Uber’s not alone in tracking users when apps are deleted

Uber reportedly tagged iPhones with persistent IDs that allowed it to identify devices uniquely after a phone had been wiped and configured from scratch. The company said it was about fraud detection, but its history makes many people dubious, whether that’s true or not.

Bigger issues were raised, however. It’s Apple who discovered the violation of its terms, news about which never appeared until last week. Is Apple acting in our best interests as proprietary and quiet stewards of our identities? This tagging also raises the spectre of a silent ban by app makers, in which consumers could buy a second-hand phone previously employed for fraud that can’t be used ever again with many services.

Let’s start with what happened two years ago, and which would have destroyed Uber’s business.

What’s Uber up to?

The New York Times on April 23 said Travis Kalanick, the CEO of the once-darling of taxi replacements Uber, had been called to Apple in early 2015 to meet with Tim Cook. In the story’s first draft, it was because “Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple’s privacy guidelines.” Change your app, Cook reportedly said, or it’ll be pulled from the App Store.

A few hours later, a revised version of the story appeared. Now it read, “Uber had been secretly been identifying and tagging iPhones even after its app had been deleted and the devices erased—a fraud detection maneuver that violating Apple’s privacy guidelines.”

To be fair, the change isn’t as big as it seems: Uber was tracking iPhones—by their identity, not their location. This detail was explained in depth at the story’s end—along with the detail that Uber knew it wasn’t conforming to Apple’s stance on privacy, because its programmers had used geofencing to block out Cupertino, hoping to avoid Apple’s scrutiny. That failed.

Apple didn’t reply to a request for comment for this column. Uber provided a statement that I’ll get into, but which doesn’t address the geofencing or whether its actions went against the rules of the App Store. Security researcher and entrepreneur Will Strafach posted screen captures on Twitter of code extracted from a 2014 release of Uber’s iOS app that confirmed the claims.

There are so many issues raised by this incident. Should Uber have been bumped from the store, as many iOS developers said smaller firms would have been after the news broke? Should Apple have disclosed this device tagging or required Uber to do so? Was user privacy put at risk? Uber now has a long history of sketchy actions related to our whereabouts and actions, which is not just documented, but for some of which Kalanick has apologized—can its explanation of how it uses device tagging be trusted?

And is it possible that many other developers engaged in similar kinds of tagging without Apple having noticed, or less persistent forms but still beyond user expectations and App Store guidelines?

Fighting fraud

The statement Uber sent to me reiterates the point the Times story tilted towards in its revision and near its end: “…this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts.” The statement didn’t note something mentioned elsewhere: drivers particularly in China coordinated faked rides to obtain bonuses paid out in competition between Uber and Didi Chuxing. (Uber agreed last August to merge its operations with Didi Chuxing.)

Uber also stated, “We absolutely do not track individual users or their location if they’ve deleted the app.” People were suspicious of this claim, because of a change in December 2016 in which Uber continued to track location for up to five minutes after a ride was complete. Shortly after that, it appeared that Uber was tracking all the time, although the company said it was related to Apple’s Maps extensions, which allow third-party apps to add and offer certain kinds of information, but which can be disabled individually.

“Any time they’re breaking the rules—and to be clear, this wasn’t just bending the rules, it was breaking the rules—people assume it was for some reason, often nefarious,” said Greg Leppert, an affiliate at the Berkman Klein Center for Internet and Society at Harvard, and a software and services entrepreneur himself.

However, Uber’s assertions make logical sense. First, without having an app installed, Uber would need to have some other mechanism in place that would regularly provide them with information. That could be a secret partnership or ownership of another commonly used app, or arrangements with advertising networks to feed location. The former would be difficult; the latter would require associating users, ads, and location together in a useful-enough way to pass on, regulatory and other issues aside.

And Uber is obviously the constant victim of fraud, as are people whose credit-card numbers and Uber account credentials are stolen. A single iPhone that cycles through various scams related to Uber could cost the company hundreds to thousands of dollars, depending on how long it’s in use.

It’s also hard to see how Uber benefits outside of noticing fraud when a user uninstalls and later reinstalls the app. The user might use a different email address, but there are other markers, including their typical locations for pick-up and drop-off, that likely are just as easy to associate.

Apple barred the use of a built-in unique device identifier, the UDID, in May 2013 from new or updated apps, and later prevented that code from being read by an app in any fashion. Other potentially unique IDs, like the cellular IMMEI, are blocked as well. Apple doesn’t mention policies around this in its App Review Guidelines, but it does cover it explicitly in the developer program license agreement: “Further, neither You nor Your Application will use any permanent, device-based identifier, or any data derived therefrom, for purposes of uniquely identifying a device.”

Leppert said, “It’s probably a fair assumption that they are still doing it, but they are probably doing it in ways that are compliant with Apple’s guidelines, and probably a little less” reliable than pulling a device ID.”

There’s a worry here, however: “The idea that the user through legitimate means could end up with a tainted device,” Leppert noted. If Uber is part of the critical infrastructure, “this puts me at a severe disadvantage.” Uber didn’t disclose until now that it was tagging devices and seemingly has no appeals banned phone.

Is Uber alone?

It would be naive to assume Uber was the only company that created a UDID replacement, however accurate it was. If it’s possible for one development team to do it, others would as well. The fact that there’s been no widespread removal of apps for this reason, other leaks about similar threats from Apple to pull apps, or broad chatter makes it seem like it’s either below Apple’s radar (though perhaps about to change due to the attention from this article), or ineffective.

One developer pointed me to an open-source library of iOS code that provides persistent user identification, even when an app is deleted and later reinstalled in a number of cases, and that many apps use. I asked Apple if the library conforms to its rules, and didn’t get an answer.

But that library doesn’t survive wiping an iPhone and setting it up from scratch; it only persists with a restore that includes the secure keychain.

And one of the techniques for persistence between delete and reinstall, storing items in the secure keychain, will disappear soon. This seemed to be a flaw, not a feature, that a deleted app’s keychain items would remain. A beta of iOS 10.3 deleted these items when removing an app, but it’s not clear that was rolled out yet in the 10.3 release tree.

Leppert noted that of all the assumptions made about Uber’s behavior, few were raised about Apple’s. “We’ve all defaulted to thinking they’re in our best interests,” he said. He suggested that given Apple didn’t disclose Uber’s transgressions despite holding a guillotine over Uber’s neck, it’s worth giving Apple a hard look as well.