Bloomberg reports that Uber’s Chief Security Officer, Joe Sullivan, was also assigned the title of deputy general counsel. Bloomberg notes the importance of this designation: it “could allow him to assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.”
Kalanick “promoted” then-General Counsel Yoo to sideline her
As then-Genreal Counsel Salle Yoo pushed for Uber to comply with the law, then-CEO Travis Kalanick reassigned her from General Counsel to Chief Legal Officer. Kalanick styled this as a promotion, but Bloomberg says his “true intention was to sideline her from daily decisions” (based on assessment from two employees who worked closely with them).
Due diligence report on Otto and Anthony Levandowski revealed copying of Google information
Forensics firm Stroz Friedberg investigated the information Anthony Levandowski allegedly took from Google and whether or how it was destroyed. Stroz’s report conveys Levandowski’s admission that he had five discs of Google information which he says he destroyed (a claim Stroz was unable to verify).
Stroz found about 50,000 Google work emails on Levandowski’s personal computer, and there was evidence that he accessed some of the emails at about the same time he left Google, making it “difficult to believe” that he could not remember having those emails, as he claimed when interviewed.
Stroz found that Levandowski accessed certain Google files after his departure, then deleted them. Stroz also found evidence of Levandowski searching for instructions on secure file deletions, and telling coworkers to delete messages from him. These deletions are consistent with an attempt to destroy confidential Google information that Levandowski should not have had, but also consistent with a cover-up of information previously received and used.
A Google spokesperson said in a statement: “The Stroz Report unequivocally shows that, before it acquired his company, Uber knew Anthony Levandowski had a massive trove of confidential Waymo source code, design files, technical plans and other materials after leaving Google; that he stole information deliberately, and repeatedly accessed it after leaving Waymo; and that he tried to destroy the evidence of what he had done. In addition, Mr. Levandowski used his smartphone to take thousands of covert photographs of computer screens displaying Google confidential files. Knowing all of this, Uber paid $680 million for Mr. Levandowski’s company, protected him from legal action, and installed him as the head of their self-driving vehicle program.”
Fuel Card duplicate charges
Uber provided some drivers with “fuel cards” usable for gasoline, carwashes, and other services, at a discount, with charges deducted from future Uber earnings. Multiple drivers reported duplicate charges. Representative quotes:
“Double charged for gas with Uber card. Same transaction. Exact same time and date stamp. You took double from my earnings…The rep last night said they have had multiple calls for this same issue. That it would be cleared up by midnight. Today it’s still not fixed and the rep said he couldn’t do anything about it! Uber this is unacceptable” (September 6, Facebook, Florida driver).
“Gas card is very funny…Something is fishy about how this card works. Once I was triple charged and no one caught on until I bought it to Uber attention and the fixed it. I no longer want to use card” (September 2017, YouTube, Curtis J.).
“I was looking over my transaction history and there is two gas card purchases. Same amounts/ days. I was charged twice for 1” (June 28, Twitter).
“Hey my uber gas card was charge 3 times at the same time and day, but different days each” (June 28, Twitter, Oregon driver).
“It’s been 4 days since I wrote to customer care to review my fuel card charges, there were duplicate charges on it and I was overcharged, I have sent screenshots of duplicate charges but so far I got only one reply yesterday with copy pasted text that has nothing to do with what I asked for.” (April 4, Facebook, New York driver).
Drivers reported heightened difficulty resolving the problems because Uber told them to contact FleetCor, which operated the fuel card program. FleetCor in turn told them to contact Uber.
Drivers also reported that Uber and FleetCor suggested that the drivers conduct their own investigations into the disputed transactions such as interviewing merchants and requesting refunds from merchants. Most drivers found these approaches untenable, particularly because the fraudulent charges could occur at distant merchants far from where the drivers lived.
A further challenge for drivers is that many did not know how to contact FleetCor. The Uber-provided FleetCor card does not include a customer service phone number. Drivers would need to find the number in the original card materials that provided in an envelope along with the card — easily overlooked or discarded.
