‘Hit the kill switch’: Uber used covert tech to thwart government raids

Regulators entered Uber’s offices only to see computers go dark before their eyes

(Lucy Naland/Washington Post illustration; Remko de Waal/ANP/AFP/Getty; Uber screenshots; iStock)
Comment
EDITOR’S NOTE

This story has been updated to reflect that the source of the Uber Files trove, former company lobbyist Mark MacGann, has publicly identified himself. The Washington Post and other project partners previously had agreed to keep his identity confidential.

Twenty minutes after authorities raided Uber’s Amsterdam office in April 2015, Ligea Wells’s computer screen mysteriously went blank. The executive assistant tapped out a text warning her boss of another strange occurrence on an already eventful day.

“hi!” she typed in a message that’s part of a trove of more than 124,000 previously undisclosed Uber records. “My laptop shut down after acting funny.”

But her computer’s behavior was no mystery to some of her superiors.

Uber’s San Francisco-based chief executive, Travis Kalanick, had ordered the computer systems in Amsterdam cut off from Uber’s internal network, making data inaccessible to authorities as they raided its European headquarters, documents show.

“Please hit the kill switch ASAP,” Kalanick had emailed, ordering a subordinate to block the office laptops and other devices from Uber’s internal systems. “Access must be shut down in AMS,” referring to Amsterdam.

Uber’s use of what insiders called the “kill switch” was a brazen example of how the company employed technological tools to prevent authorities from successfully investigating the company’s business practices as it disrupted the global taxi industry, according to the documents.

During this era, as Uber’s valuation was surging past $50 billion, government raids occurred with such frequency that the company distributed a Dawn Raid Manual to employees on how to respond. It ran more than 2,600 words with 66 bullet points. They included “Move the Regulators into a meeting room that does not contain any files” and “Never leave the Regulators alone.”

That document, like the text and email exchanges related to the Amsterdam raid, are part of the Uber Files, an 18.7-gigabyte trove of data that former top Uber lobbyist Mark MacGann provided to the Guardian. It shared the trove with the International Consortium of Investigative Journalists, a nonprofit newsroom in Washington that helped lead the project, and dozens of other news organizations, including The Washington Post. The files, spanning 2013 to 2017, include 83,000 emails and thousands of other communications, presentations and direct messages. MacGann was the company’s head of public policy for Europe, the Middle East and Africa from 2014 to 2016.

Mark MacGann, former top executive, comes forward as Uber Files leaker

They show that Uber developed extensive systems to confound official inquiries, going well past what has been known about its efforts to trip up regulators, government inspectors and police. Far from simply developing software to connect drivers and customers seeking rides, Uber leveraged its technological capabilities in many cases to gain a covert edge over authorities.

In written responses to questions, Uber acknowledged that the company made numerous missteps during the time covered by the files, an era when Kalanick, who was ousted by the board in 2017, led the company. “We have not and will not make excuses for past behavior that is clearly not in line with our present values,” said company senior vice president Jill Hazelbaker. “Instead, we ask the public to judge us by what we’ve done over the last five years and what we will do in the years to come.”

Devon Spurgeon, a spokeswoman for Kalanick, said in a statement to The Post that Uber’s expansion efforts were led by more than 100 people in dozens of countries — with approval from the company’s legal, policy and compliance teams.

“Uber, like most other businesses operating overseas, used tools that protect intellectual property and the privacy of their customers, and ensure due process rights are respected in the event of an extrajudicial raid,” Spurgeon said. “They are a common business practice and not designed or implemented to ‘obstruct justice.’ These fail-safe protocols do not delete any data or information and all decisions about their use involved, were vetted by, and were approved by Uber’s legal and regulatory departments. Notably, Mr. Kalanick did not create, direct or oversee these systems set up by legal and compliance departments and has never been charged in any jurisdiction for obstruction of justice or any related offense.”

According to the documents and interviews with former employees, the company used a program called Greyball to keep authorities from hailing cars — and potentially impounding them and arresting their drivers.

It used a technology called “geofencing” that, based on location data, blocked ordinary use of the app near police stations and other places where authorities might be working. And it used corporate networking management software to remotely cut computers’ access to network files after they had been seized by authorities.

