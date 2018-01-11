Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) 25
schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.
Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'
We'll take all the computers in your office. No evidence? Guess we'll return next week when you bought new equipment.
By the way: Due to legal regulations, everything confiscated is forfeited. You pay your tax. One way or another.
Welcome to Europe.
With no network connection it's not possible to do a remote access to log out the users.
And if the visits are frequent enough then it would be pretty stressful.
Remember that the tax authorities always are right even if they are wrong.
I'm seeing more and more references to "a software." Would you like to buy a software with your hardware?
Sure
.. can you inbox me with the details?
IT WAS A SECRET TO EVERYBODY!
If your government is your adversary, I guess it's time to overthrow it and install one that is elected by the people for the people.
Oh wait...
This could just be as easy a using desktop virtualization and pulling the plug on access when needed. Keep the servers backing it in a different, more friendly country. There is no reason to have any data on local computers.
Uber. (Score:3)
So... obviously they were sued for contributory acts towards the obstruction of justice, no?
If not, why not?
Literally, the guy who phoned it in has deliberately obstructed justice, whether or not the company policy says to do it, or whether the system is entirely operated remotely, or even whether the data asked for was to hand. You can go to jail for decades for that offence alone, whether or not anything is found, which would make anyone think twice about paging that number, no?
I'm more concerned not that Uber did this (they're scumbags, we get the idea already), but that a manager would press it (and in Canada) at personal risk of imprisonment, and that no action was taken about it (whether or not they later provided the data).
If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.
Uber are scumbags because courts like this allow them to be.
I've always defended Uber against accusations of not having insurance (they documented that every driver is covered by a $1M policy while driving for Uber) and against being treated as a taxi (in the same way GrubHub, Eat24, and Delivery.com aren't restaurants or delivery services, but a service connecting an independent delivery restaurant with an independent customer).
Then, all kinds of bullshit started coming out of Uber.
I still say Uber as a business model is fine and sensible: you're using their s
Pretty common police 'tactic' for digital evidence (Score:4, Informative)
Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principles for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.
Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them shift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.
So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.
And before we get all up about "Uber is evil" and so
.., I'll just leave this here [youtube.com] ]
Having a company that can remote-wipe all of your systems with a single SMS actually sounds like a really handy service for a lot of people.
Maybe add an option for an additional fee to buy you a plane ticket to the Bahamas and a pair of sunglasses with a facial recognition confusion pattern.
... which would be pointless if the data was held remotely and the local access keys have been wiped or disabled.
Lots of companies have that (Score:3)
Did you think PriceWaterhouse et al would just give you everything just because some lowly policeman has a piece of paper?
They protect their clients with teeth and nails, like everybody.
They won (Score:2)
They've managed to erode several hundred years worth of hard fo