Friday, 3 March 2017

How Uber Used Secret Greyball Tool to Deceive Authorities Worldwide

quote [ Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was being resisted by law enforcement or, in some instances, had been outright banned.

The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials. Uber used these methods to evade the authorities in cities such as Boston, Paris and Las Vegas, and in countries like Australia, China, Italy and South Korea. ]

I'm not looking forward to the future of transportation if it's in the hands of companies like this.

MARCH 3, 2017
SAN FRANCISCO — Uber has for years engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was being resisted by law enforcement or, in some instances, had been outright banned.

The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials. Uber used these methods to evade the authorities in cities such as Boston, Paris and Las Vegas, and in countries like Australia, China, Italy and South Korea.

Greyball was part of a broader program called VTOS, short for “violation of terms of service,” which Uber created to root out people it thought were using or targeting its service improperly. The VTOS program, including the Greyball tool, began as early as 2014 and remains in use, predominantly outside the United States. Greyball was approved by Uber’s legal team.

Greyball and the broader VTOS program were described to The New York Times by four current and former Uber employees, who also provided documents. The four spoke on the condition of anonymity because the tools and their use are confidential and because of fear of retaliation by the company.

Uber’s use of Greyball was recorded on video in late 2014, when Erich England, a code enforcement inspector in Portland, Ore., tried to hail an Uber car downtown as part of a sting operation against the company.

At the time, Uber had just started its ride-hailing service in Portland without seeking permission from the city, which later declared the service illegal. To build a case against the company, officers like Mr. England posed as riders, opening the Uber app to hail a car and watching as miniature vehicles on the screen made their way toward the potential fares.

But unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled. That was because Uber had tagged Mr. England and his colleagues — essentially Greyballing them as city officials — based on data collected from the app and in other ways. The company then served up a fake version of the app populated with ghost cars, to evade capture.

Portland vs. Uber: City code officers try to ticket drivers
At a time when Uber is already under scrutiny for its boundary-pushing workplace culture, its use of the Greyball tool underscores the lengths to which the company will go to dominate its market. Uber has long flouted laws and regulations to gain an edge against entrenched transportation providers, a modus operandi that has helped propel it into more than 70 countries and to a valuation close to $70 billion.

Yet using its app to identify and sidestep the authorities in places where regulators said Uber was breaking the law goes further toward skirting ethical lines — and, potentially, legal ones. Some within the company who knew about the VTOS program and how the Greyball tool was being used were troubled by it.

In a statement, Uber said, “This program denies ride requests to users who are violating our terms of service — whether that’s people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret ‘stings’ meant to entrap drivers.”

Dylan Rivera, a spokesman for the Portland Bureau of Transportation, said in a statement: “We’re very concerned to hear that this practice continued at least into 2015 and affected other cities.

“We take any effort to undermine our efforts to protect the public very seriously,” Mr. Rivera said.

Uber, which lets people hail rides using a smartphone app, operates multiple types of services, including a luxury Black Car offering in which drivers are commercially licensed. But an Uber service that many regulators have had problems with is the lower-cost version, known in the United States as UberX.

UberX essentially lets people who have passed a cursory background check and vehicle inspection become Uber drivers quickly. In the past, many cities have banned the service and declared it illegal.

That is because the ability to summon a noncommercial driver — which is how UberX drivers using private vehicles are typically categorized — was often unregulated. In barreling into new markets, Uber capitalized on this lack of regulation to quickly enlist UberX drivers and put them to work before local regulators could stop them.

After the authorities caught on to what was happening, Uber and local officials often clashed. The company has encountered legal problems over UberX in cities including Austin, Tex., Philadelphia and Tampa, Fla., as well as internationally. Eventually, agreements were reached under which regulators developed a legal framework for the low-cost service.

That approach has been costly. Law enforcement officials in some cities have impounded or issued tickets to UberX drivers, with Uber generally picking up those costs on the drivers’ behalf. The company has estimated thousands of dollars in lost revenue for every vehicle impounded and ticket received.

