cover-ups – Page 2 – Uber Scandals

November 29, 2017February 11, 2018

Federal judge harshly criticized Uber and its lawyers

In Google’s lawsuit against Uber as to alleged theft of self-driving car technology, federal judge William Alsup offered a stern critique of Uber. In particular, Alsup criticized Uber’s Competitive Intelligence group and the company’s intentional concealment of its practices. Beginning with the fact that Uber “withheld evidence,” Alsup continued:

I can no longer trust the words of the lawyers for Uber in this case. If even half of what is in that letter is true, it would be an injustice for Waymo to go to trial.

Alsup specifically criticized Uber’s use of a system that deleted correspondence automatically, saying this was contrary to court instructions for producing relevant documents:

The server [that Uber searched] turns out to be for dummies, that’s where the stuff that doesn’t matter shows up. The stuff that does matter is going to be in the Wickr evaporate file.

Alsup expressed shock at Uber’s practices:

You don’t get taught how to deal with this problem in law school. In 25 years of practice and 18 years in this job I have never seen such a problem.

He continued after a second day of hearings:

I’ve never seen a case where there were so many bad things that—like Uber has done in this case. So many

Alsup said he plans to tell the jury about the new findings, including Uber’s concealment of its practices and intentional destruction of staff discussions:

That is going to hurt your case because any company that would set up that kind of system is as suspicious as can be. I don’t know how you are going to get around that.

November 29, 2017December 2, 2017

Market Intelligence team used surreptitious practices to prevent sensitive information from emerging in legal disputes

Uber’s Competitive Intelligence group used surreptitious practices to communicate with others in Uber in order to avoid creating digital records that could be used in future legal disputes.

Some employees used the Wickr service, which automatically deletes communications after a preset period.

Some employees used special devices for hiding communications. These “non-attributable” devices could not be easily traced back to Uber. Reporting from a hearing, a Tweeter reported Judge Alsup asking who supplied these devices to employees. An ex-Uber employee explained that Uber used third-party vendors so that the expense would stay off of Uber’s books.

The ex-employee confirmed the purpose of these methods: “to evade, impede, obstruct, influence several ongoing lawsuits against Uber.” He said email was a last resort because the messages could be used in litigation. He continued: “There was legal training around the use of attorney-client privilege markings on written materials and the implementation of encrypted and ephemeral communications intended to destroy communications that might be considered sensitive.”

November 23, 2017December 8, 2017

Regulators criticized company’s cover-up of data breach

After a data breach exposed information about 57 million user accounts and Uber covered it up (including paying hackers a ransom), multiple regulators criticized Uber’s response.

The FTC said it was “closely evaluating the serious issues raised.”

The New York Attorney’s General office said it opened an investigation of Uber’s actions. The Massachusetts Attorney General reported “serious concerns” about Uber’s conduct. Attorneys general in New York, Illinois, and Connecticut also opened investigations, as did the city of Portland, Oregon.

The UK Information Commissioner’s Office pointed out that “Deliberately concealing breaches from regulators and citizens could attract higher fines.” Current British law imposes penalties up to 500,000 pounds for failing to notify users and regulators about data breaches. More than 2.7 million UK users were affected.

Mexico’s National Institute of Transparency, Access to Information and Protection of Personal Data also criticized the breach and Uber’s response, seeking information about effects on Mexican citizens.

In addition, Uber faced three class action lawsuits alleging that it was negligent in its failure to protect consumer data.

November 21, 2017November 8, 2024

Covered up 2016 hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters indicated that new CEO Dara Khosrowshahi indicated only having learned about the problem “recently.”

Uber Chief Security officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

October 21, 2017February 10, 2018

Sought to conceal embarrassing court proceedings from the public

In Google’s lawsuit against Uber as to alleged theft of self-driving car technology, Uber sought to hold a hearing in camera, closed to the public. Judge Alsup concluded that Uber sought confidentiality not for any proper purpose permitted under law, but to avoid embarrassment. From the court transcript for March 26, 2017:

Mr. Gonzalez (for Uber): Your Honor, the reason why we wanted it in chambers is because of the adverse impact that we think it would have on our client. If there’s a headline tomorrow saying this guy is asserting the Fifth Amendment —

The Court: Listen, please don’t do this to me again. There’s going to be a lot of adverse headlines in this case on both sides. And I can’t stop that.

[T]he public has a right — in fact, this whole transcript, I’m going to make it public.

Details in The Verge

Waymo v. Uber litigation docket

October 13, 2017

Security officer designated as attorney

Bloomberg reports that Uber’s Chief Security Officer, Joe Sullivan, was also assigned the title of deputy general counsel. Bloomberg notes the importance of this designation: it “could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.”

