Uber Used Another Secret Software To Evade Police, Report Says (bloomberg.com) 186
schwit1 shares a Bloomberg report: In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies's office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event. Like managers at Uber's hundreds of offices abroad, they'd been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they'd obtained a warrant to collect. The investigators left without any evidence.
Most tech companies don't expect police to regularly raid their offices, but Uber isn't most companies. The ride-hailing startup's reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That's where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven't been previously reported. The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver's flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. 'Nuke the entire site from orbit. It's the only way to be sure.'
Alternatively, if a mere network command can brick Uber in a region
... er, well, insert devastating finish here.
They're providing cheaper transportation fares despite gov't regulations that protect entrenched taxi companies from upstart competitors
While avoiding paying taxes and paying their 'workers' less than labour laws require.
They aren't shouldering a share of the costs of the community/society from which they are making money and they aren't paying enough to their workers to meet the requirements of the law. If the labour laws are poor, incomplete or even corrupt - change them. But a company making an end-run around them is not a useful solution.
Government created/protected monopolies exist (ideally) in industries where competition would be harmful to the industry and/or society. Taxis are a good example of this. Unregulated competition creates a race to the bottom with desperate drivers in cars that are barely roadworthy competing to find a fare, then having to find a way to milk that fare to cover costs.
However, these monopolies must be regularly challenged and scrutinised to prevent the sort of entrenched corruption that becomes almost inevitable. To that extent, I think start-ups that challenge monopolies are fantastic. But that becomes a fig leaf when the company is simply exploiting the community (no/low tax) and their workers (avoiding labour laws). The potential benefit of shaking up an entrenched player does not justify breaking the law, nor the sort of exploitation that the regulation/monopoly was created to prevent.
I'm my land the taxi industry was reregulated in 1990 and although there have been numerous small players comes and go the established players are still there with some additions. Cetianly not as profitable.
this was backed up by regulation: separate endorsements for licence, log books, police checks, in car cameras etc.
Uber did none of these until recently when the law was changed to help them and they are now fulfilling most of these conditions.
The other way Uber rip off their competitors is this whole 'r
We'll take all the computers in your office. No evidence? Guess we'll return next week when you bought new equipment.
By the way: Due to legal regulations, everything confiscated is forfeited. You pay your tax. One way or another.
Welcome to Europe.
With no network connection it's not possible to do a remote access to log out the users.
And if the visits are frequent enough then it would be pretty stressful.
Remember that the tax authorities always are right even if they are wrong.
If they're already going to these lengths, a cellular modem would be easy to add to their arsenal. If the main Internet feed cuts out, ping HQ and send over ingress/egress security cam photos. They could still lock down.
Surprisingly, Europe has not yet annexed Canada.
Well, surprising to you maybe. Not me. The Brits gave it up, the Crown not so much. And before you ask, Quebec isn't yet a part of France. Ask the French, and they will make it clear. Crystal. Clear.
Last time I looked Quebec was in North America.
Re: forfeited stuff
Where in Europe is this the case?
It certainly doesn't appear to be EU regulations. I know of lots of regulatory "raids" (you'd be amazed at the breadth of reasons that companies get raided, often not hanging or even moral-outrage stuff) and this isn't the general case.
Takes a bit of creative warrant writing, I give you that, but our judges generally know how to word it that you'll never see your computers again.
Even the cheapest clients add up over time.
And yes, you buying them back would be pretty useful, for, well, we have no real use for the computers other than finding someone to sell them to, so... we could also just agree that you pay every time we come and we forgo the process of carrying your shit out and back in again. Saves us the hassle and you the time, it's just so win-win...
Even the cheapest clients add up over time.
So do write-offs from seized equipment, that you can declare at any value you can document...
Any good accountant could turn seized equipment into a revenue stream.
You don't know how deductions work, do you? Further, how many more writeoffs does Uber need to zero out its profit? Oh wait, they're burning cash like mad already?
