Uber Reportedly Tracked iPhones Even After The App Was Deleted, Bought Lyft Receipts

Image courtesy of Alper Çuğun

It’s been a busy spring for Uber, in all the ways that companies usually try to avoid. Now, among all the allegations of tracking programs from “Greyball” to “Hell,” come a pair of new claims that won’t do anything to improve Uber’s dodgy reputation with regard to privacy.

Included in the New York Times’ new, in-depth profile of Uber CEO and lightning rod Travis Kalanick, are two items that are of particular interest to Uber users who care about privacy.

First, there’s the claim that Uber was tracking iPhones even when the Uber app was not in use. Then there is the allegation that the company was using third parties to track how much its customers used competing service Lyft.

‘Fingerprinting’ iPhones

One day in 2015, the NYT reports, Kalanick got called down to Cupertino to meet with none other than Apple CEO Tim Cook. As it turned out, Uber was tracking iPhones persistently in a way that was a big, big no-no for Apple. Cook told Kalanick to knock it off, or he’d have Uber kicked off the platform.

The problem was something called “fingerprinting.” Much in the same way people can be identified wherever, whenever they touch something by leaving unique fingerprints, so can devices — at least, if you generate a virtual fingerprint for them first.

Uber started with a good reason to leave the fingerprint code on phones, the NYT explains. The Uber app was becoming subject to widespread fraud in places like China. Users there could buy inexpensive, stolen iPhones. The original user data from those phones had been erased, and so Uber drivers there could create dozens of fake driver and passenger email accounts and use the stolen phones to accept ride requests that didn’t happen for passengers that didn’t exist. That let the drivers reap the incentive money Uber was offering anyone who accepted more rides.

(Uber gave up on China and sold its business there to competitor Didi Chuxing in 2016.)

So Uber came up with a way to give each iPhone a unique fingerprint that stayed even after you’d erased the Uber app — and everything else — from it. But that’s explicitly against Apple’s rules: “Mr. Cook believed that wiping an iPhone should ensure that no trace of the owner’s identity remained on the device,” as the NYT put it.

Instead of asking Apple or coming up with another solution, though, Uber did what it now seems to have done on the regular: Tried to hide its tracks.

The company used what’s known as a “geofence” to block Apple employees from seeing the fingerprints. Basically, if you were trying to get into Uber’s stuff from someplace in Cupertino, you’d be blocked from accessing it.

So nobody at Apple HQ could see the code… but Uber apparently failed to consider that Apple also has many employees who don’t work out of the main office. Apple engineers working elsewhere caught it and rang it up the chain, leading to Kalanick’s meeting with Cook.

Uber reportedly stopped using that kind of device fingerprinting after that meeting.

But as TechCrunch reports after explaining technical details of how the fingerprint migh work, the company now says it has tweaked, but not ended, the process.

“We absolutely do not track individual users or their location if they’ve deleted the app,” an Uber representative told TechCrunch.

“As the New York Times story notes … this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users,” the representative said.

Targeting Lyft

It’s no secret that for years, Uber has been painting targets on competitor Lyft’s back as much as it’s been growing its own business. In 2014, Lyft accused Uber of requesting then deleting thousands Lyft rides en masse, in order to make the service less usable and attractive to everyone else.

Then, earlier this month, information surfaced about a tool, dubbed “Hell,” that Uber had been using internally from 2014 to 2016 to track Lyft usage and recruit its drivers by using fake driver accounts.

But according to the NYT, it’s not just Lyft drivers Uber was targeting; it was passengers, too.

Uber’s “competitive intelligence” team (which, the NYT notes, Lyft has one of as well) collects data on Lyft users to get an overall picture of the competition’s health, and they do that by buying user data from a company called Slice Intelligence.

Slice owns the service Unroll.me, which aims to make out-of-control email inboxes more manageable by handling all those automated subscription blasts you get. It lets you unsubscribe from the ones you don’t want, presents you a digest of the ones you do, and sorts the ones you keep without reading.

That’s not a bad set of features, if the ones your email client has aren’t enough for you. But because the tool is managing your email, it also has acecss to a whole lot of data about you. And because the service is free to use, that data is where the company makes its money.

The NYT’s report that Slice sells aggregated Lyft receipt data to Uber set off a public outcry over the weekend. In response, Unroll.me CEO Jojo Hedaya wrote that he found it, “heartbreaking to see that some of our users were upset to learn about how we monetize our free service.”

The company publishes both its terms of service and its privacy policy for everyone to read and makes you agree to them before you sign up, Hedaya continued, but he’s aware that basically nobody actually reviews either.

“All data is completely anonymous and related to purchases only,” Hedaya ads — although if your purchase is a ride from your home to, say, your doctor’s office, that purchase history can still be more informative to outsiders than you would like.

Uber’s CEO Plays With Fire [New York Times]