181 comments

[ 2.9 ms ] story [ 217 ms ] thread
That's pretty interesting. It must be extremely risky for local employees to alert the main offices to lock down. I'd imagine obstruction of justice isn't a crime your average employee would risk.
Why would this count as obstruction of justice?
Deliberately hiding or destroying evidence to prevent it being found by police executing a proper search warrant is certainly obstruction of justice.

https://www.law.cornell.edu/uscode/text/18/1519

at the very least conspiracy to obstruct
If the police have a warrant for the data on that machine, then remotely locking it down will not matter.

All this protects Uber from is fishing expeditions where the police hope to come across an "unlocked door" so they can sift through everything hoping to find something.

I get that we don't like Uber, but I support this type of action and think it should be standard operating procedure for every organization.,

This has nothing to do with liking or disliking uber. If the police are executing illegal searches then Uber has every right to sue and recover damages. They, unlike your average natural person, have the coffers to pay for it such that they acquire the "don't fuck with us illegally or we'll financially ruin your department" reputation.

What I am worried about is the employee that gets directed to lock things down and then, as a result, is possibly personally targeted by police and prosecutor both for it.

If police have a proper search warrant then locking the computer will not matter, because the police will have a warrant to compel the company to turn over the specific evidence in question.
Pushing this way of thinking about it, you could also say that a raid from the police is useless in general since a judge can simply send a request compelling the company to turn over the evidence in the first place.
Yes, a raid, in this case, is almost certainly an abuse of force and an attempt to create social/emotional problems for Uber.
And shouldn't that be the case? Shouldn't a raid be a last resort when the evidence being sought is at high risk of disappearing?
There is no suggestion at this point that data is disappearing. HN is so weird sometimes. When Google, or Facebook, or whoever grants the authorities free access to our private data without a warrant everyone freaks out. Uber protects our private data and suddenly it's evil. I get that we don't like Uber, but principles still matter and I'm glad they are protecting their own data as well as any customer data from a fishing expedition by the authorities.

Now if Uber destroys or refuses to provide data covered under a properly scoped warrant, then I will gladly pick up the pitch fork with you.

A judge "can simply simply a request compelling the company to turn over evidence" in what jurisdiction?

My understanding of the majority of warrants are that they have a nebulous grasp on transnational corporations.

For example: if I (the police) have a French warrant and serve it on the Paris offices of Uber, but Uber has a pager service that performs whole disk encryption and sends the keys to a server in Panama, where does that leave me?

The French government isn't going to raise a diplomatic ruckus over a taxi company operating illegally in Paris.

And I'd strongly suspect a judge wouldn't be inclined to allow me to forceably repatriate the data (which data?) without further evidence (exactly why I was serving the warrant!).

So essentially, I don't see it as being technologically hard to construct a system where I am enabled to operate illegally in a country, as a matter of corporately-sanctioned policy, while skirting around local technical ability and federal legal will to call me to account.

The warrant is to "make the data available".

You can try saying "lol, the data is in Panama", but the judge is unlikely to care about that.

>For example: if I (the police) have a French warrant and serve it on the Paris offices of Uber, but Uber has a pager service that performs whole disk encryption and sends the keys to a server in Panama, where does that leave me?

The court will simply order you to cease all business functions in France until the data is provided to the court.

It's not that simple. I am not a lawyer, but...

At least for US law, there are split decisions. US v Microsoft (the Ireland case) [1] is currently pending a Supreme Court ruling.

I'd hazard to say that I'd be surprised if they didn't rule in favor of national security concerns, except that Jesner v. Arab Bank [2] is coincidentally also pending.

Given that the latter concerns the Alien Tort Statute [3], aka the ability of US law to be applied internationally, it will be an interesting pair of decisions.

I'm not familiar with how things work in France (other than rough knowledge of EU data privacy directives), but at least in the US things aren't as simple as "what the legal system wants via warrant, the legal system gets."

[1] https://en.m.wikipedia.org/wiki/Microsoft_Corp._v._United_St...

[2] https://www.oyez.org/cases/2017/16-499

[3] Subject of a fascinating episode of More Perfect, https://www.wnyc.org/story/enemy-of-mankind/

For the Ireland case we're talking about data about a third party criminal whose data happens to be stored by MSFT exclusively in another country.

That's not the case here with Uber. Uber itself, a Canadian company subject to Canadian law, is being compelled to provide data relevant to its own business within Canada. I would be very surprised if Canada allowed businesses to not provide relevant financial information to the tax man.

Relevant known financial information, sure. But that's a small, well-defined subset of Uber's corporate footprint.

What if the warrant was looking for memos on illegally circumventing local parking laws? Memos that may or may not exist?

If Uber hosts that Canadian-focused data on servers outside of Canadian jurisdiction, good luck getting ahold of it unless the government's willing to play the "We'll bankrupt you unless you give us something" card.

And my point is that kind of international leverage isn't available to, say, a suburb outside of Toledo. Which effectively means a company willing to play hardball with encryption (at great legal risk if they slip up) can have their cake (illegal corporate policies) and eat it too (not be held liable for illegal policies).

(comment deleted)
This is Uber, right? The company currently in trouble with another judge in another case for selectively (and not especially competently) turning over evidence?
>If police have a proper search warrant then locking the computer will not matter, because the police will have a warrant to compel the company to turn over the specific evidence in question.

Wrong. Compelling them to do so does not mean that compulsion will be successful. Encryption exists.

