By Dr Tristan Jenkinson
The Uber Files is a set of more than 124,000 files leaked to the Guardian, by an Uber insider. They have been the focus of a number of recent articles which have been published questioning the ethical nature of many of Uber’s activities.
Working in digital forensics, one of the things that struck me when I first starting reading some of the reports based on the Uber files, was the mention of a “kill switch” which, according to the Guardian, was used “to prevent police and regulators from accessing sensitive data during raids on its offices”.
I have advised clients on best practices on how to respond to dawn raids for many years. Much of the focus of dawn raid preparedness for companies lies in identifying the data sources that regulators and/or law enforcement may be interested in and ensuring that data is accessible and exportable if required. Putting in processes to prevent regulators and law enforcement from accessing data that they are lawfully entitled to collect is not typically going to be seen as a good move.
Though the Uber files leaks and related articles have brought Uber’s use of kill switch software to the attention of the public, it is not the first time that it has been reported on, with a number of related stories stemming from reporting by Bloomberg back in January 2018 which we will discuss further momentarily.
The recent Guardian article explains that “Uber developed its kill switch systems in the midst of a flurry of raids by police and officials”, suggesting that rather than a single tool, there were various systems in place. This does indeed appear to be the case, with a number of systems and approaches apparently in use.
In this article I explore what I found when I started digging for more information on the Uber kill switch. I look at the kill switch itself, related steps allegedly taken to avoid data getting to discovery, including interesting public information from ex-Uber employees, discuss some related eDiscovery issues from the Waymo v Uber case, and mention some of the legal considerations.
Brussels – March 2015
As mentioned above, on 11 January 2018, Bloomberg published an article (by Olivia Zaleski and Eric Newcomer) – the first report to mention regarding the kill switch technology that Uber was using (an archived copy of the article can be found here).
The article suggests that the protocols stem from a March 2015 raid on the Brussels Uber office by Belgian law enforcement in which the police gained access to a large amount of information including the payments system, financial documents and employee data. In response, the article continues, Uber’s general counsel Salle Yoo, took two actions.
- Yoo directed staff to encrypt devices, and for computers to be automatically logged off the system after just 60 seconds of inactivity.
- Yoo proposed developing an application which could assist them in their raid response.
The article reports that “Workers in Uber’s IT department were soon tasked with creating a system to keep internal records hidden from intruders entering any of its hundreds of foreign offices”.
The system which was devised was later nicknamed “Ripley” by those aware of its usage, a reference to the main character in Aliens, who has the pertinent line:
“Nuke the entire site from orbit. It’s the only way to be sure”.
While there had been allusions and oblique references to it prior to the Bloomberg article, this was the first time that information about Ripley was published.
How Ripley Worked
Shortly after the Bloomberg article, Marketplace.org published an interview with Zaleski, in which presenter Kai Ryssdal asked how Ripley worked, and when it was started:
Kai Ryssdal: All right, so do me a favor and tell me how this Ripley thing worked, would you?
Olivia Zaleski: Well, let’s imagine that you’re in an Uber office abroad, and you see the authorities, the tax authorities, coming, and they’re about to raid your office. You can see them through the window, or maybe security tips you off. As soon as you know that, say that you’re the general manager of the office there. You press a button on your phone and it routes to Uber’s headquarters in San Francisco. And there, a member of the security team initiates a program called Ripley that will shut down all the computers in your office abroad.
Ryssdal: So that when the tax authorities, or whoever it is, finally show up and they look at your computer, what do they see?
Zaleski: A blank screen. They can’t get in. And later iterations, they were able to get in, but they weren’t able to access the files that they wanted. So there were a few iterations of this program, but they were all designed to essentially keep files from being collected by authorities that usually had warrants.
Ryssdal: This goes back to an event in Brussels in 2015, right? explain that whole thing to us.
Zaleski: Yeah, the 2015 raid in Brussels was really when Uber realized, you know, that we have a problem on our hands. We’re getting targeted by authorities. They don’t like us, and we need to design something that will make it impossible for authorities to collect information on us when they come into our offices. So that’s what initiated the program, and after that they designed Ripley.
