Over the weekend, The New York Times reported a damning story that alleged Uber continued to collect and tag users' smartphone data even after the Uber app was deleted. The report came weeks after the Times reported on Uber's controversial "Greyball" program, which allegedly helped the company circumvent regulators and law enforcement.
Outrage in the media and on Twitter naturally followed Sunday's article, but the incident may well demonstrate the complexity of the mobile app space and how a lack of understanding of the technology involved can create a media firestorm around a company allegedly committing privacy violations, even when the company may not be doing so.
In an official statement replying to the Times' report and emailed to Privacy Tech, an Uber spokesperson said, "We absolutely do not track individual users or their location if they've deleted the app. As The New York Times story notes towards the very end, this is a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone — over and over again. Similar techniques are also used for detecting and blocking suspicious logins to protect our users' accounts. Being able to recognize known bad actors when they try to get back onto our network is an important security measure for both Uber and our users."
Many privacy professionals are likely familiar with how the media can sometimes distort news stories into a sort of "techno panic." The recent rollback of the Federal Communications Commission privacy rules serves as one obvious example, where news reports alleged that internet service providers would begin selling users' browsing histories. Of course, this wasn't exactly true. The privacy rules had not yet gone into effect, and most ISPs offer privacy notices that allow some sort of opt-out.
The Uber report appears to be yet another instance where a lack of complete understanding of the technology involved led to misinterpretations in headlines. In fact, as The Daily Stratechery pointed out, the Times silently amended part of the Uber story after it was originally posted. Here's the original paragraph and then their "redlined" version (updates in bold):
The misinterpretation could have had significant consequences for the ride-hailing service, as many Twitter users claimed the story demonstrated that Uber employed deceptive trade practices while tagging regulators such as the Federal Trade Commission and state attorneys general.
This is not to say that Uber is completely innocent, but clearly technology has become so complex that it's easy to distort or misinterpret facts. As the Daily Stratechery pointed out, "Tracking a user's location on an ongoing basis even after the app is deleted is very different from identifying a device (i.e. its universally unique identifier, MAC address, etc.) and thus knowing if the app has been installed previously (with zero tracking of any sort in the meantime)."
This doesn't mean that Uber is off the hook, however. It's facing two new developments that could prove damaging. In fact, the bad news appears to be spreading to the company's business partners. Late Monday, CBS News reported that the same New York Times story implicated Unroll.me, a privacy-touting email service, in the privacy maelstrom. As the report states, "Using an email digest service owned named Unroll.me, Slice [Intelligence] collected its customers' emailed Lyft receipts from their inboxes and sold the anonymized data to Uber. Uber used the data as a proxy for the health of Lyft's business."
The Intercept's Sam Biddle wrote, "Stop using unroll.me right now, it sold your data to Uber." The CEO of Slice, which owns Unroll.me, said, "it was heartbreaking to see that some of our users were upset to learn about how we monetize our free service." The company told CBS News it essentially uses the email metadata to determine if a user is receiving a receipt and from which company.
The Guardian reports that Uber now faces a class-action from a former Lyft driver who alleges Uber created a secret program to spy on rival drivers, a potential violation of federal and state privacy laws. This program, known by some as Hell, allegedly tracked and identified Lyft drivers, "building up profiles of individuals and figuring out who was driving for Uber and Lyft. Uber then prioritized sending rides to drivers who used both apps, hoping to persuade drivers to abandon Lyft."
Uber has disputed these allegations.
Though there is plenty of gray area in the above reports, Uber has clearly pushed the envelope concerning its technology. Privacy pros likely face similar challenges with their organizations as they continue to expand products and services. Making sense of what are legitimately fraud- and privacy-protecting services and what are shady, privacy-violating practices will not always be easy, especially for consumers when media reports misunderstand and misinterpret the technology ecosystem.
Privacy pros may even have an opportunity here. Your own public relations people may need an education on what the organization is doing and how to explain why it isn't privacy invasive and how the privacy team has been involved. Having that message down pat ahead of time could mean avoiding a media maelstrom altogether.
Correction: This article mistakenly reported that Uber owned Unroll.me; it has since been updated at 2:27 pm on 4/25/17.