AL FRANKEN
MINNESOTA
202-224-5641

United States Senate
WASHINGTON, DC 20510-2309

January 27, 2015

Mr. Travis Kalanick
Chief Executive Officer
Uber Technologies, Inc.
1455 Market Street
San Francisco, CA 94103

Dear Mr. Kalanick:

I believe Americans have a fundamental right to privacy, which includes the right to know who is getting access to their personal geolocation information and the ability to control with whom that information is being shared. At the end of last year, I wrote to you asking you to explain the scope, transparency, and enforceability of Uber's privacy policies. I appreciate that Uber responded and has expressed its commitment to improving its data privacy and protection policies and practices. However, while I'm pleased that I received a reply, I was -- and still am -- concerned about the lack of detail in the response.

After carefully reviewing your response of December 15, I have identified several key areas where I continue to have significant questions and concerns. I would respectfully ask that you respond to these points:

1. You have indicated that employees are permitted access to and use of consumer records for only a "limited set of legitimate business purposes." Your December 15 letter did not identify that "limited set" nor point to a place in your privacy policy that addresses internal use generally. With regard to the God View tool specifically, the letter explains that it is "essential to Uber's operations teams," and is now available to "employees working in operations or other areas, like fraud prevention, where it is necessary to have a real-time view of trips." I would like to understand for whom it is necessary to have a real-time view of trips and why. In which "other areas, like fraud prevention," is real-time access considered necessary? Who within the company makes the determination of necessity? What portion of your staff has access to the God View tool?

Who in the company has access to customer records more generally -- not limited to the real-time God View tool, but including historical trip data? What process does Uber use to determine which employees should have access to customer records?

2. In my original inquiry, I asked you to explain the terms of Uber's published Privacy Policy relating to the sharing of information internally or with third parties. For example, your Policy states that personally identifiable customer data may be shared with the company's "parent, subsidiaries and affiliates for internal reasons." I asked you to explain how you determine what constitutes legitimate "internal reasons" and why these standards aren't shared with customers. Similarly, I asked you to address the meaning of "business purposes," which your Policy states may justify sharing of non-personally identifiable information with third parties. I did not find responses to these inquiries in your December 15 letter, and I am hoping you will turn your attention to them at this time. Likewise, I do not believe any response was given to my questions about the ability of customers to opt-in or opt-out of information sharing with third parties. Do customers have any ability to control with whom their data are shared?

3. Uber's data retention policies also continue to raise important questions. My letter in November inquired about Uber's indefinite retention of customers' personal information and usage information. In particular, I queried: "when an account is terminated, why isn't this information deleted as soon as pending charges or other transactional disputes are resolved?" Your letter responded by stating that "a rider cancels his or her account, the records will be retained until the account is settled and there is no longer a business need to retain them." I remain interested in understanding what, in your view, constitutes a legitimate "business need" after a cancelled account is fully settled. Please clarify your approach to data retention, including data for settled, cancelled accounts.

4. Your spokesperson has stated that the company provides privacy training to its employees, and engages in monitoring and auditing of its systems. My earlier letter requested further information, which was not forthcoming. I remain interested in understanding what action Uber is taking in this regard. How is monitoring conducted? How frequently are audits completed? Are customers informed if their information is inappropriately accessed?

I would appreciate responses to these questions by February 11, 2015. Thank you for your attention to this matter, and please do not hesitate to contact me, or Samantha Chaifetz on my staff, at (202) 224-5641.

Sincerely,

Al Franken
United States Senator