Mike Isaac’s profile of Uber CEO Travis Kalanick for The New York Times contains an accusation that, on its face, sounds outrageous:

For months, Mr. Kalanick had pulled a fast one on Apple by
directing his employees to help camouflage the ride-hailing app
from Apple’s engineers. The reason? So Apple would not find out
that Uber had been secretly identifying and tagging iPhones even
after its app had been deleted and the devices erased — a fraud
detection maneuver that violated Apple’s privacy guidelines.

But Apple was on to the deception, and when Mr. Kalanick arrived
at the midafternoon meeting sporting his favorite pair of bright
red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve
heard you’ve been breaking some of our rules,” Mr. Cook said in
his calm, Southern tone. Stop the trickery, Mr. Cook then
demanded, or Uber’s app would be kicked out of Apple’s App Store.

For Mr. Kalanick, the moment was fraught with tension. If Uber’s
app was yanked from the App Store, it would lose access to
millions of iPhone customers — essentially destroying the
ride-hailing company’s business. So Mr. Kalanick acceded.

“Secretly identifying and tagging iPhones even after its app had been deleted and the devices erased” is a rather startling accusation, because it sounds like it should be technically impossible. It’s also very much unclear what information Uber was able to glean from these “identified and tagged” iPhones other than some sort of unique device identifier. Unfortunately, the Times story is very short on details here. But note that the Times is not saying Uber was “tracking” these phones. A lot of people are jumping to the conclusion that Uber was somehow tracking the location of users even after they deleted the Uber app, but the word “track” only appears in the article in the context of Kalanick having “excelled at running track and playing football” in high school.

[Update: This explains a lot, regarding the hubbub today over this story. When first published, the Times story did use the word “tracking”, but a subsequent revision changed that word to “identifying and tagging”.]

Reading between the lines, it is possible — and my gut says quite probable — that Uber wasn’t doing anything on these iPhones other than when its app was installed and running on them. From the end of the article:

The idea of fooling Apple, the main distributor of Uber’s app,
began in 2014.

At the time, Uber was dealing with widespread account fraud in
places like China, where tricksters bought stolen iPhones that
were erased of their memory and resold. Some Uber drivers there
would then create dozens of fake email addresses to sign up for
new Uber rider accounts attached to each phone, and request rides
from those phones, which they would then accept. Since Uber was
handing out incentives to drivers to take more rides, the drivers
could earn more money this way.

To halt the activity, Uber engineers assigned a persistent
identity to iPhones with a small piece of code, a practice called
“fingerprinting.” Uber could then identify an iPhone and prevent
itself from being fooled even after the device was erased of its
contents.

There was one problem: Fingerprinting iPhones broke Apple’s rules.
Mr. Cook believed that wiping an iPhone should ensure that no
trace of the owner’s identity remained on the device.

What Isaac is reporting here doesn’t require any code running on an iPhone other than when the Uber app is itself installed and launched. I’m speculating here, but it could be something like this:

  1. The Uber app, while installed, fingerprints the device somehow, and reports the fingerprint home to Uber’s servers, where it is tied to the user’s Uber account. (All iPhones have a Unique Device Identifier — “UDID” — but Apple banned third-party apps from accessing it in 2012. Uber either found a way to access UDIDs surreptitiously, or created some other way of uniquely identifying devices even after they’ve been wiped. It would be good to know exactly what they did, but for the sake of my argument here it doesn’t matter.)

  2. The Uber app is deleted from the device and/or device is wiped. At this point, Uber knows the fingerprint for the device, but can’t use it to track the device in any way, and they don’t care, because until someone reinstalls the Uber app on the phone it isn’t being used to book fraudulent rides.

  3. The Uber app is reinstalled on the iPhone. When it launches, it does the fingerprint check and phones home again. Uber now knows this is the same iPhone they’ve seen before, because the fingerprint matches. This is the violation of Apple’s privacy policy.

