Can a deleted app keep on tracking you, even if the app is off the phone?
The unsatisfying answer: Yes and no.
The app can’t follow you around and know your whereabouts. But app developers can engage in “tagging,” leaving behind a unique ID on an iPhone so the developer can recall the apps that were on it and the last Wi-Fi network the phone was logged onto. These marks are used to help a company prove that the phone belonged to an individual, says Joseph Jerome, privacy & data policy counsel for the Center for Democracy and Technology.
The subject became hotly debated online this week in response to a New York Times profile of ride-hailing app Uber.
Uber had marked iPhones with persistent digital ID tags that would remain after users had deleted the Uber app and wiped the phone, the Times said. Apple CEO Tim Cook scolded Uber CEO Travis Kalanick for the practice, but didn’t kick Uber out of the App Store.
Today, Uber says it doesn’t track users or their location once they’ve deleted the app, but it does hold onto tagging data collected as a check against “fraudsters from loading Uber onto a stolen phone, putting in a stolen credit card, taking an expensive ride and then wiping the phone—over and over again,” the company told USA TODAY in a statement.
Blogger John Gruber, whose Daring Fireball is targeted to app developers, noted that Apple ditched earlier iPhone tools like UDID (Unique Device ID) and Mac addresses for developers several years back (in 2012) because they were “being abused by privacy invasive ad trackers, analytics packages,” and companies like Uber.
Uber notes that Apple does allows limited use of fingerprinting, and “merely stipulates which identifiers can be collected from the device, which are used by our team in combination with non-device signals to detect fraudulent activity & suspicious logins.”
If app developers could truly track you after you’ve deleted the app, it would “violate Apple developer terms and show a giant security hole in,” the iOS operating system, says Jerome.
The consumer tips for how to protect your privacy are few.
You could try living without apps on your smartphone—go without Uber, Facebook, Google Maps and the like, and your daily activities won’t be tracked. (The phone is the worst abuser of tracking, because it monitors your location, in return for cars showing up to pick you up and GPS directions getting you from where you are to the destination.)
But, “this is not possible today,” says Setu Kulkarni, a vice-president with WhiteHat Security. “Apps are how business will be done in the many decades to come.”
Kulkarni suggests consumers think twice about signing up for apps through Facebook and Google, which are offered as ways to speed up the process and eliminate the typing in of name, address and other information.
“Do you really want the app to access your friend and contacts data?” he asks. “Be cognizant about what the app can access.”
Jerome is hoping to hear how Google and Apple, which have upcoming developer conferences in May and June, will clamp down on how the folks who make apps keep tabs of their customers and set new security policies. “They really need to address this.”
Tim Bajarin, the president of Creative Strategies, expects Apple to stress user privacy at its Apple Worldwide Developers Conference. “It’s always a big topic,” he says. “Apple stresses personal privacy of data at every WWDC.”
Apple and Google didn’t respond to requests for comment.