Uber Technologies, Inc.; Analysis To Aid Public Comment, 18061-18064 [2018-08600]
Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Notices
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex J),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible FTC website
at https://www.ftc.gov/, you are solely
responsible for making sure that your
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC
website—as legally required by FTC
Rule 4.9(b)—we cannot redact or
remove your comment from the FTC
website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants that request.
The FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before May 25, 2018. For information on
the Commission’s privacy policy,
including routine uses permitted by the
Privacy Act, see https://www.ftc.gov/
site-information/privacy-policy. For
supporting documentation and other
information underlying the PRA
discussion in this Notice, see https://
www.reginfo.gov/public/jsp/PRA/
praDashboard.jsp.
Comments on the information
collection requirements subject to
review under the PRA should
additionally be submitted to OMB. If
sent by U.S. mail, they should be
addressed to Office of Information and
Regulatory Affairs, Office of
Management and Budget, Attention:
Desk Officer for the Federal Trade
Commission, New Executive Office
Building, Docket Library, Room 10102,
725 17th Street NW, Washington, DC
20503. Comments sent to OMB by U.S.
postal mail, however, are subject to
delays due to heightened security
precautions. Thus, comments instead
can also be sent by email to wliberante@
omb.eop.gov.
David C. Shonka,
Principal Deputy General Counsel.
[FR Doc. 2018–08627 Filed 4–24–18; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION

[File No. 152 3054]

Uber Technologies, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

SUMMARY: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis To Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES: Comments must be received on or before May 14, 2018.

ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Uber Technologies, Inc.” on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the instructions on the web-based form. If you prefer to file your comment on paper, write “Uber Technologies, Inc.” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Ben Rossen (202–326–3679) and James Trilling (202–326–3497), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for April 12, 2018), on the World Wide Web, at https://www.ftc.gov/news-events/commission-actions.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before May 14, 2018. Write “Uber Technologies, Inc.” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission website, at https://www.ftc.gov/policy/public-comments. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the instructions on the web-based form. If this Notice appears at https://www.regulations.gov/#!home, you also may file a comment through that website.
If you prefer to file your comment on paper, write “Uber Technologies, Inc.” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC–5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Because your comment will be placed on the publicly accessible FTC website at https://www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

Visit the FTC website at https://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before May 14, 2018. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has withdrawn its acceptance of the agreement containing consent order from Uber Technologies, Inc. (“Uber”) that the Commission released for public comment in this proceeding on August 15, 2017 (“August 2017 proposed consent agreement”), and has accepted, subject to final approval, a new agreement containing consent order from Uber (“April 2018 proposed consent agreement”).

The April 2018 proposed consent agreement has been placed on the public record for thirty (30) days for receipt of comments by interested persons. All comments received during this period will become part of the public record. Interested persons who submitted comments during the public comment period for the August 2017 proposed consent agreement should resubmit their original comments, or submit new comments, during the new comment period if they would like the Commission to consider their comments when the Commission decides whether to make final the April 2018 proposed consent agreement. After thirty (30) days, the Commission again will review the April 2018 proposed consent agreement, and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order.

Since 2010, Uber has operated a mobile application (the “App”) that connects consumers who are transportation providers (“Drivers”) with consumers seeking those services (“Riders”). Riders book transportation or delivery services through a publicly available version of the App that can be downloaded to a smartphone. When a Rider requests transportation through the App, the request is conveyed to a nearby Uber Driver signed into the App. Drivers use the App to determine which ride requests they will accept.
Uber collects a variety of personal information from Drivers, including names, email addresses, phone numbers, postal addresses, Social Security numbers, driver’s license numbers, bank account information, vehicle registration information, and insurance information. With respect to Riders, Uber collects names, email addresses, postal addresses, and detailed trip records with precise geolocation information, among other things.

In November 2014, Uber was the subject of various news reports describing improper access and use of consumer personal information, including geolocation information, by Uber employees. One article reported that an Uber executive had suggested that Uber should hire “opposition researchers” to look into the “personal lives” of journalists who criticized Uber’s practices. Another article described an aerial tracking tool known as “God View” that displayed the personal information of Riders using Uber’s services. These reports led to considerable consumer uproar. In an effort to respond to consumer concerns, Uber issued a statement describing its policies concerning access to Rider and Driver data. As part of that statement, Uber promised that all “access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.”
As alleged in the proposed complaint, Uber has not monitored or audited its employees’ access to Rider and Driver personal information on an ongoing basis since November 2014. In fact, between approximately August 2015 and May 2016, Uber did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives. During this time, Uber did not otherwise monitor internal access to personal information unless an employee specifically reported that a coworker had engaged in improper access.

Count one of the proposed complaint alleges that Uber’s representation that it closely monitored and audited internal access to consumers’ personal information was false or misleading in violation of Section 5 of the FTC Act in light of Uber’s subsequent failure to monitor and audit such access between August 2015 and May 2016.[1]

The proposed complaint also alleges that Uber failed to provide reasonable security for consumer information stored in a third-party cloud storage service provided by Amazon Web Services (“AWS”) called the Amazon Simple Storage Service (the “Amazon S3 Datastore”). Uber stores in the Amazon S3 Datastore a variety of files that contain sensitive personal information, including full and partial back-ups of Uber databases. These back-ups contain a broad range of Rider and Driver personal information, including, among other things, names, email addresses, phone numbers, driver’s license numbers, and trip records with precise geolocation information.

From July 13, 2013 to July 15, 2015, Uber’s privacy policy described the security measures Uber used to protect the personal information it collected from consumers, stating that such information “is securely stored within our databases, and we use standard, industry-wide commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information—such as any portions of your credit card number which we retain . . . and geo-location information.” Additionally, Uber’s customer service representatives offered assurances about the strength of Uber’s security practices to consumers who were reluctant to submit personal information to Uber.
As described below, count two of the proposed complaint alleges that the above statements violated Section 5 of the FTC Act because Uber engaged in a number of practices that, taken together, failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information in the Amazon S3 Datastore.[2] Specifically, Uber allegedly:

• Failed to implement reasonable access controls to safeguard data stored in the Amazon S3 Datastore. For example, Uber (1) until approximately September 2014, permitted engineers to access the Amazon S3 Datastore with a single, shared AWS access key that provided full administrative privileges over all data stored there; (2) until approximately September 2014, failed to restrict access to systems based on employees’ job functions; and (3) until approximately September 2015, failed to require multi-factor authentication for individual account access, and until at least November 2016, failed to require multi-factor authentication for programmatic service account access, to the Amazon S3 Datastore;

• Until at least September 2014, failed to implement reasonable security training and guidance;

• Until approximately September 2014, failed to have a written information security program; and

• Until at least November 2016, stored sensitive personal information in the Amazon S3 Datastore in clear, readable text, rather than encrypting the information.

As a result of these failures, intruders accessed Uber’s Amazon S3 Datastore multiple times using access keys that Uber engineers had posted to GitHub, a code-sharing site used by software developers.

[1] Count one of the proposed complaint and the underlying factual allegations are unchanged from the proposed complaint against Uber that the Commission issued previously as part of the August 2017 proposed consent agreement.

[2] Count two of the proposed complaint addresses the same allegedly false or misleading statements as did count two of the proposed complaint against Uber that the Commission issued as part of the August 2017 proposed consent agreement. The proposed complaint includes allegations that the now withdrawn complaint included to support count two and also includes additional allegations to support count two based on new information the Commission obtained after August 2017.
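Both intrusions described in this notice started with an AWS access key that an engineer had committed to a GitHub repository. As an added illustration of the kind of control that catches this before the push (not part of the notice and not Uber's or AWS's code), the following Python scanner inspects only the added lines of a unified diff for AWS access key IDs and secret access keys, suitable as a pre-commit or CI gate; the sample diff is constructed, the credential values in it are the placeholders AWS uses in its own documentation, and the key-format rules (AKIA/ASIA prefix plus 16 characters; 40-character secret) are the ones AWS publishes.

```python
"""Scan the added lines of a unified diff for AWS credentials before they reach a repository."""
import re
import sys
from dataclasses import dataclass
from typing import List

# Long-lived IAM user key IDs start with AKIA, temporary STS key IDs with ASIA;
# both are followed by 16 uppercase letters or digits (20 characters in total).
ACCESS_KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
# A secret access key is 40 base64-alphabet characters. On its own that matches
# many harmless tokens, so it is only flagged when assigned to a key-like name.
SECRET_KEY_RE = re.compile(
    r"(?i)aws_?secret(?:_?access)?_?key\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int      # line number in the new version of the file
    kind: str
    redacted: str     # never log the full credential


def redact(secret: str) -> str:
    return secret[:4] + "..." + secret[-4:]


def scan_diff(diff_text: str) -> List[Finding]:
    """Return credential findings for content being added ('+' lines) only."""
    findings: List[Finding] = []
    path = "?"
    new_line = 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):
                path = path[2:]
            continue
        hunk = HUNK_RE.match(line)
        if hunk:
            new_line = int(hunk.group(1))
            continue
        if line.startswith("-"):
            continue  # removed lines (and the '---' header) do not land in the new file
        if line.startswith("+"):
            body = line[1:]
            for m in ACCESS_KEY_ID_RE.finditer(body):
                findings.append(Finding(path, new_line, "aws_access_key_id", redact(m.group(1))))
            for m in SECRET_KEY_RE.finditer(body):
                findings.append(Finding(path, new_line, "aws_secret_access_key", redact(m.group(1))))
        # Added and context lines both occupy one line of the new file.
        new_line += 1
    return findings


# Constructed sample diff; the credential values are the placeholders AWS uses in
# its own documentation, not real keys.
SAMPLE_DIFF = """\
diff --git a/config/storage.py b/config/storage.py
--- a/config/storage.py
+++ b/config/storage.py
@@ -1,3 +1,5 @@
 import boto3
-S3_BUCKET = "backups-dev"
+S3_BUCKET = "backups"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 client = boto3.client("s3")
"""

if __name__ == "__main__":
    hits = scan_diff(SAMPLE_DIFF if sys.stdin.isatty() else sys.stdin.read())
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if hits else 0)  # a non-zero exit blocks the commit in a pre-commit hook
```

Run as `git diff --cached | python scan.py` to gate staged changes; a pattern scanner is a last line of defence, and the notice's own remedies (per-person credentials, MFA for both human and programmatic access, encryption of stored backups) are what limit the damage when a key does leak.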
First, on or about May 12, 2014, an intruder accessed Uber’s Amazon S3 Datastore using an access key that was publicly posted and granted full administrative privileges to all data and documents stored within Uber’s Amazon S3 Datastore (the “2014 data breach”). The intruder accessed one file that contained sensitive personal information belonging to Uber Drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. Uber did not discover the breach until September 2014. Uber sent breach notification letters to affected Uber Drivers in February 2015. Uber later learned of more affected Uber Drivers in May and July 2016 and sent breach notification letters to those Drivers in June and August 2016.

Second, between October 13, 2016 and November 15, 2016, intruders accessed Uber’s Amazon S3 Datastore using an AWS access key that was posted to a private GitHub repository (“the 2016 data breach”). Uber granted its engineers access to Uber’s GitHub repositories through engineers’ individual GitHub accounts, which engineers generally accessed through personal email addresses. Uber did not have a policy prohibiting engineers from reusing credentials, and did not require engineers to enable multi-factor authentication when accessing Uber’s GitHub repositories. The intruders who committed the 2016 breach said that they accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches, whereupon they discovered the AWS access key they used to access and download files from Uber’s Amazon S3 Datastore. The intruders downloaded sixteen files that contained unencrypted consumer personal information relating to U.S. Riders and Drivers, including approximately 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers. Nearly all of the exposed personal information was collected before July 2015 and stored in unencrypted database backup files.

Uber discovered the 2016 data breach on or about November 14, 2016, when one of the attackers contacted Uber claiming to have compromised Uber’s “databases” and demanding a six-figure payout. Uber paid the attackers $100,000 through the third party that administers Uber’s “bug bounty” program. Respondent created the bug bounty program to pay financial rewards in exchange for the responsible disclosure of serious security vulnerabilities. However, the attackers who committed the 2016 data breach were fundamentally different from legitimate bug bounty recipients. Instead of responsibly disclosing a vulnerability, the attackers maliciously exploited the vulnerability and acquired millions of consumers’ personal information.

Uber failed to disclose the 2016 data breach to affected consumers until November 21, 2017, more than a year after discovering it. Uber also failed to disclose the 2016 data breach to the Commission until November 2017 despite the fact that the breach occurred in the midst of a nonpublic Commission investigation relating to Uber’s data security practices, including, specifically, the security of Uber’s Amazon S3 Datastore.
The proposed consent order contains provisions designed to prevent Uber from engaging in acts and practices in the future similar to those alleged in the proposed complaint.

Part I of the proposed order prohibits Uber from making any misrepresentations about the extent to which Uber monitors or audits internal access to consumers’ personal information or the extent to which Uber protects the privacy, confidentiality, security, or integrity of consumers’ personal information. This Part is identical to Part I of the August 2017 proposed consent agreement.

Part II of the proposed order requires Uber to implement a mandated comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of consumers’ personal information. Part II.B includes new language that requires Uber’s mandated privacy risk assessments to include consideration of risks and safeguards related to (a) secure software design, development, and testing, including access key and secret key management and secure cloud storage; (b) review, assessment, and response to third-party security vulnerability reports, including through a “bug bounty” or similar program; and (c) prevention, detection, and response to attacks, intrusions, or systems failures.
Part III of the proposed order requires Uber to undergo biennial assessments of its mandated privacy program by a third party. Part III has been revised from the August 2017 proposed consent agreement to require Uber to submit to the Commission each of its assessments rather than only its initial assessment.

Part IV of the proposed order requires Uber to submit a report to the Commission if Uber discovers any “covered incident” involving unauthorized access or acquisition of consumer information. This Part is new.

Parts V through IX of the proposed order are reporting and compliance provisions. Part V requires dissemination of the order now and in the future to all current and future principals, officers, directors, and managers, and to persons who participate in conduct related to the subject matter of the order, including all employees, agents, and representatives who regularly access personal information. Part VI mandates that Uber submit a compliance report to the FTC one year after issuance of the order and submit additional notices as specified. Parts VII and VIII require Uber to retain documents relating to its compliance with the order, and to provide such additional information or documents as are necessary for the Commission to monitor compliance. Part IX states that the order will remain in effect for 20 years.

These provisions include modifications from the August 2017 proposed consent agreement. Part V expands the acknowledgement of order provision to require Uber to obtain signed acknowledgements from all employees, agents, and representatives who regularly access personal information that Uber collects or receives from or about consumers, rather than limiting the requirement to employees with managerial responsibility related to the order. And Part VII contains modified recordkeeping provisions and new recordkeeping provisions relating to Uber’s bug bounty program and its subpoenas and communications with law enforcement.

The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order’s terms.

By direction of the Commission.

Donald S. Clark,
Secretary.

[FR Doc. 2018–08600 Filed 4–24–18; 8:45 am]

BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
National Institutes of Health
National Institute of Diabetes and
Digestive and Kidney Diseases; Notice
of Closed Meetings
Pursuant to section 10(d) of the
Federal Advisory Committee Act, as
amended, notice is hereby given of the
following meetings.
The meetings will be closed to the
public in accordance with the
provisions set forth in sections
552b(c)(4) and 552b(c)(6), Title 5 U.S.C.,
as amended. The grant applications and
the discussions could disclose
confidential trade secrets or commercial
property such as patentable material,
and personal information concerning
individuals associated with the grant
applications, the disclosure of which
would constitute a clearly unwarranted
invasion of personal privacy.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; NIDDK–KURe–K12
Telephone Review.
Date: May 7, 2018.
Time: 12:00 p.m. to 1:30 p.m.
Agenda: To review and evaluate grant
applications.
Place: National Institutes of Health, Two
Democracy Plaza, 6707 Democracy
Boulevard, Bethesda, MD 20892 (Telephone
Conference Call).
Contact Person: Xiaodu Guo, MD, Ph.D.,
Scientific Review Officer, Review Branch,
DEA, NIDDK, National Institutes of Health,
Room 7023, 6707 Democracy Boulevard,
Bethesda, MD 20892–5452, (301) 594–4719,
guox@extra.niddk.nih.gov.
This notice is being published less than 15
days prior to the meeting due to the timing
limitations imposed by the review and
funding cycle.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; NIDDK KUH
Fellowship Review.
Date: June 6, 2018.
Time: 8:00 a.m. to 2:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Bethesda North Marriott Hotel and
Conference Center, Montgomery County
Conference Center Facility, 5701 Marinelli
Road, Bethesda, MD 20852.
Contact Person: Xiaodu Guo, MD, Ph.D.,
Scientific Review Officer, Review Branch,
DEA, NIDDK, National Institutes of Health,
Room 7023, 6707 Democracy Boulevard,
Bethesda, MD 20892–5452, (301) 594–4719,
guox@extra.niddk.nih.gov.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; The NIDDK DDK–D
Member Conflict SEP.
Date: June 6, 2018.
Time: 9:00 a.m. to 3:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Bethesda North Marriott Hotel and
Conference Center, Montgomery County
Conference Center Facility, 5701 Marinelli
Road, North Bethesda, MD 20852.
Contact Person: Xiaodu Guo, MD, Ph.D.,
Scientific Review Officer, Review Branch,
DEA, NIDDK, National Institutes of Health,
Room 7023, 6707 Democracy Boulevard,
Bethesda, MD 20892–5452, (301) 594–4719,
guox@extra.niddk.nih.gov.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; Fellowships in
Digestive Diseases and Nutrition.
Date: June 7–8, 2018.
Time: 8:00 a.m. to 5:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Residence Inn Bethesda, 7335
Wisconsin Avenue, Bethesda, MD 20814.
Contact Person: Jian Yang, Ph.D., Scientific
Review Officer, Review Branch, DEA,
NIDDK, National Institutes of Health, Room
7111, 6707 Democracy Boulevard, Bethesda,
MD 20892–5452, (301) 594–7799, yangj@
extra.niddk.nih.gov.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; DDK–C Conflicts.
Date: June 8, 2018.
Time: 8:00 a.m. to 12:00 p.m.
Agenda: To review and evaluate grant
applications.
Place: Residence Inn Bethesda, 7335
Wisconsin Avenue, Bethesda, MD 20814.
Contact Person: Jian Yang, Ph.D., Scientific
Review Officer, Review Branch, DEA,
NIDDK, National Institutes of Health, Room
7111, 6707 Democracy Boulevard, Bethesda,
MD 20892–5452, (301) 594–7799, yangj@
extra.niddk.nih.gov.
Name of Committee: National Institute of
Diabetes and Digestive and Kidney Diseases
Special Emphasis Panel; O’Brien Urology
Centers.
Date: July 10–11, 2018.
Time: 3:00 p.m. to 6:00 p.m.
E:\FR\FM\25APN1.SGM
25APN1
Agencies
[Federal Register Volume 83, Number 80 (Wednesday, April 25, 2018)]
[Notices]
[Pages 18061-18064]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-08600]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 152 3054]
Uber Technologies, Inc.; Analysis To Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed consent agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices. The attached Analysis To Aid Public Comment describes both
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.
DATES: Comments must be received on or before May 14, 2018.
ADDRESSES: Interested parties may file a comment online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write: ``Uber Technologies,
Inc.'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the
instructions on the web-based form. If you prefer to file your comment
on paper, write ``Uber Technologies, Inc.'' on your comment and on the
envelope, and mail your comment to the following address: Federal Trade
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite
CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC
20024.
FOR FURTHER INFORMATION CONTACT: Ben Rossen (202-326-3679) and James
Trilling (202-326-3497), Bureau of Consumer Protection, 600
Pennsylvania Avenue NW, Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for April 12, 2018), on the World Wide Web, at
https://www.ftc.gov/news-events/commission-actions.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before May 14, 2018.
Write ``Uber Technologies, Inc.'' on your comment. Your comment--
including your name and your state--will be placed on the public record
of this proceeding, including, to the extent practicable, on the public
Commission website, at https://www.ftc.gov/policy/public-comments.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that website.
If you prefer to file your comment on paper, write ``Uber
Technologies, Inc.'' on your comment and on the envelope, and mail your
comment to the following
address: Federal Trade Commission, Office of the Secretary, 600
Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580;
or deliver your comment to the following address: Federal Trade
Commission, Office of the Secretary, Constitution Center, 400 7th
Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If
possible, submit your paper comment to the Commission by courier or
overnight service.
Because your comment will be placed on the publicly accessible FTC
website at https://www.ftc.gov, you are solely responsible for making
sure that your comment does not include any sensitive or confidential
information. In particular, your comment should not include any
sensitive personal information, such as your or anyone else's Social
Security number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also
solely responsible for making sure that your comment does not include
any sensitive health information, such as medical records or other
individually identifiable health information. In addition, your comment
should not include any ``trade secret or any commercial or financial
information which . . . is privileged or confidential''--as provided by
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2),
16 CFR 4.10(a)(2)--including in particular competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC website--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC website,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
Visit the FTC website at https://www.ftc.gov to read this Notice and
the news release describing it. The FTC Act and other laws that the
Commission administers permit the collection of public comments to
consider and use in this proceeding, as appropriate. The Commission
will consider all timely and responsive public comments that it
receives on or before May 14, 2018. For information on the Commission's
privacy policy, including routine uses permitted by the Privacy Act,
see https://www.ftc.gov/site-information/privacy-policy.
Analysis of Proposed Consent Order To Aid Public Comment
The Federal Trade Commission has withdrawn its acceptance of the
agreement containing consent order from Uber Technologies, Inc.
(``Uber'') that the Commission released for public comment in this
proceeding on August 15, 2017 (``August 2017 proposed consent
agreement''), and has accepted, subject to final approval, a new
agreement containing consent order from Uber (``April 2018 proposed
consent agreement'').
The April 2018 proposed consent agreement has been placed on the
public record for thirty (30) days for receipt of comments by
interested persons. All comments received during this period will
become part of the public record. Interested persons who submitted
comments during the public comment period for the August 2017 proposed
consent agreement should resubmit their original comments, or submit
new comments, during the new comment period if they would like the
Commission to consider their comments when the Commission decides
whether to make final the April 2018 proposed consent agreement. After
thirty (30) days, the Commission again will review the April 2018
proposed consent agreement, and the comments received, and will decide
whether it should withdraw from the agreement or make final the
agreement's proposed order.
Since 2010, Uber has operated a mobile application (the ``App'')
that connects consumers who are transportation providers (``Drivers'')
with consumers seeking those services (``Riders''). Riders book
transportation or delivery services through a publicly-available
version of the App that can be downloaded to a smartphone. When a Rider
requests transportation through the App, the request is conveyed to a
nearby Uber Driver signed into the App.
Drivers use the App to determine which ride requests they will
accept. Uber collects a variety of personal information from Drivers,
including names, email addresses, phone numbers, postal addresses,
Social Security numbers, driver's license numbers, bank account
information, vehicle registration information, and insurance
information. With respect to Riders, Uber collects names, email
addresses, postal addresses, and detailed trip records with precise
geolocation information, among other things.
In November 2014, Uber was the subject of various news reports
describing improper access and use of consumer personal information,
including geolocation information, by Uber employees. One article
reported that an Uber executive had suggested that Uber should hire
``opposition researchers'' to look into the ``personal lives'' of
journalists who criticized Uber's practices. Another article described
an aerial tracking tool known as ``God View'' that displayed the
personal information of Riders using Uber's services. These reports led
to considerable consumer uproar. In an effort to respond to consumer
concerns, Uber issued a statement describing its policies concerning
access to Rider and Driver data. As part of that statement, Uber
promised that all ``access to rider and driver accounts is being
closely monitored and audited by data security specialists on an
ongoing basis, and any violations of the policy will result in
disciplinary action, including the possibility of termination and legal
action.''
As alleged in the proposed complaint, Uber has not monitored or
audited its employees' access to Rider and Driver personal information
on an ongoing basis since November 2014. In fact, between approximately
August 2015 and May 2016, Uber did not timely follow up on automated
alerts concerning the potential misuse of consumer personal
information, and for approximately the first six months of this period
only monitored access to account information belonging to a set of
internal high-profile users, such as Uber executives. During this time,
Uber did not otherwise monitor internal access to personal information
unless an employee specifically reported that a co-worker had engaged
in improper access. Count one of the proposed complaint alleges that
Uber's representation that it closely monitored and audited internal
access to consumers' personal information was false or misleading in
violation of Section 5 of the FTC Act in light of Uber's subsequent
failure to
monitor and audit such access between August 2015 and May 2016.\1\
---------------------------------------------------------------------------
\1\ Count one of the proposed complaint and the underlying
factual allegations are unchanged from the proposed complaint
against Uber that the Commission issued previously as part of the
August 2017 proposed consent agreement.
---------------------------------------------------------------------------
The proposed complaint also alleges that Uber failed to provide
reasonable security for consumer information stored in a third-party
cloud storage service provided by Amazon Web Services (``AWS'') called
the Amazon Simple Storage Service (the ``Amazon S3 Datastore''). Uber
stores in the Amazon S3 Datastore a variety of files that contain
sensitive personal information, including full and partial back-ups of
Uber databases. These back-ups contain a broad range of Rider and
Driver personal information, including, among other things, names,
email addresses, phone numbers, driver's license numbers, and trip
records with precise geolocation information.
From July 13, 2013 to July 15, 2015, Uber's privacy policy
described the security measures Uber used to protect the personal
information it collected from consumers, stating that such information
``is securely stored within our databases, and we use standard,
industry-wide commercially reasonable security practices such as
encryption, firewalls and SSL (Secure Socket Layers) for protecting
your information--such as any portions of your credit card number which
we retain . . . and geo-location information.'' Additionally, Uber's
customer service representatives offered assurances about the strength
of Uber's security practices to consumers who were reluctant to submit
personal information to Uber.
As described below, count two of the proposed complaint alleges
that the above statements violated Section 5 of the FTC Act because
Uber engaged in a number of practices that, taken together, failed to
provide reasonable security to prevent unauthorized access to Rider and
Driver personal information in the Amazon S3 Datastore.\2\
Specifically, Uber allegedly:
---------------------------------------------------------------------------
\2\ Count two of the proposed complaint addresses the same
allegedly false or misleading statements as did count two of the
proposed complaint against Uber that the Commission issued as part
of the August 2017 proposed consent agreement. The proposed
complaint includes allegations that the now withdrawn complaint
included to support count two and also includes additional
allegations to support count two based on new information the
Commission obtained after August 2017.
---------------------------------------------------------------------------
Failed to implement reasonable access controls to
safeguard data stored in the Amazon S3 Datastore. For example, Uber (1)
until approximately September 2014, permitted engineers to access the
Amazon S3 Datastore with a single, shared AWS access key that provided
full administrative privileges over all data stored there; (2) until
approximately September 2014, failed to restrict access to systems
based on employees' job functions; and (3) until approximately
September 2015, failed to require multi-factor authentication for
individual account access, and until at least November 2016, failed to
require multi-factor authentication for programmatic service account
access, to the Amazon S3 Datastore;
Until at least September 2014, failed to implement
reasonable security training and guidance;
Until approximately September 2014, failed to have a
written information security program; and
Until at least November 2016, stored sensitive personal
information in the Amazon S3 Datastore in clear, readable text, rather
than encrypting the information.
As a result of these failures, intruders accessed Uber's Amazon S3
Datastore multiple times using access keys that Uber engineers had
posted to GitHub, a code-sharing site used by software developers.
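The failure mode described in the preceding paragraphs (an access key with full administrative rights, committed to a source repository and later reused by intruders) is one that can be checked for mechanically. The following is an added example, not code from the FTC notice, from Uber, or from any GitHub product: a scanner that walks repository file contents and reports AWS access key IDs and secret access keys. The key-ID pattern follows the published AWS format (an AKIA or ASIA prefix plus 16 base32 characters) and the 40-character secret format; the entropy threshold, the `scan_repo` file-map interface and the sample repository contents are assumptions constructed for this example and contain no real credentials.

```python
"""Scan repository contents for committed AWS credentials.

Added example; not code from the FTC notice or from Uber. The sample files
at the bottom are constructed for this example and are not real secrets.
"""
import math
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Long-lived IAM access key IDs start with AKIA, STS temporary ones with ASIA,
# followed by 16 base32 characters. Lookarounds stop matches inside longer tokens.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z2-7]{16}(?![A-Z0-9])")

# A secret access key is 40 characters from the base64 alphabet. Because that
# alone matches many hashes, a candidate is only reported when the same line
# names a secret key (an assumption made to limit false positives).
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_?secret_?access_?key|secret_?key)\W{0,5}['\"]?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # first four characters kept, the rest masked


def shannon_entropy(s: str) -> float:
    """Bits per character. Random 40-character secrets score well above 4;
    placeholders such as 'xxxx...' score near 0."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to a key without exposing it."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> List[Finding]:
    """Scan one file's contents; min_entropy is an assumed threshold for secrets."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(path, line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(2)
            if shannon_entropy(candidate) >= min_entropy:
                findings.append(
                    Finding(path, line_no, "secret_access_key", redact(candidate))
                )
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """files maps a repository-relative path to its contents, e.g. read from
    `git ls-files` output or a pre-commit hook's staged blobs."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def has_leaked_credentials(files: Dict[str, str]) -> bool:
    """Convenience predicate for a pre-commit or CI gate."""
    return bool(scan_repo(files))


# Constructed sample repository (not real credentials).
SAMPLE_REPO: Dict[str, str] = {
    "deploy/settings.py": (
        "S3_BUCKET = 'backups'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY2345AB'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "README.md": "Set AWS_SECRET_ACCESS_KEY in your environment; never commit it.\n",
    # Low-entropy placeholder: matched by the regex, rejected by the entropy check.
    "tests/fixtures.py": "SECRET_KEY = '" + "x" * 40 + "'  # placeholder\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
```

Running the block reports only the two credentials in `deploy/settings.py`; the README mention and the all-x placeholder produce nothing. In practice the same scan belongs in a pre-commit hook and in CI over every historical commit, since a key removed in a later commit is still retrievable from history, and any key that has ever been committed should be rotated rather than merely deleted.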
First, on or about May 12, 2014, an intruder accessed Uber's Amazon
S3 Datastore using an access key that was publicly posted and granted
full administrative privileges to all data and documents stored within
Uber's Amazon S3 Datastore (the ``2014 data breach''). The intruder
accessed one file that contained sensitive personal information
belonging to Uber Drivers, including over 100,000 unencrypted names and
driver's license numbers, 215 unencrypted names and bank account and
domestic routing numbers, and 84 unencrypted names and Social Security
numbers. Uber did not discover the breach until September 2014. Uber
sent breach notification letters to affected Uber Drivers in February
2015. Uber later learned of more affected Uber Drivers in May and July
2016 and sent breach notification letters to those Drivers in June and
August 2016.
Second, between October 13, 2016 and November 15, 2016, intruders
accessed Uber's Amazon S3 Datastore using an AWS access key that was
posted to a private GitHub repository (``the 2016 data breach''). Uber
granted its engineers access to Uber's GitHub repositories through
engineers' individual GitHub accounts, which engineers generally
accessed through personal email addresses. Uber did not have a policy
prohibiting engineers from reusing credentials, and did not require
engineers to enable multi-factor authentication when accessing Uber's
GitHub repositories. The intruders who committed the 2016 breach said
that they accessed Uber's GitHub page using passwords that were
previously exposed in other large data breaches, whereupon they
discovered the AWS access key they used to access and download files
from Uber's Amazon S3 Datastore. The intruders downloaded sixteen files
that contained unencrypted consumer personal information relating to
U.S. Riders and Drivers, including approximately 25.6 million names and
email addresses, 22.1 million names and mobile phone numbers, and
607,000 names and driver's license numbers. Nearly all of the exposed
personal information was collected before July 2015 and stored in
unencrypted database backup files.
Uber discovered the 2016 data breach on or about November 14, 2016,
when one of the attackers contacted Uber claiming to have compromised
Uber's ``databases'' and demanding a six-figure payout. Uber paid the
attackers $100,000 through the third party that administers Uber's
``bug bounty'' program. Respondent created the bug bounty program to
pay financial rewards in exchange for the responsible disclosure of
serious security vulnerabilities. However, the attackers who committed
the 2016 data breach were fundamentally different from legitimate bug
bounty recipients. Instead of responsibly disclosing a vulnerability,
the attackers maliciously exploited the vulnerability and acquired
millions of consumers' personal information.
Uber failed to disclose the 2016 data breach to affected consumers
until November 21, 2017, more than a year after discovering it. Uber
also failed to disclose the 2016 data breach to the Commission until
November 2017 despite the fact that the breach occurred in the midst of
a nonpublic Commission investigation relating to Uber's data security
practices, including, specifically, the security of Uber's Amazon S3
Datastore.
The proposed consent order contains provisions designed to prevent
Uber from engaging in acts and practices in the future similar to those
alleged in the proposed complaint.
Part I of the proposed order prohibits Uber from making any
misrepresentations about the extent to which Uber monitors or audits
internal access to consumers' personal information or the extent to
which Uber protects the privacy, confidentiality, security, or
integrity of consumers' personal information. This Part is identical to
Part I of the August 2017 proposed consent agreement.
Part II of the proposed order requires Uber to implement a mandated
comprehensive privacy program that is reasonably designed to (1)
address privacy risks related to the development and management of new
and existing products and services for consumers, and (2) protect the
privacy and confidentiality of consumers' personal information. Part
II.B includes new language that requires Uber's mandated privacy risk
assessments to include consideration of risks and safeguards related to
(a) secure software design, development, and testing, including access
key and secret key management and secure cloud storage; (b) review,
assessment, and response to third-party security vulnerability reports,
including through a ``bug bounty'' or similar program; and (c)
prevention, detection, and response to attacks, intrusions, or systems
failures.
Part III of the proposed order requires Uber to undergo biennial
assessments of its mandated privacy program by a third party. Part III
has been revised from the August 2017 proposed consent agreement to
require Uber to submit to the Commission each of its assessments rather
than only its initial assessment.
Part IV of the proposed order requires Uber to submit a report to
the Commission if Uber discovers any ``covered incident'' involving
unauthorized access or acquisition of consumer information. This Part
is new.
Parts V through IX of the proposed order are reporting and
compliance provisions. Part V requires dissemination of the order now
and in the future to all current and future principals, officers,
directors, and managers, and to persons who participate in conduct
related to the subject matter of the order, including all employees,
agents, and representatives who regularly access personal information.
Part VI mandates that Uber submit a compliance report to the FTC one
year after issuance of the order and submit additional notices as
specified. Parts VII and VIII require Uber to retain documents relating
to its compliance with the order, and to provide such additional
information or documents as are necessary for the Commission to monitor
compliance. Part IX states that the order will remain in effect for 20
years.
These provisions include modifications from the August 2017
proposed consent agreement. Part V expands the acknowledgement of order
provision to require Uber to obtain signed acknowledgements from all
employees, agents, and representatives who regularly access personal
information that Uber collects or receives from or about consumers,
rather than limiting the requirement to employees with managerial
responsibility related to the order. And Part VII contains modified
recordkeeping provisions and new recordkeeping provisions relating to
Uber's bug bounty program and its subpoenas and communications with law
enforcement.
The purpose of this analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the complaint or proposed order, or to modify in any
way the proposed order's terms.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-08600 Filed 4-24-18; 8:45 am]
BILLING CODE 6750-01-P