Global ride-hailing service Uber is in the middle of a new storm after it came to light that the company bypassed Apple’s device identification rules to track iPhones even after such users deleted the company’s app.
Uber CEO Travis Kalanick was caught by Apple engineers for side-lining Apple’s rules on user privacy, but the company continues to track mobile devices to purge fraud, without disregarding Apple’s rules anymore.
Back in 2014, Uber had a thriving business in China. But while the company kept earning, it also learnt about a large-scale fraud that was taking place at the same time. A large number of stolen iPhones were supposedly being used by drivers to book hundreds of rides and thereby earn incentives from the company without any ‘actual rides’ taking place.
To stem this, Kalanick decided to ‘fingerprint’ handsets to ensure that they weren’t used in such a manner, even if such iPhones were wiped and the apps deleted. As per Apple’s rules, once an app is deleted, owners of the app cannot continue to track users’ location or other data. Uber did, and this prompted a meeting between Tim Cook and Kalanick in February of 2015.
What must have incensed Cook more was the fact that Kalanick decided to geofence Apple’s headquarters in Cupertino, California to prevent Apple’s engineers from finding out about the fingerprinting. Tim Cook did find out, and reportedly served an ultimatum to Kalanick, asking him to cease and desist or the app would be kicked out of the Apple App Store. Uber has since complied and continues to track devices through a mechanism that doesn’t violate Apple’s rules.
“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users,” an Uber spokesperson told TechCrunch.
The reason why Uber’s new practice doesn’t violate Apple’s rules is because it plays by user consent. Based on a user’s consent, Uber can track his location for five minutes after he begins or ends his ride to ensure better pick up locations.
The fact that Uber’s services were misused in China was revealed by a series of incidents in early 2015 when a number of users complained that their Uber accounts were hacked and that they were being charged for rides completed in China where in fact they weren’t in the country in the first place. Uber was also the victim of a gigantic data breach in February of that year, incidentally the same month when Tim Cook met Kalanick, through which names and licenses of 50,000 Uber drivers were stolen and leaked on web-hosting service GitHub. Uber blamed rival ride-hailing service Lyft for the data breach.