Slashdot Mirror

← Back to Stories (view on slashdot.org)

Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com)

Posted by msmash on from the paint-us-surprised dept.

schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.

Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'

8 of 226 comments (clear)

  1. Most tech companies by Anonymous Coward · · Score: 4, Insightful

    Most tech companies don't expect police to regularly raid their offices

    Every non-government entity should treat the government as an adversary. Government agencies want to compromise everything.

    1. Re:Most tech companies by borcharc · · Score: 4, Insightful

      This could just be as easy a using desktop virtualization and pulling the plug on access when needed. Keep the servers backing it in a different, more friendly country. There is no reason to have any data on local computers.

    2. Re:Most tech companies by Opportunist · · Score: 4, Insightful

      We prefer to have a government that does its job. We understand that there are certain requirements for this to be possible. That means that taxes have to be paid to fund what they're supposed to do, and we also need to give them the ability to do it. It's pretty much the same that I'd expect to get at work. If I'm supposed to do a project, I need funding and I need the ability to command people to do what I need them to do to make the project work out. If I get neither money nor power, well, I will not be able to do my project, will I?

      Oddly it seems that in the US, the government is supposed to not do anything. At least when listening to people claiming that taxation is theft and that the police shouldn't have any kind of power. How the hell are they supposed to do their job if that's what you expect from them? So in return, they try to force this onto you, to take by force what's not given, so they can do what they perceive as their job. And they overdo it by quite a margin.

      Maybe that's the main difference. We try for cooperation, in the US, confrontation seems to be rather the norm.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Uber. by ledow · · Score: 5, Interesting

    So... obviously they were sued for contributory acts towards the obstruction of justice, no?

    If not, why not?

    Literally, the guy who phoned it in has deliberately obstructed justice, whether or not the company policy says to do it, or whether the system is entirely operated remotely, or even whether the data asked for was to hand. You can go to jail for decades for that offence alone, whether or not anything is found, which would make anyone think twice about paging that number, no?

    I'm more concerned not that Uber did this (they're scumbags, we get the idea already), but that a manager would press it (and in Canada) at personal risk of imprisonment, and that no action was taken about it (whether or not they later provided the data).

    If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.

    Uber are scumbags because courts like this allow them to be.

  3. Pretty common police 'tactic' for digital evidence by Wrath0fb0b · · Score: 5, Informative

    Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principles for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.

    Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them shift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.

    So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.

    [ And before we get all up about "Uber is evil" and so .., I'll just leave this here ]

  4. Re:Abuse of process is a MAJOR problem by Megol · · Score: 4, Insightful

    That isn't abuse. If there are reason to believe criminal acts are happening and people refuse to co-operate with legal requests the material can and will be confiscated. It isn't punishment nor harassment - it's called an investigation.

    It never cease to amaze me that people don't understand basics and instead push forward legal arguments that aren't generally even internally consistent.

    Police: "We have reason to suspect you are violating rule X and according to law Y we request that you produce the material Z as you are required"
    Unter: "Nope, we don't wanna - it wuld be harrussment"
    Police: "Okay, have a good day"

  5. Re:Exactly. by Frobnicator · · Score: 4, Insightful

    Except the cops had a warrant.

    Warrants allow for searches and seizures. And that is what police did. But a warrant for the machines doesn't mean the company needs to help officers access accounts, read the data, nor help by decoding or decrypting them.

    There are many legal tools if the authorities want to obtain specific documents and records. An unannounced visit to seize computer equipment is typically the worst of those tools. The searches are often sloppy and (for those who are prepared) the searches are easily overcome by measures like those in the story. Authorities love "snatch and grab" because the surprise often grants access to a wide range of other secondary data, also including ad-hoc statements and access to items that are nearby on whiteboards and both on and inside desks and at the time of the police break-in.

    The company still has a fight ahead, but the policy generally is a strong case that they were protecting user's data rather than obstructing justice. Agents had an order to seize computers, the computers were seized. If agents produce an order to produce specific documents, I'm sure they could be produced. They complied with the requests while also protecting private information of millions of customers. That isn't obstruction.

    If they actually destroyed their data, or if they altered or falsified data, those actions would be obstruction. But locking down records for proper data preservation and basic data security are not obstruction.

    --
    //TODO: Think of witty sig statement
  6. Re: If a remote network command can thwart police by another_twilight · · Score: 5, Insightful

    They're providing cheaper transportation fares despite gov't regulations that protect entrenched taxi companies from upstart competitors

    While avoiding paying taxes and paying their 'workers' less than labour laws require.

    They aren't shouldering a share of the costs of the community/society from which they are making money and they aren't paying enough to their workers to meet the requirements of the law. If the labour laws are poor, incomplete or even corrupt - change them. But a company making an end-run around them is not a useful solution.

    Government created/protected monopolies exist (ideally) in industries where competition would be harmful to the industry and/or society. Taxis are a good example of this. Unregulated competition creates a race to the bottom with desperate drivers in cars that are barely roadworthy competing to find a fare, then having to find a way to milk that fare to cover costs.

    However, these monopolies must be regularly challenged and scrutinised to prevent the sort of entrenched corruption that becomes almost inevitable. To that extent, I think start-ups that challenge monopolies are fantastic. But that becomes a fig leaf when the company is simply exploiting the community (no/low tax) and their workers (avoiding labour laws). The potential benefit of shaking up an entrenched player does not justify breaking the law, nor the sort of exploitation that the regulation/monopoly was created to prevent.