the regulators make this a requirement for Uber to open or continue operating in their respective regions. Uber tries to negotiate a narrow scope for info disclosure as much as possible.
I'm pretty sure the principle doesn't apply here, as these are known regulations requiring the retention and transmission of data, not post-hoc warrants etc. It's like the IRS requiring you to keep receipts.
If its anything like most companies data retention boils down to "we keep everything that someone decided to log in an adhoc fashion, and we keep it forever unless we run out of disk space then we delete it again in an adhoc fashion".
And just think ... Uber and (mostly Silicon Valley) companies like it thought all along how easy it would be for "software to eat the world" and thus merely "disrupt" the establishment, "disrupt" the old school, "disrupt" and "democratize", "disrupt" the 1%'ers / elite power structures which pull the puppet strings of the state and federal regulators. Meritocracy eh?
This is kind of cheeky from Uber because there's no reason they could not report the exact regulatory agency requests to give us a better understanding of what is going on. Did they hand over the names and trip routes of 12 million people? Or just aggregate data like "a million people took trips to SFO".
This is a perfectly legitimate question by guelo. Instead of downvoting, could someone shed light on why transparency reports never give specifics on the actual authorities making the requests or the data given? With the exception of those under seal or gag, of course.
When I hail a taxi on the street, and pay cash, what does the driver/company know about me? They could take photos, collect DNA, etc. But there's no metadata, as there is with Uber and Lyft.
Do we actually know that? I got the impression that they were reporting much more than that. Maybe not to regulators. But to police and TLAs, presumably without warrants. That's the key concern, here. Another form of mass surveillance.
Yeah, so your parent is asking how much Uber, who obviously know more information about their riders than LocalTaxiCashCo., are doing to remove the excess on their responses to regulatory requests.
That's not the only thing regulators care about. In fact, frequently they don't care about a persons identity. They may want to know things like whether certain neighborhoods are being over/underserved
I'm not concerned about the regulators. What concerns me is the easy access by police and TLAs to so much data about who went where, when, and with whom. Mass surveillance, complementing collection through all the other methods.
The exact same information is collected by public transport systems where you have a pass which you top up with your credit card, if the authorities want access to this data they just get in touch with the transit authority. I hate it and avoid these systems where possible.
> provided information on more than 12 million riders and drivers to various U.S. regulators and on 469 users to state and federal law agencies
The article title is wrong I think -- or am I confused? This sentence sounds like they gave away regulatory information as pointed out here https://news.ycombinator.com/item?id=11484270 -- 469 users were targeted, not 12+ million.
> Uber said it got 415 requests from law enforcement agencies, a majority of which came from state governments, and that it was able to provide data in nearly 85 percent of the cases. A large number of the law enforcement requests were related to fraud investigations or the use of stolen credit cards, according to the report.
My math might be off, but I'm pretty sure 415, 469, and 12m+ are three separate figures... and I'm also pretty sure there were not 12m+ requests for cases related to uber fraud.
> Uber said it had not received any national security letters or orders under the Foreign Intelligence Surveillance act.
An NSL is typically reserved for companies who can give broad access to user data, such as requiring all previous and any future data for x amount of time for 3-hops from a single persons social network (which could be hundreds of people).
That plus obscure the target. So an NSL wouldn't be necessary if they could hit up the regulators for large data dumps. The only question then is providing real-time access/future data.
I'm not sure Uber fits the profile for NSLs. Primarily given the fact that Uber likely doesn't have social network data on their riders so a simple court order for a single users rides and GPS locations is probably all that's available for an NSA/FBI investigations. Unlike an email provider like Yahoo/Lavabit, or an ISP for example, which could provide multi-hop data.
I'm curious if they built the NSA/FBI a full realtime data feed access system the way Blackberry did [1] for their BBM system during G20 in Toronto in 2010. Since the founder of Uber spoke about having a "god-mode" system [2] in place to do pretty much the same. It wouldn't be hard to expose that same system to federal agencies (even voluntarily).
Uber likely doesn't have social network data on their riders
Uber does have a feature to split a bill, and has source,destination pairs for all its trips. I bet you can do some serious social graph construction with that data.
And, as with so many things in the privacy space, combining that data with other data sources (ISP intercepts of HTTPS traffic, for example) probably provides a clearer picture than one could get from either data set alone.
There's no reason the ISP couldn't intercept encrypted traffic or related metadata. They just can't read it.
Since wireless ISPs have been collecting and indefinitely retaining messaging data for many years, it's not beyond any reasonable expectation that wireline ISPs aren't retaining various things.
You only need to know which cell towers the phones are traveling past[1], and you get a nice relationship map (and movement data). I'm sure a similar analysis can be done with IP headers.
> I'm not sure Uber fits the profile for NSLs. Primarily given the fact that Uber likely doesn't have social network data on their riders so a simple court order for a single users rides and GPS locations is probably all that's available for an NSA/FBI investigations. Unlike an email provider like Yahoo/Lavabit, or an ISP for example, which could provide multi-hop data.
Well, the Uber app on Android requires access to the user's address book, call log, and location, so I'd say Uber does have valuable social network information. This is not a unique capability for an Android app, however.
Knowing who went to or from a single location at around the same time would be super interesting for counter-terrorism. Of course, the intelligent terrorist would pay with cash, which means no Uber except in India, Southeast Asia, and a few others [1].
Which raises real questions, since taxis in some regions have cameras but Uber cars may not.
They already do this, that is track all the locations of cell phones to see if there are two people that "magically" happen to travel somewhere together in unusual pattern. Example I saw was two people at random times "happening" to get on the same mass transit system.
States don't need that data because they can get even better data from telecoms & banks already with less hassle. They know your IMEI, billing information, credit card information and the location of your cellphone. Uber is completely dependent on people's cell phones as it is, so NSL-ing them adds nothing new, like the contents of communication.
The data they want is pickup, dropoff, type of car used, amount paid etc.
By the way. Relevant here. Juno is apparently offering drivers 50/month just to keep their app running. This allows them to track all that info from lyft uber arro. Pretty patentable... And Juno hasn't even laumched here in Manhattan.
> An NSL is typically reserved for companies who can give broad access to user data, such as requiring all previous and any future data for x amount of time for 3-hops from a single persons social network (which could be hundreds of people).
"3-hops" may very well be the entire network in most cases.
Has the legality of removing that canary, if they were to receive an order that requires secrecy, been confirmed or tested in court ever? I.e. the claim of "we didn't tell people you served us an NSL, we just stopped telling people we hadn't, so we didn't break the instruction to not tell anyone"?
Well, by its nature it wouldn't be an open proceeding because of the pure ridiculousness of secrecy in these types of cases, so we might not be able to confirm it like that. That said, I haven't seen anyone arrested at any of the organizations that have removed their canaries yet, so it seems like the legal theory remains as sound as expected.
Warrant canaries are so vague that it may technically breach the gag but it doesn't give any information that the gag orders attached to/in NSLs mainly that the targets of NSLs can't find out that their information was requested. Once a year site/company wide canaries provide no actionable information and don't even threaten to expose abuses that would show up as an inordinate number of letters being sent to a particular company that I doubt the government really cares about them in the slightest.
Don't get your hopes up. Laws are interpreted and applied by humans. If the order says you can't tell others you got the letter, no amount of information-theoretic trickery gets around that.
This can require you to lie, and I hate such laws, but that only happens if you deliberately box yourself in by setting up a warrant canary. You can avoid lying by sticking to a policy of "we cannot comment on whether we have received a request with a gag order".
My immediate thought was, "12 million? Either governmental bodies in the US are really ramping up their social mapping efforts (in a very unusually transparent way), or this isn't a typical privacy/intelligence-related article."
The latter proved to be correct, and thus, I don't think it's as sensational a revelation as I'm sure many news agencies and privacy-conscious individuals will spin it to be.
Relevant excerpts:
>A large number of the law enforcement requests were related to fraud investigations or the use of stolen credit cards, according to the report.
>Uber said it had not received any national security letters or orders under the Foreign Intelligence Surveillance act.
This could never happen in the old times when you paid taxis with cash. Nobody knew who you were and where you travelled to from where. At some point, there will be people who don't recognize that sort of notion of privacy: it will be the norm that each leg of everyone's journey is tracked and recorded. Yet, Uber is super convenient so it's only the logical thing to do today.
I always imagined that governments would have to increasingly tighten their grip on control and surveillance to approach that 1984 envinronment which has been looming for a couple of decades now. I would have expected that welfare states where government control is generally considered a good thing and which thus receives little opposition would gradually sink deeper into it――like that frog in a kettle being heated till the water starts boiling――until the contrast to more free countries would be blatant.
However, in the last ten years or so, it seems that people, and people even in the more free countries, are volunteering into all that very control by themselves, under the name of convenience. We use Facebook, Uber, Google, Android because it's easy and convenient and opens up social possibilities previously unheard of――surely an argument to be defended――and that is how most of us give up privacy practically for free.
Things are generally so well these days that there's little need to worry about privacy in practice. It's only the more dubious circumstances where it suddenly begins to matter who knows what you've been doing and where. In contrast, if an average person is not online today he will partially be an outcast somewhat among his peers. Thus, the social incentives will, in the average, drive people to surrender their privacy online to get connected to their friends.
