by Isaac, Mike
“Heaven and Hell” were just the beginning. Those programs fell under the umbrella of “competitive intelligence”—a friendlier phrase than corporate surveillance—which was shortened to an even more genial acronym, COIN. Everyone in the Valley had a version of COIN, in one way or another. The most widely used form involved scraping competitor data from websites, apps, and other publicly available repositories. “Scraping” was computer-speak for automating the collection of information through written programs and coded scripts. Uber’s most useful tool scraped information on pricing changes within the Lyft app, allowing Uber to systematically undercut its competitor.
Uber also purchased receipts from companies like Slice Intelligence. These data-brokerage firms bought reams of anonymized purchasing data from credit card companies and retailers, sliced up the results, analyzed them by sector, and packaged them for resale to other companies. Aggregate data for trip receipts from Lyft, for instance, allowed Uber to confirm its competitor’s prices. Combine that data with Uber’s scraped location and pricing data and the company could create a remarkably complete picture of Lyft’s business. Sullivan knew it wasn’t sporting. But it worked.
Besides surveillance, there were severe safety issues. The India rape scandal was just the tip of the iceberg. Unbeknownst to outsiders, Uber operations teams dealt with thousands of misconduct cases every year, including increasing instances of sexual assault. As the service grew, millions and ultimately billions of rides were taken. The power of large numbers meant that assaults and sex crimes were probably inevitable. But Uber had so lowered the bar to become a driver that people who might have been prevented from driving in the official taxi industry could easily join Uber. The problem became so significant that later, the company would create its own taxonomy of twenty-one different classifications of sexual misconduct and assault in order to properly organize the sheer number of annual incidents reported.
It would have been a public relations nightmare if the public knew that hundreds of drivers had been accused of sexually assaulting customers. When a new rape accusation or lawsuit was leveled against the company or a driver, some Uber employees would remind others that drivers are always “innocent until proven guilty.” Kalanick himself would repeat the phrase often, especially to the security and legal teams. Technically, it was true, and Uber had certainly seen its share of false claims and scams. But perhaps more than the assaulted riders, or the accused drivers, Kalanick felt it was Uber that was being persecuted. Outsiders were always scheming against Uber; enemies wanted to see his company fail. Uber was the real victim, he felt. “Innocent until proven guilty,” Kalanick reminded his employees. On occasion, when a sexual assault victim decided not to pursue litigation or if the evidence in a police report was not conclusive enough to prosecute, a round of cheers would ring out across the fifth floor of Uber HQ.
Beyond privacy and safety issues, Uber had another big problem. When Sullivan heard about it he almost didn’t believe it. According to executives at the company, Uber had been the victim of a massive hack earlier in 2014, a serious breach of the company’s data that compromised the names and license numbers of more than 50,000 Uber drivers. Uber had kept the hack secret. It didn’t know how to tell the public, much less if it even wanted to do so. Kalanick didn’t know the law, and had no interest in making these calls. Though he certainly didn’t want to spur a public backlash, he always thought it was up to the legal and security teams to figure out what the solution was—and most importantly, to make it go away. Sullivan knew it wasn’t that simple; Uber was required by California law to notify authorities of a data breach.
The breach had happened in May, and Uber discovered the effects of it in September. When Sullivan was arranging to join Uber, it was December—and the company hadn’t said a word.
During the recruiting process, Kalanick asked Sullivan to give a presentation to Uber’s executives on what Sullivan’s vision for security at Uber would be, if he got the job. Sullivan said he wanted to make security an integral part of Uber’s marketing strategy. Consumers, he believed, should think of Uber as far safer than taking a taxi. “Security should be a brand differentiator for us, not a minimum viable component,” he said.
Sullivan considered his options. He had been offered the job of chief security officer, overseeing a ragtag security team. Some thirty employees scattered across different groups inside of Uber. If Sullivan was going to help Uber—a sprawling, global operation—he’d have to bulk up the team. He’d also have to report directly to the CEO—a request the company accepted.
