Sen. Al Franken questions Uber, Lyft over privacy (Q&A)

Among the many problems Uber is facing, one of the biggest is its take on privacy, and the US Congress wants to find out exactly how the ride-sharing service handles its customers' personal information.

After a couple of Uber executives alluded to tracking users with the service's geolocation data last month, many began to question the company's privacy standards. Among them: Sen. Al Franken.

The Minnesota senator wrote a letter to Uber CEO Travis Kalanick last month asking the rides-on-demand company to outline its data collection practices and privacy policy. A couple of weeks later, he wrote a similar letter to Uber's primary competitor, Lyft. Both companies let would-be riders connect with drivers via a smartphone app.

The rub is that the apps track riders' pick-up and drop-off locations. And that's what Franken's concerned about. He wants to know how the companies use this geolocation data.

Franken is the chairman of the Senate Judiciary Subcommittee on Privacy, Technology and the Law and a vocal watchdog of consumers' privacy rights. In 2011, he went after Apple and Google, urging them to explicitly detail their apps' privacy policies so users could better understand what type of personal information was being collected.

The whole debacle that prompted Franken to contact Kalanick began in November when BuzzFeed reported that Uber executive Emil Michael said he would like to spend $1 million to "dig up dirt on its critics in the media." At the same time, another BuzzFeed journalist reported that Uber's New York general manager used a feature the company calls "God View" to track her without her knowledge.

Uber responded by updating its data privacy policy, which prohibits "all employees at every level from accessing a rider or driver's data." Uber spokeswoman Nairi Hourdajian wrote in a November blog post that the only exception was for "a limited set of legitimate business purposes," such as monitoring accounts for fraudulent activity.

Among several other questions he addresses in his letters, Franken asks Uber and Lyft to clarify these "limited set of legitimate business purposes." The deadline for Uber to respond to Franken is Monday. When contacted by CNET, Uber didn't respond to request for comment.

Updated, December 16 at 10:20 a.m. PT: Uber responded to Senator Al Franken's letter by the December 15 deadline. In a letter signed by Katherine M. Tassi, the company's managing counsel for privacy, the ride-sharing service detailed its privacy policy and said it has a "strong culture of protecting rider information." In a statement responding to Tassi's letter, Franken said, "While I'm pleased that they replied to my letter, I am concerned about the surprising lack of detail in their response. Quite frankly, they did not answer many of the questions I posed directly to them. Most importantly, it still remains unclear how Uber defines legitimate business purposes for accessing, retaining, and sharing customer data. I will continue pressing for answers to these questions."

Lyft has until the end of December to respond.

"We share Senator Franken's dedication to keeping consumers and their information safe," a Lyft spokeswoman said in an emailed statement, adding that the company plans to respond by the deadline. "The respect and rights of our users are at our core as a company, and we look forward to discussing this important issue and Lyft's commitment to consumer privacy in depth."

CNET News spoke with Franken about his concerns. The following is an edited transcript of the conversation.

Q: What initially prompted you to question Uber's data collection practices and privacy policies?
Franken: As you know, there were a couple of high-profile incidents. In one case an executive from Uber suggested he might intimidate journalists to not do negative reporting on Uber by using their location data. It was unclear whether he was just a guy who had a bad day or if it reflected Uber's approach to their data. Then there was another incident with Uber where an executive told a reporter he had been tracking her that day. Those raised a lot of questions. I think it's fair to say that Uber hadn't given enough thought to their privacy policy and culture.

I believe Americans have the fundamental right to privacy and that right includes the ability to control who's getting your personal location information and who it's shared with. Obviously Uber and Lyft get your location information and I think they have a responsibility to have a policy in place that protects people's privacy.

In your letter to Uber, you asked if there was any disciplinary action taken as a result of Emil Michael's statements, what do you think would be an appropriate disciplinary action for him?
Franken: I don't know, I just wanted to know if they had. We've heard they took some disciplinary action with the other executive but I'm not sure what that was. I don't have a real strong idea about what should be the appropriate action, but I think you'd have to do something.

You wrote Uber first -- in the context of these circumstances and incidents -- why did you choose to contact Lyft too?
Franken: They're in the same space of ride-sharing and I wanted to see what their policy was. I believe they had a similar thing with an executive and a journalist that also came to light.

Have you heard back from either of the companies?
Franken: We've heard from Uber that they will respond by Monday. We have no reason to believe they won't. We've also heard that they are consulting some experts in this field, which we think is a good idea. Maybe it's something they probably should have done before. Maybe [the letter] just had a good effect on them and maybe it made them realize they hadn't spent enough time thinking about this.

You mention that users' location data can be misused, what examples of misuse can you give?
Franken: The worst kind of misuse are stalking apps. When I first started looking into geolocation I was a newly appointed chairman of the Subcommittee on Privacy, Technology, and the Law. It's the subcommittee I helped create to really look at how technology was evolving and how that related to privacy. The way I like to talk about it is that the founding fathers did not foresee the telephone. At some point, somebody had to decide whether a phone tap was in violation of the fourth amendment. And they said, "yes it is, you have to get a warrant." And now, with geolocation information, we saw a Supreme Court decision on whether police need warrants to put a tracking device on someone's car -- and they do.

On stalking apps, some of the first testimony I got on geolocation information came from the Minnesota Coalition for Battered Women. One of the pieces of testimony was quite chilling. It was about a woman who was in an abusive relationship in northern Minnesota. She went to a county building to go to the domestic violence center there and after about five minutes she got a text from her abusive partner saying, "why are you there?" That scared her. They took her to the courthouse to get a restraining order against the guy. Not long after that, she got a text from him that said, "why did you go there, was it to get a restraining order against me?" She didn't know it, but he had a stalking app. These are apps that actually advertise themselves as, "Suspect your partner is cheating on you? Slip this on her phone and you can track her wherever she goes." It's actually a very dangerous thing and it's proliferating because of the use of smartphones. I'm writing a piece of legislation that includes making the manufacturing and advertising of these things illegal.

How does that relate to how geolocation data can be misused by ride-sharing companies?
Franken: Again, this is all very private information. It gets where you go to the doctor, what you do on the weekends. This is very private stuff and I think people have the right to determine whether that information is taken, whether it's stored and whether it's shared. There are scenarios that you can come up with where that can intersect with the issue of stalking apps. I'm asking, "Do the employees of the company look at this stuff?"

In your letter you mention that Uber maintains users' information after they've terminated their accounts, why is that a concern in your opinion?
Franken: People may have terminated their accounts for various reasons. For some, it may be that they don't like the way they've experienced their information used. OnStar, at one point, had talked about how after discontinuing their service they continued to track your location information. I don't think that companies should do that. I wrote them a letter [asking them not to do that] and they said "OK, we won't."

Do you think what Uber and Lyft are doing is different from what other tech companies are doing, like Facebook or Foursquare, as far as location tracking?
Franken: It depends on the company. Most companies tend to have a privacy policy and they aren't going around telling reporters, "I'm going to track you."

Ideally, what would you like these ride-sharing companies to do concerning their data collection and privacy policies?
Franken: I would like them to have a policy that is clearer. If you say, "We're only going to look at this for business reasons," what are the business reasons? In other words, have a defined privacy policy that is clear and makes sense and that the company and its employees know about. There's very good reasons for them to analyze their data and to make their service more efficient and there's perfectly legitimate uses of this data. But, because there are, you have to have very clear, defined limits.

Updated, December 16 at 10:20 a.m. PT with information about Uber's response to Franken's letter.