Ruby Zefo, Uber’s first chief privacy officer, has her work cut out for her.
She joined the ride-hailing company nearly six months ago, just after the company revealed a data breach from two years earlier that had affected 57 million passengers and drivers. Until then, Uber had covered up the hacking.
Ultimately, Uber agreed to pay $148 million to settle the matter with state attorneys general.
“We made our mistake; we admitted it; we paid our price,” Zefo said. “Now it’s time to change the narrative.”
Zefo’s response has been to set new standards for data privacy and security at Uber. She is trying to make the company’s data privacy practices more rigorous, implement new safety features for passengers, and create new security standards that guide the development of all new products.
Those standards include examining how the company’s technology collects, uses, shares, and stores user information. Combined, the efforts have one main goal, she says: Providing drivers and riders with transparency and creating trust.
“We drive Uber’s efforts to be a trusted steward … of people’s data,” Zefo said. “We’re not a giant data broker. Our interest is to provide a better experience.”
That means giving passengers more options for how much data they provide to Uber and providing them with a look behind the curtain into how their data is used. One privacy feature that Uber rolled out in December lets U.S. riders mask their pickup address and set their location as a general area or a set of cross streets. The idea is to let passengers avoid sharing their exact address with drivers—so that riders don’t have to worry about the possibility of drivers stalking them—or have their address stored in their user history.
Providing a personalized experience while respecting users’ privacy comes down to a very simple philosophy, according to Zefo: Let people choose what they’re comfortable with.
“There are certain things mandatory to the service—we have to pick you up somewhere,” she said. “But there are options we can give people. It’s about giving people choices that might make their experiences better.”
Zefo says the company also plans to be more transparent about its business practices by providing riders and drivers with information about privacy improvements it’s making to its technology infrastructure.
Zefo joined Uber after more than 15 years at Intel, where she served as an executive focused on privacy. At Uber, she oversees about 16 people in the U.S. while also working with the company’s legal, security, communications, public policy, and engineering teams.
Uber was working on improving data privacy before Zefo got there, she said. But with her hiring, the company has been able to move more quickly.
The creation of the chief privacy officer job is part of a broader housecleaning at Uber under CEO Dara Khosrowshahi, who was hired in 2017 following a series of privacy scandals under his predecessor, Uber co-founder Travis Kalanick. Under Kalanick, Uber illegally obtained medical records of a rape victim in India, researched the personal lives of the company’s critics, and left the door open to employees tracking the location of individual passengers using GPS.
Khosrowshahi has been busy trying to repair some of the damage done. Enter Zefo.
In addition to keeping an eye internally on privacy, Zefo is also keeping close watch on proposed federal data privacy legislation that may impact Uber’s operations. Last week, Senator Marco Rubio (R-Fla.) introduced a bill that, if passed, would require the Federal Trade Commission to create federal privacy protection standards for big tech companies.
Although Zefo is tracking data privacy legislation in Congress, she said it’s still too early to know what any final legislation will say. Regardless, she hopes that regulators will give companies flexibility with their data security plans.
“We don’t want technical standards—mandates on how to fix a problem will be quickly outdated,” she said. “I don’t think regulators are the best at understanding this technology. I have to pay very close attention to how things will be substantiated.”
Correction: This article incorrectly stated the party with which Uber settled over a data breach. The settlement was with state attorneys general.