Uber needed Sullivan far more than Sullivan needed Uber. But Joe was ready for a challenge. And by then, he had bought the sales pitch and taken a liking to the smooth-talking CEO, Travis Kalanick.
Sullivan didn’t come from the tech world. The oldest of seven children, he “rebelled” against his hippie parents—his father a sculptor and painter, his mother a schoolteacher and writer—by going to law school. While young tech entrepreneurs were building software with wide-eyed optimism, Sullivan spent his twenties as a federal prosecutor, confronting the worst of what humanity had to offer. Robert S. Mueller, a decorated war hero who would later go on to investigate President Donald J. Trump, handpicked Sullivan to work in the computer hacking and intellectual property cybercrime unit, a prestige position in the Northern District US Attorney’s Office in San Francisco. Sullivan had studied cyberlaw at the University of Miami, where he earned his JD, and threw himself into challenging cases involving trade secrets and corporate espionage during the late ’90s boom. By the time the bubble had burst in 2000 he had made a name for himself.
Sullivan stood tall at around 6'2", yet his posture was always slightly hunched, hands tucked into his pockets. His brown, bushy eyebrows and neatly combed chestnut hair gave him a non-threatening look. After years in government suits, he compromised with dadcore jeans and button-downs, and eventually moved to a more tech-friendly jeans and T-shirt combo. His high cheekbones, broad forehead, and wide-set eyes made his default expression a kind of restful stoicism, even in the face of complex information security problems.
He spoke quickly and clinically, his dispassionate attitude forged over his years as a lawyer. The most emotion you’d see was a raised eyebrow, or perhaps a knowing smirk when telling war stories from his days as a prosecutor. Laughter never came in more than a chuckle, like the joke was a secret he kept to himself.
Sullivan didn’t exude the natural charisma of a flashy trial lawyer, but people liked him. He was geeky without being entirely antisocial, he was willing to work hard, and he went after the bad guys. Everyone who knew Joe said he was solid—an all-around dependable guy.
After trying his fill of cybercrime cases on a government salary, Sullivan got the itch to go in-house. In 2002, Sullivan landed a job at eBay, then a tech powerhouse with growing revenue, bright prospects and millions of daily auctions from buyers and sellers online.
It was also rife with fraud. As a senior director of trust and safety, Sullivan spent most of his time hunting down scammers who used the platform to con web novices out of thousands of dollars. As millions of people came online for the first time, they weren’t ready for the fraudsters, hawking fake listings for valuable Beanie Babies and collectible baseball cards that had never existed in the first place.
Most scams were as simple as a seller completing a sale and then never mailing the merchandise to the buyer. But some were more intricate. One scheme involved a con artist offering to pay an honest seller outside of eBay, then sending a bounced check. If the merchant complained, they would have little recourse since the purchase wasn’t completed on eBay itself. The worst scam was often the simplest: a seller mailing a customer nothing but an empty box. Tens of thousands of these frauds occurred on eBay every year, and were becoming only more prevalent as the site grew in popularity.
At eBay, Sullivan’s job was part detective, part digital police officer. It was just like going after the thieves and scammers he
encountered as a prosecutor. Only this time, it was better. In court, he had to put together a meticulous case to take down a single defendant. Maybe a few at a time if they went after a syndicate. At eBay, his teams of anti-fraud experts caught hundreds of scammers every day, booting them from the platform. He created entire systems designed to defang the bad guys. And when a big, organized crime syndicate came along and tried its hand at eBay scams, Sullivan and his teams were there to stop them.
