"The information, truthfully, that I ever felt was safe inside of Uber is your credit card information. Because it's not stored by Uber."
--Ward Spangenberg. Former Uber security professional.
Traditional ride services like taxis have fallen in popularity due to ride services offering more convenience, instant confirmations and less expensive rates. Available cars tend to be newer and more varied. But for those of us who are privacy mined, there is a downside as location services on your phone need to be switched on. Some companies want users to login using a Facebook account and thus the car provider has access to a lot of other information about you. Credit cards are the norm so there is a huge question about those details being stored securely.
Prior to the pandemic, Uber certainly had a huge chunk of the ride-sharing market worldwide. Global revenue in 2019 was $14.1 billion with 6.9 billion rides delivered by the Uber app in that year. The sharing aspect of Uber's business however, does not extend to allowing the taxman to get his share of the profits and the Paradise Papers revealed some interesting insights about how Uber had been able to avoid tax. Like other tech companies, Uber established a network of subsidiaries in tax havens as part of its tax planning.
It also set up a business in the Netherlands back in 2013 and called it Uber International C.V. Having shifted ownership of several of its foreign businesses to this company, it reached an agreement with the Dutch business to split the profits from its intellectual property. From there, nearly all of its ride-share income would be shielded from US taxes, these being strategies also employed by Apple, Google and Facebook. Ed Kleinbard, a professor of law and business at the University of Southern California who previously served as the chief of staff of the US Congress Joint Committee on taxation said "Silicon Valley is a small place, just as there is a vibrant atmosphere for tech innovation, there is a vibrant climate for tax sharing information."
Due to its arrangements in the Netherlands, in 2014 Uber only paid 22,134 pounds in tax in the UK despite making a profit of 866,000 pounds. In 2017 the company was also able to avoid charging Value Added Tax (VAT) of 20% which its local competitors had to include in their fares. This was due to Uber exploiting a loophole in business-to-business across EU borders. An Uber spokesman denied that the company had used any loopholes and insisted it had paid:
"every penny of tax that is due".
He added that Uber was a "significant net contributor" to the economy. When pressed about not paying VAT which gave Uber an unfair advantage over its rivals, a spokesman shrugged this off by saying:
"The same rules apply to any international service provider with customers in the UK."
Margaret Hodge, a member of Britain's Labour Party, criticised Uber's practise of not paying VAT on its fees:
"It is yet another example of how large companies find loopholes and use the law for a purpose for which it was never intended. There is a failure to pay tax which should be due. That reduces the money available for public services and is unfair on Uber's competitors."
Whilst Uber can arrange its tax affairs nicely, the company can't get its house in order when it comes to regulating their drivers. In London in 2019 it was discovered that the driver registration system used by Uber could be easily deceived. This allowed customers to take over 14,000 rides with unregistered drivers, with someone other than the booked driver picking up the passenger. Transport for London (TfL) said in a statement it had identified a "pattern of failures" by Uber, including several breaches which placed passengers and their safety at risk:
"Despite addressing some of the issues, TfL does not have confidence that similar issues will not occur in the future, which has led it to conclude that the company is not fit and proper at this time."
Uber were subsequently stripped of their license but appealed the decision. The issues referred to by TfL included one driver whose license had been revoked and another who had been cautioned for distributing indecent images of children.
In 2019 Uber drivers in the UK had to instigate legal action against the company in order to get their trip ratings, the time spent logged onto the platform and their GPS data. Under the EU's General Data Protection Regulation (GDPR) legislation individuals have the right to access personal data held by any company -- even their employer. Drivers claimed that Uber repeatedly failed to provide them with the information. James Farrar, a driver leading the case said:
"I can only calculate the hourly pay that they want me to. They've given me trip information that includes start to finish location points, fares and duration for individual journeys, but providing all of my GPS data and log on and off times would allow me to calculate my hourly pay."
Whilst they ignore the rules and keep a tight rein on their employees' data, Uber allowed the personal information of around 57 million of its customers to be exposed in a massive global breach. Worse still, the company failed to disclose the breach leading Chris Hoofnagle of the Berkeley Center of Law and Technology to describe it as "amateur hour". He clarified that:
"The only way one can have direct liability under security breach notification statutes is to not give notice. Thus it makes little sense to cover up a breach."
But trying to cover up the attack further compounded the stupidity as a former Uber executive has just been charged with arranging to pay $100,000 to the hackers who were responsible. Joe Sullivan was charged with obstructing justice and concealing a felony for the alleged cover-up. Sullivan "engaged in a scheme to withhold and conceal" the breach from regulators and failed to report it to law enforcement or the public, according to a complaint filed in the federal court in California. According to the complaint, Uber's CEO at the time, Travis Kalanick, knew about the incident and about the steps Sullivan took to allegedly cover it up, including making the $100,000 payout under Uber's "bug bounty" program.
U.S. Attorney David Anderson said in a news release that:
"Silicon Valley is not the Wild West. We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigators. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments."
When it comes to customers' data, Uber really plays fast and loose due to insufficient security being involved. A story in Reveal has highlighted that trip information giving details of where and when each customer traveled was freely accessible to thousand of employees. This could lead to blackmail due to some trips appearing to be overnight trysts and having access to this data could allow governments and criminals to spy on politicians.
Claire Gartland of the Electronic Privacy Information Center said that:
"The idea that Uber is so cavalierly taking very little responsibility for protecting your information should be concerning to everyone."
Former Uber employee and forensic investigator Ward Spangenberg says Uber's policies ultimately don't prevnt employees from getting and missusing the private information.
Take care out there!
The Privacy Advocate