Listen to this article now
These days, it seems that there are only two kinds of articles on the internet: Those that provoke anger and outrage, and those that are forgotten as quickly as they are posted.
In a world where “content is king,” and in which companies, nations and influencers are incessantly competing – battling, even – for mindshare, the ability to spark a strong emotional response is the best way to ensure that the things we want people to see are in fact seen. Unfortunately, we also live in a world where money can buy a lot of eyeballs. These same companies, nations and influencers, given an adequate budget, have the ability to manipulate what audiences will see, and consequently, what they won’t. Thus, with a few clicks, swipes, and transactions, one story can see its reach and impact immediately boosted and maximized, often at the expense of a dozen other stories of equal quality or value to readers. On occasion, unscrupulous parties will use this model to not only promote stories they like, but drown out stories that they don’t. Stories that might shed a negative light on institutions, products, or projects they would rather canonize than have an honest discussion about.
It was only a couple of weeks ago that Gizmodo broke the story about how Apple, one of the worlds most beloved technology companies, had allegedly been working behind the scenes with Uber, one of the world’s favorite “Sharing Economy” success stories (although the young company’s luster has been somewhat tarnished lately), to develop a demo that would highlight its smooth new iPhone-to-Apple Watch interoperability. So far so good. But based on the reporting, Apple gave Uber engineers access to the screens of iPhones running Uber in the background. This access, we learn, remained “open” for some time, without iPhone users’ knowledge. This means that during that time, iPhone users running the Uber app on their phone could have had Uber employees access what was being displayed on their iPhone screens.
That means confidential emails, photos, videos, text messages, documents, legal briefs, prototype drawings, lab results, location data, business transactions, contracts, banking information, passwords, and more. Those are the types of things Uber would have been able to access without iPhone users ‘ knowledge.
In short, that’s just no good at all.
According to Gizmodo, it was both shocking and alarming that Apple gave such permission to Uber. Allegedly, Uber was the only company to have access to this feature. Maybe that’s true. Maybe it isn’t. Time will tell.
Some of this just doesn’t pass the stink test. Even if this really was some kind of negligent oversight on the part of a few people, I think that the public has every reason to be upset about what happened and how it happened, regardless of why it happened. In fact, they should be flat-out pissed about it. Let’s explore a few of the implications:
- Privacy Rights: Even though privacy policies for most applications are littered with loopholes and entitlements that allow app creators to basically use data for whatever they want, I seriously doubt that users would be okay if they understood that Uber had been given permission to monitor their screen when they weren’t using the Uber App. The excuse that this access was given to help with an Apple Watch demo or the early stages of an app’s development doesn’t cut it. It isn’t enough. Users have a right to know how and when their privacy might be violated or breached by the devices and apps that they use.
- Security: We all know that companies are more vulnerable than ever to intrusion. Target, Equifax, Yahoo and countless other large enterprises have been breached despite massive security budgets. Those breaches are rarely ever revealed until well after the breach has taken place. So the obvious question is this: What if sensitive data was pulled from users’ screens and stored somewhere? Would anyone find out? Would anyone at Apple or Uber come forward and volunteer that it was? If indeed some type of breach did occur, we likely wouldn’t hear about it for a while. That’s a problem. I don’t like not knowing if private or confidential business data was stolen from my phone this way, and neither should you. What we do know is that there is a chance that treasure trove of confidential data is sitting out there somewhere just waiting to be put into the wrong hands. This is something people should be aware of AND care about, and both Apple and Uber should be made to account for it.
- Ethics: What does it say about Apple’s culture that it allegedly gave a somewhat shady tech giant with a history of questionable privacy breaches unprecedented access to iPhone users’s screens without their permission? Perhaps more troublesome, what does it say about our own priorities and expectations as consumers that we barely took notice of what had happened, and didn’t demand answers from Apple and Uber? Was it a failure in news reporting? Was it a failure of pay-to-play publishing? Did the public just not care? Was it all of the above? Whatever the answer is, people should be a lot angrier than they are about this, and here’s why: Aside from how many people may have been affected by it, this breach of privacy wasn’t the result of hackers illegally breaking into complex systems designed to keep them out. It was a breach of confidence. That’s a very different animal.
