I really hope that Uber's shenanigans get studied in ethics classes in Computer Science and other technology degrees. When I was doing my CS degree, we had a mandatory ethics class (which I hated at the time but in hindsight think is a good thing). Ethical implications were something I hadn't previously thought of much, but in the field I've encountered them many times.
Based on the news that has been coming out from Uber, I think it's time for our industry to re-focus on the ethics of what we do. Being technologically cool, doesn't make something good.
Mine focused on Therac-25... not quite the same problem-space.
It's possible Uber's devs were misled about the nature of the software they were writing - for example I read their other secret system, "Greyball", was written under the guise of protecting Uber drivers from being physically assaulted by militant Taxi drivers - a common sight in certain parts of the world - nothing to do with the dual-use of shadow-banning public officials and journalists.
I think it's a pretty common ethics case study. Therac-25 almost seems like a meme to me these days:
"What are the ethical implications in the field of software engineering?"
"Therac-25."
I don't think we've gotten any better, either. I'm surprised there aren't thousands of Therac-25s killing people every day, actually. I guess the hardware engineers got better at turning off software, because I don't think software engineers got better at software engineering.
> I guess the hardware engineers got better at turning off software, because I don't think software engineers got better at software engineering.
Years ago (like 25 years) I read an author discussing safety critical system. He flat out said, safety must be a primary system level design goal. Attempts to band aid it in will fail. Properly designed systems have safeties, interlocks, and monitoring subsystems to prevent software bugs from propagating to the point where people are harmed. People designing safety critical systems tend to completely distrust software.
Huh, I think I never heard of the Therac-25. We instead talked about flight Lufthansa 2904 [1] (Airbus A320-211 Warsaw accident), also as a case of overconfident engineers (although Wikipedia mostly blames the weather report).
The "ethics" aspect came from the conduct of the engineers behind Therac that did not take the reports of malfunctions seriously, including a fatality - they were too overconfident and arrogant - as a result it took 2 more people to die, and many more seriously injured, before the problem was identified and fixed.
We also covered other ethics-related case-studies that covered project-mismanagement leading to massive cost-overruns, especially of public-service projects - particularly when those overruns are caused by malfeasance instead of incompetence or ever-changing client requirements (e.g. embezzlement, fraudulent conduct, etc). Another one was the ethics of personal data collection.
What's unethical about this? They were doing market research. It's not much different from stalking your competitor on google and going after the users they advertise to.
It's completely different, so far different as to be antonyms, opposites, completely diametrically opposed ends, because you just described a passive, orthogonal, ethical activity while Uber actively fooled with Lyft's systems to get the intel they wanted (emphasis mine):
> Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft’s system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider.
You literally just typed the equivalent of "what's wrong with using an ad unit to deliver a zero day exploit? It's not much different from advertising."
There isn't the one and only standard for ethics. Perhaps a class would teach a certain version of ethics, but not a universally applicable one. As a somewhat relevant example, a lot of ethical norms in USSR (prosecution of successful individuals, outlawing free speech, destroying dissent, banning "unethical" literature and works of art) would be considered completely unethical in the Western society and vise versa, although the admiration of former became fashionable in tech circles lately.
It's not an exploit. There was no privilege escalation, denial of service, theft of private data, or anything like that. You can take the technology involved and replace it with a human process: multiple people around the city open the app and report back to the HQ the locations they see. Now, would you say this process is illegal?
Simplifying it even more: If you had people on the street, looking for cars with a Lyft sticker and reporting back every one you see - would you say that is illegal?
Not sure about this in the US, but I'm pretty sure that in the UK, gathering a database of intelligence on competitors' staff earnings would be a violation of the Data Protection Act.
It would be interesting if this came to a trial. DPA protects only information that identifies people. If Uber collected information on cars instead which is anonymous and then correlated it with data it already has access to, so it only deanonymises its drivers, that's... I don't know.
IANAL, but I read the DPA a few times and I think it's an edge case. If someone has better idea, I'd love to hear it.
The Data Prrotection Act specifically covers this:
"* “personal data” means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller"
> Simplifying it even more: If you had people on the street, looking for cars with a Lyft sticker and reporting back every one you see - would you say that is illegal?
Yes, because trying to "hack" the legal system by finding things that you can argue are "technically legal" is not something that impresses me.
I get that beating someone up and throwing a paying customer off a plane, or using a firehose on civil rights marchers, is "legal" if some judge can be persuaded ($$$) to agree, but I'm not going to play that game: I don't want to live someplace where we do what is legal and don't do what is illegal; I want my neighbors to know right from wrong.
A Reasonable Person would think that Uber was doing this to wrong Lyft and indeed it turns out, was doing this to wrong Lyft.
Don't get me wrong. I think they're total assholes and shouldn't be doing this even if it is legal. But at the same time I'm interested in what would happen in case of an actual lawsuit. These don't care what impresses us :-(
Also, discussing what changes on Lyft's side would make it definitely illegal is interesting if you ever have some personal data in your own service.
The thing is, it would likely be a civil tort case, not necessarily a criminal case. An action can be legal from a criminal statute point of view, and yet still open the company up to a lawsuit in civil court where the other party can try to prove they were harmed.
I believe it would need to be personally identifiable data. The fact that Uber can personally identify someone with location is unique to them and falls into this gray area.
I have decided that location data is PII. It is notoriously hard to anonymize. I have conducted some experiments with customers and even with a a relatively few samples it was possibl to merge address databases and "anonymous" location with ease. Right now there is a data classification fiction in most corporations that location days is not PII because it lets them do all sorts of analytics. I predict this fiction is going to get so excited organization in trouble and not just an Uber being so blatant about it.
Intentionally accessing a protected computer system without authorization and obtaining information from it is a federal criminal offense (18 USC 1030 (a)(2)(C)).
They didn't access any Lyft systems. They ran Lyft software on their own devices and collected and analyzed the data Lyft provides. One can argue that they broke EULA, but it's not necessarily unethical, and I'm ready to bet the majority of this site users broke at least one software EULA in their lifetime.
Sure, the fake accounts just violated the ToS. But they then used an enumeration attack to find existing accounts and retrieve information not intended to be available to them. That it's not technologically sophisticated doesn't mean it's not a criminal offense.
If someone doesn't lock their front door and you enter their building, you're still trespassing. Especially if it's your competitor's front door and you're repeatedly entering the building to scout the place out for financial gain.
I don't use any service without having a basic understanding oh how secure and private their systems are - the CFAA makes that all illegal
"You wouldn't open an unlocked door" is the "you wouldn't download a car" of infosec. The later redefined theft as not requiring anybody to be deprived of a good while the former has the same flaw, you arent deprived of any good, you aren't harmed, you haven't been coerced or forced - i.e. It meets none of the common law definitions of trespass[0]
[0] but it does explain why ddos attacks, spam and stealing user data are trespass because they do meet those definitions
FWIW, I wouldn't walk through an unlocked door I'm clearly not meant to walk through.
