Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber is pushing back on the allegations, saying that the tracking is a common industry practice used to prevent fraud and account compromise.
Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses.
Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook.
Will Strafach, the president of Sudo Security Group, analyzed a version of Uber’s app from late 2014 and discovered code that he says reveals how Uber tracked its users’ devices.
“They were dynamically loading IOKit.framework (a private framework), then dynamically loading some symbols from it to iterate through the device registry (also very much forbidden). They have code to nab a few things from the registry, but the only persistent identifier they actually use appears to be the device Serial Number,” Strafach told TechCrunch in an email. “I believe that in iOS 9 and beyond, this is blocked by the iOS sandbox. Just to clarify, this also shows the initial concern of ‘tracking after uninstall’ was bad phrasing. The case here is tracking between uninstall/reinstall, which is still a privacy violation as Apple forbids this kind of tracking (that is why they removed the APIs for getting device UDID).”
In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015.
Cook reportedly told Kalanick, “I’ve heard you’ve been breaking some of our rules,” and threatened to yank Uber from the App Store if it didn’t stop tracking iPhone customers. Kalanick reportedly complied.
However, Uber told TechCrunch that it still uses a form of device fingerprinting in order to detect fraudulent behavior. If a device has been associated with fraud in the past, a new sign-up from that device should raise a red flag, an Uber spokesperson said. Uber suggested that the practice of fingerprinting was modified to comply with Apple’s rules rather than discontinued altogether.
“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users,” an Uber spokesperson said.
The New York Times also reports that Uber purchased Lyft rider receipts from an intelligence firm. The company partnered with a firm called Slice Intelligence to do research on Lyft customers. Uber reportedly purchased Lyft users’ ride receipts from Slice, which the company accumulates through an email digest service it owns, in order to study its competitor’s business.
In late 2016, nearly two years after Kalanick’s sit-down with Cook, an update to Uber’s app allowed the company to begin tracking its customers’ locations even when they aren’t using the app. Uber said that it would only track users for five minutes after they begin or end a ride in order to ensure a more accurate pickup location and a safe exit from the vehicle after the ride. This tracking relies on user consent — an Uber customer has to enable location services for the app — and is in line with Apple’s developer rules.
The new reports of privacy-infringing practices come on the heels of allegations of sexual harassment at Uber and in the midst of a trade secret lawsuit brought against the company by Waymo, the self-driving car unit owned by Alphabet. Kalanick has admitted he needs leadership help and is reportedly seeking a chief operating officer to help balance his hard-charging leadership style. An independent report on Uber’s workplace culture, prompted by the sexual harassment claims, is expected at the end of May.
Update: The CEO of Unroll.me has now published a blog post defending its business practices that were called out in the NY Times piece on Uber. Specifically, the post refers to the fact that Unroll.me sold anonymized data it gathered from people’s inboxes to Uber. The data consisted of receipt data for Lyft rides, which Uber used to build competitive counter-models. This data is likely very valuable in the right context — akin to an app analytics service for people’s spending habits.
Selling anonymized data is not uncommon for free services like Unroll.me and its owner Slice — Slice even pitches its powerful data set publicly. But many appear to feel shocked that they were not more clearly informed that if you are not paying with money you still have to pay somehow. Unroll.me CEO Jojo Hedaya said that it was “heartbreaking to see that some of our users were upset to learn about how we monetize our free service.”
He made no indications that it would alter this practice in the future.
Additional reporting by Matthew Panzarino. Title updated to clarify that iPhone devices were tracked.