In 2014, Uber was discovered to be blocking authorities from seeing its cars in order to evade regulations or bans in a series of locations including Paris, Las Vegas, China and South Korea. In 2015, Apple found out Uber was also breaking its iOS developer rules by identifying users’ devices by hardware ID. The company nearly had its app kicked out of the App Store because of this.
A new report by Mike Isaac for The New York Times profiled various high-risk gambles taken by Uber’s chief executive Travis Kalanick. The report was a follow-up to an earlier article, released in March, that specifically detailed the “Greyball” evasion software Uber created to fool authorities.
Isaac noted that in early 2015, Uber was summoned to Apple’s offices for violating Apple’s privacy guidelines. Uber’s goal had been to block fraudsters from creating multiple fake accounts on the same iPhones in order to collect new account bonuses.
However, Uber attempted to do this by collecting the UUIDs (essentially a unique hardware serial number) of iOS devices that had installed the Uber app. Apple has worked to prevent its app developers from accessing this information or collecting it. It is not illegal to do this on Android, where there are far fewer restrictions on collecting data from or about users.
Once Apple found out about Uber’s activity, Apple chief executive Tim Cook brought Kalanick into his office and reportedly stated, “So, I’ve heard you’ve been breaking some of our rules,” and threatened to block Uber’s app from the iOS App Store unless the company backed down. Uber heeded Apple’s demands.
While Uber’s behavior on iOS was reported as “tracking,” what it was really doing was collecting identifying hardware ID numbers, so that even if a user deleted the Uber app or reformatted their device, Uber could later identify the device as having been previously used by the Uber app.
Uber has issued a direct response to the issue, maintaining that its staff does not track individual users after they have deleted the app.
“We absolutely do not track individual users or their location if they’ve deleted the app. As the New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users’ accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users.”