There's a difference between "opening an unlocked door" and opening it, walking through it, making notes of everything behind it and repeating this room for all the other unlocked doors and then doing that pretty much continuously for days, weeks, months or however long Uber did it.
> FWIW, I wouldn't walk through an unlocked door I'm clearly not meant to walk through.
I would totally open an unmarked unlocked door in a public space that has locked doors clearly marked "restricted access", especially if the layout of the place I'm visiting suggests that there would be something interesting there.
That's pretty much what it boils down to, no? Just because you didn't document an endpoint doesn't necessarily mean it's restricted access. In fact, if the end point is accessible, and you have other sections of your service that require authentication, then it's very much the exception that proves the rule — the fact that you specifically forbid access to some routes reasonably means that, in general, I'm allowed access to unauthenticated endpoints.
The part of CFAA that classified breaking a EULA or Terms of Service as unauthorized access is a horrible law that is frequently abused (most famously Aaron Swartz)
It is rightfully broadly criticized, and that shouldn't change because Uber are the perpetrators here
Just because you like Aaron Swartz doesn't mean that the law was 'abused'. He flagrantly violated MIT's terms of service and knew that he was doing so.
> He flagrantly violated MIT's terms of service and knew that he was doing so.
Yep and that shouldn't be a federal offense with ~20 year jail term with a lifetime criminal record
It's private companies defining federal law and dictating enforcement for their own purposes. You wouldn't let Wal-Mart define what it's own tax laws are, or have McDonalds define what RICO is - having companies define what theft or trespass are is just as absurd.
edit: the list of notable CFAA cases reads like a tragic comedy[0]
There is a case in there where someone was charged for encouraging his union members to email complaints to a company and when it crashed their mail server he was charged under the CFAA.
The sentencing is up to the judge, not the law. Swartz was never sentenced to anything. You are getting the 20 year figure from media outlets that added up the maximum possible sentences for everything he was charged with, which bears no relation to how sentencing actually works.
Also, it obviously has to be a federal offense, since wires cross state lines.
The whole point is that they don't sentence people to 35 years - they use that as a threat to leverage them into pleading guilty. Hence the dictatorship-level 99%+ conviction rates.
Same thing happen to Aaron, they hung a 7 year sentence around his neck if he didn't please guilty to all charges and accept the deal they offered him.
Even the innocent would please guilty in those circumstances, it's the only rational thing to do.
There is no contradiction. Let me break it down again.
The original DOJ press release[0] when Schwartz was charged:
> If convicted on these charges, SWARTZ faces up to 35 years in prison
That maximum sentence is not uncommon in CFAA cases as most charges carry 10 or 5 years and layering charges together is very common (ex Mathew Keys faced 25 years on 3 charges for sharing a password)
Facing 35 years Swartz enters plea talks and is offered 6 months recommended, up to 6 years but guilty to all charges
The prosecutors tell him if he doesnt take that deal and goes to trial then they'll be seeking a 7 year minimum 35 year max
A lot has been written about the problems with not just federal sentencing and plea agreements (internationally it is a unique system) but also specific problems with CFAA and sentencing guidelines:
Again, 35 years is simply the figure derived by adding up all of the maximum sentences. Swartz had good legal advice. He knew he wasn't going to be sentenced to 35 years in jail.
The problems with plea agreements relate largely to innocent people being pressured into taking them because a trial is too risky. Swartz had clearly violated the law, so he would have had nothing to gain from going to trial in any jurisdiction.
>... realistically, Swartz was facing anything from probation to a few years in jail if he went to trial — depending largely on how you value the loss he caused — and either a 4 months in jail or 0-6 months in jail if he pled guilty.
How does that justify having a ridiculous 35 year sentence hanging over somebody for a terms of use violation? That is murder levels of sentencing
The case was far from clear cut, weev had his case overturned and the Lori Drew case was overturned specifically because the judge said terms of use violations don't apply under CFAA
I read Orin Kerr a lot, abd agree with almost all of what he says in the series he wrote on the Swartz case - I only didn't buy his justification that overprosecution is ok because all the other prosecutors also do it
Swartz's main concern was a lifetime criminal record and not being able to work, and second pleading guilty to charges that he (and many others) don't agree he was guilty to
I def agree with Kerr that the unauthorized access statutes need to be reformed tho, that would have the Swartz case irrelevant and placed it back where it belonged - in a civil court
>How does that justify having a ridiculous 35 year sentence hanging over somebody for a terms of use violation?
It's arithmetic. The maximum sentences are what they are, and their sum is what it is. Justification doesn't come into it. But a 35 year sentence was never "hanging over him". He had good legal advice. He knew that he would not go to jail for 35 years.
>The case was far from clear cut,
He physically broke into one of their network closets while attempting to disguise his identity. If that doesn't count as unauthorized access, nothing does.
>Swartz's main concern was a lifetime criminal record and not being able to work
Which, as Kerr points out, makes it absolutely baffling that he did this in the first place. It's often glossed over, but it really was an enormously stupid thing to do. It's sad that he got himself into so much trouble by doing it, but I can't see how anyone else is to blame for that. Especially when he'd already had fair warning after the PACER incident.
I have read it, but it opens with the "35 years in jail" canard and is full of nonsense. Example:
>MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
MIT did impose controls on the network to prevent Aaron from downloading PDFs, and he kept deliberately circumventing them (e.g. by spoofing his MAC address). So the idea that MIT was totally cool with what he was doing is obviously false, and AS knew that at the time.
Let's explore this from the information security perspective, since that is my thing. If I had performed this research against Lyft and knew about these "information disclosure" issues I would have felt they were significant enough for disclosure to see them remediated.
Why? Sweeping privacy concerns. In a world where most people have an Uber or a Lyft app installed security issues like this become spy machines. So it isn't just drivers that lose their privacy, in the long run it touches on everyone's privacy, because location data is notoriously hard to anonymize and machine learning is only getting better. So there is the first ethical argument against this behavior that pops to mind.
I don't think it is lack of ethical knowledge that makes people act unethical. It is that being consistently ethical costs and may have bad impact on your career. It is also that company like Uber would punish overly ethical people too much and would pish them out.
Ethical class might help a young developer understand why working at a company like that is a bad idea. Understanding that a company punishing you for being ethical is a big glowing red flag is important.
Yes, but the problem is that Uber pays well and it has a lot of interesting problems to solve, and as usual in our society, morality becomes the later priority than interesting work/pay
It's not a problem limited to our society. Ethics, regulations, and consumer pressure can all help to keep corporations in check. The thing to remember is that a corporation can never have a moral compass, so we have to give it to them.
But if there was the potential for future prosecution because of your actions, maybe that would alter the risk/reward profile enough for some people? Especially if you've taken an ethics course, and thus can't really argue plausible deniability.
If developers had a professional organization and working for Uber (or some company that does things which are banned by that organization) was a black mark on your resume that would ensure you never get a good job again, then we'd be in business.
