Tim Cook once scolded Travis Kalanick about Uber’s practice of tracking users even after they deleted the app from their iPhones. But in its newest operating system, iOS 11, Apple is rolling out a feature that will allow the same type of tracking—but with fewer privacy implications.
Apple’s new feature is called DeviceCheck and, if developers choose to use it, it will allow them to fingerprint and persistently track users’ iPhones, even if a user deletes the app or wipes their phone completely, using Apple as an intermediary.
To be clear, this kind of fingerprinting does not allow for location tracking. It lets developers keep track of former users’ devices so that, if they ever come back to the app, the developers will know they’ve been there before.
In Uber’s case, the ridesharing company developed a fingerprinting technique to blacklist devices that were involved in fraud, though Uber’s implementation ran afoul of Apple policy. The New York Times reported that Uber engineers used geofencing and a dummy policy-compliant version of their code to prevent Apple employees from catching on to the technique.
Apple, of course, discovered it anyway, leading to the 2015 showdown between Cook and Kalanick. A review of Uber’s code from late 2014 by Will Strafach of Sudo Security Group found that Uber was likely tracking device serial numbers. After Cook confronted Kalanick, Uber modified its code to comply with Apple policy.
The newly unveiled DeviceCheck will work with iOS and tvOS, and it allows app developers to associate two bits and a timestamp with a device indefinitely. Apple privacy engineer Katie Skinner pitched DeviceCheck at WWDC yesterday as a method for fraud prevention that will be more privacy-protective for consumers.
“There are many developers who are currently using a variety of techniques to try and identify devices. Now, they may be trying to identify and answer questions like: Has this device received a free trial? Has this device participated in fraudulent activity?” Skinner said. “Now, in order to achieve that goal, many developers—though I’m sure none of you in this room—may be collecting lots of information in order to associate some state with that device.”
Instead of sneakily scraping a device serial number, as Uber apparently did back in 2014, developers will send two bits (they can choose from 00, 01, 10, and 11) and a timestamp to Apple. This information will be saved by Apple until an app developer resets or modifies it.
“This means it will be stored by Apple through deletion of your app, reinstallation of your app, through erase all contents and settings, as well as a transfer of that device between users,” Skinner explained.
Developers can assign whatever significance they choose to the bits: 01 could indicate that a device has engaged in fraudulent behavior while 11 might mean a device was flagged as suspicious but later cleared, for example. But the device will forever remain associated with the timestamp and bits the app developers assigned it.
Skinner used the example of a news app with a seven-day free trial to explain how DeviceCheck will work. Imagine you download an app that comes with a free trial; the app might send Apple a timestamp and 00 to indicate that the app has been installed and the seven-day trial started. After a week, the app might send a different token to Apple’s servers (01 and a timestamp) to indicate that your device has used up its free trial. If you delete the app and reinstall it later, it will request the token from Apple, and Apple will respond to the app’s servers with 01—indicating that it’s time for you to start paying a subscription to use the app. The user may then receive a prompt that their free trial has expired and it’s time to pay up.
The setup leaves everyone involved in the equation holding as little personal information as possible: The app developer isn’t collecting a serial number or other identifying information about a user, and Apple only holds two numbers, without any indication of what those numbers mean in the app’s logic.
However, DeviceCheck could create problems for people who’ve purchased used iPhones—they might be blocked from receiving a free trial of an app the previous owner once downloaded, for instance. “You need to think about how to handle these types of cases,” Skinner warned developers, suggesting that they give users a way to get in touch if their device has been incorrectly fingerprinted.
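The free-trial flow Skinner described, together with the used-phone case, can be modelled in a few lines. This is an added sketch, not Apple's API or code from the talk: `PerDeviceStore` is a constructed in-memory stand-in for the record Apple keeps per device and developer, and the bit meanings, the one-year `STALE_AFTER` threshold and the outcome strings are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum

TRIAL_LENGTH = timedelta(days=7)    # the seven-day trial from the article's example
STALE_AFTER = timedelta(days=365)   # assumption: older state may belong to a previous owner

class Bits(Enum):
    # The developer, not Apple, decides what each value means.
    TRIAL_STARTED = "00"
    TRIAL_USED = "01"

@dataclass
class DeviceState:
    bits: Bits
    updated: datetime               # timestamp stored alongside the two bits

class PerDeviceStore:
    """Constructed stand-in for the per-device record held on Apple's side.
    It outlives app deletion, reinstallation and a full device erase because
    nothing in it lives on the phone or on the developer's server."""
    def __init__(self):
        self._records = {}
    def query(self, device):
        return self._records.get(device)
    def update(self, device, bits, now):
        self._records[device] = DeviceState(bits, now)

def on_launch(store, device, now):
    """Decide what to show at app launch. `device` is an opaque handle that only
    the store can resolve; the developer never learns a serial number."""
    state = store.query(device)
    if state is None:               # never seen before: start the trial
        store.update(device, Bits.TRIAL_STARTED, now)
        return "trial"
    if state.bits is Bits.TRIAL_STARTED:
        if now - state.updated < TRIAL_LENGTH:
            return "trial"
        store.update(device, Bits.TRIAL_USED, now)   # a week has passed
        return "subscribe"
    # Trial already used. If the state is old, the phone may have changed hands,
    # so offer the way to get in touch that Skinner suggests instead of a dead end.
    if now - state.updated > STALE_AFTER:
        return "subscribe_with_support_link"
    return "subscribe"
```

Because the decision depends only on the stored bits and timestamp, reinstalling the app or erasing the phone between calls changes nothing in the outcome.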
Strafach, the president of Sudo Security Group, told Gizmodo that DeviceCheck seems like a balance between fighting fraud and preserving privacy (although he stressed that he hasn’t personally tested the feature yet).
“What I am seeing is an honest effort to compromise between the legitimate need to prevent fraudulent behavior versus allowing developers to access sensitive identifiers,” Strafach said.
Gizmodo contacted an Apple spokesperson for further comment on DeviceCheck and will update if we hear back.