The New York Times reported on March 3rd that Uber, for years, has engaged in a worldwide program to deceive the authorities in markets where its low-cost ride-hailing service was resisted by law enforcement or, in some cases, had been banned.
The program, involving a tool called Greyball, uses data collected from the Uber app and other techniques to identify and circumvent officials trying to clamp down on the ride-hailing service. Uber used these methods to evade the authorities in cities like Boston, Paris and Las Vegas, and in countries like Australia, China and South Korea.
Greyball was part of a program called VTOS, short for "violation of terms of service," which Uber created to root out people it thought were using or targeting its service improperly. The program began as early as 2014 and remains in use, predominantly outside the United States. Greyball was approved by Uber's legal team.
Uber's use of Greyball was recorded on video in 2014, when Erich England, a code enforcement inspector in Portland, Oregon, tried to hail an Uber car downtown in a sting operation against the company.
At the time, Uber had just started its ride-hailing service in Portland without seeking permission from the city, which later declared the service illegal. To build a case against the company, officers like Mr. England posed as riders, opening the Uber app to hail a car and watching as vehicles on the screen made their way toward the potential fares.
Unknown to Mr. England and other authorities, some of the digital cars they saw in the app did not represent actual vehicles. And the Uber drivers they were able to hail also quickly canceled. That was because Uber had tagged Mr. England and his colleagues, essentially Greyballing them as city officials, based on data collected from the app and in other ways. The company then served up a fake version of the app, populated with ghost cars, to evade capture.
I have never been a fan of Uber. I get the cheap fares. But there's an element of wild, wild west culture about Uber, drivers have complained publicly about the number of hours they must work to receive anything like a living wage – and now this program emerges from the shadows which seems to flout laws and regulations.
Uber is now in more than 70 countries and its valuation is close to $70 billion. But, from my foxhole, it appears to have crossed both ethical and legal lines.
In a statement, Uber said, "This program denies ride requests to users who are violating our terms of service — whether that's people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret 'stings' meant to entrap drivers."
Uber operates multiple types of services, including a luxury Black Car offering in which drivers are commercially licensed. But an Uber service that many regulators have had problems with is the lower-cost version, known in the United States as UberX.
UberX essentially lets people who have passed a background check and vehicle inspection become Uber drivers quickly. In the past, many cities have banned the service and declared it illegal.
The article details the clashes between Uber and authorities. Uber's Greyball tool was developed to weed out riders thought to be using its service improperly. This is where the VTOS program and the use of the Greyball tool came in. When Uber moved into a new city, it appointed a general manager to lead the charge. This person, using various technologies and techniques, would try to spot enforcement officers.
One technique involved drawing a digital perimeter, or "geofence," around the government offices on a digital map of a city that Uber was monitoring. The company watched which people were frequently opening and closing the app, known as eyeballing, near such locations as evidence that the users might be associated with city agencies. Other techniques included looking at a user's credit card information and determining whether the card was tied directly to an institution like a police credit union.
Enforcement officials involved in large-scale sting operations meant to catch Uber drivers would sometimes buy dozens of cellphones to create different accounts. To circumvent that tactic, Uber employees would go to local electronics stores to look up device numbers of the cheapest mobile phones for sale, which were often the ones bought by city officials working with budgets that were not large. In all, there were at least a dozen or so indicators in the VTOS program that Uber employees could use to assess whether users were regular new riders or probably city officials.
If such clues did not confirm a user's identity, Uber employees would search social media profiles and other information available online. If users were identified as being linked to law enforcement, Uber Greyballed them by tagging them with a small piece of code that read "Greyball" followed by a string of numbers.
When someone tagged this way called a car, Uber could scramble a set of ghost cars in a fake version of the app for that person to see, or show that no cars were available. Occasionally, if a driver accidentally picked up someone tagged as an officer, Uber called the driver with instructions to end the ride.
Uber engineers actually created a playbook with a list of tactics and distributed it to general managers in more than a dozen countries on five continents. At least 50 people inside Uber knew about Greyball, and some had concerns about whether it was ethical or legal. Greyball was approved by Uber's legal team.
Outside legal specialists said they were uncertain about the legality of the program. Greyball could be considered a violation of the federal Computer Fraud and Abuse Act, or possibly intentional obstruction of justice, depending on local laws and jurisdictions, said Peter Henning, a law professor at Wayne State University who also writes for The New York Times.
If I didn't like Uber before I learned about Greyballing, I like it even less now.
E-mail: email@example.com Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology