Uber paid off hackers, WeWork buys Meetup, Expensify's SmartScan "garbage"


Hello and welcome to Oversharing, a newsletter about the proverbial sharing economy.

If you’re returning from last week, thanks! If you’re new, nice to have you! (Over)share the love and tell your friends to sign up here. Hope everyone had a nice Thanksgiving. This is issue eighty-four, published November 28, 2017.

Duty to disclose.

How are things Uber? Fine, fine, nothing to see here:

  • Five U.S. senators want Uber to tell them when it discovered a massive data breach and what it did to respond.

  • Missouri Attorney General Josh Hawley's office says it's investigating Uber over the ride-hailing company's massive data breach.

  • Uber Technologies is being sued by the city of Chicago and Cook County on claims the ride-hailing company's 2016 data breach harmed "tens, if not hundreds, of thousands" of area residents.

  • Massachusetts Attorney General Maura Healey, a Democrat, told WGBH-FM on Wednesday that she's requesting documents and other information from Uber, adding her office is "keeping all criminal and civil options on the table."

  • New York's state Attorney General has opened an investigation into a massive data breach at Uber.

  • New Mexico Attorney General Hector Balderas wants Uber to release additional information about the ride-hailing company's massive data breach, including how many New Mexico residents had their personal information exposed.

  • The chair of the group of European data protection authorities—known as the Article 29 Working Party—said on Thursday the data breach would be discussed at its meeting on Nov. 28 and 29.

Oh alright, everything is not fine, but maybe Uber would pay you $100,000 to say it is? That was what it paid hackers to buy their silence after they stole the personal data of 50 million Uber riders and about 7 million drivers in October 2016. "None of this should have happened and I will not make excuses for it," said Dara Khosrowshahi, who reportedly learned of the security breach two weeks into his jobas Uber CEO in September. That's slightly better than his predecessor Travis Kalanick, who found out about the hack in November 2016 and authorized the $100,000 payment to hackers.

Meanwhile, Japanese tech giant SoftBank, which is contemplating a multibillion-dollar investment into the well oiled machine that is Uber Technologies Inc., was informed of the incident about three weeks ago, "consistent with our duty to disclose to a potential investor, even though our information at the time was preliminary and incomplete," says Uber, which has rarely cared about its duty to do anything. SoftBank is expected to launch its tender offer for Uber shares today, with an initial bid that would value the company at around $48 billion, a roughly 30% discount to its stated valuation of $68 billion.

Some people are worried that the data breach and subsequent cover-up could hurt Uber's lofty valuation as the SoftBank deal moves forward. There is also the opposing school of thought, that "corporate breaches are becoming so routine that they shouldn't weigh on a company's valuation," aka the "lol nothing matters" approach to corporate governance.

It will be interesting to see what happens. Despite the "general belief" that Dara "has six months of slack until he starts getting tagged with Uber's problems" I suspect this data breach will be the real diving line between old and new CEOs. It happened on Travis's watch but, unlike most other Uber scandals this year, was made public on Dara's. The Congressional inquiries and attorney general investigations and so on will also be Dara's to sort out. You could almost feel bad for the guy, who wasn't aware of this breach when he took the job, except this is Uber, so he should have known exactly what he was in for.

The 11th hour.

Elsewhere in Uber, the trial with Waymo over alleged theft of trade secrets is scheduled to begin Dec. 4, unless Waymo's 11th-hour request to delay the case is approved. The company is asking for additional time to do discovery after US district judge William Alsup received a letter over the weekend from the Justice Department and in response ordered Uber to make three of its people—Richard Jacobs, Ed Russo, and Angela Padilla—available at today's final pretrial conference, "by subpoena if necessary," to give testimony, potentially under oath.

What revelations that Justice Department letter contained remain, for the moment, a heavily redacted mystery:

There are also these redacted descriptions of unredacted things:

Anyway, Waymo says the "only possible conclusion is that Uber intentionally withheld the Jacobs Letter and related materials to prevent Waymo from discovering material evidence in this case." The company claims it is "entitled to" depose Kalanick (again), Padilla, the lawyer who advised Uber on its search for "misappropriated material," and others. Tl;dr everyone is in for a fun final pretrial conference today.


A few months after raising $760 million in new funding at a $20 billion valuation, WeWork is on a shopping spree. Today the shared offices cult bought Meetup, an app with about 35 million members that helps people meet up offline for professional networking and hobbies, for an undisclosed amount. That follows a deal last week for WeWork to lead a $32 million investment into The Wing, a New York-based women's club; the late October acquisition of Flatiron School, a New York-based coding academy; and the late October purchase of Lord & Taylor's flagship store on Fifth Avenue, which WeWork plans to convert into its headquarters.

The deals broadly suggest WeWork's interest in bolstering its social offerings. WeWork has long claimed that people choose its trendy, expensive offices not just for the fruit water and beer-on-tap but also because they foster a sense of community, a "physical social network" for young people. "It's less about utilization and much more about that fundamental mission of connecting people to their purpose," Shiva Rajaraman, WeWork's chief product officer, told the New York Times about the Meetup acquisition. "This is a great tool to introduce people to their passions."

