Uber Technologies, Inc.; Analysis To Aid Public Comment, 18061-18064 [2018-08600]

Download as PDF sradovich on DSK3GMQ082PROD with NOTICES Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Notices Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible FTC website at https://www.ftc.gov/, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive VerDate Sep<11>2014 19:12 Apr 24, 2018 Jkt 244001 public comments that it receives on or before May 25, 2018. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/ site-information/privacy-policy. For supporting documentation and other information underlying the PRA discussion in this Notice, see http:// www.reginfo.gov/public/jsp/PRA/ praDashboard.jsp. Comments on the information collection requirements subject to review under the PRA should additionally be submitted to OMB. If sent by U.S. mail, they should be addressed to Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW, Washington, DC 20503. Comments sent to OMB by U.S. postal mail, however, are subject to delays due to heightened security precautions. Thus, comments instead can also be sent by email to wliberante@ omb.eop.gov. David C. Shonka, Principal Deputy General Counsel. [FR Doc. 2018–08627 Filed 4–24–18; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION [File No. 152 3054] Uber Technologies, Inc.; Analysis To Aid Public Comment Federal Trade Commission. Proposed consent agreement. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis To Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations. DATES: Comments must be received on or before May 14, 2018. ADDRESSES: Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write: ‘‘Uber Technologies, Inc.’’ on your comment, and file your comment online at https:// ftcpublic.commentworks.com/ftc/ reviseduberconsent by following the instructions on the web-based form. If you prefer to file your comment on SUMMARY: PO 00000 Frm 00069 Fmt 4703 Sfmt 4703 18061 paper, write ‘‘Uber Technologies, Inc.’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC– 5610 (Annex D), Washington, DC 20580; or deliver your comment to: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Ben Rossen (202–326–3679) and James Trilling (202–326–3497), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW, Washington, DC 20580. SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for April 12, 2018), on the World Wide Web, at https:// www.ftc.gov/news-events/commissionactions. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before May 14, 2018. Write ‘‘Uber Technologies, Inc.’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission website, at https://www.ftc.gov/policy/publiccomments. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ reviseduberconsent by following the instructions on the web-based form. If this Notice appears at http:// www.regulations.gov/#!home, you also may file a comment through that website. If you prefer to file your comment on paper, write ‘‘Uber Technologies, Inc.’’ on your comment and on the envelope, and mail your comment to the following E:\FR\FM\25APN1.SGM 25APN1 sradovich on DSK3GMQ082PROD with NOTICES 18062 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Notices address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC– 5610 (Annex D), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Because your comment will be placed on the publicly accessible FTC website at https://www.ftc.gov, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any ‘‘trade secret or any commercial or financial information which . . . is privileged or confidential’’—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled ‘‘Confidential,’’ and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the public FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or remove your comment from the FTC website, unless you submit a confidentiality request that meets the requirements for such treatment under VerDate Sep<11>2014 19:12 Apr 24, 2018 Jkt 244001 FTC Rule 4.9(c), and the General Counsel grants that request. Visit the FTC website at http:// www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before May 14, 2018. For information on the Commission’s privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/ privacy-policy. Analysis of Proposed Consent Order To Aid Public Comment The Federal Trade Commission has withdrawn its acceptance of the agreement containing consent order from Uber Technologies, Inc. (‘‘Uber’’) that the Commission released for public comment in this proceeding on August 15, 2017 (‘‘August 2017 proposed consent agreement’’), and has accepted, subject to final approval, a new agreement containing consent order from Uber (‘‘April 2018 proposed consent agreement’’). The April 2018 proposed consent agreement has been placed on the public record for thirty (30) days for receipt of comments by interested persons. All comments received during this period will become part of the public record. Interested persons who submitted comments during the public comment period for the August 2017 proposed consent agreement should resubmit their original comments, or submit new comments, during the new comment period if they would like the Commission to consider their comments when the Commission decides whether to make final the April 2018 proposed consent agreement. After thirty (30) days, the Commission again will review the April 2018 proposed consent agreement, and the comments received, and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order. Since 2010, Uber has operated a mobile application (the ‘‘App’’) that connects consumers who are transportation providers (‘‘Drivers’’) with consumers seeking those services (‘‘Riders’’). Riders book transportation or delivery services through a publiclyavailable version of the App that can be downloaded to a smartphone. When a Rider requests transportation through the App, the request is conveyed to a nearby Uber Driver signed into the App. Drivers use the App to determine which ride requests they will accept. PO 00000 Frm 00070 Fmt 4703 Sfmt 4703 Uber collects a variety of personal information from Drivers, including names, email addresses, phone numbers, postal addresses, Social Security numbers, driver’s license numbers, bank account information, vehicle registration information, and insurance information. With respect to Riders, Uber collects names, email addresses, postal addresses, and detailed trip records with precise geolocation information, among other things. In November 2014, Uber was the subject of various news reports describing improper access and use of consumer personal information, including geolocation information, by Uber employees. One article reported that an Uber executive had suggested that Uber should hire ‘‘opposition researchers’’ to look into the ‘‘personal lives’’ of journalists who criticized Uber’s practices. Another article described an aerial tracking tool known as ‘‘God View’’ that displayed the personal information of Riders using Uber’s services. These reports led to considerable consumer uproar. In an effort to respond to consumer concerns, Uber issued a statement describing its policies concerning access to Rider and Driver data. As part of that statement, Uber promised that all ‘‘access to rider and driver accounts is being closely monitored and audited by data security specialists on an ongoing basis, and any violations of the policy will result in disciplinary action, including the possibility of termination and legal action.’’ As alleged in the proposed complaint, Uber has not monitored or audited its employees’ access to Rider and Driver personal information on an ongoing basis since November 2014. In fact, between approximately August 2015 and May 2016, Uber did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives. During this time, Uber did not otherwise monitor internal access to personal information unless an employee specifically reported that a coworker had engaged in improper access. Count one of the proposed complaint alleges that Uber’s representation that it closely monitored and audited internal access to consumers’ personal information was false or misleading in violation of Section 5 of the FTC Act in light of Uber’s subsequent failure to E:\FR\FM\25APN1.SGM 25APN1 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Notices sradovich on DSK3GMQ082PROD with NOTICES monitor and audit such access between August 2015 and May 2016.1 The proposed complaint also alleges that Uber failed to provide reasonable security for consumer information stored in a third-party cloud storage service provided by Amazon Web Services (‘‘AWS’’) called the Amazon Simple Storage Service (the ‘‘Amazon S3 Datastore’’). Uber stores in the Amazon S3 Datastore a variety of files that contain sensitive personal information, including full and partial back-ups of Uber databases. These backups contain a broad range of Rider and Driver personal information, including, among other things, names, email addresses, phone numbers, driver’s license numbers, and trip records with precise geolocation information. From July 13, 2013 to July 15, 2015, Uber’s privacy policy described the security measures Uber used to protect the personal information it collected from consumers, stating that such information ‘‘is securely stored within our databases, and we use standard, industry-wide commercially reasonable security practices such as encryption, firewalls and SSL (Secure Socket Layers) for protecting your information—such as any portions of your credit card number which we retain . . . and geo-location information.’’ Additionally, Uber’s customer service representatives offered assurances about the strength of Uber’s security practices to consumers who were reluctant to submit personal information to Uber. As described below, count two of the proposed complaint alleges that the above statements violated Section 5 of the FTC Act because Uber engaged in a number of practices that, taken together, failed to provide reasonable security to prevent unauthorized access to Rider and Driver personal information in the Amazon S3 Datastore.2 Specifically, Uber allegedly: • Failed to implement reasonable access controls to safeguard data stored in the Amazon S3 Datastore. For example, Uber (1) until approximately September 2014, permitted engineers to 1 Count one of the proposed complaint and the underlying factual allegations are unchanged from the proposed complaint against Uber that the Commission issued previously as part of the August 2017 proposed consent agreement. 