Uber Tried To Hide Its Secret IPhone Fingerprinting From Apple (cnbc.com) 115
theodp quotes today's New York Times profile of Uber CEO Travis Kalanick:
For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple's privacy guidelines.
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."
The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
Uber told TechCrunch this afternoon that it still uses a form of this device fingerprinting, saying they need a way to identify those devices which committed fraud in the past -- especially in China, where Uber drivers used stolen iPhones to request dozens of rides from themselves to increase their pay rate. It's been modified to comply with Apple's rules, and "We absolutely do not track individual users or their location if they've deleted the app..." an Uber spokesperson said. "Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."
The article offers a longer biography of Kalanick, who dropped out of UCLA in 1998 to start a peer-to-peer music-sharing service named Scour. (The service eventually declared bankruptcy after being sued for $250 billion for alleged copyright infringement.) Desperately trying to save his next company, Kalanick "took the tax dollars from employee paychecks -- which are supposed to be withheld and sent to the Internal Revenue Service," according to the Times, "and reinvested the money into the start-up, even as friends and advisers warned him the action was potentially illegal." The money eventually reached the IRS as he "staved off bankruptcy for a second time by raising another round of funding." But the article ultimately argues that Kalanick's drive to win in life "has led to a pattern of risk-taking that has put his ride-hailing company on the brink of implosion."
Re: (Score:2)
Re: This article would have been nice two days ago (Score:2, Informative)
You don't already assume your smartphone is being fingerprinted and tracked?! That's the first thing anyone using such a device should assume.
Re: (Score:1)
assume your smartphone is being fingerprinted and tracked
It's totally wrong. I do not think Uber should be allowed a free pass just because you say we should assume everybody else it doing it. Anybody who does this is wrong. It's wrong and Uber is wrong.
Uber stepped in it and you want me to think: "oh well. that's the way life is".
Uber is trying to enter my city. If they do, I will not use their service because their app is intentionally broken. I will advise people I know not to use Uber until they answer to how they will fix this and remove all the silent track
Re:This article would have been nice two days ago (Score:4, Interesting)
Worried about what they are seeing you do, then let them see a whole bunch of stuff you do not do, why try to steam the flow of your privacy when you can deluge them with a flood http://www.cs.nyu.edu/trackmen... [nyu.edu] and https://adnauseam.io/ [adnauseam.io]. I am also thinking email games might be interesting to floor every possible channel with useless information, even all the spy vs spy stuff. Say an email game where one side plots to assassinate the president of Ameriganislav and the other plays as agents, trading emails with plots and encryption for the other side break, when side plotting the assasination and the other side trying to foil the plot a game to punish the professionally paranoid illegally spying on everyone with a flood of suggestive data to poison spy data bases, the game run from a web site.
So as many way as possible to generate false data at many, many mutliples of real data generated. A personal profile made totally meaningness and as a bonus the more you generate the more they must spend to store it. Double their data storage bill, triple it, how about increasing storage requirements hundreds of times over. Think of all the time, you are not on there internet but your computer could be, generating volumes of false empty data, hundreds of thousands of web visits you never went to, hundred of thousands of searches you never did, emails you never sent, your computer and software flooding marketers with empty data they have to pay to store.
Re: (Score:2)
Yeah, it's too bad, there is a first-time Uber promo code that is worth about $20 that you can google for, but the app won't accept it now that you've already registered. They probably remember a hashed version of your phone number, credit card number, and the id of your phone.
There is probably still the $50 promo code from Lyft, but unlike Uber's promo code, the Lyft promo code can only be used $5 at a time (in other words, you have to use it 10 times if you want to use it all). The Uber code, on the other
Re: (Score:2)
put the phone under a car tire. problem solved.
Just book a 12 inch journey on Uber
CEO needs to go (Score:1)
The Uber CEO needs to go. He's what's keeping Uber from being great.