Read key takeaways from the Uber Files investigation

The Post was unable to learn whether authorities ultimately gained access to all the data they were seeking in such cases. Bloomberg News, which first reported on the kill switch in 2018, reported that in at least one case, Uber turned over records not initially available to authorities after they produced a second search warrant.

While some of these technologies have been reported previously, the Uber Files provide the most extensive, behind-the-scenes account of how Uber executives ordered their deployment to gain advantages over authorities.

Uber discussed or invoked the kill switch — code-named Ripley — more than a dozen times in at least six countries over a two-year span, according to the new documents and previous reporting on the tool. References to Greyball appear repeatedly, in countries including Denmark, Belgium and Germany. The documents show that, in at least some cases, Uber’s legal department in San Francisco was aware of the use of the kill switch.

Uber employees sometimes expressed concern about the use of technological tools amid multiplying government investigations. In a text exchange in January 2016, officials in Europe discussed the pros and cons of building an alternative version of the Uber app.

“Point is more to avoid enforcement," wrote Thibaud Simphal, then general manager for Uber in France.

Simphal, who is now Uber’s global head of sustainability, said in a recent statement: “From 2014 to 2017, Uber has been in the news both for its positive impact on mobility and the economic opportunities it has created and for certain practices that do not comply with the frameworks and requirements of the countries in which we have developed. We have publicly acknowledged this. Our current CEO, Dara Khosrowshahi, has been transparent about these issues since his arrival, and has made significant reforms to the company’s culture.”

Kill switch

Uber’s tactics were born out of more than stubbornness. To top Uber executives, they were existential. What started as a simple idea in 2008 — to offer on-demand taxi service in private cars — had burgeoned by 2015 into a bona fide Silicon Valley “unicorn,” a start-up rapidly multiplying in value but one that hemorrhaged money, requiring regular cash infusions from investors.

It faced fierce rivalry from companies such as Didi in China, Yandex in Russia, Ola in South Asia and Lyft in the United States. Uber competed in part by luring customers to its app with steep discounts, and it recruited drivers with generous incentives.

The business model also relied on overcoming legal barriers to competing with a taxi industry that was heavily regulated in much of the world. Authorities dictated the colors of those competing vehicles, the licensing and insurance rules for drivers, and how and when drivers worked.

As Uber steamrolled into France, Emmanuel Macron was a ‘true ally’

Uber insisted on designating its drivers as independent contractors rather than full-time employees. The company said the distinction afforded drivers more work flexibility, but it also freed Uber from the obligation to pay them costly benefits while limiting its own legal liability.

Confrontations also developed between authorities and the company over its business practices. Uber sometimes would not comply with cease-and-desist orders if it believed immediate enforcement actions were unlikely, two former employees said, speaking on the condition of anonymity to describe sensitive matters.

“I don’t have any comment on whether that was the case back then, but that’s certainly not how we would respond today,” said Uber spokesman Noah Edwardsen.

Such confrontations forced questions about long-established taxi regulations into view. Negative articles about arrests and other clashes, meanwhile, increased public awareness of the service, a former employee told The Post.

Kalanick exuded an overt hostility toward the taxi industry — which he dubbed “Big Taxi” — and the regulators, he argued, protected it from competition, the documents and news reports show.

Uber leveraged violent attacks against its drivers to pressure politicians

In the period covered in the documents, Uber was embarking on an aggressive expansion in countries such as Spain, France, the Netherlands and Belgium — many of which outlawed paid transport in private personal vehicles.

Regulators barged in, conducting raid after raid, in an effort to prove Uber was flouting the law, while police conducted stings to catch drivers in the act.

Inside Uber’s offices, however, law enforcement agents were sometimes surprised to find that the computers — as many as two dozen simultaneously — would go black. That was the experience of one individual close to a raid in Paris on March 16, 2015, who spoke on the condition of anonymity to candidly describe the events.

That same month in Amsterdam, the company’s Europe hub, company executives worried about a looming crackdown and likely raid by transport authorities to collect evidence, the documents show.

Uber was making preparations that included moving documents off-site and compiling a list of office employees “to ensure an IT kill gets everyone,” according to an email at the time from Zac de Kievit, European legal director for Uber.

Uber also was finalizing its Dawn Raid Manual, which was shared by email with employees in Europe. While other companies give written guidance on how employees should interact with authorities, Uber’s was striking in its details. The manual, labeled “CONFIDENTIAL -- FOR INTERNAL USE ONLY,” formalized many of the strategies Uber would employ against regulatory raids, the documents show.