And no, you don't get to declare "any value you can document", you only get to declare the actual cost, often up to specific maximums.
You don't know how deductions work, do you?
I know really well how deductions work, apparently you don't know much about shady accounting practices some companies use.
And no, you don't get to declare "any value you can document", you only get to declare the actual cost
Right, "actual cost". Which is verified by what... Starting to understand yet? No? Can't help you friend.
Right, "actual cost". Which is verified by what... Starting to understand yet? No? Can't help you friend.
Actual cost, verified by the price on the invoice or receipt for the product when you bought it.
DOUBLE WHOOSH.
As I said, I cannot help you, when you choose not to see or think.
Right, "actual cost". Which is verified by what... Starting to understand yet? No? Can't help you friend.
Receipts.
Do you actively fucking enjoy being investigated for tax fraud?
Receipts.
Yes, because a piece of paper that may or may not be from some other company is SO ACCURATE.
It's not like those can be faked or perhaps the other company is ALSO owned by the same company that owns yours so, you know? You don't know?
Do you actively fucking enjoy being investigated for tax fraud?
*I* do not play those games because ended, crossing the IRS is a bad idea. But I have seen companies that, shall we say, fudge things. The fact you are arguing this is not possible makes you retarded. HIG
No, you'd need to be intelligent, understand what I am and am not arguing and have the fucking sense not to call people retards before you could help me.
But that's fine, you're probably too old to buy a fucking clue now.
Write-offs mean jack shit when you already pay no tax. And write-offs only reduce your profit and hence your taxes, they aren't magically money you needn't pay.
"Cheap" clients, plus monitors, keyboards, mice, conference room camera and mic setups, all networking gear and cabling, every flash drive found on the premises, every surge protector, every copier, fax machine and printer, etc.
Plus haul in a few employees and hold em as long as possible, threaten them with charges like obstruction of justice, destroying evidence, etc. Not sure what applies in Canada, but I"m sure there's plenty they could do if they wanted to.
That isn't abuse. If there are reason to believe criminal acts are happening and people refuse to co-operate with legal requests the material can and will be confiscated. It isn't punishment nor harassment - it's called an investigation.
It never cease to amaze me that people don't understand basics and instead push forward legal arguments that aren't generally even internally consistent.
Police: "We have reason to suspect you are violating rule X and according to law Y we request that you produce the materia
That's the difference between the US and Europe. In Europe, governments harass corporations trying to abuse the law, in the US, the governments conspires with corporations to abuse the law to harass the people...
You see, our judges tend to be quite level headed and sensible. It usually takes a LOT of convincing to have them write warrants, except for one thing: If they feel you're trying to bullshit them, they can get VERY creative.
Judges in Europe also tend to have a LOT more leeway when it comes to interpreting the law than in the US. Anything short of simply ignoring the law is pretty much fair game.
Separation of power is all fine and nice, but at the end of the day, pretty much all the power rests in the hands
Odd. Hasn't happened over here.
Maybe because you first of all would need to corrupt our judges. Which isn't as easy as in the US due to the way judges get appointed.
I'm seeing more and more references to "a software." Would you like to buy a software with your hardware?
Sure
.. can you inbox me with the details?
Most tech companies don't expect police to regularly raid their offices
Every non-government entity should treat the government as an adversary. Government agencies want to compromise everything.
If your government is your adversary, I guess it's time to overthrow it and install one that is elected by the people for the people.
Oh wait...
Constituents aren't part of the adversarial government triangle of checks and balances. At least, they're not supposed to be.
Then again, even congress (senators vs. representatives) was supposed to be adversarial (not necessarily, but they were supposed to represent different entities). Things have greatly changed in the U.S. (and elsewhere, of course). Our constitution has been subverted to the point where I guess the government does consider us "adversaries." Given that point, I say "bully for Uber."
Constituents aren't part of the adversarial government triangle of checks and balances. At least, they're not supposed to be.
