by Isaac, Mike
Some scammers created giant makeshift circuit boards filled with hundreds of slots to insert SIM cards, the small microchips that allow mobile phones to communicate with a cellular network. Each SIM card in the circuit board acted as a new number that could automatically respond to a verification text for a newly created account, which the scammers then used to rack up more fake rides and bonuses. After the SIMs had been used, a scam artist replaced all the SIMs on the board with a fresh set of numbers and started the process all over again. Have hundreds or even thousands of “drivers” repeat that dozens of times per day, seven days a week, and it amounted to serious Uber losses.
Pham’s anti-fraud team was good. But there was only so much they could do; even as Uber saw success in cities like New York and San Francisco, Kalanick kept throwing more into the money pit that was China. All Pham and his engineers could do was try to stanch the bleeding.
Fraudsters weren’t the only problems with China. When it came to business, Uber shared something in common with the Chinese; they were both willing to play dirty. Ethics went out the window in China as DiDi and Uber fought for advantage.
DiDi’s city managers would pay local taxi operators to protest Uber’s peer-to-peer car services. They’d send fake texts to Uber’s drivers, claiming that Uber had shut down in China and that drivers should switch over to driving for DiDi. One of DiDi’s preferred tactics was to send new recruits over to Uber to join as engineers. As soon as they were hired they acted as moles, feeding proprietary Uber information back to DiDi and carrying out corporate sabotage on some of Uber’s internal systems.
While DiDi was busy infiltrating Uber’s ranks, the Chinese startup also received help from some of its largest, most powerful allies. Just as Google backed Uber in the United States, Tencent, one of the three largest technology companies in China, was one of DiDi’s biggest investors.
Tencent would occasionally block Uber’s account from WeChat, China’s most popular social network and messaging app, a serious blow to the Western company. WeChat is the Facebook of China. Blocking Uber on WeChat meant Tencent had scrubbed the company from the most important Chinese social media environment. Worse, being blocked cut Uber off from WeChat’s “wallet,” a feature that allows people to buy goods and services without cash or a credit card.
At first, Uber hadn’t understood how popular mobile wallets were in China. They launched only accepting credit cards, a form of payment that the Chinese just didn’t use; it took time for Uber to begin to accept mobile payments from WeChat and Alipay—some would say too much time. They eventually fought their way into various Chinese mobile wallets, only to be intermittently blocked from the biggest one by Tencent.
Some of Uber’s China problems were self-inflicted. For one, Uber still relied on Google Maps to guide drivers from pickup to drop-off. That proved to be a terrible choice; while Google has mapped much of the developed world with unmatched precision, China remains one of Google’s blind spots. Uber’s Google-powered navigation software often confused drivers with awful directions, and irritated riders who were frustrated when their driver took a slower route.
Uber had serious issues beyond China as well. All across Asia Kalanick was fighting taxi operators, governments, and well-funded competitors like Ola in India and Grab in Southeast Asia, two cutthroat ride-hailing startups that were willing to play just as dirty as DiDi.
Kalanick sent a twenty-four-year-old employee—Akshay BD—to be a front-line community manager in Bangalore. BD was scrappy, chasing cab drivers down the street to get them to sign up for driving for Uber. He had the hustle Kalanick wanted in an Uber general manager, especially one trying to drum up demand in one of the world’s largest markets.
But BD wasn’t prepared for what Ola and taxi companies would do to push back. In Mumbai, local taxi operators muscled up at Uber’s offices and tried to intimidate employees. Violence was not uncommon; in Bangalore, whenever BD took a ride home from work, he refused to let Uber drivers take him directly to his house; he knew competitors might follow him. In Hyderabad, one Uber driver committed suicide after he wasn’t able to make his car loan payments on time. An angry mob of drivers—some who drove for Uber, others employed by taxi organizations all too happy to stoke anger—showed up outside of Uber’s offices in early 2017 with the dead body of the thirty-four-year-old driver, M Kondaiah, dumping the corpse on the company’s front doorstep. If Uber’s wages for drivers in India weren’t so low, the group claimed, Kondaiah would still be alive today.