But until step 3, when the Uber app is reinstalled, I don’t think Uber was “tracking” the phone in any way. And they didn’t care — the Times says the whole project was designed to counter fraud in China, which required the Uber app to be reinstalled on stolen iPhones.

Repeating from the opening of the article, Isaac wrote:

So Apple would not find out that Uber had been secretly
identifying and tagging iPhones even after its app had been
deleted and the devices erased — a fraud detection maneuver that
violated Apple’s privacy guidelines.

That sounds like Uber was doing the identifying and “tagging” (whatever that is) after the app had been deleted and/or the device wiped, but I think what it might — might — actually mean is merely that the identification persisted after the app had been deleted and/or the device wiped. That’s not supposed to be technically possible — iOS APIs for things like the UDID and even the MAC address stopped reporting unique identifiers years ago, because they were being abused by privacy-invasive ad trackers, analytics packages, and entitled shitbags like Uber. That’s wrong, and Apple was right to put an end to it, but it’s far less sensational than the prospect of Uber having been able to identify and “tag” an iPhone after the Uber app had been deleted. The latter scenario only seems technically possible if other third-party apps were executing surreptitious code that did this stuff through Uber’s SDK, or if the Uber app left behind malware outside the app’s sandbox. I don’t think that’s the case, if only because I don’t think Apple would have hesitated to remove Uber from the App Store if it was infecting iPhones with hidden phone-home malware.

The article does raise some questions:

  • What APIs and device info were Uber using to identify iPhones? Are these API loopholes now closed in iOS? If we don’t learn exactly what Uber was using to identify devices, we cannot know that the technique no longer works. iOS users should be able to feel confident that when they delete an app, all connections between their device and the developer of the app are disconnected, and that when they wipe a device, everything personally identifying has been removed from it.

  • What exactly did Apple know about Uber’s actions in this regard when Tim Cook called Kalanick in for the meeting? Was Apple aware that Uber was specifically keeping a database of unique iPhone identifiers? If so, how?

  • What prompted Apple to investigate Uber in this regard? And why did Uber suspect Apple was going to investigate, prompting them to geofence their fingerprinting so it wouldn’t trigger in Cupertino? (My theory: the Uber app was calling private APIs, and they used the geofence to avoid calling those private APIs while the app was in App Store review, assuming, perhaps incorrectly, that all App Store reviewers work in Cupertino. App Store review can identify apps that call private APIs.)

  • Update: Why didn’t Apple require Uber to disclose what they’d done as a condition for remaining in the store? Shouldn’t iPhone users who had Uber installed know about this?

[Update 2: Will Strafach examined a 2014 build of the Uber iOS app and found them using private APIs to use IOKit to pull the device serial number from the device registry. There might be more, but this alone is a blatant violation of App Store policy. Strafach confirms that the technique Uber was using no longer works in iOS 10.]


The article also contains this non-Apple-related tidbit:

Uber devoted teams to so-called competitive intelligence,
purchasing data from an analytics service called Slice
Intelligence. Using an email digest service it owns named
Unroll.me, Slice collected its customers’ emailed Lyft receipts
from their inboxes and sold the anonymized data to Uber. Uber used
the data as a proxy for the health of Lyft’s business. (Lyft, too,
operates a competitive intelligence team.)

Slice confirmed that it sells anonymized data (meaning that
customers’ names are not attached) based on ride receipts from
Uber and Lyft, but declined to disclose who buys the information.

This is, needless to say, super shitty. We expect it from Uber. But Slice should be ashamed of themselves. Their Unroll.me service is billed as a tool to “Clean up your inbox” by identifying subscription emails and allowing you to unsubscribe from them in bulk. It’s “free” in the sense that you don’t pay them money, but they’re selling your personal information to companies like Uber. Supposedly that information is anonymized, but wiped iPhones are supposed to be anonymized too, and Uber found at least one route around that.