The Uber driver allegedly attacked his passenger on Aug. 10, 2023, in San Francisco, trying to kiss her twice before she could unlock the car door and flee. The woman, identified only as “A.R.2,” claims in a lawsuit that the ride-hailing firm never should have let him be one of its drivers, given his convictions for assault and kidnapping, three domestic violence restraining orders and another rider’s recent complaint about him. 

A.R. 2’s lawsuit is among more than 3,000 nationwide alleging that Uber failed to take appropriate steps to prevent assaults on riders, cases being overseen by U.S. District Court Judge Charles R. Breyer in San Francisco. Thousands of similar actions have been filed against Uber’s rival, Lyft. The companies deny liability. In A.R.2’s case, an Uber representative said the driver had passed a background check consistent with state law and that Uber had followed up on the complaint. 

But the growing number of cases has raised questions about whether the San Francisco-based firms hid the risks of sexual assault and harassment from the public — and whether state regulators have in effect helped them do it.

Ride Hailing's Dark Data

As the state’s chief regulator of the ride-hailing industry, the California Public Utilities Commission is responsible for ensuring rides are safe, and is uniquely positioned to assess such dangers and warn the public. It is the only agency in the state that collects data from each company, in the form of mandatory annual reports that track trips, collisions and passenger complaints of assault and harassment. 

But despite the mounting number of lawsuits against Uber and Lyft, the commission has failed to follow through on its own declarations, most recently last summer, that the annual reports should be released in the interest of public safety. For years it has kept the general public and local officials in the dark about the extent and nature of the assault problem in California, and whether the agency has responded appropriately.

A Public Press investigation — based on agency documents obtained under the California Public Records Act, other previously unreported legal records and interviews — has found that the commission:

  • Allowed Uber and Lyft to file numerous repetitive challenges to its decisions to release data from the annual reports, even though they were based on arguments the commission previously rejected. The agency finally voted last August to bar such challenges, declaring it would be an “injustice” to keep the information secret, but then took under consideration another challenge from Lyft that has further delayed its release. 
  • Never required Uber, by far the largest ride-hailing firm, to submit corrected data on assault and harassment complaints from 2017 through 2021, according to the company. The agency’s inconsistent collection of data obscured the frequency and patterns of assaults in millions of rides.
  • Failed to allocate sufficient staff and resources to process the companies’  annual reports, instead using a “manual” process that caused up to a nine-month delay just in validating the data. This hindered the agency’s ability to conduct analyses of the information necessary to oversee the industry and enact timely safety measures.

As a result of all this, the public does not have a reliable understanding of the safety risks of using ride-hailing services. In the 12 years since it began collecting the annual reports from each firm, the commission has released only those for 2020 and 2021, which contain numerous redactions and inconsistently collected assault information.

And the agency has yet to create a long-discussed web portal through which the public could access and analyze anonymized data on the transportation networking companies, or TNCs, as the firms are known. The portal could show when and where assaults reportedly occurred. By way of reference, thousands of colleges publish annual reports highlighting such information about campus crimes. The portal could also show patterns in the incidents. For example, a review of lawsuits against Uber suggests that some assaults happen after passengers have been out drinking.

But so far, the commission has produced only a web page titled “TNC Portal” showing just the flawed 2021 annual reports filed by Uber and Lyft as raw spreadsheets. The site has no reports for any other year or for any of the state’s 14 other ride-hailing firms. 

Loretta Lynch, president of the commission from 2000 through 2002 and a commissioner until 2005, said the agency’s withholding of the ride-hailing data is “an egregious dereliction and abdication of their statutory responsibilities. This clearly affects safety.”

Lynch said the agency’s long record of delays in making the ride-hailing data public suggests it is putting “the companies’ business interests above its own duty to promote transparency and protect the safety of Californians.”

She noted that the commission has always had the legal power to release additional annual report data in anonymized form, such as state or county totals of complaints, or analyses of patterns of incidents, that could illuminate the danger. 

