That Story About Uber Tracking People After They Deleted The App? Yeah, That's Not Really Accurate
from the let's-try-this-again dept
Have you heard the story about how Uber was tracking ex-users even after they had deleted the app from their phone? You'd have to be living under a rock to have missed it. It came from a fascinating NY Times profile of Uber's CEO/founder Travis Kalanick and is the opening anecdote, and then it started spreading like wildfire across social media.
Travis Kalanick, the chief executive of Uber, visited Apple’s headquarters in early 2015 to meet with Timothy D. Cook, who runs the iPhone maker. It was a session that Mr. Kalanick was dreading.
For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple’s engineers. The reason? So Apple would not find out that Uber had been secretly identifying and tagging iPhones even after its app had been deleted and the devices erased — a fraud detection maneuver that violated Apple’s privacy guidelines.
But Apple was onto the deception, and when Mr. Kalanick arrived at the midafternoon meeting sporting his favorite pair of bright red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve heard you’ve been breaking some of our rules,” Mr. Cook said in his calm, Southern tone. Stop the trickery, Mr. Cook then demanded, or Uber’s app would be kicked out of Apple’s App Store.
This has created lots and lots of headlines all over the place, claiming that Apple kept tracking ex-Uber users after they'd deleted the app. And some even whining that Apple "let" Uber get away with this with no more than a verbal scolding. The most egregious of these is Andrew Orlowski, over at the Register, who has never found a story about a tech company he couldn't totally misreport to make the company look worse. Here, he claims: Uber cloaked its spying and all it got from Apple was a slap on the wrist. Others just claimed that Uber was "tracking users even after they deleted the app."
Except, if you actually read what the NY Times said, it notes that what the company was doing was anti-fraud detection. Did it break Apple's rules and go too far? Yes, absolutely. Was it bad? Probably. Was it tracking users who deleted the app? No, not at all. Again, there are plenty of legitimate reasons to dislike Uber or to dislike its business practices or its management. But that's no excuse to oversell a story that already looks bad. Uber clearly broke the rules and used a fairly sketchy maneuver to track phones to prevent fraud -- but that's not the same as tracking users who deleted the app. Wired has a pretty clear summary of what actually happened:
Fingerprinting, in and of itself, has plenty of non-invasive uses. Uber, for example, deployed it to help prevent fraud. Being able to identify when a device reinstalls a particular app helps developers spot phones that are, say, bouncing around the black market. In Uber’s case, fingerprinting kept drivers, especially those in China, from gaming a promotion that rewarded them for maximizing ride volume. The company discovered that some drivers were buying stolen phones, creating dummy Uber accounts, and using those phones to call for rides.
When someone uninstalls an app that uses fingerprinting, it leaves behind a small piece of code that can be used as an identifier if the app is ever reinstalled on the device. For the iOS App Store, Apple originally permitted developers to keep track of their users over time using a broad Unique Device Identifier (UDID). Beginning with iOS 5, though, Apple scaled this back, because of the potential privacy implications of giving developers permission to individually ID users even after their app had been uninstalled. Instead, Apple turned to more limited mechanisms, like advertising IDs and vendor IDs. These still give developers the ability to do fraud defense, but with less leeway for potential privacy abuse.
Uber took it one step further, which is to say, one step too far, using application program interfaces designed to access data like an iPhone’s device registry and Apple-assigned serial number.
Again: this is not excusing what Uber did. It clearly broke Apple's rules, and using this kind of fingerprinting can have some problematic consequences for privacy. And, yes, because everything Uber does seems to come included with some secondary component that makes even reasonable actions look bad, the company geofenced Apple's headquarters to try to hide the fact that it was doing this. That seems like a pretty blatant admission that the company knew it was breaking Apple's rules. It just doesn't mean that the company was tracking you after you deleted its app.
I certainly understand that there's a long list of actions by Uber that make people not trust the company. And that's completely valid. But if you're going to attack the company, it should be for the bad actions that the company actually did, rather than the exaggerated and misleading descriptions that start spreading across social media.
Filed Under: deleted, fraud, press coverage, tracking, travis kalanick
Companies: apple, uber
CLickbait
"But if you're going to attack the company, it should be for the bad actions that the company actually did, rather than the exaggerated and misleading descriptions that start spreading across social media."
[ link to this | view in chronology ]
"Non-invasive"
The actions are invasive or not, regardless of the reason behind them. It doesn't matter whether they prevented fraud. That might justify some invasiveness but doesn't nullify it.
[ link to this | view in chronology ]
So, who are we gonna lock up for the fake news spreading around? (just to remind how bad these fake news laws would be)
[ link to this | view in chronology ]
I don't quite understand
But as you pointed out, there are many reasons to dislike them.
