When taking Uber or Lyft, is your ride-sharing data buckled up?

When it comes to the sharing economy, some companies share a lot more than others.

The Electronic Frontier Foundation recently rated how well tech companies such as Airbnb, Instacart, and TaskRabbit protect customer privacy, including ride-sharing data. Most didn’t fare so well, but Uber and Lyft received five-star ratings.

Both companies limit government agencies’ ability to obtain customer data, according to the EFF report, and both issue transparency reports outlining the agency requests they receive.

“Usually, it’s companies like Verizon and Google that put out transparency reports,” says Jules Polonetsky, CEO of consumer privacy advocacy group Future of Privacy Forum. “It’s promising to see a broader range of players recognize that people care about this.”




But Uber and Lyft also collect and store a huge amount of data about their customers, says EFF staff attorney Nate Cardozo, which makes them attractive targets for government agencies, insurance companies, and hackers alike. He calls this a Field of Dreams problem.

“If you collect the data, they will come,” he says. “And if Uber or Lyft suffered a data breach, you’d expose a lot of people’s personal habits.”

So what are they collecting, and who is coming for it? Here’s a rundown.

What information do they have?

At a minimum, Uber and Lyft collect customers’ names, payment information, street and email addresses, and birth dates. They record when and where you requested a ride, where you were dropped off, and how much you paid. They store text messages you’ve exchanged with drivers, dates and times of calls with them, and the phone numbers you’ve used. If you agreed to let the app access your address book, they also have your contacts.

If you’ve used Uber for Business, Uber has additionally recorded where you work and where you’ve attended job-related events. If you’ve used UberEats to receive meals or UberRush to send flowers, it could infer what you like to eat and whom you love. And if you’ve gotten dropped off late at night and picked up from the same location the following morning, it might have inferred a bit more about your personal life. (The company deleted a March 2012 post titled “Rides of Glory” comparing this to the Walk of Shame.)

Who can access it?

Like Google, Facebook, and other companies with customer data-centric business models, Uber and Lyft require law enforcement agencies to provide them with a subpoena, court order, or search warrant before releasing location data or communications between drivers and riders. Both companies say they challenge requests they deem overbroad.

According to its 2015 transparency report, Uber received more than 600 law enforcement requests for driver or rider data last year and produced data for 85 percent of them. Lyft says it received 72 requests and complied with 96 percent of them. Uber says most of the law enforcement requests were related to investigations of credit card fraud; Lyft did not elaborate on the type of requests it received and declined to comment for this story.

Uber says it also coughed up data on more than 11 million riders and nearly 600,000 drivers in response to requests from state and local transportation agencies. And it shared data on 1.6 million riders with airport authorities. (Lyft did not reveal how many regulatory requests it received.)

These government agencies could be forced to publicly reveal this data in response to Freedom of Information Act requests, Cardozo says.

“The Uber report is a perfect example of why we think transparency reports are good,” he says. “They’re a great tool for companies to say how much data the government is seeking about users and how disturbing that is.”

Both companies also share some information with affiliates and marketing partners. Lyft’s privacy policy says it shares with advertisers, on “an anonymous and aggregated basis,” “demographic data” that includes customer usernames, birth dates, ZIP codes, search terms, browser histories, and contacts.

How long do they keep it?

Although Lyft’s privacy policy notes that it will “nullify” a rider’s account information if it receives a written request, it generally retains rider data “for an indefinite length of time.” In a letter it sent to Sen. Al Franken (D-Minn.) last year, Lyft said it needed to hold on to data even from deactivated accounts to comply with requests regarding insurance claims or law enforcement investigations.

Uber’s privacy policy is mum on the topic. A company representative said the length of time Uber holds customer data often depends on regulatory agencies’ data retention requirements but declined to get more specific.

According to an Uber spokesperson, the company plans to implement a policy of deleting account data within 90 days of a customer requesting it, unless the account is under investigation, or there are outstanding credits or debits.