Sure they are. Depending on the situation, a constituent might have the executive, or legislature, or courts working on their behalf "against" one or both of the other branches. You might have your congressional representative helping you out with the IRS, or you may ask the courts to help you out with something the executive branch is or isn't doing.
Your blood first.
No. We should try and neuter the current one first. Get it back to minding it's business, as intended.
We know the euros don't understand 'limited government', don't care.
We prefer to have a government that does its job. We understand that there are certain requirements for this to be possible. That means that taxes have to be paid to fund what they're supposed to do, and we also need to give them the ability to do it. It's pretty much the same that I'd expect to get at work. If I'm supposed to do a project, I need funding and I need the ability to command people to do what I need them to do to make the project work out. If I get neither money nor power, well, I will not be
This could just be as easy a using desktop virtualization and pulling the plug on access when needed. Keep the servers backing it in a different, more friendly country. There is no reason to have any data on local computers.
Except the cops had a warrant.
Except the cops had a warrant.
Warrants allow for searches and seizures. And that is what police did. But a warrant for the machines doesn't mean the company needs to help officers access accounts, read the data, nor help by decoding or decrypting them.
There are many legal tools if the authorities want to obtain specific documents and records. An unannounced visit to seize computer equipment is typically the worst of those tools. The searches are often sloppy and (for those who are prepared) the searches are easily overcome by measures like those in the story. Authorities love "snatch and grab" because the surprise often grants access to a wide range of other secondary data, also including ad-hoc statements and access to items that are nearby on whiteboards and both on and inside desks and at the time of the police break-in.
The company still has a fight ahead, but the policy generally is a strong case that they were protecting user's data rather than obstructing justice. Agents had an order to seize computers, the computers were seized. If agents produce an order to produce specific documents, I'm sure they could be produced. They complied with the requests while also protecting private information of millions of customers. That isn't obstruction.
If they actually destroyed their data, or if they altered or falsified data, those actions would be obstruction. But locking down records for proper data preservation and basic data security are not obstruction.
"If you treat the government as an adversary, trying to undermine them, then I would say you are experienced in dealing with them."
There, FTFY
I have to agree with rickb928 - a lot of people have reached a breaking point with government taxes and rules and regulations. It's not that they don't want to pay anything at all (well, there is that, too), it's that it's gotten to the point where all the rules and tax laws have gotten too burdensome - and not just for companies, but for people. Consider that not only are you paying taxes, but the more complicated the laws get the more you have to pay accountants to figure it all out for you... the "burd
Re: (Score:3)
So you're saying large businesses use all the tools available to them to stab their competitors in the back, including sweetheart legislation. And your solution is to remove all the constraints on businesses rather than impose more constraints on bigger businesses.. riiiight... totally logical... also, that doesn't refute my argument that cheating bastard corporations are why regulations are so complex, it pretty much proves it.
I know people who failed to treat the government as an adversary, who were asked by the police to come in and talk to them, and who did so because they had "nothing to hide" and wanted to cooperate. They ended up in jail for the weekend (with no evidence to hold them but the police knew they couldn't get out until a court hearing on Monday and wanted to "soften them up" and try to wring a confession out of them) and although they ultimately prevailed in the legal battle, they lost their college degree (col
So... obviously they were sued for contributory acts towards the obstruction of justice, no?
If not, why not?
Literally, the guy who phoned it in has deliberately obstructed justice, whether or not the company policy says to do it, or whether the system is entirely operated remotely, or even whether the data asked for was to hand. You can go to jail for decades for that offence alone, whether or not anything is found, which would make anyone think twice about paging that number, no?
I'm more concerned not that Uber did this (they're scumbags, we get the idea already), but that a manager would press it (and in Canada) at personal risk of imprisonment, and that no action was taken about it (whether or not they later provided the data).
If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.
Uber are scumbags because courts like this allow them to be.
I've always defended Uber against accusations of not having insurance (they documented that every driver is covered by a $1M policy while driving for Uber) and against being treated as a taxi (in the same way GrubHub, Eat24, and Delivery.com aren't restaurants or delivery services, but a service connecting an independent delivery restaurant with an independent customer).
