I met Joe Sullivan in 2013 at Def Con, the hacker convention in Las Vegas, when he was the boring, neatly-dressed head of security for Facebook who believed that working while listening to music on headphones is a “quirky” habit. Sullivan was responsible for introducing the company’s generous bug bounty program, in which Facebook pays security researchers to identify flaws in its code that could expose it or its users to attackers. The bug bounty program needed a minimum payout, Sullivan reasoned, so people could feel that it was worth their time, but he didn’t want to put an upper limit on it. “To me one of the interesting things was figuring out how much do you pay,” he told me at the time. “It's one of the fun things to debate inside the company between the engineers.”
I found myself thinking about this conversation last week after Bloomberg and others reported that Sullivan, who left Facebook for Uber in 2015, had paid hackers $100,000 in October 2016 to delete stolen data on 57 million Uber drivers and riders. Sullivan then tracked down the two hackers and made them sign nondisclosure agreements, with the approval of former CEO Travis Kalanick, The New York Times reported. “To further conceal the damage, Uber executives also made it appear as if the payout had been part of a ‘bug bounty,’” the Times wrote.
“I know as a consumer, I want to know how my information is used and I want to know who has access to it,” Sullivan told me in 2013. This would presumably include wanting to know when hackers discover 57 million names, email addresses, phone numbers, and about 600,000 driver’s licenses, but maybe Sullivan’s opinions changed.
Uber fired Sullivan and now says his actions violated disclosure laws. After the news came out, some security experts defended Sullivan, saying that $100,000 was a low price to pay for protecting 57 million users (just how Sullivan was able to guarantee that the hackers didn’t keep some copy of the data is unclear). Clearly Sullivan and Kalanick agreed $100,000 was worth it, if only to save the company some bad press — Uber was in the middle of negotiating with the Federal Trade Commission (FTC) for failing to disclose an unrelated data breach in 2014. This was just one of Sullivan’s many ethical breaches at the transportation company, however.
- Uber has a documented habit of surveilling people it deems to be a potential threat, including employees, competitors, and its opponents in court. Sullivan was the one to order underlings to dig up dirt on the conservationist Spencer Meyer, who sued Uber for price fixing.
- Sullivan operated autonomously and secretly. Sources also told Bloomberg that Sullivan had made himself more nimble by becoming Uber’s deputy general counsel, which let him “assert attorney-client privilege on his communications with colleagues and make his e-mails more difficult for a prosecutor to subpoena.” Bloomberg wrote in October that “Sullivan’s work is largely a mystery to the company’s board.”
- Sullivan was in charge of a team formerly known as Competitive Intelligence or COIN, according to Bloomberg, which oversaw projects like “Hell,” which spied on Lyft drivers. Sullivan shut down Hell but kept other programs like it, and COIN was renamed to “Marketplace Analytics” and then again to “Marketplace Integrity.” The breach affecting 57 million people came to light because Uber’s board hired a law firm to investigate Sullivan’s teams, including COIN.
- On Tuesday, a former Uber employee alleged that Sullivan encouraged his teams to use ephemeral messaging apps in order to “make sure we didn’t create a paper trail that would come back to haunt the company in any potential criminal or civil litigation.”
Uber is now the target of at least three potential class action lawsuits, at least five state attorney general investigations, and an inquiry by the FTC because of Sullivan’s decision to pay off hackers and cover up his mistakes. And with a history like his, it’s possible that there are other ethical violations that we don’t even know about.