Apple threatened Uber with iPhone ban over privacy cheat

Chris Davies - Apr 23, 2017, 1:59 pm CDT
0
Apple threatened Uber with iPhone ban over privacy cheat

Controversial tech exec Travis Kalanick was forced into a face-off with Tim Cook, a new profile of the Uber founder claims, after Apple discovered the ridesharing app had flouted privacy rules. Kalanick’s company has repeatedly made headlines over the past year for a number of reasons, ranging from frustrated drivers, arguments with city administrators and legacy cab firms, over-ambitious autonomous car testing, and allegations of harassment in the workplace. Indeed, Kalanick’s ambition almost saw him lose his entire iPhone audience.

The degree to which Kalanick was willing to push his company to the brink is made clear in a new profile of the entrepreneur by the New York Times. It details a reported meeting between the executive and Apple’s CEO in 2015, after Kalanick was forced to answer questions about Uber circumnavigating privacy policies laid down for apps in the App Store. That brought him to Cupertino and a sit-down meeting with Tim Cook.

According to the report, Uber’s engineers had baked a tracking system into the app based on a unique “fingerprint” of each iPhone, which allowed them to continue to identify unique devices even when the software had been uninstalled. Such data could be invaluable to a company specializing in disrupting the transportation business; however, it was also in direct contravention of Apple’s requirements for privacy. Despite Kalanick’s team doing their best to hide it, Apple had discovered the trick.

[Update: Uber PR has pointed out that, rather than tracking the location of devices, the software remembered the individual iPhone; indeed, the NYT piece has been updated to remove mention of tracking and instead highlight the system’s use in fraud detection, albeit still contravening Apple’s policies in the process. Back in 2012, for instance, Apple had warned developers not to use the UDID (Unique Device Identifiers) of an iOS device for tracking purposes]

Cook’s response, it’s said, was blunt. Uber could cease to run its tracking workaround and agree to comply with Apple’s rules, or Apple would simply remove the Uber app from the App Store. Without a foothold in the download store for iOS devices, Uber would effectively be cut off from a huge number of existing and potential users.

While at the time Kalanick backed down, in a statement Uber PR denied using such fingerprinting for nefarious means. According to the company’s version of the story, the system is intended to protect customers from credit card fraud, rather than to track them. Indeed, it argues, it’s common practice for apps:

“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.”

At other times, Kalanick has proved less willing to compromise: at least, not until the very last minute. Another recent example is Uber’s testing with self-driving vehicles, which the company has said will eventually allow it to move beyond human drivers. Unlike such projects from other companies, Uber opted to begin testing first in San Francisco rather than apply for permission, with execs arguing that its trials fitted neatly through a loophole in terminology that meant DMV approval wasn’t required.

Unsurprisingly, California lawmakers didn’t agree, and it was only when they yanked the licenses for Uber’s test fleet that the company conceded. After making a big show of packing up the cars and moving them to Arizona, a state with a more liberal approach to on-road testing, Uber quietly applied for the necessary San Francisco permits. That came just in time for a lawsuit with Alphabet spin-off Waymo, which accused Uber of stealing autonomous car technology.

Although giving users options beyond traditional taxis is Uber’s claimed reason for existing, at times its ambitions ride roughshod over things like privacy. It’s said that Uber purchased data from anonymized Lyft receipts scraped – legally – from the emails of users of the rival service, from a data intelligence firm that operates a free email digest service. Although users may not have realized it, by using that service they also gave the data firm, Slice Intelligence, permission to sell the anonymized contents of their inbox to other businesses.

At the same time, it was trying to evade the eyes of authorities with a secretive tool known internally as Greyball. That allowed different driver locations to be shown to different users, in part as an attempt to undermine attempts to more tightly regulate the startup. However, some Uber drivers also used it as a way to avoid police and other law enforcement.

The lingering question is how much Uber can continue to get away with and still remain standing. According to the NYT, though momentarily cowed by Cook’s ultimatum, the fact that his company made it through to the other side is said to have buoyed Kalanick’s resolve. With numerous lawsuits on the cards, and the #DeleteUber campaign showing no signs of fading, he’ll need as much of it as he can muster.


Must Read Bits & Bytes