Hacks, bribes and bugs: Uber accused of illegal snooping on rivals
Filing: Explosive allegations against ride-hailing biz revealed in letter from former staffer
Uber has been accused of illegal intelligence gathering, using non-attributable hardware and software, impersonating drivers and bugging private events, in an explosive set of allegations from a former staffer.
The revelations came in a document released as part of competitor Waymo's case against Uber, in which the Alphabet-owned biz claims Uber stole its trade secrets.
They come from security analyst Ric Jacobs, who was fired in April, and first came to light last month, when they caused Northern California district judge William Alsup to delay the start of the impending Waymo trial.
Jacobs worked at Uber for about a year and claims to have witnessed a whole host of unethical and likely illegal activities during his time in the secretive Strategic Services Group (SSG).
This includes the use of separate "anonymous servers" and self-destructing messaging services, impersonation of drivers and making secret recordings.
However, his claims had only been read aloud in court – now a redacted version of the 37-page letter [PDF] detailing the accusations has been released publicly – and it makes for shocking reading.
The document, written by Jacobs' lawyer Clayton D Halunen and sent to Uber's general counsel, Angela Padilla, claimed that Uber "frequently engaged in fraud and theft, and employed third-party vendors to obtain unauthorised data or information", used "computer hacking tactics", infiltrated driver groups and even bugged hotel and conference facilities.
'Destroy, conceal, falsify'
According to Jacobs, Uber had a "sophisticated strategy to destroy, conceal, cover up, and falsify records or documents with the intent to impede or obstruct government investigations as well as discovery obligations in pending and future litigation".
He claimed that when he proposed a secure and encrypted database for intelligence, superiors said this was "exactly what we don't want to do... create [a paper trail] that could later be discoverable" for future litigants.
The document details some of the ways Uber allegedly managed this, including staff being "verbally coached" in how to conceal documents – such as marking all communications "draft" or asking for legal opinions – to the use of Wickr, which automatically deletes messages after a time.
Meanwhile, Uber is accused of infiltrating protesters' and drivers' WhatsApp and social media groups, identifying and targeting government officials and impersonating users on competitor platforms.
The document alleged that the marketplace analytics team, which aims to acquire competitive intelligence, "fraudulently impersonates riders and drivers on competitor platforms, hacks into competitor networks, and conducts unlawful wiretapping" to gain trade secrets.
Information reportedly gathered includes the function of, and vulnerabilities in, competitors' apps, as well as pricing structures and incentives.
Jacobs said that this was done using "a distributed architecture of anonymous servers, telecommunications architecture, and non-attributable hardware and software".
He alleged that teams used computers "not directly purchased by Uber that operate only on MiFi devices", VPNs and "a distributed and non-attributable architecture of contracted Amazon Web Services (AWS) server space to conduct competitive-intelligence collections against other ride-sharing companies".
This setup allows the MA team to make millions of data calls against competitor and government servers without causing a signature that would alert competitors to the theft. For instance, a sophisticated competitor would set thresholds when they see devices attempting to request rides by the hundreds or thousands in a short period of time. However, if the data calls are diversified across what appear to be multiple devices and a broader time period, filters would not detect the anomaly.
Other teams would use non-attributable devices "to store raw information collected by their operatives from politicians, regulators, law enforcement, taxi organizations, and labor unions in, at a minimum, the U.S., [REDACTED]", Jacobs claimed.
'Identifying groups with political clout'
Among Jacobs' claims are that Uber had "engage[d] in targeted business practices aimed at gaining the support of government officials in foreign countries".
Jacobs said Uber aimed to "gather threat intelligence on taxi groups, unions, and agitators harassing Uber partner-drivers in the area" through "undercover agents [... who] took rides in local taxis, loitered around locations where taxi drivers congregated, and leveraged a local network of contacts with connections to police and regulatory authorities".
We go live to the Uber-Waymo court battle... You are not going to believe this. The judge certainly doesn'tREAD MORE
He said that the aim was to identify which groups had "the political clout and motivation to direct aggressive enforcement activity against Uber" and which "might be compelled to end costly enforcement activities or partner with Uber to unblock the market and open up the supply of partner-drivers out of shared financial incentive".
Jacobs also levels an accusation of bribery of foreign government officials at Uber, which he claims to have heard about during his time.
"Based on his knowledge of targeting foreign officials to identify those with influential power... Jacobs reasonably believed that bribery of foreign officials was taking place," the document said. The areas he is said to believe this happened are redacted.
Uber is also alleged to have recorded conversations between executives and officials.
This included "multiple surveillance and collections operations" during June 2016, and "recording of mobile phone video and/or photography during private events" at hotels and conference facilities, Jacobs said.
He went on to allege that in January this year, someone (the name is redacted) contacted him on Wickr to say "they had a bug in a meeting with transport regulators" and that they "needed help cleaning up the audio".
The accusations are, of course, the word of just one man – whom Uber has accused of being an extortionist – but will do nothing for Uber's already severely damaged reputation with the fallout of the mass data breach and employment lawsuits.
The alleged incidents also took place under former CEO Travis Kalanick, and new boss Dara Khosrowshahi has been at pains to distance himself from his predecessor's practices.
However, he said in a staff email in November, published by Recode, that although the team has "not been able to substantiate every one of his claims... there is more than enough there to merit serious concern".
An Uber spokesperson told The Register: "While we haven't substantiated all the claims in this letter – and, importantly, any related to Waymo – our new leadership has made clear that going forward we will compete honestly and fairly, on the strength of our ideas and technology." ®
The case is Waymo LLC v. Uber Technologies, Inc. et al, case number 3:17-cv-00939, from California Northern Court
Sponsored: Becoming a Pragmatic Security Leader