I've been interested in the security and privacy potential of battery status for a while now. I have previously written about it here, and recently my research led to web browser vendors removing battery readout functionality, citing privacy issues (Firefox, WebKit; Chrome has not decided yet).
I'm also very happy to have suggested to the W3C some privacy strategies for the Battery Status API.
In general, I feel like I know a few things about privacy.
We already know that Uber ran studies showing that users with phones running low on battery would be happy to pay more for a service. Call it price profiling.
Recently I learned that Uber is using battery status information in even more creative ways. Is there a possibility that Uber is using battery information to profile users and possibly even build some form of fingerprinting scheme based on battery status information?
Thanks to Paul-Olivier Dehaye of PersonalData.IO, who asked Uber to kindly reveal what information they have on him (and all other people), we've got an interesting insight into the types of data Uber is collecting and how they are handled. This was possible thanks to the transparency laws we have in Europe.
Some highlights. Uber is collecting:
- Names, addresses, payment means etc. - pretty standard stuff
- Mobile device information, e.g. the hardware model, operating system and version, software and file names and versions, preferred language, unique device identifier, advertising identifiers, serial number, device motion information, and mobile network information
- They use unique identifiers to track users
- Latitude and longitude of the users (Uber recently started to collect user location data in background, all the time)
- Battery status information (battery level, rate of charge/discharge)
Battery information? Yes. Uber collects:
- battery charging status (charging, discharging, unplugged, full, unknown)
- the remaining battery percentage
As the picture below shows:
Uber justifies the use of this data for fraud detection / prevention. If so, it appears Uber has tested that this particular information (why not any other?) is an indicator of possible fraud. Perhaps it's being done by monitoring device usage patterns (behaviour analysis).
One thing of note is that the above data suggests that some of the below may be true:
- Battery information is used to see if the user is real
- Battery information may be used to profile the user
I also learned that the data retention period (latitude, longitude, battery status information, etc.) at Uber is at least almost two years.
Can battery status information really be used to detect fraud? I'm not sure how effective that could be. At scale, the fraud model is probably a petty fraudster, and we can assume such a profile does not correspond to a person versed in technology to a degree sufficient to spoof the battery readings.
On the other hand, the information is quite easy to spoof. I would be very interested if Uber could tell us more about the reasons, rationale and the way battery status is collected, stored and analysed.
Just for the sake of transparency.