Yet another uncomfortable revelation about Uber’s legacy business and attitude to legal oversight: Between spring 2015 until late 2016 the ride-hailing giant routinely used a system designed to thwart police raids in foreign countries, according to Bloomberg, citing three people with knowledge of the system.
It reports that Uber’s San Francisco office used the protocol — which apparently came to be referred to internally as ‘Ripley’ — at least two dozen times. The system enabled staff to remotely change passwords and “otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices”, it reports.
We’ve also been told — via our own sources — about multiple programs at Uber intended to prevent company data from being accessed by oversight authorities.
The existence of the Ripley program has been alleged previously, in December 2016, when an ex-Uber security employee, Ward Spangenberg, made a sworn statement saying he was part of an “incident response team” that helped remotely erase data when Revenu Québec raided the company’s Montreal offices in 2015. (Allegations that Uber denied at the time.)
But according to Bloomberg Uber created the system in response to raids on its offices in Europe: Specifically following a March 2015 raid on its Brussel’s office in which police gained access to its payments system and financial documents as well as driver and employee information; and after a raid on its Paris office in the same week.
It says the idea came — at least in part — from a suggestion made by Uber’s general counsel Sally Yoo (who resigned from the company in September). While the system was reportedly built by Uber’s IT department, before being taken over by the security team in 2016.
Last month allegations that the company had systematic processes in place to put potential evidence beyond the reach of any investigating authorities — including using encryption, secret servers and ephemeral messaging apps — emerged via allegations made in a 37-page letter written by the attorney of Uber’s former manager of global intelligence, Richard Jacobs (which was made public as a result of the ongoing Waymo vs Uber IP theft lawsuit).
In the letter, Jacobs’ attorney writes that his client’s suggestion, early on during his employment, to create a secure and encrypted centralized database for ensuring “recordkeeping and confidentiality” was rejected by Uber managers “because they objected to preserving any intelligence that would make preservation and legal discovery a simple process for future litigants”.
From the letter:
Jacobs then became aware that Uber, primarily through [in-house counsel Craig] Clark and [head of global threat operations, Mat] Henley, had implemented a sophisticated strategy to destroy, conceal, cover up, and falsify records or documents with the intent to impede or obstruct government investigations as well as discovery obligations in pending and future litigation. Besides violating U.S.C. 1519, this conduct constitutes an ethical violation.
Uber said last month that it has not substantiated all the claims in the letter — some of which were also withdrawn by Jacobs (who previously reached a financial settlement with Uber).
Clark is no longer employed by Uber, having been fired by Uber CEO Dara Khosrowshahi late last year following the revelations the company concealed a massive data breach for the best part of a year. Head of security, Joe Sullivan, was also sacked at the same time. While Henley was last month reported to be beginning a three-month medical leave.
Bloomberg reports that the Ripley program was a closely guarded secret at Uber — claiming that many staff in offices being raided were unaware of its existence.
It adds that later versions of the system gave the company the ability to selectively provide information to government agencies that searched its foreign offices, with Uber’s lawyers directing security engineers to selective disclose information to officials who had warrants to access its systems.
Bloomberg also names another obfuscation system, it says was called uLocker, which it says was contemplated for times when Uber wanted to be “less transparent”.
A prototype version of the software could apparently present a dummy version of a typical login screen to police or other unwanted eyes. Though it says this was never implemented or used by Uber. According to the report, Uber’s security team began working on the uLocker software in 2016, with the project overseen by John Flynn, Uber’s still sitting CISO.
In a response statement to Bloomberg’s story, Uber told us: “Like every company with offices around the world, we have security procedures in place to protect corporate and customer data. When it comes to government investigations, it’s our policy to cooperate with all valid searches and requests for data.”
We’ve also heard of the existence of a program at Uber called uLocker, although one source with knowledge of the program told us that the intention was to utilize a ransomware cryptolocker exploit and randomize the tokens — with the idea being that if Uber got raided it would cryptolocker its own devices in order to render data inaccessible to oversight authorities.
The source said uLocker was being written in-house by Uber’s eng-sec and Marketplace Analytics divisions (the latter being the unit previously reported to be focused on gathering intelligence from competitors).
The same source told us that Uber had another program intended to orchestrate the physical destruction of end-point workstations in the event of a raid by law enforcement — again as a strategy to render company data inaccessible to external investigators.
A different source with knowledge of Uber’s processes, and who was taking legal advice at the time we spoke, declined to comment on those two programs but told us that Uber had a program in place, led by Clark, in which Uber staff in the US trained others on how to avoid discovery on a legal due process.