Ethics being recognized as an important part of the field would also give one leverage to oppose their employeer's unethical demands, and make it more costly for the latter to make such demands in the first place.
Many technology people adopt a see no evil, hear no evil point of view. It's commonly manifested in the pseudo-libertarian philosophy that you hear a lot.
IMO, its one of the reasons this field is such a feast and famine shitshow. Unlike accountants, attorneys, and engineers, we have no professional associations or standards to help protect our professional interests.
Since we all learned so much from Enron and ethical problems like that never cropped up again, stands to reason Uber's going to be the last of its kind.
I've been designing a CS ethics class for the past few months, mostly as a personal challenge. I proposed it to a few professors in my department yesterday.
The responses I got were mostly variants of "not until they make us," which is exactly the kind of attitude that results in our present state of affairs (thinking of the BMW emissions controversy, Uber, &c). I don't want another major teachable scandal to come out of the tech world, but that may be what it takes.
It was VOLKSWAGEN --NOT BMW-- that created the emissions scandal by programming their cars to change the engine running parameters when the detected the conditions of the emissions test.
Perhaps the Guardian story is true and everyone is playing around the margins on the European tests, but that's trying to obscure the forest with one tree.
In the actual context of the comment, which is the the USA "emissions controversy" with the massively fraudulent code, it was VOLKSWAGEN that was the main player, BMW was not involved.
(also IMO, Diesels are a pretty bad way to burn fuel in any case; I don't think BMW should pursue it at all, and although I like my petrol-powered model, I wouldn't buy one of their diesels)
Sounds like they don't have the authority to do it. Perhaps pitch it to the business school Ethics professor, who perhaps might be willing to sign a letter of support.
Then take that to the authority. I believe it's the dean or provost of the CS department who would have the authority to make changes to the program -- and it is usually on a review cycle (so they might tell you to wait).
I think it's great what you've started, and so if all else fails -- put it on Coursera or open source it.
Thanks for the advice. I was planning to ask for support from the Philosophy department, but getting it from another school that has a practical ethics requirement is also a good idea.
The professors I talked to referred me to the department chair, who I think has final say over new courses here. Either way, open sourcing it would be fantastic (an entire section is devoted to ethical questions in IP/open source development).
It's only because Uber's view of its own drivers is known as heaven/god view.
edit: discussed in article.
Call me a pessimist, but I am betting that, despite the long and rocky road ahead, Uber is eventually going to succeed. And we're going to see the emergence of a new corporate template.
I strongly prefer lyft's side, haven't used uber in years and the last year I drove for ridesharing I exclusively drove for lyft and not uber, but I really don't have a problem with this. OF COURSE you should collect intelligence on your competitor's activities - if they expose information publically (e.g. showing the cars on the app / API) and cross-correlating with the uber drivers that still are logged on - what is the objection to this?
Mind you, some of the other things uber has done, like hail a lyft and repeatedly cancel, are totally not ok.
There is a strong dichotomy in the minds of many american people, between large private companies and public offices.
This is an instance of it: Uber has shown in the past that they can wield considerable powers, and are prone to misuse it. Therefore, them collecting data about drivers, a population that is vulnerable towards Uber (and a subset of which we know is shared between the two platforms), is dangerous.
If you approach this dichotomy from the other side, can you imagine the NSA being described as doing no-brainer customer research ?
If Uber had been circuit-bending the Lyft app or Lyft's API or rider/driver devices, I would think it unacceptable. But this information is being provided by Lyft inside their app. Uber was just aggregating this information and storing and analysing the data.
Also the NSA is doing a lot worse things and we know this for certain. I find it distressing how many people seemingly have forgotten about that. If the NSA were only going this far, I'd be pretty happy.
> But this information is being provided by Lyft inside their app.
No it isn't. Not according to the article. According to the article a fraction of that information is provided as part of the app but Uber went ahead and exploited the lack of operational security on Lyft's side to crawl _all_ the information by traversing over information intended for other users. Repeatedly.
No it's not. Its ok to estimate your competitors size by driving by their parking lot and counting how many cars are there. It's not ok to bypass security and access their company directory.
The ethical line is "what is publically available following all laws and regulations".
Collecting intelligence is one thing. But deliberately abusing your competitor's systems in a way they did not intend to allow in order to collect intelligence is not only ethically wrong, but also likely illegal, as this article mentions.
Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft’s system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider.
This is a very "benign" fake, akin to scraping a website for information... Moreover, you could just as easily do it with a 'real' account; and just use the 'real' account far... Less often than you're using it to scrape the info.
This wasn't public information to be scraped, hence the requirement for an account.
Creating fake accounts for this purpose is a violation of the current terms of service [1] (these might have been different in 2016):
9. Restricted Activities
h. forge headers or otherwise manipulate identifiers in order to disguise the origin of any information transmitted through the Lyft Platform;
l. use any robot, spider, site search/retrieval application, or other manual or automatic device or process to retrieve, index, scrape, “data mine”, or in any way reproduce or circumvent the navigational structure or presentation of the Lyft Platform or its contents;
When an end user breaks the terms of service of whatever system, most people would say that terms of service mean nothing. But since it's Uber, uuuuh, the scary terms of service!!!
it's likely not defensible in court. Let's say Uber was smart (i have no idea if they actually were) and used the account to monitor lyft demand, and every so often, sent the account on an actual ride, say, with one of their recruiters, to try and hook a lyft driver.... Then the account is being used for 'legit' purposes; where do you draw the line?
If you illegitimately gain access to privileged information and use that information illegitimately for financial gain, yes, that still counts even if it was done with the most primitive technology.
That you have access to information (whether accidental or through deception) doesn't mean you're free to use that information any way you please. Especially when it comes to anti-competitive business practices.
Let's say I am a dentist in Chicago who's buying Google AdWords. Every now and then I conduct a Google search for "chicago dentist" to see who else is in the run. To ensure a random distribution and no retargeting of results, I may conduct this search incognito or under a different Gmail account I've created.
Lyft said “We are in a competitive industry. However, if true, these allegations are very concerning.”
Notice the careful non-statement by Lyft. It's hard to believe Lyft isn't doing exactly the same thing.
It's not questionable behavior to track what your competitor is doing. That's the first step toward beating them. And yes, Uber is trying to beat Lyft, just like Lyft is trying to beat Uber. That happy balance is a good thing for consumers.
It's pretty strange that I have to second-guess whether to post this comment since it could be interpreted as a defense of Uber. But the PR spin is getting to be a feeding frenzy.
Is all tracking now unethical? Under what circumstances should you be allowed to track other people? Google knows more about you than your significant other. Should they be allowed to do this? Is this ethically questionable? What is the categorical difference between Google and Uber? These are questions which have no clear and easy answer, but it's painted as if it's so clear-cut.
> It's hard to believe Lyft isn't doing exactly the same thing.
No, it's actually really easy to believe that Lyft isn't tricking Uber's computer systems into giving Lyft real-time info on Uber's drivers and fare prices. Please stop trying to make excuses for Uber's shitty behavior.
