Audit Phase: V-DIG (Digital Forensics / Technology Supply Chain)
Target: Uber Technologies, Inc. (NYSE: UBER)
Audit Date: 2026-05-01
Research Basis: Training-data knowledge through April 2026; corporate filings, press reporting, NGO publications, and trade press. Live web retrieval was unavailable during the underlying research session. Evidence older than five years is marked [pre-2020]. Where currency of a relationship cannot be confirmed without live retrieval, this is noted explicitly.
Wiz (Cloud Security — CSPM)
Wiz, an Israeli-founded cloud security company (founded 2020; principal R&D in Tel Aviv, incorporated in the United States), was publicly cited as an enterprise customer reference in connection with its May 2022 Series D fundraising round 5. Customer disclosures associated with that announcement identified Uber among the enterprise customers using Wiz’s cloud security posture management (CSPM) platform 18. The reported deployment covers cloud misconfiguration detection, vulnerability prioritisation, and multi-cloud visibility across Uber’s Amazon Web Services and Google Cloud Platform environments 518. The Wiz relationship, if current, represents integration into a broad infrastructure-level security monitoring function rather than a peripheral or siloed tool deployment. Status: relationship reported as of 2022; currency as of 2026 is unconfirmed — live retrieval was unavailable (see Evidence Gaps).
CyberArk (Privileged Access Management)
CyberArk, an Israeli-founded cybersecurity company (founded 1999; R&D headquarters in Petah Tikva, Israel; commercial headquarters in Newton, Massachusetts), provides privileged access management (PAM), credential vaulting, and secrets management infrastructure. CyberArk has publicly listed Uber in its enterprise customer references 17. The most substantive public evidence of this deployment arose from the September 2022 Lapsus$-linked breach of Uber’s internal systems 234: attacker-captured screenshots that circulated publicly following the incident displayed Uber’s internal CyberArk vault interface, confirming that CyberArk PAM was live and embedded in Uber’s identity and access management (IAM) infrastructure at the time of the breach 23. Uber filed an 8-K disclosure with the SEC regarding the incident 20. Post-incident reporting characterised the compromise of privileged credentials as central to the attacker’s lateral movement 4[^7 — see S7 in source inventory]. Status: confirmed as deployed as of September 2022; whether CyberArk remains the primary PAM platform following post-breach remediation is not publicly disclosed.
NICE Systems / NICE CXone (Workforce Management & Contact Centre Analytics)
NICE Systems (founded 1986; headquartered in Ra’anana, Israel), through its cloud division NICE CXone, provides workforce management, quality assurance, and contact centre interaction analytics platforms. NICE has disclosed ride-sharing and gig-economy platform clients in its enterprise customer communications, and industry trade press has linked NICE CXone to Uber’s customer support operations infrastructure 19. The reported scope covers contact centre workforce scheduling, interaction recording, and analytics. Status: relationship reported in trade press and NICE enterprise disclosures; no directly named joint press release or Uber SEC filing confirms the relationship. Treat as reported but not formally confirmed by either party in a named public announcement.
Palo Alto Networks (Network Security)
Palo Alto Networks (incorporated and headquartered in Santa Clara, California) was co-founded by Nir Zuk, an Israeli national, and maintains significant R&D operations in Israel. It is among the most widely deployed enterprise next-generation firewall and network security platforms globally. Uber’s post-breach engineering disclosures and security infrastructure blog posts reference network security tooling consistent with Palo Alto Networks products 9, but no named public confirmation of a Uber–Palo Alto Networks vendor relationship has been identified in corporate filings, named press releases, or credible trade press. Co-founder national origin alone does not constitute a vendor relationship; this entry records that no positive finding was returned.
The following vendors were evaluated against public corporate filings, named press releases, SEC EDGAR full-text disclosures, and credible trade press. No public evidence of a named, confirmed vendor relationship between Uber and any of these entities was identified:
Uber’s technology engineering function is predominantly in-house 91. The company builds the majority of its platform software internally and contracts directly with technology vendors rather than through systems integrators or managed service providers acting as intermediaries for Israeli-origin technology. No public evidence has been identified of a systems integrator or IT consultancy engaged by Uber that has specifically mandated or deployed Israeli-origin technology as a named deliverable within a disclosed Uber programme.
Uber has deployed driver-facing identity verification and real-time ID check features across its platform globally. This system requires drivers to periodically submit selfie photographs matched against their registered profile image. Publicly available information attributes the underlying technology to Microsoft Azure Cognitive Services and/or third-party identity verification platforms integrated via Uber’s cloud infrastructure partnerships 1. No public evidence has been identified of Uber deploying facial recognition, biometric identification, gait analysis, or behavioural analytics technology sourced from Israeli-origin vendors, including but not limited to:
Uber operates its own in-house fraud detection, dynamic pricing (surge pricing), and driver and rider behaviour analytics systems, built on proprietary machine learning infrastructure documented in the Uber Engineering Blog 9. These systems are not attributed to Israeli-origin vendors in any public disclosure or engineering post 9. No public evidence has been identified of Uber procuring Israeli-origin predictive policing tools, social media monitoring platforms, or workforce surveillance software.
