At the time, Uber was dealing with widespread account fraud in places like China, where tricksters bought stolen iPhones that were erased of their memory and resold. Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way.
To halt the activity, Uber engineers assigned a persistent identity to iPhones with a small piece of code, a practice called “fingerprinting.” Uber could then identify an iPhone and prevent itself from being fooled even after the device was erased of its contents.
This really doesn't match up with how the conversation/outrage is playing out on Twitter right now. People seem to be interpreting this as "Uber continues to track your location after you have deleted the app," when what really happened seemed to be "If you delete Uber and then reinstall it on the same phone, Uber knows that it's the same phone."
See for example this Tweet, with hundreds of retweets and lots of verified replies:
I'm genuinely curious how that would even work on the technical level. As an app developer, I'm not making the connection here as to how iOS would even allow that.
To me it seems like this is mischaracterized to make it sound worse than it is. Can someone explain why people are making a big deal about this practice?
It's because it's fashionable to beat the horse that Uber is a terrible company led by a terrible man. I personally am no fan of Uber or Travis, but I do get disgusted sometimes when the media hypes certain perceptions to an inappropriate degree.
So by all means continue to investigate the seemingly terrible and anti-women culture and the fraudulent stealing of technology from Google. But like you said, don't mischaracterize other facts to make them sound more terrible than what they really are.
Because it violated their agreement with Apple and accessed private APIs, infringed on user privacy, and they geofenced the behavior to try to sneak it past app review. It's another example of Uber knowingly being evil.
That's true, but there's a bit of live by the sword, die by the sword here. Uber is no stranger to the power of propaganda with their campaigns on the sharing economy, unions, regulations, etc.
But how do you judge Uber if you can't trust journalistic integrity? The very people you trust to think for you are unqualified - which leads me to believe so is your opinion. This seems to be the problem with Fake News.
One of the risks of refusing to talk about services is that you're at the mercy of games of telephone. People describe what you're doing to journalists who carefully dilute anecdotes and details to obscure their exact source. Then you don't comment directly on the system because it's a secret, and here you are.
The problem for Uber is that they /are/ scummy. They proudly bend every possible rule to their advantage. It's easy to believe the worst about them.
The concept of fake news rose from one guy making shit up for ad money. The whole ordeal about how fake news is this sinister plot to disinform is a disinformation effort in itself. There's a big difference between reporting while being misinformed and disinforming to harness views.
What I'm saying is that people doing misinformed reporting causes people to not trust the news at all, and lets cynical people (Trump) label all journalism as fake news.
I think it takes a certain kind of individual to trust everything they read at face value without getting multiple points of view on an issue and researching their own facts. Not saying we shouldn't hold reporters accountable to higher standards, but we live in a time where everything is rushed and pumped out as "content" for ad revenue.
Basically, they created a unique 'fingerprint' of the iPhone. It was unique enough that even if you reinstalled the app, the fingerprint would still be the same. This was done, ostensibly, to prevent people from scamming them by reinstalling the app and coming over as new users? But they already have the phone number, so I don't understand the point.
In the article this is in the context of fraudsters buying used phones to fake rides in China and take advantage of incentive programs to make money. So they want to track these devices as they change hands.
changing "tracking" to "identifying and tagging" and changing "even after its app had been deleted from the devices, violating Apple's..." to "even after its app had been deleted and the devices erased — a fraud detection maneuver that violated Apple's..."
In a really long article like this, which is probably under some time pressure to publish, there are almost always things that seem clear to the author but aren't to the reader. This is a standard clarification bug fix, and the tweets were over an hour after the article was published - enough time to gather feedback and realize the need for clarification.
At least in this instance, the only specific narrative being pumped is the one that journalists are always pumping a specific narrative on touchy subjects.
The tweet responses:
> @MikeIsaac 32 minutes ago
> Since the line about fingerprinting is being misinterpreted(though it is explained later in piece) adding language up top to better explain.
> @MikeIsaac 31 minutes ago
> appreciate Technical community's concerns about how It is presented. Uber was not tracking location after device wipe (which I never said).
> @dangillmor 30 minutes ago
> What exactly were they tracking? Not entirely clear (at least to me).
> @MikeIsaac 29 minutes ago
> ID-ing devices. so if I steal a phone and wipe it, they can still determine I had that phone and used it to defraud uber, using other data
That's a clever media hack. Using provocative headlines and misleading lead to get clicks and shares, but using a separate medium (Twitter) to get away with it.
Clever, but it's disappointing that even NYT is turning into this madness.
They've also updated the article text now: "To halt the activity, Uber engineers assigned a persistent identity to iPhones with a small piece of code, a practice called “fingerprinting.” Uber could then identify an iPhone and prevent itself from being fooled even after the device was erased of its contents."
Note that this was at least 4 hours after the outrage on Twitter started. Seems like a very intentional, well-calculated strategy indeed.
> Note that this was at least 4 hours after the outrage on Twitter started. Seems like a very intentional, well-calculated strategy indeed.
That comment seems a bit disingenuous. i.e. it's entirely possible it takes a journo 20 seconds to post a correction to a Twitter account he/she controls and 4 hours/days/weeks to get his/her editors to sign off on the same correction and the change pushed to the news website.
Large news sites like the NYT have editing procedures and internal hoops to go through. This isn't just Joe Schmo's blog that is updated at a whim. I've written freelance articles with editing periods of months; you can imagine that it's a lot harder when it's news.
Kind of reminds me of the "motte and bailey"[0]. The misleading but technically accurate claim gets all the play and all the reaction. The author goes on Twitter and says "golly gee, I didn't mean for you to take it like that, all I really meant was [much weaker claim that wouldn't have gotten all this attention in the first place]."
The correction bounces around but never takes hold the way the initial claim does and people quietly go on believing their initial interpretation. Sad.
100% sure that all decent banking apps use device fingerprinting. 100% sure that it is not breaking the rules and it is really important that they keep doing it.
While you're right that a lot of FinTech applications do use fingerprinting, it is absolutely against the rules. It's rather annoying from a mobile security perspective but given the rampant abuse of persistent device identifiers on Android, I understand and appreciate Apple's stance here.
> While you're right that a lot of FinTech applications do use fingerprinting
Do they really? [Citation needed] very much here. Which fintech app fingerprints devices? What would even be the point of doing that. You can persist a token in the keychain for that which is enough unless you are devious.
If they're doing this on iOS, which is where it's interesting (in that it violates Apple's policies), they have a perfectly good 2-factor solution already present -- your finger.
The first time you use an app you have to enter your user name and password, and that is stored in the secure enclave that not even the operating system has access to.
When the banking app requests validation, you use your fingerprint to authenticate and the secure enclave sends the username and password to the app. The fingerprint scanner is connected directly to the secure enclave.
When you sell your phone, you go through the process of erasing your phone; the encryption key is destroyed and your fingerprint is no longer valid.
> To halt the activity, Uber engineers assigned a persistent identity to iPhones with a small piece of code, a practice called “fingerprinting.” Uber could then identify an iPhone and prevent itself from being fooled even after the device was erased of its contents.
I also interpreted "track" as "report geolocation data," but that's not what the reporter means, and honestly the reporter's meaning is more consistent with, e.g., "this website is tracking users" or "Do-Not-Track".
What goes around comes around. Reminds me of that time when Uber would issue throwaway credit cards and burner iPhones to people, so that they would order and cancel Lyft rides...
>" Some Uber drivers there would then create dozens of fake email addresses to sign up for new Uber rider accounts attached to each phone, and request rides from those phones, which they would then accept. Since Uber was handing out incentives to drivers to take more rides, the drivers could earn more money this way."
Could someone explain the logic behind how a driver requesting rides benefited them? Did the drivers fake the ride and pay for it themselves? Was there a cash incentive where they were reaping enough to offset paying for the fake rides themselves and profit handsomely? Is that correct?
Yes, in the earlier days in each city, they (just pulling numbers from thin air) do something like pay a minimum $20 for each trip if you complete 5 trips within an hour without cancellation. Helps to kickstart the driver supply.
Interesting and somewhat ironic to think that Uber had to put countermeasures in place against drivers engaging in their own questionable version of "growth hacking."
Give a reference code to your other phone. That phone now has a credit for their first Uber ride or first 20 dollars, something like that. Then take the ride on your driver phone. You get paid from the second phone's credit but don't spend any money yourself.
It was in one of the 10.3 betas but was removed. I don't think it can be deleted reliably without losing data if iCloud keychain is enabled, e.g. another device might still have the same app or share the app group.
Thanks, I just remember that when I stored the items the documentation recommended that one put in the keychain list, then deleted the app off of an actual device for testing purposes and reinstalled the app on that same device, all those items would still be there, so I (wrongly, in hindsight) assumed it was the desired behavior by Apple, otherwise other developers would have complained.
Apple made the standard API return garbage in iOS 6, and the API would probably trigger an analysis error in iTC, so if they were getting the MAC address it was via much sneakier means.
I have heard that it is quite possible. Supposedly if you measure enough characteristics of the phone, the combination of such characteristics is enough to uniquely identify a phone. May be able to poll such information you measure with those measured by other apps.
There are quite a bit of SKUs, but not enough to make the phone unique itself. You'd ultimately need something more special to do so, such as the MAC address.
It's not clear if such code would work today on the latest iOS version, but maybe. They probably used a private API to do so, and that itself was obfuscated in the compiled binary such that Apple's automatic analysis would fail to catch it.
iPhone model (2 orders of magnitude of possibilities)
Device storage -- increases entropy with iPhone model but still not that much
Device name -- easily changeable by scammer, so not enough
iOS version -- changes over time, not great for a long term fingerprint but might help short term
IP address -- short term attribution ok, but not against scammers. People in china have multiple sims very often so even relying on carrier isn't enough
Cell phone carrier -- same as above
Other apps installed -- as of iOS 9 you have to pre-declare what you want to be able to query, and that's subject to App Store review. It does help give a fair bit of entropy. This also can change at any moment. But if you're wiping the device constantly, they might not be installing any apps.
In advertising / web, you want to attribute across sites / installs on a short time basis. You have plugins and their unique version numbers, OS versions and all their attributes, browsers version, fonts installed, etc. Way more variation than iPhones.
To defeat scammers erasing their phone constantly it's actually much harder, and likely needs something a bit more unique.
Each variable you mentioned is not unique, but put them all together and now you are talking. And then apply a heavy dose of statistics and machine learning on top of THAT.
Especially since the behavior/activity of the phone could be suspicious as well.
You also don't need to be 100% accurate all the time. The point is to minimize the damages done to you by scammers, not reduce it to 0 which is impossible.
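The two comments above (the attribute list ending with "likely needs something a bit more unique", and the reply that combining weak attributes plus statistics is what makes it work) can be made concrete with a small calculation. The Python below is an added example, not code from the thread or from Uber: it adds up the entropy of the listed attributes, compares it with the bits needed to tell a population of devices apart, and then scores two observations of a phone for being the same device with a heuristic that weights each attribute by how likely it is to survive a factory reset. Every cardinality, stability prior and sample observation is a constructed assumption for illustration (the "model" cardinality follows the thread's "2 orders of magnitude" remark).

```python
"""Fingerprint entropy budget and wipe-tolerant re-identification sketch.

Added example, not the thread's or Uber's code. All numbers below are
constructed assumptions, not measured figures.
"""
import hashlib
import json
import math

# Assumed number of distinguishable values per attribute (illustrative only).
ATTRIBUTE_CARDINALITY = {
    "model": 100,            # ~2 orders of magnitude, per the thread
    "storage_gb": 4,
    "device_name": 10_000,
    "ios_version": 20,
    "ip_address": 1_000_000,
    "carrier": 5,
    "installed_apps": 50_000,
}

# Assumed probability that an attribute is unchanged after the phone is erased
# and set up again: hardware facts persist, name/IP/app set change first.
WIPE_STABILITY = {
    "model": 1.0,
    "storage_gb": 1.0,
    "device_name": 0.1,
    "ios_version": 0.7,
    "ip_address": 0.1,
    "carrier": 0.8,
    "installed_apps": 0.2,
}


def attribute_bits(name: str) -> float:
    """Entropy of one attribute if its values were uniform: log2(cardinality)."""
    return math.log2(ATTRIBUTE_CARDINALITY[name])


def fingerprint_bits(names=ATTRIBUTE_CARDINALITY) -> float:
    """Upper bound on combined entropy, assuming independent attributes.
    Real attributes are correlated (storage options depend on model), so the
    true figure is lower than this sum."""
    return sum(attribute_bits(n) for n in names)


def bits_needed(population: int) -> float:
    """Bits required to give every device in a population a distinct value."""
    return math.log2(population)


def exact_fingerprint(observation: dict) -> str:
    """Hash of the canonical attribute set; any single change breaks the match.
    This is what an exact-match identifier looks like, and why it fails after a wipe."""
    canonical = json.dumps(observation, sort_keys=True, default=sorted)
    return hashlib.sha256(canonical.encode()).hexdigest()


def match_score(a: dict, b: dict) -> float:
    """Heuristic similarity in [0, 1]. Each matching attribute contributes its
    entropy weighted by its wipe stability, so a shared IP address counts for
    little and a shared model/storage/carrier triple counts for a lot."""
    weights = {n: attribute_bits(n) * WIPE_STABILITY[n] for n in ATTRIBUTE_CARDINALITY}
    matched = sum(w for n, w in weights.items() if a.get(n) == b.get(n))
    return matched / sum(weights.values())


def likely_same_device(a: dict, b: dict, threshold: float = 0.6) -> bool:
    """Decision rule; the threshold trades false accepts for false rejects."""
    return match_score(a, b) >= threshold


# Constructed observations: one phone before and after a factory reset, and an
# unrelated phone of the same model.
BEFORE_WIPE = {
    "model": "iPhone7,2", "storage_gb": 64, "device_name": "Wei's iPhone",
    "ios_version": "10.2.1", "ip_address": "203.0.113.10", "carrier": "CarrierA",
    "installed_apps": {"rideshare", "messenger", "maps"},
}
AFTER_WIPE = {
    "model": "iPhone7,2", "storage_gb": 64, "device_name": "iPhone",
    "ios_version": "10.2.1", "ip_address": "198.51.100.7", "carrier": "CarrierA",
    "installed_apps": {"rideshare"},
}
UNRELATED = {
    "model": "iPhone7,2", "storage_gb": 128, "device_name": "Li's iPhone",
    "ios_version": "10.1", "ip_address": "192.0.2.44", "carrier": "CarrierB",
    "installed_apps": {"games", "banking"},
}

if __name__ == "__main__":
    print(f"combined entropy (all attributes): {fingerprint_bits():.1f} bits")
    print(f"wipe-stable attributes only:        "
          f"{fingerprint_bits(['model', 'storage_gb', 'carrier']):.1f} bits")
    print(f"needed for 10M devices:             {bits_needed(10_000_000):.1f} bits")
    print("exact hash survives wipe:", exact_fingerprint(BEFORE_WIPE) == exact_fingerprint(AFTER_WIPE))
    print(f"score before/after wipe: {match_score(BEFORE_WIPE, AFTER_WIPE):.2f}")
    print(f"score vs unrelated:      {match_score(BEFORE_WIPE, UNRELATED):.2f}")
```

The numbers make the thread's point: the attributes that survive a wipe carry roughly 11 bits under these assumptions, far short of the 23 or so needed to single out one device among ten million, while the full set (about 64 bits) is more than enough but is reset by the wipe. The weighted score bridges the gap probabilistically, which is exactly why the reply says you only need to cut losses, not reach 100% accuracy; the constructed stability priors are where a real system would plug in measured statistics.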
> request rides from those phones, which they would then accept.
Riders and drivers are randomly assigned. I am not sure if you can choose your driver. Not sure if all these drivers in China made a huge group to benefit each other.
It's an APP that has been on your phone at one point. An APP by a company that is peak (maybe valley would be better) SV when it comes to ethical standards. Uber probably has a fingerprinting system that is on par to Google/Facebook and maybe even puts them to shame (maybe paints them in a better light).
I imagine that they wouldn't really have much difficulty tracking you through ad tech, another APP, or some other Cult Of Free system that is willing to sell database access.