Slashdot Mirror


Uber Used Secret Spyware To Try To Crush Australian Startup GoCatch (abc.net.au)

Uber used a secret spyware program, codenamed Surfcam, to steal drivers from an Australian competitor with the aim of putting that company out of business. The startup was backed by high-profile investors including billionaire James Packer and hedge fund manager Alex Turnbull. ABC News reports: GoCatch was a major competitor to Uber when the U.S. company launched in Australia in 2012. At the time, both companies were offering a new way to book taxis and hire cars using a smartphone app. Surfcam was developed in Uber Australia's head office in Sydney in 2015. A former senior Uber employee has told Four Corners that the idea behind the use of the Surfcam spyware was to starve GoCatch of drivers.

"Surfcam when used in Australia was able to put fledgling Australian competitors onto the ropes," the former employee with direct knowledge of the program said on the condition of anonymity. "Surfcam allowed Uber Australia to see in real time all of the competitor cars online and to scrape data such as the driver's name, car registration, and so on." It allowed Uber to directly approach the GoCatch drivers and lure them to work for Uber. "GoCatch would lose customers due to poaching of its drivers draining their supply. With fewer and fewer drivers, GoCatch would eventually fold," the former Uber employee said.
GoCatch's co-founder and chief executive, Andrew Campbell, said Uber's tactics damaged the company. He said: "The fact that Uber used hacking technologies to steal our data and our drivers is appalling. It had a massive impact on our business. It sets a really dangerous precedent for the Australian economy and Australian businesses as well. It tells every multinational company to come to Australia and follow the same practice. As an Australian small business, a technology start-up business based in Australia that's improving efficiency and service levels in the taxi industry, to have a company come to Australia and get away with that type of behavior is ... it's disgusting."

A senior Uber source has confirmed the existence of Surfcam, saying it was developed by a staff member in the Sydney head office who modified off-the-shelf data scraping software. "They said the Sydney employee did it under his own authority, and that once Uber discovered this, they requested he stop," the report says.

76 comments

  1. Two wrongs there by SuperKendall · · Score: 5, Insightful

    What Uber did was abhorrent for sure.

    However, WHY did that other company have all of these details of drivers that could be scraped? I feel like they had an API that could be arbitrarily queried for cars on the road that gave out way too much information.

    Server API designers seem to never consider the importance of what they send, and how to protect the contents of what is being sent from a user that can easily install certificates or man in the middle attacks to inspect all traffic. How do you not expect competitors are trying to look at this information? Even if it were not officially sanctioned you know some software engineer at Uber would have been trying to see what competitive apps did just to understand how other people made systems work...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Two wrongs there by Anonymous Coward · · Score: 2, Insightful

      She shouldn't have been out by herself at night, especially not dressed like that. I mean it's practically her fault!

    2. Re: Two wrongs there by Anonymous Coward · · Score: 0

      Fuck that. Some Australian company stole Uber's idea and business model and implemented it before they could expand into the country.

    3. Re:Two wrongs there by Anonymous Coward · · Score: 2, Interesting

      I would guess for safety and usability. If everyone can see where your taxi is, it's harder for a driver to kidnap you. Tracking driver location is required for calculating routes, cost, and determining which to route to which pickup request. Allowing the passengers access to that information allows them to glance at their local area and estimate the chances and time frame for a pickup. In terms of passenger safety, it also helps prove the person claiming to be there to pick you up is actually the car you're supposed to get in and not someone trying to kidnap or scam you. It seems believable that the data is available on a website interface or through watching the network traffic of an app. The API could block someone when it sees them requesting everything, but with cloud computing or the resources of a business, it's trivial to send the requests from thousands of different computers. Even if it wasn't a public API, it would be easy to bribe one of the drivers to give them a copy of their tracking device/API or bribe a developer of the company. Uber has no problems using such tactics.

      Even in USA, I've been the target of taxi scams where a driver claims to be the one you pre-paid for then demands payment to leave the vehicle when you realize it's not the right person. I was told by the correct driver that it isn't too rare though not too common either. It happens, so verify someone trying to pick you up by directly calling them before getting into the car. If you end up talking over the phone to the person in front of you, good. If not, pretend you called a family member because you forgot something then leave that area immediately to go on this forgotten quest.

