Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com)
schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.
Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'
If a mere remote network command can thwart police ... er, well, insert devastating finish here.
We'll take all the computers in your office. No evidence? Guess we'll return next week when you bought new equipment.
By the way: Due to legal regulations, everything confiscated is forfeited. You pay your tax. One way or another.
Welcome to Europe.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm seeing more and more references to "a software." Would you like to buy a software with your hardware? How will you be using your mobile device to update your time sheet ... will you be using a software? And, "Uber used another secret software." Ugh.
Don't disappoint your bird dog. Go to the range.
Most tech companies don't expect police to regularly raid their offices
Every non-government entity should treat the government as an adversary. Government agencies want to compromise everything.
So... obviously they were sued for contributory acts towards the obstruction of justice, no?
If not, why not?
Literally, the guy who phoned it in has deliberately obstructed justice, whether or not the company policy says to do it, or whether the system is entirely operated remotely, or even whether the data asked for was to hand. You can go to jail for decades for that offence alone, whether or not anything is found, which would make anyone think twice about paging that number, no?
I'm more concerned not that Uber did this (they're scumbags, we get the idea already), but that a manager would press it (and in Canada) at personal risk of imprisonment, and that no action was taken about it (whether or not they later provided the data).
If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.
Uber are scumbags because courts like this allow them to be.
If a mere remote network command can thwart police...
It was written by jerks and evil geniuses.
Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principals for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.
Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them sift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.
So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.
[ And before we get all up about "Uber is evil" and so .., I'll just leave this here ]
Did you think PriceWaterhouse et al would just give you everything just because some lowly policeman has a piece of paper?
They protect their clients with teeth and nails, like everybody.
I'm sorry, but Uber exists to decide laws don't apply to it, and no legitimate organization has in place a procedure to burn their computers remotely in the event of a police raid.
Uber is pretty much the definition of a company which needs to be brought down, because it's little more than a criminal conspiracy.
This is fucking insane. This is essentially pre-planned obstruction of justice, which should presumptively lead to the maximum penalty.
I'm of the opinion that every employee of Uber should be carted off to jail and left there. Certainly in any jurisdiction where they've done this shit. EVERYTHING this company is pretty much intended to sidestep the law.
Quebec and any other jurisdiction should go straight to "Uber is illegal, and we will arrest any employees and drivers".
Absolutely un-fucking-believable. This is pretty much the worst example of a company run by sociopaths I've ever heard of, and pretty much has no legitimacy whatsoever.
... which would be pointless if the data was held remotely and the local access keys have been wiped or disabled.
they managed to evade labor law long enough to get entrenched, buy off the necessary politicians and win. Nobody discusses forcing them to comply with minimum wage law. Nobody mentioned that there are millions of commercial drivers without the necessary insurance to protect passengers. No unemployment insurance, no OSHA. Nobody making sure their drivers don't work 30 hours straight off amphetamines, only the most casual background checks....
They've managed to erode several hundred years worth of hard fought worker & consumer protections in about 20 years...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
When exactly does it become obstruction of justice? After you're informed and instructed not to interfere with an investigation? Or before?
If you delete a file on your laptop in the course of a normal day that no police is interested in, clearly that cannot be obstruction of justice. Even if 2 weeks later someone tells you that file was relevant to some investigation.
If you actively push a police investigator with a valid warrant away from your computer and type a command to erase the laptop, clearly that could be called obstruction of justice.
Now, how about if you erase your file after you read in the news that your general industry is being investigated for some wrongdoing? How about as you see the police pull up to your house? They haven't given you any notice that your files are of interest to "justice". How about as they knock on the door?
Where is the line drawn?
It was included in your Windows 10 free upgrade.
Increasingly companies with deep pockets can evade the law through continual delays, impediments, and endless appeals, twisting the law to delay justice until it is moot. If a company like Uber can delay their judgement day a few years through these vile tactics it lets them illegally get the leg up on competitors and an opportunity to lobby for rule changes or even stack a few legislatures with candidates more favorable to them. Basically illegal actors can stay solvent longer than justice can stay effective.