An October 5, 2017 report from The Capitol Forum (paid subscription required) analyzed these concerns and tabulated these and numerous additional driver complaints.
Portland “Regulation Evasion Audit” of Uber Greyball
In response to Uber’s Greyball blocking of government investigations, the Portland Bureau of Transportation (PBOT) prepared a 56-page audit report. Their summary:
In using Greyball, Uber has sullied its own reputation and cast a cloud over the TNC industry generally. The use of Greyball has only strengthened PBOT’s resolve to operate a robust and effective system of protections for Portland’s TNC customers.
PBOT continued:
As the agency responsible for ensuring the safety of TNC customers and the integrity of the TNC market, PBOT views Uber’s failure to comply with deep concern. This failure calls into question Uber’s commitment to comply in general with the City of Portland’s regulatory framework. It also raises questions about Uber’s ability to be a trustworthy partner in PBOT’s efforts to ensure that Portland’s TNC customers receive safe and reliable service.
PBOT searched for evidence of Uber continuing to use Greyball, or of Lyft doing so. They found no such evidence, though they noted that “It is inherently difficult to prove a negative.”
London Police said Uber “aware of criminal activity and yet haven’t informed the police”
In an April 2017 letter, the London Metropolitan Police questioned why Uber had not notified the police about criminal offenses known to Uber. The Police reported Uber refusing to provide information within its custody unless the police submit a formal request, and also refusing to report crime to the police because such reports may breach rights of a passenger. The Police questioned Uber’s approach, saying that Uber is “allowing situations to develop” that affect public safety, and noting also that the extra steps Uber calls for can impede prompt prosecution and ultimately lead perpetrators to go free.
The letter’s conclusion:
The significant concern I am raising is that Uber have been made aware of criminal activity and yet haven’t informed the police. Uber are however proactive in reporting lower level document frauds to both the MPS and LTPH. My concern is twofold, firstly it seems they are deciding what to report (less serious matters / less damaging to reputation over serious offences) and secondly by not reporting to police promptly they are allowing situations to develop that clearly affect the safety and security of the public.
Fuel Card charged drivers for unauthorized purchases; Uber refused to investigate
Uber provided some drivers with “fuel cards” usable for gasoline, carwashes, and other services, at a discount, with charges deducted from future Uber earnings. Multiple drivers reported unauthorized charges posting to their cards.
When drivers reported the problem to Uber, Uber told them that records indicated that the charges were requested with the driver’s PIN, so Uber declined to investigate or look up the charges. (One Uber response: “We’re sorry for any inconvenience this has caused you. I have checked our system and it shows that your PIN Code was entered for each transaction that you have mentioned. Since your PIN Code is unique to your Fuel Card, it is not eligible to file a dispute.”) But some drivers found that charges could be made without PINs. Moreover, skimmers and concealed surveillance devices allow attackers to obtain driver card details and PINs without authorization.
Drivers who requested a phone number for the fuel card issuer — necessary to file police reports in some jurisdictions — were rebuffed by Uber, whose staff said they contacted the issuer only by email.
Drivers report never receiving terms and conditions for the fuel card, noting that no such terms were included in the postal envelope that delivered the card. Requests for the terms through Uber support and in-person visits to Uber local offices were also unsuccessful. However, fine print on the back of each card said drivers were bound by the terms.
Representative complaints from Uber drivers on online discussion boards and social media:
• “I do not use the Uber Fool Card”
• “Veteran drivers call it the Uber Fool Card.”
• “I should have never gotten that damn Uber fuel card.”
• “HERE WE GO AGAIN WITH THE GAS CARD BULL$h!t AGAIN!!! F$%) ME!!”