      If you use Uber, fuck you for supporting such a criminal organization.

    4. Re: Two wrongs there by Anonymous Coward · · Score: 0

      Is that illegal? If that is illegal then we wouldn't have competition. Every competitor follows the ideas of another company. You cannot copyright or patent an idea. Go fuck yourself you commie.

    5. Re:Two wrongs there by Anonymous Coward · · Score: 0

      Argued the insurance in a negligence hearing. Leave a bank vault open and see if the blameless victim show still gets you a payout.

    6. Re:Two wrongs there by Anonymous Coward · · Score: 0

      Since when is gathering names of employees and trying to poach them to come work for you "abhorrent"?

      When it is used on a large scale to shutdown your competitor. Uber should be banned from offering taxi services by the Australian courts, as punishment.

    7. Re:Two wrongs there by Anonymous Coward · · Score: 0

      Who left a bank vault open? And BTW there's a precedent in the relevant jurisdiction: a person taking money from an ATM which was uncontrollably spitting out money was convicted of larceny.

      More to the point circumvention is criminal under federal Australian law. Rather obviously, it's no defence (any more than it would be to sexual assault) to argue it was trivially accomplished.

    8. Re: Two wrongs there by Anonymous Coward · · Score: 0

      In the US, unlike in Australia, business models can be patented, crazy I know.

      Be that as it may, the egregious nature of the wrongdoing by Uber here, is evidenced by their desperate attempts to shift the blame to a single employee. Riiiiight.

    9. Re: Two wrongs there by astrofurter · · Score: 1

      Is there any reason to believe Uber extracted the driver info from GoCatch's API?

      Most drivers were probably running Android OS, which was designed from the ground up to facilitate snooping and data exfiltration. Uber likely took advantage of Android's insecure design to data rape GoCatch's drivers.

    10. Re: Two wrongs there by Anonymous Coward · · Score: 0

      That's one of the many reasons America is languishing in a four decade economic depression.

    11. Re: Two wrongs there by Anonymous Coward · · Score: 0

      Nothing was "stolen". If Uber's idea was so unique and original it would have applied for a patent. It didn't, because it wasn't. Uber has a number of competitors. What other tactics has it used against them if it was prepared to do this?

    12. Re:Two wrongs there by Software · · Score: 2

      My guess is that the software impersonated the app: request a pickup, and then when a driver matched, get the details of the vehicle and driver (so the pretend rider knows what vehicle to look for), then cancel the pickup.

    13. Re:Two wrongs there by Anonymous Coward · · Score: 0

      There is a point where enough sucking force is applied that something is hard to call a leak anymore. Was there an unsecured API or did Uber screen scrape a mobile app for position info and create fake fares to illicit more information?

      Do you know the sucking force, SuperKendall? Or should I call it a vacuum. Want to play vacuum the drapery with me Kendoll? Best go back to your room now.

    14. Re:Two wrongs there by Anonymous Coward · · Score: 0

      Yes. Public API is fair game.

    15. Re:Two wrongs there by Anonymous Coward · · Score: 0

      "illicit"

      That word. It does not mean what you think it means.

  2. Uber is a scumbag company since forever. by Anonymous Coward · · Score: 0

    Merge them with Nvidia to become "Uberscumbags" - seriously what the fuck.

    1. Re: Uber is a scumbag company since forever. by Anonymous Coward · · Score: 0

      I guarantee the idea was approved, encouraged and funded at the very most senior levels of the company. Don't let them fool you with their misdirection.

    2. Re: Uber is a scumbag company since forever. by Anonymous Coward · · Score: 0

      I concur. The VCs who own Uber almost certainly knew about and approved this tactic.

    3. Re: Uber is a scumbag company since forever. by Anonymous Coward · · Score: 0

      But, but... they said it was an unsanctioned act by a lone software engineer, and senior management shut it down as soon as they became aware of it. Obviously, after they had recruited enough of the drivers. It must have been that software engineer doing the recruiting too... /s

  3. The burden of evidence of recurring conduct... by Anonymous Coward · · Score: 0

    At Uber implies this is culturally ingrained and expected of employees even if executives find 'weasel word' ways to claim they did not endorse it 'on the record'.