Then, all kinds of bullshit started coming out of Uber.
I still say Uber as a business model is fine and sensible: you're using their service whether you're a driver or passenger. Nobody is trying to drive a stake into Lyft these days for doing the same sort of business (well, almost nobody).
I haven't come out to defend Uber in a long, long time because nobody's been attacking them based on what kind of business they want to pretend Uber is. Uber shit its own pants this time, and it never stopped shitting. Sexual harassment, corporate espionage, invasions of privacy, and now they've taken it all the way up to bona fide organized crime with countermeasures in place to impede investigators. They have a great business model, but they've ruined it with terrible business ethic.
Was anyone ever taken to court, charged and convicted of Sexual Harassment, or is this just another case of accusation and the label sticking?
Re: (Score:3)
It's a case of lots of complaints and circumstantial evidence from people testifying to the media, and the CEO at some point kind of suggesting he might step down because he let it go farther than it should. I think. So much of this shit has come through that I'm not 100% sure which specifics go where anymore, well aside from Uber's CEO mailing out to Corp-all that he's not allowed to have sex with anyone at company parties.
Disingenuous: cf forced arbitration clauses (Score:2, Insightful)
Was anyone ever taken to court, charged and convicted of Sexual Harassment, or is this just another case of accusation and the label sticking?
Yeah, because that's really an option for someone when Uber has a mandatory arbitration clause in their contracts disallowing you from taking your case to court. It makes a good soundbite to hollar "no court cases, no convictions, so innocent" but the reality is very different, and not just at Uber. If we ever get a government that cares about humans more than corpo
You're wrong, though - you can put an arbitration clause in your contract for civil matters, but not criminal matters. Sexual harassment is a criminal offense.
Yeah, because that's really an option for someone when Uber has a mandatory arbitration clause in their contracts disallowing you from taking your case to court.
If someone rapes or tries to rape you, no forced arbitration clause is going to prevent shit. (Unless the someone raping you is the government.)
Now, unless you are only looking to win $$ in a settlement and not have justice served, well, I think that speaks more about the alleged victim, doesn't it?
DDG [duckduckgo.com] might know?
And in the midst of this, does Lyft have the same problems with government and such?
Re: (Score:3)
Re: (Score:3)
If you're trading in Canada, you're liable to their laws and they are able to seize related equipment and data with your co-operation or not, and performing a deliberate act with the express intention of removing said access can only be construed as obstruction of justice and/or contempt of court depending on the court order. It's not even "open to interpretation"... it's quite clear that the only reason to use a facility that cuts off the system should the police come knocking is to stop the police seeing things you don't want them to see but that they may well be otherwise entitled to see.
Uber are scumbags because courts like this allow them to be.
While I agree with you, as TFA points out there is a hazy line between obstructing justice and not allowing access to material not in the warrant; as it points out in other cases Uber complied with the warrant after they had a chance to review it. A warrant should not be grounds for a fishing expedition just as a company should be eld accountable if they destroy evidence once they know it may be part of an investigation.
Doesn't mean Uber is not a bad actor but I do not think such things are cut and dry eit
An employee phoning head office to tell them the police have arrived is not a crime. It's perfectly reasonable behaviour. What the head office choose to do with that information is not the responsibility of the employee doing the phoning.
And once the records have been suppeoned, isnt not turning them over, regardless of where they located contempt of court?
Yes (or of congress, etc). Unless you're Hillary Clinton. And then it's just "a matter."
It's a fair cop. I do have contempt for courts. Particularly the ones with no jurisdiction, but not only.
If I were Uber, I'd fax them a copy of my junk. Go 'no presence, except drivers' in many nations. It's tough to be a 'half-outlaw'. Go for it Uber. Create your own payment system to avoid the inevitable attacks on money flows.
Exactly. Certainly better than 'strong central government', based on megadeaths in the 20th century.