Re: (Score:2)
Well, Larry Ellison is a bastard. So was Steve Jobs. Being a bastard surely doesn't make you successful, but it probably helps some times. I'm guessing the trick is knowing when not to be yourself.
Re: (Score:2)
Uber's CEO was replaced a couple of weeks ago. This is old news.
This particular incident was actually in 2015.
Re: (Score:1)
Uber's CEO was replaced a couple of weeks ago.
Kalanick named himself as his replacement. You had to read the stories really carefully.
Re:CEO needs to go (Score:5, Insightful)
The Uber CEO needs to go. He's what's keeping Uber from being great.
From what I hear about Uber, it seems they in so many ways act and think like criminals, but manage to keep just on the legal side of the law. Mostly. That said, though, they are just an extreme example of all the worst aspects of capitalism: the underhandedness, the ethos that says 'if we can get away with it, it must be OK', the lack of genuine care and consideration for their employees, customers and society, the sense of entitlement take what they want no matter what.
It is really sad, I think - there is a good kind of capitalism, where a clever, hardworking man or woman can grow a business from little more than their own abilities and determination, but the whole concept gets a grubby taint from the likes of Uber.
Re: (Score:2)
The Uber CEO needs to go. He's what's keeping Uber from being great.
From what I hear about Uber, it seems they in so many ways act and think like criminals, but manage to keep just on the legal side of the law. Mostly. That said, though, they are just an extreme example of all the worst aspects of capitalism: the underhandedness, the ethos that says 'if we can get away with it, it must be OK', the lack of genuine care and consideration for their employees, customers and society, the sense of entitlement take what they want no matter what.
It is really sad, I think - there is a good kind of capitalism, where a clever, hardworking man or woman can grow a business from little more than their own abilities and determination, but the whole concept gets a grubby taint from the likes of Uber.
Well said.
And in future people may more often look to work for their sense of purpose in life, the place where they can build their character and compassion along with building their career. So "play fair" will be all the more important.
FTFY (Score:4, Funny)
"has led to a pattern of risk-taking that has put his taxi company on the brink of implosion."
There. FTFY.
Re: (Score:2, Insightful)
taxi company
There. FTFY.
Nope. Uber is very scummy, but still worlds above any taxi company. Those bastards need to die.
Re:FTFY (Score:5, Insightful)
Yes, the horrors of having professional drivers who make a living wage, don't have to pay for maintenance on the cars they drive, and who carry hundreds of thousands in passenger insurance as opposed to the $25,000 you can count on from your Uber driver's All State policy. Horrors, I tell you!
Re: (Score:2)
What $25k All State policy? You mean the one that doesn't cover commercial activities and so wont pay out?
Re: (Score:1)
Re: (Score:2)
You could have said "I have anecdotes and suffer from confirmation bias" and made the same point with fewer words. Efficiency man, efficiency...
Re:FTFY (Score:4, Insightful)
Uber tries to hide just about everything (Score:5, Funny)
Re:Uber tries to hide just about everything (Score:5, Funny)
. . . they are certainly doing extremely well at hiding their profit.
Re: (Score:2, Troll)
Really? I was going to say that hearing Uber is doing something unethical is like hearing that Trump is doing something that contracts a promise he previously made -- not newsworthy anymore.
They simply remember your UDID (Score:5, Insightful)
The *tracking* is based on Uber saving device UDID, so that they know who you are even if you later reinstall the app and use a different account. While Uber is evil in many ways, this UDID "tracking" is not what the article makes it appear - Uber certainly cannot "track" anyone in any way once their app has been removed.
In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.
This also smacks of those scaremongering sites that start with a banner like "Your computer is broadcasting a unique IP address" and lead to hard sell of overpriced VPN service or bs apps to "hide your IP".
Re: (Score:1)
And if you install the app on a used/resold device?
Re: (Score:2)
Does iOS make the actual MAC address readily available to the application layer?
Knowing Apple I would have thought the MAC address would be abstracted, with iOS providing apps access to the TCP/IP stack a lot closer to the top. I haven't programmed an iOS app though so I wouldn't know for sure.
