By Charlotte O'Donnelly • April 27, 2017

Apple Calls Out Uber for Violating Developer Policy

Recent Scandal Brings to Light Collective Need for Better Identity Management 

 

Uber can’t catch a PR break. A few weeks back we wrote about state-sponsored background checks in Massachusetts that pulled more than 8,000 Uber and Lyft drivers from the road for violations ranging from license suspensions to violent crimes and sexual assault charges. Now it turns out that Uber has been tracking users’ iPhones – even those users that deleted the app – as a means of preventing account fraud and ensuring compliance. Just as with its background check controversy, Uber is setting its own rules for digital identity management, and forgoing convenient and credible options that exist to remotely authenticate user identities via mobile devices.

 

 

 

 

Identity fraud is becoming a serious issue that affects not only heavily regulated industries such as financial services, but also businesses in the emerging, mobile-based on-demand economy as well. In Uber’s case, the fraud comes from drivers creating false accounts on stolen phones to request rides and artificially boost their metrics – a seemingly innocuous crime when compared to recent cases of financial fraud, data breaches, and identity theft, though undoubtedly harmful to Uber’s business and its drivers’ credibility. 

 

The issue of user privacy aside, Uber’s digital tracking strictly goes against Apple’s developer requirements. In 2013, Apple removed the ability for apps to track users through Unique Device Identifiers (UDIDs), as the company began prioritizing less intrusive means of monitoring app users. To get around this, Uber assigned a distinct identity to devices through a piece of code that acted as a digital “fingerprint,” and then used geofencing to disguise this code from Apple engineers accessing it from the company’s California headquarters. Apple recently caught on to the deception, and the two have clashed over whose unregulated security policy trumps whose.

 

Part of the problem with ride-sharing providers – and companies in the tech economy in general – is that state and federal governments have largely taken a backseat (pun intended) when it comes to creating and enforcing regulations in these industries that would prevent similar behavior as Uber’s. This has left Uber free to make its own rules for both security policies and the classification and treatment of its employees, and unfortunately Uber hasn’t always held itself to the highest ethical standards.

 

But the complicated, behind-the-scenes engineering choreography Uber employed to track its users is not only bad manners; it’s also bad business. Uber’s problem of account fraud and identity authentication is a valid one, but it’s one that companies in the digital identity management space are poised to address in a far more convenient and credible (as well as ethical) way.

 

Mobile identity verification technologies that incorporate biometrics as well as the authentication of secure, government-issued documents could be used to ensure both drivers and riders are who they say they are, and aren’t using multiple accounts. Biometrics are increasingly being recognized as a valid and convenient means of authenticating a user’s identity, and are beginning to be incorporated into technologies such as fingerprint and retinal scanners in phones.

 

Confirm’s leading facial recognition technology could serve on the backend of Uber’s account registration process and be used to create a secure, reusable identity token for persistent identity management that has been authenticated through multiple identity sources including a valid ID document as well as facial recognition analysis. This simple step in the onboarding process would drastically reduce the instances of false accounts and driver fraud without inconveniencing the on-demand nature of Uber’s transactions. Additionally, periodic prompts for ID verification or facial recognition would renew and strengthen this token, providing additional security in the identity management process.

 

Uber disrupted transportation, and ushered in an entirely new peer-to-peer industry that is largely changing how we transact business. But its latest controversy highlights the challenges that exist when unregulated companies in this new era of business make their own rules about security, and don’t seek out technologies that exist to provide identity authentication and management. When two of the leading technology companies in America – Uber and Apple – disagree about identity management, it’s clear the issue has become an important one that will continue to shape how companies address security and fraud going forward.

 

Just as Uber disrupted transportation, Confirm hopes to disrupt identity authentication by providing secure, convenient, and credible mobile solutions suited to highly-regulated, traditional industries such as financial services, as well as the “Wild West” of new-economy players like Uber.