Uber Technologies will pay $148 million (roughly Rs. 1,000 crores) for failing to disclose a massive data breach in 2016, marking a costly resolution to one of the biggest embarrassments and legal tangles the ride-hailing company has suffered.
The settlement with 50 US states and Washington, DC brings closure to one of several high-stakes legal battles Uber is seeking to resolve before an initial public offering next year, while also delivering a national rebuke against Uber’s history of flouting laws and basic business ethics.
The amount is the largest among attorneys general settlements in privacy cases. By comparison, the multi-state settlement with Target Corp in 2017, over a breach in which 41 million people had their data stolen, was $18.5 million (roughly Rs. 134 crores).
The settlement follows a 10-month investigation into a data breach that exposed personal data from 57 million Uber accounts, including 600,000 driver’s licence numbers. Uber’s new Chief Executive Dara Khosrowshahi disclosed the breach in November, more than a year after the company was hacked under the previous CEO. Khosrowshahi has said the incident should have been disclosed to regulators at the time it was discovered in 2016.
The cover-up, widely seen by states as violating data breach reporting and data security laws, drew the ire of authorities across the United States and also in the United Kingdom, Australia and the Philippines. About half of the data breach victims lived in the United States.
The settlement terms include changes to Uber’s business practices aimed at preventing future breaches and reforming its corporate culture. Uber will be required to report any data security incidents to states on a quarterly basis for the next two years, and implement a comprehensive information security programme overseen by an executive officer who advises executive staff and Uber’s board of directors.
“We know that earning the trust of our customers and the regulators we work with globally is no easy feat,” said Uber Chief Legal Officer Tony West. “We’ll continue to invest in protections to keep our customers and their data safe and secure, and we’re committed to maintaining a constructive and collaborative relationship with governments around the world.”
In November 2016, Uber paid the hackers – who included a 20-year-old Florida man and a hacker in Canada – $100,000 to destroy the stolen data, using its “bug bounty” programme, which is designed to reward security researchers who report flaws in a company’s software. Uber then chose not to report the matter to victims or authorities.
“Uber’s decision to cover up this breach was a blatant violation of the public’s trust,” said California Attorney General Xavier Becerra. “Consistent with its corporate culture at the time, Uber swept the breach under the rug in deliberate disregard of the law.”
California, one of lead states in the settlement effort, will keep $26 million, to be split between the state Attorney General’s Office and the San Francisco District Attorney’s Office, a spokeswoman for Becerra’s office said.
Khosrowshahi fired two of Uber’s top security officials when he announced the breach, and other members of that team have since departed. The company recently hired a chief privacy officer and chief security officer.
It still faces lawsuits from riders, drivers and the cities of Chicago and Los Angeles over the data breach.
The pervasive adoption of mobile devices has driven an explosion of contextual user information, including geolocation data, which has become a valuable resource for marketers. However, a lack of technical skill sets among marketers has made it difficult for them to use this data (when they have access to it) effectively. Plus, changing regulations mean it’s more important than ever for marketers to understand what data they have access to and how to properly leverage it.
Currently, most brands, agencies, website publishers, and other marketing entities use location data to engage in a variety of marketing applications, such as proximity marketing, among shoppers with the brand’s app. Many retailers and proximity marketers have deployed beacons inside stores that have resulted in up to a 15% lift in retail foot traffic and a 73% increase in the likelihood of purchase among shoppers. Beacons are battery-powered wireless sensors installed in retail stores or event venues that detect nearby consumers who have opted in to alerts through Bluetooth or other technologies and that relay information to consumers’ mobile devices. For example, a store like Macy’s can build its presence on a beacon platform that can be downloaded by shoppers as a mobile app. After that, each time shoppers with the app enter a beacon-enabled store, they can receive promotional messages or deals on their device about products in the aisles they are browsing.
Brands also use geo-fencing, or creating a zone around a business for advertisement targeting, in different locations for targeted promotional offers on mobile devices (via any digital platform the firm as access to, such as social media, email, or text). For example, Whole Foods developed geo-fences around its stores, as well as its competitors’ stores, to target relevant audiences and achieved a post-click conversion rate that was three times higher than the national average.
Some brands are using location data for improved attribution analysis to assess marketing effectiveness. This entails identifying whether exposure to a certain promotion, ad, or specific touchpoint (such as a sales encounter) for a demographic can generate future sales. For example, Placed is a firm that provides in-store attribution analysis representing consumer visits to physical store locations. It measures both promotional tactics and audience characteristics of targeted audiences who have opted in. It uses customer location data to ascertain which promotions work, and for whom.
With the right guidelines in place, there’s a much greater potential for geolocation data that remains untapped. We propose combining geolocation data with social media data to create what we call vigilant marketing intelligence (VMI), a conceptual framework based on our prior academic research and observations. VMI can help firms to better use location-based social media posts for enhanced data-driven marketing.
What Is Vigilant Marketing Intelligence?