Re: (Score:2)
Re: (Score:2)
OK, the randomised MAC is what's presented to a wifi hotspot: a layer 2 device which definitely won't work without a MAC address to send traffic to.
Assuming the randomised MAC is also being sent to layer 7 / the application layer of actual apps on your phone, it's not the hardware MAC address of the phone and isn't traceable is it?
Re: (Score:2)
They randomize only the MAC address that is used on beacon frames. Once connection is established, the MAC address is the actual permanent address of the device. Users would not be able to use most WiFi hotspots that authenticate them based on the device MAC, if it changed every time.
Re: (Score:1)
Re: (Score:2)
Yes, they do. It's a basic Unix API, and it must be present because plenty of things need it to work.
Re: (Score:3)
Re: (Score:3)
Does iOS make the actual MAC address readily available to the application layer?
You can read it here [apple.com] on the "Deprecated APIs" section.
In iOS 7 and later, if you ask for the MAC address of an iOS device, the system returns the value 02:00:00:00:00:00. If you need to identify the device, use the identifierForVendor property of UIDevice instead. (Apps that need an identifier for their own advertising purposes should consider using the advertisingIdentifier property of ASIdentifierManager instead.)
Re: They simply remember your UDID (Score:2)
Yeah the NY times article was scaremongering and partially wrong but the 'bad' thing Uber did here was break the Apple TOS which say developers should not be fingerprinting users devices.
You're supposed to be able to install an app, uninstall it and then the next time you install the same app the company has no idea it is a second installation.
Apple have tried to give each app a new unique udid, unlike the old days of iOS where everyone read the same UDID
Re: They simply remember your UDID (Score:5, Funny)
Who would have ever thought that a company founded on the principle [sic] of breaking the law in multiple jurisdictions would ignore and circumvent the terms and conditions, to which they agreed, of an entity with which they do business. Whodathunkait.
Re: (Score:2)
>Who would have ever thought that a company founded on the principle [sic] of breaking the law in multiple jurisdictions would ignore and circumvent the terms and conditions, to which they agreed, of an entity with which they do business. Whodathunkait.
They're adding functionality that Apple refuses to do. If you cheat in a Steam game, your device and account gets banned. On iOS, apparently, you just uninstall and reinstall and then you can fraudlently order cars all over again.
Might violate the Apple TO
Re: They simply remember your UDID (Score:4, Insightful)
They're adding functionality that Apple refuses to do.
Apple refuses to do it for a valid reason, and I see Apple as the ethical winners here. If Uber is experiencing a high rate of fraud, that's a business process problem that needs to be addressed within Uber's own internal systems. Considering Uber can afford a "competitive intelligence" team that buys and crunches data about Lyft, and they can afford to develop "Greyball" deception tools to evade law enforcement, they should also be able to afford a couple of employees to build some better fraud detection into their signup process. A little less offense and a little more defense might be a rewarding strategy.
Thousands of other companies conduct business via iOS apps without resorting to breaking the rules. Uber is showing once again that they don't give a fuck about the rules, and that puts them squarely outside of the "ethical right."
Re: (Score:1)
I don't get it! Why should they? Isn't it up to the owner of the phone to protect their property, not the property's manufacturer?
Re: (Score:3)
Actually Apple had that ability. The removed it in iOS7 because developers were abusing it for... tracking purposes. They were sending the device unique IDs to advertisers and giving advertisers a per-device view into everything - location information (if allowed), system informat
Re: (Score:1)
Re:They simply remember your UDID (Score:5, Informative)
In fact, I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.
MAC Address is no longer available since iOS 7. You can request it, but you'll get the same fake value of 02:00:00:00:00:00 on every iPhone. UDID is not available, either.
There's IDFV, the Identifier For Vendors, which is different for each vendor on the phone, and gets reset if you remove all the apps from that vendor on the phone. (That is, two apps from Google will see the same IDFV, but a different one from the one Facebook sees.)