In the US at least you can be held in contempt and jailed indefinitely for not providing the decryption keys. Presumably other countries have mechanisms to deal with this beyond, "Oh gee, you password protected it, guess you get to go free forever."
If I was designing a remote lockdown procedure to secure systems against a state, I would not design it such that local employees could unlock it without remote authorization, preferably from someone physically located in another legal jurisdiction.
Congratulations, you just won an injunction from the court which requires you cease all business functions in the country until the data is provided.
And now that my lawyers and sysadmins have had the chance to review it, possibly challenge it and come up with a means to provide the data required without giving government agents unfettered access to my systems, I will comply.
When you first replied I incorrectly assumed you were talking about refusing to ever comply with the warrant. But what you just described is exactly how it should go down.
It's not hard to imagine scenarios in which pulling out of a country to avoid providing secret information to that country's government is rational. Canada attempting to collect taxes on Uber rides is not one of those scenarios.
Perhaps, but it's difficult to imagine you're not in violation of some other kinds of laws for which there is ample evidence, and/or that no one in your organization is willing to talk.
Sure, and if I'm systematically violating local law, there might be international agreements that would get my home country to cooperate in an enforcement action against me. On the other hand, the local authorities might want user data that I hold in order to do something horrible to local users that my home country would not like to help them do.

But I digress. I think we've established that we agree the original security procedure with a secure remote lockout is a good idea.

I too, when faced with a search warrant from the police, often like to come up with a means where I give them what they want, or claim it doesn't exist, without giving them an opportunity to look around. They very much are understanding of this.
If you're just there to "look around" and don't already know exactly what you are expecting to find then you shouldn't have been given the warrant to begin with. This is a criminal investigation, not a fishing expedition.
Yeah, and the defenders of Uber's activities here are acting as if the warrant -was- a fishing warrant and wasn't properly scoped, when the validity of this assertion had zero to do with their decision to "Ripley" the office.

It wasn't to prevent an overreaching warrant, it was to prevent -any- warrant from being meaningfully served.

It wasn't an attempt to prevent any warrant at all. It was an attempt to prevent the authorities from accessing data NOT COVERED BY A WARRANT. Once Uber's lawyers have reviewed the warrant they will instruct the sysadmins to provide the covered data in a clean way which doesn't expose extra data. Simple as that.

Generally speaking warrants are not granted for "all of your data." Imagine if every time the authorities got a warrant for some data Google has about a particular suspect, Google would reveal all of its internal data about every user, all of Google's internal financial files, etc. That would be insane.

It appears in this case, Uber has designed a system with exactly that result: the police do not punish the local staff for the remote lockdown, and cannot punish the overseas sysadmins who caused it.
Can you point to a specific case where a defendant was coerced into decrypting some data? As far as I understand it, the 5th Amendment protects a citizen from such coercion.

If you have a physical device such as a Yubikey that unlocks your laptop, the court can order it to be given over, but the requirement that you produce the key from your own memory seems to be a different story.

The closest I can remember is there being a guy who was going through customs coming back to the US. His laptop was inspected, and he had left child porn open on the screen. The inspectors saw it. The guy quickly closed the laptop, causing it to sleep, and causing the disk encryption to kick in, requiring authentication. He was held in contempt when he refused to unlock the laptop.

That is a slightly different situation, as the evidence had been seen, and was known to be in the suspect's possession.

In another case a district judge ordered a Colorado woman to decrypt her laptop. The person did not have to reveal their password, as that might weirdly count as "testimony," but they did have to provide the unencrypted data. It was ruled that the act of production of data does not constitute testifying against yourself.

https://en.wikipedia.org/wiki/Key_disclosure_law#United_Stat...

The warrant is not for the password, but for the unencrypted data. You do not have to reveal your password, technically, but you do have to provide access to the unencrypted data. Since you do have access to the data, but refuse to provide it, you are failing to comply with the warrant.

There are two cases referenced in this wiki page which are relevant if you're curious. https://en.wikipedia.org/wiki/Key_disclosure_law#United_Stat...

And shredders. Let's not forget Enron :D
I’d imagine the employees aren’t told why they’re paging the number, just that they should.

The page might also trigger other processes such as alerting council, that they have the right to do.

So possibly not as risky?

That excuse, thin as it is, could perhaps have sufficed for the first occurrence of such an act. But now it's been publicized. And it's a bit hard to pretend that, during a police raid, you're secretly and cryptically notifying the higher-ups, for some mysterious reason that you are completely ignorant of. It's just not credible that an intelligent tech worker who works for Uber and knows how to read English would not figure this out.
But it's not in English and French.
> Deliberately hiding or destroying evidence

Is this what the on-site employees were doing though? According to the article they were:

> they’d been trained to page a number that alerted specially trained staff at company headquarters in San Francisco

Depending on whether they knew what the "specially trained staff" was "specially trained" to do, this seems logical and harmless? If the police came to my office I would probably text the company owner to find out WTF is going on.

No. Not logical and harmless. Yes, you might very well text the execs to find out what is going on, in plain English, like, "what the fuck is going on"? What you would not do is to send a cryptic, pre-arranged signal, which is what happened here.
> What you would not do is to send a cryptic, pre-arranged signal

Where are you getting this from the article? How do you know it is "cryptic"? Of course it is pre-arranged.

Uber is known to run into problems with the government (which includes law enforcement). I'm not surprised there's a protocol for what a manager should do in this situation. If I was hired to work there my first question would be WTF do I do if the police show up?

