Mike Isaac’s profile of Uber CEO Travis Kalanick for The New York Times contains an accusation that, on its face, sounds outrageous:
For months, Mr. Kalanick had pulled a fast one on Apple by
directing his employees to help camouflage the ride-hailing app
from Apple’s engineers. The reason? So Apple would not find out
that Uber had been secretly identifying and tagging iPhones even
after its app had been deleted and the devices erased — a fraud
detection maneuver that violated Apple’s privacy guidelines.
But Apple was on to the deception, and when Mr. Kalanick arrived
at the midafternoon meeting sporting his favorite pair of bright
red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve
heard you’ve been breaking some of our rules,” Mr. Cook said in
his calm, Southern tone. Stop the trickery, Mr. Cook then
demanded, or Uber’s app would be kicked out of Apple’s App Store.
For Mr. Kalanick, the moment was fraught with tension. If Uber’s
app was yanked from the App Store, it would lose access to
millions of iPhone customers — essentially destroying the
ride-hailing company’s business. So Mr. Kalanick acceded.
“Secretly identifying and tagging iPhones even after its app had been deleted and the devices erased” is a rather startling accusation, because it sounds like it should be technically impossible. It’s also very much unclear what information Uber was able to glean from these “identified and tagged” iPhones other than some sort of unique device identifier. Unfortunately, the Times story is very short on details here. But note that the Times is not saying Uber was “tracking” these phones. A lot of people are jumping to the conclusion that Uber was somehow tracking the location of users even after they deleted the Uber app, but the word “track” only appears in the article in the context of Kalanick having “excelled at running track and playing football” in high school.
[Update: This explains a lot, regarding the hubbub today over this story. When first published, the Times story did use the word “tracking”, but a subsequent revision changed that word to “identifying and tagging”.]
Reading between the lines, it is possible — and my gut says quite probable — that Uber wasn’t doing anything on these iPhones other than when its app was installed and running on them. From the end of the article:
The idea of fooling Apple, the main distributor of Uber’s app,
began in 2014.
At the time, Uber was dealing with widespread account fraud in
places like China, where tricksters bought stolen iPhones that
were erased of their memory and resold. Some Uber drivers there
would then create dozens of fake email addresses to sign up for
new Uber rider accounts attached to each phone, and request rides
from those phones, which they would then accept. Since Uber was
handing out incentives to drivers to take more rides, the drivers
could earn more money this way.
To halt the activity, Uber engineers assigned a persistent
identity to iPhones with a small piece of code, a practice called
“fingerprinting.” Uber could then identify an iPhone and prevent
itself from being fooled even after the device was erased of its
There was one problem: Fingerprinting iPhones broke Apple’s rules.
Mr. Cook believed that wiping an iPhone should ensure that no
trace of the owner’s identity remained on the device.
What Isaac is reporting here doesn’t require any code running on an iPhone other than when the Uber app is itself installed and launched. I’m speculating here, but it could be something like this:
1. The Uber app, while installed, fingerprints the device somehow, and reports the fingerprint home to Uber’s servers, where it is tied to the user’s Uber account. (All iPhones have a Unique Device Identifier — “UDID” — but Apple banned third-party apps from accessing it in 2012. Uber either found a way to access UDIDs surreptitiously, or created some other way of uniquely identifying devices even after they’ve been wiped. It would be good to know exactly what they did, but for the sake of my argument here it doesn’t matter.)
2. The Uber app is deleted from the device and/or device is wiped. At this point, Uber knows the fingerprint for the device, but can’t use it to track the device in any way, and they don’t care, because until someone reinstalls the Uber app on the phone it isn’t being used to book fraudulent rides.
But until step 3, when the Uber app is reinstalled, I don’t think Uber was “tracking” the phone in any way. And they didn’t care — the Times says the whole project was designed to counter fraud in China, which required the Uber app to be reinstalled on stolen iPhones.
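A toy model of the sequence speculated above, added here as an illustration and not taken from the post or from Uber's code: the only thing that persists across the wipe is the server-side record, and it links accounts only when the reported identifier is hardware-bound rather than reset by the wipe. `Device`, `Backend`, `simulate`, the serial string and the e-mail addresses are all hypothetical, constructed names and values.

```python
import hashlib
import uuid


class Device:
    """Toy phone: one hardware constant plus one identifier that a wipe resets."""

    def __init__(self, serial):
        self.serial = serial                    # burned in; survives every wipe
        self.resettable_id = str(uuid.uuid4())  # regenerated on wipe
        self.app_installed = False

    def wipe(self):
        self.app_installed = False
        self.resettable_id = str(uuid.uuid4())


class Backend:
    """Server side: maps a reported fingerprint to the accounts seen with it."""

    def __init__(self, use_hardware_id):
        self.use_hardware_id = use_hardware_id
        self.accounts = {}
        self.reports = 0

    def on_app_launch(self, device, account):
        if not device.app_installed:
            return None  # no app code runs, so nothing is reported
        self.reports += 1
        source = device.serial if self.use_hardware_id else device.resettable_id
        fingerprint = hashlib.sha256(source.encode()).hexdigest()
        self.accounts.setdefault(fingerprint, set()).add(account)
        return len(self.accounts[fingerprint])


def simulate(use_hardware_id):
    """Return (reports received while app absent, accounts linked after reinstall)."""
    phone = Device(serial="CONSTRUCTED-SERIAL-0001")  # constructed sample value
    server = Backend(use_hardware_id)
    phone.app_installed = True
    server.on_app_launch(phone, "rider-a@example.com")  # step 1: report home
    phone.wipe()                                        # step 2: app gone, device wiped
    before = server.reports
    server.on_app_launch(phone, "rider-b@example.com")  # app absent: no report
    absent_reports = server.reports - before
    phone.app_installed = True                          # reinstall on the wiped phone
    linked = server.on_app_launch(phone, "rider-b@example.com")
    return absent_reports, linked
```

With a hardware-bound identifier the second account is linked to the first on reinstall; with a wipe-resettable identifier the device looks new, which is the behaviour the platform rules are meant to guarantee.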
Repeating from the opening of the article, Isaac wrote:
So Apple would not find out that Uber had been secretly
identifying and tagging iPhones even after its app had been
deleted and the devices erased — a fraud detection maneuver that
violated Apple’s privacy guidelines.
That sounds like Uber was doing the identifying and “tagging” (whatever that is) after the app had been deleted and/or the device wiped, but I think what it might — might — actually mean is merely that the identification persisted after the app had been deleted and/or the device wiped. That’s not supposed to be technically possible — iOS APIs for things like the UDID and even the MAC address stopped reporting unique identifiers years ago, because they were being abused by privacy invasive ad trackers, analytics packages, and entitled shitbags like Uber. That’s wrong, and Apple was right to put an end to it, but it’s far less sensational than the prospect of Uber having been able to identify and “tag” an iPhone after the Uber app had been deleted. The latter scenario only seems technically possible if other third-party apps were executing surreptitious code that did this stuff through Uber’s SDK, or if the Uber app left behind malware outside the app’s sandbox. I don’t think that’s the case, if only because I don’t think Apple would have hesitated to remove Uber from the App Store if it was infecting iPhones with hidden phone-home malware.
The article does raise some questions:
What APIs and device info were Uber using to identify iPhones? Are these API loopholes now closed in iOS? If we don’t learn exactly what Uber was using to identify devices, we cannot know that the technique no longer works. iOS users should be able to feel confident that when they delete an app, all connections between their device and the developer of the app are disconnected, and that when they wipe a device, everything personally identifying has been removed from it.
What exactly did Apple know about Uber’s actions in this regard when Tim Cook called Kalanick in for the meeting? Was Apple aware that Uber was specifically keeping a database of unique iPhone identifiers? If so, how?
What prompted Apple to investigate Uber in this regard? And why did Uber suspect Apple was going to investigate, prompting them to geofence their fingerprinting so it wouldn’t trigger in Cupertino? (My theory: the Uber app was calling private APIs, and they used the geofence to avoid calling those private APIs while the app was in App Store review, assuming, perhaps incorrectly, that all App Store reviewers work in Cupertino. App Store review can identify apps that call private APIs.)
Update: Why didn’t Apple require Uber to disclose what they’d done as a condition for remaining in the store? Shouldn’t iPhone users who had Uber installed know about this?
[Update 2: Will Strafach examined a 2014 build of the Uber iOS app and found them using private APIs to use IOKit to pull the device serial number from the device registry. There might be more, but this alone is a blatant violation of App Store policy. Strafach confirms that the technique Uber was using no longer works in iOS 10.]
The article also contains this non-Apple-related tidbit:
Uber devoted teams to so-called competitive intelligence,
purchasing data from an analytics service called Slice
Intelligence. Using an email digest service it owns named
Unroll.me, Slice collected its customers’ emailed Lyft receipts
from their inboxes and sold the anonymized data to Uber. Uber used
the data as a proxy for the health of Lyft’s business. (Lyft, too,
operates a competitive intelligence team.)
Slice confirmed that it sells anonymized data (meaning that
customers’ names are not attached) based on ride receipts from
Uber and Lyft, but declined to disclose who buys the information.
This is, needless to say, super shitty. We expect it from Uber. But Slice should be ashamed of themselves. Their Unroll.me service is billed as a tool to “Clean up your inbox” by identifying subscription emails and allowing you to unsubscribe from them in bulk. It’s “free” in the sense that you don’t pay them money, but they’re selling your personal information to companies like Uber. Supposedly that information is anonymized, but wiped iPhones are supposed to be anonymized too, and Uber found at least one route around that.