Offbeat

Legal

Uber's London licence appeal off to flying start: No, you cannot do driver eye tests via video link

Amid Greyball and hack cover-up, app biz isn't endearing itself


Updated A contrite Uber told Westminster Magistrates' Court today that it "fully accepts" last year's decision by Transport for London (TfL) to revoke its taxi operating licence as "justified".

TfL, the UK capital's transport regulator, wants the ban upheld, in part because of fears that spy-on-regulators tech Greyball was used in London.

TfL yanked Uber's licence to operate its ride-hailing app last year because it was not satisfied that the firm was, legally, a "fit and proper person" to run private hire cabs in London.

A taxi firm whose licence has been revoked by TfL can continue to operate until the outcome of any appeal.

TfL opposes Uber's appeal. Its barrister, Martin Chamberlain, told the court in his written submissions that it should take Uber's "historic conduct into account, when determining whether it is now a fit and proper person to hold a PHV operator's licence".

Barristers Tom de le Mare QC and Ranjit Bhose QC will tell the court on behalf of Uber that the taxi-app-cum-operator welcomes "the opportunity to continue to demonstrate its fitness and propriety, and is committed to trying to do that every day".

No, you cannot carry out eye tests by video link

Uber's written submissions included the staggering admission that its drivers were taking eye tests over a video-call-your-doctor service called Push Doctor. It said: "[Tom] Elvidge [head of Uber UK and Ireland] accepts that, with hindsight, the eye tests offered by the Push Doctor service may not have been adequate." TfL insisted to the company that these medical checks "could only be conducted in person".

Uber's full admission from its own court filings that its drivers used to take eye tests by video link. The practice has now been halted after TfL intervened/p>

TfL alleged that Elvidge "does not accept that it was clear and obvious that the proposed [video medical exam] solution was unsatisfactory".

Hacker badness

Helen Chapman, TfL's director of taxi licensing, made a number of witness statements in which she referenced the 2016 Uber hack, urging the court not to renew Uber's licence on the grounds that the company's corporate culture was too toxic for it to operate back then and that Uber's recent changes to detoxify itself have yet to bed in fully.

People within Uber tried to cover up the 2016 hack, which only came to light the following year. They even bunged the 20-year-old US hacker $100,000 to delete the data and keep stumm, which got them fired when new chief exec Dara Khosrowshahi found out what happened.

"Even after it became aware of that breach," said TfL's submissions, "[Uber] struggled to obtain the information it required from the other companies in the Uber group. Mr Elvidge candidly admits that this incident was a major driver in leading ULL [Uber London Ltd] to conclude that it needed to redefine its relationship with the other companies in the Uber Group."

Spying on spies, or blocking public safety checks?

Greyball is Uber's spy-on-regulators system. When Uber suspected that regulators were snooping around its drivers, their accounts were tagged by company employees so its systems did not display any nearby cars – preventing regulators from carrying out secret shopper-style checks on the taxi app's behaviour. When the existence of Greyball came to light, TfL reacted with alarm, asking Uber whether it had ever used the tech in the UK.

The company said in its written submissions: "Uber modified its systems to require employees seeking to apply such tags to obtain pre-approval by a manager and legal clearance. Violation of the policy would lead to disciplinary sanction."

TfL, in contrast, alleges that Uber manager Jo Bertram "approved the use of Greyball" for dodging regulatory checks, or what the transport regulator claimed Uber tried to depict as "over aggressive law enforcement". Bertram had left the company by September last year.

In addition, Uber later claimed that it has deactivated Greyball altogether. The firm characterised Greyball to The Register as a tool for "employee testing of new products" and repeated that it has not been "misused for the purpose of evading regulators", while avoiding our simple question as to whether the software had been used in the UK or not.

A "third-party systems expert" was later appointed by TfL, with Uber's consent, to investigate how the app platform operated and confirm that spot checks carried out by people posing as customers wouldn't be obstructed.

That's perfectly fair, thank you very much

Uber accepted that its previous allegations that taxi trade unions and established taxi firms had egged on TfL to shut down their competitor were "unfair". Uber also said that it "would never knowingly compromise public safety". Part of its newfound corporate social responsibility includes the use of "real-time identification checks for drivers using facial recognition technology in order to address any risk of account sharing or impersonation".

