Last week I discussed the California Superior Court decision that ruled that under California law Uber and Lyft must classify their ridesharing drivers as employees, rather than independent contractors. In response to that ruling, both companies had threatened to shut down service across the state. Yesterday, an appeals court issued a stay on that ruling, allowing both companies to continue operations, “pending resolution” of their appeal of the initial order. As I mentioned in my last blog post, the rideshare giant’s strategy currently appears to be “run out the clock,” until the November election, when California voters will decide on Proposition 22, which would establish a new classification for drivers. So for now those Californians who are willing to brave getting into a rideshare will be able to do so – while Uber and Lyft also explore more creative solutions, in case Prop 22 doesn’t pass.
Also on Thursday, another court case tied to Uber was just starting. Federal prosecutors in San Francisco filed criminal charges against Uber’s former security chief, Joe Sullivan. Sullivan is charged with two felony counts for failing to disclose a 2016 Uber data breach to federal investigators who were investigating similar earlier incidents that had occurred in 2014. In the 2016 incident, an outside hacker was paid $100,000 by Uber after the hacker revealed they had acquired access to the information of 57 million riders and drivers. Beyond the payment, Uber faced further criticism for failing to reveal the incident for a full year. Two of the hackers involved later plead guilty to charges related to the hack, and they are both awaiting federal sentencing. In 2018 Uber paid $148 million to settle a suit brought by state attorneys general related to the hack, while the FTC expanded a previous data breach settlement in reaction to the incident. Beyond the lack of transparency (to the public and law enforcement) Uber’s major misstep, at least in my view, is the payment itself. While many companies, Uber included, sponsor “bug bounties,” where outside security researchers are rewarded for reporting security flaws in a company’s products, this payment fell outside of that structure. Rather, it seems more like a ransom payment to less than scrupulous hackers. While Uber is far from the only company to have faced data breaches (or to have paid off hackers), this case should be a wake-up call for all mobility companies – a reminder that they have to be very careful with the customer data they are collecting, least they fall prey to a data breach, and, just as importantly, when a breach occurs, they have to face it with transparency, both to the public and investigators.
The third Uber-related this month involves another former Uber employee, Anthony Levandowski, who was sentenced to 18 months in prison for stealing automated vehicle trade secrets from Google. In 2016, Levandowski left Google’s automated vehicle project to start his own AV tech company, which was in turn acquired by Uber. Levandowski was accused of downloading thousands of Google files related to AVs before he left, leading to a suit between Google’s Waymo and Uber, which was settled for roughly $250 million. There are a lot more details involved in the case, but it highlights some of the many challenges Uber, and the mobility industry at large, face.
Mobility and AVs are a huge business, with a lot of pressure to deliver products and receive high valuations in from investors and IPOs. That can incentivize misbehavior, whether it be stealing intellectual property or concealing data breaches. Given how central mobility technologies are to people’s daily lives, the public deserves to be able to trust the companies developing and deploying those technologies – something undermined by cases like these.