Exclusive: Current and former Uber security staffers cast doubt on spying claims

By Joseph Menn and Heather Somerville

SAN FRANCISCO (Reuters) - The former security chief of Uber Technologies Inc. [UBER.UL] swore in a closed legal proceeding that he knew of no attempts to steal trade secrets from anyone, including Alphabet Inc's self-driving unit Waymo, and would be "shocked" if that had occurred.

In a deposition taken in mid-December near San Francisco, Joe Sullivan, Uber's security chief from 2015 to 2017, said that the most explosive claims made by another former Uber employee of unethical and illegal behavior by members of his security team were false.

The testimony, described to Reuters by people familiar with it, came in connection with a lawsuit brought by Waymo which accuses arch rival Uber of stealing trade secrets.

Sullivan's testimony has not been made public. He has not spoken in open court or spoken publicly since leaving Uber in November, when he was fired following an investigation.

The previously unreported testimony from the onetime senior Uber official, as well as interviews conducted by Reuters with five current and former Uber employees, rebuts statements made in an explosive 37-page letter last year that triggered the internal probe and drew the attention of federal prosecutors, who are still investigating.

The letter was written by an attorney for Richard Jacobs, a security analyst who worked at Uber from 2016 to 2017 and was about to be fired, Jacobs has acknowledged.

Jacobs' lawyer wrote that Uber's security apparatus was engaged in stealing trade secrets, spying on rival executives and wiretapping, among other questionable behavior.

Uber's internal probe of Jacobs' claims also uncovered something new, which was not mentioned in Jacobs' letter: an undisclosed 2016 data breach and a $100,000 payout to a hacker in Florida. This discovery led to Uber firing Sullivan and legal deputy Craig Clark for failing to have the company disclose the breach to customers and regulators.

Waymo seized on the claims made by Jacobs because they explicitly mentioned that Uber had stolen Waymo trade secrets, and Waymo was already suing Uber in a federal court for theft of trade secrets.

Sullivan in his testimony and the other executives in interviews with Reuters questioned Uber's decision to pay Jacobs a $7.5 million settlement and offer him a consulting contract in connection with his threats to expose Uber's alleged wrongdoing.

An Uber spokesman did not comment on the implication of Sullivan's testimony, but said that Uber had already substantiated some of Jacobs' claims, although nothing related to Waymo. He added that the company is "changing the way we do business, putting integrity at the core of everything we do." A spokeswoman for Waymo declined to comment.

Jacobs' attorney in the Waymo case, Martha Boersch, who did not write the 37-page letter, did not respond to requests for comment. Jacobs did not respond to a request for comment.

Attorneys for Waymo have said in court that over the nearly year-long case they have amassed a file of evidence against Uber and were ready to go to trial before the revelation of the Jacobs letter, which came days before the original trial date. On Friday, Waymo filed a court document that said it had corroborated some of Jacobs' claims about Uber's data-gathering efforts against rivals, but the specifics were redacted.

In interviews with Reuters, three current Uber executives repeated Sullivan's rejection of Jacobs' claims and said they were unaware of any of the lawbreaking allegations by Jacobs. They called false Jacobs' statements that the security unit had misused attorney-client privilege or encouraged the use of ephemeral messaging services in order to cover up improper behavior.

Uber received the letter from Jacobs in May 2017, but it was not publicly disclosed until November, when federal prosecutors shared the letter with the judge overseeing the Uber-Waymo lawsuit. The judge delayed the trial to allow Waymo attorneys to question Sullivan and other Uber employees about the letter.

In his own recent court appearance in the Waymo case, Jacobs stood by his claims that Uber's security team spied on and stole from competitors and tried to cover its tracks. But he admitted he was not aware of Uber stealing anything from Waymo, contradicting part of his letter. He attributed the contradiction to a miscommunication with the attorney who wrote it on his behalf.

Though the new accounts contest most of Jacobs’ claims, his letter played a major and previously undisclosed role in the bitter battle for control over Uber, according to the current and former top executives.

It landed in May as Kalanick and the board were clashing over his role at the company and directors were hearing the results of other investigations, including one into sex harassment.

Kalanick resigned under pressure the following month.

By then, a committee of directors had assumed oversight of the investigation into the Jacobs letter, led by law firm WilmerHale, which eventually uncovered an event that was not in the Jacobs letter: the 2016 data breach, the current and former executives said.

In interviews with Reuters, current and former members of Sullivan's security team provided details of the hack that were previously unreported, and they defended the payout Uber made to the Florida hacker.

In the emails among Uber security staff and a representative for the hacker, Uber treated the breach as a "bug bounty," something normally reserved for hackers who discover weaknesses in a system without extracting data.

Investigations chief Mat Henley established the hacker's identity and secretly obtained access to electronic records showing that the Uber data had been deleted, giving Sullivan and other members of the security team comfort that it had not reached any criminals, the security staffers said. With no data on the loose and no danger to customers, they felt Uber did not have to disclose the breach to regulators.

In addition, they said Sullivan was not responsible for Uber's decision about whether to disclose data breaches to regulators since this decision was made by the legal department.

Uber declined to discuss the details of responsibility for disclosure decisions. But it has made clear that the Florida breach should have been disclosed under various regulations and in fairness to users and drivers.

(Reporting by Joseph Menn and Heather Somerville; Editing by Jonathan Weber & Shri Navaratnam)