Broadly, the rising gap between new customer acquisition costs and retention costs for existing customers necessitates continuous vigilance of consumers’ purchase journeys and their satisfaction from the same. In some specialized industries, such as pharmaceuticals, monitoring consumer behavior can be a legally mandated part of post-purchase experiences, with the ultimate goal of vigilance for brand and consumer safety (such as tracking adverse drug reactions). While brands do attempt to forecast customer-related outcomes based on social media posts, the availability of location-based social media data further enhances the predictive power of future unfavorable outcomes, including customer dissatisfaction, brand switching, and churn. When such vigilant intelligence is operationalized, it can help improve customer relationships, retain customers, and expand customer lifetime value.
VMI creates a framework that integrates incident reporting data from social media posts with geolocation data of the report —that is, the physical location that the post is emanating from. For example, this happens when a consumer checks in with an app, such as Foursquare, at a location, such as a store or a restaurant, and then also tweets about what is happening in terms of an experience, incident, or service encounter. While the term “incident reporting” is frequently used in media and journalism, for marketers, a close parallel is customers’ interactions with brands, which can indicate important incidents or events, also referred to as touchpoints, micromoments, or “moments of truth.”
Many companies already monitor social media networks for posts from customers. However, adding location data for monitoring consumer behavior makes the firm’s responses more actionable in the short run and adds value in the long run. For example, tracking activity on a platform like Foursquare not only can inform a brand when customers visit specific stores and complain about wait times or products being out of stock but also presents a firm with an opportunity to respond (digitally or physically) while the customer is still inside the store. The company can then open a new counter or activate an inventory transfer between stores. Additionally, in the long run, a customer’s presence in nearby businesses or establishments can help brands cross-promote their own products and services. Knowing that a loyal customer of TGI Fridays checked in at a movie theater next door can initiate special offers to attract them to the restaurant. This can help increase short-term sales as well as build long-term brand loyalty.
Mapping adds a new layer to this type of monitoring. Several African and Asian countries have used Ushahidi’s crowd mapping technology for crisis monitoring during natural disasters, post-electoral violence, and other crises. Researchers have designed early warning systems at London’s Heathrow and Gatwick airports to estimate flight disruptions, delays, and breakdowns by harvesting complaints from location-based social media. One novel use of this location-based data is KLM Royal Dutch Airlines’ surprise campaign, where the company identified passengers who checked into its flights on Foursquare and tweeted about waiting to board. KLM conducted social media research to find out more about why the customers were waiting at the gate, whether their flights were delayed, why they were traveling, and then surprised them at their gates with personalized gifts.
Integrating such social reports with geolocation delivers two added advantages. First, the content of the communication can be interpreted within the context of physical surroundings, thus identifying if the user is sharing specifics of an ongoing service experience. For example, this data could tell you if a customer is still waiting to board a delayed flight at the airport, or if they are tweeting about a bad experience after the fact. Second, knowing the consumer’s location gives a brand an opportunity to take timely corrective actions when a customer is having a problem. For that customer still waiting at the airport, for example, the airline could reach out with text updates to keep the customer informed about updated flight departure times, continued delays, or alternative travel options.
Integrating geolocation data with social media content also helps ascertain the accuracy of shared content to validate if restaurant ratings, such as those on Yelp, are consistent with emotions embedded in tweets from restaurant locations. Significant deviations or inconsistencies at certain times or days of the week can make the ratings of the restaurant from such review platforms questionable. Location-based posts can also help monitor user satisfaction dynamically. For example, users riding in different modes of transportation — buses, trains, boats, and bicycles — can report their experiences in different cities. Information gleaned from the location-based social media posts of the travelers can then show traffic patterns, such as whether certain routes are overcrowded.
To use this location data most effectively, companies need to monitor business locations for shared social media content, identify topics of conversation and the sentiments expressed, follow time-based patterns, and either promote positive remarks from customers with the help of PR teams or have customer service teams follow up on complaints.
Challenges of Building a VMI Framework
There are three major challenges to implementing a VMI framework.
The first challenge is the precision and accuracy of available location data. While a person might be located at a specific spot with geographical coordinates, the real location is often a distance from where they are shown to be. The extent of this deviation depends on the source of the data, whether it is cell towers, Wi-Fi, Bluetooth, or GPS, as well as external factors such as urban construction density and the ways consumers update device settings. The average deviation in one study was found to be 93 feet. This deviation can make a big difference in how well marketers can execute their plans, especially in crowded cities where a small distance can change the consumer’s physical state, as well as their state of mind.
The second challenge is the voluntary nature of the shared content. It becomes necessary for service providers who are harvesting the data to ascertain its validity and define the minimum volume of feedback they consider important before triggering responses. For example, feedback from a single customer about wait times may not be sufficient to generalize the operational efficiency of the staff.
Finally, the simultaneous optimization of trust and relevance is an inherently difficult balancing act. While timely interventions or offers can make customers happy in the short run, recent awareness of Facebook’s data exposure and social media practices of data sharing with third parties such as Cambridge Analytica have led to long-term concerns about the safety of their personal data. New regulations such as GPDR in the EU aim to give consumers control over their personal data. In such an environment of heightened concern about data privacy, assurances — such as better end-user license agreement design, opt-ins, limited third-party sharing, and better deidentification processes — need to be designed to alleviate concerns about storage of data, identifiability of users, and terms of sharing with other entities. Only then can VMI succeed in fully capitalizing on consumers’ location-based social media data for better data-driven marketing and a better customer experience overall.
