Morally speaking, I’m not sure who is in the right here. I believe in the right to protect your data, and the kill switches seem somewhat acceptable. On the other hand, Uber is scum and has systematically destroyed the taxi business.
Could you explain what this "the right to protect your data" is supposed to mean?
The US has always allowed a government to get a warrant to search personal records, including the ability to execute that warrant quickly, to prevent someone from destroying those records.
Companies should and do get into legal trouble for destroying records which are required for legal, regulatory, or lawsuit discovery purposes.
I don't think you rank corporate records higher than personal ones.
Your moral point is that you think it's okay to block anyone else from accessing your data, but it's not okay to destroy it? Because that's the only way I can make sense of your comment.
What is the moral reason for saying that a company can store, use, and profit off of data, with a kill switch that {delete, hides, obscures, encrypts} that data when the government comes with a warrant, or when the courts have authorized discovery for a lawsuit?
Isn't that just rife for abuse? "Sorry, we don't have any records of dumping hexavalent chromium. The file deletion we did 10 seconds ago must have included them, if we had them." That would make for a very different Erin Brockovich movie.
More to the point, why would encryption be okay, while deletion is not?
Even more to the point, what judge (or jury!) would accept that difference?
Uber appear to have been instructing their staff to act unlawfully to conceal information that could be used as evidence against them, when they were (and knew they were) operating illegally. And not just in one country, in at least six different ones.
I mean it's kind of hard to feel sorry for Uber in this scenario surely?
Jailed in which jurisdiction? Do you think there are some jurisdictions (say, Hong Kong) where it’s okay for Uber to use this system, but others where it’s not?
Shouldn't a company which could collect location data of sensitive populations, opposition politicians, etc, not have a standard operating procedure to make sure un-audited+un-reviewed access is not possible? Shouldn't companies with user-generated "content" have a way to remotely lock down and wipe laptops which are seized or stolen? Even when law enforcement or state actors are involved: what will we say when Uber's Florida or Texas office is raided in an effort to get a list of people seeking transportation to certain types of healthcare? What about in states where "aiding and abetting" certain types of healthcare is itself treated as a criminal act? What about in places which imprison or persecute queer people?
I don't think the lying and the misdirection and the "prediction" based on reading news reports or political rumors are ethical or even particularly smart, but I think you'd be hard-pressed to find a company storing mountains of user data which does not have a lockout plan like this that they will be willing to use against law enforcement in certain scenarios or by default.
> to make sure un-audited+un-reviewed access is not possible?
No. They must have a system in place to follow local, state and federal laws, to comply with industry regulations, and to allow discovery for lawsuits. Doing otherwise is illegal.
> effort to get a list of people seeking transportation to certain types of healthcare?
Don't collect that data in the first place. Have retention policies to delete data when it's no longer useful (so long as it's legally permissible), so you can demonstrate to the authorities or judge that it wasn't an attempt to evade or obstruct justice.
> I think you'd be hard-pressed to find a company storing mountains of user data which does not have a lockout plan like this that they will be willing to use against law enforcement in certain scenarios or by default.
This is tampering with evidence, which is a crime. Your view appears to be that nearly all such companies have policies to commit a crime.
However, a number of courts have issued rulings imposing a duty to preserve before litigation begins if a party knows of the existence of a potential claim and can identify relevant evidence. See, e.g., Silvestri v. General Motors Corp., 271 F.3d 583, 590 (4th Cir. 2001) (upholding sanctions for failure to preserve a car involved in an accident, which plaintiff reasonably should have known would be material evidence in anticipated litigation against auto manufacturer). Therefore, as a practical matter, it is our general advice that you should instruct your colleagues and subordinates to retain records of any business activities for which litigation is anticipated, especially when it becomes apparent (through a demand letter or other saber-rattling) that a business relationship is "going south" and may be headed to court.
I understand where these questions are coming from, but many Western countries have decent legal systems where data unrelated to a case cannot be used by law enforcement and this will be tested by both prosecutors and judges.
