Uber Technologies, Inc.; Analysis To Aid Public Comment, 39582-39584 [2017-17526]

Federal Register / Vol. 82, No. 160 / Monday, August 21, 2017 / Notices

FEDERAL TRADE COMMISSION

[File No. 152 3054]

Uber Technologies, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before September 15, 2017.

ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: "In the Matter of Uber Technologies, Inc., File No. 152–3054" on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/ubertechconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write "In the Matter of Uber Technologies, Inc., File No. 152–3054" on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Ben Rossen (202–326–3679) and James Trilling (202–326–3497), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for August 15, 2017), on the World Wide Web, at https://www.ftc.gov/news-events/commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before September 15, 2017. Write "In the Matter of Uber Technologies, Inc., File No. 152–3054" on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at https://www.ftc.gov/policy/public-comments.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/ubertechconsent by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you prefer to file your comment on paper, write "In the Matter of Uber Technologies, Inc., File No. 152–3054" on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Because your comment will be placed on the publicly accessible FTC Web site at https://www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any "trade secret or any commercial or financial information which . . . is privileged or confidential"—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled "Confidential," and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC Web site—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC Web site, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the FTC Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before September 15, 2017. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Agreement Containing Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, an agreement containing a consent order from Uber Technologies, Inc. ("Uber").

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission again will review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement's proposed order.

Since 2010, Uber has operated a mobile application (the "App") that connects consumers who are transportation providers ("Drivers") with consumers seeking those services ("Riders"). Riders book transportation or delivery services through a publicly-available version of the App that can be downloaded to a smartphone. When a Rider requests transportation through the App, the request is conveyed to a nearby Uber Driver signed into the App.

Drivers are consumers who use the App to determine which ride requests they will accept. Uber collects a variety of personal information from Drivers, including names, email addresses, phone numbers, postal addresses, Social Security numbers, driver's license numbers, bank account information, vehicle registration information, and insurance information. With respect to Riders, Uber collects names, email addresses, postal addresses, and detailed trip records with precise geolocation information, among other things.

In November 2014, Uber was the subject of various news reports describing improper access and use of consumer personal information, including geolocation information, by Uber employees. One article reported that an Uber executive had suggested that Uber should hire "opposition researchers" to look into the "personal lives" of journalists who criticized Uber's practices. Another article described an aerial tracking tool known as "God View" that displayed the personal information of Riders using Uber's services. These reports led to considerable consumer uproar and calls by consumers to stop using Uber's services. In an effort to respond to consumer concerns, Uber issued a statement describing its policies concerning access to Rider and Driver data. As part of that statement, Uber promised that all "access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action."

As alleged in the proposed complaint, Uber has not monitored or audited its employees' access to Rider and Driver personal information on an ongoing basis since November 2014. In fact, between approximately August 2015 and May 2016, Uber did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives. During this time, Uber did not otherwise monitor internal access to personal information unless an employee specifically reported that a co-worker had engaged in improper access. The proposed complaint alleges that Uber's representation that it closely monitored and audited internal access to consumers' personal information was false or misleading in violation of Section 5 of the FTC Act in light of Uber's subsequent failure to monitor and audit such access between August 2015 and May 2016.

The proposed complaint also alleges that Uber failed to provide reasonable security for consumer information stored in a third-party cloud storage service provided by Amazon Web Services ("AWS") called the Amazon Simple Storage Service (the "Amazon S3 Datastore"). Uber stores a variety of files in the Amazon S3 Datastore that contain sensitive personal information, including full and partial back-ups of Uber databases. These back-ups contain a broad range of Rider and Driver personal information, including, among other things, names, email addresses, phone numbers, driver's license numbers and trip records with precise geolocation information.

From July 13, 2013 to July 15, 2015, Uber's privacy policy described the security measures Uber used to protect the personal information it collected from consumers, stating that such information "is securely stored within our databases, and we use standard, industry-wide commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information—such as any portions of your credit card number which we retain . . . and geo-location information." Additionally, Uber's customer service representatives offered assurances about the strength of Uber's security practices to consumers who were reluctant to submit personal information to Uber.

As described below, the proposed complaint alleges that the above statements violated Section 5 of the FTC Act because Uber engaged in a number of practices that, taken together, failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information in the Amazon S3 Datastore. Specifically, Uber allegedly:

• Until approximately September 2014, failed to implement reasonable access controls to safeguard data stored in the Amazon S3 Datastore. For example, Uber (1) permitted engineers to access the Amazon S3 Datastore with a single, shared AWS access key that provided full administrative privileges over all data stored there; (2) failed to restrict access to systems based on employees' job functions; and (3) failed to require multi-factor authentication for access to the Amazon S3 Datastore;
• Until approximately September 2014, failed to implement reasonable security training and guidance;
• Until approximately September 2014, failed to have a written information security program; and
• Until approximately March 2015, stored sensitive personal information in the Amazon S3 Datastore in clear, readable text, rather than encrypting the information.

As a result of these failures, on or about May 12, 2014, an intruder was able to gain access to Uber's Amazon S3 Datastore using an access key that one of Uber's engineers had posted to GitHub, a code-sharing site used by software developers. This key was publicly posted and granted full administrative privileges to all data and documents stored within Uber's Amazon S3 Datastore. The intruder accessed one file that contained sensitive personal information belonging to Uber Drivers, including over 100,000 unencrypted names and driver's license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. Uber did not discover the breach until September 2014, at which time Uber took steps to prevent further unauthorized access.

The proposed consent order contains provisions designed to prevent Uber from engaging in similar acts and practices in the future. Part I of the proposed order prohibits Uber from making any misrepresentations about the extent to which Uber monitors or audits internal access to consumers' Personal Information or the extent to which Uber protects the privacy, confidentiality, security, or integrity of consumers' Personal Information.

Part II of the proposed order requires Uber to implement a mandated comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of consumers' personal information.

Part III of the proposed order requires Uber to undergo biennial assessments of its mandated privacy program by a third party.

Parts IV through VIII of the proposed order are reporting and compliance provisions. Part IV requires dissemination of the order now and in the future to all current and future principals, officers, directors, and managers, and to persons with managerial or supervisory responsibilities relating to the subject matter of the order. Part V mandates that Uber submit a compliance report to the FTC one year after issuance of the order and submit additional notices as specified. Parts VI and VII require Uber to retain documents relating to its compliance with the order, and to provide such additional information or documents necessary for the Commission to monitor compliance. Part VIII states that the Order will remain in effect for 20 years.

The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order's terms.

By direction of the Commission.

Donald S. Clark,
Secretary.

[FR Doc. 2017–17526 Filed 8–18–17; 8:45 am]

BILLING CODE 6750–01–P
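The complaint's monitoring allegation has two distinct parts: review was limited to a set of high-profile accounts, and automated alerts were not followed up in a timely way. The following Python is an added example, not code from the notice or from Uber; it assumes a constructed access log, a hypothetical rule that customer-record lookups must be linked to a support ticket, and a constructed follow-up SLA, and it shows how many alerts a VIP-only scope misses and which alerts have gone stale.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    role: str
    account_id: str
    ticket: Optional[str]  # support ticket justifying the lookup, if any

# Hypothetical policy: only these roles may view customer account records.
ROLES_WITH_ACCOUNT_ACCESS = {"support", "trust_and_safety"}

# Constructed sample log (not real data).
EVENTS: List[AccessEvent] = [
    AccessEvent(datetime(2016, 1, 5, 9, 0), "alice", "support", "acct-1001", "T-1"),
    AccessEvent(datetime(2016, 1, 5, 9, 30), "bob", "engineering", "acct-1002", None),
    AccessEvent(datetime(2016, 1, 5, 10, 0), "carol", "support", "acct-VIP-1", None),
    AccessEvent(datetime(2016, 1, 5, 10, 15), "dave", "support", "acct-1003", None),
    AccessEvent(datetime(2016, 1, 5, 11, 0), "alice", "support", "acct-1002", "T-2"),
]
VIP_ACCOUNTS = frozenset({"acct-VIP-1"})

def review_access(events: List[AccessEvent], scope: Optional[frozenset] = None) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) alerts for lookups lacking a business justification.

    scope=None reviews every account; passing a set of account ids reproduces the
    narrow, high-profile-only monitoring the notice describes."""
    alerts = []
    for e in events:
        if scope is not None and e.account_id not in scope:
            continue  # narrow scope silently skips ordinary customers
        if e.role not in ROLES_WITH_ACCOUNT_ACCESS:
            alerts.append((e, "role not permitted to view account records"))
        elif e.ticket is None:
            alerts.append((e, "no support ticket linked to lookup"))
    return alerts

def overdue_alerts(alerts: List[Tuple[AccessEvent, str]],
                   acknowledged: Dict[AccessEvent, datetime],
                   now: datetime, sla: timedelta) -> List[AccessEvent]:
    """Alerts that were not acknowledged within `sla` of the triggering access."""
    late = []
    for event, _reason in alerts:
        ack = acknowledged.get(event)
        if ack is None:
            if now - event.ts > sla:
                late.append(event)
        elif ack - event.ts > sla:
            late.append(event)
    return late

def demo() -> Dict[str, int]:
    full = review_access(EVENTS)
    narrow = review_access(EVENTS, scope=VIP_ACCOUNTS)
    # Constructed triage record: only bob's alert was handled, within a few hours.
    acks = {EVENTS[1]: datetime(2016, 1, 5, 12, 0)}
    late = overdue_alerts(full, acks, now=datetime(2016, 1, 8), sla=timedelta(hours=24))
    return {"alerts_full_scope": len(full), "alerts_vip_only": len(narrow), "overdue": len(late)}

if __name__ == "__main__":
    print(demo())
```

The point of the two scopes is that the same log yields three alerts under full review but one under VIP-only review, and the overdue check makes "timely follow up" a measurable property rather than a promise.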
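The access-control allegations above name three concrete weaknesses in how the S3 datastore was reached (a single shared key with full administrative privileges, no restriction by job function, no multi-factor authentication) plus storage in clear text. The Python below is an added example, not Uber's configuration or any AWS-provided tool; it places a weak identity policy of the kind those allegations describe beside a hardened one and audits both. The bucket name `example-backups`, the `db/` prefix and the statement Sids are constructed; the condition keys `aws:MultiFactorAuthPresent` and `s3:x-amz-server-side-encryption` are real AWS policy keys.

```python
import json
from typing import Any, Dict, List

def _as_list(v: Any) -> List[Any]:
    return v if isinstance(v, list) else [v]

# Weak: any holder of the key can do anything to every object (constructed).
WEAK_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "SharedAdminKey", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

# Hardened: one job function, read-only, one bucket prefix, MFA required (constructed).
HARDENED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupReadersDbPrefixOnly",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/db/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

# Bucket policy refusing uploads that do not request server-side encryption (constructed).
HARDENED_BUCKET_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnencryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-backups/*",
        # Null/true means "the key is absent", i.e. no encryption header was sent.
        "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
    }],
}

def audit_identity_policy(policy: Dict[str, Any]) -> List[str]:
    """Flag Allow statements that grant broad S3 rights or skip the MFA condition."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = [str(a) for a in _as_list(st.get("Action", []))]
        resources = [str(r) for r in _as_list(st.get("Resource", []))]
        if any(a == "*" or a.lower() == "s3:*" for a in actions):
            findings.append(f"{sid}: wildcard action grants full administrative privileges")
        if any(r == "*" for r in resources):
            findings.append(f"{sid}: wildcard resource covers every bucket and object")
        mfa = st.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")
    return findings

def enforces_encryption_at_rest(bucket_policy: Dict[str, Any]) -> bool:
    """True if some Deny statement blocks s3:PutObject whenever the SSE header is absent."""
    for st in bucket_policy.get("Statement", []):
        if st.get("Effect") != "Deny":
            continue
        if "s3:PutObject" not in _as_list(st.get("Action", [])):
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        if str(null_cond.get("s3:x-amz-server-side-encryption", "")).lower() == "true":
            return True
    return False

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(audit_identity_policy(pol), indent=2))
    print("bucket enforces SSE:", enforces_encryption_at_rest(HARDENED_BUCKET_POLICY))
```

The audit is deliberately simple (it reads one policy document rather than evaluating the full IAM effective-permissions model), but it is enough to turn each allegation in the bullet list into a check that can be run against a policy before a key is ever issued. A leaked key bound to the hardened policy would still be a serious incident, but it could read only one prefix, not every backup, and could not be used at all without a second factor.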

    As described below, the proposed complaint alleges that the above 
statements violated Section 5 of the FTC Act because Uber engaged in a 
number of practices that, taken together, failed to provide reasonable 
security to prevent unauthorized access to Rider and Driver personal 
information in the Amazon S3 Datastore. Specifically, Uber allegedly:
    • Until approximately September 2014, failed to implement 
reasonable access controls to safeguard data stored in the Amazon S3 
Datastore. For example, Uber (1) permitted engineers to access the 
Amazon S3 Datastore with a single, shared AWS access key that provided 
full administrative privileges over all data stored there; (2) failed 
to restrict access to systems based on employees' job functions; and 
(3) failed to require multi-factor authentication for access to the 
Amazon S3 Datastore;
    • Until approximately September 2014, failed to implement 
reasonable security training and guidance;
    • Until approximately September 2014, failed to have a 
written information security program; and
    • Until approximately March 2015, stored sensitive personal 
information in the Amazon S3 Datastore in clear, readable text, rather 
than encrypting the information.
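The access-control and encryption practices listed above correspond to settings in AWS IAM and S3 bucket policy documents. What follows is an added illustration, not text from the complaint, the proposed order, or Uber: a small static check, written in Python, that reads IAM policy documents and flags the three gaps the complaint names, namely a single identity granted every S3 action on every resource (no job-function scoping), no condition requiring multi-factor authentication, and no condition rejecting uploads that are not server-side encrypted. The two policies embedded in the block are constructed placeholders; the bucket name and Sids are invented. The condition keys aws:MultiFactorAuthPresent and s3:x-amz-server-side-encryption are real AWS condition keys.

```python
import json

# Constructed identity policy resembling the failure described in the
# complaint: one shared key, every S3 action on every bucket, no MFA
# requirement. Not an actual Uber policy.
SHARED_ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "SharedEngineerKey", "Effect": "Allow",
     "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# Constructed policy scoped to one job function (writing database backups
# to one bucket), with MFA and server-side encryption enforced by explicit
# Deny statements. Bucket name and Sids are placeholders.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BackupWriterOnly", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-db-backups",
                  "arn:aws:s3:::example-db-backups/*"]},
    {"Sid": "DenyWithoutMFA", "Effect": "Deny",
     "Action": "s3:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Sid": "DenyUnencryptedUpload", "Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-db-backups/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(policy):
    """Return a list of findings; an empty list means none of the checked gaps is present."""
    findings = []
    mfa_enforced = False
    encryption_enforced = False
    for stmt in _as_list(policy.get("Statement")):
        sid = stmt.get("Sid", "<no Sid>")
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition", {})

        if effect == "Allow":
            # Full-privilege grants: every S3 action, or every resource.
            if any(a in ("*", "s3:*") for a in actions):
                findings.append(f"{sid}: Allow grants every S3 action; scope actions to the job function")
            if "*" in resources:
                findings.append(f"{sid}: Allow applies to every bucket; name the buckets this role needs")
        elif effect == "Deny":
            # A Deny on MFA must use BoolIfExists: requests signed with long-term
            # access keys carry no aws:MultiFactorAuthPresent key at all, so a
            # plain Bool test never matches them and the Deny does nothing.
            if condition.get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent") == "false":
                mfa_enforced = True
            elif condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "false":
                findings.append(f"{sid}: MFA deny uses Bool, which does not match requests "
                                "made with long-term access keys; use BoolIfExists")
            # Encryption at rest is enforced by refusing PutObject without SSE.
            sse = condition.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
            if "s3:PutObject" in actions and sse:
                encryption_enforced = True

    if not mfa_enforced:
        findings.append("no Deny statement rejects requests made without MFA")
    if not encryption_enforced:
        findings.append("no Deny statement rejects PutObject without server-side encryption")
    return findings


if __name__ == "__main__":
    for name, policy in (("shared admin key", SHARED_ADMIN_POLICY), ("scoped role", SCOPED_POLICY)):
        print(f"{name}: {check_policy(policy) or ['no findings']}")
```

The check is deliberately narrow: it looks only for the patterns named in the complaint and does not evaluate full IAM semantics (NotAction, resource-level permissions, or policies attached elsewhere in the account). In practice the MFA and encryption Deny statements are usually placed in the bucket policy so that they apply to every principal, and the shared long-term key is replaced by per-person identities assuming a role, which is what makes the MFA condition enforceable.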
    As a result of these failures, on or about May 12, 2014, an 
intruder was able to gain access to Uber's Amazon S3 Datastore using an 
access key that one of Uber's engineers had posted to GitHub, a code-
sharing site used by software developers. This key was publicly posted 
and granted full administrative privileges to all data and documents 
stored within Uber's Amazon S3 Datastore. The intruder accessed one 
file that contained sensitive personal information belonging to Uber 
Drivers, including over 100,000 unencrypted names and driver's license 
numbers, 215 unencrypted names and bank account and domestic routing 
numbers, and 84 unencrypted names and Social Security numbers. Uber did 
not discover the breach until September 2014, at which time Uber took 
steps to prevent further unauthorized access.
    The proposed consent order contains provisions designed to prevent 
Uber from engaging in similar acts and practices in the future.
    Part I of the proposed order prohibits Uber from making any 
misrepresentations about the extent to which Uber monitors or audits 
internal access to consumers' Personal Information or the extent to 
which Uber protects the privacy, confidentiality, security, or 
integrity of consumers' Personal Information.
    Part II of the proposed order requires Uber to implement a mandated 
comprehensive privacy program that is reasonably designed to (1) 
address privacy risks related to the development and management of new 
and existing products and services for consumers, and (2) protect the 
privacy and confidentiality of consumers' personal information.

[[Page 39584]]

    Part III of the proposed order requires Uber to undergo biennial 
assessments of its mandated privacy program by a third party.
    Parts IV through VIII of the proposed order are reporting and 
compliance provisions. Part IV requires dissemination of the order now 
and in the future to all current and future principals, officers, 
directors, and managers, and to persons with managerial or supervisory 
responsibilities relating to the subject matter of the order. Part V 
mandates that Uber submit a compliance report to the FTC one year after 
issuance of the order and submit additional notices as specified. Parts 
VI and VII require Uber to retain documents relating to its compliance 
with the order, and to provide such additional information or documents 
necessary for the Commission to monitor compliance. Part VIII states 
that the Order will remain in effect for 20 years.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2017-17526 Filed 8-18-17; 8:45 am]
BILLING CODE 6750-01-P