You aren't allowed to comment like this here, and you should definitely know this. You have to engage civilly and substantively with points you disagree with, not make a lowbrow "Uber is shitty and so are you" comment.
Yep, I agree with your disagreement. Oh well. Apologies to eridius.
I just wish we could maybe turn down the heated discourse from the maximum setting, since people are quick to escalate. But my original comment certainly didn't help in that regard.
So, now that I've chosen to be in the hot-seat regarding Uber, who's up for a debate? Why is this particular behavior unethical? If it's true they accessed Lyft's API, under what circumstances is it ok to do this as a competitor? I promise I have an open mind.
Usage of the API is bound by the terms of service. I've not read Lyft's ToS in detail, but I'm sure what Uber is doing is in violation of said terms. That's certainly unethical, potentially illegal.
So to be clear, is it true to say that under no circumstances may a competitor access an API without it being unethical behavior? It seems like every business will have a ToS clause to cover that, so this is an interesting moral question.
Assuming it's unethical, if you were asked at your company to build a script that accesses a competitor's API, what should you do?
Isn't it difficult to claim in general that collecting data using a competitor's services is inherently unethical?
If you're using a competitor's API in a way the API was intended to be used, it's probably OK, even if your motivation is to gain intelligence. But when you're breaking the ToS or otherwise doing things it wasn't intended to do, that's a problem.
Hmm, I see. Is it possible to think of a single example where you could use a competitor's API in a way they intend, but also at a scale large enough to be useful from an intelligence perspective?
If there isn't one, it seems like the argument again reduces down to "It's never okay for a competitor to use an API," which could be problematic.
IANAL, but using Lyft's API to see pricing and availability (to model your pricing and/or where drivers are in abundance) seems at minimum in a grey area. Using it to de-anonymize drivers and try to poach them, feels like crossing the line to me.
Eridius answered the first part, so I'll tackle the second part. What you should do depends on many factors. First and foremost, is the access you are doing strictly forbidden? You'd be surprised how often it's not. Next you'd need to assess the intent of the access. Is it for a legitimate fair use reason (even if forbidden, aka it's a judgment call if you feel you could legitimately make a case it shouldn't be forbidden)? Ultimately the above two don't matter, it all comes down to a decision of "is keeping your job" more important than "doing what is ethical/legal/whatever"?
Maybe it is productive to compare this to Aaron Schwartz's violation of the terms of service, downloading information from a publishers api using a university account against the terms of service.
That was enough reason for a 35 year prison charge, plus 1 million damages.
Of course, he was an activist, doing it for ideological reasons, against corporate interests. Contrary to what one might expect, the class justice system in the US punishes that much harder than a big corporation doing the same for the non-ideological reason of making more profit.
Most people here seem to think it's benign, just a company competing hard, but that seems hypocritical to me.
But Uber supposedly has no competition relation with drivers. Adding that drivers may choose to work both for Uber and Lyft, this gives Uber leverage against a category of population they have been known to abuse.
The danger here is the combination of undue knowledge and a de-facto dependency relation in the hands of a known offender.
Because most companies don't intentionally break the law or engage in fraudulent activity. Just because Uber does this all the time doesn't mean Uber's competitors must do it too.
Or they're being smart with PR: they issue a statement saying this is concerning, but not too strongly worded, and let the general coverage and zeitgeist say all the things they'd like to say, but without anyone being able to pin those statements on them later.
Agree. Google not only tracked Bing but also set up fake results to catch them copying.
There's an app that compares the price from Uber, Lyft and others services.
These two examples are using data from computer systems in a way companies didn't intend. Have you guys ever thought that search engines scraping your site is opt-out?
We are just repelling this because Uber has a bad reputation.
> Google not only tracked Bing but also set up fake results to catch them copying.
I'm not sure I see the similarity. Google never sent false queries to Bing - Google sent synthetic queries to their own infrastructure, and observed how Microsoft's software (search engine, toolbar etc.) responded to that. There's
That seems closer to if Uber had just hired a team of people to use Lyft and record their observations (which is still problematic, as one of the results is tracking people without their knowledge, but for different reasons than falsifying queries to scrape this data).
Uber & Lyft need a large pool of drivers readily available. The quick pickup is a key part of the experience that makes them superior to taxis. Especially drivers who are rated well. I'd be kind of surprised if a driver's rating didn't factor into their entire incentive program. I carried a 4.9 Uber rating by the time I quit driving and they were issuing some really attractive incentives by the end.
They created fake accounts with fake geolocation to extract information, then they exploited a design flaw in Lyft's software to perform an enumeration attack that allowed them to extract full information about all drivers in real time in order to exploit that information financially.
Google crawls public websites while respecting counter-measures like the `robots.txt` protocol. They also don't create fake accounts. They most certainly don't perform enumeration attacks to find more content to index.
This is nothing like what Google does. If Google did this, they'd be called out the same way.
Heck, if anything, this is similar to what Aaron Swartz did, except Aaron did it to make the information public rather than profit from it for financial gain -- and the data he did it with was neither sensitive nor private.
If I were Lyft, I might try to detect what traffic is coming from suspect clients and present an inaccurate view to them to maximize inefficient spending on Uber's part. This seems like it should be easy to do without harming someone in case you inaccurately label someone as illegitimate.
It is interesting that Lyft didn't detect this malicious behaviour and this raises some questions.
Did Uber try to obscure what they were doing by spreading the requests over various IPs to cover their tracks? This would indicate that they knew they were doing something malicious (which could affect sentencing if this is considered a federal crime under US law which it actually might be -- though IANAL).
If this really was "realtime", why didn't Lyft notice the unusual request volume? What could they have done to detect this as suspicious and investigate? Are there some specific lessons other companies could learn from this?
Detecting these kinds of behaviors is hard without generating false positives. GPS on phones arent always the most reliable thing, especially if the user is opening and closing the app.
An app that did try to stop this type of behavior was Pokémon Go. It took them a while to do even halfway well.
>Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft’s system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider.
I don't see how this is nefarious, Uber is scraping data that Lyft is sharing publicly. And based on Lyft's response, my hunch is that they do the same thing.
If anything, this story distracts us from legit nasty business practices - like repeatedly cancelling on Lyft drivers to waste their time and lower their earnings.
Uber is scraping data that Lyft is sharing publicly.
Except they're really not. They accessed data from an API that is only available to the Lyft app by creating some fake profiles. That means their profiles couldn't legally have agreed to the app's terms and conditions, so it wasn't legally permissible for them to access the API. So no, they weren't just accessing information that Lyft were "sharing publicly".
Do you think it's OK for violating the T&Cs of an app to be illegal? Isn't that the same as using the F word on a forum when you agreed not to? Didn't we go through all this with Aaron Swartz and one or two other high profile hackers?
Consider Uber's "Greyball" program. This attempted to identify people (read: government officials) who would use Uber in order to document how it worked for purposes of determining if it complied with local laws, and ensure they couldn't get a ride and thus couldn't collect evidence of Uber breaking the law.
