
Uber says it gave U.S. agencies data on more than 12M users - t23
http://www.reuters.com/article/us-uber-tech-data-idUSKCN0X91R5
======
jakelarkin
read the report
[https://transparencyreport.uber.com/](https://transparencyreport.uber.com/)

the 12M users are mostly demands from regulatory authorities

- 6M is California, likely CPUC

- 3M is New York, probably the TLC there

that's how you get the data sets for analysis like
[http://toddwschneider.com/posts/analyzing-1-1-billion-nyc-ta...](http://toddwschneider.com/posts/analyzing-1-1-billion-nyc-taxi-and-uber-trips-with-a-vengeance/)
which appear on HN periodically and are eagerly upvoted

the regulators make this a requirement for Uber to open or continue operating
in their respective regions. Uber tries to negotiate a narrow scope for info
disclosure as much as possible.

(disclaimer: uber employee)

~~~
abrookewood
What are CPUC & TLC?

~~~
tlrobinson
Easily Googleable regulatory authorities in California and New York.

~~~
bcook
and perhaps even more relevantly defined in an HN post...

------
guelo
This is kind of cheeky from Uber because there's no reason they could not
report the exact regulatory agency requests to give us a better understanding
of what is going on. Did they hand over the names and trip routes of 12
million people? Or just aggregate data like "a million people took trips to
SFO".

~~~
steven2012
It's the exact same regulatory information that lyft and taxicab companies
hand over to regulators.

~~~
mirimir
When I hail a taxi on the street, and pay cash, what does the driver/company
know about me? They could take photos, collect DNA, etc. But there's no
metadata, as there is with Uber and Lyft.

~~~
oh_sigh
They know where you got picked up, where you got dropped off, how you paid

~~~
mirimir
Right. But they don't know my identity.

~~~
oh_sigh
That's not the only thing regulators care about. In fact, frequently they
don't care about a person's identity. They may want to know things like whether
certain neighborhoods are being over/underserved

~~~
mirimir
I'm not concerned about the regulators. What concerns me is the easy access by
police and TLAs to so much data about who went where, when, and with whom.
Mass surveillance, complementing collection through all the other methods.

~~~
catfest
The exact same information is collected by public transport systems where you
have a pass which you top up with your credit card, if the authorities want
access to this data they just get in touch with the transit authority. I hate
it and avoid these systems where possible.

------
robotkilla
The quote is actually:

> provided information on more than 12 million riders and drivers to various
> U.S. regulators and on 469 users to state and federal law agencies

The article title is wrong I think -- or am I confused? This sentence sounds
like they gave away regulatory information as pointed out here
[https://news.ycombinator.com/item?id=11484270](https://news.ycombinator.com/item?id=11484270)
-- 469 users were targeted, not 12+ million.

> Uber said it got 415 requests from law enforcement agencies, a majority of
> which came from state governments, and that it was able to provide data in
> nearly 85 percent of the cases. A large number of the law enforcement
> requests were related to fraud investigations or the use of stolen credit
> cards, according to the report.

My math might be off, but I'm pretty sure 415, 469, and 12m+ are three
separate figures... and I'm also pretty sure there were not 12m+ requests for
cases related to uber fraud.

------
dmix
> Uber said it had not received any national security letters or orders under
> the Foreign Intelligence Surveillance act.

An NSL is typically reserved for companies who can give broad access to user
data, such as requiring all previous and any future data for x amount of time
for 3-hops from a single person's social network (which could be hundreds of
people).

That plus obscure the target. So an NSL wouldn't be necessary if they could
hit up the regulators for large data dumps. The only question then is
providing real-time access/future data.

I'm not sure Uber fits the profile for NSLs. Primarily given the fact that
Uber likely doesn't have social network data on their riders so a simple court
order for a single user's rides and GPS locations is probably all that's
available for an NSA/FBI investigation. Unlike an email provider like
Yahoo/Lavabit, or an ISP for example, which could provide multi-hop data.

I'm curious if they built the NSA/FBI a full realtime data feed access system
the way Blackberry did [1] for their BBM system during G20 in Toronto in 2010.
Since the founder of Uber spoke about having a "god-mode" system [2] in place
to do pretty much the same. It wouldn't be hard to expose that same system to
federal agencies (even voluntarily).

