Slashdot Mirror
Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com)
schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.
Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'
Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'
If a mere remote network command can thwart police ... er, well, insert devastating finish here.
We'll take all the computers in your office. No evidence? Guess we'll return next week when you bought new equipment.
By the way: Due to legal regulations, everything confiscated is forfeited. You pay your tax. One way or another.
Welcome to Europe.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm seeing more and more references to "a software." Would you like to buy a software with your hardware? How will you be using your mobile device to update your time sheet ... will you be using a software? And, "Uber used another secret software." Ugh.
Don't disappoint your bird dog. Go to the range.
Most tech companies don't expect police to regularly raid their offices
Every non-government entity should treat the government as an adversary. Government agencies want to compromise everything.
So... obviously they were sued for contributory acts towards the obstruction of justice, no?
If not, why not?
Literally, the guy who phoned it in has deliberately obstructed justice, whether or not the company policy says to do it, or whether the system is entirely operated remotely, or even whether the data asked for was to hand. You can go to jail for decades for that offence alone, whether or not anything is found, which would make anyone think twice about paging that number, no?
I'm more concerned not that Uber did this (they're scumbags, we get the idea already), but that a manager would press it (and in Canada) at personal risk of imprisonment, and that no action was taken about it (whether or not they later provided the data).
If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.
Uber are scumbags because courts like this allow them to be.
If a mere remote network command can thwart police...
It was written by jerks and evil geniuses.
Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principles for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.
Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them shift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.
So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.
[ And before we get all up about "Uber is evil" and so .., I'll just leave this here ]
Did you think PriceWaterhouse et al would just give you everything just because some lowly policeman has a piece of paper?
They protect their clients with teeth and nails, like everybody.
they managed to evade labor law long enough to get entrenched, buy off the necessary politicians and win. Nobody discusses forcing them to comply with minimum wage law. Nobody mentioned that there are millions of commercial drivers without the necessary insurance to protect passengers. No unemployment insurance, no OSHA. Nobody making sure their drivers don't work 30 hours straight off amphetamines, only the most casual background checks....
They've managed to erode several hundred years worth of hard fought worker & consumer protections in about 20 years...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
When exactly does it become obstruction of justice? After you're informed and instructed not to interfere with an investigation? Or before?
If you delete a file on your laptop in the course of a normal day that no police is interested in, clearly that cannot be obstruction of justice. Even if 2 weeks later someone tells you that file was relevant to some investigation.
If you actively push a police investigator with a valid warrant away from your computer and type a command to erase the laptop, clearly that could be called obstruction of justice.
Now, how about if you erase your file after you read in the news that your general industry is being investigated for some wrongdoing? How about as you see the police pull up to your house? They haven't given you any notice that your files are of interest to "justice". How about as they knock on the door?
Where is the line drawn?
Was anyone ever taken to court, charged and convicted of Sexual Harassment, or is this just another case of accusation and the label sticking?
Yeah, because that's really an option for someone when Uber has a mandatory arbitration clause in their contracts disallowing you from taking your case to court. It makes a good soundbite to hollar "no court cases, no convictions, so innocent" but the reality is very different, and not just at Uber. If we ever get a government that cares about humans more than corporations again, we need to ban contract clauses that allow people to sign away their constitutional rights to speak out, to sue for redress, etc., but until then corporations like Uber will continue to bury their dirt, and those they've wronged, in arbitration where the outcome is a foregone conclusion that favors those who pay the bills--namely the corporation, and not the wronged individual.
There is another salient difference between a warrant and a subpoena: a subpoena requires the cooperation of the target. The writ obtains that cooperation viathreat of punishment -- in fact that's the root of the word: sub poena -- under punishment.
However that threat is empty if you're never caught.
If subpoenas truly compelled a suspect to turn over evidence, you'd never have to do anything like a high stakes drug raid. You'd simply have the court issue a writ ordering the suspect to turn over all the drugs and related records and wait for your evidence to show up at the court on the appointed date.
So the choice of search warrant and subpoena in the case of a company like Uber depends on your estimate of their willingness to risk defying the law.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
In this modern world going to a judge and contesting a subpoena pretty much guarantees data being deleted, purged, or just modified.
A proactive collection followed by challenges is common unless you're politically connected.
deleting the extra space after periods so i can stay relevant, yeah.
The summary reports, "The investigators left without any evidence." They had a warrant, they could have grabbed the physical machinery. Depending on the type of data, they could have compelled the company to turn over access methods... Why no evidence?
Ah.
Because what they wanted was not physically present in the jurisdiction the warrant was issued in. They were trying to gain legal-on-their-side but likely considered unauthorized use and access of the company's intranet via an employee's existing login session. Like how some people might consider it totally fair to send themselves a copy of all the email you've ever sent because you left your phone unlocked or a browser open.
This is all based on an assumption, but I can't think of anything else that fits the bill. If so, that's pretty shady work on the part of the police. Replace 'Quebec' with any other country, or Uber with any other corporation (or agency) and the justification falls apart.
* It was okay for the _Foreign Government_ to access all the _Domestic Government agency emails_ because they (legally) confiscated a laptop that was still logged in.
etc.