[ link to this | view in chronology ]
Re: I don't quite understand
It seems more of a semantic argument. When they say "track" what they really mean is "keep track of" and it's not the USERS but the PHONE ITSELF that they are "keeping track of" via fingerprinting, which was against Apple's ToS and therefore most users assume that it was not being done, therefore it violated their privacy.
I think it goes beyond the semantic argument. There's a wide canyon of difference between "Uber was spying on ex-users" and "Uber had an anti-fraud technique that made sure people weren't gaming their system by deleting the app and reloading it." One looks a lot worse than the other.
But as you pointed out, there are many reasons to dislike them.
Yup. And thus it's completely fair to argue the company deserves no benefit of the doubt. But, silly me, I like to focus on a company's actual actions, rather than the hyped up versions that take things out of context. I understand the anti-fraud argument, though the company should have found a way to do that without violating Apple's ToS.
But the story here should just be Uber's anti-fraud efforts violated Apple's terms, not that it was "tracking users after they deleted the app" which sounds much worse.
[ link to this | view in chronology ]
Re: Re: Re: I don't quite understand
Well, if I understand it correctly, it would only matter if they deleted and then reinstalled the app, and the only thing it would track would be that it was previously installed on that phone. It's pretty limited "tracking".
On the other hand, if I was Apple, I'd ban them forever. Not for tracking users, but for geofencing Apple HQ. That's not something done accidentally.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't quite understand
Yet you concede it is tracking and thus factual.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: I don't quite understand
It also does not "track users after they have uninstalled the app". That is what we call "a lie".
If they reinstall the app, does the system know the app had been installed and uninstalled before? Yup.
So the images of Uber surreptitiously installing a glowing red ball up the noses of users who are simply trying to get their asses to Mars are wholly fictional.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: I don't quite understand
Uber seem to have a lot of other issues worth attacking them for without delving into this kind of pettiness.
[ link to this | view in chronology ]
Re: Re: I don't quite understand
When articles use the words "track" or "tracking" in this context, it is a lie. It could be argued (semantically) that "track" has multiple meanings. However, in this case "track" was deliberately chosen to mislead because, to most people, being told they are "being tracked" implies their location is being reported.
The article writers in The Register, The Verge, and other websites know that most people will not fully read and understand the article to know that, in this case, "track" doesn't mean what they think it does. They know that most people will go away believing it is far worse than it is.
THAT is why it's a lie, even though the semantic meaning isn't strictly untrue. It's a lie because the intent of the authors was to deceive.
It's a bit like when Microsoft accused Google of "Reading" your gmail, which implies actual people snooping through the contents of your inbox. The reality is it means automated scanning (pretty essential for search, antivirus, etc.) which Microsoft's own email services have done for far longer than Gmail has been about.
[ link to this | view in chronology ]
Re: Re: Re: I don't quite understand
You're clouded by your own bias. There is nothing false in the reporting.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't quite understand
This would be the point where you explain why...
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: I don't quite understand
...and pretty much everywhere else if you read the comments there and the opinions stated. But we're wrong here for pointing out the implication that's led to people jumping to the conclusion that it's about location. Got it.
[ link to this | view in chronology ]
Re: Re: Re: Re: I don't quite understand
Yes, the phrasing is technically correct, if you look at it coldly and semantically.
But what is the intent? Do you really believe that these writers, when they used the word "tracking" used it to inform and that there was no intent to mislead their readers into believing this is worse than it is, and to cause outrage based on this?
If you believe that then I have a bridge to sell you.
I should point out I'm not defending Uber here: even if it's not as terrible as most people assume, it still was pretty dreadful.
I'm attacking bad, click-bait journalism that values misleading articles and shock tactics over reporting of the facts. And I get the impression that the author of the article above is too.
Cheers,
Keith
[ link to this | view in chronology ]
Re: Re: Re: I don't quite understand
Let's say you had a friend who has a bad habit of borrowing your stuff and not bringing it back, but he's still your friend.
Now, let's say one day he asks if he can borrow your baseball glove. Knowing the odds you'll ever see this glove again are not great, you take an invisible marker pen - the kind that can only be seen by YOUR OWN super-special blacklight - and write a simple "x" on the back of the glove. You lend your friend the glove.
Years later, you're over at your friend's house, and notice the glove. You remind him that you loaned it to him, and you'd like to have it back. Your friend claims that he got that glove from someone else.
Now you tell him you wrote an invisible X on the glove, whip out your blacklight, and show him the X. You get your glove back.
That's what this is. It's a simple marker that "hey, this phone used to have the Uber app installed" that ONLY the Uber app can read. Yes, technically, someone ELSE could check the phone. They might see a strange little piece of code sitting there - code that means absolutely nothing to them - and with that knowledge, they could do what, exactly? Nothing, that's what.
