Senior executives at Uber ordered the use of a “kill switch” to prevent police and regulators from accessing sensitive data during raids on its offices in at least six countries, leaked files reveal.
The instructions to block authorities from accessing its IT systems were part of a sophisticated global operation by the Silicon Valley company to thwart law enforcement.
The Uber files, a cache of confidential company data leaked to the Guardian, reveal how the company deployed its kill switch at least 12 times in France, the Netherlands, Belgium, India, Hungary and Romania.
Uber developed its kill switch systems in the midst of a flurry of raids by police and officials, who were gathering evidence that could be used to shut down Uber’s unlicensed taxi service, impound vehicles or prosecute drivers.
During one raid in Paris, the leak shows Uber executives pretending to “appear confused” as officers circled their desk demanding to see data. They discussed shutting down office access to the company’s main IT systems while simultaneously watching police searching computers for evidence.
Legal experts said the actions documented in the data raised questions about possible breaches of laws against obstructing justice in France, the Netherlands, India and Hungary.
While it was known that Uber had used a kill switch system in some countries, including Canada and Hong Kong, the leaked files reveal its use was more extensive than previously known – and show how it was executed with the involvement of senior executives.
Emails show both Travis Kalanick, Uber’s former chief executive, and Zac de Kievit, its former legal director in Europe, instructing IT staff to “kill” access to computer systems. Similar instructions were issued by Pierre-Dimitri Gore-Coty, who is still part of Uber’s 11-strong executive team.
Uber said its software “should never have been used to thwart legitimate regulatory action”. A spokesperson for Kalanick, who stepped down as chief executive in 2017, said the kill switch was not used to obstruct justice in any country. She said Kalanick had never been charged in any jurisdiction for obstruction of justice or any related offence.
‘The police won’t be able to get much’
The earliest mention of the use of a kill switch in the Uber files relates to two raids in France in late 2014.
On 17 November, following months of simmering anger from traditional taxi services, who felt Uber’s unlicensed ride-sharing model was unfair competition, officials from the competition regulator, the DGCCRF, swooped on Uber’s French HQ in a business park in the 19th arrondissement of Paris.
Already on alert after a raid in Lyon three days earlier, the company acted fast.
In a message sent at 3.14pm, apparently after the raid had begun, De Kievit emailed an Uber IT engineer in Denmark, saying: “Please kill access now,” copying in executives including Kalanick and Gore-Coty, who ran Uber’s operations in western Europe.
Thirteen minutes later, the technician wrote back, confirming the procedure was “done now”.
This approach to what staff called “unexpected visitors” would evolve the following year after a raid in Brussels by police investigating Uber’s use of regular drivers without a cab licence, a service known at the time as UberPop.
Belgian authorities wanted to obtain company data about drivers, which was held on servers in the US, documents show. Eight armed officers wearing bulletproof vests descended on the Brussels office unannounced on 12 March 2015, accompanied by half a dozen IT experts.
Unlike in France, police took steps to ensure local staff could not communicate with Uber HQ back in San Francisco during the raid. Later that day, De Kievit emailed executives, including Kalanick: “Our team were detained and did not have an opportunity to raise the kill switch.”
Nonetheless, Uber bosses appear to have approved an alternative method of trying to restrict what police might find. Kalanick, Gore-Coty and Uber’s lawyers were copied into emails in which senior IT engineers discussed cutting access to laptops that had already been confiscated.
In one message, a senior technician told Uber’s chief lobbyist in Europe, Mark MacGann, that he had done this via an administrative system called Casper. “Lock has been initiated on the machines that were seized,” he wrote.
Later that year, a Belgian court order forced Uber to suspend its unlicensed UberPop service in the country. But Uber executives had learned a valuable lesson from the experience, emails exchanged among executives show.
Four days after the Brussels raid, officers from France’s “Boers” police unit, whose job it was to detect fake taxis, swarmed into the Paris office via two different doors. Uber’s lawyers were prevented from entering the premises.
By then, Uber had “heightened our preparedness” in the light of what happened in Brussels, according to an email sent from MacGann to David Plouffe, Uber’s head of policy and strategy, after the raid.
“Access to IT tools was cut immediately, so the police won’t be able to get much if anything,” he reported. A source present that day recalls computer screens simply went black seconds after police arrived in the office, as if they had been powered down.