I'd like to see the right to a speedy trial applied in BOTH directions. The public who is impacted should have a right for these sort of asshats to be tried in a time effective fashion. A burglar isn't politely asked to hand over any evidence in his house some time in the next year or two, why should these modern bandits get so much more benefit simply because they are huge?
At the rate the company is going, they're asking to be put under the equivalent of a consent decree.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
Kind of hard to do business when your company has no infrastructure capable of doing it.
"Forget the engineers." -Carly Fiorina, briber of MIT Technology Review.
Was anyone ever taken to court, charged and convicted of Sexual Harassment, or is this just another case of accusation and the label sticking?
Yeah, because that's really an option for someone when Uber has a mandatory arbitration clause in their contracts disallowing you from taking your case to court. It makes a good soundbite to holler "no court cases, no convictions, so innocent" but the reality is very different, and not just at Uber. If we ever get a government that cares about humans more than corporations again, we need to ban contract clauses that allow people to sign away their constitutional rights to speak out, to sue for redress, etc., but until then corporations like Uber will continue to bury their dirt, and those they've wronged, in arbitration where the outcome is a foregone conclusion that favors those who pay the bills--namely the corporation, and not the wronged individual.
Having a company that can remote-wipe all of your systems with a single SMS actually sounds like a really handy service for a lot of people.
Honestly, most MDM products can do this. I know AirWatch can.
- Vincit qui patitur.
There is another salient difference between a warrant and a subpoena: a subpoena requires the cooperation of the target. The writ obtains that cooperation via threat of punishment -- in fact that's the root of the word: sub poena -- under punishment.
However that threat is empty if you're never caught.
If subpoenas truly compelled a suspect to turn over evidence, you'd never have to do anything like a high stakes drug raid. You'd simply have the court issue a writ ordering the suspect to turn over all the drugs and related records and wait for your evidence to show up at the court on the appointed date.
So the choice of search warrant and subpoena in the case of a company like Uber depends on your estimate of their willingness to risk defying the law.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
In this modern world going to a judge and contesting a subpoena pretty much guarantees data being deleted, purged, or just modified.
A proactive collection followed by challenges is common unless you're politically connected.
deleting the extra space after periods so i can stay relevant, yeah.
That's called Abuse of Process — when the very mechanism of justice is used to punish those, who can not be proven guilty.
Europe, where citizens celebrate government's harassment...
In Soviet Washington the swamp drains you.
Anytime the blood sucking leeches who contribute nothing are thwarted, I cheer.
The summary reports, "The investigators left without any evidence." They had a warrant, they could have grabbed the physical machinery. Depending on the type of data, they could have compelled the company to turn over access methods... Why no evidence?
Ah.
Because what they wanted was not physically present in the jurisdiction the warrant was issued in. They were trying to gain legal-on-their-side but likely considered unauthorized use and access of the company's intranet via an employee's existing login session. Like how some people might consider it totally fair to send themselves a copy of all the email you've ever sent because you left your phone unlocked or a browser open.
This is all based on an assumption, but I can't think of anything else that fits the bill. If so, that's pretty shady work on the part of the police. Replace 'Quebec' with any other country, or Uber with any other corporation (or agency) and the justification falls apart.
* It was okay for the _Foreign Government_ to access all the _Domestic Government agency emails_ because they (legally) confiscated a laptop that was still logged in.
etc.
You might think this is the right thing to do when the target is someone you feel is morally bankrupt, like drug dealers, terrorists, uber, or westboro baptists, but that justification can just as easily be used by bad actors against peaceful protestors, political opponents, spouses, and so on.
I'd be more surprised if something like this isn't widely set as policy in any multinational company, especially those with subtle or overt government pressure against them or their country of origin. It's just good policy.
Whether or not Uber is breaking laws, those laws should not exist. If I can give you a ride, I can also ask you for money — and we both can use the Internet to arrange the meeting and the payment-transaction. No one is forced to work for Uber and no one is compelled to use them either.
Major props to Uber for resisting the oppression.
In Soviet Washington the swamp drains you.
Subpoenas have time limits associated with them. Judges can hand out sanctions for raising frivolous challenges or not responding in a timely manner.
Remember that whatever rules you empower for the government to go after Uber, they can use to go after anyone else. That's the purpose of the quote from Bolt.