• “Just cancelled my Uber fuel card because it took a huge chunk out of my earnings for this past week and left me with nothing but chump change, which I spent on gas. I’m better off using my debit card to pay for gas.” (=
Some drivers explained in greater detail:
UBER SHOULD BE ASHAMED BECAUSE INSTEAD OF INVESTIGATING THEY ARE SIMPLY TRYING TO COVER THIS UP!,, I have been trying to get UBER to correct the fuel card issue but they only blew it off saying the excuse about the driver pin code which is the pin that can be cloned and UBER has had the same issues across the USA! They haven’t investigated a video I sent that showed the tall male of Caucasian or Hispanic descent using the card on a NON-UBER vehicle that was a totally different color.
My fraudulent charges are now totaling over $400. This all started on March 22 and I still have not been refunded! They keep telling me that they are waiting on the credit card company to finish their investigation. I have filed a claim with my local police department and they said since the fraud happened in another state they couldn’t do anything so I should file a complaint with the DOJ. In order to do that you have to have a phone number of the company you are filing a complaint against so I asked Uber to give me the credit card company’s contact info. They said that they didn’t have it and that they only dealt with them through email. You know this is a lie because how would they not have the contact info for a company they do business with.
An August 29, 2017 report from The Capitol Forum (paid subscription required) analyzed these concerns and tabulated these and 30+ additional driver complaints.
Judge said Uber abused attorney-client privilege
San Francisco district Judge William Alsup criticized Uber’s practice of including lawyers in discussions strategically — using the lawyer’s presence to claim that discussions were privileged if Uber wants to keep the content confidential, but claiming that the attorney did not attend in the capacity of an attorney if that advances Uber’s interests. Alsup explains:
Uber has indulged in the slick practice of including its lawyers in meetings and communications and deciding after the fact if a lawyer was actually included for the purpose of providing legal advice, all in accordance with what happens to be convenient for Uber’s case. Where, as here, the contents of a meeting prove advantageous for Uber to reveal, it readily claims that the lawyer did not attend the meeting in their capacity as a lawyer. But where the contents of a meeting would hurt Uber’s litigation position, Uber is quick to conceal the facts under claims of privilege.
Alsup concluded that he will not “indulge this pattern of convenience.”
Full order from Judge William Alsup and full order from Magistrate Judge Jacqueline Scott Corley. Waymo v. Uber litigation docket.
Judge said Uber lawyers “misled the court”
San Francisco district judge William Alsup said he would tell the jury that Uber lawyers “misled the court” and withheld documents. He explained that he was “inclined to tell the jury…that [Uber] was ordered to come clean, ordered to come clean again, and did not come clean — finally in June or July came clean.” Alsup continued: “You misled the judge time and time again.”
Misrepresented its monitoring of employee access to data, steps taken to secure data
In a press release, the FTC summarized its privacy-related complaint against Uber.
For example, Uber told the public that the company “has a strict policy prohibiting all employees at every level from accessing a rider or driver’s data. The only exception to this policy is for a limited set of legitimate business purposes.” Uber claimed access was “closely monitored and audited by data security specialists on an ongoing basis.” Uber made strong claim in its privacy policy such as “We use the most up to date technology and services” to protect customer data, and “we’re extra vigilant in protecting” customer data” via “the highest security standards available.”
In contrast, the FTC found that Uber “has not always closely monitored and audited its employees’ access to Rider and Driver accounts” in that the security system “was not designed or staffed … effectively.” The FTC continued: “In approximately August 2015, Respondent ceased using the automated system it had developed in December 2014 and began to develop a new automated monitoring system. From approximately August 2015 until May 2016, Respondent did not timely follow up on automated alerts concerning the potential misuse of consumer personal information, and for approximately the first six months of this period, Respondent only monitored access to account information belonging to a set of internal high-profile users, such as Uber executives.”
The FTC also criticized Uber for letting engineers use shared access keys with full administrative privileges to all data in Uber’s Amazon Web Services database, rather than requiring that each program and each engineer use a separate key. Uber further failed to restrict access based on employees’ job functions, and failed to require multi-factor authentication to access data. Until March 2015, Uber stored sensitive personal information in AWS in clear text without encryption.