I hate Uber as much as the next fickle HN commenter, but the idea of sending a text/paging a number doesn't feel that odd.

Moreover, we should remember that Uber operate in countries whose police likely have a worse reputation than Canada's, so if the policy of "Page this number if the police (or people claiming to be the police) turn up" is applied uniformly across jurisdictions, that may be perfectly reasonable and a lot safer than Uber trying to make politicised judgements of which offices should be left to deal with the legal and security situation by themselves.
Alerting the central offices isn't a crime, and whoever is in the central offices can vanish behind a wall of bureaucratic malicious compliance.
It most certainly is a crime if it's done with foreknowledge of what the central office will then do, which is clear-cut obstruction of justice.

And from all reports, employees were specifically trained to do this, and they knew why. Open and shut case.

The only open and shut cases are when the accused is a minority with a public defender.
Oh sorry did our conversation about tech companies interrupt awareness about institutional racism?
Not to mention that the central office is in the US, and this seems to be used to lock/wipe computers in other countries, so much harder to prosecute them. However, if the person alerting the central office can be shown to have known the expected effect of their alert, then likely they'd still be guilty of obstruction of justice.
There are all sorts of acts that are not obstruction of justice, except when they obstruct justice.
Two thoughts in the other direction:

The internal alert might not have been "law enforcement has arrived with a warrant for our computers." It might have been more like "a bunch of armed men just demanded to be let into the building, I don't know who they are yet, shut everything down now and ask questions later."

Employees might have a legal obligation to protect some of the data that's accessible from their office computers. Maybe credit card and banking information, or health information for drivers?

> a bunch of armed men just demanded to be let into the building, I don't know who they are yet, shut everything down now and ask questions later

Yeah... Not buying it. Random armed men appear in the building and some employee is more worried about the company data, rather than calling police to alert/verify?

>It might have been more like "a bunch of armed men just demanded to be let into the building, I don't know who they are yet, shut everything down now and ask questions later."

The first thing the armed men will do is show identification and a warrant. This isn't a no-knock raid by a swat team in the middle of the night.

Judges tend not to take those kind of coy answers very well.

> The first thing the armed men will do is show identification and a warrant.

Are you an expert in identification and warrant? I never saw one, you could print a fake one and I couldn't tell if it's right. Same for any identification.

Once we talked about doing some relatively public MILSIM with friends. It didn't take 5 minutes for us to realize that it would end badly because of that. If your goal is to access Uber data or any big corporation for that matter, you can see how easy it would be to profit from that.

Thus, lock everything down and let legal experts actually take care of that seems like a pretty good solution to avoid this kind of situation. They are there to seize data, they can do it as much as they want. They can then force Uber to unencrypt the computers.

If they aren't police, the employees aren't likely to risk being shot by for locking down the computers. It's only if they believe that they are police that their actions make any sense.
If you are in a situation where you really believe that a group of men have arrived at your Uber branch office with guns, fake badges, fake warrants, and fake uniforms, you should probably just give them what they want. At that point, they are either police or they are effectively armed robbers.

If they're going to risk decades in jail anyway, there's a good chance they're just going to shoot you if you start telling them they can't have what they want.

Your job isn't worth risking obstruction charges or facing down criminals.

How would they prove who did it? It could be done with an encrypted message.
"""The name is an allusion to "Aliens," in which Sigourney Weaver's Ripley character says "Nuke the entire site from orbit.""""

Oh gosh, what a meeting that must have been with the devs who came up with this codename. This should go down in Tech History.

Actually this is pretty common, I use names from my favorite movies in code all the time. Star Wars, Harry Potter, etc. Especially when it fits the project or functionality.
My dog's name is Bishop, same source.
My last laptop was Nostromo, same place of inspiration.
I use Race Car designations GT40, R8, R18, 919,488
One of my favorites was a friends project who named a feature Kamino that created CLONES of VMs.
If the authorities had a warrant, why wouldn't they just take all the locked computers with them back for further investigation? Then they would have been able to have a judge order Uber to unlock the computers for forensics.

Uber's actions are similar to shredding evidence of tax evasion, which in the case of Arthur Anderson during the Enron scandal, resulted in federal obstruction of justice charges, and a strengthening of federal powers for charging of similar actions.[0]

Note: I am not a lawyer, nor a resident of Canada, so I am not sure if my proposal above is legal within that country. But it would seems to me that actions similar to the above have taken place in the USA in the case of tax evasion with probable cause.

[0] https://blj.ucdavis.edu/archives/vol-5-no-2/document-destruc...

> If the authorities had a warrant, why wouldn't they just take all the locked computers with them back for further investigation? Then they would have been able to have a judge order Uber to unlock the computers for forensics.

If I had to guess: Very little data is stored on site.

If all of your local office computing platform is basically a thin client, confiscating the local equipment with a warrant doesn't do much. You can take it away to a forensics lab and image its disks, but you're not going to get any usable data off it without a network connection into the corporate WAN, crypto keys, sending subpoenas to specific people for their login credentials, etc.

I know nothing about Uber's internal software architecture and network topology. But I would be very surprised if most of their day-to-day operational systems like ticketing, customer service, recruiting, finances, were not operated through TLS1.2 connections in a web browser to a set of intranet servers, located thousands of km away from where the branch offices are located.

Wait. wait.. if everything is "remote" (on Uber's cloud) then why all this drama of shutting down/locking machines? Just log everyone out and deny login attempts.