The January 2018 Bloomberg article also provided a few additional details on Ripley’s capabilities:
“The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices”
Montreal – May 2015
Zaleski and Newcomer’s January 2018 article also discusses what happened on a raid by Revenu Quebec on Uber’s Montreal offices which occurred in May 2015, just months after the Brussels raid.
“In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies Inc.’s office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event.
Like managers at Uber’s hundreds of offices abroad, they’d been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence.”
Revenu Quebec claimed that Uber had deleted information and tried to block them from getting access to information during the raid. According to the Canadian Broadcasting Corporation, during the ensuing legal battle with Uber, Revenu Quebec told the judge that:
“… on the day of the raid, smartphones and laptops seized appeared to have been remotely restarted and that data they were looking for was then encrypted from the company’s head office in San Francisco.”
In May 2016 (a year after the raid), judge Guy Cournoyer said of Uber’s conduct:
“[it] had all the characteristics of an attempt to obstruct justice.”
Samuel Spangenberg was a forensic investigator at Uber who was working at Uber’s San Francisco office during the time of the Revenu Quebec raid on the Montreal office. He was fired, and filed for wrongful dismissal in 2016.
As part of his claim for wrongful dismissal, Spangenberg made a declaration to the court, including information about Uber’s security policies – misuse of systems for tracking celebrities or ex-boyfriend/girlfriend/spouses, the vast amount of data collected for each ride requested using the app, and insecure storage of personal information. In addition, there were several sections of which appear to link with Uber’s approach to raids, and in particular the Montreal raid:
“… as part of Uber’s Incident Response Team, I would be called when governmental agencies raided Uber’s offices due to concerns regarding noncompliance with governmental regulations. In those instances, Uber would lock down the office and immediately cut all connectivity so that law enforcement could not access Uber’s information.”
“I would then be tasked with purchasing all new equipment for the office within the day, which I did when Uber’s Montreal office was raided”.
“… Uber routinely deleted files which were subject to litigation holds”.
From the above, it is not clear why new equipment would be required if Ripley was used to lock up devices, and/or remove access to company data stored elsewhere. But many aspects of Spangenberg’s declaration, back in 2016, appear consistent with the use of Ripley as has been reported elsewhere.
The “Jacobs Letter” (a Waymo v Uber eDiscovery Sidebar)
Samuel Spangenberg is not the only ex-Uber employee with a related story in the public domain. Richard Jacobs was the manager of global intelligence for Uber. He resigned in April 2017. According to the report of Special Master John Cooper (more on that shortly) in his resignation email which was sent to Uber CEO Travis Kalanick and General Counsel Salle Yoo:
“… [Jacobs] accused Uber of retaliating against him for his efforts to expose within the company certain alleged activities he believes were wrongful, unethical, and/or illegal”.
Uber’s Associate General Counsel in Litigation and Employment, Angela Padilla sought to receive clarification from Jacobs on those allegations.
In May 2017, a letter was sent from Jacobs’ lawyers to Padilla. The letter states that Jacobs “would be happy to provide additional information”.
The letter explains that Jacobs understood that Uber were particularly interested in his “assertions regarding destruction, spoliation and manipulation of discovery documents”. We will discuss the content in more detail shortly, but it is worthwhile first considering how the letter became publically available.
The letter became public (and known as the “Jacobs Letter”) as it was belatedly disclosed in the Waymo v Uber case alleging Uber stole trade secrets from Waymo regarding self-driving vehicles.
In the Waymo v Uber case the (eventual) disclosure of the letter led to the appointment of a Special Master, as it had not originally been provided with the main disclosure – despite its content appearing to be directly relevant, and damning for Uber. The Special Master was to consider if the Letter (and other related materials) should have been provided to the parties earlier. It was determined that indeed, it should have been.
Special Master Cooper pointed out in particular that there was no agreement between the parties to limit disclosure to only responsive data. Indeed, to demonstrate, Cooper quotes Uber counsel telling Waymo “Waymo has an obligation to conduct a reasonable search for responsive documents separate and apart from any search term negotiations” thereby, it would appear, obligating Uber to do the same.
