Uber broke Apple’s rules by tagging and tracking iPhones even after users had uninstalled the taxi-hailing app. The New York Times reports that Tim Cook met with CEO Travis Kalanick and warned that the Uber app could be kicked out of the App Store for violating privacy guidelines.
Uber is reported to have been “secretly identifying and tagging iPhones” not only after the app was uninstalled, but even after phones had been wiped. The “fingerprinting” technique was allegedly used to identify individual iPhones, and measures were taken to hide the offending code from Apple.
The New York Times explains the thinking behind the alleged deception: “The idea of fooling Apple, the main distributor of Uber’s app, began in 2014. At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way.”
The fingerprinting made it easy to identify iPhones through the use of persistent code. It did not matter if the app was removed, or even if an iPhone was subjected to a factory reset. But as the NYT continues:
“There was one problem: Fingerprinting iPhones broke Apple’s rules. Mr. Cook believed that wiping an iPhone should ensure that no trace of the owner’s identity remained on the device.
“So Mr. Kalanick told his engineers to ‘geofence’ Apple’s headquarters in Cupertino, Calif., a way to digitally identify people reviewing Uber’s software in a specific location. Uber would then obfuscate its code for people within that geofenced area, essentially drawing a digital lasso around those it wanted to keep in the dark. Apple employees at its headquarters were unable to see Uber’s fingerprinting.”
Uber told TechCrunch that fingerprinting is still used to try to identify fraudulent accounts. However, the company denies that the technique is used to spy on the location of users:
“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone — over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.”