You might think this is the right thing to do when the target is someone you feel is morally bankrupt, like drug dealers, terrorists, uber, or westboro baptists, but that justification can just as easily be used by bad actors against peaceful protestors, political opponents, spouses, and so on.
I'd be more surprised if something like this isn't widely set as policy in any multinational company, especially those with subtle or overt government pressure against them or their country of origin. It's just good policy.
That isn't abuse. If there are reason to believe criminal acts are happening and people refuse to co-operate with legal requests the material can and will be confiscated. It isn't punishment nor harassment - it's called an investigation.
It never cease to amaze me that people don't understand basics and instead push forward legal arguments that aren't generally even internally consistent.
Police: "We have reason to suspect you are violating rule X and according to law Y we request that you produce the material Z as you are required"
Unter: "Nope, we don't wanna - it wuld be harrussment"
Police: "Okay, have a good day"
Except the cops had a warrant.
In this time of NSA snooping and privacy concerns, its amazing to see so many people siding with police raiding people and seizing documents by the millions to fish for evidence.
What was Uber's great crime again? Giving people car rides for money? What kind of person thinks heavy-handed government raids to interfere with car rides are legitimate and just?
They're Used to seize evidence when police have a reasonable expectation evidence would be destroyed if subpoenaed. It's up to a judge to decide if that expectation is warranted (pun not intended). In Uber's case we now have definitive proof that they intended from the get go to destroy evidence. They'd built an entire business process around it.
If we take your ideas to their logical conclusion police lose search warrants as a tool and must rely on subpoenas. But if they're not allowed to do a forceful search they're at the mercy of the person being subpoenaed. I somehow doubt that, if Uber had no fear whatsoever of a search warrant, that they would share incriminating documents.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
when you're earning $1/hour living in a shanty town. Yeah, yeah, you'll run your own business. It'll get run out of business by mega corps who can undercut your prices. Then you'll go to work for one of those mega corps for enough food to make it through the day...
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Except the cops had a warrant.
Warrants allow for searches and seizures. And that is what police did. But a warrant for the machines doesn't mean the company needs to help officers access accounts, read the data, nor help by decoding or decrypting them.
There are many legal tools if the authorities want to obtain specific documents and records. An unannounced visit to seize computer equipment is typically the worst of those tools. The searches are often sloppy and (for those who are prepared) the searches are easily overcome by measures like those in the story. Authorities love "snatch and grab" because the surprise often grants access to a wide range of other secondary data, also including ad-hoc statements and access to items that are nearby on whiteboards and both on and inside desks and at the time of the police break-in.
The company still has a fight ahead, but the policy generally is a strong case that they were protecting user's data rather than obstructing justice. Agents had an order to seize computers, the computers were seized. If agents produce an order to produce specific documents, I'm sure they could be produced. They complied with the requests while also protecting private information of millions of customers. That isn't obstruction.
If they actually destroyed their data, or if they altered or falsified data, those actions would be obstruction. But locking down records for proper data preservation and basic data security are not obstruction.
//TODO: Think of witty sig statement
They're providing cheaper transportation fares despite gov't regulations that protect entrenched taxi companies from upstart competitors
While avoiding paying taxes and paying their 'workers' less than labour laws require.
They aren't shouldering a share of the costs of the community/society from which they are making money and they aren't paying enough to their workers to meet the requirements of the law. If the labour laws are poor, incomplete or even corrupt - change them. But a company making an end-run around them is not a useful solution.
Government created/protected monopolies exist (ideally) in industries where competition would be harmful to the industry and/or society. Taxis are a good example of this. Unregulated competition creates a race to the bottom with desperate drivers in cars that are barely roadworthy competing to find a fare, then having to find a way to milk that fare to cover costs.
However, these monopolies must be regularly challenged and scrutinised to prevent the sort of entrenched corruption that becomes almost inevitable. To that extent, I think start-ups that challenge monopolies are fantastic. But that becomes a fig leaf when the company is simply exploiting the community (no/low tax) and their workers (avoiding labour laws). The potential benefit of shaking up an entrenched player does not justify breaking the law, nor the sort of exploitation that the regulation/monopoly was created to prevent.
I'm my land the taxi industry was reregulated in 1990 and although there have been numerous small players comes and go the established players are still there with some additions. Cetianly not as profitable.
this was backed up by regulation: separate endorsements for licence, log books, police checks, in car cameras etc.
Uber did none of these until recently when the law was changed to help them and they are now fulfilling most of these conditions.
The other way Uber rip off their competitors is this whole 'ride-sharing' lie, they have the drivers register for GST (the local VAT equivalent) but the drivers pay no GST because no one earns over the $40k that requires a return. (After all they are 'independent contractors eh?)
Established/ any other taxi company collect & pay GST at an enterprise level so Uber gets a 15% tax-free break.
That means they are also ripping off the taxpayer but our Republican/ Conservative major political party analogue (National) just sucked their dick and agreed to let them go their way.
They are not a technology company they are a transportation company using their drivers (through depreciation of their cars etc.) and the taxpayer to fund their lying, duplicitous ways.
New Zealanders are well balanced with a chip on each shoulder. One represents Australia, the other the rest of the world