Sophos Cloud Optix
When it comes to privacy, folks have learned to watch Uber like a hawk. This turns out to be useful even when Uber (apparently) turns out to be innocent. Case in point: the way Uber’s iOS app (3.222.4 and higher) now requests permission to track your location… “Always”.
“Previously, Uber only collected location information while a user had the app open,” TechCrunch reported late in November. “Now, Uber asks users to always share their location with the ride-hailing company.”
What’s going on here? Uber told TechCrunch: “Even though it can harvest your location constantly while its app is running in the background… it won’t use that capability. Instead, Uber claims it just needs a little bit more location data to improve its service, and it has to ask for constant access because of the way device-level permissions are structured.”
TechCrunch quotes Uber as saying it simply wants five more minutes of tracking before and after your ride. With this info, it can help drivers and riders find each other, and see if passengers are having to cross dangerous streets after drop-off. But, says Uber, app developers can’t ask Apple for “just five more minutes” of access after users close the app: their only option is “always”.
Since those first reports, prominent bloggers Michael S Fischer (HackerNoon) and John Gruber (Daring Fireball) have blogged extensively on this issue. First, Fischer asked Apple to prevent app developers from doing what Uber did: disabling a device owner’s option to provide location access only “when using the app”. Gruber then showed his iOS-using readers how to check the last time Uber tracked them: “Go to Settings → Privacy → Location Services and take a look at the list of apps. If Uber has checked your location recently, an indicator will appear in the list — purple if it checked “recently”, gray if in the last 24 hours.”
Well, it wasn’t long before some of Gruber’s readers started posting screen captures suggesting Uber was checking them out even if they hadn’t requested an Uber in weeks.
So, now what’s going on here? TechCrunch went back to Uber, and here’s what it says: since September, Uber’s app has been capable of integrating with iOS Maps. Using new iOS 10 APIs, Uber can add a handy-dandy Ride button to Maps. Not only can you request your Uber straight from Maps, Apple says that “you can also book and pay for rides… once you’ve ordered a ride, Maps even shows you the driver, the car, and the driver’s current location.”
But for all this to work, says TechCrunch, “location data must be shared” with Maps and whatever third-party apps are running inside it. And when you open Maps, Apple happily shares that tracking info even if you have no intention of ordering a car.
John Gruber suggests that Apple change Maps’ behavior so “extensions only load when you tap the ‘Ride’ tab in Maps” – not every time you load Maps. (Slower, but more private.) Alternatively, TechCrunch suggests a tweak to Apple’s color-coded Location Services Settings so it’s easier to tell which billion-dollar corporation is tracking you. (Of course, with the tracking rights you’ve already given Uber, who’s to say what could legally happen to all the data Apple keeps sending Uber, even after you’re safely across the street and safely inside your destination.) Just another day in this warm, fuzzy 21st century.
Need to tie in Uber, Maps, purchase history, police records, and anything NSA can offer, to help make Santa’s job easier. I mean, who would want a bike if you just bought one, and if your staying at your mom’s house for Christmas, you wouldn’t want him to deliver to your home. Not to mention with the NSA being able to help him from giving naughty people toys….
It certainly makes one believe the truth that UBER is the property of NSA. After all, why would a “taxi company” give a damn what you do after you leave the taxi? It seems the more I read the more “paranoid” I get. Of course, what if it isn’t paranoia at all? Maybe it’s your husband paying UBER to tell him where your boy/girlfriend lives. Maybe it’s the local police tracking your drinking habits, ready to give you that hefty fine or impound your car? Makes one think. Makes one realize that unless I live in the forest without anything that is an object in the Internet Of Things, somemany know too much about me. SOPHOS protects our computers up to a point but there is a big ocean out there that SOPHOS can’t protect us against. To think that for most of us it all started with that innocent “call display” feature in the 1980’s and Steve Jobs’ long distance for free gadget.
Taking Uber’s claim as legit: Why don’t they simply modify their app a bit? [disclaimer: I’ve not used it]
When closing the app, users could approve extended visibility: “Touch [YES] to let Uber remain open for five more minutes…we want to monitor your safety as you leave the drop-off vicinity.” Then when the time expires, the app gracefully–and honorably–exits.
The app obviously must be open while a rider is requesting the ride, so there’s at least a short duration of initial trackable goodness for Big Broth…I mean, Uber. Updated documentation could also urge users to open Uber a few minutes before they need it, which could afford further precision.
If their motives are overt–and their explanations genuine–then this should be easy for them to accomplish a high percentage of the time.