Then there's IDFA, the Identifier for Advertisers, which the user can reset at any time via system settings, and which Apple will reject your app for if they catch you using it for anything other than ad-tracking.
The end result is that there is no longer any stable cross-app identifier that survives app uninstalls and user attempts to avoid tracking, by explicit design.
Re: (Score:2)
Then there's IDFA, the Identifier for Advertisers, which the user can reset at any time via system settings, and which Apple will reject your app for if they catch you using it for anything other than ad-tracking.
And every time I submit an app, they threaten me personally with all kinds of nastiness if the app does anything with the IDFA that it shouldn't. I'd say they take this seriously. And I'd say that if I worked for Uber (which I probably wouldn't), I would _not_ be the one submitting apps.
Re: (Score:2)
This is not correct - getifaddrs() is available and works. As a case in point, an app I am familiar with that is still used on current versions of iOS (though no longer in appstore) is able to get MAC address on current devices.
Re: (Score:2)
Re: (Score:2)
There is a new thing - a device specific identifier for a vendor. That is a unique code identifying your phone _to one application_. And this
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
I am not sure why go to such great lengths to obtain UDID when device MAC address is readily available (and must be for variety of software to work) and globally unique.
MAC address are easy to change, and don't actually have to be globally unique. That may be why they don't want to use them -- too easy to to bypass that sort of check.
MAC addresses only have to be unique at layer 2 of the OSI model (essentially, this means they only have to be unique on your local ethernet or wifi network). You and I can have the exact same MAC on our devices without causing any problem at all as long as we don't both directly connect to the same LAN at the same time.
Re: (Score:2)
If Uber breaks the law, and only Lyft hears it, has it made a sound?
Re: (Score:3)
I'm glad that the vigilance of the media compels Uber to work harder to be a scrupulous and ethical company, but the series of critical stories seems a bit like a negative campaign or mob mentality dog-piling, without noting how Uber continues to improve the lives of millions (by increasing the efficiency of people traveling between places, and improving rider experience (with driver ratings, and full routes and driver info indicated in receipts, and tracking drivers for accurate pick-up estimation), reducing drunk-driving rates because of truly convenient service).
I feel like the overwhelmingly positive aspects of Uber are not often part of the commentary, and so these revelations often seems to be considered without a reasonable sense of overall perspective.
I'm sure there's some level of astroturfing going on, after all Uber does have enemies, but I think there's also a lot of fire to go with this smoke.
The thing to realize with Uber is that their business is built on breaking the law, specifically Taxi regulations. Now you can make defences for their strategy and the unethical nature of taxi regs, but when your business is built around breaking rules it gets baked into your company's DNA.
Uber is going to keep committing ethical missteps because it's a company
Re: (Score:2)
breaking rules is fine as long as the reward exceeds the penalty.
The word you're looking for is 'capitalism'.
Re:I still LOVE Uber (Score:4, Interesting)
breaking rules is fine as long as the reward exceeds the penalty.
The word you're looking for is 'capitalism'.
I guess so, though I think the real issue is that business people basically think of these laws the same way a hockey player thinks about the rules of hockey. Sure, you're not supposed to hook another player, but you're going to end up hooking sometimes because that's how the game goes, and sometimes even if you're caught the reward is big enough that it's considered a "good penalty". In this context people like Kalanick are basically hockey pests, people who succeed by their ability to skirt as close to the edge of the rules as possible.
Or perhaps they think about things like fraud, false advertising, and ripping off employees the way we think of traffic violations. You're not supposed to speed, but everyone does it to some extent.
I'm not sure what has to be done to make politicians and companies take law-breaking companies seriously, but it doesn't seem to be happening.
Re: (Score:2)
I'm glad that the vigilance of the media compels Uber to work harder to be a scrupulous and ethical company
Uber has exactly the same interest in being a scrupulous and ethical company as it has always had: zero. The only ethical way to deal with a company like Uber is to refuse to do business with them.