2 Count two of the proposed complaint addresses the same allegedly false or misleading statements as did count two of the proposed complaint against Uber that the Commission issued as part of the August 2017 proposed consent agreement. The proposed complaint includes allegations that the now withdrawn complaint included to support count two and also includes additional allegations to support count two based on new information the Commission obtained after August 2017. VerDate Sep<11>2014 19:12 Apr 24, 2018 Jkt 244001 access the Amazon S3 Datastore with a single, shared AWS access key that provided full administrative privileges over all data stored there; (2) until approximately September 2014, failed to restrict access to systems based on employees’ job functions; and (3) until approximately September 2015, failed to require multi-factor authentication for individual account access, and until at least November 2016, failed to require multi-factor authentication for programmatic service account access, to the Amazon S3 Datastore; • Until at least September 2014, failed to implement reasonable security training and guidance; • Until approximately September 2014, failed to have a written information security program; and • Until at least November 2016, stored sensitive personal information in the Amazon S3 Datastore in clear, readable text, rather than encrypting the information. As a result of these failures, intruders accessed Uber’s Amazon S3 Datastore multiple times using access keys that Uber engineers had posted to GitHub, a code-sharing site used by software developers. First, on or about May 12, 2014, an intruder accessed Uber’s Amazon S3 Datastore using an access key that was publicly posted and granted full administrative privileges to all data and documents stored within Uber’s Amazon S3 Datastore (the ‘‘2014 data breach’’). The intruder accessed one file that contained sensitive personal information belonging to Uber Drivers, including over 100,000 unencrypted names and driver’s license numbers, 215 unencrypted names and bank account and domestic routing numbers, and 84 unencrypted names and Social Security numbers. Uber did not discover the breach until September 2014. Uber sent breach notification letters to affected Uber Drivers in February 2015. Uber later learned of more affected Uber Drivers in May and July 2016 and sent breach notification letters to those Drivers in June and August 2016. Second, between October 13, 2016 and November 15, 2016, intruders accessed Uber’s Amazon S3 Datastore using an AWS access key that was posted to a private GitHub repository (‘‘the 2016 data breach’’). Uber granted its engineers access to Uber’s GitHub repositories through engineers’ individual GitHub accounts, which engineers generally accessed through personal email addresses. Uber did not have a policy prohibiting engineers from reusing credentials, and did not require engineers to enable multi-factor authentication when accessing Uber’s PO 00000 Frm 00071 Fmt 4703 Sfmt 4703 18063 GitHub repositories. The intruders who committed the 2016 breach said that they accessed Uber’s GitHub page using passwords that were previously exposed in other large data breaches, whereupon they discovered the AWS access key they used to access and download files from Uber’s Amazon S3 Datastore. The intruders downloaded sixteen files that contained unencrypted consumer personal information relating to U.S. Riders and Drivers, including approximately 25.6 million names and email addresses, 22.1 million names and mobile phone numbers, and 607,000 names and driver’s license numbers. Nearly all of the exposed personal information was collected before July 2015 and stored in unencrypted database backup files. Uber discovered the 2016 data breach on or about November 14, 2016, when one of the attackers contacted Uber claiming to have compromised Uber’s ‘‘databases’’ and demanding a six-figure payout. Uber paid the attackers $100,000 through the third party that administers Uber’s ‘‘bug bounty’’ program. Respondent created the bug bounty program to pay financial rewards in exchange for the responsible disclosure of serious security vulnerabilities. However, the attackers who committed the 2016 data breach were fundamentally different from legitimate bug bounty recipients. Instead of responsibly disclosing a vulnerability, the attackers maliciously exploited the vulnerability and acquired millions of consumers’ personal information. Uber failed to disclose the 2016 data breach to affected consumers until November 21, 2017, more than a year after discovering it. Uber also failed to disclose the 2016 data breach to the Commission until November 2017 despite the fact that the breach occurred in the midst of a nonpublic Commission investigation relating to Uber’s data security practices, including, specifically, the security of Uber’s Amazon S3 Datastore. The proposed consent order contains provisions designed to prevent Uber from engaging in acts and practices in the future similar to those alleged in the proposed complaint. Part I of the proposed order prohibits Uber from making any misrepresentations about the extent to which Uber monitors or audits internal access to consumers’ personal information or the extent to which Uber protects the privacy, confidentiality, security, or integrity of consumers’ personal information. This Part is identical to Part I of the August 2017 proposed consent agreement. E:\FR\FM\25APN1.SGM 25APN1 sradovich on DSK3GMQ082PROD with NOTICES 18064 Federal Register / Vol. 83, No. 80 / Wednesday, April 25, 2018 / Notices Part II of the proposed order requires Uber to implement a mandated comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of consumers’ personal information. Part II.B includes new language that requires Uber’s mandated privacy risk assessments to include consideration of risks and safeguards related to (a) secure software design, development, and testing, including access key and secret key management and secure cloud storage; (b) review, assessment, and response to third-party security vulnerability reports, including through a ‘‘bug bounty’’ or similar program; and (c) prevention, detection, and response to attacks, intrusions, or systems failures. Part III of the proposed order requires Uber to undergo biennial assessments of its mandated privacy program by a third party. Part III has been revised from the August 2017 proposed consent agreement to require Uber to