By keeping it secret, she said, the commission has helped the companies avoid public accountability. “It clearly affects our knowledge of the extent of the sexual assault that’s going on in these companies, at a time when there’s ongoing litigation about that,” she added.

panoramic photo of a glass-walled building bearing the word "Uber" on a busy street corner
Uber, headquartered on Third Street in Mission Bay, and cross-town rival Lyft have filed repeated legal challenges to block release of ride-hailing safety data. Credit: Neal Wong / San Francisco Public Press

The San Francisco City Attorney’s Office filed a brief last year on behalf of the County Transportation Authority expressing frustration that the state Public Utilities Commission had not followed through on its decisions to publish the information. 

Drew Cooper, a data analyst for the transportation authority, said in an interview that the commission’s refusal to release the annual reports has prevented his agency from assessing how ride-hailing is affecting roadway congestion, public transit ridership and safety.

“How often are people reporting that assaults or sexual assaults are happening?” he asked. “I think there’s an obvious public interest in that type of information.”

Uber and Lyft say problems occur on a tiny percentage of their rides and that they have added many security features. As Uber put it in a statement, “Everything we do is about safety.” Lyft did not respond to requests for comment for this article. 

But the firms have long sought to conceal the full extent of such incidents. Although each company publishes its own biannual safety report, they provide national totals of assault complaints, traffic deaths and fatal physical assaults, and exclude other kinds of incidents. In court, the companies usually settle assault and injury cases with confidentiality agreements.

This legal strategy, combined with the incomplete company reports and the commission’s secrecy, leaves the public without accurate information about the danger of catching rides with strangers driving on the Uber and Lyft platforms. Drivers likewise have no data about assaults by passengers. 

See previous reporting in our ongoing series, Ride Hailing’s Dark Data.

Terrie D. Prosper, the commission’s director of external affairs, said in an email that the agency had taken actions to address safety issues in the ride-hailing industry, including those of sexual assault and harassment. She wrote that it had also worked to correct problems with “data integrity” in its collection of the annual reports.

Prosper acknowledged that the commission has withheld the annual reports “due to pending confidentiality claims” by the ride-hailing companies. However, she did not answer questions about why the agency had manually processed the data for years, how that affected its ability to monitor the industry and why it had not at least released some safety data that it determined was publicly disclosable.

A record of secrecy and errors

The California Public Utilities Commission regulates companies that offer essential services to the general public, such as power providers, telecommunications firms and statewide transportation firms. Its five commissioners are appointed by the governor for six-year terms. The current ones were named by Gov. Gavin Newsom. 

In 2013, the agency legalized app-based ride-hailing services and issued rules for the new business. The California Fair Political Practices Commission later found that this process was influenced by the illegal lobbying of a Lyft representative. 

Those rules required each company to file annual reports consisting of spreadsheets containing information on subjects such as the total number and location of trips, drunk-driving complaints and collisions. In 2017 the agency started collecting data specifically on sexual assaults and harassment complaints. 

But a one-sentence footnote inserted into the final 2013 rules, without prior public notice, deemed the annual reports confidential. On that basis, the commission for years has denied public and local governments’ requests for the data. 

In 2020 the commission reversed footnote 42 for future annual reports, declaring: “The Commission’s newly adopted approach in this proceeding aligns with California’s policy that public agencies conduct their business with the utmost transparency, and that absent a compelling reason to the contrary, information provided by a TNC to the Commission should be available to the public.”  

The Public Press then obtained the annual reports for 2020, and discovered that the agency had allowed Uber and Lyft to use their own differing definitions of sexual assault and harassment, rendering the data unreliable. A social sciences professor who was a member of the National Academy of Sciences Panel on Research on Violence Against Women said this deviation from the standard practice of using consistent classifications indicated “an apparent lack of concern.”