    It really is time Uber gets shut down, its executive bros get executed, and a reminder is made to all corporations, both those operating in Australia and those worldwide that conduct such as this won't just be frowned upon, but will have harsh and permanent if not fatal consequences for the executives endorsing, allowing, or making it happen.

    1. Re: The burden of evidence of recurring conduct... by Anonymous Coward · · Score: 0

      Whatever you do, never sign a multi-hundred page agreement with anyone if the word über so much as appears buried on one page in the middle of the document. You become both a stooge and an accomplice to all sorts of criminal and unethical behavior

    2. Re:The burden of evidence of recurring conduct... by Anonymous Coward · · Score: 0

      A senior Uber source has confirmed the existence of Surfcam, saying it was developed by a staff member in the Sydney head office who modified off-the-shelf data scraping software. "They said the Sydney employee did it under his own authority, and that once Uber discovered this, they requested he stop," the report says.

      You can't blame Uber for what a rogue employee does! As all of us who develop software for a living are well aware, our employers have no interest in what the code we develop actually does, and we are simply left to do any damn thing we like without any supervision whatsoever.

  4. Who is the bad guy here? by youngone · · Score: 2

    It's so hard to figure out who I hate more, Uber or the Packers.
    Maybe I will just hope that the "billionaire James Packer" (the one who inherited all he has) gets scammed out of all his money and winds up living in a cardboard box, and all the Uber executives get prosecuted for fraud and thrown in prison.
    Yes, I know.

    1. Re:Who is the bad guy here? by Cmdln+Daco · · Score: 1

      I am definitely more of a Vikings fan.

    2. Re:Who is the bad guy here? by rtb61 · · Score: 1

      How about this, I know it will tickle your fancy. 'Your Drivers', what the fuck you corporate cunts, they are gig economy barely working workers, come or go as you please, since the fuck when do you 'OWN' them, they are not fucking yours, you do fuck all for them, they do all the work and you are just scummy middlemen taking the majority of the profits. Oh yeah, those workers are disposable nothings when you don't need them to make you money, oh but when you do, then they are 'YOUR' workers, you own them, your possession. The Packer genes right there in your face, scummy cunts.

      One side or the other, I am wondering why any gig economy barely working worker would ever accept exclusivity contracts, you would have to be an idiot.

      --
      Chaos - everything, everywhere, everywhen
  5. #DeleteUber by Sebby · · Score: 4, Insightful

    Seriously, Uber is the Facebook of the ridesharing world.

    --

    AC comments get piped to /dev/null
    1. Re:#DeleteUber by Anonymous Coward · · Score: 0

      Without even the plausible veneer of incompetent ignorance.... https://www.forbes.com/sites/kashmirhill/2014/10/03/god-view-uber-allegedly-stalked-users-for-party-goers-viewing-pleasure/

    2. Re:#DeleteUber by Anonymous Coward · · Score: 0

      Seriously, US companies behave the way they accuse the Chinese of behaving.

    3. Re:#DeleteUber by mjwx · · Score: 1

      Seriously, Uber is the Facebook of the ridesharing world.

      So no matter how shitty they get, no matter how much bad press there is about their misdeeds... People won't stop using them.

      Either that or you're saying that Facebook is losing hundreds of millions of dollars per quarter, I doubt Facebook is making a profit, but their costs aren't that great.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  6. Underpaid drivers by Anonymous Coward · · Score: 0

    Would not have worked if GoCatch wasn't using its drivers' lower ability to have full market knowledge against them.

    1. Re: Underpaid drivers by Anonymous Coward · · Score: 0

      Were they underpaying or was Uber overpaying? It's a well known tactic to offer better ONLY to wipe out the competition and then when you become a monopoly, offer poorer than the competitor did before. Want to complain then? You can't because by then they're the only ones offering that job!

  7. Here is a wild idea... by Anonymous Coward · · Score: 0

    Crimes are things that are generally agreed by the community to be things in the community's best interest to minimize.

    Using spyware to succeed in business is a crime.

    A crime's punishment should be related to the amount of actual damage, thus spying on countless people is a very grave crime indeed.