submit to the Commission each of its assessments rather than only its initial assessment. Part IV of the proposed order requires Uber to submit a report to the Commission if Uber discovers any ‘‘covered incident’’ involving unauthorized access or acquisition of consumer information. This Part is new. Parts V through IX of the proposed order are reporting and compliance provisions. Part V requires dissemination of the order now and in the future to all current and future principals, officers, directors, and managers, and to persons who participate in conduct related to the subject matter of the order, including all employees, agents, and representatives who regularly access personal information. Part VI mandates that Uber submit a compliance report to the FTC one year after issuance of the order and submit additional notices as specified. Parts VII and VIII require Uber to retain documents relating to its compliance with the order, and to provide such additional information or documents as are necessary for the Commission to monitor compliance. Part IX states that the order will remain in effect for 20 years. These provisions include modifications from the August 2017 proposed consent agreement. Part V expands the acknowledgement of order provision to require Uber to obtain signed acknowledgements from all employees, agents, and representatives who regularly access personal information that Uber collects or VerDate Sep<11>2014 19:12 Apr 24, 2018 Jkt 244001 receives from or about consumers, rather than limiting the requirement to employees with managerial responsibility related to the order. And Part VII contains modified recordkeeping provisions and new recordkeeping provisions relating to Uber’s bug bounty program and its subpoenas and communications with law enforcement. The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order’s terms. By direction of the Commission. Donald S. Clark, Secretary. [FR Doc. 2018–08600 Filed 4–24–18; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES National Institutes of Health National Institute of Diabetes and Digestive and Kidney Diseases; Notice of Closed Meetings Pursuant to section 10(d) of the Federal Advisory Committee Act, as amended, notice is hereby given of the following meetings. The meetings will be closed to the public in accordance with the provisions set forth in sections 552b(c)(4) and 552b(c)(6), Title 5 U.S.C., as amended. The grant applications and the discussions could disclose confidential trade secrets or commercial property such as patentable material, and personal information concerning individuals associated with the grant applications, the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; NIDDK–KURe–K12 Telephone Review. Date: May 7, 2018. Time: 12:00 p.m. to 1:30 p.m. Agenda: To review and evaluate grant applications. Place: National Institutes of Health, Two Democracy Plaza, 6707 Democracy Boulevard, Bethesda, MD 20892 (Telephone Conference Call). Contact Person: Xiaodu Guo, MD, Ph.D., Scientific Review Officer, Review Branch, DEA, NIDDK, National Institutes of Health, Room 7023, 6707 Democracy Boulevard, Bethesda, MD 20892–5452, (301) 594–4719, guox@extra.niddk.nih.gov. This notice is being published less than 15 days prior to the meeting due to the timing PO 00000 Frm 00072 Fmt 4703 Sfmt 4703 limitations imposed by the review and funding cycle. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; NIDDK KUH Fellowship Review. Date: June 6, 2018. Time: 8:00 a.m. to 2:00 p.m. Agenda: To review and evaluate grant applications. Place: Bethesda North Marriott Hotel and Conference Center, Montgomery County Conference Center Facility, 5701 Marinelli Road, Bethesda, MD 20852. Contact Person: Xiaodu Guo, MD, Ph.D., Scientific Review Officer, Review Branch, DEA, NIDDK, National Institutes of Health, Room 7023, 6707 Democracy Boulevard, Bethesda, MD 20892–5452, (301) 594–4719, guox@extra.niddk.nih.gov. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; The NIDDK DDK–D Member Conflict SEP. Date: June 6, 2018. Time: 9:00 a.m. to 3:00 p.m. Agenda: To review and evaluate grant applications. Place: Bethesda North Marriott Hotel and Conference Center, Montgomery County Conference Center Facility, 5701 Marinelli Road, North Bethesda, MD 20852. Contact Person: Xiaodu Guo, MD, Ph.D., Scientific Review Officer, Review Branch, DEA, NIDDK, National Institutes of Health, Room 7023, 6707 Democracy Boulevard, Bethesda, MD 20892–5452, (301) 594–4719, guox@extra.niddk.nih.gov. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; Fellowships in Digestive Diseases and Nutrition. Date: June 7–8, 2018. Time: 8:00 a.m. to 5:00 p.m. Agenda: To review and evaluate grant applications. Place: Residence Inn Bethesda, 7335 Wisconsin Avenue, Bethesda, MD 20814. Contact Person: Jian Yang, Ph.D., Scientific Review Officer, Review Branch, DEA, NIDDK, National Institutes of Health, Room 7111, 6707 Democracy Boulevard, Bethesda, MD 20892–5452, (301) 594–7799, yangj@ extra.niddk.nih.gov. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; DDK–C Conflicts. Date: June 8, 2018. Time: 8:00 a.m. to 12:00 p.m. Agenda: To review and evaluate grant applications. Place: Residence Inn Bethesda, 7335 Wisconsin Avenue, Bethesda, MD 20814. Contact Person: Jian Yang, Ph.D., Scientific Review Officer, Review Branch, DEA, NIDDK, National Institutes of Health, Room 7111, 6707 Democracy Boulevard, Bethesda, MD 20892–5452, (301) 594–7799, yangj@ extra.niddk.nih.gov. Name of Committee: National Institute of Diabetes and Digestive and Kidney Diseases Special Emphasis Panel; O’Brien Urology Centers. Date: July 10–11, 2018. Time: 3:00 p.m. to 6:00 p.m. E:\FR\FM\25APN1.SGM 25APN1

