
Uber reportedly tracked Lyft drivers using a program named ‘Hell’ - petergatsby
https://techcrunch.com/2017/04/12/hell-o-uber/
======
freedomben
I really hope that Uber's shenanigans get studied in ethics classes in
Computer Science and other technology degrees. When I was doing my CS degree,
we had a mandatory ethics class (which I hated at the time but in hindsight
think is a good thing). Ethical implications were something I hadn't
previously thought of much, but in the field I've encountered them many times.

Based on the news that has been coming out from Uber, I think it's time for
our industry to re-focus on the ethics of what we do. Being technologically
cool, doesn't make something good.

~~~
stass
What's unethical about this? They were doing market research. It's not much
different from stalking your competitor on google and going after the users
they advertise to.

~~~
DrJokepu
Intentionally accessing a protected computer system without authorization and
obtaining information from it is a federal criminal offense (18 USC 1030
(a)(2)(C)).

~~~
nikcub
The part of CFAA that classified breaking a EULA or Terms of Service as
unauthorized access is a horrible law that is frequently abused (most famously
Aaron Swartz)

It is rightfully broadly criticized, and that shouldn't change because Uber
are the perpetrators here

~~~
foldr
Just because you like Aaron Swartz doesn't mean that the law was 'abused'. He
flagrantly violated MIT's terms of service and knew that he was doing so.

~~~
nikcub
> He flagrantly violated MIT's terms of service and knew that he was doing so.

Yep, and that shouldn't be a federal offense with a ~20 year jail term and a
lifetime criminal record.

It's private companies defining federal law and dictating enforcement for
their own purposes. You wouldn't let Wal-Mart define what its own tax laws
are, or have McDonald's define what RICO is - having companies define what
theft or trespass are is just as absurd.

edit: the list of notable CFAA cases reads like a tragic comedy[0]

There is a case in there where someone was charged for encouraging his union
members to email complaints to a company and when it crashed their mail server
he was charged under the CFAA.

[https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#N...](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act#Notable_cases_and_decisions_referring_to_the_Act)

~~~
foldr
The sentencing is up to the judge, not the law. Swartz was never sentenced to
anything. You are getting the 20 year figure from media outlets that added up
the maximum possible sentences for everything he was charged with, which bears
no relation to how sentencing actually works.

Also, it _obviously_ has to be a federal offense, since wires cross state
lines.

~~~
nikcub
> The sentencing is up to the judge

With 97% of federal cases ending in plea agreements, sentencing is
overwhelmingly in the hands of prosecutors.

In the Swartz case she wanted him to plead guilty to every single charge and
serve up to 6 years. Hence the suicide.

As leverage in negotiations they told him at trial he was facing up to 35.

~~~
foldr
>serve up to 6 years.

It was 6 months, not 6 years.
[http://archive.boston.com/metrodesk/2013/01/14/mit-hacking-c...](http://archive.boston.com/metrodesk/2013/01/14/mit-hacking-case-lawyer-says-aaron-swartz-was-offered-plea-deal-six-months-behind-bars/hQt8sQI64tnV6FAd7CLcTJ/story.html)

>As leverage in negotiations they told him at trial he was facing up to 35.

Again, this is a nonsense figure. Can you give an example of someone who has
been sentenced to 35 years in jail for similar crimes?

~~~
nikcub
The whole point is that they don't sentence people to 35 years - they use that
as a threat to leverage them into pleading guilty. Hence the dictatorship-level
99%+ conviction rates.

Same thing happened to Aaron, they hung a 7 year sentence around his neck if he
didn't plead guilty to all charges and accept the deal they offered him.

Even the innocent would plead guilty in those circumstances, it's the only
rational thing to do.

~~~
foldr
>they don't sentence people to 35 years - they use that as a threat to
leverage them into pleading guilty.

But you contradict this in your own post. They threatened him with a 7 year
jail term, not a 35 year jail term.

The plight of the innocent in the US system is very real, but irrelevant to
the case of AS, as he was very clearly and unambiguously guilty.

~~~
nikcub
There is no contradiction. Let me break it down again.

The original DOJ press release[0] when Swartz was charged:

> If convicted on these charges, SWARTZ faces up to 35 years in prison

That maximum sentence is not uncommon in CFAA cases, as most charges carry 10
or 5 years and layering charges together is very common (e.g. Matthew Keys faced
25 years on 3 charges for sharing a password).

Facing 35 years, Swartz enters plea talks and is offered 6 months recommended,
up to 6 years, but guilty to all charges.

The prosecutors tell him if he doesn't take that deal and goes to trial then
they'll be seeking a 7 year minimum, 35 year max.

A lot has been written about the problems with not just federal sentencing and
plea agreements (internationally it is a unique system) but also specific
problems with CFAA and sentencing guidelines:

[https://www.eff.org/deeplinks/2013/03/41-months-weev-underst...](https://www.eff.org/deeplinks/2013/03/41-months-weev-understanding-how-sentencing-guidelines-work-cfaa-cases-0)

[0] [https://web-beta.archive.org/web/20110724043722/https://www....](https://web-beta.archive.org/web/20110724043722/https://www.justice.gov/usao/ma/news/2011/July/SwartzAaronPR.html)

~~~
foldr
Again, 35 years is simply the figure derived by adding up all of the maximum
sentences. Swartz had good legal advice. He knew he wasn't going to be
sentenced to 35 years in jail.

The problems with plea agreements relate largely to innocent people being
pressured into taking them because a trial is too risky. Swartz had clearly
violated the law, so he would have had nothing to gain from going to trial in
any jurisdiction.

See e.g. here for further analysis:

[http://volokh.com/2013/01/16/the-criminal-charges-against-aa...](http://volokh.com/2013/01/16/the-criminal-charges-against-aaron-swartz-part-2-prosecutorial-discretion/)

>... realistically, Swartz was facing anything from probation to a few years
in jail if he went to trial — depending largely on how you value the loss he
caused — and either a 4 months in jail or 0-6 months in jail if he pled
guilty.

~~~
nikcub
How does that justify having a ridiculous 35 year sentence hanging over
somebody for a terms of use violation? That is murder levels of sentencing

The case was far from clear cut, weev had his case overturned and the Lori
Drew case was overturned specifically because the judge said terms of use
violations don't apply under CFAA

I read Orin Kerr a lot, and agree with almost all of what he says in the
series he wrote on the Swartz case - I only didn't buy his justification that
overprosecution is ok because all the other prosecutors also do it.

Swartz's main concern was a lifetime criminal record and not being able to
work, and second pleading guilty to charges that he (and many others) don't
agree he was guilty to

I def agree with Kerr that the unauthorized access statutes need to be
reformed tho, that would have made the Swartz case irrelevant and placed it back
where it belonged - in a civil court.

~~~
foldr
>How does that justify having a ridiculous 35 year sentence hanging over
somebody for a terms of use violation?

It's arithmetic. The maximum sentences are what they are, and their sum is
what it is. Justification doesn't come into it. But a 35 year sentence was
never "hanging over him". He had good legal advice. He knew that he would not
go to jail for 35 years.

>The case was far from clear cut,

He physically broke into one of their network closets while attempting to
disguise his identity. If that doesn't count as unauthorized access, nothing
does.

>Swartz's main concern was a lifetime criminal record and not being able to
work

Which, as Kerr points out, makes it absolutely baffling that he did this in
the first place. It's often glossed over, but it really was an enormously
stupid thing to do. It's sad that he got himself into so much trouble by doing
it, but I can't see how anyone else is to blame for that. Especially when he'd
already had fair warning after the PACER incident.

------
dnautics
I strongly prefer lyft's side, haven't used uber in years and the last year I
drove for ridesharing I exclusively drove for lyft and not uber, but I really
don't have a problem with this. OF COURSE you should collect intelligence on
your competitor's activities - if they expose information publicly (e.g.
showing the cars on the app / API) and cross-correlating with the uber drivers
that still are logged on - what is the objection to this?

Mind you, some of the other things uber has done, like hail a lyft and
repeatedly cancel, are totally not ok.

~~~
eridius
Collecting intelligence is one thing. But deliberately abusing your
competitor's systems in a way they did not intend to allow in order to collect
intelligence is not only ethically wrong, but also likely illegal, as this
article mentions.

~~~
ckastner
Indeed. Quoting the article:

_Hell originated after Uber created fake rider accounts on Lyft and used
software to trick Lyft’s system into thinking those riders were in certain
locations. This allowed Uber to see the eight closest available Lyft drivers
to each fake rider._

~~~
dnautics
This is a very "benign" fake, akin to scraping a website for information...
Moreover, you could just as easily do it with a 'real' account; and just use
the 'real' account far... Less often than you're using it to scrape the info.

~~~
ckastner
This wasn't public information to be scraped, hence the requirement for an
account.

Creating fake accounts for this purpose is a violation of the current terms of
service [1] (these might have been different in 2016):

_9. Restricted Activities_

_h. forge headers or otherwise manipulate identifiers in order to disguise
the origin of any information transmitted through the Lyft Platform;_

_l. use any robot, spider, site search /retrieval application, or other
manual or automatic device or process to retrieve, index, scrape, “data mine”,
or in any way reproduce or circumvent the navigational structure or
presentation of the Lyft Platform or its contents;_

[1] [https://www.lyft.com/terms](https://www.lyft.com/terms)

~~~
andoon
Terms of service are not law.

When an end user breaks the terms of service of whatever system, most people
would say that terms of service mean nothing. But since it's Uber, uuuuh, the
scary terms of service!!!

~~~
UncleMeat
With how the CFAA works, yes this sort of thing can absolutely be against the
law. "Unauthorized" is a pretty broad term.

------
guelo
Trying to think through how Hell must have worked, Uber must have decoded
Lyft's encrypted REST APIs and were able to hit an endpoint that returned the
8 nearest available rides given a user and geolocation. Given a large metro
area such as LA, you would probably need to make hundreds of requests with
fake geolocations to be able to map out the whole area. You would probably
only need to do it maybe every 5-10 minutes to get decent resolution for a
semi-live map. Depending on Lyft's rate limiting you might get by with on the
order of dozens of fake accounts. Given Lyft's scale this would probably be
small undetectable noise in their analytics and wouldn't really degrade their
systems. I would say it's only semi-shady, probably doesn't rise to the level
of civil or criminal lawsuits.

~~~
vostrocity
Uber could just run Android or iOS emulators running Lyft with fake user
accounts and fake geolocation.

~~~
huac
The article claims that's how it worked

------
perfmode
It's only because Uber's view of its own drivers is known as heaven/god view.

edit: discussed in article.

Call me a pessimist, but I am betting that, despite the long and rocky road
ahead, Uber is eventually going to succeed. And we're going to see the
emergence of a new corporate template.

------
sebleon
I don't see how this is nefarious, Uber is scraping data that Lyft is sharing
publicly. And based on Lyft's response, my hunch is that they do the same
thing.

If anything, this story distracts us from legit nasty business practices -
like repeatedly cancelling on Lyft drivers to waste their time and lower their
earnings.

~~~
onion2k
_Uber is scraping data that Lyft is sharing publicly._

Except they're really not. They accessed data from an API that is only
available to the Lyft app by creating some fake profiles. That means their
profiles couldn't legally have agreed to the app's terms and conditions, so it
wasn't legally permissible for them to access the API. So no, they weren't
just accessing information that Lyft were "sharing publicly".

~~~
averagewall
Do you think it's OK for violating the T&Cs of an app to be illegal? Isn't
that the same as using the F word on a forum when you agreed not to? Didn't we
go through all this with Aaron Swartz and one or two other high profile
hackers?

~~~
onion2k
_Do you think it's OK for violating the T&Cs of an app to be illegal?_

I don't think determining legality and harm should be a boolean operation.
There are layers of subtlety and nuance in most things, and the law is one of
them. I don't think posting the F word on a forum where the owner doesn't want
you to post it should be treated as an equal violation of the law as
deliberately abusing your competition as a billion dollar business. The amount
of damage, and perhaps _potential_ damage should be considered. When I swear a
reasonable person would think the harm is minimal. When I try to sabotage
another company where the damage could result in billions of dollars of lost
investment and thousands of jobs vanishing a reasonable person would think
that's pretty bad. They're technically the same 'crime', but they're obviously
not the same in scale.

~~~
sebleon
Legality should be boolean - either you're following the law or you're not. If
guilty, however, the penalty should be proportionate to the harm done.

In this particular case, Uber is guilty of breaching Lyft ToS's clause around
no data mining. However, this seems like an insignificant infraction; there is
likely to be zero legal penalty. Lyft's only recourse is to either shut down
Uber's accounts or feed them bogus data.

------
Buge
Interesting how they didn't punish drivers who also drove for Lyft, they
actually rewarded drivers who also drove for Lyft with better Uber offers.

~~~
yesiamyourdad
Uber & Lyft need a large pool of drivers readily available. The quick pickup
is a key part of the experience that makes them superior to taxis. Especially
drivers who are rated well. I'd be kind of surprised if a driver's rating
didn't factor into their entire incentive program. I carried a 4.9 Uber rating
by the time I quit driving and they were issuing some really attractive
incentives by the end.

------
mifeng
>If there were several Uber drivers near an Uber rider but one of those
drivers was also frequently available on the Lyft network, as seen by the Hell
program, Uber’s ride-dispatch team was supposed to “tip” that ride request to
the driver who was “dual apping,” or typically looking for riders through both
the Lyft and Uber apps, sometimes by using two different smartphones at the
same time. The person involved in the program called it “privileged dispatch”
and said Uber aimed to use that to squeeze Lyft’s supply of drivers. [from the
original article on The Information]

I think this should be the most controversial part of the program.
Essentially, Uber favored its drivers who used both Uber and Lyft at the
expense of its drivers who were strictly loyal to Uber.

------
RoyTyrell
What is wrong with Uber's management? I don't think I've ever read anything
positive about the company.

From their numerous gender bias and sexual harassment claims, to their CEO
acting like a bratty spoiled 15-year-old and bitching out a driver, to trying to
skirt public safety laws by refusing to register their self-driving cars after
being catered and begged to do so by government regulators simply because they
don't give a fuck, to this whole Waymo lawsuit, to this. I think this shitty
company needs a complete change of upper management.

------
yesiamyourdad
I drove for both Lyft and Uber last year, and I could swear that Uber was
tracking Lyft. I'd get a call for an Uber and while fumbling around with the
phone getting to the Lyft app to drop driver mode, I'd get a Lyft call in.
Totally anecdotal, but it happened enough that I noticed. Eventually I quit
trying to double dip, it was just too stressful. I'd make a call on which to
use based on the incentives being offered, basically, or if things were slow
on one I'd switch to the other.

------
free2rhyme214
At this point, what hasn't Uber done?

~~~
Razengan
At this point, is anyone else feeling like there might be some vendetta-driven
campaign directed against them?

~~~
douche
Somebody very much wants them to fail.

It's starting to feel like the campaign to pump up all the Russophobia

~~~
pluma
Except there's more evidence of Uber's failings than for the accusations
levied against Russia.

------
blazespin
I love how "There has been some recent tension between her and Kalanick, with
some investors blaming bad press for Uber’s woes (wrong!), although sources
said that was expected given all the controversies at the company of late."
becomes "Uber’s head of communications Rachel Whetstone recently quit,
reportedly because of conflicts with Kalanick."

------
sillysaurus3
_Lyft said “We are in a competitive industry. However, if true, these
allegations are very concerning.”_

Notice the careful non-statement by Lyft. It's hard to believe Lyft isn't
doing exactly the same thing.

It's not questionable behavior to track what your competitor is doing. That's
the first step toward beating them. And yes, Uber is trying to beat Lyft, just
like Lyft is trying to beat Uber. That happy balance is a good thing for
consumers.

It's pretty strange that I have to second-guess whether to post this comment
since it could be interpreted as a defense of Uber. But the PR spin is getting
to be a feeding frenzy.

Is _all_ tracking now unethical? Under what circumstances should you be
allowed to track other people? Google knows more about you than your
significant other. Should they be allowed to do this? Is this ethically
questionable? What is the categorical difference between Google and Uber?
These are questions which have no clear and easy answer, but it's painted as
if it's so clear-cut.

~~~
eridius
> _It's hard to believe Lyft isn't doing exactly the same thing._

No, it's actually really easy to believe that Lyft isn't tricking Uber's
computer systems into giving Lyft real-time info on Uber's drivers and fare
prices. Please stop trying to make excuses for Uber's shitty behavior.

~~~
Razengan
_> it's actually really easy to believe that Lyft isn't tricking Uber's
computer systems_

How, or why, is that really easy to believe?

~~~
eridius
Because most companies don't intentionally break the law or engage in
fraudulent activity. Just because Uber does this all the time doesn't mean
Uber's competitors must do it too.

------
JumpCrisscross
> _[Uber] used software to trick Lyft’s system into thinking those riders were
> in certain locations_

Could this be a CFAA violation? Are there any prosecutorial jurisdictions with
lots of Lyfts and few or no Uber?

~~~
pluma
I'd be surprised if this couldn't be spun into a federal crime if there's any
interest in taking this to court and involving the authorities.

------
decker
I always wondered why Uber showed fake cars on their map. I remember them
citing "technical" issues which seemed suspicious given that it's not a hard
problem, and Lyft actually shows car locations. I wouldn't be surprised if the
fake cars came about as a result of the Hell program when they realized car
locations could be used against them.

------
pjc50
Please note that the whole "illegal access to a computer system" business is
what Aaron Swartz was being prosecuted for. I don't think we want to promote
a restrictive idea about what constitutes authorised use of a system, just so
we can have a go at an unpopular taxi service.

~~~
pluma
The two situations are very different.

As technology goes, Aaron merely accessed what was already accessible to every
user. Uber accessed information a single user wouldn't have had access to.

As ethics go, Aaron downloaded information that represented publicly funded
research and would be available to the public if academic publishing wasn't so
horribly defunct. Uber extracted operative business information that was only
meant to be exposed a fraction at a time to provide specific services.

As motives go, Aaron tried to make information publicly available for free.
Uber tried to poach Lyft's drivers and sabotage Lyft's operational model for
financial gain.

The only value of Aaron's case in this discussion is as an example in the form
of "If what Aaron did was grounds for criminal prosecution, how is what Uber
did not a federal crime?".

Even if you disagree with the ethical aspects, Aaron exfiltrated information
available to any normal user (just at a larger scale than intended) whereas
Uber intentionally exploited a design flaw to access information not available
to any individual user. If both crimes could be described as "doing X, and
then doing the same thing again a lot more times" for Aaron X was "downloading
a file intentionally made available to all users" whereas for Uber X was
"downloading information only intended to be available to a single other
user".

------
Apocryphon
So is Uber just getting its dirty laundry wikileaked more than American
intelligence services are now, or what?

------
waronsanity
Is Uber the only tech company using unethical and immoral practices to take
out the competition? Or the only one to be caught?

(Not asking as a defense for them, I'm just curious, and cynical. I believe
they all do this, but that's an ignorant belief as I don't know.)

------
JustSomeNobody
>Hell originated after Uber created fake rider accounts on Lyft and used
software to trick Lyft’s system into thinking those riders were in certain
locations. This allowed Uber to see the eight closest available Lyft drivers
to each fake rider.

This is not ethical. It's not.

------
throwawayosiu1
I would really like to know what is unethical (or even illegal) about this
(just so I can understand this correctly).

Uber

* created multiple fake accounts on lyft to know about its drivers

* figured out that its drivers were assigned numerical ids

* used said ids to track lyft drivers.

imho, this is just figuring out your competition (say by signing up to the
service) and then using this knowledge to improve your service (by inciting
drivers on both platforms to ditch one).

This is one of those "do things that don't scale" mean (or my interpretation
of it). I say this because, one multi-billion $ "startup" is doing this to
another multi-billion $ "startup".

Also, I'm sure this would never be an issue if Uber was not in the press for
other crappy stuff they did.

------
freeplatform
Are user location credentials often accidentally exposed in other apps' APIs?
This isn't something I have much knowledge in and am just wondering how often
this is a security issue.

------
_jezell_
Doesn't seem much different than Google indexing the web. They were just
crawling Lyft.

~~~
pluma
They created fake accounts with fake geolocation to extract information, then
they exploited a design flaw in Lyft's software to perform an enumeration
attack that allowed them to extract full information about all drivers in real
time in order to exploit that information financially.

Google crawls public websites while respecting counter-measures like the
`robots.txt` protocol. They also don't create fake accounts. They most
certainly don't perform enumeration attacks to find more content to index.

This is nothing like what Google does. If Google did this, they'd be called
out the same way.

Heck, if anything, this is similar to what Aaron Swartz did, except Aaron did
it to make the information public rather than profit from it for financial
gain -- and the data he did it with was neither sensitive nor private.

------
pkkim
If I were Lyft, I might try to detect what traffic is coming from suspect
clients and present an inaccurate view to them to maximize inefficient
spending on Uber's part. This seems like it should be easy to do without
harming someone in case you inaccurately label someone as illegitimate.

~~~
pluma
It is interesting that Lyft didn't detect this malicious behaviour and this
raises some questions.

Did Uber try to obscure what they were doing by spreading the requests over
various IPs to cover their tracks? This would indicate that they knew they
were doing something malicious (which could affect sentencing if this is
considered a federal crime under US law which it actually might be -- though
IANAL).

If this really was "realtime", why didn't Lyft notice the unusual request
volume? What could they have done to detect this as suspicious and
investigate? Are there some specific lessons other companies could learn from
this?

~~~
kyrra
Detecting these kinds of behaviors is hard without generating false positives.
GPS on phones isn't always the most reliable thing, especially if the user is
opening and closing the app.

An app that did try to stop this type of behavior was Pokémon Go. It took them
a while to do even halfway well.
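
A defender-side sketch of the detection pluma asks about and kyrra warns is prone to false positives, as an added example that is not part of the thread or of either company's code: it scores each rider account's "nearby drivers" lookups by implausible jumps between consecutive positions (teleporting faster than any car), the number of distinct map cells touched, and distinct client IPs, and only flags accounts that do all of it repeatedly, so ordinary GPS jitter from an app being reopened passes. The log format, field names and thresholds are assumptions; the log lines are constructed sample data.

```python
"""Heuristic detection of synthetic-location 'nearby driver' lookups.

Added example, not Lyft's or Uber's code. The log format, field names and
thresholds are assumptions; the log lines below are constructed sample data.
"""
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one 'nearby drivers' lookup per line.
# Fields: ISO timestamp, account id, latitude, longitude, client IP.
# rider_a behaves like a real user (small GPS jitter around one spot);
# rider_b hops ~14 km every 3 seconds from several addresses.
SAMPLE_LOG = """\
2016-03-01T12:00:00Z rider_a 34.0522 -118.2437 203.0.113.10
2016-03-01T12:00:05Z rider_a 34.0530 -118.2440 203.0.113.10
2016-03-01T12:00:40Z rider_a 34.0525 -118.2445 203.0.113.10
2016-03-01T12:00:00Z rider_b 34.0522 -118.2437 198.51.100.7
2016-03-01T12:00:03Z rider_b 34.1522 -118.3437 198.51.100.7
2016-03-01T12:00:06Z rider_b 34.2522 -118.4437 198.51.100.8
2016-03-01T12:00:09Z rider_b 34.3522 -118.5437 198.51.100.9
2016-03-01T12:00:12Z rider_b 33.9522 -118.1437 198.51.100.7
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 300.0   # assumption: faster than any car, tolerant of GPS jitter
MIN_IMPLAUSIBLE_JUMPS = 3   # assumption: one jump can be a GPS glitch, several cannot
MIN_DISTINCT_CELLS = 4      # assumption: distinct ~1 km grid cells touched
GRID_DEG = 0.01             # ~1.1 km of latitude per grid cell

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def parse_log(text):
    """Group lookups by account, ordered by time: {account: [(ts, lat, lon, ip), ...]}."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, lat, lon, ip = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        per_account[account].append((when, float(lat), float(lon), ip))
    for events in per_account.values():
        events.sort(key=lambda e: e[0])
    return per_account

def score_account(events):
    """Return (implausible_jumps, distinct_cells, distinct_ips) for one account."""
    jumps = 0
    for (t0, la0, lo0, _), (t1, la1, lo1, _) in zip(events, events[1:]):
        hours = max((t1 - t0).total_seconds(), 1.0) / 3600.0
        if haversine_km(la0, lo0, la1, lo1) / hours > MAX_PLAUSIBLE_KMH:
            jumps += 1
    cells = {(round(la / GRID_DEG), round(lo / GRID_DEG)) for _, la, lo, _ in events}
    ips = {ip for _, _, _, ip in events}
    return jumps, len(cells), len(ips)

def flag_suspect_accounts(log_text):
    """Accounts whose lookups teleport repeatedly across many cells; jitter passes."""
    flagged = {}
    for account, events in parse_log(log_text).items():
        jumps, cells, ips = score_account(events)
        if jumps >= MIN_IMPLAUSIBLE_JUMPS and cells >= MIN_DISTINCT_CELLS:
            flagged[account] = {"jumps": jumps, "cells": cells, "ips": ips}
    return flagged

if __name__ == "__main__":
    print(flag_suspect_accounts(SAMPLE_LOG))  # only rider_b is flagged
```

An account flagged this way is a candidate for review or a degraded response, not proof of abuse; the jump and cell thresholds exist precisely because a single teleport is what a phone reopening the app with a stale fix looks like.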

------
mtgx
That's appropriate, considering Uber itself seems to have been born in Hell.

