cover-ups – Uber Scandals

March 12, 2018March 14, 2018

Kalanick criticized SVP Whetstone for reporting escort bar visit to investigators

After Uber then-CEO Travis Kalanick and colleagues visited an escort bar and tried to cover it up when asked, one person who had been there contacted Rachel Whetstone, then Uber’s senior vice-president of communications and public policy, seeking guidance. Whetstone in turn reported the matter to Uber’s attorneys, who turned it over to Eric Holder, who was at the time investigating possible improprieties at Uber.

Business Insider described Kalanick’s response:

Kalanick was not pleased. As his head of PR, he felt Whetstone was supposed to be defending the company from stories like these, not be part of them.

BI continued, explaining how some at Uber saw Whetstone as “difficult to work with … or even irrational,” but others saw her “speaking truth to power”:

One employee described her as “intellectually honest.” Whetstone was already rich from her years at Google and wasn’t under the spell of potential wealth, which drove other top players at Uber. “That made her feel like she could speak truth to power with Travis,” a former executive said. “She wasn’t part of the group of yes-men who would never disagree with him.”

For her part, Whetstone had become disillusioned with Uber. In her role as a powerful woman in the company, she was someone who many troubled employees and other insiders felt comfortable venting to. As these people shared stories with her, Whetstone began to see Uber differently. She became angry.

She saw a company that needed to grow up, but that under Kalanick wouldn’t.

Ultimately Whetstone resigned and Kalanick accepted her resignation. BI reports that Whetstone’s exit package included millions of dollars worth of stock as well as keeping Whetstone on as a consultant to save face.

March 7, 2018April 12, 2018

Regulators sued Uber for failing to disclose data breaches

After a data breach in which hackers stole data from about 600,000 drivers globally, for which Uber paid a ransom to hackers but did not notify affected drivers, regulators pursued Uber’s violation of applicable law, including state laws about notifying those subject to data breaches.

The FTC filed a revised complaint adding additional concerns to a prior action against Uber. Uber responded by agreeing to expand its prior settlement with the FTC over charges that it deceived consumers about its privacy and data security practices. The FTC specifically criticized Uber for failing to disclose the breach to the FTC until November 2017, fully a year after the breach occurred, even though the FTC was already investigating other Uber data security practices.
Pennsylvania sued, threatening a penalty of up to $13.5 million ($1000 for each of the 13,500 Pennsylvania drivers affected).
The city of Chicago also sued (complaint), seeking $10,000 per day for each day that Uber violated the state’s disclosure ordinance, as well as $50,000 for violating the Illinois Consumer Fraud Act.

January 18, 2018

Kalanick asked security team to examine employee email for leaks

While on leave, Kalanick asked Uber’s security team to examine an employee’s email to see if that person was leaking information related to a damaging story.

See Bloomberg report.

December 15, 2017

Acting US Attorney confirmed a “pending criminal investigation” of Uber

A December 2017 letter confirmed a “pending criminal investigation” against Uber by the US Attorney’s Office of the Northern District of California. This was the first official confirmation of such an investigation.

The letter indicated that the US Attorney’s Office had interviewed ex-Uber security analyst Richard Jacobs. See Jacobs’ allegations.

December 2, 2017

Complained of “extortion” by a former employee, but paid $7.5 million anyway

When former employee Richard Jacobs sent a demand letter alleging possible criminal behavior by the Uber team where he previously worked, Uber viewed the claims as extortion. Uber deputy general counsel Angela Padilla said Jacobs’ claims were “extortionate.” Yet Uber paid Jacobs $4.5 million ($2 million upfront, $1.5 million in stock, and an additional $1 million to consult with the company and cooperate in any investigations over the course of the next year), plus an additional $3 million to his attorney.

Concerns resulting from Jacobs’ letter and the practices he reported

November 29, 2017February 11, 2018

Federal judge harshly criticized Uber and its lawyers

In Google’s lawsuit against Uber as to alleged theft of self-driving car technology, federal judge William Alsup offered a stern critique of Uber. In particular, Alsup criticized Uber’s Competitive Intelligence group and the company’s intentional concealment of its practices. Beginning with the fact that Uber “withheld evidence,” Alsup continued:

I can no longer trust the words of the lawyers for Uber in this case. If even half of what is in that letter is true, it would be an injustice for Waymo to go to trial.

Alsup specifically criticized Uber’s use of a system that deleted correspondence automatically, saying this was contrary to court instructions for producing relevant documents:

The server [that Uber searched] turns out to be for dummies, that’s where the stuff that doesn’t matter shows up. The stuff that does matter is going to be in the Wickr evaporate file.

Alsup expressed shock at Uber’s practices:

You don’t get taught how to deal with this problem in law school. In 25 years of practice and 18 years in this job I have never seen such a problem.