[1] [http://www.bloomberg.com/news/articles/2013-06-17/blackberry...](http://www.bloomberg.com/news/articles/2013-06-17/blackberry-defends-smartphone-security-after-g-20-spying-report)

[2] [http://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-...](http://www.buzzfeed.com/johanabhuiyan/uber-is-investigating-its-top-new-york-executive-for-privacy)

~~~
pcl
_Uber likely doesn't have social network data on their riders_

Uber does have a feature to split a bill, and has source,destination pairs for
all its trips. I bet you can do some serious social graph construction with
that data.

And, as with so many things in the privacy space, combining that data with
other data sources (ISP intercepts of HTTPS traffic, for example) probably
provides a clearer picture than one could get from either data set alone.

~~~
nsgi
What makes you think ISPs are intercepting HTTPS traffic, or have the ability
to do so?

~~~
Spooky23
There's no reason the ISP couldn't intercept encrypted traffic or related
metadata. They just can't read it.

Since wireless ISPs have been collecting and indefinitely retaining messaging
data for many years, it's not beyond any reasonable expectation that wireline
ISPs aren't retaining various things.

~~~
pdkl95
You only need to know which cell towers the phones are traveling past[1], and
you get a nice relationship map (and movement data). I'm sure a similar
analysis can be done with IP headers.

[1] [http://apps.washingtonpost.com/g/page/national/how-the-nsa-i...](http://apps.washingtonpost.com/g/page/national/how-the-nsa-is-tracking-people-right-now/634/)

------
blackbagboys
The report can be found here:
[https://transparencyreport.uber.com/](https://transparencyreport.uber.com/)

Interestingly, Uber does appear to have included an explicit NSL warrant
canary.

~~~
eric_h
I only skimmed - I'm curious which portion you suggest is an explicit warrant
canary?

~~~
aeling
Not GP, but I would assume:

> As of the date of this report, Uber has not received a National Security
> Letter or FISA order.

~~~
corin_
Has the legality of removing that canary, if they were to receive an order
that requires secrecy, been confirmed or tested in court ever? I.e. the claim
of "we didn't tell people you served us an NSL, we just stopped telling people
we hadn't, so we didn't break the instruction to not tell anyone"?

~~~
djcapelis
Well, by its nature it wouldn't be an open proceeding because of the pure
ridiculousness of secrecy in these types of cases, so we might not be able to
confirm it like that. That said, I haven't seen anyone arrested at any of the
organizations that have removed their canaries yet, so it seems like the legal
theory remains as sound as expected.

------
kobayashi
My immediate thought was, "12 million? Either governmental bodies in the US
are really ramping up their social mapping efforts (in a very unusually
transparent way), or this isn't a typical privacy/intelligence-related
article."

The latter proved to be correct, and thus, I don't think it's as sensational a
revelation as I'm sure many news agencies and privacy-conscious individuals
will spin it to be.

Relevant excerpts:

> A large number of the law enforcement requests were related to fraud
> investigations or the use of stolen credit cards, according to the report.

> Uber said it had not received any national security letters or orders under
> the Foreign Intelligence Surveillance act.

------
yason
This could never happen in the old times when you paid taxis with cash. Nobody
knew who you were and where you travelled to from where. At some point, there
will be people who don't recognize that sort of notion of privacy: it will be
the norm that each leg of everyone's journey is tracked and recorded. Yet,
Uber is super convenient so it's only the logical thing to do today.

I always imagined that governments would have to increasingly tighten their
grip on control and surveillance to approach that 1984 environment which has
been looming for a couple of decades now. I would have expected that welfare
states where government control is generally _considered a good thing_ and
which thus receives little opposition would gradually sink deeper into
it――like that frog in a kettle being heated till the water starts
boiling――until the contrast to more free countries would be blatant.

However, in the last ten years or so, it seems that people, and people even in
the more free countries, are volunteering into all that very control by
themselves, under the name of convenience. We use Facebook, Uber, Google,
Android because it's easy and convenient and opens up social possibilities
previously unheard of――surely an argument to be defended――and that is how most
of us give up privacy practically for free.

Things are generally so well these days that there's little need to worry
about privacy in practice. It's only the more dubious circumstances where it
suddenly begins to matter who knows what you've been doing and where. In
contrast, if an average person is not online today he will partially be an
outcast somewhat among his peers. Thus, the social incentives will, in the
average, drive people to surrender their privacy online to get connected to
their friends.

On the other hand, I don't see the online world to be avoided either per se.
It's simply enough that there's a backup. If things get bad, you can disappear
from online services and revert to seeing people face to face. It'll be a bit
more cumbersome but hey that's how it worked for centuries before. My concern
there is whether the state itself still supports handling things offline. If
you have to be online to pay (lacking cash), or to travel (no anonymous paper
tickets), or to drive (no cars without live connection for telemetry, law
enforcement and insurance purposes), or walk (face-recognising security
cameras everywhere) then it becomes very difficult to revert back to the
1900's.

