Tech blogs last week pounced on the ride-sharing app for the wide range of permissions sought by the Uber app.
There are legitimate reasons for many of these requested permissions, says Urs Hengartner, a University of Waterloo professor and an expert in mobile app security and privacy. But Uber "should have explained it earlier on and told people about it openly," he says.
The criticism began when a blogger, who says he’s a security researcher, dug into the Uber app’s code for Android and noted the app has access to SMS, camera, internet, WiFi, contacts and calendar.
In the discussion that followed, many users were surprised to learn about Uber’s broad access to their phones.
Uber explained the rationale behind many of the permissions — though not all.
Its app, it said, needs access to calendars and contacts because of a feature allowing users to send a text via the app if they are late.
In addition, WiFi helps locate the user when GPS signals are low. Plus, users can pay by taking a picture of their credit card, thus explaining access to the camera.
"This is not unique to Uber, and downloading the Uber app is of course optional," Xavier Van Chau, a Canadian spokesperson for Uber wrote in an email to CBC News.
A big part of the problem is that, on Android, a user must agree to all permissions in order to use the app. On an iPhone, a dialogue box opens to ask users if they want to allow access to a particular part of their phone.
Hengartner says there are inherent problems with the way Android forces a user to OK a blanket set of permissions, problems that need to be fixed.
But he adds that Uber could have told users clearly in the app description in Google Play exactly which permissions it needed and why.
"I think people should be concerned if companies aren’t open about it, and that’s the main issue here," says Hengartner.
App privacy under scrutiny
The ride-sharing app is not alone in coming under attack. Privacy commissioners around the world are closely scrutinizing mobile apps for gathering too much personal information from unaware consumers.
Canada’s privacy commissioner’s office recently worked with counterparts around the world to pore over more than 1,200 apps.
Less than a third of those apps provided clear explanations for why they were collecting certain types of data, how they were using what they were collecting and what their disclosure policies were.
One of the most flummoxing apps was the Super-Bright LED Flashlight. The app turns a mobile phone into a flashlight, but asked for access to users' cameras, microphones and call information.
The privacy commissioner is currently looking into the extent of permissions sought by apps and plans to make the findings public soon.
Uber under fire
For five-year-old Uber, the swirling concerns around its permissions may be the least of its worries.
Earlier this month, a senior vice-president, Emil Michael, suggested in a conversation that he thought was off-the-record that the company should hire a team of researchers to dig up dirt on its media critics.
Also, a New York City Uber executive accessed the Uber profile of a Buzzfeed reporter without obtaining permission.
A company spokesperson later denounced Michael’s comments and said employees are only allowed to access and use data for legitimate business purposes.
U.S. Senator Al Franken sent a scathing letter to the start-up, demanding information about how the company uses all the data it collects and which employees can view the information. The actions of these top Uber executives "suggests a troubling disregard for customers’ privacy," he wrote
For Michael Karlin, an Ottawa resident who regularly uses Uber, those two stumbles by executives were far more damning than the recent concerns over permission.
"The app is fantastic," said Karlin, who enjoys many of its features, such as tracking the Uber car as it approaches, dropping a pin to tell the company his location and the automatic payment from his credit card at the end of the ride.
"I don’t have to fish for tips or anything like that. The transaction is over. It’s time to move on."
Still, a few more privacy-related breaches could send Karlin back to regular taxis, he says.
Michael’s comments also troubled him and made him wonder if Uber has a broken corporate culture.
"I am really worried that they are doing more than they are saying they are," said Karlin. "If there’s a systematic abuse of my privacy, I will abandon them despite taxis being so much worse."
Karlin’s more savvy with apps than most, checking permissions every time he downloads an app. But he would like to see companies like Uber make it easier to understand what it wants to access to and why.
"I would love to know more about the exact information that Uber collects. I don’t know if I'll ever learn. These companies are usually not good at disclosing that."
CBC News asked Uber several questions about how it collects and uses its data, but it didn't respond.
It did, though, acknowledge what Karlin and other users already know: "Our business depends on the trust we establish with all our customers and business partners," the Uber spokesperson wrote.