Agencies

[Federal Register Volume 83, Number 80 (Wednesday, April 25, 2018)]
[Notices]
[Pages 18061-18064]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-08600]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 152 3054]


Uber Technologies, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis To Aid Public Comment describes both 
the allegations in the complaint and the terms of the consent order--
embodied in the consent agreement--that would settle these allegations.

DATES: Comments must be received on or before May 14, 2018.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write: ``Uber Technologies, 
Inc.'' on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the 
instructions on the web-based form. If you prefer to file your comment 
on paper, write ``Uber Technologies, Inc.'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex D), Washington, DC 20580; or deliver your comment to: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Ben Rossen (202-326-3679) and James 
Trilling (202-326-3497), Bureau of Consumer Protection, 600 
Pennsylvania Avenue NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for April 12, 2018), on the World Wide Web, at 
https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before May 14, 2018. 
Write ``Uber Technologies, Inc.'' on your comment. Your comment--
including your name and your state--will be placed on the public record 
of this proceeding, including, to the extent practicable, on the public 
Commission website, at https://www.ftc.gov/policy/public-comments.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/reviseduberconsent by following the instructions on the web-based 
form. If this Notice appears at http://www.regulations.gov/#!home, you 
also may file a comment through that website.
    If you prefer to file your comment on paper, write ``Uber 
Technologies, Inc.'' on your comment and on the envelope, and mail your 
comment to the following

[[Page 18062]]