607 Uber drivers have been dismissed, according to TfL's legal filings, with 221 immediately suspended from working "on public safety grounds".

The London Taxi Drivers' Association (LTDA), a trade union for black cab drivers, has itself urged the court to rule that Uber drivers operating outside London are doing so illegally.

The case is scheduled to continue until Wednesday 27 June. Uber seeks restoration of its licence for 18 months so its corporate changes can become "fully embedded and [be] put to the test". ®

Updated to add on June 26

The court has ruled: Uber has been granted a 15-month probationary license, and must foot TfL's legal bills.

Send us news
59 Comments

Break out your emergency change process and patch this ransomware-friendly bug ASAP, says VMware

File upload vuln lets miscreants hijack vCenter Server

VMware has disclosed a critical bug in its flagship vSphere and vCenter products and urged users to drop everything and patch it. The virtualization giant also offered a workaround.

The bug is one of 19 disclosed today by VMware. The worst of the bunch is CVE-2021-22005, described as "an arbitrary file upload vulnerability in the Analytics service" that's part of vCenter Server. The flaw is rated 9.8/10 in severity using the Common Vulnerability Scoring System.

"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file," states VMware's advisory.

Continue reading

Database containing personal info on 106m people who traveled to Thailand found open to the internet – report

Misconfigured Elasticsearch server blamed

A database containing personal information on 106 million international travelers to Thailand was exposed to the public internet this year, a Brit biz claimed this week.

Bob Diachenko, head of cybersecurity research at product-comparison website Comparitech, said the Elasticsearch data store contained visitors' full names, passport numbers, arrival dates, visa types, residency status, and more. It was indexed by search engine Censys on August 20, and spotted by Diachenko two days later. There were no credentials in the database, which is said to have held records dating back a decade.

“There are many people who would prefer their travel history and residency status not be publicized, so for them there are obvious privacy issues,” wrote Comparitech editor Paul Bischoff on the company’s blog.

Continue reading

Now America's financial watchdog probes 'frat house' Activision Blizzard

Plus: Chief Legal Officer exits as court battles loom

The SEC has launched an investigation into Activision Blizzard, and has subpoenaed several current and former employees, including CEO Bobby Kotick, the California games giant confirmed on Tuesday.

Activision has been hit with separate lawsuits from its home state’s Department of Fair Employment and Housing, and the federal government’s National Labor Relations Board. That first one, filed in July, accused the company of fostering a "frat boy" culture that led to lower pay for female employees, sex and race discrimination, and sexual harassment.

Staff publicly spoke out against the Activision on social media and urged executives to enforce new policies, such as being transparent about salaries. They claim in the second lawsuit that they were intimidated by bosses, and attempts at forming a union were thwarted.

Continue reading

Suex to be you: Feds sanction cryptocurrency exchange for handling payments from 8+ ransomware variants

Russia-based biz targeted in Uncle Sam's crack down on cyber-extortion

The US Treasury on Tuesday sanctioned virtual cryptocurrency exchange Suex OTC for handling financial transactions for ransomware operators, an intervention that's part of a broad US government effort to disrupt online extortion and related cyber-crime.

Suex is registered in the Czech Republic but operates out of offices in Russia. According to the US Treasury, more than 40 per cent of the firm's known transaction history involves illicit entities, and that it handled payments from at least eight ransomware variants.

Crypto-coin forensics outfit Chainalysis claims Suex has received more than $160m in Bitcoin since 2018 from ransomware and other illicit operations. As such, the Treasure Department has determined that the firm provides material support to cybercriminals and has added Suex to its Office of Foreign Assets Control (OFAC) designated entities list.

Continue reading

SEC takes legal action after crowdfunded marijuana investment scheme appears to go up in smoke

Platform and individuals charged in first case of its kind

US financial watchdogs have launched legal action against a cannabis-related investment scheme said to be the first case involving crowdfunding regulation.

The Securities and Exchange Commission (SEC) filed a complaint against three people – named as Robert Shumake Jr, Willard Jackson, and Nicole Birch – and Texan firm 420 Real Estate in the Eastern District court in Michigan, claiming the trio had been involved in selling nearly $2m in unregistered securities through two crowdfunding schemes.

