The Uber Tapes: can a data breach be ethical?

Ethical or catastrophic - where are the lines drawn on data breaches like the Uber Tapes?
14 July 2022

124,000 records. 83,000 emails and 1,000 other files involving conversations, spanning four years, from 2013 to 2017.

There’s no doubt that that amounts to a significant data breach.

But when the leaked data shows a concerted attempt by a company to get unfairly preferential treatment from government ministers (and even government leaders), and undermine a thriving pre-existing business ecosystem, it raises the question: is there such a thing as an ethical data breach?

That’s the central question posed by what are being dubbed The Uber Tapes.

The Persuasion Budget

The tapes show a corporate career of intensive lobbying by the Uber taxi company, amounting to $90m of spending per year, to persuade, cajole, pressure, and even, arguably, corrupt politicians to allow Uber concessions, promotion, and even, it’s argued, exemption from regulations that would have potentially crippled its business model.

Uber’s boss during the time covered by the data breach was Travis Kalanick, who was on first-name terms with then-Monsieur and now President Emmanuel Macron of France while French taxi drivers rioted against the interloping company. Monsieur Macron told Kalanick he would reform France’s laws so they favored Uber’s interests.

Former EU Digital Commissioner Neelie Kroes, at the time a leading official in Brussels, held talks to join Uber before her term as commissioner ended. She went on to lobby for Uber, in what is being called a potential breach of EU ethics rules.

And in the UK, then-Chancellor of the Exchequer, George Osborne, current Home Secretary, Priti Patel, and recent contender for the Premiership, Sajid Javid, all took meetings with Uber, while the company’s ultimate target is revealed as being the man who was then Mayor of London – Boris Johnson. Johnson was recently ousted from his position as Prime Minister by his own party, many members of which found they could no longer serve “with integrity” in a government led by him.

An Obvious Target

Johnson was an obvious target, since as Mayor, he had significant influence on the rules that applied to taxi companies in Britain’s capital city. At the time, there were proposals due to come into place that would have seriously curtailed Uber’s operations in London.

Correlation should never be mistaken for causation, but the proposals were dropped, allegedly due to pressure from Cabinet Ministers on Johnson. The Uber Tapes themselves reveal that George Osborne regarded himself as “responsible” for the Uber-positive outcome.

And while these were isolated incidents within the scope of the $90-million-per-year influencing and marketing strategy, it’s worth recording that Uber at the time was aware of its deeply negative reputation. It was fighting several court cases around the world, mired in allegations of sexual harassment, and seeking to brush off its own data breach issues.

And insiders at Uber knew this was going on. In fact, even the company’s shareholders knew – so much so that they forced Travis Kalanick out of his position in 2017, and forced his replacement by Dara Khosrowshahi, who was put in place with the specific agenda of cleaning up both Uber’s image and its act.

“The drivers were being very badly let down.” Mark MacGann, Uber whistleblower.

Good Data Breaches?

The issue for the tech industry in all of this, of course, is not that Uber was a terrible company, run in an aggressive way, that sought through a large persuasion budget to get advantages from politicians. If anyone in the western world had enough of a problem with that principle for it to matter, the whole of the lobbying community would cease to exist overnight.

The issue for the tech industry is whether some data breaches are actually for the public good (rather than just the public interest). Where are the lines on data breaches when it comes to, for instance, work emails that were written with one intention, but are publicly shared by a third party, without the consent of their original author, for another purpose entirely – such as to alert the public to unpleasant, dangerous, corrupt, or illegal business practices?

Are there ever any “good” data breaches, if they alert the public to duplicity, seeking of unfair influence, etc.?

Just Say No?

This is an issue that has plagued not just the tech industry but the world for more than a decade, and has never really been properly addressed. In the same way that the “war on drugs” amounted to some extent to the idea “Just Say No,” there has been a blanket condemnation of data breaches because they are… well… breaches, and breaches by their very nature should not happen if the systems that underpin the way we live in the 21st century are to appear robust.