They said that was really a program to deal with people violating their terms of service. So one would think, given Uber's demonstrated commitment to enforcing its own terms, they'd have the utmost respect for competitors' terms. Of course, if they violate competitors' terms to gain an advantage, then we know where they really stand and what their own standards are (i.e., no standards other than "anything that gets us ahead is good").
Do you think it's OK for violating the T&Cs of an app to be illegal?
I don't think determining legality and harm should be a boolean operation. There are layers of subtly and nuance in most things, and the law is one of them. I don't think posting the F word on a forum where the owner doesn't want you to post it should be treated as an equal violation of the law as deliberately abusing your competition as a billion dollar business. The amount of damage, and perhaps potential damage should be considered. When I swear a reasonable person would think the harm is minimal. When I try to sabotage another company where the damage could result in billions of dollars of lost investment and thousands of jobs vanishing a reasonable person would think that's pretty bad. They're technically the same 'crime', but they're obviously not the same in scale.
Legality should be boolean - either you're following the law or you're not. If guilty, however, the penalty should be proportionate to the harm done.
In this particular case, Uber is guilty of breaching Lyft ToS's clause around no data mining. However, this seems like an insignificant infraction, there is likely to be zero legal penalty. Lyft's only recourse is to either shut down Uber's accounts or feed them bogus data.
> Do you think it's OK for violating the T&Cs of an app to be illegal?
Yes, T&C are the legal terms and conditions under which you have permission to use an app; violating them ought, geenrally, to be illegal, provided they are valid in form and process.
> Isn't that the same as using the F word on a forum when you agreed not to?
Yes, breaking that agreement could also be illegal. Why is that relevant?
> Didn't we go through all this with Aaron Swartz and one or two other high profile hackers?
Whether a thing should be illegal is a broader question than whether it should be criminal, which is a broader question than whether it should be covered under a particular criminal statute with particular penalties or pursued in a particular manner by prosecutors.
Are user location credentials often accidentally exposed in other app's APIs? This isn't something I have much knowledge in and am just wondering how often this is a security issue.
Trying to think through how Hell must have worked, Uber must have decoded Lyft's encrypted Rest APIs and were able to hit an endpoint that returned the 8 nearest available rides given a user and geolocation. Given a large metro area such as LA, you would probably need to make hundreds of requests with fake geolocations to be able to map out the whole area. You would probably only need to do it maybe every 5-10 minutes to get decent resolution for a semi-live map. Depending on Lyft's rate limiting you might get by with in the order of dozens of fake accounts. Given Lyft's scale this would probably be small undetectable noise in their analytics and wouldn't really degrade their systems. I would say it's only semi-shady, probably doesn't rise to the level of civil or criminal lawsuits.
I love how "There has been some recent tension between her and Kalanick, with some investors blaming bad press for Uber’s woes (wrong!), although sources said that was expected given all the controversies at the company of late." becomes "Uber’s head of communications Rachel Whetstone recently quit, reportedly because of conflicts with Kalanick."
Please note that the whole "illegal access to a computer system" business is what Aaron Scwartz was being prosecuted for. I don't think we want to promote a restrictive idea about what constitutes authorised use of a system, just so we can have a go at an unpopular taxi service.
As technology goes, Aaron merely accessed what was already accessible to every user. Uber accessed information a single user wouldn't have had access to.
As ethics go, Aaron downloaded information that represented publicly funded research and would be available to the public if academic publishing wasn't so horribly defunct. Uber extracted operative business information that was only meant to be exposed a fraction at a time to provide specific services.
As motives go, Aaron tried to make information publicly available for free. Uber tried to poach Lyft's drivers and sabotage Lyft's operational model for financial gain.
The only value of Aaron's case in this discussion is as an example in the form of "If what Aaron did was grounds for criminal prosecution, how is what Uber did not a federal crime?".
Even if you disagree with the ethical aspects, Aaron exfiltrated information available to any normal user (just at a larger scale than intended) whereas Uber intentionally exploited a design flaw to access information not available to any individual user. If both crimes could be described as "doing X, and then doing the same thing again a lot more times" for Aaron X was "downloading a file intentionally made available to all users" whereas for Uber X was "downloading information only intended to be available to a single other user".
I would really like to know what is unethical (or even illegal) about this (just so I can understand this correctly).
Uber
* created multiple fake accounts on lyft to know about it's drivers
* figured out that it's drivers were assigned numerical ids
* used said ids, to track lyft drivers.
imho, this is just figuring out your competition (say by signing up to the service) and then using this knowledge to improve your service (by incising drivers on both platforms to ditch one).
This is one of those "do things that don't scale" mean (or my interpretation of it). I say this because, one multi-billion $ "startup" is doing this to another multi-billion $ "startup".
Also, I'm sure this would never be an issue if Uber was not in the press for other crappy stuff they did.
>If there were several Uber drivers near an Uber rider but one of those drivers was also frequently available on the Lyft network, as seen by the Hell program, Uber’s ride-dispatch team was supposed to “tip” that ride request to the driver who was “dual apping,” or typically looking for riders through both the Lyft and Uber apps, sometimes by using two different smartphones at the same time. The person involved in the program called it “privileged dispatch” and said Uber aimed to use that to squeeze Lyft’s supply of drivers.
[from the original article on The Information]
I think this should be the most controversial part of the program. Essentially, Uber favored its drivers who used both Uber and Lyft at the expense of its drivers who were strictly loyal to Uber.
I always wondered why Uber showed fake cars on their map. I remember them citing "technical" issues which seemed suspicious given that it's not a hard problem, and Lyft actually shows car locations. I wouldn't be surprised if the fake cars came about as a result of the Hell program when they realized car locations could be used against them.
What is wrong with Uber's management? I don't think I've ever read anything positive about the company.
From their numerous gender bias and sexual harassment claims, to their CEO acting like a bratty spoiled 15yr old and bitching out a driver, to trying to skirt public safety laws by refusing to register their self-driving cars after being catered and begged to do so by government regulators simply because they don't give a fuck, to this whole Waymo lawsuit, to this. I think this shitty company needs a complete change of upper management.
I drove for both Lyft and Uber last year, and I could swear that Uber was tracking Lyft. I'd get a call for an Uber and while fumbling around with the phone getting to the Lyft app to drop driver mode, I'd get a Lyft call in. Totally anecdotal, but it happened enough that I noticed. Eventually I quit trying to double dip, it was just too stressful. I'd make a call on which to use based on the incentives being offered, basically, or if things were slow on one I'd switch to the other.
159 comments
[ 2.6 ms ] story [ 209 ms ] threadBased on the news that has been coming out from Uber, I think it's time for our industry to re-focus on the ethics of what we do. Being technologically cool, doesn't make something good.
It's possible Uber's devs were misled about the nature of the software they were writing - for example I read their other secret system, "Greyball", was written under the guise of protecting Uber drivers from being physically assaulted by militant Taxi drivers - a common sight in certain parts of the world - nothing to do with the dual-use of shadow-banning public officials and journalists.