He continued after a second day of hearings:

I’ve never seen a case where there were so many bad things that—like Uber has done in this case. So many

Alsup said he plans to tell the jury about the new findings, including Uber’s concealment of its practices and intentional destruction of staff discussions:

That is going to hurt your case because any company that would set up that kind of system is as suspicious as can be. I don’t know how you are going to get around that.

November 29, 2017December 2, 2017

Market Intelligence team used surreptitious practices to prevent sensitive information from emerging in legal disputes

Uber’s Competitive Intelligence group used surreptitious practices to communicate with others in Uber in order to avoid creating digital records that could be used in future legal disputes.

Some employees used the Wickr service, which automatically deletes communications after a preset period.

Some employees used special devices for hiding communications. These “non-attributable” devices could not be easily traced back to Uber. Reporting from a hearing, a Tweeter reported Judge Alsup asking who supplied these devices to employees. An ex-Uber employee explained that Uber used third-party vendors so that the expense would stay off of Uber’s books.

The ex-employee confirmed the purpose of these methods: “to evade, impede, obstruct, influence several ongoing lawsuits against Uber.” He said email was a last resort because the messages could be used in litigation. He continued: “There was legal training around the use of attorney-client privilege markings on written materials and the implementation of encrypted and ephemeral communications intended to destroy communications that might be considered sensitive.”

November 23, 2017December 8, 2017

Regulators criticized company’s cover-up of data breach

After a data breach exposed information about 57 million user accounts and Uber covered it up (including paying hackers a ransom), multiple regulators criticized Uber’s response.

The FTC said it was “closely evaluating the serious issues raised.”

The New York Attorney’s General office said it opened an investigation of Uber’s actions. The Massachusetts Attorney General reported “serious concerns” about Uber’s conduct. Attorneys general in New York, Illinois, and Connecticut also opened investigations, as did the city of Portland, Oregon.

The UK Information Commissioner’s Office pointed out that “Deliberately concealing breaches from regulators and citizens could attract higher fines.” Current British law imposes penalties up to 500,000 pounds for failing to notify users and regulators about data breaches. More than 2.7 million UK users were affected.

Mexico’s National Institute of Transparency, Access to Information and Protection of Personal Data also criticized the breach and Uber’s response, seeking information about effects on Mexican citizens.

In addition, Uber faced three class action lawsuits alleging that it was negligent in its failure to protect consumer data.

November 21, 2017April 12, 2018

Covered up hack, paid hackers to delete data, and failed to disclose to regulators

In an October 2016 attack, hackers extracted names, email addresses, and phone numbers of 50 million Uber riders (details), as well as personal information about 7 million drivers (including 600,000 US drivers license numbers). Details from Uber. A subsequent FTC investigation found that more than 25 million names and email addresses, and more than 22 million names and phone numbers, were affected.

Uber did not tell the public about the hack or alert the affected drivers or passengers. Nor did Uber tell regulators, although at the same time Uber was negotiating with the US FTC about other claims of privacy violations. As of November 2017, when the attack was publicly revealed, Uber admitted that it was required to disclose the hack because driver’s license information was among the information taken.

Instead of disclosing the hack to regulators or the public, Uber paid the hackers $100,000 to delete the data and not tell anyone what had happened. The New York Times reported that Uber also pushed the hackers to sign nondisclosure agreements, and that the company “made it appear” as if the $100,000 payout had been part of a “bug bounty” program (paying hackers to find problems) rather than a response to hackers’ demands.

Uber then-CEO Travis Kalanick learned of the breach in November 2016, a month after it took place. Reuters indicated that new CEO Dara Khosrowshahi indicated only having learned about the problem “recently.”

Uber Chief Security officer Joe Sullivan oversaw Uber’s response to the hack. As part of Uber’s 2017 investigation of the situation, new CEO Dara Khosrowshahi fired Sullivan along with Craig Clark, who had been legal director of security and law enforcement (reporting to Sullivan).

Upon learning of Uber’s failure to disclose the privacy breach, multiple regulators criticized the company’s action and opened investigations.

Uber’s statement

In a December follow-up, Reuters reported that the hacker was a 20-year-old man from Florida.

October 21, 2017February 10, 2018

Sought to conceal embarrassing court proceedings from the public

In Google’s lawsuit against Uber as to alleged theft of self-driving car technology, Uber sought to hold a hearing in camera, closed to the public. Judge Alsup concluded that Uber sought confidentiality not for any proper purpose permitted under law, but to avoid embarrassment. From the court transcript for March 26, 2017:

Mr. Gonzalez (for Uber): Your Honor, the reason why we wanted it in chambers is because of the adverse impact that we think it would have on our client. If there’s a headline tomorrow saying this guy is asserting the Fifth Amendment —

The Court: Listen, please don’t do this to me again. There’s going to be a lot of adverse headlines in this case on both sides. And I can’t stop that.

[T]he public has a right — in fact, this whole transcript, I’m going to make it public.

Details in The Verge

Waymo v. Uber litigation docket