Uber’s Secret, Encrypted, Far-Reaching Investigation Into Opposing Counsel

Sign INVESTIGATION and Gavel on Wooden Table
computer-security-guide-cover-2nd-ed

4-Step Computer Security Upgrade

Learn to encrypt your files, secure your computer when using public Wi-Fi, enable two-factor authentication, and use good passwords.

Echoing the familiar story of David and Goliath, one Uber customer’s lawsuit against the company’s co-founder alleging the practice of raising prices during certain situations violates antitrust laws was a considered to be a long shot. Worse still, in this case, Goliath has ex-CIA personnel scrutinizing the reputation of both the plaintiff and his lawyer.

According to court declarations made by Andrew Schmidt, the lawyer who represented the plaintiff against Uber, his friends had begun receiving calls from a stranger asking some odd questions claiming it was for a project “profiling up-and-coming labor lawyers in the US.”

Schmidt became suspicious when friends of his client began receiving similar calls asking about everything from the nature of their relationship to the identity of the real “driving force” behind the lawsuit, all under the auspices of a project on “up-and-coming researchers in environmental conservation.” The company’s lawyers insisted Uber was not involved. But it appears they very much were.

An investigation that Uber initially claimed it knew nothing about began with a simple request from Uber’s general counsel to the company’s chief security officer in December 2015: “Could we find out a little more about this plaintiff?” One of Uber’s almost-entirely redacted court filings claims that the investigation arose from security concerns about the lawsuit targeting Uber’s CEO rather than Uber itself, a tactic that skirted Uber’s otherwise ironclad arbitration agreement.

Uber hired Ergo, a security firm headed by an ex-CIA employee, to conduct a “very under the radar investigation” assessing whether the plaintiff “had it in” for Uber’s CEO. Representatives from Uber and Ergo also agreed on some “‘light-touch’ reputational due diligence” (so many buzzwords!) on the relationship between the plaintiff and his lawyer since they appeared to be friends.

Ergo initially blamed the overreach of the investigation on “an employee who had gone rogue” and has remained adamant that it never engaged in a “bad faith effort to thwart the litigation process.” However, Ergo has been open about the fact that it had research analysts who used false pretenses to initiate conversations with third parties, but says that there is nothing wrong with that.

Not only does the broad scope of the investigation pose a novel issue, but also the methods through which Uber communicated with Ergo. Most of the communications between Uber and Ergo were over encrypted channels.

While an increasingly common security measure, the supposed irretrievability of some encrypted messages raised questions about discovery that have yet to be parsed out. Uber initially claimed that the company’s head of “global threat intelligence” advised using encrypted emails to “avoid potential discovery issues,” but later said the encryption was necessary “to protect against data breaches of Ergo’s mail servers.”

Earlier messages were through emails were encrypted with a PGP security extension called Enigmail which allows the use of authentication and encryption features provided. After some emails failed to decrypt, Uber’s head of Global Threat Intelligence suggested moving the conversation to an encrypted messaging app called Wickr which uses military-grade encryption and automatically deletes messages after a preset period.

Email records showed Uber’s Global Threat Intelligence head exchanging Wickr screen names with Ergo officers. Right after that, the PGP Enigmail emails stopped entirely (with the exception of transmitting some “preferred legal language” three days later and submitting the final report after another 12 days). Even so, Uber denied communicating over Wickr. Because Wickr automatically deletes messages after a set period of time, it has not been possible to prove otherwise.

On June 7th, the judge overseeing the case ruled that there was enough evidence to provide a reasonable perception of fraud and that Ergo’s investigation was “raising a serious risk of perverting the process of justice before this court.” With these issues still undecided, this case has potentially far-reaching effects on what encrypted communications are discoverable as well as how far parties can go into investigating opposing counsel. How these issues are handled could set a narrative for cases where David wants to take Goliath to court for years to come.

Subscribe

Get Lawyerist in Your Inbox, Daily

Current Articles
Current Lab Discussions