The SEC also charged the registered funding portal that hosted the offerings – TruCrowd – and its CEO Vicent Petrescu (name spelt as listed), with violating Section 4A(a)(5) of the Securities Act and violating crowdfunding rules, alleging they "served as gatekeepers and, as such, were responsible for taking measures to reduce the risk of fraud."

Continue reading

Canonical gives administrators the chance to drag their feet a bit more on Ubuntu upgrades

Two more years! Two more years!

There was good news today for administrators looking nervously at their aging Ubuntu boxes. A few more years of support is now on offer as Canonical brings 14.04 and 16.04 LTS into the 10-year fold.

Users still running on 14.04 LTS (Trusty Tahr), released back in April 2014, now have until April 2024 (up from 2022) to make the move to something more recent. 16.04 LTS (Xenial Xerus), which dropped into Extended Security Maintenance (ESM) in April this year, has had this extended from April 2024 to April 2026.

Ubuntu has been quietly updating its support and blog posts to reflect the change.

Continue reading

US Congress ponders setting up permanent UFO investigation office

Nothing to do with little green men, mind, unless they can be defined as state or non-state actors

Two intelligence funding appropriation bills currently awaiting approval from the US Congress contain within them sections for the creation of a new office to investigate UFO sightings.

Interest in UFOs – known as UAPs or Unidentified Aerial Phenomena in current US defence parlance – has increased over recent months following the preliminary release of an official US government report on UAP incidents in June this year [PDF].

The report was compiled by a Pentagon-mandated body known as the UAP Task Force after a number of videos featuring US Navy pilots intercepting unidentified objects were leaked in 2017, followed by a New York Times article in December of that year which revealed that the US Department of Defense's secret Advanced Aerospace Threat Identification Program to investigate UAPs was still running, despite the Pentagon claiming it had been shut down in 2012.

Continue reading

Open Source Jobs Report: Explosive cloud growth knocks Linux off top spot for desired skillsets

455% hike in demand for Kubernetes qualifications causes a stir

The Linux Foundation and edX's latest annual Open Source Jobs Report highlights an explosion of interest in cloud technologies that has bumped Linux off the skillset top spot for the first time.

"Much of the world is rebounding from the economically crippling lockdowns of COVID-19, and hiring people with the right skills is proving to be a challenge," Clyde Seepersad, senior veep and general manager for training and certification at the Linux Foundation, claimed in the report's introduction.

Continue reading

JEDI contract might be no more, but case should live on, says Oracle: DoD only wants Amazon, Microsoft for new cloud deal

Just when you thought it was safe to get out of the courtroom

Oracle has asked the US Supreme court not to dismiss its case over the $10bn Joint Enterprise Defense Infrastructure (JEDI) contract, despite the US Department of Defense officially axing the $10bn procurement deal.

"Cases do not become moot simply because a defendant issues a press release claiming to have ceased its misconduct," thundered Oracle in a supplemental brief [PDF] in its action against the DoD, Oracle America, Inc. vs United States, et al, filed last week.

"The government asserts that the Department of Defense mooted this case by cancelling JEDI, the procurement contract that Oracle has challenged," complained Big Red.

Continue reading

Fivetran snags $565m funding round as Snowflake attempts to eat its lunch with in-house data integration tools

Also buys data replication company HVR for $700m

Automated data integration outfit Fivetran has confirmed a $565m funding round – valuing the company at $5.6bn, roughly the GDP of Montenegro.

Meanwhile, the 2013-founded company has used some of its startup capital and bought data replication firm HVR, which employs log-based change data capture (CDC) technology, in a cash-and-stock deal worth around $700m.

The investment arm of web pioneer Marc Andreessen (a16z) led the Fivetran funding round, which also included General Catalyst, CEAS Investments, and Matrix Partners, and takes the total startup capital to $730m to date.

Continue reading

UK's Surveillance Commissioner warns of 'ethically fraught' facial recognition tech concerns

How about being an anonymous face in a crowd? Is that not allowed anymore?

Facial recognition technology (FRT) may need to be regulated in much the same way as some ethically sensitive medical techniques to ensure there are sufficient safeguards in place to protect people's privacy and freedoms.

That’s according to Professor Fraser Sampson, the UK Government’s Surveillance Camera Commissioner (SCC), who works with the Home Office overseeing tech-related surveillance in the UK.

Continue reading