Special Master Cooper then points out (my emphasis added) that:
Uber needed no such help in finding the Jacobs Materials. They were not stowed away in a large volume of data on some server. They were not stashed in some low-level employee’s files. Parties agree to use search terms and to look into the records of the most likely relevant custodians to help manage the often unwieldy process of searching through massive amounts of data. These methods are particularly called for when a party, instead of merely having to look for a needle in a haystack, faces the prospect of having to look for lots of needles in lots of haystacks. This needle was in Uber’s hands the whole time.
Despite his findings that the Jacobs Letter should have been produced, Special Master Cooper also notes that:
“Despite extensive discovery and multiple Court orders to produce an extensive amount of information related to the accusations in the Jacobs Materials, Waymo did not learn of their existence until after November 22, when the Court notified the parties that a federal prosecutor wrote a letter to this Court disclosing the gist of the Jacobs allegations”
According to this Reuters article, the Judge in the Waymo v Uber case, US District Judge William Alsup, was informed of the gist of the content of the Jacobs letter by the US Department of Justice. Reuters also report Alsup as telling Uber at the corresponding hearing:
“I can’t trust anything you say because it’s been proven wrong so many times… You’re just making the impression that this is a total cover-up.”
The Waymo v Uber case was ultimately settled, with Uber providing Waymo (part of Google) with a 0.34% stake in Uber, valued at around $245 million when calculated from Uber’s $72 billion valuation at the time (see for example this article).
The Jacobs Letter Content
The content of the Jacobs Letter supports suggestions that at least some elements of Uber were seeking to minimise data being discoverable, including the Ripley kill switch as well as other means, such as the use of ephemeral messaging and misuse of privilege markings.
The Jacobs Letter in the Waymo v Uber case details a number of tactics that Uber used with regard to their competitors, for further information see for example this Forbes article (which also provides a link to (a redacted) copy of the Jacobs letter itself.
Relevant to the discussions in this article, the Jacobs Letter also makes allegations about the conduct of Uber regarding discoverable data, specifically alleging that Craig Clark (Legal Director of Threat Operations) and Mat Henley (Director of Threat Operations):
“… led Uber’s efforts to evade current and future discovery requests, court orders, and government investigations”.
The letter goes on to state that:
“Jacobs then became aware that Uber, primarily through Clark and Henley, had implemented a sophisticated strategy to destroy, conceal, cover up, and falsify records or documents with the intent to impede or obstruct government investigations as well as discovery obligations in pending and future litigation”
Other accusations made by Jacobs regarding Uber’s approach to apparently obstruct (or at least complicate) discovery, include the encouragement of ephemeral messaging systems, of which the Letter states:
“Henley and Clark implemented this program of ephemeral and encrypted communications for the express purpose of destroying evidence of illegal or unethical practices to avoid discovery in actual or potential litigation”
Uber’s Response to the Jacobs Letter
The response from Uber was that Jacobs letter was simply created for Jacobs to extort the company. Angela Padilla is quoted as saying:
“Given the huge sums of money that Mr. Jacobs was demanding at the outset, I felt it was clearly extortionist especially given the low value of his claims”
“Ric Jacobs’ letter is nothing more than character assassination for cash. And Jacobs is nothing more than a failed Uber employee who underperformed and got demoted, and then retaliated against his supervisors and colleagues with a letter filled with distortions designed to line his own pockets. Jacobs took the good work my clients did and twisted it into something it wasn’t.”
Uber settled with Jacobs , paying him $2 million in cash, $1.5 million in stock and an additional $1 million for him to consult and cooperate with the company in any investigations for the following year. As reported by Forbes, Jacobs’ lawyers also received $3 million from Uber for their work.
Revisiting Ripley – Paris – November 2014
At the start of the article, we discussed the Bloomberg article by Olivia Zaleski and Eric Newcomer, and the interview with Zaleski in the Marketplace. In both those pieces, it was understood that Ripley developed after Uber’s Brussels office was raided in March 2015. However, additional information available in the Uber files suggests that the system may have been developed earlier – dating back at least to a raid in Paris in November 2014 by the DGCCRF (“Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes), the French competition authority.