The following month, during the second of two raids in Amsterdam by the Dutch transport authority the ILT, top executives took charge of the kill switch strategy.
At 9.25am, Gore-Coty emailed the same technician in Denmark who had cut access in Paris the year before, ordering him to repeat the trick. Seven minutes after Gore-Coty’s email, Kalanick followed up, copying in Uber’s lawyers: “Please hit the kill switch ASAP … Access must be shut down in AMS [Amsterdam].”
Amsterdam was Uber’s European HQ and it had to be defended at all costs. Fortunately for Uber, it had not only fine-tuned its protocols since Brussels, but learned to predict raids and prepare accordingly.
Weeks earlier, De Kievit had told senior colleagues that raids were likely and that the company had hired an “off-site storage facility and moved all of our paper there”. A list of everyone in the office had been compiled “to ensure an IT kill gets everyone”.
De Kievit was taken into custody and questioned about his role in cutting IT access. He was fined €750 for non-compliance with an official order, according to the Amsterdam public prosecutor.
‘Try a few laptops, appear confused’
But senior staff were hailing the lawyer’s approach by the time of another raid, in Paris, on 6 July 2015. The arrival of about 20 police and officials from France’s tax inspectorate, shortly before 8am, prompted a flurry of text messages among senior staff about how to dupe them.
Thibaud Simphal, then the manager of Uber France, and now the company’s global head of sustainability, took to his phone and kept MacGann and De Kievit informed.
MacGann told him: “Use the ‘Zachary De Kievit’ playbook: try a few laptops, appear confused when you cannot get access, say that IT team is in SF [San Francisco] and fast asleep, and anyway this is all controlled by [Dutch parent company] Uber BV so they should write to Uber BV with their request.”
Simphal responded: “Oh yeah we’ve used that playbook so many times by now the most difficult part is continuing to act surprised!”
As investigators began searching laptops, executives fired dozens of messages back and forth, discussing how to secretly hamper their efforts.
At 8.34am, Simphal realised that access to Gore-Coty’s computer had not been cut and that any investigator could still access internal systems unless something was done. “Pierre, try and close that single tab if you can,” he texted. Minutes later, at 8.38am, De Kievit confirmed he was working with colleagues “re P’s computer”.
But Simphal could only watch as police examined the laptop, asking colleagues: “Why is it not cut? They’re browsing his [Google] drive.” Police had by then gained access to “very sensitive data”, he warned, adding that they “don’t seem to know what they’re looking for”.
The messages suggest police warned staff that they could be taken into custody if laptops were blocked, yet the conversation about how to impede the investigation appears to have continued.
“I would give them access to the computer but in the background we cut access to cloud,” De Kievit wrote at 8.57am. Two minutes later, a Paris employee confirmed that “access has been cut for Pierre”. “I’m next, so make sure my login is cut,” he added.
In a statement, Uber said it had stopped using the kill switch in 2017, when Dara Khosrowshahi replaced Kalanick as chief executive and overhauled its corporate culture. MacGann said: “On every occasion where I was personally involved in ‘kill switch’ activities, I was acting on the express orders from my management in San Francisco.”
Simphal did not respond directly to questions about the use of a kill switch but said Uber’s problems with regulators and law enforcement came during “very difficult periods” that also proved to be “learning experiences”. De Kievit did not return a request for comment.
A spokesperson for Kalanick said the kill switch was “not designed or implemented to obstruct justice”. She said it was used to “protect intellectual property and the privacy of […] customers, and ensure due process rights are respected in the event of an extrajudicial raid”.
His lawyers said because no data was permanently deleted in the process, authorities could still obtain it later.
The spokesperson said Kalanick did not oversee the systems, which did not involve data deletion and were approved by Uber’s lawyers. Kalanick “has never been charged in any jurisdiction for obstruction of justice or any related offence,” she added.
Gore-Coty, who now runs the food delivery service Uber Eats, told the Guardian he regretted some of Uber’s tactics, which led to him being fined €30,000 in 2016 for running an illegal taxi service, a decision that was upheld on appeal earlier this year. The case, in which Uber, Gore-Coty and Simphal are defendants, is subject to a new appeal to the French supreme court. At the time the kill switch was used, Gore-Coty said, he was “young and inexperienced and too often took direction from superiors with questionable ethics”.