
Uber’s security practices come under fire (again) after new evidence comes to light in the Alphabet lawsuit

A former Uber employee claims some of the company’s security officers worked to actively avoid creating a “paper trail.”

Uber sign outside its office building. Photo: Smith Collection / Gado / Getty Images

Just days after admitting that it suppressed information about a data hack in 2016 — inviting new federal and statewide questions — Uber’s security practices have come under fire yet again. This time, it’s at the hands of a former global intelligence employee named Richard Jacobs.

After Jacobs was terminated from Uber, his attorney wrote a 30-page letter detailing allegations about some of the ride-hail company’s information security practices. That letter has now been submitted as evidence in Alphabet’s trade-secret misappropriation lawsuit against Uber.

The letter, if true, could serve to handicap Uber as it prepares to face off against Alphabet in front of a jury. Already, Alphabet has requested that a judge notify the pending jury that Uber has destroyed documents and evidence that could have been relevant to the lawsuit.

The letter, which is still under seal, adds fuel to that claim. For one, Uber did not turn it over until late last week when a California U.S. attorney notified the presiding judge in the case, William Alsup, that it existed.

Moreover, in the letter, Jacobs’s attorney alleges that Uber’s now-former chief security officer Joe Sullivan and other security officers, including Craig Clark and Matt Henley, actively advocated using ephemeral or disappearing messaging services — like Wickr — to avoid creating a paper trail that could serve to hurt the company in the case of a lawsuit.

Jacobs further claimed that these and other staffers advocated using non-attributable devices that couldn’t be tied back to Uber.

The unit they operated within was called Marketplace Analytics, and was created to obtain competitive intelligence, Jacobs testified in court on Tuesday.

Uber has yet to comment on these allegations.

Sullivan and Clark, however, were terminated last week for the way they handled the 2016 data breach. According to newly minted CEO Dara Khosrowshahi, Sullivan’s team paid the two individuals who hacked the company $100,000 to delete the data, and did not notify the users affected.

Now Uber may face even more trouble, as a number of new documents will be open to discovery. In response to these claims, Alsup has ordered Uber to produce all documents related to ephemeral messaging services dating back to December 2015.

The allegations in the letter further hit at Uber’s core argument against Alphabet’s claims of trade-secret misappropriations: None of the trade secrets ever touched Uber’s servers. If the letter is accurate, Alsup said, it may be the case that Alphabet’s proprietary information existed in this parallel “shadow system” the company had in place.

The case from Alphabet’s self-driving arm, Waymo, rests heavily on evidence the company found that its former employee Anthony Levandowski downloaded 14,000 files of proprietary information just days before starting a new company that he eventually sold to Uber.

Levandowski has since been fired from the company, and Uber says none of those files ever made it to its servers.

It’s important to remember Jacobs’s allegations are just that. In fact, during his testimony, Jacobs walked back some of the claims in the letter, and said that he came to a settlement with Uber after his attorney originally sent that letter to the company’s deputy general counsel, Angela Padilla.

Uber agreed to settle with him for $4.5 million, some of which is being paid out to Jacobs as a consulting fee. According to his testimony, Jacobs is advising the company on an internal investigation.

This development is just the latest in a series of legal issues the company is navigating. Uber is currently facing separate federal probes from the U.S. Department of Justice and other agencies into some of its privacy and security practices.

This article originally appeared on