My other question is, if all the data is in the cloud in SFO, wouldn't the data technically reside in the US?

Looks to me like the Canadian police were hoping to get lucky. That some user wouldn't have enough time to log out.

What is the difference between "locking" and "logging [someone] out"?
> "Uber's actions are similar to shredding evidence of tax evasion"

But Uber didn't delete or otherwise destroy the evidence. It locked the evidence while preserving it, so that it can provide the required amount of data if / when properly served with a warrant.

The whole point of the warrant was that the government suspected Uber of hiding evidence. Allowing them to pick and choose the data they unlocked from the servers would be counter-productive.
In Canada, like in the US, warrants have to be specific about what exactly the police are looking for. If the warrant really was "give us all your data so we can see if you're hiding something", that's not legally okay, and I can't blame them for trying to prevent the disclosure.
It seems unlikely that logging out doesn't destroy the data stored on that system. Of course, the data still exists somewhere, but that particular raid is likely thwarted. If it were any company other than Uber I'd say this would surprise me. Usually companies rely on a auto logoff timer, but this is an active method in response to a raid. It looks awfully like obstruction of justice to me. The digital equivalent of flushing your weed down the toilet.
(comment deleted)
When the police show up to my door with a search warrant, I tell them to wait outside while I gather the items they ask for. Oh look, no evidence of crimes.
> If the authorities had a warrant, why wouldn't they just take all the locked computers with them back for further investigation?

Don't mind. If the police has good evidence, they will show up later and take some of the Uber's servers that hold the relevant data.

Seems like a reasonable way to prevent overly-broad fishing by law enforcement. If they have a warrant they can request information through legal channels.

The raids are just theatre.

Uber has already been seen to act adversarial to law enforcement, raids are utilized to try and limit Uber's ability to conceal information. I have no doubt in my mind that Uber would willingly fail to comply to requests for information.
The mirror image of your argument is just as applicable:

Law enforcement has already been seen to act adversarial to private interests, remotely logging out of computers is utilized to try and limit law enforcement's ability to obtain information beyond the scope of a warrant. There is little doubt that law enforcement would willingly take information beyond the scope of the warrant and later find a way to use it against them.

> Law enforcement has already been seen to act adversarial to private interests

If enforcing law is seen as adversarial to private interests, then those private interests are by definition, against the law.

Really? By that logic the private interest of a lot of non-white drivers of staying alive must be against the law. The time for hero worship and blind trust is over.
Try reading the article before you comment.

>> When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence.

Or with a different spin.

Locking your computers that are no longer in company possession is a common Enterprise control. They take protecting your data seriously!

If the authorities need the data on the computers the will surely present a properly scoped warrant!

Yours doesn’t discuss the timing or police raids, so it’s not as simple as saying the OP is a spin.
The police are not special in this regard. The police are not your friend. There's no need to invite the police in to go on a fishing expedition for something they don't have enough probable cause of to get a sufficient warrant.
The article specifically says they had a warrant. This software actively obstructed that warrant.
Then the information that is properly scoped in the warrant will be revealed to the authorities. What won't happens is the police will not be given free rein to go on a fishing expedition to random data not specifically granted in the warrant. That's all we're talking about here, the authorities didn't get to go on a fishing expedition.
What? No, that's not what happened. It's not a piece of software that says "here, based on the scope of your warrant, here's the information you require".

It says, in about as many words, "FOAD until our counsel green lights unlocking, potentially before or after some housecleaning".

>It's not a piece of software that says "here, based on the scope of your warrant, here's the information you require".

Correct, Uber's lawyers will be able to review and perhaps fight the warrant in courts. Uber's sysadmins will have time to figure out how to reveal the required data in a clean way that does not compromise the rest of Uber's data which includes but is not limited to data about where private citizens travel from time to time.

>"FOAD until our counsel green lights unlocking

Perfect, yes it does say this. We should all say this. Would you like Google or Facebook or whatever other service you use to reveal your private information if the government does not provide a proper warrant?

>potentially before or after some housecleaning".

Okay, well in this imaginary scenario Uber would be guilty of tampering with evidence and I'm confident Canada has relevant laws.

> if the government does not provide a proper warrant?

How or in what way was this warrant deemed to be improper? There was zero consideration of that, instead it was "nuke from orbit" at first sight.

By the judicial system, obviously. Uber's lawyers will review the warrant and if they agree that it's proper they will instruct their sysadmins to provide ONLY THE DATA COVERED BY THE WARRANT to authorities. If they don't feel the warrant is proper, they will fight it in court. The vast majority of times warrants are upheld, so really all that happens is the authorities are only granted access to the data they had probable cause to request. What you're suggesting is that the authorities should have access to anything and everything that a person who happened to be logged in at the time of the raid had access too.

You are suggesting that the authorities should always be granted arbitrary access to a random amount of data, which is almost certainly not relevant to their case, any time they get a warrant for any data at all.

Further, you are acting as if that article is the end of the story, but it's not. There will be legal review by relevant professionals and Uber will provide whatever it is legally required to provide.

Having a warrant doesn't mean that it's a valid warrant for the what police say it is for, nor does it mean that anybody at Uber's montreal offices is qualified to make that call.

Locking down the computers until Uber's lawyers have had a chance to verify what the warrant covers and what access the investigators are entitled to seems like a fairly prudent security measure.

If somebody showed up at your office with a piece of paper saying they were allowed access to everything on your computer, would you unquestioningly give them that access? Personally, I'd hope any services that I trust my data to wouldn't give up access without some verification that it's a legitimate request.

