
Until a report this week, Uber’s use of Surfcam was thought to be limited to incidents uncovered in Singapore in 2017. For its part, Uber denies that the tool is “spyware.”
A rogue employee at rideshare behemoth Uber created and deployed a piece of information-gathering software in order to help his company get a leg up on the local competition in Australia, according to a report.
The so-called “secret spyware program” was dubbed Surfcam, and was developed by the employee in 2015, according to an unnamed source who said he or she was a former senior Uber employee. The person told the Australian Broadcasting Corp.’s Four Corners team that the purpose of the malware was to allow Uber drivers to poach drivers from a ride-share competitor called GoCatch.
GoCatch launched as a homegrown start-up in 2012, with backers that included international hedge-fund manager Alex Turnbull (who is also the son of former Australian Prime Minister Malcolm Turnbull).
“Surfcam when used in Australia was able to put fledgling Australian competitors onto the ropes,” the former employee said in the report. “Surfcam allowed Uber Australia to see in real time all of the competitor cars online and to scrape data, such as the driver’s name, car registration and so on.”
The source alleged that Uber used the intel to give competitive employment offers to GoCatch drivers to lure them away from working for the startup.
“GoCatch would lose customers due to poaching of its drivers, draining their supply. With fewer and fewer drivers, [the idea was that] GoCatch would eventually fold,” the purported former Uber employee said.
GoCatch in fact did not go out of business, but “the fact that Uber used hacking technologies to steal our data and our drivers is appalling,” GoCatch’s co-founder and chief executive, Andrew Campbell, told the outlet. “It had a massive impact on our business.”
Meanwhile, an Uber spokesperson told Threatpost that the allegation that Surfcam was or is “spyware” far overstates its capabilities.
“This employee didn’t even know how to code,” she said, disputing the notion that Surfcam is a sophisticated hacking tool that tracked the personal information of drivers. “He pulled a script off the internet and modified it to simply crawl publicly available information from websites. That’s not spyware. Unless those sites were leaking personal data, I don’t see how Surfcam could have obtained it.”
It should be noted that this isn’t the first time that Uber and Surfcam have been in the headlines; in 2017, Bloomberg reported that the code was deployed in Singapore, against Grab, the local ride-share competitor there.
“Surfcam, which hasn’t been previously reported, was named after the popular webcams in Australia and elsewhere that are pointed at beaches to help surfers monitor swells and identify the best times to ride them,” Bloomberg said in that report. It added that it “scraped data published online by competitors to figure out how many drivers were on their systems in real-time and where they were.”
Until the ABC report, it was thought that the effort to undermine Grab — which became more popular in the city-state than its multinational rival and last year bought Uber’s assets in the region — was Surfcam’s only outing.
For its part, Uber is unaware that Surfcam was ever used in Australia, according to the spokesperson, who thus did not confirm the ABC source’s claim that it was deployed against GoCatch.