Except the cops had a warrant.
All that was happening is the local Montreal computers no longer had access to data in San Francisco. Nothing was destroyed.
In this time of NSA snooping and privacy concerns, it's amazing to see so many people siding with police raiding people and seizing documents by the millions to fish for evidence.
What was Uber's great crime again? Giving people car rides for money? What kind of person thinks heavy-handed government raids to interfere with car rides are legitimate and just?
They're used to seize evidence when police have a reasonable expectation evidence would be destroyed if subpoenaed. It's up to a judge to decide if that expectation is warranted (pun not intended). In Uber's case we now have definitive proof that they intended from the get go to destroy evidence. They'd built an entire business process around it.
If we take your ideas to their logical conclusion police lose search warrants as a tool and must rely on subpoenas. But if they're not allowed to do a forceful search they're at the mercy of the person being subpoenaed. I somehow doubt that, if Uber had no fear whatsoever of a search warrant, that they would share incriminating documents.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
when you're earning $1/hour living in a shanty town. Yeah, yeah, you'll run your own business. It'll get run out of business by mega corps who can undercut your prices. Then you'll go to work for one of those mega corps for enough food to make it through the day...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
... like a two-bit criminal organization but instead of keeping their records out of the law's hand by igniting old-fashioned flash paper they're written on with a cigarette, they're using a digital equivalent by killing all the logins to Uber headquarters from the office that's called in. I can't see this scheme working for much longer.
CUR ALLOC 20195.....5804M
If Uber can be compelled to give access to records without a subpoena, we all can be. I'm not an Uber fan, but I don't have a problem with this behavior.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
You don't know how deductions work, do you?
I know really well how deductions work, apparently you don't know much about shady accounting practices some companies use.
And no, you don't get to declare "any value you can document", you only get to declare the actual cost
Right, "actual cost". Which is verified by what... Starting to understand yet? No? Can't help you friend.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Except the cops had a warrant.
Warrants allow for searches and seizures. And that is what police did. But a warrant for the machines doesn't mean the company needs to help officers access accounts, read the data, nor help by decoding or decrypting them.
There are many legal tools if the authorities want to obtain specific documents and records. An unannounced visit to seize computer equipment is typically the worst of those tools. The searches are often sloppy and (for those who are prepared) the searches are easily overcome by measures like those in the story. Authorities love "snatch and grab" because the surprise often grants access to a wide range of other secondary data, also including ad-hoc statements and access to items that are nearby on whiteboards and both on and inside desks and at the time of the police break-in.
The company still has a fight ahead, but the policy generally is a strong case that they were protecting user's data rather than obstructing justice. Agents had an order to seize computers, the computers were seized. If agents produce an order to produce specific documents, I'm sure they could be produced. They complied with the requests while also protecting private information of millions of customers. That isn't obstruction.
If they actually destroyed their data, or if they altered or falsified data, those actions would be obstruction. But locking down records for proper data preservation and basic data security are not obstruction.
//TODO: Think of witty sig statement
Their tactics would lead a person to believe that this is some lawmaker looking to make life difficult for uber. Had they subpoenaed records it would be a pain for Uber to collect what was demanded, but their operations would continue. If the police use a warrant to "collect evidence" (IE every computer, phone, tablet, etc.) that sure as hell would slow them down for a while.
From a legal perspective, if the police come barging through my front door demanding my phone I don't believe I'm required to unlock it for them. (And I'm sure as hell not going to do it without consulting a lawyer) Same for my computer. Assuming both are encrypted, that leaves them SoL. As long as the application they have isn't deleting data, I see no harm in a "lock all of my devices" button.
You see, our judges tend to be quite level headed and sensible. It usually takes a LOT of convincing to have them write warrants, except for one thing: If they feel you're trying to bullshit them, they can get VERY creative.
Judges in Europe also tend to have a LOT more leeway when it comes to interpreting the law than in the US. Anything short of simply ignoring the law is pretty much fair game.
Separation of power is all fine and nice, but at the end of the day, pretty much all the power rests in the hands of our judges. Should they ever get corrupted, we're FUBAR for good.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
DOUBLE WHOOSH.