Pretty common police 'tactic' for digital evidence (Score:5, Informative)
Normally if police want records, they have to subpoena them and the company has a chance to contest the subpoena in front of a neutral judge. The judge can sustain the subpoena, quash it entirely or tweak just parts of it depending on their view of what is relevant to the ongoing investigation and any other claim of privilege. Most importantly, after any challenges are made and ruled on, the subpoena requires the positive action of the company to produce the responsive documents. The judge overseeing the case can penalize the company and the principles for not producing the records fast enough, for withholding responsive documents. This includes fines to induce compliance (usually a per-day fine) and contempt proceedings for gross misconduct.
Increasingly, the police see all this judicial process as an impediment rather than part of working in a country that respects rule of law. So instead they get a warrant and try to seize all the records they want that way. A warrant is usually pretty broad ("any electronic devices capable of holding evidence" really means anything with a circuit board) and lets them shift through at their leisure. It's also something they can do and execute without notifying the company until it happens and litigate after the fact. But importantly, warrants (generally) do not require the company to actively assist anything. And if the police miss something relevant, that's on them, whereas in the subpoena case it's the company's responsibility to ensure that all responsive records are found.
So there are tradeoffs: the warrant is quicker but doesn't guarantee that you'll get anything meaningful -- it just entitles the police to search/seize whatever they find. The subpoena can drag on in court, but once upheld requires the company to do the heavy lifting and deliver the responsive records directly to the police.
[ And before we get all up about "Uber is evil" and so
.., I'll just leave this here [youtube.com] ]
Increasingly companies with deep pockets can evade the law through continual delays, impediments, and endless appeals, twisting the law to delay justice until it is moot. If a company like Uber can delay their judgement day a few years through these vile tactics it lets them illegally get the leg up on competitors and an opportunity to lobby for rule changes or even stack a few legislatures with candidates more favorable to them. Basically illegal actors can stay solvent longer than justice can stay effec
Subpoenas have time limits associated with them. Judges can hand out sanctions for raising frivolous challenges or not responding in a timely manner.
Remember that whatever rules you empower for the government to go after Uber, they can use to go after anyone else. That's the purpose of the quote from Bolt.
There is another salient difference between a warrant and a subpoena: a subpoena requires the cooperation of the target. The writ obtains that cooperation viathreat of punishment -- in fact that's the root of the word: sub poena -- under punishment.
However that threat is empty if you're never caught.
If subpoenas truly compelled a suspect to turn over evidence, you'd never have to do anything like a high stakes drug raid. You'd simply have the court issue a writ ordering the suspect to turn over all the drugs and related records and wait for your evidence to show up at the court on the appointed date.
So the choice of search warrant and subpoena in the case of a company like Uber depends on your estimate of their willingness to risk defying the law.
In this modern world going to a judge and contesting a subpoena pretty much guarantees data being deleted, purged, or just modified.
A proactive collection followed by challenges is common unless you're politically connected.
In this time of NSA snooping and privacy concerns, its amazing to see so many people siding with police raiding people and seizing documents by the millions to fish for evidence.
What was Uber's great crime again? Giving people car rides for money? What kind of person thinks heavy-handed government raids to interfere with car rides are legitimate and just?
Search Warrants exist for a reason. (Score:3)
If we take your ideas to their logical conclusion police lose search warrants as a tool and must rely on subpoenas. But if they're not allowed to do a forceful
Their tactics would lead a person to believe that this is some lawmaker looking to make life difficult for uber. Had they subpoenaed records it would be a pain for Uber to collect what was demanded, but their operations would continue. If the police use a warrant to "collect evidence" (IE every computer, phone, tablet, etc.) that sure as hell would slow them down for a while.
From a legal perspective, if the police come barging through my front door demanding my phone I don't believe I'm required to unlock
If Uber can be compelled to give access to records without a subpoena, we all can be. I'm not an Uber fan, but I don't have a problem with this behavior.
Did you think PriceWaterhouse et al would just give you everything just because some lowly policeman has a piece of paper?
