It shouldn’t come as a complete surprise to Uber users that the company has access to its customers’ location. After all, that’s how the immensely popular app locates passengers and gets them where they want to go. But users have a certain amount of trust in Uber that the company won’t misuse customer data—a trust that is quickly eroding, following a Buzzfeed report that Uber tracked a journalist’s location without her knowledge.
But what, exactly, do those “legitimate business purposes” entail, and what are the criteria for determining a violation? As it turns out, that clause leaves Uber with a lot of wiggle room, with the company citing just a few examples, like “facilitating payment transactions for drivers,” rather than a more exhaustive list of permissible uses that might actually allow for enforcement of a strict policy that would protect customers’ privacy.
In the past, Uber has drawn criticism for allegedly using “God View,” a tool that allows Uber to see where their users and drivers are in real time, to entertain attendees at launches in new cities. They have also used geolocation and time stamp information as a way to ascertain patterns concerning their passengers’ sex lives, although individual users in this case remained anonymous.
Incidents like these were apparently not out of line with Uber’s existing policy from July 2013, which is still posted. Monday’s blog post does little to reassure users that similar actions in the future will be punished.
Finally, as Jeff Roberts at Gigaom points out, Uber maintains your personal data and travel history even after you delete your account (which is itself not an easy feat). According to the 2013 policy, “Even after your account is terminated, we will retain your Personal Information and Usage Information (including geolocation, trip history, credit card information and transaction history).” So yes, if for some reason Uber wanted to track you, it likely could, with ease… even if you no longer use the service.
Of course, Uber’s business model depends on access to its users’ information. It is understandable that the company doesn’t want to pen itself in with restrictive language. However, without further legal remedies, Monday’s blog post does not give the impression that it is anything but an attempt to sidestep a PR disaster.