Security incidents usually increased around planned price cuts. From Uber headquarters in San Francisco, Kalanick would occasionally cut the fares for Uber rides in dozens of markets at a time. The effect rippled outward from the Bay Area to the rest of the world, affecting the livelihoods of millions of drivers in an instant. Kalanick did it to spur rider growth; it sometimes incited violence.
One incident involved an Indian man who arrived at an Uber outpost in hysterics, upset that Uber had yet again slashed prices. The man took out a canister, doused his body in gasoline and then brandished a lighter, threatening to set himself ablaze unless Uber raised its rates again. Security guards tackled the man, wrestled him to the ground, and stripped the lighter from his hands. This was not the only occurrence; a rash of suicides by self-immolation would soon follow.
One of the worst driver-related incidents in India occurred in December of 2014. A twenty-six-year-old finance worker had called an Uber after a work dinner to take her to her home in Gurgaon, a city outside of New Delhi. Shortly after her Uber arrived she dozed off in the back of the car. That was when her driver, Shiv Kumar Yadav, noticed she was asleep and diverted from the intended route.
Yadav switched off his cell phone, making the two untraceable to police or Uber headquarters. He found a secluded area, parked the car, climbed in the back seat and raped the young woman. Afterward, Yadav bullied her to stay silent; he said he would murder her if she told the police. Yadav drove her home. The woman called the police at 1:25 a.m. on Saturday. She had snapped a photo of Yadav’s license plate as he drove away from her apartment. The police arrested him the following day.
The story went viral almost immediately. The public—both in India as well as abroad—immediately blamed the incident on the lax security at Uber. Occurring just weeks after Kalanick’s public blow up with the journalist Sarah Lacy and the botched “charm offensive,” the rape accusation fueled the idea that Uber was misogynistic, a company that didn’t care about women, and offered a service that wasn’t safe. American press skewered Uber for the incident, which reinforced every negative stereotype that people held about Uber.
The Indian response was much more severe. Indian officials, sensing public outrage, immediately shut down all ride-hailing services in New Delhi, pending an investigation. General managers in Indian cities like Bangalore shuttered their headquarters and moved into hotels, an attempt to escape nonstop protests and threats at work. For six weeks, Uber employees in India even brought their parents and families into hotels with them; taxi officials were beating up Uber employees in the street.
Southeast Asia was another debacle. Grab, the predominant ride-hailing company in the region, was a tenacious competitor. Uber would spend nearly $1 billion fighting Grab. The result was an astonishing loss of nearly 50 percent of their market. After just four years, Uber held just 25 percent of the Southeast Asian market. Years later, Uber would have to sell off its Southeast Asia business for a 27.5 percent stake in Grab.†††††
All of this—the losses, the corporate subterfuge, the nonstop bare-knuckle street fighting, the literal violence—had an effect on Kalanick’s psyche. Kalanick was already a tense, competitive person. But China and Southeast Asia only served to grow his persecution complex. He began to feel that he was always being sabotaged or that friends or employees were trying to deceive him and harm the company. After the war for China, Kalanick’s cynicism would spread to other
parts of the business; it would never subside.
Those watching Uber back in the United States noted the trouble overseas, but most observers saw the company doing no wrong. Kalanick was living large.
With a blank checkbook at his disposal and no investors or board members to hold him accountable, Kalanick began to build a series of Uber offices that symbolized Uber’s success.
In Pittsburgh, where Uber was focused on engineering self-driving cars, Kalanick hired architects and industrial designers to build a futuristic-looking office from the ground up. The office was a model in extravagance, home to a few hundred employees. The firm placed two dozen different types of chairs, scattered across the building’s enormous office, for no other reason than they understood Kalanick loved different types of chairs. The office, when all was said and done, cost upwards of $40 million to create, or roughly $200,000 for each of the two hundred or so employees who worked in the satellite operation. Uber Santa Monica was home to a lavish beachfront property, also costing tens of millions of dollars.