If there becomes reason for the courts to weigh in I would not bet on a lot of judges buying into that logic.
Why wouldn't a judge buy the logic that the purpose of security is to deny access to anyone not explicitly authorized? I mean it's not like there needs to be a special provision to detect and allow police.
Because the warrant was obtained for the information. Judges generally frown upon cuteness used to try and be 'technically correct' regarding their orders.
I think there's a sort of... for lack of a better term, I'll call it information arbitrage, going on here.

The person who first see the police is likely a receptionist or similar who does not have access to the information specified by the warrant. That person, quite reasonably makes the local management aware the police are present immediately.

Management hasn't encountered the police or seen the warrant yet. They don't know the nature of the encounter, but they know they're supposed to tell corporate immediately. They do so, and make no attempt to prevent the execution of the warrant once they have received it.

Corporate, located in another country doesn't know what's going on except that people claiming to be police showed up at a foreign office. They initiate a lockdown of the local computers until legal can sort it out.

Now if management read a warrant demanding access to something on local computers, then made a call to corporate they knew would cause those computers to be remotely locked, they could be in trouble. I make no comment here about whether Uber is good, but Uber is definitely smart.

> present a properly scoped warrant!

Gosh, I first read this as "a poorly scoped warrant" and didn't think twice about it.

As I understand it, Ripley's purpose is to destroy evidence in anticipation of a lawfully conducted search. If so, this would likely contravene anti-spoliation laws in the U.S., among other jurisdictions. See, e.g., http://apps.americanbar.org/abastore/products/books/abstract...
Destroy Evidence is strong phrasing. The evidence still exists, its just no longer within the scope of the police warrants. My interpretation of the article is that the information is all stored on Uber's US-based servers and the tool remotely revokes the satellite offices' connection to the servers, probably also shutting down the machines so nothing is left recoverable in memory.

In weaker, but likely relatively accurate words: They're logging all of their remote users out of Google Drive so the authorities can't access the spreadsheets there. In essence. That's what I'm reading.

Point being, Uber could still be compelled to present the evidence in court, and Uber may comply with that compulsion. Does a Canadian warrant give the Canadian government the right to access information stored on a server in the United States? The answer to that is an emphatic No. Does it give them the right to possess an API key which would allow them to access information stored on a server in the United States? Does this change if it could be reasonably expected that the information was, at some point, in the ephemeral memory, not even a hard disk as far as we know, of a computer on Canadian soil?

I really don't know. We all knew the global power of the internet would begin to raise questions like this, and our legal framework simply hasn't dealt with them yet.

> probably also shutting down the machines so nothing is left recoverable in memory.

That seems like it would fit the definition of “destroy” to me.

Well firstly, no cloud storage system works with 0 locally cached data. What Uber are essentially doing is deleting evidence covered by the warrant by deleting the local copies. The evidence may exist elsewhere, but that doesn't mean that deleting the evidence covered by the warrant is any less illegal.

Once the warrant is served, anything done to delete anything off that computer is obstruction of justice, it doesn't matter what the mechanism of storage is- whether it's RAM, Hard Disk or floppy disk.

Secondly, the warrant is what compels uber to give access to the evidence, there's no 'We don't feel like it right now, go to the courts to try something else'. The ability of the authorities to gain evidence through other legal avenues provides literally no defence for uber in failing to comply with a warrant.

From the article it looks like they did have a warrant. Denying the police from executing that warrant is probably against the law (I know it is in the US; not sure in Canada)
Who did the "denying" though?

Someone in Canada just paged a number they'd been trained to when cops show up. That could easily be no more obstructing that calling your lawyer immediately (depending on what you could prove they knew about what'd happen then).

Some team in San Francisco remotely shut down (and possibly deleted data/evidence from) company machines. Anybody on that team might want to forgo any planned trips to Canada, but it'd be a long stretch to think Canada would try to extradite them to face contempt of court charges.

> Who did the "denying" though?...Some team in San Francisco remotely shut down

"Uber", the legal person is who. Why does HN think the law is a series of fixed instructions rigidly executed by a computer and can be easily hacked by overly clever constructs? "Well, I didn't shoot my wife, I just set-off the first domino on this rube goldburg machine - the hamster pulled the trigger - gotcha! ha ha ha".

This will be put in front of a judge, and they will see through this for what it is.

Yeah - I 100% agree that a judge will interpret this appropriately, but the dumb idea of "corporate personhood" still means there's questions to ask about who genuinely risks going to jail in a cross jurisdictional problem like this.

It's pretty clear "Uber the legal person" is pretty happy breaking laws and has a long history of not suffering any real personal consequences. I'm reasonably sure a Canadian judge doesn't even have an existentially dangerous penalty they could apply to Uber-the-legal-person. Worst case seems to be they could shut Uber down in Canada and jail some local senior management. Uber-the-global-corporation probably has contingency plans and has determined and budgeted for that risk. That's their "business as usual".

"The law", while generally robust locally against clever constructs, is probably not as effective a tool against globally distributed corporations - at least not in a very satisfying "Yeah, someone's gonna pay for that" kind of way...

And in case my self-admitted Uber hate impacts anyone's view of that last sentence - see also Apple stashing huge cash reserves off shore to reduce their tax burden or Starbucks running a a loss in high tax countries by paying high prices for coffee and royalties to parts of themselves in more favourably-taxed countries - "Oh look, we made no profit in this country, no tax for _you_!"
"Well, I didn't shoot my wife. I just called up my best friend and told him how I'm sleeping at a hotel after I found her in bed with the mailman."

