Information Security, Top News

Massive Uber data scraping and secret servers exposed in Waymo suit



It’s old news that Uber has more legal troubles on its plate than its recently exposed attempt to cover up a 2016 breach that compromised about 57 million customer and driver records.

It was almost 10 months ago – 23 February 2017 – that Google parent company Alphabet’s self-driving-car unit Waymo sued the mega-ride-hailing company, alleging that around 14,000 pages of proprietary information downloaded by one of its former employees had made its way to Uber, which is also working on developing autonomous vehicles.

However, the plot has thickened over the past few weeks – so much so that a trial that was supposed to start last week in a California federal district court has now been delayed until February.

As news sites like Gizmodo, Ars Technica and Recode have reported, it is no longer just about 14,000 pages of intellectual property. It is about Uber having a unit, called Marketplace Analytics (MA), that allegedly spied on competitors worldwide for years, scraping millions of their records using automated collection systems and conducting physical surveillance.

It is about the company using “non-attributable” servers that couldn’t be traced to Uber to store that data. It is about non-attributable laptops, pre-paid phones and Mi-Fi wireless internet devices. It is about using “ephemeral” messaging services like Wickr and Telegram to communicate, so as not to leave the digital version of a paper trail that could damage the company in any legal proceeding.

This new information has come to light largely due to a 37-page letter written seven months ago by an attorney for Richard Jacobs, a former Uber security analyst who worked in the company’s global intelligence unit, but just turned over to the court last month.

As Gizmodo put it, “it’s possible Uber’s data gathering did not violate any laws – much of it occurred internationally, and the data was often collected from publicly-available websites and apps.” Indeed, scraping data in the intensely competitive ride-hailing industry is considered common – competitors reportedly do it to Uber as well.

But the letter from Jacobs which was expected to be made public today, besides noting the secret servers and messaging, accused Uber of, “using its competitive intelligence teams to steal trade secrets from Waymo and other companies.” And that goes beyond what has been at the heart of Waymo’s suit – that former employee Anthony Levandowski allegedly stole 14,000 documents just days before starting his own company, Otto, which Uber acquired in 2016.

Jacobs resigned from Uber abruptly on 14 April, after he was caught forwarding company emails to his personal email. He emailed his resignation with the subject line, “Criminal and Unethical Activities in Security,” and said he had been collecting the emails to blow the whistle on the company’s actions.

The 37-page demand letter from Jacobs’s attorney, Clayton Halunen, came three weeks later.



The Jacobs letters were explosive enough, and late enough (they should have been added to the case file as soon as Uber received them) to prompt Waymo’s attorneys to move for a delay in the trial, arguing that there was no way they could review them in time for the scheduled 4 December start. Judge William Alsup agreed, granting a two-month delay.

At a 28 November hearing on the postponement, Waymo attorney Charles Verhoeven quoted from a portion of the demand letter that said:

Jacobs is aware that Uber used the MA [Marketplace Analytics] team to steal trade secrets at least from Waymo in the United States… (and that) MA exists expressly for the purpose of acquiring trade secrets, code base, and competitive intelligence.

Jacobs, who testified at the hearing, walked back some of the contents of the letter, saying he had not fully read it and that some of what it described about Uber’s intelligence collection efforts was, “hyperbolic.”

Still, Judge Alsup was not happy:

You don’t get taught how to deal with this problem in law school. In 25 years of practice and 18 years in this job I have never seen such a problem.

The problem, the judge said, was much bigger than the late inclusion of the letters. It was that even though none of the allegedly stolen 14,000 documents, “hit the (Uber) server,” that was because they were likely being held on a “shadow” server – which would mean Uber was trying to withhold evidence. As he put it to an Uber attorney:

You stood up so many times and said, Judge, we searched our servers; these documents never hit a Uber server. You never told me that there was a surreptitious, parallel, nonpublic system that relied upon messages that evaporated after six seconds or after six days.

The server turns out to be for dummies, that’s where the stuff that doesn’t matter shows up. The stuff that does matter is going to be in the Wickr evaporate file. Any company that would set up such a surreptitious system is as suspicious as can be. You’re making the impression that this is a total cover up.

Uber’s deputy general counsel, Angela Padilla testified that there was no merit to the claims in Jacobs’s letter – that he was simply trying to extort money from the company.

But, as Judge Alsup noted, Uber agreed to pay Jacobs a $4.5m settlement – with $1m of that as a consulting fee for helping with an internal investigation at Uber, plus another $3m to his lawyer. And he wasn’t persuaded that this was done simply because it was a cheaper alternative and would eliminate the “distraction” of litigation. He told Padilla:

You said it was a fantastic BS letter… and yet you paid $4.5 million. To someone like me, an ordinary mortal… that’s a lot of money. People don’t pay that kind of money for BS. That’s one point. And you certainly don’t hire them as consultants if you think everything they’ve got to contribute is BS.

Alsup also ordered Uber to produce all documents related to ephemeral messaging services dating back to December 2015.

With the trial now about two months away, about the only thing that is clear so far is that “ephemeral” communication will apparently no longer be used by Uber. The company’s current CEO, Dara Khosrowshahi, acknowledged in a tweet that the company had used Wickr and Telegram before he arrived, but that Uber employees had been directed to stop using them as of 27 September.




Source : Naked Security



Previous ArticleNext Article
Founder and Editor-in-Chief of 'Professional Hackers India'. Technology Evangelist, Security Analyst, Cyber Security Expert, PHP Developer and Part time hacker.