Uber did not respond to questions about the raid manual.

‘Unexpected visitors’

On several occasions, including twice in Montreal in May 2015, authorities entered the company’s offices only to find devices such as laptops and tablets resetting at the same time, court documents showed.

The kill switch helped thwart authorities by locking devices out of Uber’s internal systems. Although it was used internationally, the kill switch was controlled centrally by Uber’s San Francisco IT department and through another location in Denmark to protect local employees who might otherwise be accused of obstruction or forced to override it, two former employees said. According to the documents, Uber used it to cut access to devices that could have been seized in raids, sometimes while authorities searched for evidence within Uber’s offices.

Uber officials eventually began hitting the kill switch as soon as they considered a raid imminent, the documents show. The action blocked the laptops from accessing information held on remote servers, former employees said, making the devices unable to retrieve even email.

Some employees engaged in stall tactics so the kill switch could be activated before police got their hands on their devices by, among other strategies, asking that the police or tax authorities wait together in a room without computers until local lawyers arrived, according to the documents and interviews with people familiar with the tactics.

“The procedure was, if you have law enforcement, you try to buy time by greeting them, and call San Francisco,” said one of Uber’s former lawyers in Europe, who spoke on the condition of anonymity to describe the tactics. “Even if it was 2 a.m. in San Francisco, there were people who were supposed to react.”

Many companies use kill switches or other remote administration tools to cut off devices when employees are fired or lose them. Inside Uber, workers were told they would also be used in case of “unexpected visitors,” a term that covered angry passengers or drivers as well as police or other authorities, according to former executives.

Uber was never charged criminally with obstruction of justice, and the company said it shut down machines mainly so that investigators did not see more than they were entitled to. When investigators later asked for specific documents, the company generally furnished them, said former employees.

Some European legal experts said using a tool such as a kill switch is legal only before a government authority produces paperwork entitling them to look for specific documents. But afterward, cutting access could break national laws, they said.

“If a raid by a supervisor or economic investigator has already begun, and it has been made clear that copies of records are being requested, a company may no longer intervene by making them inaccessible,” said Brendan Newitt, of De Roos & Pen Lawyers in the Netherlands. “The same applies if regular investigators have already started, for example, a computer or network search to obtain the records.”

In France, a prosecutor involved in the initial investigation could add new charges based on a kill switch “if it turns out that it is not automated, that there is a human action leading to a disconnection and that there is a will to obstruct justice,” said Sophie Sontag Koenig, a teacher at Université Paris Nanterre with a doctorate in criminal law who specializes in technology issues.

Uber’s Hazelbaker said, “Uber does not have a ‘kill switch’ designed to thwart regulatory inquiries anywhere in the world" and that it has not used one since Kalanick’s replacement, Khosrowshahi, became chief executive. Although software that remotely isolates devices is standard for companies to use in cases of lost or stolen laptops, Uber said “such software should never have been used to thwart legitimate regulatory actions.”

The statement from Kalanick’s spokeswoman said, “Travis Kalanick never authorized any actions or programs that would obstruct justice in any country.” She also rejected as “completely false” any allegation that he “directed, engaged in, or was involved” in any activity that may have obstructed justice.

Local operations managers, who had a great deal of autonomy in running their own offices, often made the initial requests for activation of the kill switch, said former employees. That would lead to consultations with the general manager of the relevant global region as well as top executives in California, according to former executives and the documents. Employees sometimes copied top officials including Kalanick and general counsel Salle Yoo. San Francisco executives typically issued the final command, said several former employees.

“On every occasion where I was personally involved in ‘kill switch’ activities, I was acting on the express orders from my management in San Francisco,” Mark MacGann, Uber’s former top lobbyist in Europe, said in a statement.

The former European lawyer for Uber who spoke on the condition of anonymity said colleagues sometimes raised objections with Yoo.

“Of course we highlighted it to Salle, that this is not how you should proceed in Europe,” the lawyer said. “But that was kind of disregarded. There was a bigger mission behind it: ‘Everyone is wrong, and we are right.’ ”

Yoo provided the following statement in response to requests for comment:

“During my time at Uber, we developed systems to ensure the company acted ethically and consistent with the law in the countries where we operated. Working with outside counsel, my team and I instituted policies to safeguard the company’s data and made it clear that the policies were never designed to prevent or inhibit the company’s cooperation with regulators and local authorities. If I had learned of any illegal or improper behavior, I would have immediately taken steps to stop it.”