They protect their clients with teeth and nails, like everybody.
Subpoenas require you to hand over evidence, this was not a subpoena. This was a warrant, you are not required to assist with a warrant. So no, PW would not "hand over everything" for a warrant. The cops have to come and get it. If all the computers are locked, they are on their own getting it.
There is a big difference.
Excellent. And we've come full circle, where this is a similar argument for or against encryption. The difference is, can the corporation (or individual, actually) delete data upon being served a warrant, or are they immediately guilty of obstruction etc. because they were aware of the warrant? Are they under any obligation to NOT destroy evidence when asked for it?
I'm even more glad I'm not a lawyer.
They've managed to erode several hundred years worth of hard fought worker & consumer protections in about 20 years...
20 years? Try 10
Let me hear you say that again (Score:2)
If you delete a file on your laptop in the course of a normal day that no police is interested in, clearly that cannot be obstruction of justice. Even if 2 weeks later someone tells you that file was relevant to some investigation.
If you actively push a police investigator with a valid warrant away from your computer and type a command to erase the laptop, clearly that could be called obstruction of justice.
Now, how about if you erase your file after you read in the news that your general industry is being investigated for some wrongdoing? How about as you see the police pull up to your house? They haven't given you any notice that your files are of interest to "justice". How about as they knock on the door?
Where is the line drawn?
The law actually does define it quite clearly in all of your clear cut examples.
Intent.
If you delete a file because you no longer need it and it's uglying up your desktop, then you've committed no crime. If a LEO comes knocking and you delete it because you don't want them to find it, congrats, you're going to jail if they find out. If you read about your industry getting investigated and delete it because you're done with it, you're fine. If you read about your industry getting investigated and delete i
If you read about your industry getting investigated and delete it "just in case we get investigated and we really don't want them to find it", congrats, you're going to jail if you get found out.
Nope, that's legal too. Plenty of places destroy business records so they can't be subpoenaed. Libraries started destroying patrons' borrowing records when the FBI started to come calling for them.
The only time you get into legal trouble for destroying records is _after_ you've been asked for them (legally).
So, calling Ripley seems an action likely to result in the files getting deleted.
Read the article. (I know, I know) Nothing was deleted. All of their computers/devices are encrypted, this protocol just logs out the user/shuts down the machine. No data deleted, the police just can't get to it at that time.
How do you know that they are cops? Toy badges and uniforms are cheap.
What a heart warming story! (Score:2)
Anytime the blood sucking leeches who contribute nothing are thwarted, I cheer.
The summary reports, "The investigators left without any evidence." They had a warrant, they could have grabbed the physical machinery. Depending on the type of data, they could have compelled the company to turn over access methods... Why no evidence?
Ah.
Because what they wanted was not physically present in the jurisdiction the warrant was issued in. They were trying to gain legal-on-their-side but likely considered unauthorized use and access of the company's intranet via an employee's existing login s
I'm both happy and sad about this. I hate seeing corporations fly above the law, but its about damn time that some body (company) stood up to the pay to play scheme that Taxi and other systems support. I will choose who I want to ride with, thank you very much. I am willing to accept the consequences if I choose poorly. Government needs to stay the hell out of it.
The down sides of an unregulated taxi market have already been demonstrated: bodies found floating in the East River. So a government entity steps in and takes over control of the market. Then, the previous players figure out how to game the system. In the end, the government maintains its monopoly on violence, allowing the lower level corruption to continue.
... like a two-bit criminal organization but instead of keeping their records out of the law's hand by igniting old-fashioned flash paper they're written on with a cigarette, they're using a digital equivalent by killing all the logins to Uber headquarters from the office that's called in. I can't see this scheme working for much longer.
... which would be pointless if the data was held remotely and the local access keys have been wiped or disabled.
Having a company that can remote-wipe all of your systems with a single SMS actually sounds like a really handy service for a lot of people.
Honestly, most MDM products can do this. I know AirWatch can.