I'm currently working in LE and I would not be allowed to look at customer data if that was seized during a search related to an investigation of Uber. I would not be able to just grab the ride data of a subject of another investigation because that would be illegal. If I did do that, that evidence would be thrown out and I would be reprimanded.
I understand there are countries where this isn't true though, or where people are worried about the state of legal proceedings in their countries. But that doesn't mean Uber or any other company can just destroy evidence on the premise of securing customer data.
Also, I highly doubt that Uber hosts their customer data on workstations in their offices. At least I hope they don't.
> I would not be able to just grab the ride data of a subject of another investigation because that would be illegal. If I did do that, that evidence would be thrown out and I would be reprimanded.
In the majority of countries on Earth, the law is merely a suggestion to a significant portion of the police force.
I understand, but Uber used these practices everywhere. And, like I mentioned, they used it on their company machines, not the servers where their customer data would probably be stored. So the hypothesis of doing this to protect customers is doubtful at best.
Standard procedure. Who knows what customer or other data is on an employee laptop seized in a raid. If they have a justification for accessing the data, the authorities can get a search warrant from a judge to have the company produce that information. They don’t get to riffle around in a laptop looking for whatever.
Standard procedure if you run a criminal business maybe. And Uber knew they did in many countries. At none of the employers I have worked for has anything like this existed. Our laptops have been and are fully disk-encrypted, so when seized the police might have challenges to access them. But I have never come even close to the situation that someone would have asked for the passphrase; I don't know what would happen then.
Uh, what? You're totally fine with companies like Uber being completely unaccountable to justice systems across the globe? I'm not surprised, but I genuinely think there's something wrong with you and others who think it's okay for these companies to destroy data to hide what they're doing.
Legitimate requests from law enforcement should go through proper channels. Performing a “raid” in an attempt to gain access to data not on site (and potentially out of scope/jurisdiction) feels somehow improper to me.
A kill switch should be standard operating procedure in the event that armed persons enter secured areas unexpectedly. Ideally, the human factor should be avoided too; this makes a good argument for tamper-sensitive systems, anti-forensics, etc.
My understanding is they disabled access to data that was stored in the US, and their intent to "ensure due process rights are respected in the event of an extrajudicial raid" seems reasonable to me. Uber's lawyers say that no data was deleted and can still be obtained by law enforcement.
If I was pulled over and had my car searched by police, I would not expect them to use my keys to then search my home without due process. If I felt that was a risk, I think changing my locks is entirely reasonable, as it doesn't prevent a legitimate search warrant.
I see this as hijacking a company's computers to export confidential data they were not otherwise entitled to from a foreign country.
Amateurs. Laptops should be empty nettops with some sort of a remote desktop access, and remote surveillance for simulating network outages from the outside.
I actually used to maintain a "kill the servers" script, long ago when I was responsible for servers that had sensitive data on them. Tried to rather; they're hard to keep up to date and hard to test. Worse than backups in the "will we ever need this?" priority race.
Physical demolition is much less likely to fail, and more fun to test. Thermite charges are easy enough to make.
I think I'd be too worried about burning my house down, and/or liability in a commercial context. It's also one of the most suspicious sounding things you could possibly do. "There was thermite in the servers" instantly makes people wonder just how much child exploitation material you were storing to even think about doing that. It's not endearing to judges or the media and both of these are likely to be involved in the aftermath.
> In a statement, Uber said it had stopped using the kill switch in 2017, when Dara Khosrowshahi replaced Kalanick as chief executive and overhauled its corporate culture
And as we all know, conspiracy to obstruct justice only started being a crime in 2018, so they're all clear.
It constantly astonishes me the lengths Uber went to in order to build a shitty shitty business.
Yeah, sure we did spend copious amounts of effort to breach every law and regulation around the world, and then even more laws and regulations to cover it up - but look at the results! We have an incredibly unprofitable taxi company, we push our employees into poverty, and we've lost about half the company's value since IPO!