Who is surprised by this? (Score:1)
A taxi company, whose business model is entirely based on breaking laws, violate the rules of another company. Is anyone surprised?
Next up: Drug traffickers speed and run red lights.
Re: (Score:2)
Re: (Score:1)
Next up: Drug traffickers speed and run red lights.
Only if they are stupid or want to get caught.
Re: (Score:2)
This is what should have happened when cook met with him. Cook should have said, you broke the rules, the app is no longer on iphone. The problem with the uber guy is his go to method is break the law. Be it taxi regs, IRS regs... Lately he has enhanced his methods to actively avoid detection. In apple's case, he used geofencing so apple corp did not see the code, which sounds a little like the VW thing on emissions testing. Uber also was detecting when law enforcement was requesting rides, don't remember w
Re: (Score:2)
This is what should have happened when Cook met with him.
Actually, what should have happened is that Cook said: Look, not only did you break our app store rules, but you actively added code to keep is from detecting it. So your app is rejected, will be removed from everyone's phone, your developer account is closed, and you won't be allowed to create a new one.
example (Score:4, Interesting)
Uber is actually a good example of what's going wrong with the world: They are openly criminal and it works. It's Al Capone all over again. Everyone knows what they are doing, but they're too slippery to be nailed.
Same with the tax evasion of multinational cooperation, wars based on invented bullshit, election frauds done almost openly (like in Turkey), and so on.
Minority Report may have been on to something: The legal system working after the fact, and with a delay often measured in years, does not deter criminals. If you can take over a country, or become a billionaire, the threat that ten years from now they might file charges which your $1000/h lawyers will then simply drag through the courts for twenty years - well, that is not a very threatening thing especially for people trained to think primarily about next quarter.
Re: (Score:2)
Which part of "charging them in a legal system that operates on the timescale of years when their personal success depends on quarterly results" wasn't clear ?
Re: (Score:2)
I didn't say it was right, I said it was on to something.
When prosecution doesn't work as a deterence - and it obviously doesn't in high-stakes white collar crimes - then prevention needs the be stronger.
This could very well take the form of pre-crime investigations. I'm against imprisoning someone for something they didn't (yet) do. But why is it that police has to wait until a crime has been committed before they can even begin looking?
I was in this position once. Someone tried to run a common scam on me
Red Swoosh is Bittorrent with its own trackers (Score:2)
Red Swoosh is just Bittorrent with its own, private trackers.
$19M was a really low price. Akamai got a great deal on that technology.
Re: (Score:2)
Donald Trump? Is that you?
Re:Still better than taking the bus! (Score:4, Funny)
Is this Fox News or Info Wars? No, so no it isn't Trump. p.s. The fact that this site has text on it should have given it away as well.
It's Mike Pence. He's worked out that Slashdot is the one part of the internet where he can guarantee he won't end up talking to a woman.
Re: (Score:2)
what is it with black people and the bus stop?
It's a convenient way to avoid people like you.
Re: (Score:1)
It's where they pick up capital letters. You know, because they aren't red neck pieces of shit who cannot understand how fucking English is written after at least two decades of daily exposure.
It's not just rednecks who can't speak or write English well. Plenty of supposedly educated people can't write English
well. I see it every day on Slashdot, and in many other places which supposedly are frequented by "intelligent"
people.
Aside from that, there's plenty you don't know. Rednecks are not all stupid whether they can use English properly or not. Spend some time around them and you will realize this is true. If civilization collapses many ( most ) rednecks will know how to hunt for food and thus be
Re: Still better than taking the bus! (Score:1)
SJW. .. for the longest time i thought this was Single Jewish Woman , like in the personals at the back of NYRB.
Now I find it's Social Justice Warrior, derogative ironically?
Re: (Score:2)
Anybody who played Wolfenstein 3D and Doom knows that BFG stands for 'big fucking gun.' Amazing that Disney made a whole movie about those guns, and for a childrens audience, too!