This post was coauthored by R Street Policy Analyst Nathan Leamer.

Recent years have seen a range of internet companies release “transparency reports” that attempt to detail, to the extent allowed by law, law-enforcement and national-security demands for user data. Most of these reports have been issued by companies that either are primarily internet service providers or internet-focused communications companies – such as Google, AT&T, Verizon, Twitter and CloudFlare – or longstanding, consumer-facing tech firms like Apple and Microsoft.

Uber, the internet-based ridesharing company, this week joined the ranks of companies to publish transparency reports, a move R Street applauds. Moreover, there are some key aspects to Uber’s first transparency report to which we should all pay attention.

In the final six months of 2015, Uber reports it received “33 requests from regulatory agencies, 34 from airport authorities, and 408 requests for rider account information and 205 for driver account information from law enforcement agencies.” These numbers need some unpacking.

First and foremost, Uber’s report includes aggregated data on information it’s provided to state regulatory agencies. State regulators gathered information, including GPS coordinates for pickups and drop-offs, on more than 12 million individuals (drivers and riders) just in the last half of 2015.

By comparison, Uber received only 415 warrants or subpoenas from law-enforcement agencies in all of 2015. Those 415 warrants or subpoenas covered only 613 drivers and riders, total. The company reports it hasn’t yet received any National Security Letters or any orders from the Foreign Intelligence Surveillance Court, but we may reasonably expect that to change over time as our intelligence services become more interested in the question of what logistical and other data they can recover from ridesharing services.

Turning our attention back to the roughly 11.6 million riders and 650,000 drivers whose data was swept up by state regulators, it wouldn’t be surprising to learn that federal agencies (as well as other state agencies) already have access to this information. There’s no standard set of rules that would illuminate what state agencies are doing with this data – whether it’s kept forever or erased at some point, or anything else. While it’s good that Uber is committed to transparency in what it shares with government agencies, this transparency report underscores the need for state regulators to be just as transparent about what they do with the data they collect from Uber and other ridesharing companies.

Another way that Uber’s duties under the law differ from (and arguably are greater than) those of other internet companies is the airport-reporting requirements. Everyone knows Uber drivers (in those states and localities that allow ridesharing companies to operate relatively freely) may pick up and drop off riders at airports. But what you may not know is that U.S. airports often operate as their own separate jurisdictions and may impose their own reporting requirements on Uber and similar companies. As Uber’s report puts it:

In order to operate at airports, regulated transportation companies and other similar services are required to enter into agreements created and enforced by each airport authority. These agreements vary by airport and require transportation services to report information such as trip volumes on a monthly basis; when vehicles enter and exit the airport area; where vehicles pick up and drop off within the airport area; and/or each vehicle’s registration information, license plate and driver. The statistics here show the number of riders and drivers affected by airport reporting requirements.

Not every airport chooses to impose such requirements, but from those that do, Uber received 34 requests for data that included information about more than 1.6 million riders and more than 150,000 drivers. As with the state regulators, we don’t know what the airports ultimately do with this information, the extent to which it’s protected or whether it’s ever deleted. In an age of cyber-security hacks and loads of potentially compromising information in government hands, there really is cause for concern that state and local agencies have the wherewithal to protect the details shared in these reports. These are questions worth raising now, since airports, like all government entities, ultimately ought to be accountable to citizens.

Unlike companies in other areas of internet-based commerce who previously have complied with mandated transparency reports, Uber is compelled to share extremely sensitive data about their drivers and users. We understand that, in some sense, Uber is simply meeting requirements that taxis and limo and courier services long have been required to meet.

But with Uber, there’s at least one important difference – the company’s business model relies on GPS, on in-depth customer reviews of drivers and even drivers’ review of riders.  All of that means the information transportation network companies must share may be vastly more detailed and intimate than, say, a taxi service would provide. Plus, taxi companies can (and typically do) accept cash rather than credit cards for payment.

Despite what we don’t yet know about what government agencies ultimately are doing with TNC data, we nonetheless have to praise Uber for taking the initiative to make this first transparency report public. We look forward to Uber’s efforts to adapt and evolve this transparency report over time. Not only do we expect federal and state law-enforcement, national-security and regulatory demands from companies like Uber to grow, but Uber and other international internet-based companies likely will be compelled to turn over information to other governments around the world. Uber has been operating internationally since 2012. Google and other pioneers of the transparency-report movement have made a point to include data about demands from other governments under whose jurisdiction they operate. In the long run, we’d like to see Uber publish transparency reports that include compliance with foreign governments’ demands, as well.

Uber’s transparency report marks a major milestone in the dialogue over data integrity and what should and should not be shared with government agencies. As internet-based companies continue to expand into traditional commerce, we look forward to other companies – as well as state regulators, federal agencies and other nations’ governments – following the examples set by Google, Apple, Twitter and now, Uber.

Featured Publications