As I said, I cannot help you, when you choose not to see or think.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The down sides of an unregulated taxi market have already been demonstrated: bodies found floating in the East River. So a government entity steps in and takes over control of the market. Then, the previous players figure out how to game the system. In the end, the government maintains its monopoly on violence, allowing the lower level corruption to continue.
Have gnu, will travel.
Alternatively, if a mere network command can brick Uber in a region ... er, well, insert devastating finish here.
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
and take the routers and switches as well. $300-$1000+ per unit a week adds up fast.
The point was, if you go in with a warrant, you take your chances on whether the objects of your search are there. You don't get the active help of the target to preserve/collect/deliver anything.
In other words, it's a practical choice. Do you want to retain the element of surprise? Fine, that method works like this. Do you want to compel the target to provide you with all responsive documents under pain of sanctions, fine, that method works like this.
So the choice of search warrant and subpoena in the case of a company like Uber depends on your estimate of their willingness to risk defying the law.
Indeed. Fully agree. Your choice should also depend on your estimate of your ability to actually secure the records that you are after by serving a warrant.
Uber isn't the only technology company that sees the physical seizure of digital records (not necessarily even by the police, mind you -- and once built an 'unexpected visitor' system is as effective against a thief as it is against a warrant) as a risk. The more they build against it, the more it suggests that working a subpoena through the courts is the way to go.
The best investigators are patient. Sadly their management sometimes doesn't appreciate the merits of a detailed investigation.
They're providing cheaper transportation fares despite gov't regulations that protect entrenched taxi companies from upstart competitors
While avoiding paying taxes and paying their 'workers' less than labour laws require.
They aren't shouldering a share of the costs of the community/society from which they are making money and they aren't paying enough to their workers to meet the requirements of the law. If the labour laws are poor, incomplete or even corrupt - change them. But a company making an end-run around them is not a useful solution.
Government created/protected monopolies exist (ideally) in industries where competition would be harmful to the industry and/or society. Taxis are a good example of this. Unregulated competition creates a race to the bottom with desperate drivers in cars that are barely roadworthy competing to find a fare, then having to find a way to milk that fare to cover costs.
However, these monopolies must be regularly challenged and scrutinised to prevent the sort of entrenched corruption that becomes almost inevitable. To that extent, I think start-ups that challenge monopolies are fantastic. But that becomes a fig leaf when the company is simply exploiting the community (no/low tax) and their workers (avoiding labour laws). The potential benefit of shaking up an entrenched player does not justify breaking the law, nor the sort of exploitation that the regulation/monopoly was created to prevent.
In my land the taxi industry was reregulated in 1990 and although there have been numerous small players come and go the established players are still there with some additions. Certainly not as profitable.
this was backed up by regulation: separate endorsements for licence, log books, police checks, in car cameras etc.
Uber did none of these until recently when the law was changed to help them and they are now fulfilling most of these conditions.
The other way Uber rip off their competitors is this whole 'ride-sharing' lie, they have the drivers register for GST (the local VAT equivalent) but the drivers pay no GST because no one earns over the $40k that requires a return. (After all they are 'independent contractors', eh?)
Established/ any other taxi company collect & pay GST at an enterprise level so Uber gets a 15% tax-free break.
That means they are also ripping off the taxpayer but our Republican/ Conservative major political party analogue (National) just sucked their dick and agreed to let them go their way.
They are not a technology company they are a transportation company using their drivers (through depreciation of their cars etc.) and the taxpayer to fund their lying, duplicitous ways.
New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world
who were run out of business by Walmart. As for the wages, tell that to the literally billions of people paid subsistence wages in China, India, Africa, and even wealthy spots like Dubai. America's middle class is an anomaly that came about from the aftermath of WWII and communism. WWII destroyed the world's infrastructure leaving us the only industrialized country for 30 years and communism scared businesses too much to outsource. Both those pressures are gone. Meanwhile the working class didn't just get back from saving the world so they're ready to be shit on all over again. They've stopped demanding education, Unions and better pay and gone back to fighting among themselves over wedge issues.
Spend some time on google learning about the way the world actually works. Folks like you are patsies being used to prop up the aristocracy. The sooner you learn that the sooner you can stop being taken advantage of.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/