Uber responds to report that it tracked devices after its app was deleted

Uber tracked former users even after they deleted the app from their iPhones, a practice that eventually earned CEO Travis Kalanick a scolding from Apple chief executive Tim Cook, the New York Times reports. Uber is pushing back on the allegations, saying that the tracking is a common industry practice used to prevent fraud and account compromise.

Uber allegedly used a practice called fingerprinting to track devices after the app was deleted. Uber reportedly began fingerprinting iPhones as a fraud-prevention method in locations like China. Drivers there would register multiple Uber accounts on stolen iPhones and use them to request rides, thereby boosting the number of overall rides — a metric that Uber rewards with bonuses.

Apple previously allowed developers to track their users with a Unique Device Identifier, or UDID. This kind of tracking was persistent across installs, but as Apple became more concerned with user privacy, it deprecated UDIDs in 2013. Apple replaced UDIDs with other variants of trackers that are designed to be less intrusive, including vendor IDs and advertising IDs. It’s not clear how Uber fingerprinted the devices in 2015 that led to the meeting between Kalanick and Cook.

Will Strafach, the president of Sudo Security Group, analyzed a version of Uber’s app from late 2014 and discovered code that he says reveals how Uber tracked its users’ devices.

“They were dynamically loading IOKit.framework (a private framework), then dynamically loading some symbols from it to iterate through the device registry (also very much forbidden). They have code to nab a few things from the registry, but the only persistent identifier they actually use appears to be the device Serial Number,” Strafach told TechCrunch in an email. “I believe that in iOS 9 and beyond, this is blocked by the iOS sandbox. Just to clarify, this also shows the initial concern of ‘tracking after uninstall’ was bad phrasing. The case here is tracking between uninstall/reinstall, which is still a privacy violation as Apple forbids this kind of tracking (that is why they removed the APIs for getting device UDID).”

In order to prevent Apple engineers from discovering the fingerprinting, Uber allegedly geofenced Apple’s Cupertino headquarters to hide the code used in the process. But Apple engineers based in other offices discovered the trick, according to the New York Times and confirmed by TechCrunch, leading Cook to summon Kalanick to his office in early 2015.

Cook reportedly told Kalanick, “I’ve heard you’ve been breaking some of our rules,” and threatened to yank Uber from the App Store if it didn’t stop tracking iPhone customers. Kalanick reportedly complied.

However, Uber told TechCrunch that it still uses a form of device fingerprinting in order to detect fraudulent behavior. If a device has been associated with fraud in the past, a new sign-up from that device should raise a red flag, an Uber spokesperson said. Uber suggested that the practice of fingerprinting was modified to comply with Apple’s rules rather than discontinued altogether.

“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users,” an Uber spokesperson said.

The New York Times also reports that Uber purchased Lyft rider receipts from an intelligence firm. The company partnered with a firm called Slice Intelligence to do research on Lyft customers. Uber reportedly purchased Lyft users’ ride receipts from Slice, which the company accumulates through an email digest service it owns, in order to study its competitor’s business.

In late 2016, nearly two years after Kalanick’s sit-down with Cook, an update to Uber’s app allowed the company to begin tracking its customers’ locations even when they aren’t using the app. Uber said that it would only track users for five minutes after they begin or end a ride in order to ensure a more accurate pickup location and a safe exit from the vehicle after the ride. This tracking relies on user consent — an Uber customer has to enable location services for the app — and is in line with Apple’s developer rules.