Uber used data collected by its app and a tool called Greyball to help avoid authorities in markets where its service was being resisted or outright banned, according to a report from the New York Times.
The report describes Greyball as a tool that was part of a broader program called “violation of terms of service”—known as VTOS. Uber initially created the tool in 2014 to help identify people the company believed were using its service improperly. The program is reportedly still in use outside of the United States and was approved by Uber’s legal team.
In a statement released to the New York Times, Uber said, “This program denies ride requests to users who are violating our terms of service — whether that’s people aiming to physically harm drivers, competitors looking to disrupt our operations, or opponents who collude with officials on secret ‘stings’ meant to entrap drivers.”
What Is Greyball?
The Greyball tool was captured in action in a video recorded in 2014 by Erich England, a code enforcement inspector in Portland, Ore. At the time of the video’s recording, Uber was operating in the city without seeking permission, and England was taking part in a sting operation to catch the ridehailing service operating illegally.
In the video, England summons a car through the Uber app. The app typically displays the location of drivers on screen, which would then be used by the sting operating to identify cars. However England and many of his associates had been tagged by Uber through the Greyball tool.
The tool would cancel rides summoned by those who were tagged, and populate the app with spoofed cars that weren’t actually on the road in the city to deceive the sting operators and allow drivers to continue to operate and evade being reprimanded.
Uber has used the tool around the world, including in cities like Paris, Boston and Las Vegas, and in countries including Italy, Australia, China and South Korea.
According to the New York Times, the program was carried out by general managers appointed to a region when Uber would begin operations in a new city. Those managers would identify law enforcement agents and others who may attempt to shut down the ride hailing service in order to help drivers avoid being caught.
Uber also used a number of other technologies to operate outside law enforcement’s reach, including a geofencing technique that would create a virtual perimeter around the offices of law enforcement agencies. The company also noted users who frequently opened and close the app, which it believed indicated could be activity from government agencies.
Uber would look at the credit card information from registered users to see if that card was linked to an institution like police credit unions and searched social media profiles to identify if a person was involved in law enforcement.
The company also visited local electronics stores to look up the numbers of cheap mobile phones that may have been purchased by government agencies attempting to perform sting operations with burner devices.
If all of the programs failed and a driver accidentally picked up a member of law enforcement hailing a ride, Uber would call the user directly and provide them with directions on how to terminate the ride.
Kenneth Geers, senior research scientist at cybersecurity research firm Comodo, told International Business Times that open-source intelligence collection services are available to just about anyone if they know where to look, and “and it would be more surprising if greyballing, which is a good way to gain competitive advantage in today’s marketplace, was not happening every day.”
Geers, who serves as an ambassador for the NATO Cooperative Cyber Defence Centre of Excellence and is a former analyst for the U.S. National Security Agency, said that Uber can afford to take the risk of the legally dubious practice of greyballing because of the company’s massive, $70 billion valuation. He also said greyballing is considered “an acceptable business risk in the poorly-governed realm of cyberspace.”
Phillip Hallam-Baker, the vice president and principal scientist of Comodo, told IBT cities and municipalities will be able to pass ordinances to make Uber’s Greyball program illegal now that its existence is out in the open.
Even more important, according to Hallam-Baker, is the fact that law enforcement will now be able to develop policing strategies to combat Uber’s workarounds and reduce the effectiveness of the company’s programs.
“It is much harder to develop a program like Greyball than to defeat it,” he said. “The advantages Uber has had up until now is that many localities did not know that the technology was being used against them, and Uber’s interest in developing counter-enforcement strategies has been greater than the localities’ interest in defeating them. That is likely to change now. I would predict several entrepreneurs are cold calling municipalities offering to help them oust Uber for a share in the ticket revenues.”