This chapter is from the book
This chapter is from the book
This chapter is from the book
Rideshare Apps
Location information is always important in an investigation because an investigator does not just search for incriminating evidence but also needs to identify where a suspect was. As you will learn, rideshare apps, like Uber, contain extensive geolocation data that is easily accessible.
Uber
Uber is a service that enables drivers to act as flexible contractors and provide transportation services that compete with traditional taxi services. Consumers, using the Uber mobile app, can search for a car service in their area. The benefit to the consumer is that they are visually provided with the mapped location of Uber cars in their vicinity and are provided with an upfront quote for a specific journey (or “ride”). Uber operates in approximately 600 cities worldwide. In the past, Uber has received negative press about its geolocation tracking of users, which raised a number of concerns regarding its privacy policies and potentially invasive data collection practices. In April 2017, the New York Times published a story that documented a meeting, at Apple headquarters, in 2015, between Travis Kalanick, CEO of Uber, and Tim Cook, CEO of Apple. The article alleged that Mr. Cook scolded Mr. Kalanick for identifying and tagging iPhones after the Uber app had been uninstalled or the device had been wiped. Apparently, this type of user identity coding violated the Apple developer terms of service agreement.
An article in the New York Times detailed how Unroll.me, which purported to purge your device’s email inbox of annoying advertising messages, was used to spy on competitors. The article documented how Unroll.me would scan a user’s inbox, identify if there were service receipts, from competing companies like Lyft, and then sell that information to Lyft’s competitor—Uber.
Since the introduction of iOS 5, Apple has been limiting app developer access to the iPhone’s UDID (unique device identifier). A notice from Apple stated, “Starting May 1, the App Store will no longer accept new apps or app updates that access the UDID; please update your apps and servers to associate users with the Vendor or Advertising identifiers introduced in iOS 6.” Apple now prefers that app developers utilize the official Apple advertising platform to track app users. Based on Apple’s advertising and privacy policy, it appears that Apple does collect user data and then subsequently shares it with third parties. Nevertheless, developers can obtain extensive information about an app user through the integration of the UIDevice object. The UIDevice object can be used by an app developer to determine the assigned name of the device, device model and iOS version, orientation (orientation property) of the device, battery charge (batteryState property), and distance of the device to the user (proximity-State property). Moreover, developers can integrate code, during app development, for third-party analytics. These third-party companies include Localytics, mixpanel, UXCam, and Fabric. Companies like Apptopia provide app developers with extensive, nay invasive, analytics on competitor apps.
The use of the user UDID has not always been employed for nefarious purposes. However, the UDID was often utilized to identify if an app user was legitimate and could block a customer’s access if an account was compromised or potentially stolen. Fingerprinting is yet another methodology, used by third parties, to uniquely identify users, based on application configuration. Fingerprinting is best known for identifying online users based on user settings from their browser, which may include user cookies and browser plug-ins. The Electronic Frontier Foundation (EFF) created a project known as Panopticlick (panopticlick.eff.org) to raise awareness about how your browser is used by advertisers, and others, to identify and track you on the Web. The EFF announced that 84% of online users can be uniquely identified by their browser.
According to Uber’s user privacy statement, there are two categories of information collected about users: (a) Information You Provide to Us, which can include name, email, phone number, postal address, profile picture, payment method, and (b) Information We Collect Through Your Use of Our Services, which can include location information, contacts, transactions, usage and preference, device information, call and SMS data, and log information. Of particular interest is the device information (hardware model, operating system and version, software and file names and versions, preferred language, unique device identifier, advertising identifiers, serial number, device motion information, and mobile network information). In terms of location information, Uber is not specific about the extent to which the user’s location is being tracked but states that they “may also collect the precise location of your device when the app is running in the foreground or background.” Uber provides more detailed information about the use of location services on its website under iOS App Permissions.
What is interesting is that during our installation of the Uber app, a dialog box appears and states that “Uber collects your location (i) when the app is open and (ii) from the time of the trip request through five minutes after the trip ends”, as displayed in Figure 10.21.
){kind=link}
FIGURE 10.35 Uber dialog box during installation
Uber states in their FAQ that the reasoning behind this data collection is to “improve pickups, drop-offs, customer service, and to enhance safety.” However, users reported seeing the Uber app using location services weeks after the app was used and certainly beyond the stated 5 minutes. Uber responded to these reports blaming Apple’s iOS Maps extension that Uber uses to serve regional maps to their customers.
Perhaps unsurprisingly, Uber has invested heavily in data science to retain its competitive advantage, as evidenced by its aggressive recruitment of data scientists. We also know that Uber extensively uses a telematics pilot program, called Autohawk, to identify the location of its drivers and perform diagnostic testing on the vehicle to ensure passenger safety. In fact, Uber provides geolocation information, provided by its data visualization team, on its website at eng.uber.com/data-viz-intel. Uber integrates both Fabric and Localytics in its mobile app. Fabric provides companies, like Uber, with real-time information about the health of their app. These analytics include application crash analytics. Localytics provide location information.
As of November 2017, allegations abound about Uber’s competitor spy programs. The Waymo v. Uber lawsuit appears to indicate that Uber may have been involved in illegal espionage. A letter, submitted as evidence in this lawsuit and penned by Richard Jacobs, former Uber security executive, details Uber’s illegal practices of hiring actors to collect data and spy on their competitors. In the letter, Jacobs, who at the time had filed suit against Uber in the capacity of “whistleblower”, detailed practices that would lead to the theft of trade secrets related to competitor fares and driver incentives. To settle, Uber paid Jacobs $4.3 million at the time. His allegations have now been made public and have been used in a related case, Waymo v. Uber. In this case, a former employee allegedly sold trade secrets to Uber, prior to the company being acquired by Uber.