Exclusive: Current and former Uber security staffers
cast doubt on spying claims
Send a link to a friend
 [January 13, 2018]
SAN FRANCISCO (Reuters) - The
former security chief of Uber Technologies Inc. [UBER.UL] swore in a
closed legal proceeding that he knew of no attempts to steal trade
secrets from anyone, including Alphabet Inc's self-driving unit Waymo,
and would be "shocked" if that had occurred.
In a deposition taken in mid-December near San Francisco, Joe Sullivan,
Uber's security chief from 2015 to 2017, said that the most explosive
claims made by another former Uber employee of unethical and illegal
behavior by members of his security team were false.
The testimony, described to Reuters by people familiar with it, came in
connection with a lawsuit brought by Waymo which accuses arch rival Uber
of stealing trade secrets.
Sullivan's testimony has not been made public. He has not spoken in open
court or spoken publicly since leaving Uber in November, when he was
fired following an investigation.
The previously unreported testimony from the onetime senior Uber
official, as well as interviews conducted by Reuters with five current
and former Uber employees, rebuts statements made in an explosive
37-page letter last year that triggered the internal probe and drew the
attention of federal prosecutors, who are still investigating.
The letter was written by an attorney for Richard Jacobs, a security
analyst who worked at Uber from 2016 to 2017 and was about to be fired,
Jacobs has acknowledged.
Jacobs' lawyer wrote that Uber's security apparatus was engaged in
stealing trade secrets, spying on rival executives and wiretapping,
among other questionable behavior.
Uber's internal probe of Jacobs' claims also uncovered something new,
which was not mentioned in Jacobs' letter: an undisclosed 2016 data
breach and a $100,000 payout to a hacker in Florida. This discovery led
to Uber firing Sullivan and legal deputy Craig Clark for failing to have
the company disclose the breach to customers and regulators.
Waymo seized on the claims made by Jacobs because they explicitly
mentioned that Uber had stolen Waymo trade secrets, and Waymo was
already suing Uber in a federal court for theft of trade secrets.
Sullivan in his testimony and the other executives in interviews with
Reuters questioned Uber's decision to pay Jacobs a $7.5 million
settlement and offer him a consulting contract in connection with his
threats to expose Uber's alleged wrongdoing.
An Uber spokesman did not comment on the implication of Sullivan's
testimony, but said that Uber had already substantiated some of Jacobs'
claims, although nothing related to Waymo. He added that the company is
"changing the way we do business, putting integrity at the core of
everything we do." A spokeswoman for Waymo declined to comment.
Jacobs' attorney in the Waymo case, Martha Boersch, who did not write
the 37-page-letter, did not respond to requests for comment. Jacobs did
not respond to a request for comment.
Attorneys for Waymo have said in court that over the nearly year-long
case they have amassed a file of evidence against Uber and were ready to
go to trial before the revelation of the Jacobs letter, which came days
before the original trial date. On Friday, Waymo filed a court document
that said it had corroborated some of Jacobs' claims about Uber's
data-gathering efforts against rivals, but the specifics were redacted.
[to top of second column] |
A man arrives at the Uber offices in Queens, New York, U.S. on
February 2, 2017. REUTERS/Brendan McDermid/File Photo
In interviews with Reuters, three current Uber executives repeated Sullivan's
rejection of Jacobs' claims and said they were unaware of any of the lawbreaking
allegations by Jacobs. They called false Jacobs' statements that the security
unit had misused attorney-client privilege or encouraged the use of ephemeral
messaging services in order to cover up improper behavior.
Uber received the letter from Jacobs in May 2017, but it was not publicly
disclosed until November, when federal prosecutors shared the letter with the
judge overseeing the Uber-Waymo lawsuit. The judge delayed the trial to allow
Waymo attorneys to question Sullivan and other Uber employees about the letter.
In his own recent court appearance in the Waymo case, Jacobs stood by his claims
that Uber's security team spied on and stole from competitors and tried to cover
its tracks. But he admitted he was not aware of Uber stealing anything from
Waymo, contradicting part of his letter. He attributed the contradiction to a
miscommunication with the attorney who wrote it on his behalf.
Though the new accounts contest most of Jacobs’ claims, his letter played a
major and previously undisclosed role in the bitter battle for control over
Uber, according to the current and former top executives.
It landed in May as Kalanick and the board were clashing over his role at the
company and directors were hearing the results of other investigations,
including one into sex harassment.
Kalanick resigned under pressure the following month.
By then, a committee of directors had assumed oversight of the investigation
into the Jacobs letter, led by law firm WilmerHale, which eventually uncovered
an event that was not in the Jacobs letter: the 2016 data breach, the current
and former executives said.
In interviews with Reuters, current and former members of Sullivan's security
team provided details of the hack that were previously unreported, and they
defended the payout Uber made to the Florida hacker.
In the emails among Uber security staff and a representative for the hacker,
Uber treated the breach as a "bug bounty,” something normally reserved for
hackers who discover weaknesses in a system without extracting data.
Investigations chief Mat Henley established the hacker’s identity and secretly
obtained access to electronic records showing that the Uber data had been
deleted, giving Sullivan and other members of the security team comfort that it
had not reached any criminals, the security staffers said. With no data on the
loose and a danger to customers, they felt Uber did not have to disclose the
breach to regulators.
In addition, they said Sullivan was not responsible for Uber's decision about
whether to disclose data breaches to regulators since this decision was made by
the legal department.
Uber declined to discuss the details of responsibility for disclosure decisions.
But it has made clear that the Florida breach should have been disclosed under
various regulations and in fairness to users and drivers.
(Reporting by Joseph Menn and Heather Somerville; Editing by Jonathan Weber &
Shri Navaratnam)
[© 2018 Thomson Reuters. All rights
reserved.] Copyright 2018 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed. |
