Table Of ContentUnited States Senate
‘November 1, 2014
Mr. Travis Kal
Chie! Tixeeativ
Uber Technolo, Ine
1435 Market Soe
San Francisco, CA 94103
Dear Mr. Kahinick:
| am writing in eopacd to reports of eeseut comments aad setions by top Ler excoutives
concerning jouzalists. The 1oports suggest a troubling distcgaré for customers’ priva
seat dal
including the ns to protect their sansi
(On November 17, Buzzleed reported that Uber’s Senior Vice-President of Business Linil
Michael recentiy made statements supzesting thst Ubor might mine private information to (argct
a journalist who had criticized the company. Company spokeswornan Naisi Hourdajian
responded by insisting that such actions would violate Uher’s policies. She claimed, in part
thal “execubives Iovkiny at jourmalists* (rave logy .. would be clear violations ol ur privacy
and data access plies.” She further asserted thal “aecess to and use of data is pected oly
fr legitimate business purposes.” snd thet the compaay “regulavty monitoe(s] and auclts that
crday, Ms, Hourdjian sought to siness that Ther permits raployees 10
Ina blog post yest
nia for only “Tite set oF lepitimate business purposes.” She
cues riers! or divers
provided several exsenples of Teyitimate business purposes,” but the “nied se” was not Fully
described. Accosding to the pos, the “policy is also clea that acess te idcr and diver accounts
is being closely monitored and sucited by dats sooty specialists on an ongoing basis, ane ony
vialalions othe pokey wall sul diseiplinaryaetcm.”?
However, the policies male uvailable on your website (hips sww uber conf
USMlegalfusw privacy) do not in suy clear way match or support what Your company has statod in
the wake of Mr. Michael's reported statements. This rises serious concerns for me about the
scope, hanspareney, and enlanceabilty of Uher's policies. Moreover, i! is unclear whal sleps if
fany, Jona have laker lo ensure th your pieies are adequately communicated io all enplayees,
ccotfactors, zl aliiates, and to ensure that such policies are Tully enforced.
{am especially uoabled hecause there unpears fo be evidenoe of practices inconsistent
with the policy Ms. Heucajiaa articulated, Lt has boou reported thats tool known as “God view"
is “widely available to most Ubor caxporato cmplayes to track the
an Sith, ir eran Sgt igen jp Bit an doar, Buzzed News {New
gine buszted combeosmibiuberexovutvestggei ge piu ou
Mis thers ans Peivay Pay (Nn. 2015 # ip agnosia.
jon of Uber eostomers who have requested wr serves, Th a eas! ome incident, w corporate
tnployee reper admitted 1 using dhe tool to crack a jaursalist. The journalist's permission
dad not beet requested, aad te circuinstanees of the slacking do not suggest any Jeglimate
business punpose. Inceed, it appears that on prior occasions your company fis condoned use of
purpases.
customers’ data for questions:
In Fight of these camgerns, I especially request thal you ares the Fallewing questions
1. Mr, Michuel, senior executive is reported ty have made statements suggesting that
Uber might use private information to target journalists oe othess who have critiqued the
ccompany—that your company has since stated axe flatly contrary to company policies. To
‘hat do you altefute such a failure at your earnpuny’s highest level to hee your awa,
policies!
2. Whar Mr. Michnel is reported to have said sounds like i was intended 10 have a chilling
effect on joumalisis vovering Uber. Was any disciplinary aetiom taken as result of Me
‘Michues statements?
rivacy policy do you address the “Jimited set of
3. Where in your}
oss lo riders’ snd drivers’ Gals, including
punpeses" thal may justify employees’ nee
sonsitive geolucation dala?
4. ‘To whom isthe so-called "Ciod view" tool made available and why’? What steps see you
taking to limit access?
Jha you may shane eustarmers pera imlimmlin al asi
ans.” On shi
“Youur privacy paliey stl
inlarmatin with your" parent, subsidiaries und allilates fe interial
basis do you determine what constitutes legitimate “intemal reasous”? Why scen't these
standauds st ovt Zor customers?
sanally idenfiable information”
6. Your privacy poliey sates that you may share “non
with third pasties For “usiness purposes.” What does that mean exactly? Why aren't
customers asked to attnustively consent to this use oftheir infoumatiow’” Ata minimum,
may they opt out ofthis information shaving?
7. Your policies suggest that eustomers® personal information and usage information,
inclnding geolocation data, is maintained indefinitely indeed even after an acemun is
teutninated, Why’? What limits are you consideting imposing? In pactioulal, when an
sccount is tonsinated, why isa’t this inZoumation dclered as soon ss pouding chneges ox
other fransnetions] dispares are esate
con sarath yan
aca, View's Ubu iret
Food News Now 18, 2001), ace buzz
lop new yooh exevive for priv
See Ubon, se of CMa 26, 2062)
achnptslog. ube comdesoelory
8. Wha tnining is proviled to employees, ws well us contrac and alilates, lo ensure
that your company’s policies, as well ay elevant slate andl federal laws, ate being
followed? in Lipnt of Mr. Michael's zeent comments, how do you plea co improve this
9. Your spukesivoman has cepreseuted that your “poliey is clear that access o data is
ronitored and audited by data security specialists on an ongoing basis.” Where in your
company polices is this discussed? How is this monitoring condueted? How equenlly
ae audits completed? Aue customers informed if their information has bon
inappraprintely neocssed?
10, Under what cireumstances would an employee face dieipline for a violation af Ubee's
privacy policies? Mave any disciplinary been taken ov tis basis?
ould appncetste responses to those questions by Decembsr 15, 2014. Thnk you for
_your prompt allentinn to Uxis important matter, and please dono hesitate lo contact re, oF
Samantha Chaitet on ay stall, et (202) 224-5641
Sincerely,
MP rerahm—
Sonttor AL Fisnken
Chairman, Sabuornmitice sn Privacy
Technology, and dhe Lew