But the crown jewel was San Francisco. After outgrowing a handful of other offices, Kalanick leased several floors at 1455 Market Street—a bunker-like space in the middle of downtown—and soon rebuilt in high Uber style. Holes were knocked between two of the concrete floors to build a transparent glass staircase connecting the two levels. The multi-million-dollar staircase led to his favorite of the many Uber spaces, this one designed to reflect Kalanick’s taste. He dubbed the aesthetic “Blade Runner meets Paris,” a slew of black granite and see-through glass conference rooms, to be inhabited round the clock by engineers hunched over their silver MacBooks.
Managers spent hours strategizing in the most clandestine place in the building: the “War Room.” Custom designed with boutique architects and furniture designers, the War Room was a large conference room placed dead center of Uber’s primary office floor, a box encased in glass held for important strategy meetings. Digital clocks on the wall displayed the hour in San Francisco, New York, London, Dubai, Singapore—all on twenty-four-hour time—as if company leaders were in the White House Situation Room.
If the occasion was secretive enough, one could flip a switch that changed all of the glass to a frosted, translucent look, a way to hide company secrets from outsiders—or from other parts of the organization.
Kalanick’s new offices grew more and more opulent over time. But Kalanick never worried about money, as he could always raise more.
Chapter 15 notes
††††† Mike Brown would later be pushed out of the company. His exit package included tens of millions of dollars in stock.
Chapter 16
THE APPLE PROBLEM
As Uber bled cash by the bucketful in China, Kalanick was breathing down his engineers’ necks to solve the problem. It was a recurring theme at Uber: something went wrong, the boss wanted it taken care of, and he didn’t much care how you got it done. Just get it done.
When Kalanick’s CTO, Thuan Pham, began to spin up an anti-fraud strike team, he was given tremendous latitude. Uber fraud engineers would have to be thoughtful, fast on their feet, and ready to improvise. Kalanick said he would protect the team from internal politics, and pledged to give its members whatever funds or support they needed.
One of the recruits was Quentin,‡‡‡‡‡ a sharp, thirty-year-old product manager who had won awards as a grad student at MIT and after college worked on search products at Google. Colleagues described Quentin as clever, kind to his co-workers, soft-spoken—diametrically opposite the alpha male “Uber bro” employee archetype. Quentin would not be doing keg stands with Uber’s operations managers out in the field.
One of Quentin’s defining qualities, co-workers said, was his nervous energy, and the caution with which he approached the world and interacted with others. Even his body language, they said, was defensive; in conversations he kept his body slightly turned away. And he gave long, hard looks at people, as if he was sizing them up. An apt personality, they believed, for a job assessing risk and security.
At the beginning of 2014, Uber employed around 500 people. By October of that year, Uber had more than tripled in size, and was adding new employees by the day. Under Quentin, Uber’s risk, account security, fraud and abuse prevention teams grew to more than 150 people. Everyone worked hard at Uber, but Quentin’s team worked harder than most. He and a few close colleagues helped to orchestrate some of the drug busts in New York, limited widespread fraud in China, and helped repair other areas in which Uber was bleeding money and facing liabilities. He was valuable.
When he started in March 2014, Quentin’s team faced a very specific headache. Two years earlier, Apple released a version of its iOS mobile software that killed outside access to the unique identification number of every iPhone, the so-called IMEI number, or “international mobile equipment identity” number.
The update was a hallmark of Tim Cook’s Apple. Unlike its rivals Google, Facebook, and Amazon, Apple’s business didn’t rely on hoovering up personal data from its customers. Facebook and Google were advertising companies, and as such relied on discovering every digital detail of its customers’ lives in order to target them with ads. Uber’s method of identifying fraudsters made use of digital surveillance techniques common to Silicon Valley’s largest companies.
That practice ran against some of Apple’s long-espoused principles, specifically an individual’s right to privacy. Steve Jobs had valued consumer privacy, but his successor, Tim Cook, was a fanatic. He believed Apple’s users should have complete control of their private digital lives. And if an Apple customer decided to wipe their iPhone clean of data, no one else—individuals, family members, companies, law enforcement—should be able to find a trace of that data on the device afterwards. Wiping an iPhone was final; the data was gone.
