In recent years, the rideshare-app company called Uber
has not led anyone to believe they would win a corporate personality contest. Their aggressive growth and shouldering
aside of municipal regulations and the charges of sexual harrassment that
ultimately led to the resignation of Uber co-founder Travis Kalanick last June
have now been followed by a revelation that Uber had a massive data breach in
October of 2016, over a year ago, and didn't make it public till last
week. Besides probably violating
state laws, this latest flap raises serious questions about the responsibility
of companies to protect consumers' data, and what companies should do when that
data is compromised.
Here is apparently what happened. A year ago last October, Uber
discovered that hackers had obtained about 57 million names, addresses, and
emails of customers who had used Uber's services. The hackers also snagged driver license numbers for
over half a million of these people.
Then they pulled a classic blackmail act: for a mere $100,000, the hackers offered to destroy the data
and keep the whole thing a secret.
Under the reign of Kalanick, Uber agreed to this deal. The company claims that they have
evidence that the data was destroyed, but one can be permitted to wonder about
something that amounts to proving a negative.
The main problem with all this skulduggery, other than
the breach itself, was the way Uber handled it. Many state laws require companies to disclose major data
breaches like this within a stated time, usually within four to six weeks of
discovery. Uber clearly didn't do
this. And even if Uber's new CEO,
Dara Khosrowshahi, had disclosed the incident upon taking up his new job in
September, instead of waiting for two months, Uber would have still been
violating these laws.
As hacks go, in terms of numbers and the kind of data
stolen, there have been worse incidents.
But still, knowing that your email and linked phone number, and maybe
your driver license number, are floating around out there in the hands of
blackmailers, is not a comforting thought. Even worse is the fact that Uber caved so fast to the blackmailers'
demands. True, not many hackers offer
to destroy the data they've stolen, but words are cheap.
What should consumers do when faced with a choice to
either (a) deal with a company that offers an attractive service at a good
price, but has a reputation for shady actions with regard to its own employees,
hackers, and the law, or (b) well, maybe there isn't another good choice,
except to try calling an old-fashioned cab and hope for the best? (Full disclosure: I have never used Uber, airbnb, or any
of those other newfangled apps that are breaking down the time-honored
traditional service industries.
There's nothing intrinsically wrong with using them, and many millions
of happy customers continue to do so.
But I have no personal experience with them myself.)
Even if a person is well aware of Uber's
less-than-stellar corporate reputation, in many cases one doesn't have a
choice: Uber has chased away most
of the competing apps (Lyft being an exception in some locations). To use anything else may require a great
deal of conscious effort and ingenuity, and in some locations and situations it
simply may not be possible at all.
There is a paradox in the fact that the digital online
world on the one hand promises an infinity of options and choices. But on the other hand, when it comes to
certain close-to-essential services such as search engines, online
transportation apps, and Internet service providers, the list of workable
choices at a given time and place is usually radically limited to a few, or
even one.
From a business point of view, this narrowing of choices
is a function of what is called the network advantage. As Ma Bell found out around 1890 when
the telephone network was experiencing rapid growth, every customer a network
company adds not only increases the company's customer base, but also makes
that same company more valuable to all of its other customers. That doesn't apply in exactly the same
way to Uber as it does to AT&T, but the principle is the same: the biggest firm in a network-intensive
business automatically has built-in advantages over everybody else, and so you usually
end up with a winner-take-most situation.
For those lucky enough to invest in the biggest company before it takes
over the whole market, it is a very attractive deal indeed. But for consumers wishing to have a meaningful
choice among a number of alternatives, the dominance of a single firm is less
than salutary.
The concept of privacy, and the related idea of
security, may simply have to keep changing as we seem to accept risks that a
few years ago would have simply been unacceptable. Even in the Middle Ages, there was no such thing as absolute
security. A man carrying a purse
of gold coins was always liable to run into some ruffians who would knock him
down and rifle through his possessions.
But one of the basic attractive features of civilization is that under
most circumstances, people can go about their daily business using services
that they need, without unduly running the risk of somebody coming along and
taking valuables from them.
Now that identity theft is so easy, it's something that
is ethically equivalent to a purse of gold coins carried by a Middle Ages
merchant. But in the wild-West
environment that is the global Internet, we have left the providing of security
largely to service firms themselves, with results such as the Uber breach that
are far from encouraging. In
breaking the law requiring timely notification, Uber became one with the
hackers, at least to the extent of ignoring the law. Unfortunately, none of its customers knew what they were up
to. And now that we know, many
people will simply shrug the incident off as one of the risks of modern digital
life.
Maybe it is, but to my mind, accepting and tolerating
such things is a step backwards in the progress of civilization.
Sources:
I referred to
reports on the Uber data breach at Gizmodo.com, posted on Nov. 24 at https://gizmodo.com/uber-s-new-ceo-was-told-about-the-companys-massive-data-1820722228,
and the Washington Post at https://www.washingtonpost.com/news/the-switch/wp/2017/11/24/uber-is-sued-over-massive-data-breach-after-paying-hackers-to-keep-quiet/. I also referred to the Wikipedia
articles on Travis Kalanick and Uber.