Uber Data Hack

Uber was hacked, losing data on 57 million driver and rider accounts. The company kept it quiet for over a year. The details are particularly damning:

The two hackers stole data about the company's riders and drivers -- including phone numbers, email addresses and names -- from a third-party server and then approached Uber and demanded $100,000 to delete their copy of the data, the employees said.

Uber acquiesced to the demands, and then went further. The company tracked down the hackers and pushed them to sign nondisclosure agreements, according to the people familiar with the matter. To further conceal the damage, Uber executives also made it appear as if the payout had been part of a "bug bounty" -- a common practice among technology companies in which they pay hackers to attack their software to test for soft spots.

And almost certainly illegal:

While it is not illegal to pay money to hackers, Uber may have violated several laws in its interaction with them.

By demanding that the hackers destroy the stolen data, Uber may have violated a Federal Trade Commission rule on breach disclosure that prohibits companies from destroying any forensic evidence in the course of their investigation.

The company may have also violated state breach disclosure laws by not disclosing the theft of Uber drivers' stolen data. If the data stolen was not encrypted, Uber would have been required by California state law to disclose that driver's license data from its drivers had been stolen in the course of the hacking.

Posted on November 27, 2017 at 9:13 AM • 56 Comments

Comments

AlanS November 27, 2017 9:34 AM

MA and NY AGs have already opened investigations as presumably there is a high likelihood that Uber violated their state data protection and disclosure laws.

Jeroen-bart Engelen November 27, 2017 10:07 AM

I read a lot about the implications for Uber in the USA, but since they have their international headquarters in Amsterdam they also fall under EU law, which tends to be more strict than US law for these kinds of privacy matters, and under Dutch law, which is also very strict when it comes to privacy (even more so than the EU law I think).

ThaumaTechnician November 27, 2017 10:20 AM

Really?

A company that since its inception treated its customers, employees/subcontractors, and local laws as chattel didn't 'do the right thing'? Where's my fainting couch?

Peter Peter November 27, 2017 10:59 AM

I am clearly seeing a joint venture of words here: bailout and bug bounty; bug bounty and bailout. This is exactly what the abbreviation FTC should prevent when expanded. The Federal Trade Commission cannot look at this as an “I am sorry crime” and claim to understand the proper usage of serial comma.

Rachel November 27, 2017 11:26 AM

AlanS
By context I take it your AG means Attorney General, but what are all the other double capitals you used?

Someone recently described the new Uber CEO as expressing outrage and shock, genuine surprise about all the funny biz, was a bit like someone taking over the German fascist party in the '40s and being amazed they really WERE up to no good - 'who whoulda thunk it??' Note my comment on Squid: this CEO knew for two months before telling the public. I believe it's 28 days to disclose? That means they accept liability.

handle_x November 27, 2017 11:29 AM


There's no possible jail time for corporate officers who signed off on this conspiracy, which is exactly what it was. They conspired with the hackers in a real sense to break the law, straight up. They paid them off in the process with company funds, no doubt lied about that. Uber Co would do themselves a HUGE favor to fire anyone around during that time, right the hell now. Even the new CEO knew for two months before it was released? There's no salvaging that judgment. This is criminal all around.

But let's face it once more, nothing real serious will happen to dissuade this behavior in the future. A few million in fines absolute tops. PG&E was found to have KILLED PEOPLE and covered up after the fact on the details - MORE THAN ONCE - and they've only paid a few dozen at a time. These are rounding errors. Can you imagine what a negligent individual would get for the deaths of 9 people in 1 incident, or giving cancer knowingly to a town of thousands of people en masse and covering it up? The death penalty would be on the table!

Where this kind of equity and justice is upheld as our highest standard, what standards are we really upholding as a society? Aren't we in fact programming the future generations to have nothing but seething contempt for these institutions as they fail ridiculously, purposefully almost, publicly over and over again in a charade that never seems to end and only gets worse and more absurd at once?


mark November 27, 2017 11:51 AM

How amusing that you should have a story on Uber. Over the T-day weekend, I was reading an F&SF that was a freebie at CapClave, and the lead story is about self-driving cabs in NYC. The story goes in a very sfnal way, but a *lot* of the intermediate story... the POV character came from DoD, and all the self-driving cabs by the current storytime are illegally using electronic countermeasures to slow down opposing cab companies' vehicles: screwing with GPS, open/closed streets, etc.

Do I suspect that once self-driving cabs are deployed, they won't be doing that within five years? You bet your sweet bippy....

DF November 27, 2017 11:51 AM

@Rachel,

They are postal abbreviations for the US States of Connecticut, Illinois and Missouri.

Sergey Babkin November 27, 2017 12:11 PM

Hey, they've TRACKED THE HACKERS DOWN AND ESSENTIALLY BEAT THEM INTO SUBMISSION. What stronger outcome could be expected? It's the best possible end result.

Iggy November 27, 2017 12:16 PM

Once again, I'm here to harp on the increasingly pressing need for online anonymous cash commerce. Too late you say? Impossible you say?

As the old saying goes, where there's a will, there's a way. All we need is the will.

Just for the record, I have tried using prepaid/gift cards online. They are more and more routinely treated as de facto terrorist activity and being rejected as payment causing orders to be cancelled by the vendor.

(Hey, where's the comment Preview button?)

Rachel November 27, 2017 12:20 PM

DF
Generous, thank you

HandleX

It does matter for a corporation because of reputation. Uber are overvalued by about 50%; they desperately need investors, court cases and licence bans are piling up, and they fantasise about going public (IPO), amongst other issues. It does have consequences.

Spencer November 27, 2017 12:33 PM

The statement "while it is not illegal to pay money to hackers.." is not always true. It's possible, and I heard this in a private conversation with someone senior at Homeland, that paying a ransom may get you accused of funding a terrorist organization, money laundering or other crimes.

Rachel November 27, 2017 12:53 PM

So Uber "tracked them down". Will they release their identity to authorities? Is it legal not to? And where's this NDA? I don't believe it. Sorry for multiple posts.

Lsuoma November 27, 2017 1:51 PM

And that is called paying the Dane-geld; but we've proved it again and again, that if once you have paid him the Dane-geld you never get rid of the Dane.

Winter November 27, 2017 2:06 PM

@Jeroen-bart Engelen
"(even more so than the EU law I think)."

The Netherlands has implemented most of the upcoming GDPR in law from 2016. But there is a good chance the lost data is not under Dutch jurisdiction.

He Haw November 27, 2017 3:06 PM

Am I the only one who thinks that Uber is being made the sacrificial lamb for all the sins of Silicon Valley? Uber's basic problem is that unlike Apple, Google, Facebook et al it is not too big to fail. So everyone can strut their stuff and look tough bashing Uber while the main criminals continue their crime spree unabated. They almost make me want to feel sorry for Uber and in this day and age I have learned that when someone wants me to feel sympathy for someone else I am in the process of being played for the fool.

Clive Robinson November 27, 2017 3:37 PM

The thing that worries me about Uber, is that whilst it's easy to have a more than justified pop at them, what is going on with other companies in the shadow Uber are throwing?

The sheer number of things Uber has done day after day, month after month, all very questionable suggests either they are an entirely rogue organisation, or they are just pushing the envelope that little bit harder.

If the latter, to what extent are other companies pushing the envelope and getting away with it because they appear small fry compared to Uber, thus journalists in effect give them a pass because they are not as newsworthy in total as Uber are.

As I've said before the US politicos and MSM treat the average citizen like they have the IQ of a sheep, the curiosity of a snail and the attention span considerably less than a goldfish is reputed to have... Thus the US only ever has one existential threat at a time, one bad boy computer firm, likewise other business sectors... After all we all remember the face hugging vampire squid, but what of the other financial organisations that were doing the same or worse?

Frank Wilhoit November 27, 2017 3:49 PM

This does NOT add up, at all, at all, at all.

Data destruction can never be verified.

$100,000.00 is chump change -- even more ridiculous than Dr. Evil's "One MILLLLLLLLLLION Dollars!"

No one involved is telling the truth.

hmm November 27, 2017 5:52 PM

@ Rachel

Oh they'd already blown their IPO valuation expectations many times over before this.
The secret God mode, the cheating of workers, the contractor/employee issues, office climate...

AFTER all that, this criminal bombshell drops. They KNOWINGLY prevented the public from realizing their data had been exposed through UBER NEGLIGENCE.

Whatever tiny regulatory act comes as a direct 1:1 result of this realization surely won't be of a size of itself to derail the company in any meaningful way if everything else to date hasn't already.

Other companies see UBER, see Trump U, see all these outright boldfaced frauds making MILLIONS OF DOLLARS PROFIT and in the end, nobody is actually held to any serious consequences or accounting for it.

What kind of message does that send to the shady eyed monsters around the bend?

hmm November 27, 2017 5:58 PM

"$100,000.00 is chump change" - exactly right, that makes no sense either.

And what, did they just blindly trust their ATTACKERS to do the right thing and delete the data since they'd been paid off to do so?

It's sitting in an AWS bucket somewhere right now, you know that right? Or sold already.

That $100,000 probably bought silence for a year, and the blackmail renewal came up and rather than have to pay another figure to KEEP IT SECRET, they decided to bite the PR bullet now instead because they got rid of Travis already and can just wash their hands of it, or so they no doubt think.

There ought to be an outright injunction day 1 when this kind of fraud is revealed.
THAT would get some attention.

The UBER board should get metal bracelets for the afternoon and get their mug shot, suspicion of conspiracy to commit fraud. You do it like that, and the truth comes out.

TJ November 27, 2017 7:17 PM

Uber is a privately held company in California. As such, California law applies first, so how are they going to get past the theft of data disclosure which is required within 30 days of discovery?

trey November 27, 2017 7:35 PM

> Uber is a privately held company in California. As such, California law applies first, so how are they going to get past the theft of data disclosure which is required within 30 days of discovery?

The NYT article is unclear about whether the data was stolen or copied. The same paragraph says the hackers "stole data" and Uber paid them to delete "their copy" of it. There was no mention of having to return it to Uber. Of course, I wonder whether Uber needed it anyway. Do they really need to keep drivers license data forever? And keep it online? It seems like the type of sensitive data they should delete as soon as they're done with it, i.e., after verifying the person is licensed to drive and their photo matches.

Rachel November 27, 2017 10:39 PM

Frank Wilhoit

Thanks for this. And the hackers didn't ask for bitcoin. But USD!?

Nicely said, Clive

hmm November 27, 2017 10:58 PM

"and Uber paid them to delete "their copy" of it."

Do people not watch movies from the 1950's 60's anymore?

Nobody deletes their copy lol. Who could prove they did?

Right before the credits roll they whip it out,

"You mean this?"

And the music plays.

The end.

Harrow November 27, 2017 11:01 PM

@trey: "Do they really need to keep drivers license data forever?"

Probably. Some authority or court might someday accuse them of contracting with unlicensed drivers during a certain period. Without this data their defense would look distinctly dodgy.

"And keep it online?"

No. That's just another example of the foolish, negligent, and unfortunately widespread fad of using the internet for what is essentially business internal communication.

tyr November 28, 2017 12:36 AM

Why does the cynic in me say to follow the money in this case?? It is far too easy these days to scream hackers and be believed while the so called ransom is moved into some offshore haven. Given the track record of the folks who claimed this it could be an insider scam.

@Rachael

You mean you haven't memorized all of the world's ubiquitous acronyms yet?

225 November 28, 2017 3:33 AM

Wait a company with a 6.5 billion dollar revenue needed to make a fake bug bounty to find $100,000?

Maybe I'm looking at it wrong, there must be plenty of hush money paid out in secret that doesn't make it to the news.

Rachel November 28, 2017 3:53 AM

Tyr

Not only is your handle a cool and appropriate mythological reference from my favourite of the traditions, but your contributions here are impeccably insightful, restrained yet expansive. For some stretches you don't appear and it would seem it is because you comment when useful and relevant, otherwise not. With all the utility and elegance of Bushido, you never waste a single word.
I simply love your comments and many times I have noted parts of them.

I don't quite follow your comment about acronyms. I'm sure it is not mocking me or even sarcasm. Rhetoric yes but with a grander truth, hidden and maybe to be revealed?

How do you feel about Uber vs the utility of their service?
PS: one A in Rachel

Ollie Jones November 28, 2017 6:14 AM

Outrage at visible companies like Uber and Equifax, while entirely justified, is getting in the way of dealing with this business of breaches.

Look, caches of secrets will leak. They will. Not even wealthy companies with strong tech teams (Uber a year ago before Susan Fowler wrote them up for executive approved groping) can keep secrets. Not even state actors with unlimited infosec budgets can keep secrets. I can't keep my kids from learning the passcode to my mobile phone.

The next generation of infosec requires us to confront the truth that data will leak.
Solving this problem well means several things. I'm pretty sure this all comes under the heading of Dr. Schneier's "defense in depth"

1. Good perimeter security. (We focus on that issue these days, and screech loudly when it fails.)

2. Small numbers of secrets in each data cache, so if the perimeter security fails the size of the leak is less, and the damage is limited.

3. Secrets of limited value. For example, properly hashed passwords are limited-value secrets. Transactions from chip-and-pin payment card terminals are limited-value secrets. USA taxpayer IDs are not limited value secrets.

Hoarded exploits for attacking mass market operating systems are very valuable secrets indeed. They are probably too dangerous to keep in a cache of secrets.

4. Exfiltration alarms and other ways of alerting the holders of secrets to leaks. For example, banks monitor bogus charges to payment cards, and go on darkweb forums to try to buy their own stolen cards.

5. A liability system for leaks of secrets. This can be similar to workers' compensation or to the fund for compensating people injured by vaccines. This should come with a requirement for holders of caches of secrets to help fund the system.

6. Criminal penalties. The liability system should come with criminal penalties for officers of companies that don't help fund the system (that refuse to pay premiums to the data-insurance fund). Criminal penalties already exist: in the USA health care (HIPAA) world, penalties for breaches explicitly "pierce the corporate veil", making people responsible for breaches personally liable. That can be done for other caches of data too.

Jumping directly to the criminal penalties part of this without establishing the rest simply won't work.

Clive Robinson November 28, 2017 8:12 AM

@ BF Skinner,

You are still with us ;-)

I was just talking about you a couple of days ago, and up you pop B-)

How are,the pigeon feet, nicely fried?

AlanS November 28, 2017 8:17 AM

@Clive

As I've said before the US politico's and MSM treat the average citizen like they have the IQ of a sheep, the curiosity of a snail and the attention span considerably less than a goldfish is reputed to have... Thus the US only ever has one existential threat at a time, one bad boy...
Shouldn't you be preoccupied with the evil Taoiseach or a mixed-race divorcee or something at the moment?

Siegfried November 28, 2017 8:42 AM

@Ollie Jones:
> 4. Exfiltration alarms

If a company stores data caches that include login credentials, how about filling the data with fake accounts so that whenever someone uses any such account it would trigger an alarm? I am sure this "honeypot data" could be used with more than just login credentials, and in very creative ways. One could have totally fake accounts, but also fill real accounts with some carefully chosen bits of honeypot data.

Of course, that means storing somewhere else which data is real and which honeypot. Ideally in a way that, even if someone stole this "correspondence data", it should not be obvious how to use it to establish if a specific record is real or honey.

I am sure someone thought about that.
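Two of the measures discussed above can be shown in one small piece of code: passwords kept as limited-value secrets (Ollie Jones's item 3) and Siegfried's honeytoken accounts as an exfiltration alarm (item 4), with the "correspondence data" that says which records are bait held as keyed tags outside the user table, so a copy of the table, or even of the tag list, does not reveal which accounts are real. The code below is an added example written for this page, not code from the post or from any commenter; it uses only the Python standard library (scrypt via hashlib, HMAC via hmac), and every key, account name and password in it is constructed.

```python
"""Constructed example: limited-value password storage plus honeytoken alarms.

Not code from the blog post or any commenter.  ALARM_KEY, the account names
and the passwords are all made up for this demonstration.
"""
import hashlib
import hmac
import os

# Constructed key.  In a real deployment it lives with the alerting system
# (SIEM, HSM, separate service), never in the same database as the users.
ALARM_KEY = b"constructed-alarm-key-for-this-example-only"
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # about 16 MiB per hash


def hash_password(password, salt=None):
    """Return (salt, digest); scrypt makes a leaked digest expensive to crack."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def honeytoken_tag(username):
    """Keyed tag that marks a username as bait without naming it in clear."""
    return hmac.new(ALARM_KEY, username.encode(), hashlib.sha256).digest()


class CredentialStore:
    def __init__(self):
        self.users = {}               # username -> (salt, digest): the table that leaks
        self.honeytoken_tags = set()  # kept separately: Siegfried's "correspondence data"
        self.alerts = []              # what the exfiltration alarm produced

    def add_user(self, username, password, honeytoken=False):
        self.users[username] = hash_password(password)
        if honeytoken:
            self.honeytoken_tags.add(honeytoken_tag(username))

    def is_honeytoken(self, username):
        return honeytoken_tag(username) in self.honeytoken_tags

    def login(self, username, password, source_ip):
        """True only for a real account presenting the right password."""
        record = self.users.get(username)
        if record is None:
            return False
        if self.is_honeytoken(username):
            # Nobody owns this account, so any attempt means the credential
            # cache has leaked.  Alert whether or not the password matches:
            # a thief who cracked the dump offline would present the right one.
            self.alerts.append(f"HONEYTOKEN {username} tried from {source_ip}")
            return False
        return verify_password(password, *record)


def build_demo_store():
    """Two real accounts plus one bait account; all values constructed."""
    store = CredentialStore()
    store.add_user("alice", "correct horse battery staple")
    store.add_user("bob", "Tr0ub4dor&3")
    # Bait accounts never log in legitimately; a plausible-looking name is
    # what makes the record attractive to whoever copies the table.
    store.add_user("svc-backup-2014", "Password1", honeytoken=True)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.login("alice", "correct horse battery staple", "10.0.0.5"))  # True
    print(s.login("svc-backup-2014", "Password1", "203.0.113.9"))         # False
    print(s.alerts)
```

The alert fires before the password is checked on purpose: for a bait account the attempt itself is the signal, and the scrypt cost is saved. Real deployments would route `alerts` to the monitoring pipeline and rotate `ALARM_KEY` if the tag store is ever suspected of leaking along with the user table.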

Clive Robinson November 28, 2017 9:03 AM

@ Rachel, Tyr,

Rhetoric yes but with a grander truth, hidden and maybe to be revealed?

Let me see there are 26^2=676 Two letter acronyms (TLAs) and 26^3=17576 Three letter acronyms (TLAs).

Which immediately shows two problems, firstly there are not enough at a total of 18252 to go around, secondly some are unavoidably the same.

That said however some TLAs are of not much use: "ONE", "AND", "THE", "TWO", "TOO", "TO"s are taken and some like "ZZZ" people are not exactly forming a queue for...

Some try to get around the TLA issue by adding a little extra such as AT&T, but for some reason four or more letter acronyms are even worse unless punctuated in some way like R&TTE, now shortened to a lacklustre RED (Radio Equipment Directive) by many...

Worse some like ISO actually are not TLAs even though they should be, and many people incorrectly believe they are...

An engineer's life is full of TLAs and sometimes you actually have to ask as the surrounding context does not make it obvious. One such is RTL which can mean Resistor Transistor Logic, --built in modules called NORBITS that look like TTL chips on steroids-- and RTL for Register Transfer Logic, used to describe the lowest level of programming in a CPU to shuffle data and addresses from Registers to ALU and back and to the Data and Address bus buffers.

Such things were meat, drink and good cheer to me before I sold out and climbed the language ladder to microcode, and from that heady folly I progressed to Assembler. And thence to stand on the crumbling edges of that gaping canyon rent in all that was sacrosanct by abstraction and crossed over to the likes of BCPL and C that others see as meta-assemblers... Ahh the shame, the guilt a wretched soul must bear B-)

Clive Robinson November 28, 2017 9:41 AM

@ AlanS,

The list is longer than the guest list at a Grateful Dead concert, would you care to shorten the search?

CallMeLateForSupper November 28, 2017 9:43 AM

@all @Clive Re: acronyms
"[...] Two letter acronyms (TLAs) and [...] Three letter acronyms (TLAs)"

Yep. Definitely not enough TLAs (three-letter acronyms). Cognitive dissonance: "TLA" most often means "three-letter agency" in this blog.

"That said however some TLAs are of not much use [...]"
I'll just point out two ringingly obvious examples - FBI; CIA - and now quietly exit. :-)

trey November 28, 2017 10:57 AM

> Probably. Some authority or court might someday accuse them of contracting with unlicensed drivers during a certain period. Without this data their defense would look distinctly dodgy.

If they have a proper audit trail I wouldn't agree with that, e.g., "Alice applied to be a driver on Nov. 28, Bob verified the license in person on Nov. 29:
* photo matches
* license class X
* expiry date Y (in future)"

Were I on a jury, I'd accept that as long as there were no evidence it was fabricated. There doesn't look to be anything "dodgy". It's basically what notaries do, e.g. when certifying true copies, and it's more than what bars do when serving alcohol (policy + spot checks; no records necessary).

It does hint at a future service for DMVs: driver applies to Uber and gets an Uber "contractor" ID, driver gives that number and their license to a DMV employee, DMV tells Uber this driver with name X is OK to drive. And, bonus, tells them immediately if the license is ever suspended, without ever giving Uber extraneous personal data.

trey November 28, 2017 11:10 AM

> DMV tells Uber this driver with name X is OK to drive.

Actually, with "Real ID" many licenses are smartcards now. It would be a simple matter of cryptography to have it generate a storable proof, with no personal information, that Uber physically had the card. Or without a chip, print a meaningless random number into a barcode for Uber to store.
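What such a "storable proof with no personal information" could look like, as an added example written for this page rather than code from the post or from any commenter: the card carries a random reference number and a per-card secret known only to the issuing authority (a stand-in for the DMV); when the driver presents the card it MACs a fresh challenge from the operator (a stand-in for Uber) bound to the operator's own contractor ID, and the operator stores only the reference, challenge and proof. The protocol, the class names and all key material are assumptions made for this example; a real scheme would use a card-resident signing key rather than a MAC key shared with the authority, so that the authority could not forge proofs itself.

```python
"""Constructed example: a possession proof the operator can store without PII.

Not code from the blog post or any commenter.  The protocol and every key,
name and identifier below are assumptions made for this demonstration.
"""
import hashlib
import hmac
import secrets


def possession_mac(card_secret, contractor_id, challenge):
    """MAC over the operator's contractor ID and its one-time challenge."""
    msg = contractor_id.encode() + b"|" + challenge
    return hmac.new(card_secret, msg, hashlib.sha256).digest()


class Card:
    """The physical card: holds a secret that never leaves it."""
    def __init__(self, card_ref, card_secret):
        self.card_ref = card_ref
        self._secret = card_secret

    def prove(self, contractor_id, challenge):
        return possession_mac(self._secret, contractor_id, challenge)


class IssuingAuthority:
    """Stand-in for the licensing authority; the only party holding card secrets."""
    def __init__(self):
        self._secrets = {}   # card_ref -> card secret
        self._holders = {}   # card_ref -> licence holder's details (stay here)

    def issue_card(self, holder_name):
        card_ref = secrets.token_hex(8)       # meaningless without this table
        secret = secrets.token_bytes(32)
        self._secrets[card_ref] = secret
        self._holders[card_ref] = holder_name
        return Card(card_ref, secret)

    def confirm(self, card_ref, contractor_id, challenge, proof):
        """Answer an auditor: was this proof made by the card we issued?"""
        secret = self._secrets.get(card_ref)
        if secret is None:
            return False
        expected = possession_mac(secret, contractor_id, challenge)
        return hmac.compare_digest(expected, proof)


class Operator:
    """Stand-in for the ride company: stores proofs, never licence data."""
    def __init__(self):
        self.records = {}    # contractor_id -> proof record

    def enrol(self, contractor_id, card):
        challenge = secrets.token_bytes(16)   # fresh per enrolment: no replay
        self.records[contractor_id] = {
            "card_ref": card.card_ref,
            "challenge": challenge,
            "proof": card.prove(contractor_id, challenge),
        }

    def stores_pii(self):
        """True if any record carries a field beyond the three opaque ones."""
        allowed = {"card_ref", "challenge", "proof"}
        return any(set(r) - allowed for r in self.records.values())


def audit(operator, authority, contractor_id):
    """What a court or regulator could later check, without seeing any PII."""
    r = operator.records.get(contractor_id)
    if r is None:
        return False
    return authority.confirm(r["card_ref"], contractor_id, r["challenge"], r["proof"])


def demo():
    """Constructed run: one genuine enrolment, one forged record, no PII stored."""
    dmv = IssuingAuthority()
    uber = Operator()
    card = dmv.issue_card("Alice Example")   # constructed name; stays at the DMV
    uber.enrol("contractor-0001", card)
    genuine = audit(uber, dmv, "contractor-0001")
    # A record typed in without the card present fails the audit.
    uber.records["contractor-0002"] = dict(uber.records["contractor-0001"], proof=b"\x00" * 32)
    forged = audit(uber, dmv, "contractor-0002")
    return genuine, forged, uber.stores_pii()


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Because the MAC covers the contractor ID, a genuine proof copied onto another contractor's record also fails the audit, which is the property that lets the operator keep one opaque record per driver instead of the licence itself.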

Clive Robinson November 28, 2017 11:12 AM

@ CallMeLateForSupper,

I'll just point out two ringingly obvious examples...

+2 ;-)

@ AlanS,

The UK MSM shovels the 'stuff'.

But is it truly "UK"? You've a geriatric Aus liar married to a Mick Jagger cast-off, whose holding company is actually based in the US.

Then you have a "two bearded Russian" who uses an inept, incompetent and gidiotic ex UK chancellor to edit a paper. Which the gidiot then uses as a sniper platform against his previous political party's current leadership. Which let's face it is so incompetent they can't just shoot the turkey in charge themselves and have to give the sniper free rein with fingers crossed that his misses don't wing them...

Then there is another White Van Man conspiracy rag that still looks to find out why some unpleasant offspring of an even more unpleasant father who is not as competent as an Egyptian bazaar trader died in a car because he did not wear a seat belt in a car driven at high speed by a man reportedly with enough alcohol in his blood to preserve a dead newt without it being embalmed like a Phoney Pharaoh.

Then there are the loonie two tunes twins who likewise have troubles managing businesses, but get all steamed up about the fact that people on an island don't want to be serfs to the two twats who live in a castle and do not step foot where they seek to control. Their rag is apparently so bad that even a well known supermarket could not get rid of it by hiding copies in the bottom of home shopping delivery crates. Worse, a well known newsagent/bookstall could not give them away with a free bottle of ice cold water on the hottest days of the year in railway terminuses where trains were being cancelled as fast as the rag's subscriptions.

I could go on but as they say occasionally about reality "You really could not make this stuff up if you tried, and nobody would believe you if you did".

I guess the big news about "faux news" in the UK is we think we have an MSM biased or otherwise.

But you know it's got bad when even NewsThump and The Onion satirical sites are closer to the truth than the UK MSM...

fred November 28, 2017 12:05 PM

Uber should have stuck to the transportation business. By collecting data for analytics, they set themselves up to be a target. Reputation damage will produce a greater loss than analytics will gain.

Data is Toxic!

AlanS November 28, 2017 1:44 PM

@Clive

I was thinking more of the shoveled on than the shovelers. Maybe the latter will wake from their delusions shortly, just as they did in 1919 and 1819. But that might be magical thinking on my part.

Northern Watcher November 28, 2017 3:22 PM

@Clive Robinson

Beyond TLAs are MLAs (no, not provincial politicians in Quebec). Of course one of the best MLAs (one which most probably don't realize is indeed an MLA) is SNAFU...

hmm November 28, 2017 5:05 PM

The allegation is they have a "shadow" network for their actual activities and hid it from the court.

Judges love shenanigans like this. It gives them a reason to yell.

EÜber November 28, 2017 11:37 PM

@hmm

The allegation is they have a "shadow" network for their actual activities and hid it from the court.

a.k.a. Parallel (Parking) Distraction.

Clive Robinson November 29, 2017 1:48 AM

@ hmm,

Yep, they're hosed.

No they are not, it might look bad but it's about proving intent after the alleged fact[1].

There is nothing wrong with a business using secure ephemeral communications as part of a non-disclosure project. No more than holding engineering chats over a water cooler or coffee machine in a separate secured kitchen or conference room on a high value IP design project.

All secure ephemeral communications actually does is allow the same ability we assume on face2face to be range extended, nothing more (and actually less technically).

In fact things like patent law require that sort of behaviour as does the various forms of privilege in most jurisdictions world wide.

Arguably this case is about such a high value IP, but also in many important respects it is also about an individual's right to work freely (something that affects us all that the press etc are not talking about).

The key thing on such projects is to have policy documents signed off by senior management explaining the "mandated use" of such technology. As,

1, A standard company document for those who "sign on" to do such a task.

2, At the beginning of the project.

3, After some event that caused or potentially caused a loss of high value IP or other non-disclosure data.

Such documents usually come in two parts, a "statement" that refers to a "policy". The former is a page or two and rarely if ever changed, the latter could be many volumes and changed frequently as needs arise or circumstances change. What goes in both parts is what you pay a team of experts the big bucks for (and no I'm not hanging out a shingle here, this blog likewise has rules).

Importantly there are good reasons (ie a defence) to taking such actions to protect high value IP etc. Because not doing so can lead to shareholders suing the senior management for being negligent etc[2].

Thus the important thing is when such a policy document was put in place and why and what processes it implements. Not that it was done, or carried out, or what an involved individual supposes long after the fact were the reasons.

As I've also pointed out on the odd occasion the only thing a judge is interested in is the piles of paper. Likewise the words that becomes paper (testimony) and facts that have become paper (evidence) only after certain rules have been followed (look up the "tribunal of fact" and "opinion").

The problem with civil suits is that the rules and laws of hearsay really don't apply any more, they have been so whittled away. Thus the requirement of proving a burden prior to admission of evidence in court has effectively gone and it's become a public mud slinging contest.

But as I've indicated on this blog before judges are not disinterested parties when it comes to electronic discovery. They take a few moments to scribble a note in the court record, and suddenly one of the parties is hit with a "beggar thyself" rights stripping action. The judge is on the clock so cares not.

There are ways to structure projects and their processes with High Value IP to avoid all of these issues, what you need is a team of experts to come in and give the training and importantly set the paper trail and processes[3] like "clean room oracles" up correctly before you start. And I'm guessing from the little said Uber did not do this as well as they should have.

As I keep pointing out the technology is agnostic to use... it's determining the "intent" of the individual "Directing Minds", good or bad, that is the real issue[1].

So what we will see now is teams of overly paid legal sharks all on the clock swimming in little circles "painting pictures with words", to try to set a scene thus point of view to move forward from, and thus they hope a good payday if not victory.

If Uber have put the paperwork and processes in place adequately then Alphabet will have a tough time. If not then Uber will have a tough time. Either way all the legal bodies present including the judge are on the clock, and the judge like any good critic is being well paid to watch the show. Such is the litigation game, because that is what it is, in effect little different to "Late night televised poker"... Other than it's office hours and the stakes on the table are more than some countries' GDP, or the modern day equivalent of a King's Ransom.

The person I would not want to be right now is the security bod who if the press are correct has apparently flapped his gums both verbally and in writing, if not inconsistently. He is about to enter a rather savage game that makes throwing a Christian to the lions look like a childish pastime in comparison, and they can be oh so much nastier in civil court than criminal, where at least a few rules remain... His credibility is going to be key to this part of the case and there will be people looking and talking and digging and second guessing every fact of his life from first diapers/nappies to what he last ate, with shrinks talking about what that might suggest his sexual preferences, motivations, etc are doing a human "SWOT".

I won't comment on his future life prospects but now his name is out due diligence by any prospective employer will put this mess as an addendum to his C.V.

My advice to anyone with a connection to Uber currently on their C.V. Is think about a way to do damage limitation fast... Because the level of mud being thrown would bury an angel let alone a saint.

[1] https://www.americanbar.org/content/dam/aba/administrative/litigation/materials/2014_sac/2014_sac/best_practices.authcheckdam.pdf

[2] The argument logic dictates should be asked of Alphabet's legal brethren after first establishing they actually do communicate are,

2.1, Do you use such technology Y/N.

2.2, Are you aware of the Ed Snowden and other whistle blower documents Y/N.

And if the answer is No to either of them,

2.3 Are you admitting in court as an officer of the court to being grossly negligent and breaching privilege with your clients and the court Y/N?

Sadly most judges will not allow it but you get the picture.


[3] Processes like "clean room oracles". The purpose of which are to prevent knowledge contamination. For instance in patent law there is a big difference in "unintentionally infringing a patent" and "knowingly infringing a patent", thus reading a patent can be seriously injurious to your health in a Catch 22 way. Likewise reading an engineering journal or conference papers or book might give you insight to a technique or process that you might not otherwise have got. The problem is the person writing such an article, paper or book might not say that information is, say, patented, then again they might indirectly by saying who they work for in some way. The idea of a clean room is that one team does research and extracts knowledge from it. The knowledge goes into the clean room and is "vetted" by a different --often legal-- team, if they pass the knowledge as clean then it can be passed to the creative/design team in effect by the equivalent of a Greek Delphic Oracle.

Rachel December 2, 2017 8:12 AM

nakedcapitalism.com for 2 December has several articles about the present situation with Uber.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.