Did Uber Use Spyware on Rival Taxi Firm? Yes (and No)

“Ride sharing” company stands accused of using spyware to damage a competitor’s business: An Australian taxi startup says Uber poached its drivers by spying on their movements.

Uber blames one rogue employee. But some commentators allege it’s not the first time the company’s used dirty tricks to boost its business. For example, there was that time Uber was banned from operating anywhere in London, England.

So what really happened here? In today’s SB Blogwatch, we make educated guesses.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: bill wurtz.

G’day, Yous Galahs

What’s the craic? Sean Nicholls, Peter Cronau and Mary Fallon allege an allegation—”Uber used secret spyware to try to crush Australian start-up GoCatch”:

Uber used a secret spyware program … code-named Surfcam … to steal drivers from an Australian competitor with the aim of putting that company out of business. … GoCatch was a major competitor to Uber when the US company launched in Australia in 2012. At the time, both companies were offering a new way to book taxis and hire cars using a smartphone app.

A former senior Uber employee has told [us] that the idea behind the use of the Surfcam spyware was to starve GoCatch of drivers. … It allowed Uber to directly approach the GoCatch drivers and lure them to work for Uber.

Surfcam was part of an aggressive strategy Uber pursued under co-founder Travis Kalanick to establish itself globally amid fierce opposition. … Mr Kalanick has since been replaced as chief executive by Dara Khosrowshahi, who has declared he wants to overhaul Uber’s culture.

The existence of Surfcam has been confirmed to [us] by a senior Uber source [who] stated that the spyware program was developed by a staff member in the Sydney head office … under his own authority. … An Uber Australian spokeswoman said the company had conducted an audit of the use of Surfcam and it has been prohibited.

Yikes. Bill Toulas adds Uber planted spyware to steal drivers:

 [It] caused great disturbance to GoCatch, who couldn’t explain how they lost one driver after another. [But] Uber denies that the spyware was part of their business plan.

Uber is the most known and successful rideshare company in the world, but it’s not the only one. … GoCatch [is] a rideshare company that is backed by [Australian] billionaires like James Douglas Parker, an investor who occupies a position on the country’s top ten wealthiest person list.

Surfcam helped Uber to hook drivers from GoCatch, essentially starving their competitors of contractors and hurting their operation on a fundamental level. [It] allowed Uber to make targeted offers to … drivers, offering … better deals than GoCatch, and converting them to become their own contractors.

Are you feeling a touch of déjà vu? Cory Doctorow is incensed, calling it Son of Greyball:

A senior source at Uber has confirmed to the Australian Broadcasting Corporation … that Uber Australia illegally deployed … Surfcam in order to spy on … a rival.

It was just one of many in-house dirty tricks software: In 2017, it was caught using an internally developed program called Greyball to kick people off the system if they were suspected of being cops or investigators in territories where the company was fighting with regulators.

But is there a silver lining? Hoist up the johnd’s sail, see how the mainsail sets: [You’re fired—Ed.]

Uber’s business practices in Australia have been appalling (though probably no worse than elsewhere), but it has had one co-lateral effect. Taxi services in Australia have been horrible for a long time (try going to an unfamiliar city and finding your taxi driver does not know where a major hospital is) and Uber has made them start to improve services.

What about a lesson for DevSecOps folk? Here’s an insightful SuperKendall:

Why did that other company have all of these details of drivers that could be scraped? I feel like they had an API that could be arbitrarily queried for cars on the road that gave out way too much information.

API designers seem to never consider the importance of what they send, and how to protect the contents of what is being sent from a user that can easily install certificates or man in the middle attacks to inspect all traffic. How do you not expect competitors are trying to look at this information?

You know some software engineer at Uber would have been trying to see what competitive apps did just to understand how other people made systems work.

[And] the company had a responsibility to the drivers. … If Uber had enough data to find drivers, that’s a very bad sign for how well the company protected data. Who is to say they were not equally lax in protecting client data?

How is everyone OK with this? … It is way past time we stopped letting this kind of no-security bull**** slide.

But that’s harder than it seems, according to this Anonymous Coward:

Tracking driver location is required for calculating routes, cost, and determining which to route to which pickup request. Allowing the passengers access to that information allows them to glance at their local area and estimate the chances and timeframe for a pickup.

If everyone can see where your taxi is, it’s harder for a driver to kidnap you. [It] helps prove the person claiming to be there to pick you up is actually the car you’re supposed to get in is not someone trying to kidnap or scam you. … I’ve been the target of taxi scams where a driver claims to be the one you pre-paid for then demands payment to leave the vehicle when you realize it’s not the right person. I was told by the correct driver that it isn’t too rare.

The API could block someone when it sees them requesting everything, but … it’s trivial to send the requests from thousands of different computers. [Or] it would be easy to bribe one of the drivers to give them a copy of their tracking device/api or bribe a developer of the company.

Wait. Pause. Why are we calling this “spyware”? luckylion explains:

 [Mainstream] news has the usual problem with technology: terminology. This doesn’t sound like spyware at all, but rather like [scraping] software.

Where’s the libertarian angle? piojo shrugged:

It sounds like he was scraping the web site of a rival company. Is that even unethical? The worst he could have done is ignored robots.txt, and I don’t know whether that is considered serious in Australia.

I’m not sure where the line is when using data you already have access to, but for an unintended purpose. I see crushing their competitor (so they can be a monopoly) as a bigger story than how exactly they used their competitor’s APIs.

Meanwhile, a slightly sarcastic sphealey snarks it up:

Odd coinkydinks … how things like this just seem to keep happening to Uber.

Shame that there are so many rogues in their organization; you’d think the world’s largest monitoring and tracking system could identify and root out that sort of stuff.

And Finally:

Glorious weirdness from bill wurtz

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: freestocks-photos (via Pixabay)

Featured eBook
How to manage SAP-User Accounts and Access Rights with Identity Manager

How to manage SAP-User Accounts and Access Rights with Identity Manager

Learn how you can simplify the management of SAP-user accounts and their access rights. Native SAP tools fall short and aren’t useful across the entire ecosystem. Read this white paper to see how your organization can integrate SAP-user data with your identity and access management (IAM) system and processes. One Identity Manager streamlines user administration ... Read More
One Identity

Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 45 posts and counting.See all posts by richi