But breaches continue to happen, some for the good and information of the public, some, arguably, for their ruination. The use of the idea of potential data breaches to sway elections, for instance, as experienced by former Secretary of State, Hillary Clinton, could be seen as the weaponization of data breaches for political gain. Even the idea that she might have been responsible for data breaches by using a personal email server cost her dearly in her Presidential campaign, with some commentators contending that it lost the race for her entirely.

“Although we did not find clear evidence that Secretary Clinton or her colleagues intended to violate laws governing the handling of classified information, there is evidence that they were extremely careless in their handling of very sensitive, highly classified information.” James Comey, Director, FBI, investigating Presidential Candidate Hillary Clinton’s use of emails.

The leak of the Panama Papers (some 11.5 million leaked documents, amounting to 2.6 terabytes of data), on the other hand, which included attorney-client privileged communications from Panamanian law firm Mossack Fonseca to over 214,000 corporate clients, revealed intensely embarrassing details of how those clients (and individuals in them) conducted their business. The leaker in that case, still known only as John Doe because he/she believes their life is in danger, claimed their motivation was down to income inequality: they leaked the documents “simply because I understood enough about their contents to realize the scale of the injustices they described.”

Legitimate whistleblowing or massive data breach driven by ideology?

WikiLeaks

That’s a question that’s been at the center of the WikiLeaks/Julian Assange case, too.

Assange founded WikiLeaks as an “embassy for the world’s most persecuted documents.” Stripped of its tone of manifest destiny, that means it took secrets – any secrets of sufficient importance – and published them in the full light of public scrutiny.

Assange fell foul of the law when he published classified US military documents, particularly relating to the wars in Iraq and Afghanistan. When one man, or one entity, can act as an exposure agent for whole nation states and the way they and their military behave, how are we to judge them? Righteous tellers of unpalatable truths, potentially protected by the Whistleblowers Act of 1989 in the US? Or dangerous forces, able to destabilize military campaigns, political campaigns, business empires, and more, on a whim?

The same question comes up time and again, from Assange, through the Panama Papers, through Clinton’s emails, to Uber. Is there such a thing as an ethical data breach, and what does it look like if there is?

“An embassy for the world’s most persecuted documents.” Julian Assange, Wikileaks.

The Predatory Sparrow

Ethical data breaches have tech industry implications, because there’s some evidence that hackers have started moving into real-world terrorism, with the actions of a group called Predatory Sparrow. It’s been identified as the body behind activities ranging from a massive data breach to starting fires in the real world.

The attacks were targeted at Iranian steel makers, but were allegedly in response to unspecified acts of aggression by the Islamic Republic.

In a video explaining its actions, the group said “These companies are subject to international sanctions and continue their operations despite the restrictions. These cyber-attacks are being carried out carefully to protect innocent individuals.”

Good data breach? Bad data breach? Ethical data breach?

What Price Data Security?

Whether there’s a justifiable notion of an acceptable data breach will largely depend on whether you agree with the point of view of each individual leaker – whether you believe they serve some greater good, or are merely salving their own consciences.

And a second point – a vital point for the tech industry – is that they keep on happening. The tech industry is in a permanent state of war with people who want to leak confidential data (for “good,” for “ill,” or merely for a fat bag of cash) – and it keeps on suffering devastating (or impressive) losses in the fight. The challenge for the industry is to figure out how to make it much, much harder for large-scale data breaches to occur in the first place.

And then to work out every computation of who the good guys are, and make sure only they have access to watertight data security.

Of course, to do that, you need to figure out a consistent definition of what a good data breach might look like. Wikileaks? Panama? Uber? The jury has been out a long time – it needs to deliver a verdict before any kind of data war can be won.

“These cyber-attacks are being carried out carefully to protect innocent individuals.” Predatory Sparrow, Iranian steel leakers.