Elsewhere in the WeWorld, WeWork is building a grade school for kindergarteners, because "there's no reason why children in elementary schools can't be launching their own businesses," to quote WeWork co-founder Rebekah Neumann. The company also quietly opened a bar over the summer, the Mailroom, in Manhattan's Financial District, under a high rise that includes WeWork offices and dorm-style WeLive residences. In October, it opened a gym.

Of course there remains the skeptical view that WeWork is built on "showmanship, an expansive vision, and the occasional shot of tequila," and other inconvenient facts, i.e., that vacancy rates at WeWork have reportedly risen, forcing the company to work harder to draw tenants. But to worry about such things is to fundamentally misunderstand the WeGeneration, which comes to WeWork not for an office but "for energy, for culture," to quote co-founder Adam Neumann. With its latest spate of purchases, that's what WeWork is giving them.

The Mechanical Turk.

Expensify is a software company started in 2009 to automate the painful task of compiling expense reports. It does this using "SmartScan" technology that gleans details like merchant, date, and price from a picture of a receipt. It's raised just shy of $30 million, from investors including OpenView Venture Partners, Barracuda Networks, and Travis Kalanick as an angel. Its 4.5 million users and more than 300,000 companies include some of today's hottest startups, like Uber, Square, Snapchat, and Instacart.

Expensify claims to process billions of dollars a year, and reimburse millions of dollars a day, aided by SmartScan and its investments into "automation in the expense reporting process." That is presumably a selling point for the company since the receipts it handles can contain sensitive personal information, like names, email addresses, pickup and dropoff spots, hotel check-ins, even bank routing numbers. The last thing Expensify would want to do is let that information float around for just anyone to read:

Rochelle LaPlante works for Amazon Mechanical Turk, an online hub where an army of Amazon-approved independent contractors complete "human intelligence tasks" ("HITS") such as transcriptions, image tagging, and line-editing, usually for a couple cents. The name Mechanical Turk alludes to the "automaton" chess player that astounded Europeans in the late 18th century, but was later revealed to be an elaborate hoax controlled by a hidden human chess master.

Last week LaPlante was browsing HITs on Mechanical Turk when she spotted several postings from Expensify bearing "people's very personal information." These included a printout of an Uber receipt showing the customer's name and route through New York; a receipt from a bakery in California; a receipt from a ramen place in California; and an invoice for a stay at a hotel in Riyadh, Saudi Arabia, complete with the guest's name, bank account number, and itemized expenses, mostly involving the bar. Another Twitter user reported browsing Expensify jobs on Mechanical Turk to see "boarding passes, hotel receipts… medical receipts, addresses, signatures." On each HIT, "guidelines" instructed the worker to "enter the amount the customer actually paid."

After LaPlante tweeted about this, Expensify founder and CEO David Barrett published a blog post on Nov. 25 about a "new privacy-enhancing feature" the company is rolling out, "Private SmartScan." Barrett says Private SmartScan "enables organizations to take direct control of the privacy and security concerns of human transcription" by hiring their own "24/7 team of human transcription agents" to process their receipts on Mechanical Turk, which sounds like a very convoluted way of outsourcing the work Expensify was hired to do back to its own clients.

Oh but its gets weirder. In a second post on Nov. 27, Barrett added that "there was no breach"; the receipts on Mechanical Turk belonged to "less than 0.00004% of users—none of whom are paying customers"; and that at any rate there is nothing important on a receipt, "that's why receipts are so commonly thrown out—because they are literally garbage." Also: "anybody concerned by the real-world risks of a vetted, tested transcriptionist reading their Uber receipt should probably consider the vastly more immediate and life-threatening consequences of getting into that stranger’s car in the first place."

"Life is not without risks," Barrett concludes, a statement I must assume he intended to reassure the 4.5 million users and 300,000 corporate clients who have entrusted Expensify with the safe handling of their day-to-day expenses, I mean, er, garbage.

Other stuff.

Payday apps "like a drug" for employees. Inside Airbnb's Russian Money-Laundering Problem. Winter is coming for China's bike-sharing market. Uber's Japan president departs for WeWork. Who's Lobbying for Uber? Lyft raises another $500 million in funding. Lyft partners with Carlson Wagonlit Travel. Lyft gets permit to test driverless cars in California. Uber trial service halted in Tel Aviv. Uber's in-house crime fighter. Uber User Fraudulently Billed Over $200 for Foods Orders on UberEats. Woman scammed out of $52,000 by fake Airbnb host. Amazon Merchants Continue to Find Ways to Cheat. The Frenzy to Lure Amazon. Albertsons Companies partner with Instacart. Doctolib raises $42 million for appointment-booking platform. San Francisco-based ed-tech company stumbles. Airbnb adds payment-splitting function. Driverless car winners and losers. The Crowdsourced Delivery Report. "Airbnb for your kitchen table." The "Airbnb of Wifi" Looks Sketchy as Hell.

Thanks again for subscribing to Oversharing! If you, in the spirit of the sharing economy, would like to share this newsletter with a friend, you can suggest they sign up here. Send tips, comments, and SmartScan garbage to oversharingstuff@gmail.com.