The news is out that Uber got fined by the New York Attorney General's office for data breaches and privacy concerns. The headline writer for ZDNet nailed this one: "Uber fined peanuts in God View surveillance" (link). And the sub-lead has the kicker: "For a company with a valuation of over $50 billion, a $20,000 fine over user data protection is laughable."
This settlement tells us one of the following (or both) is not serious: the NYAG's attitude toward protecting consumer data privacy, or the valuation of the so-called unicorn.
But let's review the events that got Uber in trouble, and what it says about the state of ethics in data science.
As any Uber user knows, the service runs on an app, which means that the company has data tracking every Uber ride you took. Many users are fine with having such data collected and compiled by Uber, probably with the understanding that such data would not be used for purposes contrary to the consumer interest. Because the app runs on the smartphone, and payment is via credit cards, Uber certainly knows your identity, and also any additional information you provide on your profile. (Such data don't need to be merged with your travel logs but they almost surely will be merged by data scientists.)
At Uber offices, they are apparently very proud of a data visualization tool called God View. This is an aerial view of where all the Uber cars are, and where the Uber riders are.
There is a legitimate use of such a tool for managing the supply and demand of Uber cars, and for routing of cars.
Then the story gets muddier. Ethical issues often arise not because someone deliberately did something bad, but that something with a legitimate purpose is used, perhaps by other people, for more dubious purposes.
In November 2014, a Buzzfeed News reporter hired a Uber car to go meet with the GM of Uber NYC, Josh Mohrer. Upon arriving, Mohrer held out his iPhone, and remarked: "There you are, I was tracking you."
The underlying data processing technology is the same but two important distinctions must be made between God View and Mohrer's view.
First, for operations management, there is absolutely no need to use or even record any customer information--it doesn't matter whether it is John or Jane who is waiting for a Uber car at the corner of 14th and Madison; it only matters that John or Jane is one of 15 people all looking for rides within a two-block radius. But when Mohrer tracked the reporter, he was looking for a specific person, and this incident reveals that the travel log data are not anonymized.
Second, it is one thing for Uber to use the data internally for legitimate business reasons, such as managing supply and demand; it is a different thing to assess a customer's travel log, especially without first asking for that person's permission. The fact that a third party is able to do this without permission is quite disturbing. There are not many consumer-friendly use cases I can think of that requires looking up someone's past Uber rides.
Even before the Buzzfeed controversy, Peter Sims, a venture capitalist, already filed a similar complaint. Here's what he had to put up with. He was in a Uber car in New York City when an industry acquaintance, whom he "barely know," texted him from Chicago, and proceeded to trace his whereabouts during the trip.
It turned out that Uber was holding a gathering in Chicago in which someone was using Sims to demonstrate the power of Uber's data.
The informat remarkably showed no understanding of the privacy intrusion. She said the Uber Chicago event was "cool" and that Sims should be honored to have been selected for the demo.
Just think for a second, in his line of business, Sims could have been going to a meeting to strike an important business deal, which, for both financial and legal reasons, has to remain private until it is announced publicly.
One of the most concerning aspects of the massive data collection is the fact that once we allow data to be collected and stored in the "cloud" or corporate servers, we lose control of our own data. The idea that corporations are benevolent do not, and will not, stand the test of time.
And now I come to the juiciest part of this Uber story, what really got the NYAG involved. A Buzzfeed reporter was invited to a meeting between Uber SVP Emil Michael, and "an influential New York crowd."
During this meeting, Michael suggested that Uber would spend "a million dollars" to hire four top "opposition researchers" and four journalists in order to "help Uber fight against the press."
Specifically Michael was unhappy with Sarah Lacy, who was a website editor critical of Uber. Michael claimed that Uber's team "could prove a particular and very specific claim about her personal life."
People at the meeting suggested that such a move might present publicity problems, to which Michael said, "Nobody would know it was us."
After the Buzzfeed report, Michael and Uber's PR team now said that he made a mistake, and that the company "does not do oppo research of any sort on journalists" and "has never considered doing it".
Regardless of whether they have done it, it is clear that the data are available to dirt-diggers.
Uber also protested that the meeting was a "private dinner" and remarks were supposed to be "off the record." I am not sure how to interpret this. Are they saying it would be okay to carry out that plan so long as no one knows about it?
Look, these are not simple issues, and Uber is not an outlier. The answers to these questions go to the values of our society, and involve complicated trade-offs between conflicting goals. In particular, there are many things that corporations say they will not do which are well within their capability of doing. Unfortunately, in this case, the NYAG is setting a precedent that even when a company is found to have done something improper, it gets a light slap on the wrist.