When someone else in the chain has agency, the argument for it being a rube goldberg machine gets a lot weaker. While some would argue that what the husband did here is bad, it certainly wasn't murder - not unless a lot of other factors come into play.

The problem with that variation is that:

1. Both sub-entities are part of the same company

2. One is acting on instructions from the other

So how about this:

"As a Corleone, have a very tight-knit family, and the senior members are afforded a great deal of respect. My uncle the gun enthusiast firmly instructed me that if I were to ever discover my wife in bed with the mailman, I should immediately leave him a message, unlock the doors and windows, and leave the house until he calls me back with additional advice."

I'm by no means a fan of Uber, (and I'm not in Canada) but keeping information from plain sight != hiding evidence.

Come back with a better warrant.

I really hope some law enforcement agency will someday classify uber as a: "organized crime group". I don't mean the drivers --- but management is doing absolutely everything to obsruct law enforncement (for example --- making it virtually impossible for transport inspection to call Uber vehicles).
Uber should have been prosecuted under RICO from the very first day they began coordinating unlicensed, illegal taxi cab operations. Why they weren't remains an open and interesting question.
Impressive (and stupid) I'm really astonished to laughter by Uber more and more. They're trying to be a darknet company operating in clearnet... Make up your mind you shady fellows
I honestly don't see a problem with this. If it weren't for the fact that it's a company this this site hates it would be hailed as a marvel innovation against states that are increasingly cavalier about disrespecting people's digital rights and privacy. If the police have all the proper warrants there's no reason they can't seize the locked servers and workstations and compel them to unlock them after the fact.

To me this just falls under the category of unauthorized access. If my threat model included people physically present using force to access my sysadmins' computers I would be implementing the same security with a company-wide lock-down triggered by a panic button on every machine.

Did you read the article? Please explain why you think it’s unauthorized access.

>> When the call came in, staffers quickly remotely logged off every computer in the Montreal office, making it practically impossible for the authorities to retrieve the company records they’d obtained a warrant to collect. The investigators left without any evidence.

I think the parent's point is that if there is a warrant to collect information, the machines can be seized and the company compelled to comply. This move prevents overreach in the moment.
This doesn't just prevent overreach, it prevents any collection. Also known as "obstruction" (and possibly "destruction").
So you want the police to start physically impounding property, instead of just getting the data it had a warrant to collect? How is that preventing overarch? It seems to be demanding it!
(comment deleted)
(If it were me) Yes! It's annoying as hell to have them haul off my workstations but I would much rather them seize the locked and encrypted data while legal has time to do the due-diligence on the warrant and come up with a plan for compliance.

I keep my head above water so I really don't really care if the police can access the data. I do have a problem with the raid giving them access to data well beyond the scope of their warrant and relying on the courts to pare it down after the fact.

Just because Police have some warrant does not mean you have to make their job easy. Uber is doing the right thing.
(comment deleted)
Determining authorized access is a process. Processes take time.

Just because some people in uniforms show up at your door and demand access, doesn't mean that's the entire process. Even if they have a nice piece of paper from a court, it's just the start of the process.

What if its just a ruse and they aren't really cops? What if they are cops, but the government is corrupt? What if the warrant was obtained in a faulty manner?

This sort of measure allows the company to engage with the process in a less disadvantaged way.

> What if its just a ruse and they aren't really cops?

Making a mistake in this regard gets you a obstruction of justice charge. Call a lawyers, but don't expect a judge not to take this badly when they have issued a warrant.

> What if they are cops, but the government is corrupt? What if the warrant was obtained in a faulty manner?

That's for the lawyers to deal with in court. Once again, obstruction of justice on a legally issued warrant is going to be bad news for you.

Uber is still operational in those countries and Uber execs dont have international arrest warrants of them. Based on that, it looks like Uber was correct in blocking access.
It also conveniently gives Uber more time to cover up whatever illegal activities they may have been up to.

This is the whole point of why police conduct raids:

...to use the element of surprise to arrest targets that they believe may hide contraband or other evidence, resist arrest, be politically sensitive, or simply be elsewhere during the day.

https://en.m.wikipedia.org/wiki/Police_raid

Apparently Ripley doesn't wipe data from the computers. It just locks them. If the authorities have the legal right to seize them and compel Uber to give them access then all it bought Uber was some time to pursue legal remedies.
How does it give them more time? Shouldn't the goal of seizure is to remove access to something to someone and remove him the capacity to alter evidence?

If he refuses to comply or try to alter the evidence while complying, sure, they are guilty and I'm pretty sure there's a legal process for this situation, but at this point right now if they seized the data, they can no longer alter it.

(comment deleted)
I'm certainly no Uber defender, but I don't see a problem with this. Uber operates in some pretty lousy jurisdictions.

However, the problem is that this represents a nuclear escalation that I'm not sure tech companies really want to have.

These warrants will probably now move directly to "comply or shut down."

I suspect that the next time this occurs, the police will decide that intimidation is the better part of valor, seize EVERYTHING, arrest EVERYBODY, and tell Uber to come sort it out.

They may not be able to get Uber, but I suspect that they will grind enough employees through the police and legal system with enough force that everybody will think twice about calling a shutdown number ever again.

> Uber operates in some pretty lousy jurisdictions.

