Corporate espionage is nothing new in the business world. Every company would like to know what its competitors are doing behind closed doors and to gain an edge on the market. While tempting, these practices are illegal and usually are not espionage in the way we think of clandestine operations. However, Uber is currently being investigated for actually spying on Lyft drivers.

Your Driver is… Bond?

While it may not have been as action-packed as a Bond movie, Uber has gotten in some hot water for its spying activity. The company realized there was a flaw in the system of its main competitor, Lyft, and thoroughly exploited that flaw. The spying program ran for two years, 2014 to 2016. The program was called “Hell” and it may be raising all sorts of itself for the company.

The objective of this program was to identify Uber drivers who also drove for Lyft. These “double-appers” are not technically violating any agreement with either company by driving for the other, but for obvious reasons both companies would like to have their drivers be loyal to them alone. So if Uber were to identify one of its drivers in the Lyft system, Uber would attempt to convince that driver to give up his or her gig with Lyft, rather than penalizing them.

Because of this, the FBI’s New York office is now investigating whether this amounts to corporate espionage, as well as whether it illegally interfered with Lyft. This latest revelation just adds to the mountain of legal cases brought against Uber. Clearly, the company has seen better days.

Is This Illegal?

My gut reaction to all this is that Uber has committed a crime here, but I am no corporate lawyer. It strikes me that at the very least the company was encroaching on the privacy of not only its drivers, but the drivers of its main competitor. When hackers and other cybercriminals exploit vulnerabilities in systems, we call that a crime. Just because a large corporation is doing something similar does not mean it is “just business.” Happily, Uber did not release troves of personal information on drivers or double-appers, nor did it extort people for money like the majority of cybercriminals out there. However, this is hardly any consolation.

That being said, Lyft should have been more careful in vetting its code to ensure this sort of thing did not happen in the first place. While the crux of the blame falls on Uber for violating the privacy rights of Lyft drivers, Lyft also needs to do a better job at protecting its own drivers from such attacks.

This will be an interesting legal situation that may set some precedent for who is at fault when code vulnerabilities are exploited. Can the exploitation of code be considered ethical if companies do not properly vet their systems? My guess is no, but this investigation will let us know one way or the other.