Uber using ”˜fingerprinting’ to track iPhone users


It’s no secret that Uber isn’t exactly the greatest when it comes to protecting the privacy of customers.

Back in March, we told you that several major security holes were found in newer versions of the Uber app — including unenforced HTTPS connections and data that was being sent unencrypted in some cases!

But now The New York Times reports the company is trying to get its act together to comply with Apple’s privacy guidelines.

Unfortunately, it took Apple threatening Uber with removal from the App Store to get to this point!

Read more: How to protect yourself from Uber’s gaping security holes

Uber plays cat-and-mouse game with Apple over privacy issues

Ever used Uber from your iPhone? Then’s there’s a good chance the ride-hailing company has the ability to know where you are at this very minute — even if you’ve deleted the Uber app!

Uber began using a technology called “fingerprinting” in 2014 to track iPhones in China. The goal was to crackdown on ride fraud. The company wanted to make sure criminals weren’t using stolen phones and stolen credit cards to game the Uber ride incentive system.

In a nutshell, Uber was trying to stop the criminals from creating fake rides in the system and collecting a cash bonus for giving a certain number of rides that never took place.

The fingerprinting allowed Uber to track handsets known to be involved with criminal activity and ban them from getting back into the system.

The only problem was the fingerprints stayed on iPhones even after the Uber app was deleted, which amounts to a violation of Apple’s privacy rules.


Yet Uber still kept fingerprinting iPhones even though it knew doing so ran afoul of Apple rules.

Listen: Clark discusses Uber’s privacy habits on The Clark Howard Show Podcast

In fact, The New York Times reports that Uber’s tech people even put up a “geofence” around Apple’s headquarters in Cupertino, CA., that prevented Apple’s engineers from being able to read the fingerprints left behind after app deletion.

Of course, Uber didn’t geofence every single Apple location around the world, so employees outside of Cupertino eventually detected the fingerprints and therefore knew Uber was flouting Apple’s security rules.

That bit of subterfuge landed Uber CEO Travis Kalanick in front of Apple CEO Tim Cook in early 2015. Cook threatened Kalanick with expulsion from Apple’s App Store if he didn’t knock it off.

The company complied — albeit almost two years later — and has now modified its use of fingerprints to conform to Apple’s privacy guidelines.

“We absolutely do not track individual users or their location if they’ve deleted the app. As The New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users,” an Uber spokesperson said.

But that’s not the end of it. The ability for tracking still exists.

TechCrunch notes that a late 2016 update to the Uber app now allows the company to track users for five minutes before or after a ride. The stated goal is to ensure accurate pickup and safe exit from a ride. Only this time, you have to agree to be tracked by enabling location services.

By doing it this way, Uber is now in compliance with Apple’s privacy wishes.

Don’t like being tracked? Do this

If you don’t like the idea of still being tracked even for just a few minutes, you have the option to turn off the app’s location services permission and type in your pickup location by hand when you need a ride.


Read more: 7 things I wish I knew before I started driving for Uber

Uber scam: What you need to know to protect yourself

  • Show Comments Hide Comments