October 13, 2017

Kalanick “promoted” then-General Counsel Yoo to sideline her

As then-Genreal Counsel Salle Yoo pushed for Uber to comply with the law, then-CEO Travis Kalanick reassigned her from General Counsel to Chief Legal Officer. Kalanick styled this as a promotion, but Bloomberg says his “true intention was to sideline her from daily decisions” (based on assessment from two employees who worked closely with them).

October 8, 2017November 27, 2017

Due diligence report on Otto and Anthony Levandowski revealed copying of Google information

Forensics firm Stroz Friedberg investigated the information Anthony Levandowski allegedly took from Google and whether or how it was destroyed. Stroz’s report conveys Levandowski’s admission that he had five discs of Google information which he says he destroyed (a claim Stroz was unable to verify).

Stroz found about 50,000 Google work emails on Levandowski’s personal computer, and there was evidence that he accessed some of the emails at about the same time he left Google, making it “difficult to believe” that he could not remember having those emails, as he claimed when interviewed.

Stroz found that Levandowski accessed certain Google files after his departure, then deleted them. Stroz also found evidence of Levandowski searching for instructions on secure file deletions, and telling coworkers to delete messages from him. These deletions are consistent with an attempt to destroy confidential Google information that Levandowski should not have had, but also consistent with a cover-up of information previously received and used.

A Google spokesperson said in a statement: “The Stroz Report unequivocally shows that, before it acquired his company, Uber knew Anthony Levandowski had a massive trove of confidential Waymo source code, design files, technical plans and other materials after leaving Google; that he stole information deliberately, and repeatedly accessed it after leaving Waymo; and that he tried to destroy the evidence of what he had done. In addition, Mr. Levandowski used his smartphone to take thousands of covert photographs of computer screens displaying Google confidential files. Knowing all of this, Uber paid $680 million for Mr. Levandowski’s company, protected him from legal action, and installed him as the head of their self-driving vehicle program.”

October 5, 2017November 26, 2017

Fuel Card duplicate charges

Uber provided some drivers with “fuel cards” usable for gasoline, carwashes, and other services, at a discount, with charges deducted from future Uber earnings. Multiple drivers reported duplicate charges. Representative quotes:

“Double charged for gas with Uber card. Same transaction. Exact same time and date stamp. You took double from my earnings…The rep last night said they have had multiple calls for this same issue. That it would be cleared up by midnight. Today it’s still not fixed and the rep said he couldn’t do anything about it! Uber this is unacceptable” (September 6, Facebook, Florida driver).

“Gas card is very funny…Something is fishy about how this card works. Once I was triple charged and no one caught on until I bought it to Uber attention and the fixed it. I no longer want to use card” (September 2017, YouTube, Curtis J.).

“I was looking over my transaction history and there is two gas card purchases. Same amounts/ days. I was charged twice for 1” (June 28, Twitter).

“Hey my uber gas card was charge 3 times at the same time and day, but different days each” (June 28, Twitter, Oregon driver).

“It’s been 4 days since I wrote to customer care to review my fuel card charges, there were duplicate charges on it and I was overcharged, I have sent screenshots of duplicate charges but so far I got only one reply yesterday with copy pasted text that has nothing to do with what I asked for.” (April 4, Facebook, New York driver).

Drivers reported heightened difficulty resolving the problems because Uber told them to contact FleetCor, which operated the fuel card program. FleetCor in turn told them to contact Uber.

Drivers also reported that Uber and FleetCor suggested that the drivers conduct their own investigations into the disputed transactions such as interviewing merchants and requesting refunds from merchants. Most drivers found these approaches untenable, particularly because the fraudulent charges could occur at distant merchants far from where the drivers lived.

A further challenge for drivers is that many did not know how to contact FleetCor. The Uber-provided FleetCor card does not include a customer service phone number. Drivers would need to find the number in the original card materials that provided in an envelope along with the card — easily overlooked or discarded.

An October 5, 2017 report from The Capitol Forum (paid subscription required) analyzed these concerns and tabulated these and numerous additional driver complaints.

September 28, 2017November 27, 2017

Portland “Regulation Evasion Audit” of Uber Greyball

In response to Uber’s Greyball blocking of government investigations, the Portland Bureau of Transportation (PBOT) prepared a 56-page audit report. Their summary:

In using Greyball, Uber has sullied its own reputation and cast a cloud over the TNC industry generally. The use of Greyball has only strengthened PBOT’s resolve to operate a robust and effective system of protections for Portland’s TNC customers.

PBOT continued:

As the agency responsible for ensuring the safety of TNC customers and the integrity of the TNC market, PBOT views Uber’s failure to comply with deep concern. This failure calls into question Uber’s commitment to comply in general with the City of Portland’s regulatory framework. It also raises questions about Uber’s ability to be a trustworthy partner in PBOT’s efforts to ensure that Portland’s TNC customers receive safe and reliable service.

PBOT searched for evidence of Uber continuing to use Greyball, or of Lyft doing so. They found no such evidence, though they noted that “It is inherently difficult to prove a negative.”