Uber’s Lyon office had been raided 3 days prior to the Paris raid in November 2014, so the company could have been alerted that another raid was to be expected.
According to the Guardian, the Uber files show that on the day of the raid, Zac de Kievit, Uber’s Legal Director in Europe, sent an email to an IT engineer in Germany saying “Please kill access now”, receiving confirmation 13 minutes later.
The Guardian have also used new information from the files to fill out more information about what happened at the March 2015 raid in Brussels:
“Unlike in France, police took steps to ensure local staff could not communicate with Uber HQ back in San Francisco during the raid. Later that day, De Kievit emailed executives, including Kalanick: “Our team were detained and did not have an opportunity to raise the kill switch.””
In the March 2015 Brussels raid, although the kill switch could not be operated, Uber were able to lock some machines using “an administrative system called Casper”.
Casper appears to be a reference to the Casper Suite, which is (or at least was) a mobile device management tool. It has since has been rebranded as Jamf Pro, by its developers, Jamf Software.
An administrators guide dating from 2015 can be found online. On page 351, there is a listing of the remote commands, including “Lock Computer” which is described as “Logs the user out of the computer, restarts the computer, and then locks the computer… To unlock the computer, the user must enter the passcode that you specific when you sent the Lock Computer command”. It is also possible to send a wipe computer command.
Further Ripley Usage in 2015
The Uber files Guardian article describes further uses of the kill switch systems in place.
In Paris just days after the Brussels March 2015 raid, where Mark MacGahn (Uber’s chief lobbyist in Europe) said:
“Access to IT tools was cut immediately, so the police won’t be able to get much if anything”
In Amsterdam in April 2015, the Guardian report that there was further usage of the kill switch, with Travis Kalanick, then Uber CEO, sending an email, with company lawyers copied in stating:
“Please hit the kill switch ASAP… Access must be shut down in AMS”.
In Paris in July 2015, the Uber office was raided by the French tax inspectorate, prompting an exchange between Mark MacGahn and Thibaud Simphal, manager of Uber France:
“Use the ‘Zachary De Kievit’ playbook: try a few laptops, appear confused when you cannot get access, say that IT team is in SF [San Francisco] and fast asleep…”
With the response from Simphal:
“Oh yeah we’ve used that playbook so many times by now the most difficult part is continuing to act surprised!”
This includes suggestions that use of a kill switch after legitimate papers have been served could be illegal, and that in France, a non-automated kill switch could demonstrate a will to obstruct justice.
An argument that I have seen elsewhere that the kill switch usage could potentially amount to spoliation, though a potential counter argument would be that the data had not been deleted, it could just not be accessed from the devices.
Another point that has been made is that Thibaud Simphal’s response above (suggesting that Uber staff acted surprised when there was no access, while fully aware why and how access was cut), could in itself suggest that Uber staff were misleading law enforcement and regulators – potentially a secondary obstructive element in addition to the usage of the kill switch itself.
Response from Uber
The Guardian Uber Files site report that Jill Hazelbaker, Uber’s Senior Vice-President of Public Affairs stated:
“We have not and will not make excuses for past behaviour that is clearly not in line with our present values. Instead, we ask the public to judge us by what we’ve done over the last five years and what we will do in the years to come”
There is evidence to suggest that the Ripley kill switch (or variants thereof) were used quite regularly by Uber from 2015 to late 2016, and there are related attempts to limit data being discoverable or provided in discovery, as discussed by the Jacobs Letter. While there have been many comments, including from judges that Uber’s conduct appeared to amount to deliberate obstruction, they have never been charged with such an offence.
While usage of remote programs, such as Ripley or Casper have legitimate functions, for example disabling a machine in the event that it is stolen so that there can be no malicious access to material, there are significant legal considerations and concerns in deploying that technology to stop access to devices under lawful court orders, especially once such papers have been served or presented.
As discussed above, the best approach to prepare for dawn raids from regulators or law enforcement is to identify the data sources that regulators and/or law enforcement may be interested in, ensuring that data is accessible and exportable if required.