People's behaviour can be reverted but if the non-private way of doing things
gets cemented into the fabric of the society in the form of how the state
operates, then it will be very hard to opt out.

~~~
kobayashi
The frog that doesn't get out of the water and allows itself to be boiled to
death is a misnomer - the experiment involved a frog which had its brain
removed IIRC, and a normal frog will just jump out.

That story bothers me almost as much as misattributed quotes.

Edit: ...uh, why the downvotes?

~~~
jaytaylor
Perhaps due to no citation for claim?

~~~
kobayashi
Source: [http://conservationmagazine.org/2011/03/frog-fable-brought-t...](http://conservationmagazine.org/2011/03/frog-fable-brought-to-boil/)

------
magoon
The tides turn when your government starts investigating people, versus
investigating crimes.

~~~
CamperBob2
From the article, it sounds like these investigations are mainly
run-of-the-mill criminal cases:

    A large number of the law enforcement requests were
    related to fraud investigations or the use of stolen
    credit cards, according to the report.

But why that would require 12 million user records to be disclosed to the
government, of course, is another question entirely.

~~~
jcl
Per the article, the 12 million records were disclosed to "regulators", not
law enforcement. From "transparencyreport.uber.com", it looks like the primary
consumers were California (~5M) and NYC (~3M), followed by various other
cities, states, and airports.

~~~
krapp
"regulators" who likely share their data freely with the government or law
enforcement anyway. I see no reason to make a distinction where no practical
distinction exists.

------
k-mcgrady
The vast majority of the requests are by 'regulators'. Anyone able to provide
info on what that actually means?

Edit: Could the link be changed to the actual Uber post instead of the almost
infoless Reuters article? After reading the actual report the regulator stuff
doesn't worry me too much.

------
Gabriel_Martin
What to do when your self-driving car decides to drive you to the police?
[https://news.ycombinator.com/item?id=11149653](https://news.ycombinator.com/item?id=11149653)

------
capote
Is this _totally_ new or have there been [rumors | accusations | scandals]
about Uber with respect to privacy/data selling before?

~~~
superuser2
Here is one of many articles from an ongoing spat between Uber and the
California regulators over how much data they were demanding:
[https://www.theguardian.com/technology/2016/jan/13/uber-fine...](https://www.theguardian.com/technology/2016/jan/13/uber-fined-millions-data-dispute-california)

~~~
capote
Whoa, I was unaware.

------
aranw
This only mentions the data within the U.S. and U.S. Riders but would be
interesting to see what countries try to request regarding Riders from outside of
their country. For example have the U.S. government agencies been requesting
data for Riders in other cities/countries from around the world and have they
given said data or not?

------
nissehulth
The most recent Uber Android app requested access to app history and browser
history. There may be a legitimate reason for this but I can't see it.

------
jessaustin
OK this is creepy, but it's even creepier when e.g. Progressive Insurance use
their Snapshot® device to do the same thing without telling anyone.

------
Scoundreller
Note to self: list my "home" address as the address a door or two down.

------
therealmarv
wait, did they give an entire DB dump away? 12M users?!

------
civilian
Is the grammar in this headline really awkward to anyone else? "Uber says gave
U.S. agencies data on more than 12 million users"

Either it should be "Uber says they gave" or "Uber gave". :/

~~~
dang
Newspaper headlines have a domain-specific grammar, in which this is perfectly
legal. But ok, have an 'is'.

~~~
alanh
Tabloid headlines have their own sub-form, which would be:

> Uber: We gave US agencies your data!

------
miracle_code
Whut? The agencies know no ends, lol.. Who'd thunk it?

------
mavdi
This is some mass data level submission. Thanks for the transparency but at
the same time, goodbye Uber.

~~~
capote
Well hang on a second. Shouldn't we at least let this play out so we see what
exactly the data was, what their criteria for giving in to the requests were,
etc?

Or is there something immediately shocking about this besides the numbers?

~~~
wavefunction
It sounds like there was no subpoena attached to the request, which is
immediately shocking that a company feels so free to divulge the details of
their customers. They also divulged the details of that journalist they were
miffed at a few years ago. To me it seems like a pattern with Uber.

~~~
true_religion
They divulge the parameters of their operation in NY and California because
the state governments require them to in order to continue operating.

Uber likely isn't giving up any more information than your typical taxi
company does to ensure they aren't falling afoul of transport regulations.

