Guard rails for regulatory data requests

Posted by Betsy Masiello, Director of Policy and Communications

We’ve written previously about how smartphone apps like Uber benefit riders, drivers and the cities they live in. That’s why more than 70 states and cities around the U.S. have passed new ridesharing regulations in the last two years. Other jurisdictions around the world — from the Philippines to Mexico — have followed suit. The goal of these regulations is to protect consumers and ensure public safety, through things like licensing and insurance requirements.

Uber is a technology company, but it’s something of a new breed. Unlike searches on Google or chats on Facebook, trips on the Uber platform happen in the real world. That means in many places we’re regulated by transportation authorities or public utilities commissions (PUCs) that have historically regulated taxis.

These regulations typically require that we provide certain datasets to regulators. Unlike the companies these regulators typically oversee, every Uber ride is GPS-enabled and recorded for convenience and safety — so we have more data than most.

Of course, regulators need data to do their jobs. And cities could use this kind of data to help improve transportation, logistics and urban planning. In both cases, Uber is committed to ensuring that cities and regulators have the opportunity to get data that is both necessary and useful.

In return, we want regulators to consider issues like business and personal confidentiality. In his recent paper “Data in the On-Demand Economy,” Gautam Hans of the Center for Democracy and Technology writes that today regulators often aren’t taking such issues into account.

Hans makes some interesting recommendations on how companies like us can provide regulators with the data they need while also protecting sensitive information:

Clearly specify what the data is used for and limit requests

Regulators will always need some of our data to make sure that we are compliant with local regulations, but in many cases we’ve been asked for pretty much everything we’ve got, like the starting and ending point and cost of every Uber trip in their jurisdiction.

This type of information — which amounts to our competitive advantage — wouldn’t be required of a traditional tech company trying to get ahead. It’d be like asking Netflix to hand over information on who’s watching what. And moreover, as Hans implies, a clever analyst could use travel patterns to identify where individuals are going and track their movements.

One solution to this is to limit the scope of data requests. Often requests for can be narrowed or aggregated in order to protect our competitive interests and our users’ confidentiality. As Hans describes:

“A [regulator] that seeks to collect data needs to carefully determine what data categories are necessary for the intended purpose of the proposal, and what categories are not relevant. For example, in the context of ridesharing in order to research usage patterns, it may be relevant to collect information on the number of trips originating in a particular ZIP code. However, there isn’t a need for information on individual trips, as aggregated data would be sufficient for the intended purpose.”

Establish clear guidelines on confidentiality

Regulators are typically required to make any data they have public, for instance through freedom of information laws. Often what we share becomes public, occasionally without proper legal process. We therefore have to consider the possibility that anything we share outside our company will potentially become available to everybody through a FOIA request. This is not ideal. For example, while some legitimate regulations might require access to details on total fares in a city, this type of sensitive financial information is something that any privately held company would not want made public. So as Hans notes, governments need to implement programs designed to protect consumers when the public exercises its right to know.

Give special consideration to sensitive data types

Some data, like geospatial data and rider and driver profile information, should not be treated like other data. According to Hans, “Providing unredacted sensitive financial, location, residential, or demographic data to governmental agencies should not be the default. If legislative or regulatory proposals mandate transmission of this data, companies should work to remove or limit the scope of such proposals.” Uber has always worked to anonymize or aggregate any of these data types when sharing them with regulators, and will work with regulators to encourage them to default to this method as well.

It is our hope that, through working together with regulators, policymakers, and industry experts like Hans, we can establish a new set of regulatory principles that both satisfy regulatory goals and preserve trade secrets and protect information about our riders and drivers.

Editor’s note (April 2017): Since our initial publication in April 2016, we’ve updated our Transparency Report with half-yearly data to make sure riders can know the extent of our regulatory data reporting and law enforcement requirements in the U.S., and more recently, Canada. Uber works with city, state, and provincial officials to make sure that data requests follow the recommendations outlined above. Uber maintains guidelines that define the process for law enforcement authorities to obtain information from Uber in accordance with our terms, policies, and applicable law, and any efforts to use regulatory reports, or publicly available Uber tools, for purposes of rider surveillance are inconsistent with these guidelines.