address: Federal Trade Commission, Office of the Secretary, 600 
Pennsylvania Avenue NW, Suite CC-5610 (Annex D), Washington, DC 20580; 
or deliver your comment to the following address: Federal Trade 
Commission, Office of the Secretary, Constitution Center, 400 7th 
Street SW, 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If 
possible, submit your paper comment to the Commission by courier or 
overnight service.
    Because your comment will be placed on the publicly accessible FTC 
website at https://www.ftc.gov, you are solely responsible for making 
sure that your comment does not include any sensitive or confidential 
information. In particular, your comment should not include any 
sensitive personal information, such as your or anyone else's Social 
Security number; date of birth; driver's license number or other state 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure that your comment does not include 
any sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 
16 CFR 4.10(a)(2)--including in particular competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC website--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC website, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    Visit the FTC website at http://www.ftc.gov to read this Notice and 
the news release describing it. The FTC Act and other laws that the 
Commission administers permit the collection of public comments to 
consider and use in this proceeding, as appropriate. The Commission 
will consider all timely and responsive public comments that it 
receives on or before May 14, 2018. For information on the Commission's 
privacy policy, including routine uses permitted by the Privacy Act, 
see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has withdrawn its acceptance of the 
agreement containing consent order from Uber Technologies, Inc. 
(``Uber'') that the Commission released for public comment in this 
proceeding on August 15, 2017 (``August 2017 proposed consent 
agreement''), and has accepted, subject to final approval, a new 
agreement containing consent order from Uber (``April 2018 proposed 
consent agreement'').
    The April 2018 proposed consent agreement has been placed on the 
public record for thirty (30) days for receipt of comments by 
interested persons. All comments received during this period will 
become part of the public record. Interested persons who submitted 
comments during the public comment period for the August 2017 proposed 
consent agreement should resubmit their original comments, or submit 
new comments, during the new comment period if they would like the 
Commission to consider their comments when the Commission decides 
whether to make final the April 2018 proposed consent agreement. After 
thirty (30) days, the Commission again will review the April 2018 
proposed consent agreement, and the comments received, and will decide 
whether it should withdraw from the agreement or make final the 
agreement's proposed order.
    Since 2010, Uber has operated a mobile application (the ``App'') 
that connects consumers who are transportation providers (``Drivers'') 
with consumers seeking those services (``Riders''). Riders book 
transportation or delivery services through a publicly-available 
version of the App that can be downloaded to a smartphone. When a Rider 
requests transportation through the App, the request is conveyed to a 
nearby Uber Driver signed into the App.
    Drivers use the App to determine which ride requests they will 
accept. Uber collects a variety of personal information from Drivers, 
including names, email addresses, phone numbers, postal addresses, 
Social Security numbers, driver's license numbers, bank account 
information, vehicle registration information, and insurance 
information. With respect to Riders, Uber collects names, email 
addresses, postal addresses, and detailed trip records with precise 
geolocation information, among other things.
    In November 2014, Uber was the subject of various news reports 
describing improper access and use of consumer personal information, 
including geolocation information, by Uber employees. One article 
reported that an Uber executive had suggested that Uber should hire 
``opposition researchers'' to look into the ``personal lives'' of 
journalists who criticized Uber's practices. Another article described 
an aerial tracking tool known as ``God View'' that displayed the 
personal information of Riders using Uber's services. These reports led 
to considerable consumer uproar. In an effort to respond to consumer 
concerns, Uber issued a statement describing its policies concerning 
access to Rider and Driver data. As part of that statement, Uber 
promised that all ``access to rider and driver accounts is being 
closely monitored and audited by data security specialists on an 
ongoing basis, and any violations of the policy will result in 
disciplinary action, including the possibility of termination and legal 
action.''
    As alleged in the proposed complaint, Uber has not monitored or 
audited its employees' access to Rider and Driver personal information 
on an ongoing basis since November 2014. In fact, between approximately 
August 2015 and May 2016, Uber did not timely follow up on automated 
alerts concerning the potential misuse of consumer personal 
information, and for approximately the first six months of this period 
only monitored access to account information belonging to a set of 
internal high-profile users, such as Uber executives. During this time, 
Uber did not otherwise monitor internal access to personal information 
unless an employee specifically reported that a co-worker had engaged 
in improper access. Count one of the proposed complaint alleges that 
Uber's representation that it closely monitored and audited internal 
access to consumers' personal information was false or misleading in 
violation of Section 5 of the FTC Act in light of Uber's subsequent 
failure to

[[Page 18063]]

monitor and audit such access between August 2015 and May 2016.\1\
---------------------------------------------------------------------------

    \1\ Count one of the proposed complaint and the underlying 
factual allegations are unchanged from the proposed complaint 
against Uber that the Commission issued previously as part of the 
August 2017 proposed consent agreement.
---------------------------------------------------------------------------

