Co-author: Devin Rauchwerger 

A former Lyft driver filed a class action lawsuit in the Northern District of California against Uber, alleging Uber violated the Electronic Communications Privacy Act (“ECPA”), the California Invasion of Privacy Act (“CIPA”), and other common law invasions of privacy and unfair competition.  The plaintiff seeks to represent two classes: 1) all individuals in the U.S. who worked as Lyft drivers while not working for Uber whose private information and whereabouts was obtained by Uber’s unlawful access of Lyft computer systems; and 2) a similar California class.  The lawsuit estimates the national class at 126,000 individuals or more.

Plaintiff alleges Uber developed a spyware system named “Hell” which permitted Uber to access Lyft computer systems by posing as Lyft customers.  By posing as a customer, Uber could determine the location of up to eight Lyft drivers and obtain their unique Lyft ID.  Once Uber had the particular driver ID, they were able to indefinitely track that particular driver’s location.

The lawsuit further alleges Uber used the information gathered from Lyft drivers to determine how many drivers Lyft had in particular areas, what the average charge was for rides, and which Lyft drivers were also working for Uber.  Uber then offered incentives to the drivers who were using dual platforms to encourage them to only use Uber.

It is also believed another objective of the Hell program was to generate more rides for Uber drivers who were also using the Lyft platform.  Using this method, if there were several Uber drivers in the area when a pickup was requested, Uber’s program would route the person to the Uber driver who also happened to be a Lyft driver, thus ensuring that the driver worked more frequently for Uber.

Uber was already on rocky terms from a privacy perspective even before information about the Hell program was first released in April 2017.  In March of this year, a report came out about a different program called Greyball which Uber initially created to avoid abusive riders.  The report claimed Uber used the Greyball program to avoid government regulators who were attempting to catch Uber drivers in restricted or banned areas.  The Greyball program issued law enforcement members a fake Uber app which prevented them from successfully obtaining rides in the restricted or banned areas.  Use of the program stopped after it was publicly discovered.

While Uber has not officially admitted to the use of the Hell program, they have failed to publicly deny the program’s existence.

We will continue to monitor the developments of this lawsuit, as well as decisions regarding Uber’s other questionable privacy practices. As this incident exemplifies, this area of the law continues to change, but its pace is behind the changes in technology so it is important to consult with privacy counsel before implementing new technologies.