The New York Times' unflattering profile last weekend of Uber founder Travis Kalanick (nytimes.com/2017/04/23/technology/travis-kalanick-pushes-uber-and-himself-to-the-precipice.html) provides some jaw-dropping disclosures. Not just about Kalanick, but – thanks to a number of anecdotes –the cavalier attitude digital era companies have towards data privacy.
For me, the most astonishing revelation was that Kalanick had "pulled a fast one on Apple by directing his employees to help camouflage the ride-hailing app from Apple's engineers. The reason? So Apple would not find out that Uber had been secretly identifying and tagging iPhones even after its app had been deleted and the devices erased."
From a European perspective, such secretive device fingerprinting raises obvious questions under EU privacy laws
Uber geo-fenced Apple headquarters in Cupertino using a small bit of persistent, unremovable code in the app – the very code Uber didn't want Apple to see. Uber was already automatically "fingerprinting" all iPhones with the code, so blocking anyone in the vicinity of Apple from seeing the phone's code wasn't difficult. Fingerprinting iPhones in this way broke Apple's privacy guidelines, and in early 2015 Apple chief executive Tim Cook gave Kalanick a dressing-down, according to the article.
Device fingerprinting
From a European perspective, such secretive device fingerprinting raises obvious questions under EU privacy laws. Uber was turning every iPhone into a tracking device, and could spy on and gather data from ex-customers.
A quick online search showed me that Uber was registered under the old (and now invalid) Safe Harbour EU/US data transfer principles in force at the time.
The company was operating in many EU countries by then. It had set up Uber BV, which Uber described on its Safe Harbour certification as "a private limited liability company established in the Netherlands that acts as a data controller" with respect to the wide range of European data it was gathering. At the time, it listed Ireland as one of the countries from which it received data, though it doesn't operate here.
The <em>Times </em>piece revealed more: that Uber bought data about rival ride service Lyft from a small data broker called Slice Intelligence
But, oddly, the company stated in its certification information that it did not agree to “co-operate and comply with the EU and/or Swiss Data Protection Authorities”.
How could a company self-certify through Safe Harbour – an agreement whose entire purpose was to confirm compliance with EU data protection laws – while also refusing to “co-operate or comply” with European DPAs?
I mention this just in case you needed any further convincing that the European Court of Justice was correct in viewing Safe Harbour as a wholly inadequate privacy fig leaf with demonstrably weak provisions and oversight mechanisms. Justices were right to toss Safe Harbour out in 2015. Its replacement, Privacy Shield, is up for review in autumn.
The Times piece revealed more: that Uber bought data about rival ride service Lyft from a small data broker called Slice Intelligence, which obtained Lyft ride receipt data from scanning the email inboxes of individuals using its subsidiary service, unroll.me.
Inbox data
Unroll.me is a popular free service that enables users to easily unsubscribe from mail lists. But it doesn’t make it particularly clear on its website that it parses your inbox for data that its parent company can sell to third parties.
The FAQ says nothing at all, while the privacy policy, which does note that data may be collected and then sold, expresses this in vague legalese. Nor does the website make clear that Unroll.me’s parent company is a data broker, and that Unroll.me is essentially a data tapping tool for Slice Intelligence. In exchange for a modestly useful service, it gets access to your personal data, including email. That’s a big trade-off.
The company, which has faced a backlash from angry users since the article ran, argues the data gathered is anonymised before being sold on, with personal identifiers removed. But many experts have long since demonstrated that anonymised data can often be relinked to an individual due to its revealing detail.
Unroll.me also has noted it does let people know how their data may be used in its privacy policy. But come on: that information is not clearly presented, nor does the company make clear its relationship with Slice.
And Unroll.me defends itself with that most feeble of excuses: everyone else is doing it and we aren’t as bad as some of the others. On Twitter, Unroll.me even noted it wasn’t the worst: “Gmail has more data on you than we ever would.”
This is comparing dumb and dumber. These data collection business models have crept in over time, often by luring in users before the quid pro quo existed, and inflicting it afterwards, with the data trade realities hidden behind verbose, unread privacy policies and terms of use.
The Times piece is a reminder – if you need it still – that many digital companies no longer provide a service for a payment. They trade in you.