    Here is a wild idea. Prosecute the scumbags in charge to the maximum possible by law and get those who would harm the community off the streets.

    Too many people abuse power to harm, or not care about the harm they do. Let the punishment fit the crime including the scale of the crime.

    1. Re: Here is a wild idea... by Anonymous Coward · · Score: 0

      You misunderstand the nature of crime. Crime is whatever the law says it is. The law, in turn, is whatever the upper class wants it to be.

      Uber is owned by upper class twits, and was doing their bidding when it undertook this snooping campaign. Therefore the snooping was fully lawful.

  8. Corporate Espionage? by Sebby · · Score: 3, Interesting

    I don’t know what the laws are like in Australia, but this seems to me like a clear case of it.

    --

    AC comments get piped to /dev/null
    1. Re: Corporate Espionage? by Anonymous Coward · · Score: 0

      I doubt the prisons are as pleasant as their little spying cubicles with the imaginary glory holes

    2. Re:Corporate Espionage? by mjwx · · Score: 1

      I don’t know what the laws are like in Australia, but this seems to me like a clear case of it.

      Not with Australia's current government. They keep flip-flopping between corporate apologist/stooge/protector and wannabe Trumpite popularists but with limited success in either attempt, not that there's much difference between their two stances.

      Basically few Australians would know about this and the company wasn't big enough to make political donations, so no Australian politician would care.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
  9. ^ DUMBEST APOLOGIST EVER. by Anonymous Coward · · Score: 0

    Kendall seriously, you have to be the dumbest apologist troll on slashdot - and that's truly saying something.

    1. Re: ^ DUMBEST APOLOGIST EVER. by Anonymous Coward · · Score: 0

      If you say so

    2. Re: ^ DUMBEST APOLOGIST EVER. by Anonymous Coward · · Score: 0

      We all say so.

  10. Requested he stop? by phalse+phace · · Score: 2

    The source stated that the spyware program was developed by a staff member in the Sydney head office who modified off-the-shelf data scraping software.

    They said the Sydney employee did it under his own authority, and that once Uber discovered this, they requested he stop.

    According to the former senior employee, the Sydney developer of the spyware had moved from Sydney to Singapore at the time when Uber and Grab were fighting it out for dominance of the massive rideshare market in South-East Asia.

    They "requested" that he stop? Why didn't Uber fire him?

    Instead, it looks like they sent him to Singapore to help grow Uber's market share there, using the same dirty tactics.

    1. Re:Requested he stop? by Anonymous Coward · · Score: 0

      Exactly, documentation requests him to stop but over the phone it is a pat on the back, bonus and promotion.

    2. Re: Requested he stop? by Anonymous Coward · · Score: 0

      It's called scapegoating. They probably picked out somebody they didn't like and doesn't work there anymore. Then send him a big fat paycheck or threats against something unrelated he did wrong to keep him quiet about this. Bonus if he's now overseas so he can't be easily subpoenaed for questioning and persecution. Fuck Uber.

    3. Re:Requested he stop? by piojo · · Score: 1

      It sounds like he was scraping the web site of a rival company. Is that even unethical? The worst he could have done is ignored robots.txt, and I don't know whether that is considered serious in Australia. Was there some more serious breach which evaded my attention? The title mentioned spyware, but the article didn't.

      --
      A cat can't teach a dog to bark.
    4. Re:Requested he stop? by piojo · · Score: 1

      Ahh, he was using their app's API. Still, I'm not sure where the line is when using data you already have access to, but for an unintended purpose. I see crushing their competitor (so they can be a monopoly) as a bigger story than how exactly they used their competitor's APIs.

      --
      A cat can't teach a dog to bark.
    5. Re:Requested he stop? by Anonymous Coward · · Score: 0

      If someone leaves their door unlocked it is careless of them but doesn't make it legal to go in and rifle through their house and take photos of everything.

    6. Re: Requested he stop? by Anonymous Coward · · Score: 0

      Please stop. I'm giving you 2 years to stop this activity in Australia. Here's a promotion, and a transfer to Singapore. Don't disappoint us again.