On the other hand, I don't see the online world to be avoided either per se. It's simply enough that there's a backup. If things get bad, you can disappear from online services and revert to seeing people face to face. It'll be a bit more cumbersome but hey that's how it worked for centuries before. My concern there is whether the state itself still supports handling things offline. If you have to be online to pay (lacking cash), or to travel (no anonymous paper tickets), or to drive (no cars without live connection for telemetry, law enforcement and insurance purposes), or walk (face-recognising security cameras everywhere) then it becomes very difficult to revert back to the 1900's.
People's behaviour can be reverted but if the non-private way of doing things gets cemented into the fabric of the society in the form of how the state operates, then it will be very hard to opt out.
The problem with this theory is that every time 'big brother' is empowered, all other parties are empowered as well. People can organize easier than ever before against malicious causes. The number of communication channels available to us is growing each day, making it increasingly impossible for any one entity to control all of them. People and entities trying to leverage private information are increasingly under the microscope themselves. Perhaps one day congressmen are mandated to conduct all their work on camera, similar to the way policemen do. Technology doesn't care about intent. Some people will use it for good and others for bad.
Edit: For clarity, my position is that no Uber customer's routes should be accessed without a warrant. However, even if they fail to observe the constitution, they will eventually loose. There may be a politician writing a law today so that his uber rides to visit his mistress stay private.
The frog that doesn't get out of the water and allows itself to be boiled to death is a misnomer - the experiment involved a frog which had its brain removed IIRC, and a normal frog will just jump out.
That story bothers me almost as much as misattributed quotes.
Since you brought up that detail I just wanted to remark that this is an interesting example of truth vs value.
Most people don't know what sort of experiment it was. Now that you did mention it, I'm quite sure I've heard at least one alternative truth about the frog but I don't consciously remember it.
The reason nobody cares is that the value of the story lies elsewhere from what actually happened or might have happened in reality. Nearly nobody was there so who knows (maybe there never even was a frog?) but as you know people use it to illustrate the scenario where something adapts to specific circumstances while failing to recognize the complete change.
Interestingly, the story could actually be anything, like a scene from a well-known cartoon or any story or fairytale encompassing the same principle. Human understanding is as much about stories and words as it's about facts, and even more so for human communication.
Per the article, the 12 million records were disclosed to "regulators", not law enforcement. From "transparencyreport.uber.com", it looks like the primary consumers were California (~5M) and NYC (~3M), followed by various other cities, states, and airports.
"regulators" who likely share their data freely with the government or law enforcement anyway. I see no reason to make a distinction where no practical distinction exists.
Just for perspective, 12 million users (assuming this is US-based) is 3.7% of the US population in aggregate. This is an even higher percentage of Uber's US user base (probably by a factor of 10 or 20).
The weasel words here are "A large number" because the spin statement is intended to portray an image to the reader that is absent in actual fact. If there were a majority, or a high percentage, they surely would have trumpted said high percentage. Instead, the ambiguous "a large number" is used, which could mean "999"
I believe that for that particular type of fraud the distinction between people and users becomes important — especially with a product that has a user sponsor new user promotion, fakes accounts are probably common. That could explain the alarmingly large number of _accounts_ being investigated, presumably not as many individuals.
The vast majority of the requests are by 'regulators'. Anyone able to provide info on what that actually means?
Edit: Could the link be changed to the actual Uber post instead of the almost infoless Reuters article? After reading the actual report the regulator stuff doesn't worry me too much.
This only mention's the data within the U.S. and U.S. Riders but would be interesting to see what countries try request regarding Riders from outside of there country. For example has the U.S. government agencies been requesting data for Riders in other cities/countries from around the world and have they given said data or not?
Well hang on a second. Shouldn't we at least let this play out so we see what exactly the data was, what their criteria for giving in to the requests were, etc?
Or is there something immediately shocking about this besides the numbers?
It sounds like there was no subpoena attached to the request, which is immediately shocking that a company feels so free to divulge the details of their customers. They also divulged the details of that journalist they were miffed at a few years ago. To me it seems like a pattern with Uber.
the 12M users are mostly demands from regulatory authorities
- 6M is California, likely CPUC
- 3M is New York, probably the TLC there
that's how you get the data sets for analysis like http://toddwschneider.com/posts/analyzing-1-1-billion-nyc-ta... which appear on HN periodically and are eagerly upvoted
the regulators make this a requirement for Uber to open or continue operating in their respective regions. Uber tries to negotiate a narrow scope for info disclosure as much as possible.
(disclaimer: uber employee)