    The proposed complaint also alleges that Uber failed to provide 
reasonable security for consumer information stored in a third-party 
cloud storage service provided by Amazon Web Services (``AWS'') called 
the Amazon Simple Storage Service (the ``Amazon S3 Datastore''). Uber 
stores in the Amazon S3 Datastore a variety of files that contain 
sensitive personal information, including full and partial back-ups of 
Uber databases. These back-ups contain a broad range of Rider and 
Driver personal information, including, among other things, names, 
email addresses, phone numbers, driver's license numbers, and trip 
records with precise geolocation information.
    From July 13, 2013 to July 15, 2015, Uber's privacy policy 
described the security measures Uber used to protect the personal 
information it collected from consumers, stating that such information 
``is securely stored within our databases, and we use standard, 
industry-wide commercially reasonable security practices such as 
encryption, firewalls and SSL (Secure Socket Layers) for protecting 
your information--such as any portions of your credit card number which 
we retain . . . and geo-location information.'' Additionally, Uber's 
customer service representatives offered assurances about the strength 
of Uber's security practices to consumers who were reluctant to submit 
personal information to Uber.
    As described below, count two of the proposed complaint alleges 
that the above statements violated Section 5 of the FTC Act because 
Uber engaged in a number of practices that, taken together, failed to 
provide reasonable security to prevent unauthorized access to Rider and 
Driver personal information in the Amazon S3 Datastore.\2\ 
Specifically, Uber allegedly:
---------------------------------------------------------------------------

    \2\ Count two of the proposed complaint addresses the same 
allegedly false or misleading statements as did count two of the 
proposed complaint against Uber that the Commission issued as part 
of the August 2017 proposed consent agreement. The proposed 
complaint includes allegations that the now withdrawn complaint 
included to support count two and also includes additional 
allegations to support count two based on new information the 
Commission obtained after August 2017.
---------------------------------------------------------------------------

     Failed to implement reasonable access controls to 
safeguard data stored in the Amazon S3 Datastore. For example, Uber (1) 
until approximately September 2014, permitted engineers to access the 
Amazon S3 Datastore with a single, shared AWS access key that provided 
full administrative privileges over all data stored there; (2) until 
approximately September 2014, failed to restrict access to systems 
based on employees' job functions; and (3) until approximately 
September 2015, failed to require multi-factor authentication for 
individual account access, and until at least November 2016, failed to 
require multi-factor authentication for programmatic service account 
access, to the Amazon S3 Datastore;
     Until at least September 2014, failed to implement 
reasonable security training and guidance;
     Until approximately September 2014, failed to have a 
written information security program; and
     Until at least November 2016, stored sensitive personal 
information in the Amazon S3 Datastore in clear, readable text, rather 
than encrypting the information.
    As a result of these failures, intruders accessed Uber's Amazon S3 
Datastore multiple times using access keys that Uber engineers had 
posted to GitHub, a code-sharing site used by software developers.
    First, on or about May 12, 2014, an intruder accessed Uber's Amazon 
S3 Datastore using an access key that was publicly posted and granted 
full administrative privileges to all data and documents stored within 
Uber's Amazon S3 Datastore (the ``2014 data breach''). The intruder 
accessed one file that contained sensitive personal information 
belonging to Uber Drivers, including over 100,000 unencrypted names and 
driver's license numbers, 215 unencrypted names and bank account and 
domestic routing numbers, and 84 unencrypted names and Social Security 
numbers. Uber did not discover the breach until September 2014. Uber 
sent breach notification letters to affected Uber Drivers in February 
2015. Uber later learned of more affected Uber Drivers in May and July 
2016 and sent breach notification letters to those Drivers in June and 
August 2016.
    Second, between October 13, 2016 and November 15, 2016, intruders 
accessed Uber's Amazon S3 Datastore using an AWS access key that was 
posted to a private GitHub repository (``the 2016 data breach''). Uber 
granted its engineers access to Uber's GitHub repositories through 
engineers' individual GitHub accounts, which engineers generally 
accessed through personal email addresses. Uber did not have a policy 
prohibiting engineers from reusing credentials, and did not require 
engineers to enable multi-factor authentication when accessing Uber's 
GitHub repositories. The intruders who committed the 2016 breach said 
that they accessed Uber's GitHub page using passwords that were 
previously exposed in other large data breaches, whereupon they 
discovered the AWS access key they used to access and download files 
from Uber's Amazon S3 Datastore. The intruders downloaded sixteen files 
that contained unencrypted consumer personal information relating to 
U.S. Riders and Drivers, including approximately 25.6 million names and 
email addresses, 22.1 million names and mobile phone numbers, and 
607,000 names and driver's license numbers. Nearly all of the exposed 
personal information was collected before July 2015 and stored in 
unencrypted database backup files.
    Uber discovered the 2016 data breach on or about November 14, 2016, 
when one of the attackers contacted Uber claiming to have compromised 
Uber's ``databases'' and demanding a six-figure payout. Uber paid the 
attackers $100,000 through the third party that administers Uber's 
``bug bounty'' program. Respondent created the bug bounty program to 
pay financial rewards in exchange for the responsible disclosure of 
serious security vulnerabilities. However, the attackers who committed 
the 2016 data breach were fundamentally different from legitimate bug 
bounty recipients. Instead of responsibly disclosing a vulnerability, 
the attackers maliciously exploited the vulnerability and acquired 
millions of consumers' personal information.
    Uber failed to disclose the 2016 data breach to affected consumers 
until November 21, 2017, more than a year after discovering it. Uber 
also failed to disclose the 2016 data breach to the Commission until 
November 2017 despite the fact that the breach occurred in the midst of 
a nonpublic Commission investigation relating to Uber's data security 
practices, including, specifically, the security of Uber's Amazon S3 
Datastore.
    The proposed consent order contains provisions designed to prevent 
Uber from engaging in acts and practices in the future similar to those 
alleged in the proposed complaint.
    Part I of the proposed order prohibits Uber from making any 
misrepresentations about the extent to which Uber monitors or audits 
internal access to consumers' personal information or the extent to 
which Uber protects the privacy, confidentiality, security, or 
integrity of consumers' personal information. This Part is identical to 
Part I of the August 2017 proposed consent agreement.