Though I feel that's not so much about ethics as it was appropriate safeguards/testing given the problem space.
"What are the ethical implications in the field of software engineering?"
"Therac-25."
I don't think we've gotten any better, either. I'm surprised there aren't thousands of Therac-25s killing people every day, actually. I guess the hardware engineers got better at turning off software, because I don't think software engineers got better at software engineering.
Years ago (like 25 years) I read an author discussing safety critical system. He flat out said, safety must be a primary system level design goal. Attempts to band aid it in will fail. Properly designed systems have safeties, interlocks, and monitoring subsystems to prevent software bugs from propagating to the point where people are harmed. People designing safety critical systems tend to completely distrust software.
[1] https://en.wikipedia.org/wiki/Lufthansa_Flight_2904
Its a pretty infamous case.
We also covered other ethics-related case-studies that covered project-mismanagement leading to massive cost-overruns, especially of public-service projects - particularly when those overruns are caused by malfeasance instead of incompetence or ever-changing client requirements (e.g. embezzlement, fraudulent conduct, etc). Another one was the ethics of personal data collection.
Summary: https://en.wikipedia.org/wiki/Therac-25#Problem_description
Full Reading from Berkeley course: https://www-inst.cs.berkeley.edu/~cs61a/reader/Therac-25.pdf
> Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft’s system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider.
You literally just typed the equivalent of "what's wrong with using an ad unit to deliver a zero day exploit? It's not much different from advertising."
Simplifying it even more: If you had people on the street, looking for cars with a Lyft sticker and reporting back every one you see - would you say that is illegal?
IANAL, but I read the DPA a few times and I think it's an edge case. If someone has better idea, I'd love to hear it.
"* “personal data” means data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller"
Sorry, but they already thought of that one.
Yes, because trying to "hack" the legal system by finding things that you can argue are "technically legal" is not something that impresses me.
I get that beating someone up and throwing a paying customer off a plane, or using a firehose on civil rights marchers, is "legal" if some judge can be persuaded ($$$) to agree, but I'm not going to play that game: I don't want to live someplace where we do what is legal and don't do what is illegal; I want my neighbors to know right from wrong.
A Reasonable Person would think that Uber was doing this to wrong Lyft and indeed it turns out, was doing this to wrong Lyft.
Also, discussing what changes on Lyft's side would make it definitely illegal is interesting if you ever have some personal data in your own service.
> collected and analyzed the data Lyft provides
they did it without permission
If someone doesn't lock their front door and you enter their building, you're still trespassing. Especially if it's your competitor's front door and you're repeatedly entering the building to scout the place out for financial gain.
"You wouldn't open an unlocked door" is the "you wouldn't download a car" of infosec. The later redefined theft as not requiring anybody to be deprived of a good while the former has the same flaw, you arent deprived of any good, you aren't harmed, you haven't been coerced or forced - i.e. It meets none of the common law definitions of trespass[0]
[0] but it does explain why ddos attacks, spam and stealing user data are trespass because they do meet those definitions
There's a difference between "opening an unlocked door" and opening it, walking through it, making notes of everything behind it and repeating this room for all the other unlocked doors and then doing that pretty much continuously for days, weeks, months or however long Uber did it.
I would totally open an unmarked unlocked door in a public space that has locked doors clearly marked "restricted access", especially if the layout of the place I'm visiting suggests that there would be something interesting there.
That's pretty much what it boils down to, no? Just because you didn't document an endpoint doesn't necessarily mean it's restricted access. In fact, if the end point is accessible, and you have other sections of your service that require authentication, then it's very much the exception that proves the rule — the fact that you specifically forbid access to some routes reasonably means that, in general, I'm allowed access to unauthenticated endpoints.
It is rightfully broadly criticized, and that shouldn't change because Uber are the perpetrators here
Yep and that shouldn't be a federal offense with ~20 year jail term with a lifetime criminal record
It's private companies defining federal law and dictating enforcement for their own purposes. You wouldn't let Wal-Mart define what it's own tax laws are, or have McDonalds define what RICO is - having companies define what theft or trespass are is just as absurd.
edit: the list of notable CFAA cases reads like a tragic comedy[0]
There is a case in there where someone was charged for encouraging his union members to email complaints to a company and when it crashed their mail server he was charged under the CFAA.
https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#N...
Also, it obviously has to be a federal offense, since wires cross state lines.
With 97% of federal cases ending in plea agreements sentencing is overwealmingly in the hands of prosecutors.
In the Swartz case she wanted him to plead guilty to every single charge and serve up to 6 years. Hence the suicide.
As leverage in negotiations they told him at trial he was facing up to 35.
It was 6 months, not 6 years. http://archive.boston.com/metrodesk/2013/01/14/mit-hacking-c...
>As leverage in negotiations they told him at trial he was facing up to 35.
Again, this is a nonsense figure. Can you give an example of someone who has been sentenced to 35 years in jail for similar crimes?
Same thing happen to Aaron, they hung a 7 year sentence around his neck if he didn't please guilty to all charges and accept the deal they offered him.
Even the innocent would please guilty in those circumstances, it's the only rational thing to do.
But you contradict this in your own post. They threatened him with a 7 year jail term, not a 35 year jail term.
The plight of the innocent in the US system is very real, but irrelevant to the case of AS, as he was very clearly and unambiguously guilty.
The original DOJ press release[0] when Schwartz was charged:
> If convicted on these charges, SWARTZ faces up to 35 years in prison
That maximum sentence is not uncommon in CFAA cases as most charges carry 10 or 5 years and layering charges together is very common (ex Mathew Keys faced 25 years on 3 charges for sharing a password)
Facing 35 years Swartz enters plea talks and is offered 6 months recommended, up to 6 years but guilty to all charges
The prosecutors tell him if he doesnt take that deal and goes to trial then they'll be seeking a 7 year minimum 35 year max
A lot has been written about the problems with not just federal sentencing and plea agreements (internationally it is a unique system) but also specific problems with CFAA and sentencing guidelines:
https://www.eff.org/deeplinks/2013/03/41-months-weev-underst...
[0] https://web-beta.archive.org/web/20110724043722/https://www....
The problems with plea agreements relate largely to innocent people being pressured into taking them because a trial is too risky. Swartz had clearly violated the law, so he would have had nothing to gain from going to trial in any jurisdiction.
See e.g. here for further analysis:
http://volokh.com/2013/01/16/the-criminal-charges-against-aa...
>... realistically, Swartz was facing anything from probation to a few years in jail if he went to trial — depending largely on how you value the loss he caused — and either a 4 months in jail or 0-6 months in jail if he pled guilty.