This is where the VTOS program and the use of the Greyball tool came in. When Uber moved into a new city, it appointed a general manager to lead the charge. This person, using various technologies and techniques, would try to spot enforcement officers.

One technique involved drawing a digital perimeter, or “geofence,” around the government offices on a digital map of a city that Uber was monitoring. The company watched which people were frequently opening and closing the app — a process known internally as eyeballing — near such locations as evidence that the users might be associated with city agencies.

Other techniques included looking at a user’s credit card information and determining whether the card was tied directly to an institution like a police credit union.

Enforcement officials involved in large-scale sting operations meant to catch Uber drivers would sometimes buy dozens of cellphones to create different accounts. To circumvent that tactic, Uber employees would go local electronics stores to look up device numbers of the cheapest mobile phones for sale, which were often the ones bought by city officials working with budgets that were not sizable.

In all, there were at least a dozen or so signifiers in the VTOS program that Uber employees could use to assess whether users were regular new riders or likely to be city officials.

If such clues were not enough to confirm a user’s identity, Uber employees would search social media profiles and other information available online. If users were identified as being connected to law enforcement, Uber Greyballed them by tagging them with a small piece of code that read “Greyball” followed by a string of numbers.

When someone tagged this way called a car, Uber could scramble a set of ghost cars inside a fake version of the app for that person to see, or show that no cars were available. Occassionally, if a driver accidentally picked up someone tagged as an officer, Uber called the driver with instructions to end the ride.

Uber employees said the practices and tools were born in part out of safety measures meant to protect drivers in some countries. In France, India and Kenya, for instance, taxi companies and workers targeted and attacked new Uber drivers.

“They’re beating the cars with metal bats,” the singer Courtney Love posted on Twitter from an Uber car in Paris at a time of clashes between the company and taxi drivers in 2015. Ms. Love said that protesters had ambushed her Uber ride and had held her driver hostage. “This is France? I’m safer in Baghdad.”

Uber has said it was also at risk from tactics used by taxi and limousine companies in some markets. In Tampa, for instance, Uber cited collusion between the local transportation authority and taxi companies in fighting ride-hailing services.

In those areas, Greyballing started as a way to scramble the locations of UberX drivers to prevent competitors from finding them. Uber said that was still the tool’s primary use.

But as Uber moved into new markets, its engineers saw that the same methods could be used to evade law enforcement. Once the Greyball tool was put in place and tested, Uber engineers created a playbook with a list of tactics and distributed it to general managers in more than a dozen countries on five continents.

At least 50 to 60 people inside Uber knew about Greyball, and some had qualms about whether it was ethical or legal. Greyball was approved by Uber’s legal team, led by Salle Yoo, the company’s general counsel. Ryan Graves, an early hire who became senior vice president of global operations and a board member, was also aware of the program.

Ms. Yoo and Mr. Graves did not respond to requests for comment.

Outside experts said they were uncertain about the legality of the program. Greyball could be considered a violation of the federal Computer Fraud and Abuse Act, or possibly intentional obstruction of justice, depending on local laws and jurisdictions, said Peter Henning, a law professor at Wayne State University, who also writes for The New York Times.

“With any type of systematic thwarting of the law, you’re flirting with disaster,” Professor Henning said. “We all take our foot off the gas when we see the police car at the intersection up ahead, and there’s nothing wrong with that. But this goes far beyond avoiding a speed trap.”

To date, Greyballing has been effective. In Portland on that day in late 2014, Mr. England, the enforcement officer, did not catch an Uber , according to local reports.