[[Page 18064]]

    Part II of the proposed order requires Uber to implement a mandated 
comprehensive privacy program that is reasonably designed to (1) 
address privacy risks related to the development and management of new 
and existing products and services for consumers, and (2) protect the 
privacy and confidentiality of consumers' personal information. Part 
II.B includes new language that requires Uber's mandated privacy risk 
assessments to include consideration of risks and safeguards related to 
(a) secure software design, development, and testing, including access 
key and secret key management and secure cloud storage; (b) review, 
assessment, and response to third-party security vulnerability reports, 
including through a ``bug bounty'' or similar program; and (c) 
prevention, detection, and response to attacks, intrusions, or systems 
failures.
    Part III of the proposed order requires Uber to undergo biennial 
assessments of its mandated privacy program by a third party. Part III 
has been revised from the August 2017 proposed consent agreement to 
require Uber to submit to the Commission each of its assessments rather 
than only its initial assessment.
    Part IV of the proposed order requires Uber to submit a report to 
the Commission if Uber discovers any ``covered incident'' involving 
unauthorized access or acquisition of consumer information. This Part 
is new.
    Parts V through IX of the proposed order are reporting and 
compliance provisions. Part V requires dissemination of the order now 
and in the future to all current and future principals, officers, 
directors, and managers, and to persons who participate in conduct 
related to the subject matter of the order, including all employees, 
agents, and representatives who regularly access personal information. 
Part VI mandates that Uber submit a compliance report to the FTC one 
year after issuance of the order and submit additional notices as 
specified. Parts VII and VIII require Uber to retain documents relating 
to its compliance with the order, and to provide such additional 
information or documents as are necessary for the Commission to monitor 
compliance. Part IX states that the order will remain in effect for 20 
years.
    These provisions include modifications from the August 2017 
proposed consent agreement. Part V expands the acknowledgement of order 
provision to require Uber to obtain signed acknowledgements from all 
employees, agents, and representatives who regularly access personal 
information that Uber collects or receives from or about consumers, 
rather than limiting the requirement to employees with managerial 
responsibility related to the order. And Part VII contains modified 
recordkeeping provisions and new recordkeeping provisions relating to 
Uber's bug bounty program and its subpoenas and communications with law 
enforcement.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.


    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-08600 Filed 4-24-18; 8:45 am]
 BILLING CODE 6750-01-P