Mobile technology allows firms to know where the consumer is located. Integrating such location information with social media posts that the consumer shares from that location enables a better marketing intelligence system. Such a system can help firms better understand consumer journeys and also address consumer needs in the moment, provided that consumer privacy and security concerns are adequately addressed.
Apple neither requested any personal data from Facebook nor did it receive any, Apple CEO Tim Cooksaid while responding to a New York Times report that claimed that the social networking giant allowed about 60 device makers, including Apple and Samsung, to access personal information of users and their friends.
“We’ve never been in the data business,” Cook told National Public Radio (NPR) on Monday during the company’s annual conference for developers in San Jose, California.
“The things mentioned in the Times article about relationship statuses and all these kinds of stuff, this is so foreign to us, and not data that we have ever received at all or requested – zero,” Cook was quoted as saying.
Even before Facebook apps were widely available on smartphones, Facebook had data-sharing partnerships with the device makers, The New York Times report said citing company officials, adding that most of the deals remain in effect.
The deals raise concerns about the company’s privacy protections and compliance with a 2011 consent decree with the US Federal Trade Commission (FTC), it added.
“What we did was we integrated the ability to share in the operating system, make it simple to share a photo and that sort of thing,” Cook added.
“So it’s a convenience for the user. We weren’t in the data business. We’ve never been in the data business,” he said.
Facebook is already under scrutiny after the Cambridge Analytica data leak scandal revealed in March how the political consultancy firm had misused data of millions of Facebook users.
The social network, however, defended on Sunday the pacts with the device makers saying that these partnerships do not raise privacy concerns.
Facebook said that contrary to claims by The New York Times, friends’ information, like photos, was only accessible on devices when people made a decision to share their information with those friends.
“We are not aware of any abuse by these companies,” Ime Archibong, Facebook’s Vice President of Product Partnerships, said in a statement.
The social network added that the device partnerships are very different from the public APIs used by third-party developers who used the Facebook information people shared with them to build completely new experiences.
Facebook said that it had already ended 22 of the device partnerships.
A CNET report on Monday said that Senator John Thune, head of the US Senate Commerce Committee, said his committee “will be sending Facebook a letter seeking additional information” about issues including transparency and privacy risks.
“We look forward to addressing any questions the Commerce Committee may have,” a Facebook spokesman was quoted as saying.
Replaces the Opera Max app on Galaxy A and Galaxy J handsets
Samsung on Friday released an Android app that is designed to offer mobile data savings and privacy management. Called Samsung Max, the new app is designed by Samsung R&D Institute India and is available for free download on Google Play and Galaxy App store for select Galaxy devices. The proprietary app will also come preloaded on all Galaxy A and Galaxy J series handsets in a few emerging markets, including India, Argentina, Brazil, Indonesia, Mexico, Nigeria, South Africa, Thailand, and Vietnam – replacing the recently discontinued Opera Max app.
Similar to Google’s Datally that was launched in last November, the Samsung Max offers foreground data compression service that allows you to reduce data consumption from your installed apps. The app also has the functionality to block background data and data access for any app. It compresses webpages, photos, videos, and media within apps and browser to drop data consumption. Similarly, it lets you manage data permissions for specific apps and customise data consumption for existing apps to save your data for other useful tasks.
Alongside offering data savings and data compression features, Samsung Max provides regular reports to let you see which of your favourite apps are consuming the most of your data limit. The app also has a boost Wi-Fi feature that is touted to uplift connectivity even in a crowded Wi-Fi hotspot or at a weak signal area.
Samsung has provided a bunch of features that are specific to security as well. Primarily, the Samsung Max app not just compress but also encrypt all the network traffic that flows from your apps using Samsung’s in-house servers. The South Korean company also claims that has been using a “bank-grade”, secure network experience. In the same vein, there is Samsung Max’ data-savings cloud access make data usage efficient and secure from third-party services.
The Samsung Max app encrypts data when it is sent through a public Wi-Fi network. Likewise, there are features such as tracker blocking and DNS masking to offer a secured Web browsing experience. You can view privacy reports to see how the app adds security to other apps and network connections.
While the Samsung Max by default serves ads, you can choose whether to view ads inside the app or on the lock screen only while your device is plugged in and charging. The latter can be enabled by switching to the premium mode.
“At Samsung, we’ve been committed to creating inclusive data saving and privacy protection services for all our devices. Because of this, we are now introducing Samsung Max to our mid-range devices as an exclusive and unique service that sets Samsung devices apart from the rest of the smartphone market,” said Seounghoon Oh, Vice President Samsung R&D Institute India.
It is worth noting here that the Samsung Max app is presently incompatible with devices other than the eligible Samsung devices. You can check whether it is compatible with your Galaxy handset by visiting Google Play or Galaxy App store.