And two weeks after Uber began dispatching drivers in Portland, the company reached an agreement with local officials that made UberX legally available in the city.
[SFW] [business] [+4 Interesting]
[by evil_eleet@9:23pmGMT]


sanepride said @ 9:40pm GMT on 3rd Mar [Score:1 Underrated]
Mostly I'm impressed by the scope and sophistication of this. Obviously Uber is doing it for corporate financial gain, but there's also interesting potential here for organized political subversion and resistance.
steele said @ 10:03pm GMT on 3rd Mar
Yes! That's exactly what this is, sanepride! :D Political subversion and resistance! Just because it's for corporate gain doesn't change that fact. When I'm going off on facebook for manipulating trends and news stories, that's because it's political subversion and resistance. When I'm suggesting people read Dark Money, that's because it's documented decades of political subversion and resistance. When I'm suggesting people read Who Owns the Future, I'm doing so because it discusses the future of things like this; Corporate gain in the form of political subversion and resistance.

When I'm saying shit like this. I'm really not doing so to be a dick. I'm being quite serious when I say many of the most vocal people here do not understand what the fuck is happening, the stakes that are being waged in how these companies are doing business, or the precedence they are setting in how future technologies are going to be received by the law and the public at large.

I apologize if it does come off as dickish, but I seriously can't explain 30 years of experience in the tech field in the small space of an SE comment. That's why I recommend a handful of books out of the hundreds I read per year.
sanepride said @ 10:45pm GMT on 3rd Mar
You have an interesting, much broader definition of 'political subversion and resistance' than I do. But I see what you're getting at.
steele said @ 11:03pm GMT on 3rd Mar
I promise, the more of my booklist you read and the narrower it would seem. Dark Money is basically about a multi-decade coordinated effort to dismantle the US government via influence and media manipulation, but Silicon Valley companies are doing the same thing by manipulating the medium people use to communicate and share media with each other. Unions and profit impeding protections are high on the hit lists of both sides.
sanepride said @ 11:15pm GMT on 3rd Mar
I'll try to squeeze it in. Yeah I know I razz on you for your excessive bookishness, but frankly I'm envious that you apparently have the time and inclination to put in all that reading.
I note that 'Dark Money' began as Jane Mayer's now iconic New Yorker expose on the Koch Brothers (first time most people heard of them), so in a way I already know a piece of the story.
steele said @ 12:01am GMT on 4th Mar
Thank you. Sadly, my reading has taken a major hit. Because of my grandfather's issues (he's mostly fine now) I only got out to the woods once since October. Then about two weeks ago my truck died in the middle of the interstate and I had to sell it. I've basically gone from a book every other day or so, to a 3 or 4 books a month. I'm going somewhat stir crazy. Brightside is, I'm getting a lot of coding done. So, yay, I guess :P
sanepride said @ 12:43am GMT on 4th Mar
Well yay for us I guess. 3 or 4 books a month still seems pretty luxurious to me. I can barely keep up with my New Yorker subscription.
steele said @ 1:19am GMT on 4th Mar
The future is coming fast, sanepride. There's still a lot of shit I need to learn.
arrowhen said @ 11:19pm GMT on 3rd Mar
It's political resistance and subversion, just not the cool kind.
steele said @ 12:09am GMT on 4th Mar [Score:4]
For many of the silicon valley folk, they think it's the cool kind. They think they're saving the world through a kind of techno-libertarianism where an oppressive government is the enemy, but the privatised authoritarianism (which they conveniently overlook) of Big Data and Big AI is the future. There's a lot of dissonance between what they believe and the actual impact they're creating.
damnit said @ 1:08am GMT on 4th Mar
It's not the intent. It's the impact that matters.
sanepride said @ 11:35pm GMT on 3rd Mar
Yeah, I get that, but in my first comment I meant the cool kind.
3333 said @ 12:42am GMT on 4th Mar

But Uber breaks the law it many/most of the cities it operates in. That's a much more concrete concern than this tantalizing, but less galling, bit of digital/contractual sleight of hand.

Post a comment
[note: if you are replying to a specific comment, then click the reply link on that comment instead]

You must be logged in to comment on posts.

Posts of Import
4 More Years!
SE v2 Closed BETA
First Post
Subscriptions and Things
AskSE: What do you look like?

Karma Rankings