No public evidence has been identified of Israeli-origin surveillance or biometric technology reaching Uber via third-party platforms, managed security services, or bundled enterprise suites.
Uber is a consumer of hyperscale public cloud infrastructure and does not operate its own physical data centres 11[^12 — see S22]. Its primary cloud providers are:
Google Cloud and AWS both operate or have announced infrastructure availability zones in Israel. Because Uber uses both providers, workloads could technically be processed in or transit Israeli-region infrastructure depending on routing and architecture configuration. However, no public evidence has been identified that Uber has specifically designated, contracted for, or publicly disclosed data residency within Israeli cloud regions 11.
Project Nimbus is a reported $1.2 billion cloud infrastructure contract between the Israeli government and Google Cloud and Amazon Web Services, announced in 2021 6. Uber is a customer of both Google Cloud and AWS. However, no public evidence has been identified that Uber participates in, is a sub-contractor to, benefits from, or has any contractual relationship with Project Nimbus. Uber’s cloud consumption relationship with Google and AWS is as a commercial enterprise customer, not as a participant in sovereign or government cloud programmes 6.
No public evidence has been identified of Uber:
– Holding government cloud contracts with Israeli state institutions;
– Marketing or contracting services for data sovereignty or infrastructure resilience specifically for Israeli state or military bodies;
– Operating, leasing, or co-locating dedicated data centre infrastructure within Israel.
No public evidence has been identified of Uber holding contracts, partnerships, memoranda of understanding, or service agreements with the Israeli Ministry of Defence, Israel Defence Forces (IDF), the Shin Bet (ISA), Mossad, Unit 8200, or any other Israeli state security or intelligence body.
No public evidence has been identified — in press reporting, official sources, academic literature, or NGO research — of Uber’s commercially available technology (ride-hailing platform, Uber Eats delivery, Uber Freight, or associated AI/ML systems) being deployed for military, intelligence, or law enforcement surveillance applications within Israel or the occupied territories.
Uber is a ride-hailing and logistics platform company. Its commercial product lines (mobility, delivery, freight) do not encompass the development, licensing, or sale of offensive cyber capabilities, zero-day exploit tools, digital weapons systems, or dual-use cyber-physical attack tooling. No public evidence has been identified of any such activity in any jurisdiction.
Uber’s core algorithmic systems — routing optimisation, dynamic surge pricing, fraud detection, demand forecasting, and driver/rider matching — are built on proprietary machine learning infrastructure developed and operated internally 9. These systems are documented across Uber’s Engineering Blog and are not attributed to Israeli-origin AI vendors in any public disclosure 9.
No public evidence has been identified of Uber providing AI, machine learning models, computer vision capabilities, or autonomous decision-support systems to Israeli state, military, security, or law enforcement bodies.
Uber’s AI and ML models are trained on proprietary operational data generated by Uber’s own global platform (trip data, pricing signals, fraud signals, delivery fulfilment data) 9. No public evidence has been identified of Uber’s AI models being trained on, or given access to, civilian population surveillance data, intercepted communications, or datasets originating from Israel or the occupied Palestinian territories.
Uber’s Advanced Technologies Group (ATG), which conducted autonomous vehicle research and development, was divested — sold to Aurora Innovation — in December 2020 8. The ATG programme was focused exclusively on civilian road vehicle autonomy. No public evidence has been identified of Uber’s autonomous vehicle research having any military application, or of any component of the Aurora transaction involving Israeli state or defence entities 8. Post-divestiture, Uber holds no autonomous vehicle development operations.
Uber has faced civil society and regulatory scrutiny regarding the opacity of its surge pricing and driver deactivation algorithms in various jurisdictions (primarily US, EU, and UK) 1[^2 — see S1, S2]. These concerns are domestic labour and consumer protection issues; no such scrutiny has been identified as relating to Israeli state technology provision or occupation-related harm.
No public evidence has been identified of Uber operating an R&D facility, engineering office, innovation laboratory, or accelerator programme within Israel. Uber’s principal engineering and R&D centres, as disclosed in its annual reports, are located in San Francisco (headquarters), New York, Amsterdam, Bangalore, and Hyderabad 1.
Uber launched Uber Eats delivery operations in the Tel Aviv market in 2019 ([pre-2020]) [^7 — see S11, S27]. This constituted a commercial operations presence, not an R&D or technology development footprint. In May 2020, Uber announced the withdrawal of Uber Eats from the Israeli market as part of a broader retreat from eight markets globally 7. Status: discontinued as of May 2020. No subsequent re-entry into the Israeli market has been identified in public disclosures.