Like many things related to privacy, this is a case of "privacy for privacy's sake." There is NO way to abuse this. Much like the video game development game which, instead of DRM, punishes you with rampant piracy in-game if you pirate the game itself (or a half-dozen other examples here on TechDirt) this is a problem for the user ONLY if said user is abusing Uber's app in the first place.
Nothing to see here, guys. Move along.
[ link to this | view in chronology ]
It's a shame to see writers stoop to this level to defend corporate surveillance and misconduct.
[ link to this | view in chronology ]
Re:
"Again: this is not excusing what Uber did. It clearly broke Apple's rules, and using this kind of fingerprinting can have some problematic consequences for privacy. And, yes, because everything Uber does seems to come included with some secondary component that makes even reasonable actions look bad, the company geofenced Apple's headquarters to try to hide the fact that it was doing this. That seems like a pretty blatant admission that the company knew it was breaking Apple's rules. It just doesn't mean that the company was tracking you after you deleted its app."
[ link to this | view in chronology ]
Re: Re: Re:
I cannot speak for the previous AC, but it would appear that you did not read the post.
I cannot speak for the previous AC, but my counterpoint would be: what exactly in this article do you consider to be "defending corporate surveillance and misconduct"? IMHO, the article is saying "please be accurate in your attacks on corporate surveillance and misconduct".
[ link to this | view in chronology ]
Re: Re: Re: Re:
The claim that Uber's anti-fraud efforts were not user tracking. Whatever the purported motivations for tracking, it's still tracking. Uber did collect "data like an iPhone’s device registry and Apple-assigned serial number." They used that unique data to re-identify users.
[ link to this | view in chronology ]
Re: Re:
Call Mike whatever you want, but he seems to have a lot more consistency in his views than the AC brigade.
[ link to this | view in chronology ]
I don't think he realizes the amount of damage he and his blind "crusade" alone does to a news outfit already heading in a rather questionable direction...
[ link to this | view in chronology ]
Advertising Tracking ID
[ link to this | view in chronology ]
I am outraged and will never use Uber again!
[ link to this | view in chronology ]
Two news sources that are suspect.
The Register of course, some of their coverage is good, but they do seem to revel in their bad apples. Who knows, maybe they are only click focused?
As to the NYT they have a dingy reputation regarding tech, IMO/experience. They routinely have 'deep' articles on tech issue (the trouble with normally) and while they are biased as expected they also base some of their original viewpoint on a misreading of vital data. As in, nobody in tech thinks that it means what they do. Also they like to use old, and I mean up to a decade old, facts to base their tech industry bashing on.
Of course, the Register takes the prize in this particular misrepresentation of reporting.
[ link to this | view in chronology ]
Re: Two news sources that are suspect.
NYT are relatively respectable, but they're not particularly tech focused, and so are perhaps a little more easily misled.
[ link to this | view in chronology ]
Though I must ask. Normal computers (i.e. Laptops and Desktops, What is traditionally thought of as a computer in the mind of a user.) have loads of software that do this exact thing all the time, so why is this suddenly an outcry when it comes to mobile phones?
A bit hypocritical, don't you think? People will accept it on their computer, but not their phone?
[ link to this | view in chronology ]
Attack for the right reasons
But if you're going to attack the company, it should be for the bad actions that the company actually did, rather than the exaggerated and misleading descriptions that start spreading across social media.
I'm becoming of the opinion that the exaggerated and misleading descriptions are created by people who don't believe that the actual actions are all that bad. If I'm right, that's a problem. It means that the people creating and broadcasting the exaggerations and misleading descriptions don't trust people to make their own minds up.
This is the problem I have with paternalistic authoritarians. They don't know what's best for us. While I'm on the subject, how does that hack Orlowski still have a job?
[ link to this | view in chronology ]
Re: Attack for the right reasons
I asked myself that numerous times in years past, but then I checked here:
https://www.theregister.co.uk/about/company/contact/
According to a Google search, "Executive Editor" basically means he's the boss, sadly. I still go there occasionally, but I back out when I spot his name. Usually not hard, his posts tend to be the ones with comments disabled so that nobody can correct him.
[ link to this | view in chronology ]
I understand why you gave this the headline you did.
I mean... do you see why people (myself included) wonder whether your reporting about Uber is fully neutral? There are probably a half-dozen news stories a day that get a major tech item wrong. And most of them involve something more significant than a downgrade from "shady" to "less shady." But you chose this one. And at its absolute best interpretation, this story still shows Uber doing the thing that is most problematic about Uber - Uber breaking rules/regulations and doing whatever it wants. I'm not saying the correction isn't real - it clearly is - but... so what?
[ link to this | view in chronology ]