In a disturbing turn of events, Uber has been tracking oblivious iPhone users even after they removed the application from their phone. Two years ago, the situation escalated to such an extent that CEO Travis Kalanick earned a slap on the wrist from Apple mogul Tim Cook.
The New York Times reports that Kalanick pulled a "fast one" on Apple back in 2015 when the app continued to identify and tag iPhone users after they had deleted it from their phones. In doing so, Kalanick's company violated Apple's privacy guidelines and was nearly booted off the App Store.
The practice is called 'fingerprinting,' which Uber used on iPhones initially as a fraud-prevention method. It is a piece of code that identifies a specific iPhone, locates it, and remembers it. Uber hoodwinked Apple engineers by geofencing Apple's Cupertino headquarters to hide this code, but Cook & Co. soon discovered the deception. The whole debacle resulted in an awkward face-to-face meeting for Kalanick at Apple headquarters back in 2015 where Uber was forced to comply with Apple's regulations.
Now, fingerprinting does have practical uses when it comes to fraud prevention. In places like China, ride volume was rewarded, so drivers were creating dummy Uber accounts on stolen phones to cash in on this. Fingerprinting allowed Uber to identify when a device had reinstalled an app. Uninstalling an application leaves a trace of code behind and enables the company to detect fraudsters. However acceptable fingerprinting may be, Uber took it too far by accessing iPhone users' Apple-assigned serial number, and therein lies the issue.
Will Strafach, the president of Sudo Security Group, a mobile security platform, analyzed a 2014 version of the app and found that Uber's "shenanigans" included tracking between uninstall/reinstall, which was still in violation of Apple's rules.
Late last year, an update to the app meant that customers' locations would be tracked for five minutes before and after the ride, to ensure a safe exit, etc. The update required consent to apply (in line with Apple's guidelines) and allows Uber to track the user even when they are not using the app.
A spokesperson for the company insisted that identifying and tracking is common practice in the ride-sharing industry to prevent fraudulent activity, however:
"We absolutely do not track individual users or their location if they've deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users' accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."
In 2013, Apple did away with the Unique Device Identifier, or UDID, a tracking system which was persistent upon install, and replaced it with less intrusive trackers. Evidently, some companies are just more concerned with user privacy than others.
Meanwhile, the NYT also discovered that Uber used an intelligence company called Slice Intelligence to gain more of an insight into Lyft's customer base. Some might call that spying, but each to their own! Uber combed through data purchased from Unroll.Me, an email-decluttering service provided by Slice, to accumulate data on Lyft users via their inbox receipts.
Unroll.Me CEO Jojo Hedaya has since issued a groveling apology on the company's blog, which is ironically titled "We Can Do Better." Hedaya writes that it was "heartbreaking to see that some of our users were upset to learn about how we monetize our free service" and that they had not been "explicit" enough in their privacy terms. You don't say?
Although this isn't an uncommon practice for sites of this sort, that didn't make users any less shocked that there was a mole in their mail for the benefit of Uber. This is just the latest scandal to rock Uber, which is currently embroiled in a court battle with Google's Waymo over data theft.
We wonder whether it can weather this particular privacy storm. Good luck, Mr. Kalanick (you'll need it!).