Are Uber and Lyft Driving Recalled Cars?

Originally published in The American Prospect on July 8, 2015.
——
U
ber and Lyft—two popular ride-sharing companies sweeping cities worldwide—work hard to market their transportation services as safe and secure. On Lyft’s website, the company boasts, “As pioneers in transportation, we’re changing the industry with safety front of mind.” Touting their mandatory inspection requirements, like driver criminal background checks, the company declares: “We designed safety into every part of Lyft.” Uber’s rhetoric is quite similar. “From the moment you request a ride to the moment you arrive, the Uber experience has been designed from the ground up with your safety in mind,” their website states. Phillip Cardenas, the Head of Global Safety at Uber says that while his company is committed to continually improving its policies, he believes Uber has “built the safest transportation option in 260 cities around the world.”

Over the past year I’ve spent a lot of time looking into the growing number of recalled but unrepaired vehicles on the road. Auto manufacturers and the National Highway Traffic Safety Administration (NHTSA) issue safety recalls when they determine that a vehicle or particular piece of motor vehicle equipment creates an unreasonable safety risk or fails to meet minimum safety standards. But while manufacturers must repair recalled vehicles for free, consumers are not actually required to fix their cars—and many don’t. At the end of 2014, Carfax estimated 46 million cars were on the road with unfixed safety recalls.

Reformers have been working to close many of the regulatory loopholes in American auto recall policy. For example, while it’s long been illegal under federal law to sell recalled new cars, no such law exists for used cars, and more than 35 million used vehicles are sold annually. Advocates have been pushing Congress to ban this practice, though most car dealerships remain staunchly opposed. In the rental car world, under federal law, companies can still legally rent cars with unfixed safety recalls, however Hertz, Avis, and Enterprise—which account for more than 90 percent of the rental car market—pledged in 2012 to stop doing so.The companies also support federal legislation that would ban renting recalled cars, but the bill is stalled in Congress. While no such legislative effort exists for ride-sharing companies, I started to wonder, well what about Uber and Lyft? Where do they stand on auto recall reform?

Uber and Lyft’s Weak Defenses

It turns out that despite Uber and Lyft’s public rhetoric about safety, consumers that use these services may be riding in vehicles with unfixed safety recalls. Neither company requires its drivers to repair recalled cars; in fact, the mandatory safety inspections do not even involve checking to see if a car has been recalled. (To check, one would enter a vehicle’s 17-digit VIN number online.)

I reached out to Uber and Lyft to ask whether they allow drivers to work for them with unfixed safety recalls, and what steps the companies take to keep track of recalled cars in their fleets. It’s possible, for example, that a manufacturer could issue a recall for an Uber driver’s car a year or two after the driver has already been working for the company. How does Uber keep track of this? Do they keep track?

An Uber spokesman responded: “Manufacturers notify vehicle owners of recalls. Uber doesn’t own vehicles, we provide a technology platform to help connect drivers—who are independent contractors—with riders. It’s important to note that drivers on the Uber Platform are expected to meet and maintain all vehicle safety standards.”

Chelsea Wilson, a spokesperson for Lyft, told me: “Lyft drivers use their personal vehicles to drive on the platform—the same car they use in their daily lives, driving their kids to school or friends around town. Drivers have a strong personal incentive to make sure their car is in a safe operating condition. In addition to the safety inspection conducted by Lyft, drivers make a continuous representation that their vehicle meets the industry safety standards and all applicable state department of motor vehicle requirements of its kind.”

So Uber says that their car inspections do not include checking for safety recalls because manufacturers will notify vehicle owners if there’s a problem. But what if an Uber driver owns a used car? One of the biggest issues with auto recalls in the U.S. is that manufacturers cannot send secondary car owners mail notices because driver privacy protection laws shield their contact information. Ideally the state would pick up this responsibility, but for now this has meant that many used car owners never learn their car has been recalled. Unless Uber required all their drivers to operate new cars—which it doesn’t—then claiming manufacturer notifications will be sufficient is incorrect.

Moreover, as we’ve seen, even if drivers are aware that their car has an open safety recall, many do not feel compelled to take their car in to be fixed. If Uber wants to ensure that all their cars are actually safe, then presumably they would require each car inspection to include checking for safety recalls, and make the repair of any outstanding recall a requirement for passing the company’s safety inspection.

Lyft suggests that because their drivers use their own cars, there are strong “personal incentives” to ensure that recalled vehicles will be fixed, even if Lyft doesn’t mandate it. But the reason that millions of cars aren’t getting repaired isn’t because they aren’t personal vehicles—most of them are—it’s because owners don’t know they have a recall, or because owners don’t have the time, resources, or will to get their cars fixed.