The unanticipated iOS software update was very bad news for Uber. Chinese fraudsters loved to use stolen iPhones to create fake accounts and sign up for the service. If Uber’s security team discovered one of the accounts was fake and blocked it, all a fraudster had to do was erase the iPhone of its data and create another new account, which took only a few minutes and was endlessly repeatable. To counter the tactic, Uber had spent months building a database of IMEI numbers, which helped the company keep track of which iPhones had already been used to create new Uber accounts. Before the 2012 iOS update, if Uber saw someone using the same devices to create new accounts over and over again, they knew they had found a scam artist and could quickly ban them from the network. After 2012, however, Uber lost access to the serial numbers and went back to square one.
But then, in 2014, Quentin’s team found a way around it. After Apple’s iOS software release, about a half dozen companies sprang up overnight that claimed they could detect the sacred IMEI. Quentin tested a few of them before landing on InAuth, Inc., a small firm based in Boston. With just a smattering of code inside Uber’s mobile app, InAuth could track down the device identification number of the iPhone used to install the app, a technique known as “fingerprinting” in the security and fraud industry. Once a phone was “fingerprinted,” it was much easier for Uber to tell if it was being used for fraud. Just a few months after starting at Uber, Quentin signed a contract with InAuth.
It worked perfectly. Before Uber had started using InAuth, fraud in China and other major cities cost Uber tens of millions of dollars every week—and occasionally even more than that. After Uber built a new version of its app with the InAuth code installed, Quentin watched the fraud numbers fall off a cliff. When a scammer tried to create a new account on a device Uber had fingerprinted, Uber’s anti-fraud systems would kick in and the account would be banned automatically. Finally, after years of being ripped off, Uber had found a way to fight back.
There was one problem: InAuth’s service blatantly violated Apple’s rules regarding user privacy. So everything between Uber and InAuth had to be kept secret. if Apple fo
und out, both Uber and InAuth could be in serious trouble, and could even get Uber’s app banned from the iPhone.
At some point in his or her career, every mobile software engineer in Silicon Valley has come up against the vague, byzantine rules of the App Store. Each year, Apple would update its mobile software. A simple tweak in Apple’s software practices could make or break an entire startup business plan. To build mobile software, especially for Apple, was to be in a state of constant anxiety and frustration. When developers submitted new apps to the App Store they would wait for a response like pilgrims at the Oracle of Delphi. Sometimes Apple would answer helpfully. Other times Apple would say nothing at all.
Quentin and his team skirted the privacy rules because they felt like they didn’t have a choice. They needed to deal with the enormous fraud problem, and Apple wasn’t giving Uber any other options. If Uber and InAuth could keep a low profile, perhaps the fraud team could escape detection.
They would have no such luck. In mid-November 2014, BuzzFeed ran its story about the infamous dinner where Emil Michael suggested doing oppositional research on journalists. Most public attention at the time focused on Michael.
But during the “charm offensive” Josh Mohrer, Uber’s brash and cocky general manager in Manhattan, had made a grave mistake. In an interview that week he let slip a mention of an early version of “Heaven,” a tool that provided a “God View” of riders on trips in real time. The reporter had taken an Uber to meet with Mohrer that afternoon. Mohrer bragged that he had tracked her the whole way. The comment would not go unnoticed.
Eight days after the first story broke, Quentin’s team was hit with a bombshell. As scrutiny intensified in the wake of Uber’s recent scandals, an enterprising young hacker in Arizona named Joe Giron had decoded Uber’s Android application and found the list of data access permissions Uber’s app requested upon installation. The litany went far beyond what most Uber users expected: phone book, camera access, text message conversation logs, access to Wi-Fi connections. These were permissions that were suspect for any app to request, much less a taxi service. Why would a ride-hailing app need access to their customers’ text messages or camera? It was seen as a broad overreach into users’ privacy. Not only was Uber willing to go after journalists, but the company also wanted to know everything about you and your phone.
