

Controversial car service Uber, already under fire recently, has a new pair of privacy concerns this morning. One has to do with drivers’ accounts, and the other is for anyone who uses the Android version of the app.

Uber is like hundreds of other companies in one particular way: they rely on recommendations from current employees to help them find new workers. One Uber driver’s girlfriend recently got a text from him, through Uber’s referral program, urging her to sign up so they could both get a bonus. The problem? He didn’t send that text or choose to refer anyone at all, in fact, let alone his girlfriend. And neither did other Uber drivers whose friends and family have received recruiting messages in their names.

Newsweek calls the problem “ghost texts.” They spoke with a driver, “George,” who showed them the message his girlfriend had received:

UberMSG: “Congratulations! Your friend [George] wants you to be an Uber partner! Both of you can make money when you APPLY HERE: [URL with referral code].”

George told Newsweek that he neither gave Uber permission to contact his girlfriend, nor manually referred her. And the referral code in the text wasn’t his, either.

Of course, it’s sadly common for apps to require you to opt out of giving them access to your contacts, rather than requiring you to opt in. So George immediately went to check his settings. Only… there wasn’t a choice. “Most apps have an option that says, ‘Do you want this app to see your contacts list?’,” George told Newsweek, but “Uber doesn’t have that option.”

Newsweek looked at the way Uber’s referral program is supposed to work, and it’s a very clear set of manual steps a driver needs to take and confirm along the way. Drivers using an Uber-owned company phone first have to select a “refer now” option and then manually enter a contact’s information. Drivers using their own devices have a similar process, but with an extra step.

The wording of the referral message differs depending on whether the driver is using their own phone or a company phone. Although George uses his own device, his girlfriend received the “company phone” variant of the message.

Neither George nor any of the other Uber drivers Newsweek spoke with went through that manual referral process. When George contacted Uber to ask about it, he received a reply saying they’d follow up with him… which they still haven’t done.

Uber told Newsweek, “We are looking into how these messages may have been sent. Uber does not ask for or have access to drivers’ contacts stored on their personal phones. To refer friends, drivers have to manually and locally send from their phone. For any drivers whose friends sign up as a result of these messages, we will ensure that they receive the proper referral bonus.”

At least one driver, meanwhile, told Newsweek he’d stick with paying the fee for the Uber-owned phone instead. No contacts, no spam.

Android device owners who use Uber, meanwhile, might need to worry about a whole lot more than spam to their contacts. The app, as it turns out, not only has access to every piece of data about your phone, but also reports that information back to Uber.

Users at Hacker News reverse-engineered the Uber Android app, as BGR reports, and looked at all of the data it collects and systems it has access to.

It’s not a surprise to any Uber user that the app needs the ability to send and receive texts and calls and to access your GPS. Those are foundational to the service: it can’t send a car to your location, and text you updates, if it doesn’t know where you are or how to reach your phone.

However, Uber also accesses a whole bunch of other information about your Android phone. Some of that info includes: what other, non-Uber apps are installed and what and when they’re running; how much data your phone is sending everywhere; what cell towers you’re connected to; what wifi networks you’re connected to; what wifi networks in the area are available that you’re not connected to; whether or not your phone has been rooted; and how much charge is left in your battery, or whether your phone is plugged in.

Uber also checks whether your phone has any malware on it, and whether your phone is vulnerable to the Heartbleed bug. Among other things.

As one Hacker News user points out, most of the things Uber asks are just part of making it work, though not all of them are. Plenty of those settings are just left in, basically, by default.

That doesn’t mean Uber is doing anything nefarious with the data or in fact collecting it at all. But they could be, either now or in the future. And perhaps more importantly: every app that has access to private phone data is yet another app that could be leaving users vulnerable to having their information stolen, hacked, or otherwise used against them.

That’s a lot of risk for basically calling a cab.

Ghost Texts: Uber’s Invasive Practices in Driver Recruitment [Newsweek]

Uber’s Android app is reportedly collecting a huge amount of data without your knowledge [BGR]