indian laws.

You can't decide not to follow laws because you think them "incomplete", and
then not get blamed when such avoidance bites you in the ass.

What a dick. "Safest rides on the road" my ass.

~~~
general_failure
The police in India are morally bankrupt. A background check by them carries
little value.

~~~
FlyingSnake
I'm sure you've sources to back up your claim.

------
unixpunx
Uber should make a social media website, that way nobody would care. All kind
of shady business or lack of ethics are completely forgotten, as long as
people get to post selfies and show off their socioeconomic status to other
losers like them.

------
discardorama
Email companies (I won't name names here) have _much_ more sensitive data than
Uber does. How come the same scrutiny isn't brought to bear on them? We do
know that some of the leading ones will mine your emails for targeting. I
remember once I was having a little tiff with the GF, and the ads I saw were
for marriage counselors and therapists. That was creepy.

~~~
Hoffmannnn
They must abide by numerous data privacy, security, and internal access laws,
here and abroad. It just so happens that most of the laws are abroad.

------
neilarmslow
I'm amazed that in all this news coverage, this story hasn't risen to the top.
It's far more relevant than the company in question here.

"Buying news coverage and crying misogyny in the ride-sharing industry"

[https://medium.com/@PersonofAwesome/buying-news-coverage-and...](https://medium.com/@PersonofAwesome/buying-news-coverage-and-crying-misogyny-in-the-ride-sharing-industry-dedeec300ae9)

~~~
FeeTinesAMady
That article raises some good points, but the problem here is that Uber is
really, genuinely awful, and the ones in power there are terrible people. See
their fraudulent calls to Lyft, the way they lie to drivers about how much money
they'll make, etc.

