Post by: Lisa Vaas | Sophos Naked Security | Published on: 12/01/2016
Now, with the latest update to the app – version 3.222.4 – Uber has put that into practice and is now tracking your location constantly if you’ve got the app running in the background. Oh, and it’s also asking that you always share your address book. Until now it had only collected your location data if you had the app open.
When Uber announced the change to its policy in May last year, it incurred the displeasure of just about everyone concerned about privacy, not to mention the Federal Trade Commission (the Electronic Privacy Information Center filed this complaint [PDF] with the FTC about the change).
As the Center noted in its complaint, back when it announced the change in May 2015, Uber said that tracking passengers in real time and accessing users’ address books were merely “potential new use cases” of its customers’ data.
The change was meant to “get people on their way more quickly,” Uber said. As it was, Uber apps for iOS, Android and Windows phones could only fetch location data if they were open, sometimes creating a slight delay.
Most communication between drivers and their customers has been of the “Where are you?!?” variety, Uber says – a needless batch of confusion that can be done away with if it can pinpoint customers’ locations more precisely.
As far as following people after they get out of a car goes, the company has cited safety concerns: if you cross the street, it means a driver hasn’t dropped you off at your exact location, and all that street-crossing incurs the possibility you’ll get run over.
Why access users’ contact lists in their address books? Uber says it’s got to do with splitting a fare with other riders.
Are we all steaming frogs?
Is the issue here that Uber is slowly heating up the frog in the pot – in other words, its customers – so they don’t notice declining privacy?
Or is it that people who use Uber have never been the type to care about privacy in the first place?
It’s not as if Uber users don’t express outrage at its ever-expanding collection of data. The Electronic Privacy Information Center provided a plethora of comments in its complaint, such as these that followed last year’s announcement:
Wow. Until I know more – I’ve deleted the Uber app and will not use it again. Sad, it works so well.
That is very creepy. Uber now wants to track your location at all times.
That could be a useful resource for the police, FBI, NSA, hackers, etc.
Uber’s history has given us much to be concerned about. EPIC’s complaint (PDF) has a thorough chronology of its checkered past, which has included using a “God view” tool to track riders and to display information in an aerial view; a data breach, caused by Uber itself, that exposed hundreds of Uber driver names, social security numbers, pictures of driving licenses, tax forms and other sensitive information; its months-long failure to report that breach to the drivers; its poking at a journalist’s personal data (twice), tracking her movements without her permission; and, well, the incident list goes on.
Meanwhile, Uber has run into regulatory issues around the world and sparked protests in cities from London (pictured) and Paris to Warsaw and Melbourne, among others
What will save those customers who don’t jump out of the pot before they boil?
There are lawmakers and law enforcers who’ve tried to put the brakes on Uber. In January, New York’s attorney-general settled with Uber over a probe into the driver data breach. The upshot: Uber was required to encrypt rider geolocation information and to adopt multifactor authentication before any employee could access especially sensitive rider personal information.
Uber has also been taken to task by US Senator Al Franken over the anti-journalist privacy debacle.
What to do?
Uber’s app will work without any automatic access to your contacts or your location, although obviously getting and sharing Uber rides won’t be quite so frictionless (as user interface experts like to call it) if you deny the app access to this data altogether.
On iOS you have to opt in to sharing your contact and location data, on Android you have to opt out, but either way we recommend you don’t just accept the defaults.
Given Uber’s previous history, we think it’s wise to:
- Decide how much you want to share with Uber.
- Go into the privacy settings relevant to the Uber app and make sure the active settings actually do reflect your decision from step (1).
Of course, that’s sound advice for any app: even if you think the defaults will suit you just fine, go and check that you’re getting the settings you want.
Oh, and when there’s an update, whether to the app or to your phone’s OS, review your settings in case there’s a brand new privacy option with a default you didn’t expect.
Remember: if in doubt, don’t give it out.
Reference Article: https://nakedsecurity.sophos.com/2016/12/01/uber-now-collecting-location-data-even-after-you-leave-a-drivers-car/