Ex-Lyft driver claims Uber's Hell project violated privacy laws
The complaint argues Uber's GPS tracking breached the Federal Wiretap Act
25/04/2017: Uber has been hit by another blow this week, as a former Lyft driver has filed a complaint against the company alleging it used bespoke software to spy on rivals' drivers, an action that would violate US state privacy laws.
The lawsuit claims that a secret internal program known as 'Hell' was used to track drivers and build a database of those employees that worked for both Uber and Lyft. This data would then be used to prioritise sending work to those employees who used both services, in an effort to tempt drivers away from using Lyft.
By using Hell spyware, "Uber employees, contractors, and/or agents were able to access the location of up to eight Lyft drivers at one time and obtain their unique Lyft ID. Each Lyft ID is unique, akin to a social security number, which allowed Uber to track Lyft drivers' locations over time", the filing to the US District Court for the Northern District of California reads.
"Uber was looking for overlap between the location data so that it could target drivers working for both platforms in order to improve the Uber platform and harm the Lyft platform," the complaint states.
Uber's Hell program was used "millions of times" between 2014 and 2016, according to the complaint. As a result, Lyft reportedly suffered from a lack of drivers, preventing the company from operating a cheap service, and leaving customers with inflated wait times.
The former Lyft employee argues that this represents "unlawful invasion of privacy and interception of electronic communications and images in violation of the Federal Wiretap Act".
The suit states that around 315,000 drivers were working for Lyft in 2016, 60% of whom had also worked for Uber. The remainder, about 126,000 drivers, worked exclusively for Lyft and could be considered an entire class of plaintiff, the filing argues.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
The Hell program, first surfaced by the Information on 12 April, was initially dismissed by Uber, which refuted claims it prioritised drivers. However, since then the company has been silent.
This is not the first time Uber has been accused of misusing tracking software. Uber allegedly violated data protection laws when it apparently used software known as "Heaven View" to track the positions of "high profile politicians, celebrities, and even personal acquaintances of Uber employees, including ex-boyfriends/girlfriends and ex-spouses", according to a lawsuit last year.
Meanwhile, Uber made use of a tool known as "Greyball", the New York Times revealed last month, to track law enforcement and officials trying to clamp down on Uber services. As the company was operating in cities such as Boston and Portland without state permission, the program allowed Uber to avoid sting operations trying to shut down its service.
The NYT this week reported that Apple threatened to kick Uber's app off iOS for violating Apple privacy rules by using tracking software to stop fraud in China.
IT Pro has approached both Uber and Lyft for comment, but did not receive a reply at the time of publication.
13/04/2017: Uber reportedly targeted Lyft drivers with "Hell" program
In an effort to remain at the top of the ride-hailing pyramid, Uber reportedly developed a program that exploited its major competitor, Lyft.
A report by The Information claimed the secretive software-based program, referred to as "Hell," kept tabs on Lyft drivers between 2014 and 2016, before Uber ended it sometime in 2016. The devilish name was allegedly given to contrast the previous "God View" and "Heaven" programs, which allowed Uber to internally track its own drivers and employees.
A small group of data scientists and top Uber executives, including CEO Travis Kalanick, initially developed Hell by creating fake rider accounts for Lyft, it's alleged. The location of these accounts were then edited, allowing those behind the program to see where Lyft vehicles were throughout an entire city.
The report suggests the employees were also able to determine which drivers were "double-apping," or driving for both Lyft and Uber. Uber supposedly obtained this information upon realising that Lyft drivers had unchanging, special numbered IDs. These IDs allowed the group to continuously monitor pinpointed Lyft drivers.
The ride-hailing giant then reportedly offered incentives to these drivers, such as bonuses for reaching a target amount of rides, in the hope of getting them to ditch Lyft and drive solely for Uber.
Kalanick and his secretive group also allegedly sent more riders to double-apping drivers than to drivers who worked exclusively for Uber.
IT Pro has contacted both Uber and Lyft for comment, but hadn't received a response at the time of publication.
A Lyft spokesperson did, however, provide The Information with a statement (via TechCrunch), saying: "We are in a competitive industry. However, if true, these allegations are very concerning."
Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.