
FTC says Uber took a wrong turn with misleading privacy, security promises - artsandsci
https://www.ftc.gov/news-events/blogs/business-blog/2017/08/ftc-says-uber-took-wrong-turn-misleading-privacy-security
======
johnmarcus
This isn't an Uber problem - it's a startup tech problem - no one wants to
take security seriously because it's a cost sink that only averts risk, does
not actually make a company revenue. I have seen SSNs stored insecurely, open
APIs with customer data, old frameworks and languages that no longer receive
security patches. Nearly every startup says they take security seriously,
because that's the right answer to say, but very very very few actually do.
This is just another minor blip in the otherwise very large system of data
available everywhere. Your data is not safe, trust me on that.

~~~
5706906c06c
I've done InfoSec for a bunch of startups; none seem to grasp the importance
of security by design and how it can play an integral role in the business.
It's exhausting to have to battle a neon-haired developer who wants to just
write code (rightfully so), not following a process or standards, often
engaging in arguments just to be right. Imagine one person asking an
entire engineering org to create security priorities until business gets a
hold of those and comes back to yell at you for delaying sprints. Yep, that's
InfoSec for you. Also, any business that says "We take security seriously"
isn't. That's boilerplate they plucked out of the legalese to CYA.

~~~
CaptainZapp
I certainly agree with your comment, since it reflects my experience in a lot
of cases. But

> "We take security seriously"

Why would such a statement legally cover your ass? From a legal perspective it
sounds as dubious as warnings on a truck: "Stay back 10 metres. Truck is not
responsible for damage."

~~~
5706906c06c
I can't disagree. However, it doesn't deter businesses from using it, as it
demonstrates intent to maintain a certain security posture, regardless of how
ill-conceived that posture might be. That said, the statement is touchy-feely,
and will more than likely not hold true in a court of law when pressure
tested.

------
CaptainZapp
It may be a good idea to not pull such a shitty in an EU country from May
2018.

According to the General Data Protection Regulation (2016/679), apart from
regular audits you may run into the following consequences:

a fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the
preceding financial year in case of an enterprise, whichever is greater
(Article 83, Paragraphs 5 & 6).

Ask companies like Microsoft, Volkswagen, Renault, Daimler or Google and they
can assure you that the responsible entities don't look kindly at corporate
bullshit PR statements, which the likes of Uber seem so fond of.

~~~
malandrew
The GDPR is going to be a big blow for the European tech startup scene. For
companies in the US, they can just enter Europe once they've addressed its
requirements. European companies on the other hand need to implement it from
day one.

The fine is interesting because it is easy to minimize by creating a
subsidiary per country. That very effectively shields annual worldwide
turnover.

------
hkothari
The craziest part to me:

"As a result of the failures described in Paragraph 18, on or about May 12,
2014, an intruder was able to access consumers’ personal information in plain
text in Respondent’s Amazon S3 Datastore using an access key that one of
Respondent’s engineers had publicly posted to GitHub, a code-sharing website
used by software developers. The publicly posted key granted full
administrative privileges to all data and documents stored within Respondent’s
Amazon S3 Datastore."

[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf)
Page 5

------
tareqak
From the article:

 _For a particular six-month period, Uber only monitored access to the account
information of a select group. Who? Certain high-profile users, including Uber
executives._

 _What was the upshot? In May 2014, an intruder used an access key an Uber
engineer had publicly posted on a code-sharing site to access the names and
driver’s license numbers of 100,000 Uber drivers, as well as some bank account
information and Social Security numbers. The FTC says Uber didn’t discover the
breach for almost four months._

 _The proposed settlement prohibits Uber from misrepresenting its privacy and
security practices. It also requires Uber to put a comprehensive privacy
program in place and to get independent third-party audits every two years for
the next 20 years. You can file a public comment about the settlement until
September 15, 2017._

The complaint: [https://www.ftc.gov/enforcement/cases-proceedings/152-3054/u...](https://www.ftc.gov/enforcement/cases-proceedings/152-3054/uber-technologies-inc)

Links from complaint:

 _Agreement Containing Consent Order (19.87 KB)_
[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_agreement.pdf)

 _Decision and Order (57.66 KB)_
[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_decision_and_order.pdf)

 _Complaint (35.88 KB)_
[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint.pdf)

 _Complaint Exhibits A and B (1.2 MB)_
[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_complaint_exhibits_a-b.pdf)

 _Analysis of Proposed Consent Order To Aid Public Comment (56.14 KB)_
[https://www.ftc.gov/system/files/documents/cases/1523054_ube...](https://www.ftc.gov/system/files/documents/cases/1523054_uber_technologies_analysis.pdf)

Press release: _Uber Settles FTC Allegations that It Made Deceptive Privacy
and Data Security Claims_ [https://www.ftc.gov/news-events/press-releases/2017/08/uber-...](https://www.ftc.gov/news-events/press-releases/2017/08/uber-settles-ftc-allegations-it-made-deceptive-privacy-data)

Settlement agreement quote:

 _Under its agreement with the Commission, Uber is:_

 _prohibited from misrepresenting how it monitors internal access to
consumers’ personal information;_

 _prohibited from misrepresenting how it protects and secures that data;_

 _required to implement a comprehensive privacy program that addresses privacy
risks related to new and existing products and services and protects the
privacy and confidentiality of personal information collected by the company;
and_

 _required to obtain within 180 days, and every two years after that for the
next 20 years, independent, third-party audits certifying that it has a
privacy program in place that meets or exceeds the requirements of the FTC
order._

~~~
wadkar
> prohibited from misrepresenting how it monitors internal access to
> consumers’ personal information;

I don't understand why one would need an agreement between Uber and the FTC
explicitly mentioning this. Is it not illegal if a company misrepresents its
compliance to the regulator?

> required to implement a comprehensive privacy program …

> required to obtain within 180 days, and every two years after that for the
> next 20 years, independent, third-party audits certifying that it has a
> privacy program in place that meets or exceeds the requirements of the FTC
> order

This is worth noting; it clearly alludes to a need for a "privacy champion" (or
"privacy engineer/compliance officer/deputy CIO") for any business that deals
with sensitive (to regulatory compliance) personal information. It's not
enough to write a token "/about/privacy.html" and relegate any and all of the
system requirements that arise due to regulatory compliance.

I hope other startups take note of this, and plan to allocate resources to
this in their roadmap. I don't care when exactly you plan to do it - make sure
it's there in your TODO list of things before the regulator comes knocking on
your doors.

Also, I was unable to find any number or estimate of the cost of compliance
mentioned in the settlement. I would really prefer that when a government agency
agrees to settle with a business, it make public how much the business was
fined as well as the future cost of compliance. This information would
hopefully make it clear to future businesses to take privacy issues seriously.

~~~
dragonwriter
> I don't understand why one would need an agreement between Uber and the FTC
> explicitly mentioning this. Is it not illegal if a company misrepresents its
> compliance to the regulator?

Breach of a consent order is a fast track into the court supervising the
order, and the terms are usually more specific (and thus easier to
demonstrate) than the underlying law, and violating the consent order can risk
basically reopening the original litigation with its full potential
consequences (not just those for the narrow violation the provision of the
order at issue would involve under the bare law), so often consent orders will
have restrictions that are special cases of restrictions that already exist in
law.

~~~
DannyBee
Right, this is completely about keeping it within the continuing jurisdiction
of the court.

------
gigavinyl
Just enough example of how truly awful Uber is.