In June 2022, following official calls for reform, the commission ordered the ride-hailing firms to use a uniform “taxonomy” in future reports on sexual assault and harassment. The order said inconsistent reporting occurred from 2017 through 2021 and “could impact the total number and types of incidents reported in their annual reports.” 

Defective data

Newly released Public Utilities Commission records shed light on problems with the annual report data and how they hindered oversight of the industry. In response to six public records requests by the Public Press, the agency released more than 700 pages, with redactions it said were necessary to protect internal deliberative process, potential investigations and the public interest.

According to internal commission correspondence, Uber had “likely” undercounted the assault and harassment complaints it reported to the commission. 

In a Sept. 8, 2022, email, an agency analyst told a colleague that since 2019, Uber had reported only complaints that led to the driver being banned from the platform. The analyst noted that the rules also required reporting “claims that do not involve driver deactivations.”

Gabriela Condarco-Quesada, an Uber spokesperson, said in an email that the company disputed the analyst’s statement and had “provided information based on what was required at the time.” Since 2022, when the commission issued uniform definitions for sexual assault and harassment, she said, Uber has reported complaints accordingly.

But, she added, the commission never required Uber to submit corrected data on assaults and harassment complaints, non-sexual assaults and harassment, and collisions for reports it submitted prior to 2022.

This part of Uber’s statement appears to be supported by the commission’s response to a records request. The Public Press asked for any documents dated after Jan. 1, 2021, in which the agency told the companies to use the uniform definitions in their reports or noted problems with how those terms were applied. The commission’s legal staff said the agency had no such documents.

Other internal Public Utilities Commission records acknowledge that its inconsistent collection of data hampered the agency’s ability to oversee the industry.

In November 2023, the U.S. Government Accountability Office was surveying the availability of data on assault complaints against ride-hailing and taxi drivers. Commission staff told the federal researchers “they have faced challenges” in collecting “consistent information from ridesourcing companies,” according to one record referring to the ride-hailing firms. This made it “difficult to compare data across different companies without sending data requests to the companies for additional information.” 

Prosper did not answer questions about the analyst’s email, whether the agency had corrected the inconsistent annual reports and how the faulty data affected the commission’s ability to meet its oversight responsibilities. 

Overwhelmed by spreadsheets

Although its job is to regulate large utilities that use some of the most advanced technology, the Public Utilities Commission failed to allocate sufficient staff and resources to process the voluminous annual reports. 

Every ride-hailing company must annually submit 19 spreadsheets that include reports on accidents, zero-tolerance violations, suspended drivers, accessibility complaints and assaults. All told, there are 87 descriptive details, with Uber’s and Lyft’s annual reports each totaling 100 to 200 gigabytes.

For years the state agency processed all this manually. A May 1, 2024, memo from staff to Commissioner Matt Baker described the “current manual process” required after each company uploaded its reports:  

“Data intake, download, and storage; validate data to ensure it meets data dictionary criteria; issue Data Requests to correct any deficiencies; intake, download and store re-submitted data w/ corrections; re-validate data to ensure compliance.”  

The average processing time for just one year’s worth of data was five months as of 2024, the memo said. That was an improvement from nine months as of 2022.   

According to a December 2024 memo, “Extensive reporting and historical lack of staff resources meant limited ability to validate data with TNCs, creating delays in ability to share verified data.” 

This document, an overview prepared by the commission’s Transportation Licensing and Analysis Branch, added, “State agency partners, academic institutions, and local agencies are frustrated at inability [sic] to access crucial info in a timely manner or at all.” 

These problems impeded the commission’s ability to use the data to identify and address public safety risks. As a June 2, 2022, report notes, “Analysis of data can only be performed once filings are verified, clean, and complete.” 

