by decisiveness 3714 days ago
> These permissions were mistakenly introduced by an engineer on the team who thought a 3rd party library needed them when in fact it does not.

What caused the engineer to be mistaken about this? What library?

Considering Uber's history, expecting people to believe a claim like: "one guy acted alone in an oopsy", without providing a more detailed report, is a bit optimistic.

1 comments

If they did indeed immediately release an update that ceases asking for these permissions, then I'd say this is an entirely reasonable explanation regardless of their history.
I could be wrong, but without a real explanation, it seems more likely Uber is still convinced analyzing customer behavior in the most personally invasive ways is worth the risk, and were testing the waters, hoping a response like the OP's wouldn't gain traction the way it did.

In a company with thousands of employees, already scrutinized for privacy violations, it's hard to believe that a single engineer could ask for the most sensitive of permissions without anyone else reviewing or bumping up the chain first.

You're right that we have a very strict review process for added permissions, but unfortunately due to the way libraries and Android's manifest merger work, this change managed to slip through our standard review process. We're definitely going to add stricter enforcement to make sure something like this doesn't happen again.
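Added example, not part of the thread and not Uber's code: one way to enforce the kind of check the last comment describes is to compare the permissions in the merged manifest that the build produces against a reviewed allowlist, since permissions contributed by a library's manifest never appear in a diff of the app's own manifest. The package name, permission names and manifests below are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
# Both elements request permissions; the second applies on API 23 and later.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Constructed sample: the app's own manifest, as a reviewer sees it in a diff.
APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rider">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed sample: merged manifest after a hypothetical library added entries.
MERGED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.rider">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in PERMISSION_TAGS:
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name:
                found.add(name)
    return found

def unreviewed_permissions(merged_xml, allowlist):
    """Permissions present in the merged manifest but never approved."""
    return sorted(requested_permissions(merged_xml) - set(allowlist))

def stale_allowlist_entries(merged_xml, allowlist):
    """Approved permissions the build no longer requests (candidates to drop)."""
    return sorted(set(allowlist) - requested_permissions(merged_xml))

if __name__ == "__main__":
    # Here the allowlist is the app's own manifest; a checked-in file works too.
    allowlist = requested_permissions(APP_MANIFEST)
    extra = unreviewed_permissions(MERGED_MANIFEST, allowlist)
    for perm in extra:
        print(f"unreviewed permission in merged manifest: {perm}")
    raise SystemExit(1 if extra else 0)  # non-zero exit fails the CI step
```

Run as a CI step against the merged manifest of each build variant, so a new entry fails the build until the allowlist change itself is reviewed.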