Such controversial programs did not sit easily with every Uber employee who was aware of them, according to our discussions with sources, and appear to have contributed to some individual departure decisions — above and beyond staff directly fired by Khosrowshahi as he seeks to clean house.
An Uber spokeswoman confirmed the Ripley program’s existence to us in a phone call but said its use was discontinued in 2016. She also said that it was the same software Uber had used when employees left the company to ensure they no longer had access to company systems.
She told us she was not aware of any specific programs to train staff to avoid due legal process, noting that Jacobs “walked back a lot of those statements under oath”.
Regarding uLocker she confirmed the software exists, and said it is still in use at Uber, but described it as being for Mobile Device Management (saying it replaced a prior off-the-shelf MDM system that Uber had been using, called Prey) — so used for locking devices and encrypting files such as in the event of a corporate device being stolen.
The uLocker encryption process takes “about a day, so it’s not an immediate thing”, she added.
Regarding Uber considering using uLocker to power a system of dummy logins, she said that was a feature proposed for the system but never implemented.
“I know of two people who proposed that as an idea — they are no longer at the company and that feature was never built or implemented in uLocker,” she told us, declining to name the individuals but specifying they weren’t senior executives but front-line engineers.
On the cryptolocker allegation, the spokeswoman reiterated “that is not how uLocker works”, adding: “uLocker is designed so we can unencrypt it.”
“There’s only ever been one version of uLocker. There were earlier conversations about what it should include — but there’s only ever been one version of it. And all it does is the locking and encryption.”
The spokeswoman also told us she was not aware of any programs set up for physically destroying workstations in the event of a raid on an Uber office.
She sent us Uber’s current protocol for handling regulatory visits to its offices — in which the company instructions employees to “cooperate with the investigation”. It also explicitly warns staff: “Do NOT delete, destroy, conceal any document or data”.
So what might be the legal implications for companies that put programs in place intended to deliberately destroy or otherwise render information inaccessible at the point it’s being sought by investigators or regulators?
“If they have knowledge of a specific investigation and a specific… search warrant… and they encrypt while that raid’s going on to stop the agents from accessing the computers that they have a court order to access that could be considered obstruction of justice,” says Josh Robbins, partner at litigation law firm Greenberg Gross LLP, discussing the risks of companies trying to thwart regulatory oversight.
“If they were encrypting computers without knowledge of a specific investigation but encrypting computers as a security measure, just generally, I think it would be hard to make the allegation of obstruction of justice because they’d need to have knowledge of a specific investigation. It’s just a general security measure.
“But it shouldn’t matter because if they receive a subpoena, say, or a court order to produce records then they have the obligation to use their decryption key and unlock the computers and access the information and provide it to the government — and if they refuse to do that then they would be subject to sanctions, contempt of court and so on.”
In a civil case, a court could penalize a company for engaging in what’s known as “spoliation of evidence”, he notes, suggesting the penalty could be anything from “allowing the other side to tell a jury about the conduct (which could be very harmful to the trial) — all the way up to just ruling against them without even going to trial”.
“On the criminal side it could be — again if they know about an existing investigation and they put this into place for the purpose of preventing information from ever being disclosed to the investigators that could be viewed as obstruction of justice, which is a criminal violation of a US law,” he adds.
While Robbins confirms there is no general obligation on technology companies to keep their records in an accessible format, and firms are rather given flexibility in terms of how they manage their data security, there can still be legal risks given that companies can often have multiple litigation investigations ongoing at any given time (as Uber certainly now does, and has done for several years).
“If any of the information at issue is relevant to any of those then they would have a problem doing that because they are effectively going to obstruct or impede that investigation or litigation so it would be legally risky to do that unless they know that it’s not related to those things,” Robbins continues. “Their policy can’t override their general legal obligations to preserve and make available evidence.”
He also points out that having systematic policies in place to render data inaccessible could have other negative impacts for companies — citing the decision by London’s transport regulator to withdraw Uber’s operator license last year, with TfL explicitly mentioning the Greyball program (another piece of in-house software, developed to help Uber avoid regulatory scrutiny by monitoring oversight activity) in its list of concerns.
“As a prosecutor or a regulator recidivism is a huge issue in terms of how you approach a case and how aggressively you approach a case,” he says. “And if somebody is seen to be a bad, repeat actor there is that much more of a need to deter their conduct by being very aggressive in enforcement, or take them out entirely.
“In London… Uber is not welcome there anymore because of the Greyball incident. And probably not just Greyball but they’re well aware of some of the other things that Uber has been involved in and you can see that attitude being taken probably by regulators state, local, federal, in various jurisdictions when they see an actor that seems like it is very consistent in its flouting of the law.”