Corporate siege mentality

Looking back, a corporate siege mentality and poor training contributed to serious mistakes in judgment, said another former Uber executive from this era.

“That’s rookie bulls---,” the executive said of cutting access after a raid had begun. “It’s cowboy culture, no governance, improper compliance controls.”

In one instance, documents show de Kievit, the European legal executive, sent direct instructions copying Kalanick and Yoo regarding a raid in Paris in November 2014.

“Please kill access now,” de Kievit wrote, according to an email from the trove of internal Uber documents.

He soon followed up with another email, “Please let me know when this is done.”

The kill was done 13 minutes after the initial request, the documents show.

“They have not been too aggressive so far, but we are taking no risks,” de Kievit wrote to policy and strategy head David Plouffe, referring to authorities.

Plouffe, a former campaign manager and adviser to President Barack Obama, said that his time at Uber coincided with a “fierce debate about how and whether ridesharing should be regulated,” during which some within Uber wanted “to go too far.”

“I did my best to object when I thought lines would be crossed — sometimes with success, sometimes not,” Plouffe said in a written statement.

De Kievit, who is now an attorney in Australia, did not respond to questions emailed to his law office in Melbourne or voice-mail messages on his cellphone.

In addition to the kill switch, executives sometimes used a comprehensive remote-control program called Casper, a commercial software suite Uber tailored for its own use, the documents show. Casper could cut network access even after devices were removed by authorities, documents and interviews reflect.

Fake view

Uber employees shielded activity in the app with Greyball, which falsely indicated to suspected authorities that no Uber rides were available near them, in an effort to thwart investigations and enforcement actions, the documents show.

Greyball was created as a fraud-fighting tool to limit scammers’ access to the app, a former executive said, and was at times used to frustrate violent Uber opponents hunting drivers. But Uber operations executives took control of the program and redeployed it against the government, former employees said.

The company used geofencing, meanwhile, to limit where people could access the regular version of its app. Uber employees could create a geofence targeting a police station so anyone in or near the building would see the Greyball version of the app, which Uber sometimes called Fake View, the documents show. It banned riders it suspected were government employees.

As Danish transport authorities began an investigation of Uber in January 2015, Uber strategized to impose one such digital shield around its activities, changing how its app behaved near government facilities, according to an internal email saying, “Blackout geofences around main police stations.”

The documents show Greyball was a preferred response mechanism for areas where Uber was alleged to be operating outside existing laws or regulations. As Uber brainstormed ways to dodge authorities in Italy, Spain, the Netherlands and Belgium, executives discussed Greyball as a way to avoid detection.

“It feels to me like greyballing is better than banning, as the greyball user is likely to think that there’s just no supply out there (as opposed to being banned, or not seeing the view at all),” Uber’s Pierre-Dimitri Gore-Coty, then Western Europe regional general manager, wrote in an email in October 2014.

Spurgeon, speaking on behalf of Kalanick, said the CEO never authorized or directed Greyball to be used “for any illegal purpose.”

“The program was designed and used to protect Uber drivers from harassment and assault from taxi drivers—an unfortunate occurrence during the early days of Uber,” she wrote. “Government regulators were aware of the harassment and assaults Uber drivers suffered at the hands of taxi drivers, and the program was meant to try and protect Uber’s drivers. Notably, neither Mr. Kalanick nor anyone else at Uber has ever been accused of or charged with any offense related to Greyball by any enforcement agency.”

Spurgeon further characterized the resistance to Uber as it challenged the taxi industry in many important markets, saying: “To do this required a change of the status quo, as Uber became a serious competitor in an industry where competition had been historically outlawed. As a natural and foreseeable result, entrenched industry interests all over the world fought to prevent the much-needed development of the transportation industry.”

In Germany, a Munich official in 2014 had managed to ride with several Uber drivers, whom the company then expected would receive sternly worded letters from authorities, as other drivers had received at the time, according to the documents. The letters accused Uber drivers of transporting passengers without the necessary paperwork.

Uber then sought to prevent the Munich official from riding with any more drivers.