  11. Encryption by Anonymous Coward · · Score: 0

    I bet if any of the programmers suggested encrypting all the data sent to and from the app, the managers would claim it would take too long, cost too much money and if they did approve it go for a cheap and fast to develop in-house program that would be easy to break.

  12. Theft is theft - even if done for business reasons by Anonymous Coward · · Score: 0

    How convenient that it was a rogue employee that implemented this. First of all it should be two employees if they're code reviewing properly. Secondly the code review should have raised questions about what was going into the source. What they'll do here is find a relatively poor performing employee and pin this on them to deflect attention away from the company. They were going to fire them anyway so this is a win-win and Uber doesn't have to admit guilt.

    It's also more than a little suspicious that Uber responded by "requesting he stop". Planting malware is a breach of ethics on the shallow end, and it's outright criminal hacking at the deep end. I would have expected any such actions to receive a swift dismissal or Uber would be complicit in illegal behavior. Also, how the heck did just one person manage to do all of this? This person likely isn't a hiring manager so they'd at least have to be working with a manager and someone in HR. Let's say he was fielding all the recommendations himself... I think HR would be a little suspicious that one person is making hundreds of recommendations.

    This explanation doesn't seem remotely plausible.

  13. Re: Theft is theft - even if done for business rea by Anonymous Coward · · Score: 0

    That's a first mover advantage, as they would describe it for impression management purposes

  14. Re: It's called "capitalism" by Anonymous Coward · · Score: 0

    I am positive lyft would behave the same way if they could

  15. Re:It's called "capitalism" by Anonymous Coward · · Score: 0

    Shut the fuck up, you ignorant, mouth-breathing Trumptard.

  16. Uber disavows everything! by Anonymous Coward · · Score: 0

    typical capitalism... if the project had worked and nobody figured it out, that employee would've been promoted.

  17. Re: It's called "capitalism" by Anonymous Coward · · Score: 0

    Feel the Bern, deplorable!

  18. That is not how you design that system by SuperKendall · · Score: 5, Interesting

    I would guess for safety and usability. If everyone can see where your taxi is, it's harder for a driver to kidnap you.

    You can have that without giving away the whole store. How can you claim a system is designed to be "Safe" when it somehow reveals personal details enough about a driver for Uber to find them and try to hire them? What is to stop a stalker from finding female drivers and doing whatever they like to them...

    I am just saying the company had a responsibility to the drivers that it sounds like they shirked, if Uber had enough data to find drivers that's a very bad sign for how well the company protected data. Who is to say they were not equally lax in protecting client data too...

    How is everyone OK with this? We must wake up and punish companies anywhere that leak personal data, for either employees or customers. It is way past time we stopped letting this kind of no-security bullshit slide, even (especially?) if the information is used against that company.

    Seriously, how can you support the lax security policies of this company as being OK?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:That is not how you design that system by Anonymous Coward · · Score: 0

      You know what else is lax, Kendoll's anise. That's what I like to call it, almost star shaped from the stretch marks.

  19. Re: It's called "capitalism" by Anonymous Coward · · Score: 0

    Uber did the same thing in the US to Lyft and got away with it. God mode, anyone?
      Lyft culture abhors these practices, so I fundamentally disagree with your assertion.

  20. Biased hyperbole, or am I missing something? by ikegami · · Score: 1

    So if I'm reading this correctly, Uber offered work to GoCatch drivers, drivers they identified using information published by GoCatch themselves. The fact that GoCatch didn't intend to be used that way doesn't make the tool "spyware" or otherwise nefarious. And the fact that it worked implied that Uber offered the drivers a good deal.

    1. Re:Biased hyperbole, or am I missing something? by Solandri · · Score: 2

      Presumably the part missing from the summary (I haven't read TFA) is that Uber offered better pay to GoCatch drivers to lure them away. And once GoCatch went bankrupt, Uber lowered the pay it offered to GoCatch drivers since they no longer needed to be competitive.

  21. Call them? by BankRobberMBA · · Score: 5, Insightful

    No. That would take forever and your call history would wind up full of those stupid disposable temporary numbers.

    For both Uber and Lyft, do this:

    If you are a passenger, open the door or look through the window and say "What's your name?"
    Your driver's name is right there on the app. With their picture. And I know the picture's not always great, but it's good enough to verify you have the right driver. And they will say their name.

