Fingerprinting has long been a controversial topic for scandal-laden Uber. The ride-sharing service, alongside its prime competitor, Lyft, has fought efforts to identify its drivers using the traditional sense of the word: marks representing the unique whorl of each person’s fingertip.
Uber’s latest fingerprint brouhaha has gone digital.
The company recently acknowledged that through its app, it has been collecting fingerprints—or unique identifying numbers—of devices using its app to prevent fraudulent behavior such as gaming its driver sign-up bonus system, or using a stolen phone to take free rides. And it has been accused of retaining device fingerprints, even after device owners had deleted the app or wiped their phones altogether.
Responding to complaints, Uber says its practices are currently in compliance with Apple’s developer guidelines, which prohibit certain ways of creating a device fingerprint but not the practice itself. And it denies tracking its users once they’ve deleted the app. In a statement, an Uber representative described device fingerprinting as “a typical way to prevent fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride, and then wiping the phone—over and over again.”
Hardware, software, and networking companies indeed use device fingerprints to track how people use their products—and to prevent illegal or otherwise unauthorized behavior, including identity theft.
Cell phones contain several unique hardware identification numbers, or fingerprints, for the phone’s specific Wi-Fi, Bluetooth, SIM card, and signal band, as well as the phone hardware itself. Desktop computers have fingerprints too—as does just about any device that has at least one LED light attached to it, jokes Robert Graham, CEO of Errata Security.
Privacy experts have long worried that device fingerprints could be used to track people without their knowledge. Hackers have tracked travelers by watching where their device fingerprints interact with airport public Wi-Fi networks, Graham says. And law enforcement agencies have used International Mobile Subscriber Identity-catchers such as Stingrays to eavesdrop on mobile phones and cast a wide net, intercepting traffic from all phones that connect to the trackers.
There’s no evidence thus far that Uber has used device fingerprints in such ways.
“I would assume that lots of companies have the same problem. Every app that deals with money is going to have the same problem and will want some solution,” Graham says. “Uber did something totally innocent and legitimate. This is Uber on its good side.”
Software, including Web browsers or mobile apps like Uber, also contains unique identifiers that, when combined with information such as IP addresses and Google searches, could be valuable to a data sleuth.
While Joseph Lorenzo Hall, chief technologist at privacy rights group the Center for Democracy and Technology, says fingerprinting to prevent fraud is both “useful” and “increasingly standard-operating procedure,” he expressed concerns about other uses of fingerprinting.
“Where it gets dicey is when those powerful mechanisms are used for other nonsecurity uses, such as marketing,” he says. “In contrast to other forms of tracking, there are no effective user controls for fingerprinting, which means that users are left without ways to ensure their history online doesn’t follow them around.”
Security expert Lee Brotherston, who has used fingerprinting techniques to identify malicious software such as Dridex, says software fingerprints are helping researchers more effectively detect malware infections. But he notes that they can also be used to harm people.
A government with a “less than perfect human rights record” could use software fingerprints, Brotherston says, to “spy on [its] citizens.” By tracking the use of apps such as Tor or Signal that hide user identities or Internet traffic, and analyzing that data alongside a trove of device fingerprints, authorities could more easily identify the people who use them.
For what it’s worth, Graham says consumers have little insight today into whether their devices are fingerprinted—nor control over how fingerprints are used.
“Consumers can’t really tell if fingerprinting is being used against them,” he says.