Since when was Canada considered a lousy jurisdiction? Last I checked, most of the jurisdictions they operate in are no worse than the US. Unless you’re saying that all first world countries are lousy jurisdictions, I think you are being rather hyperbolic.

Kazakhstan, Belarus, Russia and Ukraine fall below the middle of the corruption perceptions list. China and Morocco fall about the center of that list.

I can easily see this tool having been built for operating in those kinds of countries.

What's upsetting people is that this got used in a country which is nominally not corrupt in order to hide from "proper" law enforcement.

If this was being used to hide from a raid in Russia, people would be cheering instead.

> If this was being used to hide from a raid in Russia, people would be cheering instead.

Personally, I wouldn’t be cheering. I’m of the mind that if you’re going to do business in a country, you can’t choose to ignore the local laws and expect zero repercussions.

That said, do I care that Uber built this system, nope! But I would laugh if it backfired on them and got them into more legal trouble.

Montreal struggles with far more corruption than your average Canadian city. That Uber manages to operate in that mob town is a miracle.
I hate to tell you this, but when a judge issues a warrant, denying (even through this method) is clearly obstruction of justice. That's right, if you work for Uber, and you help them do this, you can, and will go to jail - are you willing to go to jail just to protect Uber from potential legal problems?
Why? Locking computers that aren't in company possession is common practice. You have to prove it's obstruction of justice.
No, people served with court orders have to obey those orders. All people have to show is that the orders weren't complied with.
They also can probably get off if they show the warrant was defective. But that’s a risk you take. If the warrant was valid and you didn’t comply, you’re in trouble.
from the article: Uber built a whole system and gave it a swaggering name. It takes the procedure just one step further, but what a step.

Actively building a specific system to counter a warrant is probably going to go a long way to prove its obstruction. Uber's less than lawful reputation won't help here.

It's by definition. If you fail to comply with a court ordered search, you're in contempt of court. You go to jail.
I notice Uber have probably-intentionally crossed jurisdictions here.

Some guy in Canada pages a number - as the company training teaches - hen cops show up. That's plausibly not an attempt to fail to comply with a court order. Pretty sure telling your boss your office is being raided isn't an easy thing to prove contempt for, especially if it's company policy in subpoena-able training manuals.

Then some anonymous team initiates a nuke-it-from-orbit sitewide computer lockdown remotely from the US. Where they're quite likely fairly well shielded from Canadian contempt-of-court rulings.

Sneaky.

So, here's where your theory is flawed:

Many people equate standards in criminal law to "beyond any doubt", when the reality is "beyond reasonable doubt".

When you write a program like this, and you can be shown to have executed it at a police raid, _followed by_ a call to your company's general counsel (or in this case to a "special team", "specially trained" to run a program called "Ripley", with the purpose of "nuking a site from orbit") to advise them, the claim that "this is common practice" goes out the window and "we're specifically obstructing a warrant until counsel/whatever other process happens takes place" becomes entirely "reasonable" as a depiction of what you are doing.

Oh come off it. This is a company, not a person. Uber has an official and public business model that relies on breaking the law. Laws that constrain anti-citizen business practices like tax evasion and labor violations should be highly enforceable, and the system described in the article is expressly designed to impede that enforcement. This is bad for everyone -- not a freedom issue.
How is this different than shutting down your phone at the border crossing?
It is dramatically different -- so different, in fact, that I suspect you haven't even attempted to think about it. Maybe willfully so.

You are a person entitled to rights. A company is not a person. Border searches are warrantless, arbitrary, and lack any oversight whatsoever. The company was searched by a court order signed by a judge for suspicion of a specific crime. In every way possible, these situations are entirely different.

Uber does lots of really screwed up stuff but I would not consider this particular event to be one of them.
I wouldn’t do that if the practice was taking place in my jurisdiction. Interference with a search warrant is not good for an individual.
Long time ago, in a galaxy far far away I was on a receiving end of this because of one of the customers that we had. We went through an extensive training, including direct meetings with people from USAO. The bottom line of those instructions was :

* there are too many entities that may think they can get this information

* you are to ignore them all, execute a physical intrusion protocol (lock every and make everything inaccessible ) and notify your contact at USAO.

* our legal signed off on it.

We have executed intrusion protocol four times during my time there. In one case it involved a dick waving contest between state police and state court and USAO, USMS and federal court.

The bottom line, learned in trenches, is that if you are a reasonably big fish, you classify all search warrants as intrusions and deal with them as you deal with other physical intrusions. Documents/data will be turned over in an orderly fashion by your legal.

In my opinion it's not your job to willingly provide self-incriminating evidence. I have no idea if that legally applies to corporations (particularly in Canada) but this seems like a precaution I would expect every business to take.

You would hope they wouldn't need to take it, but if I were CEO of a company I would order the computers shut down even if everything were above-the-book.

Of course, maybe that's why I'm not CEO of a company. Who knows.

(My post is about England. I'm not sure abot other countries.)

That's true if they've just come knocking. But at the point they have warrants you're risking prison.

Court orders are orders, and they are to be obeyed in full and on time.

You've never been through the family court have you?
Here's a reasonably recent document from the President of the Family Court division in England.

https://www.judiciary.gov.uk/wp-content/uploads/JCO/Document...

