Mike Isaac’s profile for the New York Times of Travis Kalanick includes some fascinating reporting, but little more is as shocking as the opener:
Travis Kalanick, the chief executive of Uber, visited Apple’s headquarters in early 2015 to meet with Timothy D. Cook, who runs the iPhone maker. It was a session that Mr. Kalanick was dreading.
For months, Mr. Kalanick had pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple’s engineers. The reason? So Apple would not find out that Uber had secretly been tracking iPhones even after its app had been deleted from the devices, violating Apple’s privacy guidelines.
But Apple was on to the deception, and when Mr. Kalanick arrived at the midafternoon meeting sporting his favorite pair of bright red sneakers and hot-pink socks, Mr. Cook was prepared. “So, I’ve heard you’ve been breaking some of our rules,” Mr. Cook said in his calm, Southern tone. Stop the trickery, Mr. Cook then demanded, or Uber’s app would be kicked out of Apple’s App Store.
Isaac explains later in the article what happened: Uber decided to fingerprint iPhones — contrary to App Store rules — to prevent a common scheme that exploited how drivers were compensated, then hid that code whenever the device was in Cupertino to prevent the App Review team from seeing it. That’s a deliberate deception. It’s a gross privacy violation of every Uber member that used an iPhone.
Yet Apple’s behaviour is also concerning. When AppGratis was found to be violating App Store rules, Apple gave them a heads-up on the Friday before the weekend during which their app would be removed. Based on Isaac’s reporting, Uber was provided with the opportunity to correct a more egregious violation of the App Store rules.
Even if you’re comfortable with the idea that big companies can have a different set of App Store rules and responses — and I’m not sure I am — I don’t think this should have remained a secret. It’s a flagrant and sneaky violation of users’ privacy. Ultimately, Uber is to blame, but Apple could have handled their discovery in a way that was more consistent with their commitment to privacy. Without Isaac’s report, this story likely would have remained secret.
My favourite sentence in this article is a parenthetical midway through:
Uber is grappling with the fallout. For the last few months, the company has been reeling from allegations of a machismo-fueled workplace where managers routinely overstepped verbally, physically and sometimes sexually with employees. Mr. Kalanick compounded that image by engaging in a shouting match with an Uber driver in February, an incident recorded by the driver and then leaked online. (Mr. Kalanick now has a private driver.)
Even the CEO of Uber doesn’t use Uber. Why should anyone else?
Update: Kate Conger, TechCrunch:
However, Uber told TechCrunch that it still uses a form of device fingerprinting in order to detect fraudulent behavior. If a device has been associated with fraud in the past, a new sign-up from that device should raise a red flag, an Uber spokesperson said. Uber suggested that the practice of fingerprinting was modified to comply with Apple’s rules rather than discontinued altogether.
If this uses the advertising identifier provided by Apple, I think that’s reasonable. If it’s fingerprinting devices through an alternative means that users cannot control, I see that as overstepping expected app behaviour.