Uber’s Secret Tool for Keeping the Cops in the Dark
In May 2015 about 10 investigators for the Quebec tax authority burst into Uber Technologies Inc.’s office in Montreal. The authorities believed Uber had violated tax laws and had a warrant to collect evidence. Managers on-site knew what to do, say people with knowledge of the event.
Like managers at Uber’s hundreds of offices abroad, they’d been trained to page a number that alerted specially trained staff at company headquarters in San Francisco. When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence.
Most tech companies don’t expect police to regularly raid their offices, but Uber isn’t most companies. The ride-hailing startup’s reputation for flouting local labor laws and taxi rules has made it a favorite target for law enforcement agencies around the world. That’s where this remote system, called Ripley, comes in. From spring 2015 until late 2016, Uber routinely used Ripley to thwart police raids in foreign countries, say three people with knowledge of the system. Allusions to its nature can be found in a smattering of court filings, but its details, scope, and origin haven’t been previously reported.
The Uber HQ team overseeing Ripley could remotely change passwords and otherwise lock up data on company-owned smartphones, laptops, and desktops as well as shut down the devices. This routine was initially called the unexpected visitor protocol. Employees aware of its existence eventually took to calling it Ripley, after Sigourney Weaver’s flamethrower-wielding hero in the Alien movies. The nickname was inspired by a Ripley line in Aliens, after the acid-blooded extraterrestrials easily best a squad of ground troops. “Nuke the entire site from orbit. It’s the only way to be sure.”
Other companies have shut off computers during police raids, then granted officers access after reviewing a warrant. And Uber has reason to be cautious with the sensitive information it holds about customers and their locations around the world. Ripley stands out partly because it was used regularly—at least two dozen times, the people with knowledge of the system say—and partly because some employees involved say they felt the program slowed investigations that were legally sound in the local offices’ jurisdictions. “Obstruction of justice definitions vary widely by country,” says Ryan Calo, a cyberlaw professor at the University of Washington. “What’s clear is that Uber maintained a general pattern of legal arbitrage.”
“Like every company with offices around the world, we have security procedures in place to protect corporate and customer data,” Uber said in a statement. “When it comes to government investigations, it’s our policy to cooperate with all valid searches and requests for data.”
Uber has already drawn criminal inquiries from the U.S. Department of Justice for at least five other alleged schemes. In February, the New York Times exposed Uber’s use of a software tool called Greyball, which showed enforcement officers a fake version of its app to protect drivers from getting ticketed. Ripley’s existence gives officials looking into other Uber incidents reason to wonder what they may have missed when their raids were stymied by locked computers or encrypted files. Prosecutors may look at whether Uber obstructed law enforcement in a new light. “It’s a fine line,” says Albert Gidari, director of privacy at Stanford Law School’s Center for Internet & Society. “What is going to determine which side of the line you’re on, between obstruction and properly protecting your business, is going to be things like your history, how the government has interacted with you.”
About a year after the failed Montreal raid, the judge in the Quebec tax authority’s lawsuit against Uber wrote that “Uber wanted to shield evidence of its illegal activities” and that the company’s actions in the raid reflected “all the characteristics of an attempt to obstruct justice.” Uber told the court it never deleted its files. It cooperated with a second search warrant that explicitly covered the files and agreed to collect provincial taxes for each ride.
Uber deployed Ripley routinely as recently as late 2016, including during government raids in Amsterdam, Brussels, Hong Kong, and Paris, say the people with knowledge of the matter. The tool was developed in coordination with Uber’s security and legal departments, the people say. The heads of both departments, Joe Sullivan and Salle Yoo, left the company last year. Neither responded to requests for comment.
Ripley’s roots date to March 2015, when police stormed Uber’s Brussels office, say people with knowledge of the event. The Belgian authorities, which accused Uber of operating without proper licenses, gained access to the company’s payments system and financial documents as well as driver and employee information. A court order forced Uber to shut down its unlicensed service later that year. Following that raid and another in Paris the same week, Yoo, then Uber’s general counsel, directed her staff to install a standard encryption service and log off computers after 60 seconds of inactivity. She also proposed testing an app to counter raids. Workers in Uber’s IT department were soon tasked with creating a system to keep internal records hidden from intruders entering any of its hundreds of foreign offices. They used software from Twilio Inc. to page staffers who would trigger the lockdown.
The security team, which housed many of Uber’s most controversial programs, took over Ripley from the IT department in 2016. In a letter shared with U.S. attorneys and made public in a trade-secrets lawsuit against Uber, Richard Jacobs, a former Uber manager, accused the security group of spying on government officials and rivals. Jacobs’s letter makes an oblique reference to a program for impeding police raids. A 2016 wrongful-dismissal lawsuit by Samuel Spangenberg, another Uber manager, also references its use during the May 2015 tax authority raid in Montreal.
The three people with knowledge of the program say they believe Ripley’s use was justified in some cases because police outside the U.S. didn’t always come with warrants or relied on broad orders to conduct fishing expeditions. But the program was a closely guarded secret. Its existence was unknown even to many workers in the Uber offices being raided. Some were bewildered and distressed when law enforcement ordered them to log on to their computers and they were unable to do so, two of the people say.
Later versions of Ripley gave Uber the ability to selectively provide information to government agencies that searched the company’s foreign offices. At the direction of company lawyers, security engineers could select which information to share with officials who had warrants to access Uber’s systems, the people say.
Another option was contemplated for times when Uber wanted to be less transparent. In 2016 the security team began working on software called uLocker. An early prototype could present a dummy version of a typical login screen to police or other unwanted eyes, the people say. But Uber says no dummy-desktop function was ever implemented or used, and that the current version of uLocker doesn’t include that capability. The project is overseen by John Flynn, Uber’s chief information security officer.