Legal Liability

Ignoring safety recalls may also put ride-sharing services in murky legal territory in the event of an accident. What happens for instance if a passenger is injured in an Uber or Lyft car that has an unfixed safety recall? Who could be held liable?

I asked Taras Rudnitsky these questions, a former car safety engineer who now works as a consumer justice attorney for victims in auto accidents. According to Rudnitsky, even though the drivers are classified as independent contractors, both the driver and the ride-sharing company could be liable for damages if a passenger was hurt in a recalled car.

In the case of the driver, Rudnitsky explains, a jury would determine whether the driver’s actions fell below the standard of care a reasonable person would take in the same circumstances. “If you’re going to be making money off of your car rides, shouldn’t you make sure your car is in good shape?” he asks. Even if Uber or Lyft didn’t require the driver to check for safety recalls, given that the individual sought to profit from rides that consumers believed to be safe—a driver could certainly be found guilty of negligence in the event of a preventable auto recall accident.

In other words, the fact that Uber and Lyft aggressively market themselves as safe companies reinforces the need for them to prohibit unfixed recalled vehicles from operating within their ride-sharing fleets.
The next question is whether a victim could reasonably go after Uber or Lyft, too. For this, Rudnitsky believes a victim could probably make a strong case that the ride-sharing companies were negligent and fraudulent. “This isn’t just something where an inadvertent accident happened. [These companies] are affirmatively making a case about the safety of these rides with the intention of getting people to call them for business,” he says. In other words, the fact that Uber and Lyft aggressively market themselves as safe companies reinforces the need for them to prohibit unfixed recalled vehicles from operating within their ride-sharing fleets.

“I had never thought about it before, but there’s an awful lot of culpability,” muses Rudnitsky.

Ways To Change Their Policies And Keep Roads Safe

The good news? This is an easy policy fix for Uber, Lyft, and other ride-sharing services to make. In order to ensure that all their cars are safe not only for consumers, but also for other riders on the road, Uber and Lyft should formally prohibit their drivers from using ride-sharing technology until they have repaired any outstanding safety recalls.

Beyond that, Uber and Lyft should instate procedures to ensure that they know exactly which cars in their fleets have unfixed safety recalls at all times, even beyond the initial safety inspection. Since new recalls are announced often, the companies could hire staff to regularly check the VINs in their fleets with NHTSA’s data. Alternatively they could rely on vehicle history reporting services that send regular updates on new auto safety recalls. Another option is AutoAp—a tech company that automatically sends alerts when new safety recalls are announced that match specific VIN numbers you wish to track.

Moreover, Uber and Lyft could follow the example set by the big rental car companies and press for legislation that would formally ban ride-sharing drivers from taking passengers around in unsafe recalled vehicles.

All of these changes would improve auto safety, and none would be too difficult to implement. Why wait?

A small step toward safeguarding Facebook privacy

Originally published in the Baltimore Sun on April 20, 2013.

Millions of people put their lives on Facebook, but thanks to the site’s convoluted and ever-changing privacy policies, they often have little idea who else can see the information they provide or what the company itself is doing with all the personal data it collects. For that reason, Attorney General Douglas F. Gansler’s effort as president of the National Association of Attorneys General to partner with Facebook on a public information campaign is welcome — so long as it doesn’t give the public the impression that the problem of Facebook privacy has been solved.

On Facebook, people publish information about what they like, where they live, where they work, what their relationships are and how to contact them. People also frequently exchange personal and private messages.

Online predators, thieves and frauds have a keen interest in collecting as much personal data as they can to harm, rob or impersonate individuals. Employers and admissions officers actively seek out information that many applicants likely never thought would be public. And Facebook itself makes money from the use of the personal data it collects in ways that users may not realize or appreciate.

The threats to privacy in the digital age have clearly outpaced the government’s regulatory framework. The dominant legislation that governs Internet privacy, the Electronic Communications Privacy Act, was written in 1986, before social-networking sites like Facebook were even conceived. The ECPA says that the Fourth Amendment, which guards against unreasonable searches and seizures, applies to digital files — but only if they are not given to a third party server. Given that Facebook is a third party server with some of our most private information, the law is of little use. For the time being, safeguarding privacy is up to individual users.

The educational campaign Mr. Gansler helped arrange will consist of tips and resources to help clarify some commonly misunderstood privacy questions. The information will be available both on the websites of attorney general across the country and, more importantly, on Facebook itself. Tips include things like, “Think before you tag and check what you are tagged in,” and “Check your audience before you post.”

Soon, public service announcements, starring various attorneys general and Facebook CEO Sheryl Sandberg, will also appear on users’ news feeds, in the way that sponsored advertisements often do. That’s important because the information will be more likely to be seen by those who need it most.

