Uber under fire for ‘Greyball’ program used to dodge enforcement officials

What do you do if you’re violating local government regulations and you know the local authorities are looking for you? Maybe you lay low. But if you’re Uber, you supercharge everyday “hiding” with an integrated assemblage of industrial-strength code, data analytics and whatever creative low-tech methods you can conjure up. So the New York Times reports, and Uber admits.

According to the Times, Uber unleashed its Greyball program “to identify and circumvent officials who were trying to clamp down on the ride-hailing service. Uber used these methods to evade the authorities in cities like Boston, Paris and Las Vegas, and in countries like Australia, China and South Korea.” In some locations, says the NYT, Uber’s services were being “resisted by law enforcement”.

In other locations, such as Portland, Oregon, local government was taking the position that the low-cost UberX service is illegal – a claim that Uber vigorously disagreed with and chose to disregard.

Greyball used roughly a dozen markers to tag city inspectors. Some potential giveaways: calls made near city government offices; quick and repeated opening and closing of Uber’s app; and credit cards linked to police credit unions. Knowing that law enforcement often ran its stings from dirt-cheap feature phones, Uber also sent employees to local retailers to “look up device numbers of the cheapest mobile phones for sale,” and then flag calls based on this information. When it still wasn’t sure, “Uber employees would search social media profiles and other information available online.”

If you were tagged, the Times reports:

Uber could scramble a set of ghost cars in a fake version of the app… or show that no cars were available. Occasionally, if a driver accidentally picked up someone tagged as an officer, Uber called the driver with instructions to end the ride.

All this was evidently pretty systematic, the Times says. Once Uber knew Greyball worked to deter law enforcement, its engineers “created a playbook with a list of tactics and distributed it to general managers in more than a dozen countries on five continents”. Looks like it worked: here’s a 2014 clip of Portland code enforcers trying and failing to catch Uber violating the city code.

Uber points out that Greyball has multiple uses in deterring violations of its terms of service, not all equally controversial. For example, it has used Greyball to protect drivers against physical attack – which has clearly occurred in some locations where local transportation providers have been threatened by its new service. So, too, Greyball attempts to halt “competitors looking to disrupt our operations”. From Uber’s standpoint, using Greyball to deter local code enforcement is a way to protect drivers from having their cars impounded for illegal commercial transport of passengers (oh, and also save Uber the costs of reimbursing them).

Legal observers in the US couldn’t say for sure if Uber’s actions were illegal (its own internal lawyers signed off, though some of the Times’s sources evidently had qualms). And Uber says that once city officials surrender and legalize the service, it ceases using Greyball to evade code enforcement.

Of course, all this once again raises the question: how might Uber wield the increasingly rich data patterns it can generate about your life and behavior? Might it ever geofence certain neighborhoods out of bounds, as traditional cab companies have been known to do informally? What are the implications of Uber’s massive data hoard even on those rare occasions when it’s trying to play nice?


 

Source: Naked Security – Sophos @ March 6, 2017 at 09:27AM
