Franken's letter to entrepreneur Travis Kalanick comes the same week that a journalist for BuzzFeed reported that her whereabouts were tracked by a company employee. The journalist said she took an Uber car to the the company's New York office, only to learn upon arrival that her whereabouts were monitored while she was en route.
The lawmaker has asked Kalanick to specify which employees have access to “God view,” why they're allowed to see that information, and what steps the company is taking to limit access.
Franken also is asking the company why it appears to indefinitely retain information about customers, including their geolocation data and usage history.
“What limits are you considering imposing?” Franken asks. “In particular, when an account is terminated, why isn’t this information deleted as soon as pending charges or other transactional disputes are resolved?”
This week marks at least the second time Uber has been accused of tracking passengers without their permission. Three years ago, entrepreneur Peter Sims blogged that the company disclosed his whereabouts to a roomful of party guests in Chicago.
He said that was heading to Penn Station, in an Uber vehicle, when he began receiving text messages from a partygoer who appeared to know his exact location. “The party featured a screen that showed where in NYC certain 'known people' (whatever that means) were currently riding in Uber cabs,” he wrote. “After learning this, I expressed my outrage to her that the company would use my information and identity to promote its services without my permission. She told me to calm down, and that it was all a 'cool' event.”
Franken is requesting answers by Dec. 15.
Uber could face more than just questioning from Capitol Hill. The company also could be hauled into court for allegedly violating California's privacy law, according to attorney and privacy expert Jay Edelson.
“Silicon Valley companies have a much different sensibility when it comes to the use of private information,” says Edelson, who has brought privacy lawsuits against Facebook, Netflix and other companies. “That being said, Uber is displaying a degree of recklessness that is unusual even amongst technology companies. The idea that customer data can be used ... as a party trick is an incredibly frightening concept.”
The California Privacy Act includes a 1990 provision that prohibits ride-sharing companies from disclosing personal information about people without their written consent. Edelson recently sued Uber competitor Lyft, along with Enterprise Holdings, for allegedly violating that law by transmitting some users' personal information to the analytics business Mixpanel.
California's privacy law provides for damages of $5,000 per violation, and also leaves open the possibility of criminal charges.
That law has a 1-year statute of limitations, so Sims' allegations apparently couldn't be used as the basis for charges. But if more recent allegations surface, Uber could be vulnerable to liability.
Also, the car service company could still face civil lawsuits for violating previous privacy policies, which Edelson says restricted the company's ability to share passengers' geo-location data with third parties. “The damages would likely be small. However, it would allow the litigant to get discovery into how widespread this conduct was,” he says.
Uber didn't respond to a request for comment for this article.