Sullivan’s favorite story involved the Romanians. Romania was a nexus of fraud. Until 2003, Romania didn’t have a single cybercrime law on the books. Combine that laxity with a number of organized criminal outfits and a generation of savvy programmers and you had a pirate’s cove of malefactors. The scams would usually involve offering high-priced electronics for a deep discount, which would fetch immediate bidders across eBay. After someone sent $2,000 USD for a big-screen TV, for example, the Romanians would disappear. The fraudsters worked out of internet cafes in Bucharest and accepted only Western Union wire transfers, making it difficult for police to locate them. And since the syndicates were run by the Romanian or Russian mafia, local law enforcement never pursued cases, fearing their own safety.
Sullivan wasn’t afraid. After he and his colleagues took down one of the biggest Romanian eBay fraud rings, eBay flew him to Bucharest to testify in court—at his own request. As Sullivan took the stand, he was flanked by two beefy local police guards. Each of them held an AK-47 and wore a jet-black balaclava—a woolen mask that fully covered the face—for fear they would be identified and later killed by the local mafia after the trial. Sullivan, donning his old uniform of suit and tie, delivered hours of testimony that helped put the fraudsters behind bars. He didn’t wear a mask.
After eBay and a two-year stint at eBay’s sister company, PayPal, Sullivan was presented with an even more intriguing challenge. By the end of 2008, a young, buzzy startup had come calling. Facebook—then closing in on 150 million users—had an opening on its legal team. Sullivan leapt at the chance; Facebook’s growth was explosive, and Mark Zuckerberg’s ambitions were boundless. He wanted to bring the entire world online and plug it into his social network. That kind of opportunity was a no-brainer for Sullivan. He took the job.
If eBay gave Sullivan a chance to operate like a Navy SEAL, working on security at Facebook was like commanding his own private army. Facebook was a daily destination for scammers and fraudsters, just like eBay. But it also harbored pedophiles, stalkers, vengeful ex-boyfriends, blackmailers—you name it. In the six-and-a-half years Sullivan spent at Facebook, the company rose to become the world’s largest repository of personal information, and he was the man charged with watching over all of it. After just a year, he was promoted to chief security officer.
Sullivan’s group actively pursued so-called “bad actors,” those intending to do harm on the internet. They weaponized lawsuits against spammers and scammers who flooded Facebook with garbage posts. They played cat-and-mouse games with cyberbullies, and fingered rings of Russian cybercriminals, turning them over to the FBI.
His approach was different than other security types in Silicon Valley.
“A lot of companies stop at playing defense,” Sullivan once said in an interview. “We spend a lot of time trying to figure out who’s sitting on the other side of cybercrime.”
Sullivan’s tactics were best exemplified one weekend during his time at Facebook, when he got a frantic call from a friend, a female co-worker from Facebook. She had been browsing Match.com one evening, looking for a date, when things started heating up with a construction worker from San Jose. As the flirting went on, she sent the man a topless photo. The stranger’s next message alarmed her: the man told her he had researched her background, and knew she worked at a famous Silicon Valley company. If she didn’t wire him $10,000 cash, he threatened to email the topless photo to her entire company.
Sullivan knew what to do. He and a colleague took control of her Match.com account, and attempted to lure the blackmailer into revealing his identity. The best way, Sullivan knew, was to push the scammer toward a payment system. For digital detectives like Sullivan, online payments often provided the best chance at finding clues to an attacker’s identity. Certain banks, for instance, would block attempts at money transfers to specific areas, which narrowed down the list of potential countries where the scammer could be located. Sullivan would also add incorrect details when making a payment, an intentional maneuver that made the transactions fail to go through. After the payments failed enough times, the attacker would give additional details about his account location, which helped Sullivan narrow the location details further.
Backtracking the blackmailer’s steps through the payment system led Sullivan to a former Google intern, now located in Nigeria. After finding his address in Lagos, Sullivan hired a local lawyer to confront the guy at a coffee shop in Nigeria. The intern immediately confessed to the scam and handed over his computer and email account information.