The case was far from clear cut, weev had his case overturned and the Lori Drew case was overturned specifically because the judge said terms of use violations don't apply under CFAA
I read Orin Kerr a lot, abd agree with almost all of what he says in the series he wrote on the Swartz case - I only didn't buy his justification that overprosecution is ok because all the other prosecutors also do it
Swartz's main concern was a lifetime criminal record and not being able to work, and second pleading guilty to charges that he (and many others) don't agree he was guilty to
I def agree with Kerr that the unauthorized access statutes need to be reformed tho, that would have the Swartz case irrelevant and placed it back where it belonged - in a civil court
It's arithmetic. The maximum sentences are what they are, and their sum is what it is. Justification doesn't come into it. But a 35 year sentence was never "hanging over him". He had good legal advice. He knew that he would not go to jail for 35 years.
>The case was far from clear cut,
He physically broke into one of their network closets while attempting to disguise his identity. If that doesn't count as unauthorized access, nothing does.
>Swartz's main concern was a lifetime criminal record and not being able to work
Which, as Kerr points out, makes it absolutely baffling that he did this in the first place. It's often glossed over, but it really was an enormously stupid thing to do. It's sad that he got himself into so much trouble by doing it, but I can't see how anyone else is to blame for that. Especially when he'd already had fair warning after the PACER incident.
>MIT is aware of the controls they could put in place to prevent what they consider abuse, such as downloading too many PDFs from one website or utilizing too much bandwidth, but they choose not to.
MIT did impose controls on the network to prevent Aaron from downloading PDFs, and he kept deliberately circumventing them (e.g. by spoofing his MAC address). So the idea that MIT was totally cool with what he was doing is obviously false, and AS knew that at the time.
The Information article suggests that driver IDs were available in the clear to anyone who'd bother looking at API payloads.
Why? Sweeping privacy concerns. In a world where most people have an Uber or a Lyft app installed security issues like this become spy machines. So it isn't just drivers that lose their privacy, in the long run it touches on everyone's privacy, because location data is notoriously hard to anonymize and machine learning is only getting better. So there is the first ethical argument against this behavior that pops to mind.
Ethical class won't solve that.
That's how it works for doctors and lawyers.
IMO, its one of the reasons this field is such a feast and famine shitshow. Unlike accountants, attorneys, and engineers, we have no professional associations or standards to help protect our professional interests.
The responses I got were mostly variants of "not until they make us," which is exactly the kind of attitude that results in our present state of affairs (thinking of the BMW emissions controversy, Uber, &c). I don't want another major teachable scandal to come out of the tech world, but that may be what it takes.
first article found of 641000 http://www.bbc.com/news/business-34324772
BMW is actually doing it right http://www.bmwblog.com/2016/02/16/top-five-current-diesel-bm...
sheesh
(edit: add BMW story link)
The BMW story is on a bmw blog...
Here you can see other emissions, in a Guardian article, where it's clearly to be seen that BMW does not comply to the EURO 6 norms.
https://www.theguardian.com/business/2016/apr/21/all-top-sel...
In the actual context of the comment, which is the the USA "emissions controversy" with the massively fraudulent code, it was VOLKSWAGEN that was the main player, BMW was not involved.
(also IMO, Diesels are a pretty bad way to burn fuel in any case; I don't think BMW should pursue it at all, and although I like my petrol-powered model, I wouldn't buy one of their diesels)
Then take that to the authority. I believe it's the dean or provost of the CS department who would have the authority to make changes to the program -- and it is usually on a review cycle (so they might tell you to wait).
I think it's great what you've started, and so if all else fails -- put it on Coursera or open source it.
The professors I talked to referred me to the department chair, who I think has final say over new courses here. Either way, open sourcing it would be fantastic (an entire section is devoted to ethical questions in IP/open source development).
edit: discussed in article.
Call me a pessimist, but I am betting that, despite the long and rocky road ahead, Uber is eventually going to succeed. And we're going to see the emergence of a new corporate template.
Mind you, some of the other things uber has done, like hail a lyft and repeatedly cancel, are totally not ok.
This is an instance of it: Uber has shown in the past that they can wield considerable powers, and are prone to misuse it. Therefore, them collecting data about drivers, a population that is vulnerable towards Uber (and a subset of which we know is shared between the two platforms), is dangerous.
If you approach this dichotomy from the other side, can you imagine the NSA being described as doing no-brainer customer research ?
Also the NSA is doing a lot worse things and we know this for certain. I find it distressing how many people seemingly have forgotten about that. If the NSA were only going this far, I'd be pretty happy.
No it isn't. Not according to the article. According to the article a fraction of that information is provided as part of the app but Uber went ahead and exploited the lack of operational security on Lyft's side to crawl _all_ the information by traversing over information intended for other users. Repeatedly.
Pretty sure HN would agree with that.
The ethical line is "what is publically available following all laws and regulations".
Hell originated after Uber created fake rider accounts on Lyft and used software to trick Lyft’s system into thinking those riders were in certain locations. This allowed Uber to see the eight closest available Lyft drivers to each fake rider.
Creating fake accounts for this purpose is a violation of the current terms of service [1] (these might have been different in 2016):
9. Restricted Activities
h. forge headers or otherwise manipulate identifiers in order to disguise the origin of any information transmitted through the Lyft Platform;
l. use any robot, spider, site search/retrieval application, or other manual or automatic device or process to retrieve, index, scrape, “data mine”, or in any way reproduce or circumvent the navigational structure or presentation of the Lyft Platform or its contents;
[1] https://www.lyft.com/terms
When an end user breaks the terms of service of whatever system, most people would say that terms of service mean nothing. But since it's Uber, uuuuh, the scary terms of service!!!
That you have access to information (whether accidental or through deception) doesn't mean you're free to use that information any way you please. Especially when it comes to anti-competitive business practices.
That's OK?
Notice the careful non-statement by Lyft. It's hard to believe Lyft isn't doing exactly the same thing.
It's not questionable behavior to track what your competitor is doing. That's the first step toward beating them. And yes, Uber is trying to beat Lyft, just like Lyft is trying to beat Uber. That happy balance is a good thing for consumers.
It's pretty strange that I have to second-guess whether to post this comment since it could be interpreted as a defense of Uber. But the PR spin is getting to be a feeding frenzy.
Is all tracking now unethical? Under what circumstances should you be allowed to track other people? Google knows more about you than your significant other. Should they be allowed to do this? Is this ethically questionable? What is the categorical difference between Google and Uber? These are questions which have no clear and easy answer, but it's painted as if it's so clear-cut.
No, it's actually really easy to believe that Lyft isn't tricking Uber's computer systems into giving Lyft real-time info on Uber's drivers and fare prices. Please stop trying to make excuses for Uber's shitty behavior.
I just wish we could maybe turn down the heated discourse from the maximum setting, since people are quick to escalate. But my original comment certainly didn't help in that regard.
So, now that I've chosen to be in the hot-seat regarding Uber, who's up for a debate? Why is this particular behavior unethical? If it's true they accessed Lyft's API, under what circumstances is it ok to do this as a competitor? I promise I have an open mind.
(PS, thanks for the late level headedness!)