“He drove with 4 other drivers before we were able to Greyball/ban,” said the September 2014 email from Cornelius Schmahl, an Uber operations manager.

Schmahl, in response to a Post request for comment, replied with an image showing a single sentence. It was a quote sometimes misattributed to Thomas Jefferson: “If a law is unjust, a man is not only right to disobey it, he is obligated to do so.”

Uber used another tactic during a crackdown by authorities in Brussels in January 2015. The company, which had received a tip that an enforcement action was coming, learned that authorities were using people that Uber described as “mystery shoppers” to order rides with the intention of impounding the vehicles when drivers arrived.

Faced with this threat, Uber had employees sign up and pose as mystery shoppers — with the intention of snarling the operation. It blocked newly signed up users from ordering cars. It used geofencing to screen rides in the area where the crackdown was taking place. And it told employees to advise drivers to circle around or claim to be stuck in traffic rather than fulfilling ride requests deemed suspicious.

Uber employees planned to watch all of this play out on its “Heaven” view computer system that allowed them to watch trip activity across an area in real time, documents show.

Employees sometimes had reservations about Uber’s tactics.

“Of course, it gave pause,” said the former Uber lawyer in Europe who spoke on condition of anonymity. “But what Travis was saying was, ‘Do something and ask for forgiveness later.’ ”

U.S. prosecutors launched an investigation into Greyball after its disclosure by the New York Times in 2017 but have brought no charges.

Some Uber employees paid a price for their alleged efforts to circumvent regulators. Gore-Coty and Simphal were taken into custody in 2015. They were later convicted of complicity in operating an illegal transportation service and fined, but avoided jail time.

Gore-Coty, who is still an executive for Uber, said in a recent statement: “I was young and inexperienced and too often took direction from superiors with questionable ethics. While I believe just as deeply in Uber’s potential to create positive change as I did on day one, I regret some of the tactics used to get regulatory reform for ridesharing in the early days.”

In another case revealed by the Uber Files, de Kievit emailed the company leadership on April 10, 2015, to say he had been arrested in the Amsterdam office. He also said that Dutch authorities had asked him whether he had ordered equipment disconnected and told him he was being charged with obstruction of justice.

Two Dutch government officials, a prosecutor and a transport law enforcement official, recently confirmed that an Uber employee was arrested that month, though they declined to name the person. The prosecutor said the case was settled.

One of the former Uber executives said, reflecting on that era, “It was like a religion inside the company that we had to beat taxi and we had to beat other ride-share competitors, whatever it cost.”

Hazelbaker, the Uber spokeswoman, said the company has not used Heaven or Greyball since 2017 and now works cooperatively with authorities worldwide.

Uber promised South Africans better lives but knew drivers risked debt and danger

Raid dilemma

During a different raid, in Paris on July 6, 2015, Uber employees faced an internal battle: Comply or obstruct?

Paris executive Simphal wrote to colleagues saying that local authorities had arrived and that they wanted access to computers. MacGann, the lobbyist, replied by text that the Paris staff should play dumb as Uber centrally cut access to device after device.

But one escaped their reach — that of Gore-Coty, Uber’s general manager for Western Europe.

“F--- it seems Pierre’s laptop was not KS,” Simphal wrote, referring to the kill switch.

He instructed Gore-Coty to try to close an open browser tab that could provide access to Uber’s systems, according to the documents.

“But lawyers are saying that the moment we obstruct they will take us and staff into custody,” Simphal wrote to colleagues as the search continued. “They have full access right now on Pierre’s computer and are browsing through everything. Should we continue getting them full access? Or block knowing it means custody and being charged with obstruction?”

Internal communications suggest Uber wanted to give the appearance of complying. “I would give them access to the computer but in the background we cut access” to online systems, de Kievit responded by text message.

Alice Crites, Aaron C. Davis, Doug MacMillan and Michael E. Miller of The Post; Nicole Sadek and Fergus Shiel of the International Consortium of Investigative Journalists; Paul Lewis, Rob Davies and Simon Goodley of the Guardian; Gaby De Groot of Het Financieele Dagblad; Martin Untersinger of Le Monde; Frédéric Zalac of CBC and Radio-Canada; Romy van der Burgh of Investico; and journalist Melissa Iaria contributed to this report.

Loading...
Loading...