Uber is watching your smartphone's battery charge
Browser vendors' Battery API deprecation can't come soon enough
Browser authors are abandoning the invasive Battery API W3C specification, but not everybody's got the memo: Uber, for example, still watches battery status.
The not-an-employer, not-a-taxi-company's app checks battery status and remaining battery, with the explanation that the feature is used for fraud detection. The discovery came courtesy of Paul Dehaye of PersonalData.io, who made a request under European law for data Uber collected about him (published at GitHub, here).
As Lukasz Olejnik (the University College, London security researcher and consultant who tipped Vulture South to the story) notes, that could be a reasonable explanation because battery information could help Uber confirm that a user is real.
For example, if someone was impersonating another Uber subscriber, two requests at nearly the same time from devices with wildly-varying battery charge would help raise an alert to a fraud.
Fair enough: but Olejnik also points out, the battery information can help build intrusive user profiles – that's why Chrome, Firefox and WebKit are moving to deprecate the API. That prompted The Register to ask Uber if loss of the API would harm its anti-fraud efforts.
However, it's also true that Uber – like most players in the “app economy” – is an enthusiastic profiler of its users. As has also been reported this week, the Electronic Privacy Information Center in the United States is upset that its app is tracking users' locations when they're not using the service.
The Register notes that the extra privacy risk, in the circumstances, is minimal. As we reported in August 2016, the main risk from the Battery API is that users could be uniquely identified by the behaviour of their battery – but Uber's already got your identity.
That made Olejnik suspect it's more likely to be that the car-hire service is fooling around with using battery status as an input to its charging: if you were trying to raise a driver at half-past-midnight after the New Year's Eve fireworks, would you pay more if you only had 11 per cent battery remaining?
Or it could simply be that developers in the app economy can't resist grabbing everything, whether they need it or not.
The rest of the data Dehaye turned up is less remarkable: payment information collection is a given, and most of the mobile device information is the kind spaffed to all and sundry by Android's device API (called from android.os). ®
Sponsored: Becoming a Pragmatic Security Leader