Assuming it's unethical, if you were asked at your company to build a script that accesses a competitor's API, what should you do?
Isn't it difficult to claim in general that collecting data using a competitor's services is inherently unethical?
If there isn't one, it seems like the argument again reduces down to "It's never okay for a competitor to use an API," which could be problematic.
That was enough reason for a 35 year prison charge, plus 1 million damages.
Of course, he was an activist, doing it for ideological reasons, against corporate interests. Contrary to what one might expect, the class justice system in the US punishes that much harder than a big corporation doing the same for the non-ideological reason of making more profit.
Most people here seem to think it's benign, just a company competing hard, but that seems hypocritical to me.
But Uber supposedly has no competition relation with drivers. Adding that drivers may choose to work both for Uber and Lyft, this gives Uber leverage against a category of population they have been known to abuse.
The danger here is the combination of undue knowledge and a de-facto dependency relation in the hands of a known offender.
My personal opinion on the state of the tech industry is we have a large ethics deficit, but this is beyond the point here.
How, or why, is that really easy to believe?
They just don't want to be seen making a big deal out of something that later turns out to be nothing.
There's an app that compares the price from Uber, Lyft and others services.
These two examples are using data from computer systems in a way companies didn't intend. Have you guys ever thought that search engines scraping your site is opt-out?
We are just repelling this because Uber has a bad reputation.
I'm not sure I see the similarity. Google never sent false queries to Bing - Google sent synthetic queries to their own infrastructure, and observed how Microsoft's software (search engine, toolbar etc.) responded to that. There's
That seems closer to if Uber had just hired a team of people to use Lyft and record their observations (which is still problematic, as one of the results is tracking people without their knowledge, but for different reasons than falsifying queries to scrape this data).
Could this be a CFAA violation? Are there any prosecutorial jurisdictions with lots of Lyfts and few or no Uber?
Google crawls public websites while respecting counter-measures like the `robots.txt` protocol. They also don't create fake accounts. They most certainly don't perform enumeration attacks to find more content to index.
This is nothing like what Google does. If Google did this, they'd be called out the same way.
Heck, if anything, this is similar to what Aaron Swartz did, except Aaron did it to make the information public rather than profit from it for financial gain -- and the data he did it with was neither sensitive nor private.
It's starting to feel like the campaign to pump up all the Russophobia
Did Uber try to obscure what they were doing by spreading the requests over various IPs to cover their tracks? This would indicate that they knew they were doing something malicious (which could affect sentencing if this is considered a federal crime under US law which it actually might be -- though IANAL).
If this really was "realtime", why didn't Lyft notice the unusual request volume? What could they have done to detect this as suspicious and investigate? Are there some specific lessons other companies could learn from this?
An app that did try to stop this type of behavior was Pokémon Go. It took them a while to do even halfway well.
This is not ethical. It's not.
If anything, this story distracts us from legit nasty business practices - like repeatedly cancelling on Lyft drivers to waste their time and lower their earnings.
Except they're really not. They accessed data from an API that is only available to the Lyft app by creating some fake profiles. That means their profiles couldn't legally have agreed to the app's terms and conditions, so it wasn't legally permissible for them to access the API. So no, they weren't just accessing information that Lyft were "sharing publicly".
They said that was really a program to deal with people violating their terms of service. So one would think, given Uber's demonstrated commitment to enforcing its own terms, they'd have the utmost respect for competitors' terms. Of course, if they violate competitors' terms to gain an advantage, then we know where they really stand and what their own standards are (i.e., no standards other than "anything that gets us ahead is good").
I don't think determining legality and harm should be a boolean operation. There are layers of subtly and nuance in most things, and the law is one of them. I don't think posting the F word on a forum where the owner doesn't want you to post it should be treated as an equal violation of the law as deliberately abusing your competition as a billion dollar business. The amount of damage, and perhaps potential damage should be considered. When I swear a reasonable person would think the harm is minimal. When I try to sabotage another company where the damage could result in billions of dollars of lost investment and thousands of jobs vanishing a reasonable person would think that's pretty bad. They're technically the same 'crime', but they're obviously not the same in scale.
In this particular case, Uber is guilty of breaching Lyft ToS's clause around no data mining. However, this seems like an insignificant infraction, there is likely to be zero legal penalty. Lyft's only recourse is to either shut down Uber's accounts or feed them bogus data.
Yes, T&C are the legal terms and conditions under which you have permission to use an app; violating them ought, geenrally, to be illegal, provided they are valid in form and process.
> Isn't that the same as using the F word on a forum when you agreed not to?
Yes, breaking that agreement could also be illegal. Why is that relevant?
> Didn't we go through all this with Aaron Swartz and one or two other high profile hackers?
Whether a thing should be illegal is a broader question than whether it should be criminal, which is a broader question than whether it should be covered under a particular criminal statute with particular penalties or pursued in a particular manner by prosecutors.
As technology goes, Aaron merely accessed what was already accessible to every user. Uber accessed information a single user wouldn't have had access to.
As ethics go, Aaron downloaded information that represented publicly funded research and would be available to the public if academic publishing wasn't so horribly defunct. Uber extracted operative business information that was only meant to be exposed a fraction at a time to provide specific services.
As motives go, Aaron tried to make information publicly available for free. Uber tried to poach Lyft's drivers and sabotage Lyft's operational model for financial gain.
The only value of Aaron's case in this discussion is as an example in the form of "If what Aaron did was grounds for criminal prosecution, how is what Uber did not a federal crime?".
Even if you disagree with the ethical aspects, Aaron exfiltrated information available to any normal user (just at a larger scale than intended) whereas Uber intentionally exploited a design flaw to access information not available to any individual user. If both crimes could be described as "doing X, and then doing the same thing again a lot more times" for Aaron X was "downloading a file intentionally made available to all users" whereas for Uber X was "downloading information only intended to be available to a single other user".
Uber
* created multiple fake accounts on lyft to know about it's drivers
* figured out that it's drivers were assigned numerical ids
* used said ids, to track lyft drivers.
imho, this is just figuring out your competition (say by signing up to the service) and then using this knowledge to improve your service (by incising drivers on both platforms to ditch one).
This is one of those "do things that don't scale" mean (or my interpretation of it). I say this because, one multi-billion $ "startup" is doing this to another multi-billion $ "startup".
Also, I'm sure this would never be an issue if Uber was not in the press for other crappy stuff they did.
I think this should be the most controversial part of the program. Essentially, Uber favored its drivers who used both Uber and Lyft at the expense of its drivers who were strictly loyal to Uber.
From their numerous gender bias and sexual harassment claims, to their CEO acting like a bratty spoiled 15yr old and bitching out a driver, to trying to skirt public safety laws by refusing to register their self-driving cars after being catered and begged to do so by government regulators simply because they don't give a fuck, to this whole Waymo lawsuit, to this. I think this shitty company needs a complete change of upper management.
(Not asking as a defense for them, I'm just curious, and cynical, I believe they all do this, but thats an ignorant belief as I dont know)