After they gained access, they discovered the scammer’s activities had gone far beyond Sullivan’s female friend; the intern was part of an enormous, ongoing Match.com scam. He had been extorting dozens of Silicon Valley female employees out of money for months, dangling the threat of sending their nude photos out to their companies if they didn’t pay up. Not only did Sullivan save his friend’s reputation, he was able to notify the other women being extorted that they had finally caught the blackmailer, ending months of anguish.
Whether it was hackers in Romania running massive fraud schemes or blackmailers bilking innocent women, Joe Sullivan was good at finding people on the internet, and keeping people safe. It was the reason he had been recruited to Uber. And it was why Sullivan ultimately said yes to the job. He looked at Uber and saw a rat’s nest of problems: widespread fraud, competitors across four continents, hackers laying siege to the company’s valuable stockpile of personal information. Plus, Uber offered him the chance to be more than an internet cop; the very nature of Uber’s service meant dealing with things that can go wrong in the physical world, with millions of Uber riders in actual cars every single day.
Months before Sullivan joined Uber, he helped the company clean up the mess around the breach of its systems; Uber reported the breach, as is legally required of companies, in February 2015—nine months after the hack had happened. It would not be the company’s last data breach; another attacker would crack Uber’s systems in 2016. It would, however, be the last time Sullivan and Kalanick would come forward voluntarily to admit Uber had been hacked. The decision to keep quiet would prove more costly than either man could have imagined.
But by the time Sullivan arrived at Uber in April 2015, he realized he had a much bigger problem on his hands than fraud or thievery.
He needed to keep Uber’s drivers from getting murdered.
Not two weeks into Sullivan’s new job, he got an urgent call on his cell phone. One of Uber’s drivers had been killed in Guadalajara, and operations managers on the ground suspected the local taxi companies were responsible.
For months, Uber Mexico had been under attack by the local taxi cartels. The violence had started slowly at first; a physical altercation here, vandalization there. But things soon escalated. Much like their kin in American cities, Mexican taxi operators had spent thousands of dollars on licenses, permits, training classes, and other state-mandated items just to pick up passengers in Mexico. But now the unions watched helplessly as Uber siphoned off business. As the cabbies grew more desperate, beatings, ransackings and robberies of Uber drivers grew common. Many were assaulted to intimidate others from joining Uber.
“We are not going to leave them alone,” Esteban Meza de la Cruz, a taxi driver and union leader who represented about 13,000 drivers, said at the time. “We are tracking them and hunting them down.”
By the time Sullivan had arrived, violence had spread from busted lips and bruised heads. People were dying, and it was happening all over the world. Law enforce
ment offered little help. The death of a taxi driver wasn’t exactly a top priority for Guadalajaran police. Sullivan’s calls went unanswered. Frustrated, Sullivan started calling old friends from the intelligence community. One former FBI contact shed light on the situation: “Guadalajara is cartel country,” Sullivan’s friend at the Bureau told him. “We don’t send people there.”
Countries like Brazil were even worse. Kalanick had tapped Ed Baker, a former Facebook growth executive, to grow South America. He encouraged city managers in São Paolo or Rio de Janeiro to sign up as many riders and drivers as possible. To limit “friction” in the sign-up experience, Uber allowed riders to sign up without requiring them to provide identity beyond an email—easily faked—or a phone number. Further, Brazil was largely a cash-based economy where credit cards weren’t in common use, so there was no payment or identity data to gather on the individual riders.
For thieves and angry taxi cartels, it was the perfect crime. A person could sign up for Uber anonymously with a faked email, then play a version of “Uber roulette”: They’d hail Ubers, then cause mayhem. Cars were stolen and burned, drivers assaulted, robbed, and occasionally murdered. The company stuck with Baker’s low-friction system, even as violence increased.
Osvaldo Luis Modolo Filho, a fifty-two-year-old driver, was murdered by a teenage couple who hailed a ride using a fake name and chose to pay in cash. After stabbing Modolo repeatedly with a pair of blue-handled kitchen knives, the couple took off in Modolo’s black SUV, leaving him in the middle of the street.