If all of the reporting we have seen so far is accurate, Apple gave Uber access to their users’ screens and surrendered their users’ privacy all on their own. That’s what makes this case more egregious and problematic than most of the “big” privacy breaches that tech companies have subjected us to in recent years. Apple seems to have deliberately given a third party the ability to read your emails and text messages, to see the websites you visit, to view your social media activity and conversations, and even to watch you type in your passwords. Maybe Uber saw all of that, and maybe it didn’t. The point is that Apple opened the door to that possibility, and we should all be very concerned about both its ability and decision to do so.
In the end, maybe nothing will come of this. Maybe something will. It’s too soon to tell. Maybe if data accessed from people’s iPhones during the vulnerability’s window does land in the wrong hands, people will finally pay attention and demand answers. Perhaps we are getting so desensitized to data breaches and companies abusing our loyalty that many have just decided to give Apple and Uber a pass. Apple pretty much always gets a pass, so that would help explain the relative absence of outrage, but the same can’t be said for Uber, so perhaps this story just got buried under a lot of other news content. It happens.
Still, I can’t shake the feeling that we should have heard a lot more about this. At a time where voicing outrage has practically become a national sport, and our social feeds are flush with endless diatribes against companies and people violating our rights and entitlements, or just threatening to do so, I am shocked that this story didn’t ignite a powder keg of outrage. I would have at least expected a similar type of anger and disdain that is being shed upon Equifax. How is it that Equifax gets demonized for having been hacked but Apple doesn’t even get a slap on the wrist for treating user privacy as an optional feature? Think about it. Equifax was the unfortunate victim of a sophisticated attack from talented hackers, like many other giants in the tech and financial sector have been. Equifax didn’t hand over a few lines of code to a partner, knowing that it would give them access to millions of people’s private communications and data. Equifax may have been negligent, but at least the invasion of privacy they were involved with wasn’t deliberate on their part. They didn’t engineer it. In this case we are dealing with an app used by millions of people being granted the ability to view and collect confidential data right off of our screens by a smartphone manufacturer we all trust to protect our data and our privacy. Equifax doesn’t get a pass but Apple does? Why?
We won’t know for some time if there will be any lingering impacts from this. For now, the story is that this was an insignificant mistake, a non-issue, a necessary step to improve a popular product, and that user privacy wasn’t ever actually breached. That’s nice, but experience and history remind us to take those kinds of assurances with a big grain of salt. When Yahoo had 500 million records breached in 2014, did the company fess up right away? No. We didn’t hear about it for two years. When Verisign was breached in 2010, did the company immediately notify anyone? No. When Heartland Payment Systems was breached in 2008, did the company immediately notify anyone? No again. It isn’t difficult to spot patterns of corporate self-preservation and obfuscation when it comes to disclosing electronic privacy and data breaches, especially when they involve millions of people. To assume that no user’s privacy was breached while this particular vulnerability existed is both naïve and reckless on the part of iPhone users and journalists alike. Even if nothing nefarious comes of this, the fact is that Apple, one of the world’s most prolific companies, appears to have recklessly granted a separate company, in this case Uber, access to iPhone screens so that their app would work better on the Apple Watch. Apparently, millions of iPhone owners’ privacy was less important to Apple than ensuring the success of a product demo. Sure. Nothing to see here. Seems like something no one should be the least bit concerned about.
Disclosure: Futurum Research, like all research and analyst firms, provides or has provided research, analysis, advising, and/or consulting to many high-tech companies in the tech and digital industries. The firm does not hold any equity positions with any other companies cited in this column.