> What I fear is an even greater cause for concern – and it is for me a real concern – is something symptomatic of a deeply rooted culture in the family courts which, however long established, will no longer be tolerated. I refer to the slapdash, lackadaisical and on occasions almost contumelious attitude which still far too frequently characterises the response to orders made by family courts. There is simply no excuse for this. Orders, including interlocutory orders, must be obeyed and complied with to the letter and on time. Too often they are not. They are not preferences, requests or mere indications; they are orders. This principle applies as much to orders by way of interlocutory case management directions as to any other species of order. The court is entitled to expect – and from now on family courts will demand – strict compliance with all such orders. Both parties and non-parties to whom orders are addressed must take heed. Noncompliance with an order by anyone is bad enough. It is a particularly serious matter if the defaulter is a public body. Non-compliance with orders should be expected to have and will usually have a consequence: see Re W (A Child), Re H (Children) [2013] EWCA Civ 1177.

But you're talking about a parent ignoring court orders, I guess, in which case this one is more relevant: a mother made false allegations of abuse against the father, and continued to do so; and removed the child; and continued to do so; and she did those things after being ordered not to, and she got a (suspended) prison sentence as a result: http://www.bailii.org/ew/cases/EWHC/Fam/2017/3358.html

> The judge had indicated that she was prepared to authorise disclosure of her Judgment to the Judge at the Kingston Crown Court, and that if the 1st Respondent objected she would be required to make her objections known. On 25th January 2016, the judge ordered her judgment may be released to the sentencing judge. The 1st Respondent received a four-month sentence, suspended for six months on 27th January 2017.

EDIT: And here's a direct link to the cases he mentions at the end of the para I link above: http://www.bailii.org/ew/cases/EWCA/Civ/2013/1177.html

It is your job not to destroy evidence that you have a reasonable belief is about to be lawfully requested by law enforcement. Shutting down your computers is destroying the contents of RAM, so if you have a reasonable belief that the police are about to request access to the contents of your RAM, then you have illegally destroyed evidence.
Misleading headline here on HN; the source article correctly used past tense, since this system is no longer used. The comments comparing this to "shredding" and "destroying" evidence are also misleading; Ripley did not destroy information.
Ok, we've changed the title to use the article's subtitle.

The submitted title was "Uber remotely locks computers during police raids to block information access". Since the site guidelines ask submitters not to use article titles when they're misleading or linkbait, I assume the submitter was trying to helpfully follow the rules. It's better to use representative language from the article itself, though, to avoid blunders—and in this case the subtitle can easily be shortened.

So, what else this horrible Uber does? Maybe it locks office doors at night so that random people cannot enter and take whatever they want?
More like, putting all documents in their lockboxes (which exist for a good reason) when the police show up during normal business hours with a warrant.
Details on the specific warrants are scarce in the listed article, but if the police had a warrant for specific data, it seems strange that they would be raiding satellite locations. Moreover, with a properly scoped warrant, my understanding is that authorities may seize locked devices and compel Uber to unlock them.

While I am loathe to defend Uber, these measures appear designed explicitly to prevent police fishing expeditions, which I am fully in favour of, and to serve little further purpose.

The equivalent here would be locking the door at noon while there's people in the building. Why would you need to "nuke the site from orbit" during business hours? What kind of competitor are you protecting against? One that breaks in in broad daylight with guns and steals servers? It's a system designed to thwart the collection of evidence. And that's very very illegal.
Why are governments around the globe so keen in taking down Uber?
Because they're not keen on people whose business model is: "having laws is a cost we don't need to pay".
In many cities and countries the taxi industries have successfully ‘captured’ the regulatory authority, and now the regulations mainly exist to restrict competition.
This article doesn't specify exactly the legal problem here. Maybe the article just lacks key details, like how Uber violated the warrant or the legal repercussions they could face.

The article vaguely makes it sound like Uber acted within their rights and the police just don't like that they didn't find a bunch of unlocked computers to rummage through, by virtue of what it omits. I don't have a problem with that. If their warrant amounts to a fishing expedition, it actually sounds like harassment of Uber. A warrant should specify something you have some likelihood of finding. If the police walked away empty handed and Uber doesn't face charges for destroying evidence, it seems like they had a bad warrant to begin with.

This is exactly what I'd want a company holding my personal data to do. There are lots of problems with Uber, but this is one of the good things.
Judges that sign off on search warrants will not be happy with this and will very much want to know what Uber is so concerned about hiding from proper law enforcement. In essence, judges that sign warrants will smell something very fishy here and they will not be happy. Uber is, of course, free to piss-off judges. However, they are not free from the consequences of pissed-off judges. Uber has also shown that they are just fine with handing employees over to the mercy of pissed-off judges, something at an individual without a stellar legal team is unlikely to view as a walk on the beach.
I really hope justice is served one way or another. This action by Uber feels really shady to me (much worse than Google's tax evasion loopholes). What would be the consequences if something like this happened in a European country such as Germany?
Article is a bit vague. It doesn’t mention the police (it seems they were tax inspectors), and although it does say they had a warrant it doesn’t seem likely that police with a warrant wouldn’t have just seized the machines.
So far, I haven't been super against most of uber's law flouting: taxi service stuff, tax stuff.

However, as they grow, as they get autonomous cars, as they get autonomous drones, once they get to the point where there could be more serious consequences, I'd like to see more accountability.

From now on the police should cut power and network access to Uber’s offices just before they conduct their raids.
Couldn't law enforcement cut internet access before the raid to prevent this?
Then you just lock your machines down when there's no internet access.
Hope uber gets banned and lyft takes their spot. My recent trip to canada was pretty shite using uber.