It’s a nice idea, but we can’t help but observe that this is also a pretty sweet arrangement for Mr. Gansler, a man with plans to run for governor next year, and for the attorneys general in 49 other states, many of whom likely have similar ambitions. It’s unclear what their presence adds to the effort.

Indeed, the arrangement poses a greater risk than the possibility that Mr. Gansler will get a little free publicity. The use of his image — or that of one of his colleagues from another state — may suggest to the public that the government is giving its sanction to Facebook’s privacy policies or even playing some role in regulating them. If so, a campaign to get people to be more careful in their online activities might have the opposite effect.

After all, the greatest perpetrator of privacy confusion is often Facebook itself; the company’s practice of manipulating privacy settings, even after users have taken the time to set them, can become a confounding puzzle and headache. Facebook’s “targeted advertisements” are very often a result of information users hadn’t realized they released.

Mr. Gansler says he raised the issue of Facebook’s frequent privacy policy changes, but the site has made no commitment to mend its ways. The partnership, it seems, only goes so far. If this is a step in the right direction, it is a small one that serves to underscore the need for a much broader conversation about these issues.

The threat to Internet privacy

Originally published in the Baltimore Sun on January 31, 2013.

This week, the United States, Canada, and the 27 countries in the European Union “celebrated” Internet Privacy Day. However, it seems there is little to really celebrate; the past few years have given rise to the largest increase in electronic wiretapping our nation has seen. To be sure, access to information is important for fighting crime and terrorism. However, because the major laws that govern Internet privacy were written in 1986, they fail to protect the modern-day security needs of American citizens. And despite Barack Obama’s campaign promises in 2008 to repeal policies that violate civil liberties, his administration is now not only supporting them but also quickly expanding their presence within the digital world.

The 1986 Electronic Communications Privacy Act (EPCA) was enacted before social networking sites were invented, and before the everyday use of email, Internet and cellphones. Thus, there are many unsettling constitutional quandaries that Congress simply could not have anticipated 27 years ago. For example, the bill says that the Fourth Amendment, which guards against unreasonable searches and seizures, applies to digital files — but only if they are not given to a third party. Yet third-party entities such as Google, Facebook and Dropbox hold some of our most private communications on their servers. The structure of the law as it is written gives more privacy protection to a yellow memo pad on your nightstand than emails on your Yahoo account.

In September, 2012 the ACLU released a report that stated the number of authorizations the Justice Department received to use “pen register” and “trap and trace” techniques on individuals’ email and network data increased 361 percent between 2009 and 2011. A “pen register” intercepts outgoing data from a phone or email account, while “trap and trace” intercepts incoming data. The ACLU also reports that the Justice Department used these measures to spy on phones 23,535 times in 2009 and 37,616 times in 2011, an increase of 60 percent.

Additionally, Google just released a report stating its company saw requests for information from the federal government increase by 70 percent over the past three years. In more than two-thirds of those cases, Google complied and released some amount of personal data. Sixty-eight percent of the requests Google received were through subpoenas, which typically do not require a judge’s approval. According to Google’s public statements, “Government agencies make requests … seeking information about Google users’ accounts or products. In [our] report, we are generally revealing statistics about demands in criminal investigations.”

To be sure, not all information requests are controversial, since these numbers reflect not only requests for “content” emails but also for basic subscriber information, which is not protected under the Fourth Amendment to begin with. Yet, while big companies like Google, Yahoo and Microsoft demand warrants for content requests, it is likely that smaller companies with less money for legal battles do not.

Google is not the only company facing a surge of government information requests. Verizon told Congress in 2007 that it received at least 90,000 such requests each year. And Facebook told Newsweek in 2009 that orders were arriving at the company at a rate of 10 to 20 a day. The number of requests and subpoenas has surely increased since then, but ultimately there exists no clear public mechanism to monitor exactly what information the government requests and receives from Internet companies. This is problematic.

The Obama administration has been too quiet on matters regarding digital security, and in situations where officials have spoken out, they’ve advocated for a greater ability to collect information, rather than less. In December, the administration reauthorized an extension of the Foreign Intelligence Surveillance Act, which allows the government to monitor overseas phone calls and emails without obtaining a court order for each intercept. While the law excludes Americans, there remains a lot of troubling obscurity as to the nature and execution of these powers. Additionally, the FBI has said that revising surveillance laws to make it easier to wiretap people who communicate online rather than by telephone is a top and urgent priority.

The FBI contends it is not seeking new, invasive powers but rather looking to keep its existing powers relevant in the modern age. However, the Obama administration, Congress and even the FBI have to work vigorously to protect the civil liberties and privacy of American citizens. As Internet Freedom Day (Jan. 18) and now Internet Privacy Day (Jan. 28) come and go, it is imperative that we actively seek to establish a clear and constitutional legal framework for the digital era.