Where do you stand on tracking, hacking, eaves dropping and covert surveillance? The average man on the street most likely falls somewhere between “nothing to hide, nothing to fear” and “why would anyone bother to hack me?” So, the recent exposé in The New York Times about Uber’s Greyball software is particularly interesting in that it shows just how normal it has become.
In Uber you have an app that is so ubiquitous it has become a verb in its own right – if you live, work or spend time in any large cities, chances are you have it on your phone. And they’ve been caught up to some decidedly shady practices. Mike Isaac, of The New York Times has revealed how Uber has developed techniques and software to work around legal issues with their low-cost ride-hailing service Uber-X. In brief, authorities in some locations wanted to set up stings in order to catch Uber operating, as they considered it to be, illegally. To prevent them, Uber put in place technology and procedures to ensure those individuals were identified, and then placed on separate version of the app which offered them only ghost cars that would never show up.
How did they do this? The “violation of terms of service” or VTOS techniques included drawing a “geofence” around government offices and watching for users who frequently opened and closed the app (known as eyeballing) in such locations. Alongside this, and rather more intrusively, Uber examined the user’s credit card information to see if it is related to any tell-tale institutions such a police credit union.
According to Isaac, “In all, there were at least a dozen or so signifiers in the VTOS program that Uber employees could use to assess whether users were regular new riders or probably city officials.” But if these techniques proved inconclusive, employees would search the user’s social media profiles and other online content to try to identify them as a governmental official. Once that was established, they were tagged with code featuring the word “Greyball” and sent onto a ghost version of the app.
These practises were actually cleared by Uber’s legal team, with the tech/taxi firm stating "This program denies ride requests to fraudulent users who are violating our terms of service – whether that's people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret 'stings' meant to entrap drivers."
If that makes you uncomfortable, you’re not the only one – as coding teacher and blogger Quincy Larson puts it: “Take a moment to let that sink in. Uber is — thanks to its superior software — essentially above the law.”
So Uber is gathering all kinds of information about its users, and when these activities are brought to light, seem perfectly comfortable with their stance. This despite the fact that according to Peter Henning, a law professor at Wayne State University, it could be an intentional obstruction of justice, along with a violation of the federal Computer Fraud Abuse Act.
Consider also the fact that once they had identified an undesirable user, Uber could simply have banned them from using the app. However, as Isaac points out, this would have meant giving up the learning an insight they could gain from such users. That information is so important to Uber that they were prepared to create a dedicated alternative app, complete with ghost cars, to string along officials including police officers.
Against this backdrop it seems crazy to assume that the consumer apps so many of us let beyond our firewall are not collecting additional data on us for their own, unstated ends. If this is business as usual for Uber, what then of everything else on our phones? Can we trust WhatsApp not to share our data with owner company Facebook, for example?
What it comes back to again is the necessity to ask what is within our control, and what is happening beyond it. Whether it’s Uber, online shopping, or so called “encrypted consumer messaging” apps, the equation is clear: if it is not within your control, it can’t be fully trusted. Because right now, the Uber tagline “Everyone’s private driver” is beginning to look laughable.
Harvey Boulter, Chairman, Communication Security Group