Uber processed 415 data requests on its riders and drivers from US law enforcement agencies in the last six months of 2015, according to the ride-hail company's first-ever transparency report released Tuesday. Most, if not all, of those requests pertained to criminal investigations, such as cases of fraud, theft, or assault. Uber received 309 requests for rider information and 205 for drivers. The company says it "fully complied" with almost 32 percent of those requests, "partially complied" with over 52 percent, and either came up with no information or the request was withdrawn by law enforcement with 15 percent.
Uber was subpoenaed for its data 267 times
Uber's first transparency report — which also details its interactions with other government agencies like airports, taxi commissions, and public utility regulators — is a perfect illustration of the ride-hail company's pugnacious reputation. No appeal is met without some pushback. Uber lists the number of requests it receives, its compliance rate, and how many drivers and riders are affected by each data request. In some cases, Uber was able to aggregate the data and scrub it of any personalized information, and therefore lists the number of affected riders and drivers as zero. Other times, Uber was able to successfully narrow down the amount of data it is being forced to hand over. But most of the time, it is powerless to resist the long arm of the law.
How was Uber receiving these requests from law enforcement? Uber was subpoenaed for its data 267 times between July and December 2015, 138 times for driver data and 312 times for rider data. In over 82 percent of those cases, some data was produced. It also received 90 search warrants, 30 emergency requests, and 28 court orders. Some data was handed over in at least 80 percent in each of those categories. Also, the majority of these inquiries came from state law enforcement agencies: 368 state requests versus just 47 federal requests. This is a reflection of the nature of Uber's business: a for-hire vehicle service that operates primarily in cities and rarely rises to the level of federal inquiry.
Unsurprisingly, Uber reported receiving no National Security Letters or FISA court orders, which is an indication that most investigations involving Uber do not involve national security or foreign intelligence. Contrast that to Google, which regularly receives both types of requests.
No National Security Letters or FISA court requests
The report is the latest evidence that Uber, with its 3 million rides a day in 66 countries and its $62.5 billion valuation, sees itself on par with Silicon Valley's heaviest hitters, like Facebook and Amazon. Starting with Google almost a decade ago, the world's biggest tech firms regularly release transparency reports detailing their interactions with law enforcement agencies. And with the release of its first report, Uber says it is going a step further by releasing requests from both airports and regulatory agencies in addition to law enforcement interactions. This is because unlike Google and Facebook, Uber is primarily a transportation company, and therefore deals with government agencies both big and small, from port officials to taxi commissions to utility regulators.
in most cases, Uber pushed back against the agencies requesting the data
Uber says it received 33 data requests from regulatory agencies in the last six months of last year. This includes inquiries from agencies like the California Public Utilities Commission (which is weighing some new rules for Uber this month) to the New Orleans Department of Safety and Permits. These requests run the gamut from broad, such as trip volume during a particular period of time, to specific, such as GPS coordinates for pick-ups and drop-offs. Uber responded "as required" to just 21 percent of those requests. But in most cases, Uber pushed back against the agencies requesting the data. It was successful in turning over less information in 42 percent of those cases, and unsuccessful in 37 percent of them.
Since this is Uber we're talking about, there is also a healthy dose of chest-puffing throughout the report. The ride-hail company wants you to know that it isn't tripping over itself to respond to these requests. In fact, it often fights against them, which it says reflects its commitment to protecting the security of its riders and drivers. Traditional taxi companies could be seen as having a leg up here, at least among privacy advocates, since there's nothing to subpoena when you hail a cab and pay cash. This explains why Uber is making a big deal about fighting these requests.
"Of course regulators will always need some amount of data to be effective, just like law enforcement," the company says in a blog post accompanying the report. "But in many cases they send blanket requests without explaining why the information is needed, or how it will be used. And while this kind of trip data doesn't include personal information, it can reveal patterns of behavior—and is more than regulators need to do their jobs. It's why Uber frequently tries to narrow the scope of these demands, though our efforts are typically rebuffed."
"though our efforts are typically rebuffed"
The recent dustup between Apple and the FBI over access to the San Bernardino shooter's iPhone shone a spotlight on interactions between government agencies and the consumer tech industry. Also the recent incident of an Uber driver who went on a killing rampage while driving for the ride-hail service in Kalamazoo, Michigan, brought a lot of unwanted attention on Uber's security and driver screening measures. And there was a report by BuzzFeed, which published leaked screenshots from Uber's customer service portal that showed over 11,000 reports of "rape" and "sexual assault" in a 33-month period. (Uber strongly contested those figures.)
Uber's report is important to better understand how tech companies interact with government and law enforcement agencies, said GS Hans, policy counsel and director of the Center for Democracy and Transparency in San Francisco. "I think there's always room to improve," Hans said. "For me this is a useful first draft."
Other experts were more concerned by the numbers contained in the report. "There seems to be much more sharing of personal data for a less important purpose, which raises privacy flags for me," said Jim Harper, senior fellow at the libertarian Cato Institute. (Uber CEO Travis Kalanick is an avowed Randian.) "Are public utility commissions going to be able to secure all this potentially sensitive personal data? Are they going to refuse access to other government departments or hand it over willy-nilly?"