No acquisitions of Israeli-origin technology companies by Uber have been identified in public records, SEC filings, or press reporting through the knowledge cutoff 115168. Notable Uber acquisitions reviewed and confirmed as non-Israeli-origin include:
Uber Ventures, Uber’s investment arm, has not been publicly identified as a strategic investor in Israeli technology startups or Israeli venture funds in any disclosed filing or named press announcement as of the knowledge cutoff. No public evidence identified of Uber acquisitions or strategic investments in Israeli technology entities.
Uber holds a substantial global patent portfolio, primarily in navigation, ride-matching, dynamic pricing, and autonomous systems, filed through the USPTO 1. No public evidence has been identified of co-development arrangements, licensing agreements, or joint patent filings between Uber and Israeli-domiciled entities or Israeli research institutions (including Technion – Israel Institute of Technology, Hebrew University of Jerusalem, or the Weizmann Institute of Science).
Uber’s R&D expenditure is disclosed in its annual 10-K filings with the SEC 1. The FY2023 10-K records substantial R&D investment directed primarily at platform engineering, safety systems, and logistics optimisation. No portion of disclosed R&D expenditure is identified as allocated to Israeli partnerships, joint ventures, or in-country programmes.
Uber Freight’s technology partnerships and logistics analytics vendor relationships are not comprehensively disclosed in public filings or trade press. No public evidence has been identified of Israeli-origin logistics, fleet analytics, or AI platforms embedded in the Uber Freight product. (See Evidence Gaps for scope limitation.)
Amnesty International’s Technology team and Human Rights Watch have each published substantive reports examining the surveillance industry, corporate technology provision to authoritarian governments, and the role of technology companies in the occupied Palestinian territories (2021–2023) 1314. However, no report specifically addressing Uber’s technology relationships with the Israeli state, Israeli military or intelligence bodies, or its historical operations in occupied territories has been identified in either organisation’s published catalogue 1314.
No UN Special Rapporteur reports, Responsible Business and Human Rights assessments, or peer-reviewed academic studies specifically examining Uber in the context of Israeli technology supply chains have been identified.
The BDS (Boycott, Divestment, Sanctions) National Committee maintains public campaign target lists of companies and brands 12. As of the knowledge cutoff, Uber does not appear on the BDS movement’s primary campaign target lists. The BDS movement’s technology-sector campaigns have focused principally on companies with direct Project Nimbus contracts (Google, Amazon), direct weapons or surveillance system contracts, or significant operational or commercial presence in Israeli settlements 12. Uber’s May 2020 withdrawal from the Israeli Uber Eats market 7 and the absence of identified defence or intelligence technology relationships mean Uber does not meet the primary criteria applied by BDS to its technology sector campaign targets.
No public evidence has been identified of an organised boycott, divestment, or sanctions campaign specifically targeting Uber on grounds of technology provision to Israeli state entities.
Uber operates a public bug bounty programme through HackerOne, which has been active since at least 2016 10. This programme is a standard commercial security practice with no identified connection to Israeli state security bodies or intelligence relationships.
No public evidence has been identified of regulatory inquiries, legal challenges, export control actions, or sanctions-related investigations involving Uber’s technology sales or services to Israeli state entities.
Uber has faced extensive regulatory actions globally — including labour classification litigation (UK, EU, US), data privacy enforcement (GDPR investigations in the Netherlands and France, FTC actions), and ride-hailing licensing disputes across multiple jurisdictions — none of which are related to Israeli state technology provision 1[^2 — see S1, S2]. The September 2022 cybersecurity breach generated an SEC 8-K filing 20 and subsequent regulatory attention regarding incident disclosure obligations; this is a domestic US securities compliance matter.
[pre-2020] This incident resulted in an FTC settlement and the criminal conviction of Uber’s former Chief Security Officer. No Israeli state dimension identified.https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001543151&type=10-K&dateb=&owner=include&count=10 ↩↩↩↩↩↩↩↩
https://www.nytimes.com/2022/09/15/technology/uber-hacking-breach.html ↩↩↩↩↩
https://www.wired.com/story/uber-hack-social-engineering-breach-2022/ ↩↩↩↩↩
https://www.darkreading.com/attacks-breaches/uber-lapsus-breach-what-happened ↩↩↩↩
https://techcrunch.com/2022/05/10/wiz-raises-300m-series-d/ ↩↩↩↩
https://www.theguardian.com/technology/2021/oct/12/google-amazon-workers-protest-project-nimbus-israel-military-contract ↩↩
https://www.reuters.com/article/us-uber-eats-markets/uber-eats-to-pull-out-of-eight-markets-idUSKBN22J1LN ↩↩
https://www.reuters.com/article/uber-aurora/uber-sells-self-driving-car-unit-to-aurora-idUSKBN28S1OJ ↩↩↩↩
https://hackerone.com/uber ↩
https://bdsmovement.net/Act-Now-Against-These-Companies-and-Brands ↩↩
https://www.theverge.com/2020/7/21/21332594/uber-routematch-acquisition-transit-software ↩↩
https://www.nice.com/resources/press-releases/ ↩
https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&CIK=0001543151&type=8-K&dateb=&owner=include&count=10 ↩↩↩↩
