Image: Bernard Lee
Uber has your home address. It has the addresses of the places you want to get to. It knows when you're going to church, to your boyfriend's house, to the union hall, to the doctor's office. And if you're a driver for Uber, it's tracking you for hours and hours each day.We talk a lot about NSA surveillance, National Security Letters, warrant canaries, facial recognition technology, a police van disguised as a Google Maps vehicle, the war against encryption, and government-mandated backdoors. And yeah, sure, the expansive net of government surveillance is really troubling. That's why organizations like the Electronic Frontier Foundation put out "Who's Got Your Back" reports, grading the technology industry on how they treat user privacy.
But these reports look at how the tech industry responds to government surveillance. Ultimately, the EFF gave Uber five out of five stars—endorsing the company as one that "has your back." Government surveillance is nothing to sneeze at, but reports like these implicitly turn a blind eye to the astounding privacy invasions that companies like Uber regularly engage in, all on their own—and not for purported national security reasons, but for their bottom line.Uber tracks its drivers via GPS. In Hangzhou, China, the company used tracking to find drivers that were attending taxi protests, and threatened to terminate them as drivers. It also uses gyroscopes to see how fast their drivers are going, or whether they are fiddling with their phones while driving. Maybe the safety benefits to passengers outweigh the privacy interests of drivers—but it only goes to show that Uber has a lot of ways to collect information on people.And it's not just through your smartphone. In 2015, Uber partnered with subprime lender Santander to offer automobile leases to prospective drivers. The Santander agreement included clauses that indicated that Santander may have been planning on leasing out vehicles that would include starter-interrupt devices—a combo GPS/killswitch that allows lenders to remotely turn off vehicles when the driver falls behind on payments, and then track down and repossess the car. Uber has since ended its partnership with Santander, but it's not clear whether Uber will use the devices in new lending programs. (When asked, Uber did not respond with any information.)
It's not just drivers that are affected by Uber's reach, and it's not just rank capitalism that motivates privacy invasions. In 2012, Uber published an astoundingly tasteless blog post that quantified user data to look at "Rides of Glory"—Uber rides that were being taken after one night stands.
There was no point to accessing private user data like this, except for a laugh at their passengers' expense, and Uber published the results for the whole world to see. The post has since been taken down—signaling a little more self-awareness at the company. But because there's little to no transparency into what it's doing behind passengers' and drivers' backs, we don't know if this kind of creepy data analysis is still going on.Worse, Uber doesn't disclose all the different types of information it's collecting on people.We asked a group of security researchers to see just how much data the Uber iOS app gobbles up, and how much it knows about you. The results were not overly surprising. Uber, among other things, knows where you are, the level of your battery, the model of your phone, your IP address, whether your phone is rooted or jailbroken, and even the MAC address of your Bluetooth chip (it's unclear why the company needs that). (When we asked Uber for comment, they just sent us to their FAQ page for app permissions.)
Are consumers actually aware all this data is sent over to Uber's servers?
All in all, it's what you'd expect for a company that runs an online and mobile service, but maybe that's the point: are consumers actually aware all this data is sent over to Uber's servers? And what does Uber do with it once the data is there?The old trope is, "I have nothing to hide." But the kind of data that Uber has access to—even if it's not, say, the actual contents of your email or the actual conversations you're having on your phone—is extremely invasive.In the Supreme Court case US v. Jones, Justice Sotomayor noted in her concurrence that GPS tracking data could say a lot about a person. "Disclosed in [GPS] data . . . will be trips the indisputably private nature of which takes little imagination to conjure: trips to the psychiatrist, the plastic surgeon, the abortion clinic, the AIDS treatment center, the strip club, the criminal defense attorney, the by-the-hour motel, the union meeting, the mosque, synagogue or church, the gay bar and on and on."The result of Jones was that government has to get a warrant to put a GPS tracker on your car. But if you use, or drive for, Uber, that doesn't mean much. Theoretically, Uber can just fork your GPS data over without one.Fortunately, it looks like Uber has chosen to ask the government to provide them with a warrant in such cases. Unfortunately, Uber doesn't have a good track record with keeping sensitive data secure. The company has been hacked repeatedly. In October 2015, Uber leaked thousands of drivers' social security numbers, while there were multiple other incidents of users reporting their accounts being stolen. On top of that, Uber has, in the past, intentionally played fast and loose with their drivers' and passengers' information—sometimes for profit, and sometimes, like in the case of the "Ride of Glory" analysis, just for shits and giggles.For the average person, a warrant or a National Security Letter isn't the biggest threat to their privacy. Rather, it's private tech companies whose actions go mostly unregulated—or are even largely accepted as a legitimate part of their business model. Uber might have your back when it comes to government surveillance, but who has your back against Uber?Lorenzo Franceschi-Bicchierai contributing writing and reporting to this article.Uber Earth is Motherboard's exploration of the ways Uber has already changed the world and how it stands to do so in the future. Follow along_ here_.