Prosper did not answer questions about the data processing problems.

five people sit behind a large curved desk in a hearing room with American and California flags and the seal of the Public Utilities Commission behind them
Members of the Public Utilities Commission, which is based in San Francisco, have voiced support for releasing safety data collected from ride-hailing companies. But the agency has kept nearly all of it secret. Credit: Neal Wong / San Francisco Public Press

Finally, in 2025, the commission retained Chico State University to address such technical issues. Under a three-year, $317,207 pilot project, ride-hailing companies upload annual report data to a web server managed by university employees that automatically identifies errors and requires corrections before accepting it. The university will keep the data confidential under a nondisclosure agreement. 

The contract, obtained with a public records request, emphasizes that the commission needs validated data to monitor the industry and enforce consumer protection measures “such as rules related to zero tolerance for substance abuse, sexual assault and harassment, and off-platform solicitation.” 

The contract does not include creating an online portal through which the public could access ride-hailing data, something the commission broached as early as 2017.

In a June 2, 2022, commission overview, agency staff described to the commissioners their “vision” for a public portal and dashboard that would provide “transparency and clear insights” about the ride-hailing industry.

Such a dashboard would let users filter and download data, the overview says, and could include data visualization tools such as maps showing patterns of vehicle, bicycle and pedestrian crashes. 

The dashboard could also provide “regular updates on TNC trends and activities,” according to the May 1, 2024, memo to Commissioner Baker.

It could likewise address the persistent problem of assaults, the Public Press found. It could show numbers and general locations of alleged attacks, like the anonymized reports published annually by some 5,000 universities and colleges that participate in federal financial aid programs. 

Those reports enumerate alleged crimes and whether they reportedly occurred on campus, in student housing or in a neighboring area. They are required under the Jeanne Clery Campus Safety Act, named for a student murdered in 1986 at Lehigh University in Bethlehem, Pa., and are intended to foster transparency and safety. 

“A core aspect of the Clery Act is to have crime statistics so that this information is readily available to students and parents,” Abigail Boyer, then-associate executive director of the nonprofit Clery Center, said in an interview last year. She explained that the data warns about risks and helps campus communities identify and prevent potential crimes.

Prosper did not answer questions about the agency’s plans for an online data portal.  

Years of confidentiality claims

The Public Utilities Commission has long had the legal power to publish at least some anonymized ride-hailing data, such as total numbers of assaults, collisions and drunk-driving incidents on a state- or countywide basis, according to former commission president Lynch.  

In 2020, Robert Mason, one of the commission’s administrative law judges, used that power to require Uber to publicly release the number of sexual assault complaints it had received in California during 2017 and 2018: 1,243. They were among the 5,981 that Uber said it had received nationally, in its self-published biannual “US Safety Report” for those years.

In its subsequent self-published reports, covering 2019-2022, Uber said it received another 6,541 assault complaints across the country.

Lyft publishes similar reports, which state it received 6,809 such complaints from 2017 to 2022 nationally. 

But neither Mason nor the commission ever ordered Uber or Lyft to release the total numbers of assault complaints in California contained in these later reports. Prosper, the commission spokesperson, would not say why not.  

close-up photo of the back windshield of a car with Uber and Lyft signs
Both Uber and Lyft have published their own safety reports, but they provide national totals for certain incidents, omit others and provide no state or local figures. Credit: Neal Wong / San Francisco Public Press

An initiative proposed for the November ballot by attorneys and doctors would impose additional safety measures on ride-hailing firms, make the companies legally responsible for sexual assaults that happen on their rides and require them to publish monthly reports on the number of sexual assault complaints against drivers and passengers. 

That measure followed an initiative proposed by Uber, also for November, to limit medical expenses and lawyers’ fees paid to people who sue for injuries in crashes.

Meanwhile, the commission for years let the ride-hailing companies file repetitive legal challenges to publicly releasing data from their mandatory annual reports to the agency, which then cited those challenges as the basis for continuously keeping the safety information secret.  