    Drivers should do the same thing, although almost none of mine ever do. "What's the name on the account?"
    Allowing an incorrect passenger in your car is a surefire way to get cheated, and maybe robbed/raped/kidnapped/murdered as well.

    For both passengers and drivers, do not ask them to confirm their name: "Are you So-and-so?" Make them provide it: "What's your name/name on the account?"

    It's too easy for an opportunistic scammer to just go "Yep, that's me."

  22. the Death of Elaine Herzberg criminal trial by Joe_Dragon · · Score: 1

    If they take the safety driver to a criminal trial then all kinds of dirt can come out in it.

    https://www.azcentral.com/stor...

  23. Ah, Slashdotters by SlaveToTheGrind · · Score: 2

    It's popcorn-worthy to watch the usual "IF YOU WERE DUMB ENOUGH TO PUBLISH THE BITS, I CAN FREELY USE THOSE BITS HOWEVER I WANT" crowd get all up in arms about a corporation they don't like doing some competitive data scraping.

    Mod me down all you want -- it will remain hilarious.

  24. Still legal by Anonymous Coward · · Score: 0

    If Uber used information that was freely available on their app/website to poach drivers etc. that's not illegal. Unethical perhaps but not illegal.

    It's a different matter if GoCatch want to sue Uber for damage done to their business.

  25. Kendall you have never designed any real system. by Anonymous Coward · · Score: 0

    Kendall is security-retarded on every level. You have to be the dumbest apologist troll on slashdot - and that's truly saying something.

  26. Didn't use encryption by Anonymous Coward · · Score: 0

    ... off-the-shelf data scraping software ...

    Translation: GoCatch didn't use business-class encryption.

    The spyware could use an OS-level MitM attack, duplicating the data before it was sent to GoCatch. But it is unlikely that a majority of drivers (with iOS or Android) would download the same malware, making this vector unfeasible.

    The obvious answer is a single point of entry, where GoCatch servers were cracked (not 'hacked') and data duplicated "in real time".

  27. Employee poaching by Anonymous Coward · · Score: 0

    Nothing new here except the method to do it with.

  28. Anything goes with Uber by Anonymous Coward · · Score: 0

    The ride share industry is sketchy at best, saves the rider money but the unregulated part of it is problematic.

  29. Odd coinkydinks by sphealey · · Score: 2

    - - - - - - A senior Uber source has confirmed the existence of Surfcam, saying it was developed by a staff member in the Sydney head office who modified off-the-shelf data scraping software. "They said the Sydney employee did it under his own authority, and that once Uber discovered this, they requested he stop," the report says. - - - - -

    Odd coincidence how things like this just seem to keep happening to Uber. Darn shame that there are so many rogues in their organization; you'd think the world's largest monitoring and tracking system could identify and root out that sort of stuff.

  30. Why not both? by DrYak · · Score: 1

    But why don't the drivers keep both applications installed on their smartphones?
    In several countries (FR, CH), I've seen drivers using several parallel means to catch clients: Uber Driver, some other network popular locally, and even an actual *taxi* dispatcher.

    Local law about competition should prevent Uber from offering a different pay depending on if a driver works for another dispatcher or is exclusive to Uber.
    (And remember, Uber strongly wants to believe that the drivers are *contractors*, not *employees* - the drivers should legally be allowed to work with whomever they want)

    And local security features of Android should be able to block the Uber Driver app trying to crash other apps / block phone calls from taxi dispatcher. (It would be considered unacceptable practice if they somehow managed anyway).

    Aussie drivers could install both Uber's and GoCatch (and whatever else is popular down under) and serve rides as requests come.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  31. Capitalism + Lack of Ethics + Technology by v1s10nary · · Score: 1

    This is what happens when you combine capitalism, a lack of ethics, and technology. The end result is companies like Uber and Facebook. Unfortunately, the reality of modern times is that we value ethical companies as much as we value ethical leaders (in other words, we don't give a shit).

    --
    "The cause of fear is ignorance."
  32. Re:largest monitoring and tracking system could id by Anonymous Coward · · Score: 0

    So...the great Firewall of China?

    Or did you mean the NSA?