The commission ultimately acknowledged the dilemma created by these “duplicative motions” in its decision of Aug. 28, 2025, noting that as the ride-hailing companies filed their reports each year “they raised the same claims of trade secret protection and privacy protection for the trip data.” This imposed an “unintended burden” on the commission, it said. 

The decision ordered that companies cease filing redundant motions opposing disclosure of the data.

The August ruling also addressed the still-unreleased annual reports that the firms had submitted. Although the companies had a financial interest in certain trade secrets, the commission concluded, the public interest in disclosure outweighed that concern and “it would be an injustice” to keep the reports out of public view.

The decision directed the ride-hailing firms to submit public versions of their 2021-2024 annual reports by October 2025, and 2014-2020 reports by February 2026. They could make only limited redactions to protect the privacy of drivers and riders. 

And with that order, the commission closed the public proceeding in which it had legalized and regulated ride-hailing since 2012. A proceeding is a legal process for regulating industries and typically includes hearings, briefings and rulings.

The commission declared that it had taken many steps to improve safety and service, including setting requirements for insurance, vehicle inspections, driver background checks and mandatory annual reports.

But major safety issues remained.

The commission had neither completed an industrywide survey nor developed best practices for companies in responding to and reporting sexual assaults. 

Both actions are legally required under a 2021 settlement between Uber and the commission in which Uber paid $9 million to support the survey and other safety measures. The settlement resolved a prior recommendation by Administrative Law Judge Mason that Uber be fined $59 million for withholding information about sexual assaults.

In a brief on the commission’s proposal to close the proceeding, San Francisco Deputy City Attorney Lillian Levy expressed the transportation authority’s concern about doing so before fulfilling these “outstanding obligations.”

Levy also wrote that Uber and Lyft had inconsistently reported collisions and physical altercations, and that “the need for uniform reporting extends well beyond sexual assault and sexual harassment.” 

(Uber representative Condarco-Quesada said that since 2022 Uber has reported these kinds of incidents according to the agency’s definitions.)

But despite the city’s concerns, the commission closed the public proceeding. The agency’s order said it would continue its oversight of the industry, with ride-hailing companies and agency staff working together to resolve “any remaining questions.”

Lynch, the former commission president, said shutting the proceeding would take regulation of Uber and Lyft “behind closed doors” and limit the “opportunity for anyone who wants stronger rules and more accountability and transparency to even comment.”

Prosper did not answer questions about why the commission voted to close the proceeding.

Even after its order, the agency allowed more delays in releasing the safety data.

Last September, Lyft filed a new challenge to the August decision, again arguing that the commission unlawfully ordered the release of trade secrets in the 2021-2024 reports.

That led the agency to reopen the proceeding on Oct. 31, 2025, when it issued a partial stay of its decision to accommodate Lyft’s request for a rehearing, which is pending.

And in November 2025, at Uber’s request, Rachel Peterson, then the commission’s executive director, extended the deadline for the companies to submit the older annual reports to March 31, 2026. As of mid-June, the agency had not released them.

Meanwhile, more sexual assault lawsuits against Uber and Lyft have landed in the U.S. District Court at 450 Golden Gate Ave., with more passengers and drivers claiming they were attacked during rides.  

And city officials concerned with transportation safety still can’t access data they say could help prevent attacks. 

“The public has been deprived of access to TNC Annual Report Data for more than a decade,” wrote Levy, of the San Francisco City Attorney’s Office, in her brief. “Enough is enough.”

This article was supported by a grant from the Fund for Investigative Journalism. Previous articles in this series were produced in partnership with the McGraw Center for Business Journalism at the Craig Newmark Graduate School of Journalism at the City University of New York.

Seth Rosenfeld is an independent journalist who for more than 30 years has specialized in using public records acts in defense of the public’s right to know. He has been a staff reporter for the San Francisco Examiner and San Francisco Chronicle and his freelance articles have appeared in The New York Times, Los Angeles Times and Harper’s Magazine. He has received the George Polk Award for health reporting and other national honors.