
Google is now publishing coronavirus mobility reports, feeding off users’ location history

By Natasha Lomas

Google is giving the world a clearer glimpse of exactly how much it knows about people everywhere — using the coronavirus crisis as an opportunity to repackage its persistent tracking of where users go and what they do as a public good in the midst of a pandemic.

In a blog post today the tech giant announced the publication of what it’s branding ‘COVID-19 Community Mobility Reports’. Aka an in-house analysis of the much more granular location data it maps and tracks to fuel its ad-targeting, product development and wider commercial strategy to showcase aggregated changes in population movements around the world.

The coronavirus pandemic has generated a worldwide scramble for tools and data to inform government responses. In the EU, for example, the European Commission has been leaning on telcos to hand over anonymized and aggregated location data to model the spread of COVID-19.

Google’s data dump looks intended to dangle a similar idea of public policy utility while providing an eyeball-grabbing public snapshot of mobility shifts via data pulled off of its global user-base.

In terms of actual utility for policymakers Google’s suggestions are pretty vague. The reports could help government and public health officials “understand changes in essential trips that can shape recommendations on business hours or inform delivery service offerings”, it writes.

“Similarly, persistent visits to transportation hubs might indicate the need to add additional buses or trains in order to allow people who need to travel room to spread out for social distancing,” it goes on. “Ultimately, understanding not only whether people are traveling, but also trends in destinations, can help officials design guidance to protect public health and essential needs of communities.”

The location data Google is making public is similarly fuzzy — to avoid inviting a privacy storm — with the company writing it’s using “the same world-class anonymization technology that we use in our products every day”, as it puts it.

“For these reports, we use differential privacy, which adds artificial noise to our datasets enabling high quality results without identifying any individual person,” Google writes. “The insights are created with aggregated, anonymized sets of data from users who have turned on the Location History setting, which is off by default.”

“In Google Maps, we use aggregated, anonymized data showing how busy certain types of places are—helping identify when a local business tends to be the most crowded. We have heard from public health officials that this same type of aggregated, anonymized data could be helpful as they make critical decisions to combat COVID-19,” it adds, tacitly linking an existing offering in Google Maps to a coronavirus-busting cause.

The reports consist of per country, or per state, downloads (with 131 countries covered initially), further broken down into regions/counties — with Google offering an analysis of how community mobility has changed vs a baseline average before COVID-19 arrived to change everything.

So, for example, a March 29 report for the whole of the US shows a 47 per cent drop in retail and recreation activity vs the pre-CV period; a 22% drop in grocery & pharmacy; and a 19% drop in visits to parks and beaches. While the same date report for California shows a considerably greater drop in the latter (down 38% compared to the regional baseline); and slightly bigger decreases in both retail and recreation activity (down 50%) and grocery & pharmacy (-24%).

Google says it’s using “aggregated, anonymized data to chart movement trends over time by geography, across different high-level categories of places such as retail and recreation, groceries and pharmacies, parks, transit stations, workplaces, and residential”. The trends are displayed over several weeks, with the most recent information representing 48-to-72 hours prior, it adds.

The company says it’s not publishing the “absolute number of visits” as a privacy step, adding: “To protect people’s privacy, no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point.”

Google’s location mobility report for Italy, which remains the European country hardest hit by the virus, illustrates the extent of the change from lockdown measures applied to the population — with retail & recreation dropping 94% vs Google’s baseline; grocery & pharmacy down 85%; and a 90% drop in trips to parks and beaches.

The same report shows an 87% drop in activity at transit stations; a 63% drop in activity at workplaces; and an increase of almost a quarter (24%) of activity in residential locations — as many Italians stay at home, instead of commuting to work.

It’s a similar story in Spain — another country hard-hit by COVID-19. Though Google’s data for France suggests instructions to stay-at-home may not be being quite as keenly observed by its users there, with only an 18% increase in activity at residential locations and a 56% drop in activity at workplaces. Perhaps because the pandemic has so far had a less severe impact on France, although numbers of confirmed cases and deaths continue to rise across the region.

While policymakers have been scrambling for data and tools to inform their responses to COVID-19, privacy experts and civil liberties campaigners have rushed to voice concerns about the impacts of such data-fuelled efforts on individual rights, while also querying the wider utility of some of this tracking.

And yes, the disclaimer is very broad. I'd say, this is largely a PR move.

Apart from this, Google must be held accountable for its many other secondary data uses. And Google/Alphabet is far too powerful, which must be addressed at several levels, soon. https://t.co/oksJgQAPAY

— Wolfie Christl (@WolfieChristl) April 3, 2020

Contacts tracing is another area where apps are fast being touted as a potential solution to get the West out of economically crushing population lockdowns — opening up the possibility of people’s mobile devices becoming a tool to enforce lockdowns, as has happened in China.

“Large-scale collection of personal data can quickly lead to mass surveillance,” is the succinct warning of a trio of academics from London’s Imperial College’s Computational Privacy Group, who have compiled their privacy concerns vis-a-vis COVID-19 contacts tracing apps into a set of eight questions app developers should be asking.

Discussing Google’s release of mobile location data for a COVID-19 cause, the head of the group, Yves-Alexandre de Montjoye, gave a general thumbs up to the steps it’s taken to shrink privacy risks.

Although he also called for Google to provide more detail about the technical processes it’s using in order that external researchers can better assess the robustness of the claimed privacy protections. Such scrutiny is of pressing importance with so much coronavirus-related data grabbing going on right now, he argues.

“It is all aggregated, they normalize to a specific set of dates, they threshold when there are too few people and on top of this they add noise to make — according to them — the data differentially private. So from a pure anonymization perspective it’s good work,” de Montjoye told TechCrunch, discussing the technical side of Google’s release of location data. “Those are three of the big ‘levers’ that you can use to limit risk. And I think it’s well done.”

“But — especially in times like this when there’s a lot of people using data — I think what we would have liked is more details. There’s a lot of assumptions on thresholding, on how do you apply differential privacy, right?… What kind of assumptions are you making?” he added, querying how much noise Google is adding to the data, for example. “It would be good to have a bit more detail on how they applied [differential privacy]… Especially in times like this it is good to be… overly transparent.”

While Google’s mobility data release might appear to overlap in purpose with the Commission’s call for EU telco metadata for COVID-19 tracking, de Montjoye points out there are likely to be key differences based on the different data sources.

“It’s always a trade off between the two,” he says. “It’s basically telco data would probably be less fine-grained, because GPS is much more precise spatially and you might have more data points per person per day with GPS than what you get with mobile phone but on the other hand the carrier/telco data is much more representative — it’s not only smartphone, and it’s not only people who have latitude on, it’s everyone in the country, including non smartphone.”

There may be country specific questions that could be better addressed by working with a local carrier, he also suggested. (The Commission has said it’s intending to have one carrier per EU Member State providing anonymized and aggregated metadata.)

On the topical question of whether location data can ever be truly anonymized, de Montjoye — an expert in data reidentification — gave a “yes and no” response, arguing that original location data is “probably really, really hard to anonymize”.

“Can you process this data and make the aggregate results anonymous? Probably, probably, probably yes — it always depends. But then it also means that the original data exists… Then it’s mostly a question of the controls you have in place to ensure the process that leads to generating those aggregates does not contain privacy risks,” he added.

Perhaps a bigger question related to Google’s location data dump is around the issue of legal consent to be tracking people in the first place.

While the tech giant claims the data is based on opt-ins to location tracking, the company was fined $57M by France’s data watchdog last year for a lack of transparency over how it uses people’s data.

Then, earlier this year, the Irish Data Protection Commission (DPC) — now the lead privacy regulator for Google in Europe — confirmed a formal probe of the company’s location tracking activity, following a 2018 complaint by EU consumers groups which accuses Google of using manipulative tactics in order to keep tracking web users’ locations for ad-targeting purposes.

“The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing,” said the DPC in a statement in February, announcing the investigation.

The legal questions hanging over Google’s consent to track likely explain the repeat references in its blog post to people choosing to opt in and having the ability to clear their Location History via settings. (“Users who have Location History turned on can choose to turn the setting off at any time from their Google Account, and can always delete Location History data directly from their Timeline,” it writes in one example.)

In addition to offering up coronavirus mobility porn reports — which Google specifies it will continue to do throughout the crisis — the company says it’s collaborating with “select epidemiologists working on COVID-19 with updates to an existing aggregate, anonymized dataset that can be used to better understand and forecast the pandemic”.

“Data of this type has helped researchers look into predicting epidemics, plan urban and transit infrastructure, and understand people’s mobility and responses to conflict and natural disasters,” it adds.

What does a pandemic say about the tech we’ve built?

By Natasha Lomas

There’s a joke* being reshared on chat apps that takes the form of a multiple-choice question — asking who’s the leading force in workplace digital transformation? The red-lined punchline is not the CEO or CTO, but: C) COVID-19.

There’s likely more than a grain of truth underpinning the quip. The novel coronavirus is pushing a lot of metaphorical buttons right now. “Pause” buttons for people and industries, as large swathes of the world’s population face quarantine conditions that can resemble house arrest. The majority of offline social and economic activities are suddenly off limits.

Such major pauses in our modern lifestyle may even turn into a full reset, over time. The world as it was, where mobility of people has been all but taken for granted — regardless of the environmental costs of so much commuting and indulged wanderlust — may never return to “business as usual.”

If global leadership rises to the occasion, then the coronavirus crisis offers an opportunity to rethink how we structure our societies and economies — to make a shift toward lower carbon alternatives. After all, how many physical meetings do you really need when digital connectivity is accessible and reliable? As millions more office workers log onto the day job from home, that number suddenly seems vanishingly small.

COVID-19 is clearly strengthening the case for broadband to be a utility — as so much more activity is pushed online. Even social media seems to have a genuine community purpose during a moment of national crisis, when many people can only connect remotely, even with their nearest neighbours.

Hence the reports of people stuck at home flocking back to Facebook to sound off in the digital town square. Now that the actual high street is off limits, the vintage social network is experiencing a late second wind.

Facebook understands this sort of higher societal purpose already, of course. Which is why it’s been so proactive about building features that nudge users to “mark yourself safe” during extraordinary events like natural disasters, major accidents and terrorist attacks. (Or indeed, why it encouraged politicians to get into bed with its data platform in the first place — no matter the cost to democracy.)

In less fraught times, Facebook’s “purpose” can be loosely summed to “killing time.” But with ever more sinkholes being drilled by the attention economy, that’s a function under ferocious and sustained attack.

Over the years the tech giant has responded by engineering ways to rise back to the top of the social heap — including spying on and buying up competition, or directly cloning rival products. It’s been pulling off this trick, by hook or by crook, for over a decade. Albeit, this time Facebook can’t take any credit for the traffic uptick; a pandemic is nature’s dark pattern design.

What’s most interesting about this virally disrupted moment is how much of the digital technology that’s been built out online over the past two decades could very well have been designed for living through just such a dystopia.

Seen through this lens, VR should be having a major moment. A face computer that swaps out the stuff your eyes can actually see with a choose-your-own-digital-adventure of virtual worlds to explore, all from the comfort of your living room? What problem are you fixing, VR? Well, the conceptual limits of human lockdown in the face of a pandemic quarantine right now, actually…

Virtual reality has never been a compelling proposition versus the rich and textured opportunity of real life, except within very narrow and niche bounds. Yet all of a sudden, here we all are — with our horizons drastically narrowed and real-life news that’s ceaselessly harrowing. So it might yet end up a wry punchline to another multiple choice joke: “My next vacation will be: A) Staycation, B) The spare room, C) VR escapism.”

It’s videoconferencing that’s actually having the big moment, though. Turns out even a pandemic can’t make VR go viral. Instead, long-lapsed friendships are being rekindled over Zoom group chats or Google Hangouts. And Houseparty — a video chat app — has seen surging downloads as barflies seek out alternative night life with their usual watering-holes shuttered.

Bored celebs are TikToking. Impromptu concerts are being live-streamed from living rooms via Instagram and Facebook Live. All sorts of folks are managing social distancing, and the stress of being stuck at home alone (or with family), by distant socializing: signing up to remote book clubs and discos; joining virtual dance parties and exercise sessions from bedrooms; taking a few classes together; the quiet pub night with friends has morphed seamlessly into a bring-your-own-bottle group video chat.

This is not normal — but nor is it surprising. We’re living in the most extraordinary time. And it seems a very human response to mass disruption and physical separation (not to mention the trauma of an ongoing public health emergency that’s killing thousands of people a day) to reach for even a moving pixel of human comfort. Contactless human contact is better than none at all.

Yet the fact all these tools are already out there, ready and waiting for us to log on and start streaming, should send a dehumanizing chill down society’s backbone.

It underlines quite how much consumer technology is being designed to reprogram how we connect with each other, individually and in groups, in order that uninvited third parties can cut a profit.

Back in the pre-COVID-19 era, a key concern being attached to social media was its ability to hook users and encourage passive feed consumption — replacing genuine human contact with voyeuristic screening of friends’ lives. Studies have linked the tech to loneliness and depression. Now that we’re literally unable to go out and meet friends, the loss of human contact is real and stark. So being popular online in a pandemic really isn’t any kind of success metric.

Houseparty, for example, self-describes as a “face to face social network” — yet it’s quite the literal opposite; you’re foregoing face-to-face contact if you’re getting virtually together in app-wrapped form.

The implication of Facebook’s COVID-19 traffic bump is that the company’s business model thrives on societal disruption and mainstream misery. Which, frankly, we knew already. Data-driven adtech is another way of saying it’s been engineered to spray you with ad-flavored dissatisfaction by spying on what you get up to. The coronavirus just hammers the point home.

The fact we have so many high-tech tools on tap for forging digital connections might feel like amazing serendipity in this crisis — a freemium bonanza for coping with terrible global trauma. But such bounty points to a horrible flip side: It’s the attention economy that’s infectious and insidious. Before “normal life” plunged off a cliff, all this sticky tech was labelled “everyday use;” not “break out in a global emergency.”

It’s never been clearer how these attention-hogging apps and services are designed to disrupt and monetize us; to embed themselves in our friendships and relationships in a way that’s subtly dehumanizing; re-routing emotion and connections; nudging us to swap in-person socializing for virtualized fuzz designed to be data-mined and monetized by the same middlemen who’ve inserted themselves unasked into our private and social lives.

Captured and recompiled in this way, human connection is reduced to a series of dilute and/or meaningless transactions; the platforms deploying armies of engineers to knob-twiddle and pull strings to maximize ad opportunities, no matter the personal cost.

It’s also no accident we’re seeing more of the vast and intrusive underpinnings of surveillance capitalism emerge, as the COVID-19 emergency rolls back some of the obfuscation that’s used to shield these business models from mainstream view in more normal times. The trackers are rushing to seize and colonize an opportunistic purpose.

Tech and ad giants are falling over themselves to get involved with offering data or apps for COVID-19 tracking. They’re already in the mass surveillance business, so it has likely never felt like a better moment than the present pandemic for the big data lobby to press the lie that individuals don’t care about privacy, as governments cry out for tools and resources to help save lives.

First the people-tracking platforms dressed up attacks on human agency as “relevant ads.” Now the data industrial complex is spinning police-state levels of mass surveillance as pandemic-busting corporate social responsibility. How quick the wheel turns.

But platforms should be careful what they wish for. Populations that find themselves under house arrest with their phones playing snitch might be just as quick to round on high-tech gaolers as they’ve been to sign up for a friendly video chat in these strange and unprecedented times.

Oh, and Zoom (and others) — more people might actually read your “privacy policy” now they’ve got so much time to mess about online. And that really is a risk.

Every day there's a fresh Zoom privacy/security horror story. Why now, all at once?

It's simple: the problems aren't new but suddenly everyone is forced to use Zoom. That means more people discovering problems and also more frustration because opting out isn't an option. https://t.co/O9h8SHerok

— Arvind Narayanan (@random_walker) March 31, 2020

*Source is a private Twitter account called @MBA_ish

It’s still easy to find coronavirus mask ads on Facebook

By Natasha Lomas

Ads for face masks are still appearing on Facebook, Instagram and Google, according to a review of the platforms carried out by the Tech Transparency Project (TTP). This despite pledges by the platforms that they would stamp out ads which seek to profit from the coronavirus pandemic.

Facebook said on March 6 that it would temporarily ban commerce listings and advertisements for medical face masks, in an effort to combat price-gouging and misinformation during the COVID-19 crisis.

Google followed suit a few days later, saying it would temporarily ban all medical face mask ads “out of an abundance of caution”.

The risk of online misinformation exacerbating a global public health crisis has been front of mind for policymakers in many Western markets. Meanwhile front line medical staff continue to face shortages of vital personal protective equipment, such as N95 masks, as they battle rising rates of infection.

There has also been concern that online sellers are attempting to cash in on a public health crisis by price gouging and/or targeting Internet users with ads for substandard masks.

Early last week two Democrat senators urged the US’ FTC to act, blasting Google for continuing to allow ads for face masks to be shown to Internet users.

A week later and ads are still circulating.

The TTP — a research project by the nonprofit Campaign for Accountability, a group which focuses on exposing misconduct and malfeasance in public life — reported finding web users still being targeted with face mask ads on Google this week.

It also conducted a review of Facebook and Instagram, and was able to find more than 130 pages on Facebook listing masks for sale, including some using the platform’s ecommerce tools. 

“One Facebook Page called ‘CoronaVirus Mask’ offers a ‘respiratory mask collection,’ with prices ranging from $32 to $37, and uses Facebook’s ‘Shop’ feature to display its merchandise and allow people to add purchases to their cart,” it writes in a blog post. “Facebook’s ‘check out on website’ button then directs users to complete the purchase on the seller’s website.”

“Facebook pages that use WhatsApp to establish contact with buyers are employing a tactic commonly used by wildlife and other traffickers, who often display goods on Facebook and then arrange the actual purchase through WhatsApp encrypted messages. The Facebook Page ‘Surgical Face Mask For Sale,’ for example, has a video showing boxes of medical masks and the seller’s WhatsApp number scrawled on a piece of paper,” it added.

“A visit to one of these Facebook pages often triggers recommendations for other pages selling face masks, a sign that the platform’s algorithms are actually amplifying the reach of these sketchy sellers. TTP, without logging into Facebook, went to the page for ‘Corona Mask Shop’ and was served up ‘Related Pages’ for ‘Corona Mask 247’ and ‘Corona MASK on sale.’”

TechCrunch conducted our own searches on Facebook today and, while some obvious search terms returned no results, with a little tweaking of keyword choice we were quickly able to find additional pages hawking face masks — such as an example grabbed from a Facebook page calling itself ‘Face Mask Manufacturer’.

From this page Facebook’s algorithm then recommended more pages — with names like ‘Medical Masks’ and ‘Dispo mask for sale’ — which also appeared to be selling masks.

The TTP’s review also found mask ads circulating on Facebook-owned Instagram.

“One Instagram account for @coronavsmask reads, ‘Act now before it’s too late! GET your N95 Respiratory Face Mask NOW!’ It only has a single post but already counts over 6,300 followers,” it wrote. “An account created on March 14 called @handsanitizers_and_coronamask includes over a dozen posts offering such products.”

It also found “several” Instagram accounts that sell drugs had begun to incorporate medical face masks into their offerings.

At the time of writing Facebook had not responded to our request for comment on the findings.

In further searches the group reproduced examples of Google’s third party advertising display network serving ads for face masks alongside news stories related to the coronavirus — an issue highlighted by Sen. Mark Warner in a tweet last week when he blasted the company for “still running ads for facemasks and other coronavirus scams”.

Why is @Google still running ads for facemasks and other coronavirus scams?

Despite promises from the company, all it takes is one Google search for "coronavirus" and "mask" and this is what you get. pic.twitter.com/2UsqviuQzt

— Mark Warner (@MarkWarner) March 18, 2020

“The Facebook mask pages were searched and collected on March 17-18 using the terms “corona mask,” “N95,” and “surgical mask” in Facebook’s search function,” a TTP spokesman told us when asked for more info about its review. “Of the more than 130 pages identified, 43 were created in the month of March, more than a dozen of those just days before TTP ran the searches.”

“We don’t have the same level of data from Instagram/Google. Instagram’s search function does not lend itself to the same search ability; it doesn’t bring up a list of accounts based on a single term like Facebook’s search function does. With Google, our goal was to show examples of Google-served ads; those were identified in news stories on March 18,” he added.

We reached out to Google for comment on the findings and a spokesman told us the company has a dedicated task force that has removed “millions” of ads in the past week alone — which he said had already led to a sharp decrease in face mask ads. But Google said “opportunistic advertisers” had been trying to run “an unprecedented number” of these ads on its platforms.

Here’s Google’s statement:

Since January, we’ve blocked ads for products that aim to capitalise on coronavirus, including a temporary ban on face mask ads. In the past few weeks, we’ve seen opportunistic advertisers try to run an unprecedented number of these ads on our platforms. We have a dedicated task force working to combat this issue and have removed millions of ads in the past week alone. We’re monitoring the situation closely and continue to make real-time adjustments to protect our users.

Google declined to specify how many people it has working to identify and remove mask ads, saying only that the taskforce is made up of members from its product, engineering, enforcement and policy teams — and that it’s been set up with coverage across time zones.

It also said the examples highlighted by TTP are already over a week old and do not reflect the impact of its newest enforcement measures.

The company told us it’s analysing both ad content and how they’re served to enhance its takedown capacity.

Declining ad rates may signal a reset for startup SEM strategies

By Danny Crichton

With limited prospects for growth, one of the iron laws of economic downturns is that advertising is among the first budgets to be cut.

Advertising revenues have already cratered at many alt-weekly newspapers, which heavily rely on local events and restaurants that have been shuttered in the wake of the COVID-19 outbreak. BuzzFeed even went so far (as they do) to label it a “media extinction event.”

Clearly it’s bad times, but I wanted to get a lot more granular around the data for ad rates, particularly around top startups. So I compiled a list of a little more than 100 unicorns across a variety of sectors and explored how the prices of their search engine keywords have changed with the global pandemic that is sparking a global recession.

The results aren’t surprising — there has been a collapse in prices for almost all ads (with some very interesting exceptions we will get to in a bit). But the variations across startups in their online ad performance say a lot about industries like food delivery and enterprise software, and also the long-term revenue performance of Google, Facebook and other digital advertising networks.

A quick overview of the data

It’s common for startups to buy their own keywords on search engines like Google and the App Store. Owning that top rank guarantees that their own company’s page is the first result a user sees and prevents competitors from buying their name, potentially intercepting customers.

Mozilla expands its partnership with ad-free subscription service Scroll

By Anthony Ha

Mozilla just announced a new initiative called Firefox Better Web with Scroll, which combines the tracking protection built into its Firefox browser with the ad-free browsing experience offered by Scroll.

Last year, Firefox turned on something called Enhanced Tracking Protection for all its users by default, blocking third-party cookies and crypto-mining. Scroll, meanwhile, is a startup that recently launched a subscription service allowing you to read sites like BuzzFeed News, Business Insider, Salon, Slate and Vox without ads, with the revenue split among the publishers that you’re actually visiting.

Mozilla has already been working with Scroll to collect feedback on this approach from small groups of Firefox users. Here’s how the company summarized its findings:

  • Users see ads as distracting and say their online experience is broken (in the tech world, we call it breakage).
  • Users care a great deal about supporting journalism. Many users intentionally choose not to install ad-blockers because of the impact that it would have on publishers.
  • Users want to support Mozilla because we’re a non-profit and put our users first with Firefox.

Now, anyone in the United States who’s interested in trying this out can sign up for a Firefox account and install the Scroll extension. They’ll need to pay for a Scroll subscription as well — the company’s currently charging an introductory price of $2.49 per month, with plans to eventually increase to $4.99.

In a blog post, Scroll said the results since launch are delivering on its promise to bring publishers more money than advertising — in fact, publishers are seeing an average $30 to $40 RPM (revenue per thousand pageviews) from Scroll visitors.

“The model works, and combined with Firefox’s best ever private browsing experience, we can bring a better web to many more,” the company said.

Facebook bans face mask ads to fight coronavirus price gouging

By Taylor Hatmaker

On Friday, Facebook announced that it would further attempt to limit coronavirus-related chaos on its platform by banning commerce listings and advertisements for medical face masks.

“We’re monitoring COVID19 closely and will make necessary updates to our policies if we see people trying to exploit this public health emergency,” Facebook Director of Product Management Rob Leathern said in an update on Twitter. “We’ll start rolling out this change in the days ahead.”

Update: We’re banning ads and commerce listings selling medical face masks. We’re monitoring COVID19 closely and will make necessary updates to our policies if we see people trying to exploit this public health emergency. We’ll start rolling out this change in the days ahead.

— Rob Leathern (@robleathern) March 7, 2020

As fears of a novel coronavirus epidemic swell worldwide, online platforms have scrambled to stop price gouging and health misinformation. Amazon is working to eradicate “high priced offers” on products like hand sanitizer and face masks from its marketplace, while Ebay has banned all listings for N95 and N100 face masks, hand sanitizer and alcohol wipes. The online auction site will also reject any listings exploiting terms like “COVID-19” and “coronavirus.”

On Wednesday, Senator Ed Markey (D-MA) wrote an open letter to Amazon’s Jeff Bezos expressing concern over “continued reports of price gouging and a lack of transparency” on the site.

“No one should be allowed to reap a windfall from fear and human suffering,” Markey wrote, adding that online retailers have a “particular responsibility” to protect consumers in the midst of the coronavirus outbreak.

Earlier this week, Facebook announced that coronavirus-related searches on its platform would be greeted with an automatic pop-up featuring information from the World Health Organization and local health authorities.

“Given the developing situation, we’re working with national ministries of health and organizations like the WHO, CDC and UNICEF to help them get out timely, accurate information on the coronavirus,” Mark Zuckerberg wrote in an update on his company’s efforts. “We’re giving the WHO as many free ads as they need for their coronavirus response along with other in-kind support.”

The company is also focused on curtailing potentially life-threatening coronavirus misinformation, removing ads, conspiracy theories and treatment claims with no scientific basis. Facebook’s decision to disable ads for face masks comes at a time when health authorities are urging well people to forgo buying the masks, both because they are not necessary for healthy individuals to wear and because demand for the masks is constricting their supply for the medical workers who need them most.

Break-even ads can generate free brand awareness

By Walter Thompson
Julian Shapiro Contributor
Julian Shapiro is the founder of BellCurve.com, a growth marketing team that trains startups in advanced growth, helps you hire senior growth marketers and finds you vetted growth agencies. He also writes at Julian.com.

We’ve aggregated many of the world’s best growth marketers into one community. Twice a month we ask them to share their most effective growth tactics, and we compile them into this growth report.

This is how you stay up-to-date on growth marketing tactics — with advice that’s hard to find elsewhere.

Our community consists of 1,000 startup founders and VPs of growth from later-stage companies. We have 400 YC founders, plus senior marketers from companies including Medium, Docker, Invision, Intuit, Pinterest, Discord, Webflow, Lambda School, Perfect Keto, Typeform, Modern Fertility, Segment, Udemy, Puma, Cameo and Ritual.

You can participate in our community by joining Demand Curve’s marketing webinars, Slack group or marketing training program.

Without further ado, on to our community’s advice.


How Gmail decides which emails go to spam

Twitter CEO’s weak argument why investors shouldn’t fire him

By Josh Constine

Twitter CEO Jack Dorsey might not spend six months a year in Africa, claims the real product development is under the hood, and gives an excuse for deleting Vine before it could become TikTok. Today he tweeted, via Twitter’s investor relations account, a multi-pronged defense of his leadership and the company’s progress.

The proclamations come as notorious activist investor Elliott Management prepares to pressure Twitter into a slew of reforms, potentially including replacing Dorsey with a new CEO, Bloomberg reported last week. Sources confirmed to TechCrunch that Elliott has taken a 4% to 5% stake in Twitter. Elliott has previously bullied eBay, AT&T, and other major corporations into making changes and triggered CEO departures.

…Focusing on one job and increasing accountability has made a huge difference for us. One of our core jobs is to keep people informed. We want to be a service that people turn to… to see what’s happening, to be a credible source that people learn from.

— Twitter Investor Relations (@TwitterIR) March 5, 2020

Specifically, Elliott is seeking change because of Twitter’s weak market performance, which as of last month had fallen 6.2% since July 2015 while Facebook had grown 121%. The corporate raider reportedly takes issue with Dorsey also running fintech giant Square, and having planned to spend up to six months a year in Africa. Dorsey tweeted that “Africa will define the future (especially the bitcoin one!)”, despite cryptocurrency having little to do with Twitter.

Rapid executive turnover is another sore spot. Finally, Twitter is seen as moving glacially slow on product development, with little about its core service changing in the past five years beyond a move from 140 to 280 characters per tweet. Competing social apps like Facebook and Snapchat have made landmark acquisitions and launched significant new products like Marketplace, Stories, and Discover.

Dorsey spoke today at the Morgan Stanley investor conference, though apparently didn’t field questions about Elliott’s incursion. The CEO did take to his platform to lay out an argument for why Twitter is doing better than it looks, though without mentioning the activist investor directly. That type of response, without mentioning to whom it’s directed, is popularly known as a subtweet. Here’s what he outlined:

On democracy: Twitter has prioritized healthy conversation and now “the #1 initiative is the integrity of the conversation around the elections” around the world, which it’s learning from. It’s now using humans and machine learning to weed out misinformation, yet Twitter still hasn’t rolled out labels on false news despite Facebook launching them in late 2016.

On revenue: Twitter expects to complete a rebuild of its core ad server in the first half of 2020, and it’s improving the experience of mobile app install ads so it can court more performance ad dollars. This comes seven years late to Facebook’s big push around app install ads.

On shutting down products: Dorsey claims that “5 years ago we had to do a really hard reset and that takes time to build from… we had been a company that was trying to do too many things…” But was it? Other than Moments, which largely flopped, and the move to the algorithmic feed ranking, Twitter sure didn’t seem to be doing too much and was already being criticized for slow product evolution as it tried to avoid disturbing its most hardcore users.

On stagnation: “Some people talk about the slow pace of development at Twitter. The expectation is to see surface level changes, but the most impactful changes are happening below the surface,” Dorsey claims, citing the use of machine learning to improve feed and notification relevance.

Yet it seems telling that Twitter suddenly announced yesterday that it was testing Instagram Stories-esque feature Fleets in Brazil. No launch event. No US beta. No indication of when it might roll out elsewhere. It seems like hasty and suspiciously convenient timing for a reveal that might convince investors it is actually building new things.

On talent: Twitter is apparently hiring top engineers “that maybe we couldn’t get 3 years ago”. 2017 was also Twitter’s share price low point of $14 compared to $34 today, so it’s not much of an accomplishment that hiring is easier now. Dorsey claims that “Engineering is my main focus. Everything else follows from that.” Yet it’s been years since fail whales were prevalent, and the core concern now is that there’s not enough to do on Twitter, rather than what it does offer doesn’t function well.

On Jack himself: Dorsey says he should have added more context “about my intention to spend a few months in Africa this year”, including its growing population that’s still getting online. Yet the “Huge opportunity especially for young people to join Twitter” seemed far from his mind as he focused on how crypto trading was driving adoption of Square’s Cash App.

“I need to reevaluate” the plan to work from Africa “in light of COVID-19 and everything else going on”. That makes coronavirus a nice scapegoat for the decision while the phrase “everything else” is doing some very heavy lifting in the face of Elliott’s activist investing.

On fighting harassment: Nothing. The fact that Twitter’s most severe ongoing problem doesn’t even get a mention should clue you in to how many troubles have stacked up in front of Dorsey.

Running Twitter is a big job. So big it’s seen a slew of leaders ranging from founders like Ev Williams to hired guns like Dick Costolo peel off after mediocre performance. If Dorsey wants to stay CEO, that should be his full-time, work-from-headquarters gig.

This isn’t just another business. Twitter is a crucial communications utility for the world. Its absence of innovation, failure to defend vulnerable users, and inability to deliver financially have massive repercussions for society. It means Twitter hasn’t had the products or kept the users to earn the profits to be able to invest in solving its problems. Making Twitter live up to its potential is no side hustle.

mParticle raises $45M to help marketers unify customer data

By Anthony Ha

mParticle, which helps companies like Spotify, Paypal and Starbucks manage their customer data, is announcing that it has raised $45 million in Series D funding.

Co-founder and CEO Michael Katz told me that the company has benefited from broader shifts — like new privacy regulation and the shift away from cookie-based browser tracking — that increase brands’ needs for a platform like mParticle that uses “modern data infrastructure” to deliver a personalized experience for customers without running afoul of any regulations.

As a result, he said mParticle has nearly quintupled its revenue since it raised a $35 million Series C in 2017. (The company has raised more than $120 million total.)

“The challenges that we solve are universal,” Katz said. “It doesn’t matter if there’s a small company or big company. Data fragmentation, data quality, consistent change in the privacy landscape, consistent change in the technology ecosystem, these are universal challenges.”

Perhaps for that very reason, a whole industry of customer data platforms has sprung up since mParticle was founded back in 2013, all offering tools to help marketers create a single view of their customers by unifying data from various sources. Even big players like Adobe and Salesforce have announced their own CDPs as part of their larger marketing clouds.

When asked about the competition, Katz said, “The market has responded overwhelmingly by saying, ‘I don’t want one vendor to rule everything for me.’ Why be beholden to one suite of tools that’s just an amalgamation of products that were built in the early 2000s?”

Instead, he argued that mParticle customers want “a best-in-breed combination of independent solutions that can be integrated seamlessly.”

Getting back to the new funding — Arrowroot Capital led the round, with the firm’s managing partner Matthew Safaii joining mParticle’s board of directors. Existing investors also participated.

Katz said the funding will be spent in three broad areas: building new products, scaling its global data infrastructure and finding new partners. In fact, the company is also announcing a partnership with LiveRamp, through which mParticle customers can combine their first-party data with the third-party data from LiveRamp.

“We see this partnership with LiveRamp as an opportunity to extend the surface area by which our customers can deliver highly personalized, privacy-friendly experiences,” Katz said.

Pinterest adds DoorDash exec and Caviar lead Gokul Rajaram to its board

By Sarah Perez

Pinterest is bringing on a new board member. The company announced today it has appointed Gokul Rajaram, Caviar lead at soon-to-go-public DoorDash, to its board of directors and as a member of its Nominating and Corporate Governance Committee. The addition signals Pinterest’s desire to bring more digital advertising expertise to its board, given Rajaram’s experience as product director of Ads at Facebook and product management director at Google AdSense.

“Gokul brings great experience and innovation to our Board and we look forward to his many contributions,” said Pinterest CEO and co-founder Ben Silbermann, in a statement. “His proven track record in shopping, digital advertising and content will be incredibly beneficial as we continue to bring inspirational experiences to users and advertisers on Pinterest,” he added.

Currently, Rajaram serves on DoorDash’s executive team where he leads the premium food ordering service, Caviar, which DoorDash acquired from Square last year for $410 million. The Caviar deal included Rajaram and team, in addition to the service’s restaurant partnerships. At Square, Rajaram spent five years heading Caviar and before that, had led several product development teams.

Rajaram’s background also includes time at Facebook and Google, where he focused on digital ads. At Facebook, he helped the company transform its ads business to become mobile-first. And at Google, he helped launch the Google AdSense product and grow it into a substantial portion of Google’s business, Pinterest notes.

Other relevant experience includes time on RetailMeNot’s board, as well as work as an investor and advisor to numerous startups, including those that intersected retail/e-commerce, analytics and social — like Pinterest-focused Piquora, mobile ad company Vungle, retail advertising startup PromoteIQ and many others.

Today, Rajaram additionally serves on the boards of The Trade Desk and Course Hero.

Rajaram has a bachelor’s degree in Computer Science Engineering from the Indian Institute of Technology, Kanpur where he was class valedictorian. He received an MBA from The Massachusetts Institute of Technology and a Master of Computer Science from the University of Texas at Austin, where he received the MCD University Fellowship.

His addition to Pinterest’s board comes at a time when the company’s ad business is growing.

Earlier this month, Pinterest reported revenues for 2019 had topped $1 billion, up 51% over 2018. In the fourth quarter alone, Pinterest saw $400 million in revenue, up 46% year-over-year, and beating analyst forecasts of $371.2 million. Feed-based Shopping Ads contributed heavily to this growth, with the ads more than doubling in the second half of 2019 compared with the first. Pinterest also said its investment in measurement tools had been paying off. In Q4, conversion campaigns — which let advertisers track from pin clicks to actions, like adding items to a cart — grew by 150%.

The company said during earnings that scaling its ads business would continue to be a strategic priority in 2020, as it looks to capture more mid-size and international advertisers and make the service more shoppable.

“Pinterest is a beloved brand that inspires people to create a life they love,” said Gokul Rajaram, about his board appointment. “I’ve always been excited about Pinterest’s mission and impact on people’s everyday lives, and am thrilled to help Ben, Evan, and the team continue building amazing products that empower people and advertisers around the world,” he said.

Rajaram joins other Pinterest board members Jeffrey Jordan, GP at Andreessen Horowitz; Leslie Kilgore, previously Netflix CMO; BVP partner Jeremy Levine; Fredric Reynolds, previously CFO at CBS; Michelle Wilson, previously from Amazon legal; and Pinterest co-founders Evan Sharp and Ben Silbermann.

Facebook’s latest ‘transparency’ tool doesn’t offer much — so we went digging

By Natasha Lomas

Just under a month ago Facebook switched on global availability of a tool which affords users a glimpse into the murky world of tracking that its business relies upon to profile users of the wider web for ad targeting purposes.

Facebook is not going boldly into transparent daylight — but rather offering what privacy rights advocacy group Privacy International has dubbed “a tiny sticking plaster on a much wider problem”.

The problem it’s referring to is the lack of active and informed consent for mass surveillance of Internet users via background tracking technologies embedded into apps and websites, including as people browse outside Facebook’s own content garden.

The dominant social platform is also only offering this feature in the wake of the 2018 Cambridge Analytica data misuse scandal, when Mark Zuckerberg faced awkward questions in Congress about the extent of Facebook’s general web tracking. Since then policymakers around the world have dialled up scrutiny of how its business operates — and realized there’s a troubling lack of transparency in and around adtech generally and Facebook specifically.

Facebook’s tracking pixels and social plugins — aka the share/like buttons that pepper the mainstream web — have created a vast tracking infrastructure which silently informs the tech giant of Internet users’ activity, even when a person hasn’t interacted with any Facebook-branded buttons.

Facebook claims this is just ‘how the web works’. And other tech giants are similarly engaged in tracking Internet users (notably Google). But as a platform with 2.2BN+ users Facebook has got a march on the lion’s share of rivals when it comes to harvesting people’s data and building out a global database of person profiles.

It’s also positioned as a dominant player in an adtech ecosystem which means it’s the one being fed with intel by data brokers and publishers who deploy tracking tech to try to survive in such a skewed system.

Meanwhile the opacity of online tracking means the average Internet user is none the wiser that Facebook can be following what they’re browsing all over the Internet. Questions of consent loom very large indeed.

Facebook is also able to track people’s usage of third party apps if a person chooses a Facebook login option which the company encourages developers to implement in their apps — again the carrot being to be able to offer a lower friction choice vs requiring users create yet another login credential.

The price for this ‘convenience’ is data and user privacy as the Facebook login gives the tech giant a window into third-party app usage.

The company has also used a VPN app it bought and badged as a security tool to glean data on third party app usage — though it’s recently stepped back from the Onavo app after a public backlash (though that did not stop it running a similar tracking program targeted at teens).

Background tracking is how Facebook’s creepy ads function (it prefers to call such behaviorally targeted ads ‘relevant’) — and how they have functioned for years.

Yet it’s only in recent months that it’s offered users a glimpse into this network of online informers — by providing limited information about the entities that are passing tracking data to Facebook, as well as some limited controls.

From ‘Clear History’ to “Off-Facebook Activity”

Originally briefed in May 2018, at the crux of the Cambridge Analytica scandal, as a ‘Clear History’ option this has since been renamed ‘Off-Facebook Activity’ — a label so bloodless and devoid of ‘call to action’ that the average Facebook user, should they stumble upon it buried deep in unlovely settings menus, would more likely move along than feel moved to carry out a privacy purge.

(For the record you can access the setting here — but you do need to be logged into Facebook to do so.)

The other problem is that Facebook’s tool doesn’t actually let you purge your browsing history, it just delinks it from being associated with your Facebook ID. There is no option to actually clear your browsing history via its button. Another reason for the name switch. So, no, Facebook hasn’t built a clear history ‘button’.

“While we welcome the effort to offer more transparency to users by showing the companies from which Facebook is receiving personal data, the tool offers little way for users to take any action,” said Privacy International this week, criticizing Facebook for “not telling you everything”.

As the saying goes, a little knowledge can be a dangerous thing. So a little transparency implies — well — anything but clarity. And Privacy International sums up the Off-Facebook Activity tool with an apt oxymoron — describing it as “a new window to the opacity”.

“This tool illustrates just how impossible it is for users to prevent external data from being shared with Facebook,” it writes, warning with emphasis: “Without meaningful information about what data is collected and shared, and what are the ways for the user to opt-out from such collection, Off-Facebook activity is just another incomplete glimpse into Facebook’s opaque practices when it comes to tracking users and consolidating their profiles.”

It points out, for instance, that the information provided here is limited to a “simple name” — thereby preventing the user from “exercising their right to seek more information about how this data was collected”, which EU users at least are entitled to.

“As users we are entitled to know the name/contact details of companies that claim to have interacted with us. If the only thing we see, for example, is the random name of an artist we’ve never heard before (true story), how are we supposed to know whether it is their record label, agent, marketing company or even them personally targeting us with ads?” it adds.

Another criticism is Facebook is only providing limited information about each data transfer — with Privacy International noting some events are marked “under a cryptic CUSTOM” label; and that Facebook provides “no information regarding how the data was collected by the advertiser (Facebook SDK, tracking pixel, like button…) and on what device, leaving users in the dark regarding the circumstances under which this data collection took place”.

“Does Facebook really display everything they process/store about those events in the log/export?” queries privacy researcher Wolfie Christl, who tracks the adtech industry’s tracking techniques. “They have to, because otherwise they don’t fulfil their SAR [Subject Access Request] obligations [under EU law].”

Christl notes Facebook makes users jump through an additional “download” hoop in order to view data on tracked events — and even then, as Privacy International points out, it gives up only a limited view of what has actually been tracked…

And it's just ridiculous.

FB doesn't show me the list of visits they recorded from a certain website in their web interface, no! I have to 'download my information', which takes a long time.

And then, I'm sure this is not all data they record when tracking a VIEW_CONTENT event: pic.twitter.com/qBO87Zp5YH

— Wolfie Christl (@WolfieChristl) January 29, 2020

“For example, why doesn’t Facebook list the specific sites/URLs visited? Do they infer data from the domains e.g. categories? If yes, why is this not in the logs?” Christl asks.

We reached out to Facebook with a number of questions, including why it doesn’t provide more detail by default. It responded with this statement attributed to a spokesperson:

We offer a variety of tools to help people access their Facebook information, and we’ve designed these tools to comply with relevant laws, including GDPR. We disagree with this [Privacy International] article’s claims and would welcome the chance to discuss them with Privacy International.

Facebook also said it’s continuing to develop which information it surfaces through the Off-Facebook Activity tool — and said it welcomes feedback on this.

We also asked it about the legal bases it uses to process people’s information that’s been obtained via its tracking pixels and social plug-ins. It did not provide a response to those questions.

Six names, many questions…

When the company launched the Off-Facebook Activity tool a snap poll of available TechCrunch colleagues showed very diverse results for our respective tallies (which also may not show the most recent activity, per other Facebook caveats) — ranging from one colleague who had an eye-watering 1,117 entities (likely down to doing a lot of app testing); to several with several/a few hundred apiece; to a couple in the middle tens.

In my case I had just six. But from my point of view — as an EU citizen with a suite of rights related to privacy and data protection; and as someone who aims to practice good online privacy hygiene, including having a very locked down approach to using Facebook (never using its mobile app for instance) — it was still six too many. I wanted to find out how these entities had circumvented my attempts not to be tracked.

And in the case of the first one in the list who on earth it was…

Turns out cloudfront is an Amazon Web Services Content Delivery Network subdomain. But I had to go searching online myself to figure out that the owner of that particular domain is (now) a company called Nativo.

Facebook’s list provided only very bare bones information. I also clicked to delink the first entity, since it immediately looked so weird, and found that by doing that Facebook wiped all the entries — which meant I was unable to retain access to what little additional info it had provided about the respective data transfers.

Undeterred I set out to contact each of the six companies directly with questions — asking what data of mine they had transferred to Facebook and what legal basis they thought they had for processing my information.

(On a practical level six names looked like a sample size I could at least try to follow up manually — but remember I was the TechCrunch exception; imagine trying to request data from 1,117 companies, or 450 or even 57, which were the lengths of lists of some of my colleagues.)

This process took about a month and a lot of back and forth/chasing up. It likely only yielded as much info as it did because I was asking as a journalist; an average Internet user may have had a tougher time getting attention on their questions — though, under EU law, citizens have a right to request a copy of personal data held on them.

Eventually, I was able to obtain confirmation that tracking pixels and Facebook share buttons had been involved in my data being passed to Facebook in certain instances. Even so I remain in the dark on many things. Such as exactly what personal data Facebook received.

In one case I was told by a listed company that it doesn’t know itself what data was shared — only Facebook knows because it’s implemented the company’s “proprietary code”. (Insert your own ‘WTAF’ there.)

The legal side of these transfers also remains highly opaque. From my point of view I would not intentionally consent to any of this tracking — but in some instances the entities involved claim that (my) consent was (somehow) obtained (or implied).

In other cases they said they are relying on a legal basis in EU law that’s referred to as ‘legitimate interests’. However this requires a balancing test to be carried out to ensure a business use does not have a disproportionate impact on individual rights.

I wasn’t able to ascertain whether such tests had ever been carried out.

Meanwhile, since Facebook is also making use of the tracking information from its pixels and social plug ins (and seemingly more granular use, since some entities claimed they only get aggregate not individual data), Christl suggests it’s unlikely such a balancing test would be easy to pass for that tiny little ‘platform giant’ reason.

Notably he points out Facebook’s Business Tool terms state that it makes use of so called “event data” to “personalize features and content and to improve and secure the Facebook products” — including for “ads and recommendations”; for R&D purposes; and “to maintain the integrity of and to improve the Facebook Company Products”.

In a section of its legal terms covering the use of its pixels and SDKs Facebook also puts the onus on the entities implementing its tracking technologies to gain consent from users prior to doing so in relevant jurisdictions that “require informed consent” for tracking cookies and similar — giving the example of the EU.

“You must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device,” Facebook writes, pointing users of its tools to its Cookie Consent Guide for Sites and Apps for “suggestions on implementing consent mechanisms”.

Christl flags the contradiction between Facebook claiming that users of its tracking tech need to gain prior consent vs claims I was given by some of these entities that they don’t because they’re relying on ‘legitimate interests’.

“Using LI as a legal basis is even controversial if you use a data analytics company that reliably processes personal data strictly on behalf of you,” he argues. “I guess, industry lawyers try to argue for a broader applicability of LI, but in the case of FB business tools I don’t believe that the balancing test (a business’s legitimate interests vs. the impact on the rights and freedoms of data subjects) will work in favor of LI.”

Those entities relying on legitimate interests as a legal base for tracking would still need to offer a mechanism where users can object to the processing — and I couldn’t immediately see such a mechanism in the cases in question.

One thing is crystal clear: Facebook itself does not provide a mechanism for users to object to its processing of tracking data nor opt out of targeted ads. That remains a long-standing complaint against its business in the EU which data protection regulators are still investigating.

One more thing: Non-Facebook users continue to have no way of learning what data of theirs is being tracked and transferred to Facebook. Only Facebook users have access to the Off-Facebook Activity tool, for example. Non-users can’t even access a list.

Facebook has defended its practice of tracking non-users around the Internet as necessary for unspecified ‘security purposes’. It’s an inherently disproportionate argument of course. The practice also remains under legal challenge in the EU.

Tracking the trackers

SimpleReach (aka d8rk54i4mohrb.cloudfront.net)

What is it? A California-based analytics platform (now owned by Nativo) used by publishers and content marketers to measure how well their content/native ads perform on social media. The product began life in the early noughties as a simple tool for publishers to recommend similar content at the bottom of articles before the startup pivoted — aiming to become ‘the PageRank of social’ — offering analytics tools for publishers to track engagement around content in real-time across the social web (plugging into platform APIs). It also built statistical models to predict which pieces of content will be the most social and where, generating a proprietary per article score. SimpleReach was acquired by Nativo last year to complement analytics tools the latter already offered for tracking content on the publisher/brand’s own site.

Why did it appear in your Off-Facebook Activity list? Given it’s a b2b product it does not have a visible consumer brand of its own. And, to my knowledge, I have never visited its own website prior to investigating why it appeared in my Off-Facebook Activity list. Clearly, though, I must have visited a site (or sites) that are using its tracking/analytics tools. Of course an Internet user has no obvious way to know this — unless they’re actively using tools to monitor which trackers are tracking them.

In a further quirk, neither the SimpleReach (nor Nativo) brand names appeared in my Off-Facebook Activity list. Rather a domain name was listed — d8rk54i4mohrb.cloudfront.net — which looked at first glance weird/alarming.

I found this is owned by SimpleReach by using a tracker analytics service.

Once I knew the name I was able to connect the entry to Nativo — via news reports of the acquisition — which led me to an entity I could direct questions to.  

What happened when you asked them about this? There was a bit of back and forth and then they sent a detailed response to my questions in which they claim they do not share any data with Facebook — “or perform ‘off site activity’ as described on Facebook’s activity tool”.

They also suggested that their domain had appeared as a result of their tracking code being implemented on a website I had visited which had also implemented Facebook’s own trackers.

“Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page. It is possible that one of our customers added a Facebook pixel to an article you visited using our technology. This could lead Facebook to attribute this pixel to our domain, though our domain was merely a ‘carrier’ of the code,” they told me.

In terms of the data they collect, they said this: “The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months. These values are used to give our customers a general idea of the number of users that visited the articles tracked.”

So, again, they suggested the reason why their domain appeared in my Off-Facebook Activity list is a combination of Nativo/SimpleReach’s tracking technologies being implemented on a site where Facebook’s retargeting pixel is also embedded — which then resulted in data about my online activity being shared with Facebook (which Facebook then attributes as coming from SimpleReach’s domain).

Commenting on this, Christl agreed it sounds as if publishers “somehow attach Facebook pixel events to SimpleReach’s cloudfront domain”.

“SimpleReach probably doesn’t get data from this. But the question is 1) is SimpleReach perhaps actually responsible (if it happens in the context of their domain); 2) The Off-Facebook activity is a mess (if it contains events related to domains whose owners are not web or app publishers).”

Nativo offered to determine whether they hold any personal information associated with the unique identifier they have assigned to my browser if I could send them this ID. However I was unable to locate such an ID (see below).

In terms of legal base to process my information the company told me: “We have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.”

Nativo also suggested that the Offsite Activity in question might have predated its purchase of the SimpleReach technology — which occurred on March 20, 2019 — saying any activity prior to this would mean my query would need to be addressed directly with SimpleReach, Inc. which Nativo did not acquire. (However in this case the activity registered on the list was dated later than that.)

Here’s what they said on all that in full:

Thank you for submitting your data access request.  We understand that you are a resident of the European Union and are submitting this request pursuant to Article 15(1) of the GDPR.  Article 15(1) requires “data controllers” to respond to individuals’ requests for information about the processing of their personal data.  Although Article 15(1) does not apply to Nativo because we are not a data controller with respect to your data, we have provided information below that will help us in determining the appropriate Data Controllers, which you can contact directly.

First, for details about our role in processing personal data in connection with our SimpleReach product, please see the SimpleReach Privacy Policy.  As the policy explains in more detail, we provide marketing analytics services to other businesses – our customers.  To take advantage of our services, our customers install our technology on their websites, which enables us to collect certain information regarding individuals’ visits to our customers’ websites. We analyze the personal information that we obtain only at the direction of our customer, and only on that customer’s behalf.

SimpleReach is an analytics tracker tool (Similar to Google Analytics) implemented by our customers to inform them of the performance of their content published around the web.  “d8rk54i4mohrb.cloudfront.net” is the domain name of the servers that collect these metrics.  We do not share data with Facebook or perform “off site activity” as described on Facebook’s activity tool.  Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page.  It is possible that one of our customers added a Facebook pixel to an article you visited using our technology.  This could lead Facebook to attribute this pixel to our domain, though our domain was merely a “carrier” of the code.

The SimpleReach tool is implemented on articles posted by our customers and partners of our customers.  It is possible you visited a URL that has contained our tracking code.  It is also possible that the Offsite Activity you are referencing is activity by SimpleReach, Inc. before Nativo purchased the SimpleReach technology. Nativo, Inc. purchased certain technology from SimpleReach, Inc. on March 20, 2019, but we did not purchase the SimpleReach, Inc. entity itself, which remains a separate entity unaffiliated with Nativo, Inc. Accordingly, any activity that occurred before March 20, 2019 pre-dates Nativo’s use of the SimpleReach technology and should be addressed directly with SimpleReach, Inc. If, for example, TechCrunch was a publisher partner of SimpleReach, Inc. and had SimpleReach tracking code implemented on TechCrunch articles or across the TechCrunch website prior to March 20, 2019, any resulting data collection would have been conducted by SimpleReach, Inc., not by Nativo, Inc.

As mentioned above, our tracking script collects and sends information to our servers based on the articles it is implemented on. The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months.  These values are used to give our customers a general idea of the number of users that visited the articles tracked.

We do not, nor have we ever, shared ANY information with Facebook with regards to the information we collect from the SimpleReach Analytics tag, be it Personal Data or otherwise. However, as mentioned above, it is possible that one of our customers added a Facebook retargeting pixel to an article you visited using our technology. If that is the case, we would not have received any information collected from such pixel or have knowledge of whether, and to what extent, the customer shared information with Facebook. Without more information, we are unable to determine the specific customer (if any) on behalf of which we may have processed your personal information. However, if you send us the unique identifier we have assigned to your browser… we can determine whether we have any personal information associated with such browser on behalf of a customer controller, and, if we have, we can forward your request on to the controller to respond directly to your request.

As a Data Processor we have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.  This type of agreement is designed to protect Data Subjects and ensure that Data Processors are held to the same standards that both the GDPR and the Data Controller have put forth.  This is the same type of agreement used by all other analytics tracking tools (as well as many other types of tools) such as Google Analytics, Adobe Analytics, Chartbeat, and many others.

I also asked Nativo to confirm whether Insider.com (see below) is a customer of Nativo/SimpleReach.

The company told me it could not disclose this “due to confidentiality restrictions” and would only reveal the identity of customers if “required by applicable law”.

Again, it said that if I provided the “unique identifier” assigned to my browser it would be “happy to pull a list of personal information the SimpleReach/Nativo systems currently have stored for your unique identifier (if any), including the appropriate Data Controllers”. (“If we have any personal data collected from you on behalf of Insider.com, it would come up in the list of DataControllers,” it suggested.)

I checked multiple browsers that I use on multiple devices but was unable to locate an ID attached to a SimpleReach cookie. So I also asked whether this might appear attached to any other cookie.

Their response:

Because our data is either pseudonymized or anonymized, and we do not record any other pieces of Personal Data about you, it will not be possible for us to locate this data without the cookie value.  The SimpleReach user cookie is, and has always been, in the “__srui” cookie under the “.simplereach.com” domain or any of its sub-domains. If you are unable to locate a SimpleReach user cookie by this name on your browser, it may be because you are using a different device or because you have cleared your cookies (in which case we would no longer have the ability to map any personal data we have previously collected from you to your browser or device). We do have other cookies (under the domains postrelease.com, admin.nativo.com, and cloud.nativo.com) but those cookies would not be related to the appearance of SimpleReach in the list of Off Site Activity on your Facebook account, per your original inquiry.
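The cookie check described above can be scripted against a browser cookie export instead of being done by hand. The following is an added example, not part of the original article or of Nativo's response: it assumes the export is in Netscape cookies.txt format, uses the cookie name and domains quoted in the response, and runs on a sample jar whose hosts and values are constructed.

```python
# Added example: look for the cookies named in the response above inside a
# Netscape-format cookies.txt export (the format curl reads and writes).
# The cookie name and domains are the ones quoted in the response; every
# value in the sample jar is constructed for illustration.

SRUI_NAME = "__srui"
SRUI_DOMAIN = "simplereach.com"
OTHER_VENDOR_DOMAINS = ("postrelease.com", "admin.nativo.com", "cloud.nativo.com")


def parse_cookie_jar(text):
    """Yield one dict per cookie line, skipping comments and malformed lines."""
    for line in text.splitlines():
        # HttpOnly cookies are written with a "#HttpOnly_" prefix, so they
        # must be recognised before ordinary "#" comments are discarded.
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, path, secure, _expires, name, value = fields
        yield {"domain": domain, "path": path, "secure": secure == "TRUE",
               "http_only": http_only, "name": name, "value": value}


def under_domain(cookie_domain, parent):
    """True if cookie_domain is parent itself or one of its sub-domains."""
    host = cookie_domain.lstrip(".").lower()
    # Require a dot boundary so "notsimplereach.com" does not match.
    return host == parent or host.endswith("." + parent)


def scan_cookie_jar(text):
    """Report the user-ID cookie values and any cookies on the other vendor domains."""
    report = {"srui_ids": [], "other_vendor_cookies": []}
    for c in parse_cookie_jar(text):
        if c["name"] == SRUI_NAME and under_domain(c["domain"], SRUI_DOMAIN):
            report["srui_ids"].append((c["domain"], c["value"]))
        elif any(under_domain(c["domain"], d) for d in OTHER_VENDOR_DOMAINS):
            report["other_vendor_cookies"].append((c["domain"], c["name"]))
    return report


# Constructed sample jar: domain, sub-domain flag, path, secure, expiry, name, value.
_ROWS = [
    (".simplereach.com", "TRUE", "/", "FALSE", "1893456000", "__srui", "constructed-id-0001"),
    ("#HttpOnly_edge.simplereach.com", "FALSE", "/", "TRUE", "1893456000", "__srui", "constructed-id-0002"),
    (".notsimplereach.com", "TRUE", "/", "FALSE", "1893456000", "__srui", "lookalike-domain"),
    (".simplereach.com", "TRUE", "/", "FALSE", "1893456000", "constructed_pref", "x"),
    (".postrelease.com", "TRUE", "/", "FALSE", "0", "constructed_session", "abc"),
    (".example.org", "TRUE", "/", "FALSE", "1893456000", "theme", "dark"),
]
SAMPLE_JAR = "# Netscape HTTP Cookie File\n\n" + "\n".join("\t".join(r) for r in _ROWS) + "\n"

if __name__ == "__main__":
    result = scan_cookie_jar(SAMPLE_JAR)
    for domain, value in result["srui_ids"]:
        print(f"{SRUI_NAME} on {domain}: {value}")
    for domain, name in result["other_vendor_cookies"]:
        print(f"other vendor cookie on {domain}: {name}")
```

An empty `srui_ids` list matches the situation described above, where no ID could be located in any browser.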

What did you learn from their inclusion in the Off-Facebook Activity list? There appeared to be a correlation between this domain and a publisher, Insider.com, which also appeared in my Off-Facebook Activity list — as both logged events bear the same date; plus Insider.com is a publisher so would fall into the right customer category for using Nativo’s tool.

Given those correlations I was able to guess Insider.com is a customer of Nativo (I confirmed this when I spoke to Insider.com) — so Facebook’s tool is able to leak relational inferences related to the tracking industry by surfacing/mapping business connections that might not have been otherwise evident.

Insider.com

What is it? A New York based business media company which owns brands such as Business Insider and Markets Insider

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a technology article that appeared in my Facebook News Feed or elsewhere but when I was logged into Facebook

What happened when you asked them about this? After about a week of radio silence an employee in Insider.com’s legal department got in touch to say they could discuss the issue on background.

This person told me the information in the Off-Facebook Activity tool came from the Facebook share button which is embedded on all articles it runs on its media websites. They confirmed that the share button can share data with Facebook regardless of whether the site visitor interacts with the button or not.

In my case I certainly would not have interacted with the Facebook share button. Nonetheless data was passed, simply by merit of loading the article page itself.

Insider.com said the Facebook share button widget is integrated into its sites using a standard set-up that Facebook intends publishers to use. If the share button is clicked information related to that action would be shared with Facebook and would also be received by Insider.com (though, in this scenario, it said it doesn’t get any personalized information — but rather gets aggregate data).

Facebook can also automatically collect other information when a user visits a webpage which incorporates its social plug-ins.

Asked whether Insider.com knows what information Facebook receives via this passive route the company told me it does not — noting the plug-in runs proprietary Facebook code. 

Asked how it’s collecting consent from users for their data to be shared passively with Facebook, Insider.com said its Privacy Policy stipulates users consent to sharing their information with Facebook and other social media sites. It also said it uses the legal ground known as legitimate interests to provide functionality and derive analytics on articles.

In the active case (of a user clicking to share an article) Insider.com said it interprets the user’s action as consent.

Insider.com confirmed it uses SimpleReach/Nativo analytics tools, meaning site visitor data is also being passed to Nativo when a user lands on an article. It said consent for this data-sharing is included within its consent management platform (it uses a CMP made by Forcepoint) which asks site visitors to specify their cookie choices.

Here site visitors can choose for their data not to be shared for analytics purposes (which Insider.com said would prevent data being passed).

I usually apply all cookie consent opt outs, where available, so I’m a little surprised Nativo/SimpleReach was passed my data from an Insider.com webpage. Either I failed to click the opt out one time or failed to respond to the cookie notice and data was passed by default.

It’s also possible I did opt out but data was passed anyway — as there has been research which has found a proportion of cookie notifications ignore choices and pass data anyway (unintentionally or otherwise).

Follow up questions I sent to Insider.com after we talked:

1) Can you confirm whether Insider has performed a legitimate interests assessment?
2) Does Insider have a site mechanism where users can object to the passive data transfer to Facebook from the share buttons?

Insider.com did not respond to my additional questions.

What did you learn from their inclusion in the Off-Facebook Activity list? That Insider.com is a customer of Nativo/SimpleReach.

Rei.com

What is it? A California-based ecommerce website selling outdoor gear

Why did it appear in your Off-Facebook Activity list? I don’t recall ever visiting their site prior to looking into why it appeared in the list so I’m really not sure

What happened when you asked them about this? After saying it would investigate it followed up with a statement, rather than detailed responses to my questions, in which it claims it does not hold any personal data associated with — presumably — my TechCrunch email, since it did not ask me what data to check against.

It also appeared to be claiming that it uses Facebook tracking pixels/tags on its website, without explicitly saying as much, writing that: “Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool.”

It claims it has no access to this information — which it says is “pseudonymous to us” — but suggested that if I have a Facebook account Facebook could link any browsing on Rei’s site to my Facebook identity and therefore track my activity.

The company also pointed me to a Facebook Help Center post where the company names some of the activities that might have resulted in Rei’s website sending activity data on me to Facebook (which it could then link to my Facebook ID) — although Facebook’s list is not exhaustive (included are: “viewing content”, “searching for an item”, “adding an item to a shopping cart” and “making a donation” among other activities the company tracks by having its code embedded on third parties’ sites).

Here’s Rei’s statement in full:

Thank you for your patience as we looked into your questions.  We have checked our systems and determined that REI does not maintain any personal data associated with you based on the information you provided.  Note, however, that Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool. The information that Facebook collects in this manner is pseudonymous to us — meaning we cannot identify you using the information and we do not maintain the information in a manner that is linked to your name or other identifying information. However, if you have a Facebook account, Facebook may be able to match this activity to your Facebook account via a unique identifier unavailable to REI. (Funnily enough, while researching this I found TechCrunch in MY list of Off-Facebook activity!)

For a complete list of activities that could have resulted in REI sharing pseudonymous information about you with Facebook, this Facebook Help Center article may be useful.  For a detailed description of the ways in which we may collect and share customer information, the purposes for which we may process your data, and rights available to EEA residents, please refer to our Privacy Policy.  For information about how REI uses cookies, please refer to our Cookie Policy.

As a follow up question I asked Rei to tell me which Facebook tools it uses, pointing out that: “Given that, just because you aren’t (as I understand it) directly using my data yourself that does not mean you are not responsible for my data being transferred to Facebook.”

The company did not respond to that point.

I also previously asked Rei.com to confirm whether it has any data sharing arrangements with the publisher of Rock & Ice magazine (see below). And, if so, to confirm the processes involved in data being shared. Again, I got no response to that.

What did you learn from their inclusion in the Off-Facebook Activity list? Given that Rei.com appeared alongside Rock & Ice on the list — both displaying the same date and just one activity apiece — I surmised they have some kind of data-sharing arrangement. They are also both outdoors brands so there would be obvious commercial ‘synergies’ to underpin such an arrangement.

That said, neither would confirm a business relationship to me. But Facebook’s list heavily implies there is some background data-sharing going on.

Rock & Ice magazine 

What is it? A climbing magazine produced by a California-based publisher, Big Stone Publishing

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a link to a climbing-related article in my Facebook feed or else visited Rock & Ice’s website while I was logged into Facebook in the same browser session

What happened when you asked them about this? After ignoring my initial email query I subsequently received a brief response from the publisher after I followed up — which read:

The Rock and Ice website is opt in, where you have to agree to terms of use to access the website. I don’t know what private data you are saying Rock and Ice shared, so I can’t speak to that. The site terms are here. As stated in the terms you can opt out.

Following up, I asked about the provision in the Rock & Ice website’s cookie notice which states: “By continuing to use our site, you agree to our cookies” — asking whether it’s passing data without waiting for the user to signal their consent.

(Relevant: In October Europe’s top court issued a ruling that active consent is necessary for tracking cookies, so you can’t drop cookies prior to a user giving consent for you to do so.)

The publisher responded:

You have to opt in and agree to the terms to use the website. You may opt out of cookies, which is covered in the terms. If you do not want the benefits of these advertising cookies, you may be able to opt-out by visiting: http://www.networkadvertising.org/optout_nonppii.asp.

If you don’t want any cookies, you can find extensions such as Ghostery or the browser itself to stop and refuse cookies. By doing so though some websites might not work properly.

I followed up again to point out that I’m not asking about the options to opt in or opt out but, rather, the behavior of the website if the visitor does not provide a consent response yet continues browsing — asking for confirmation Rock & Ice’s site interprets this state as consent and therefore sends data.

The publisher stopped responding at that point.

Earlier I had asked it to confirm whether its website shares visitor data with Rei.com. (As noted above, the two appeared with the same date on the list which suggests data may be being passed between them.) I did not get a response to that question either.

What did you learn from their inclusion in the Off-Facebook Activity list? That the magazine appears to have a data-sharing arrangement with outdoor retailer Rei.com, given how the pair appeared at the same point in my list. However neither would confirm this when I asked

MatterHackers

What is it? A California-based retailer focused on 3D printing and digital manufacturing

Why did it appear in your Off-Facebook Activity list? I honestly have no idea. I have never to my knowledge visited their site prior to investigating why they should appear on my Off Site Activity list.

I remain pretty interested to know how/why they managed to track me. I can only surmise I clicked on some technology-related content in my Facebook feed, either intentionally or by accident.

What happened when you asked them about this? They first asked me for confirmation that they were on my list. After I had sent a screenshot, they followed up to say they would investigate. I pushed again after hearing nothing for several weeks. At this point they asked for additional information from the Off-Facebook Activity tool — namely more granular metrics, such as a time and date per event and some label information — to help with tracking down this particular data-exchange.

I had previously provided them with the date (as it appears in the screenshot) but it’s possible to download an additional level of information about data transfers which includes per event time/date-stamps and labels/tags, such as “VIEW_CONTENT”.

However, as noted above, I had previously selected and deleted one item off of my Off-Facebook Activity list, after which Facebook’s platform had immediately erased all entries and associated metrics. There was no obvious way I could recover access to that information.

“Without this information I would speculate that you viewed an article or product on our site — we publish a lot of ‘How To’ content related to 3D printing and other digital manufacturing technologies — this information could have then been captured by Facebook via Adroll for ad retargeting purposes,” a MatterHackers spokesman told me. “Operationally, we have no other data sharing mechanism with Facebook.”

Subsequently, the company confirmed it implements Facebook’s tracking pixel on every page of its website.

Of the pixel Facebook writes that it enables website owners to track “conversions” (i.e. website actions); create custom audiences which segment site visitors by criteria that Facebook can identify and match across its user-base, allowing for the site owner to target ads via Facebook’s platform at non-customers with a similar profile/criteria to existing customers that are browsing its site; and for creating dynamic ads where a template ad gets populated with product content based on tracking data for that particular visitor.

Regarding the legal base for the data sharing, MatterHackers had this to say: “MatterHackers is not an EU entity, nor do we conduct business in the EU and so have not undertaken GDPR compliance measures. CCPA [California’s Consumer Privacy Act] will likely apply to our business as of 2021 and we have begun the process of ensuring that our website will be in compliance with those regulations as of January 1st.”

I pointed out that GDPR is extraterritorial in scope — and can apply to non-EU based entities, such as if they’re monitoring individuals in the EU (as in this case).

Also likely relevant: A ruling last year by Europe’s top court found sites that embed third party plug-ins such as Facebook’s like button are jointly responsible for the initial data processing — and must either obtain informed consent from site visitors prior to data being transferred to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data.

Nonetheless it’s still not clear what legal base the company is relying on for implementing the tracking pixel and passing data on EU Facebook users.

When asked about this MatterHackers COO, Kevin Pope, told me:

While we appreciate the sentiment of GDPR, in this case the EU lacks the legal standing to pursue an enforcement action. I’m sure you can appreciate the potential negative consequences if any arbitrary country (or jurisdiction) were able to enforce legal penalties against any website simply for having visitors from that country. Techcrunch would have been fined to oblivion many times over by China or even Thailand (for covering the King in a negative light). In this way, the attempted overreach of the GDPR’s language sets a dangerous precedent.
To provide a little more detail – MatterHackers, at the time of your visit, wouldn’t have known that you were from the EU until we cross-referenced your session with  Facebook, who does know. At that point you would have been filtered from any advertising by us. MatterHackers makes money when our (U.S.) customers buy 3D printers or materials and then succeed at using them (hence the how-to articles), we don’t make any money selling advertising or data.
Given that Facebook does legally exist in the EU and does have direct revenues from EU advertisers, it’s entirely appropriate that Facebook should comply with EU regulations. As a global solution, I believe more privacy settings options should be available to its users. However, given Facebook’s business model, I wouldn’t expect anything other than continued deflection (note the careful wording on their tool) and avoidance from them on this issue.

What did you learn from their inclusion in the Off-Facebook Activity List? I found out that an ecommerce company I had never heard of had been tracking me

Wallapop

What is it? A Barcelona-based peer-to-peer marketplace app that lets people list secondhand stuff for sale and/or to search for things to buy in their proximity. Users can meet in person to carry out a transaction paying in cash or there can be an option to pay via the platform and have an item posted

Why did it appear in your Off-Facebook Activity list? This was the only digital activity that appeared in the list that was something I could explain — figuring out I must have used a Facebook sign-in option when using the Wallapop app to buy/sell. I wouldn’t normally use Facebook sign-in but for trust-based marketplaces there may be user benefits to leveraging network effects.

What happened when you asked them about this? After my query was booted around a bit a PR company that works with Wallapop responded asking to talk through what information I was trying to ascertain.

After we chatted they sent this response — attributed to sources from Wallapop:

Same as it happens with other apps, wallapop can appear on our users’ Facebook Off Site Activity page if they have interacted in any way with the platform while they were logged in their Facebook accounts. Some interaction examples include logging in via Facebook, visiting our website or having both apps opened and logged.

As other apps do, wallapop only shares activity events with Facebook to optimize users’ ad experience. This includes if a user is registered in wallapop, if they have uploaded an item or if they have started a conversation. Under no circumstance wallapop shares with Facebook our users’ personal data (including sex, name, email address or telephone number).

At wallapop, we are thoroughly committed with the security of our community and we do a safe treatment of the data they choose to share with us, in compliance with EU’s General Data Protection Regulation. Under no circumstance these data are shared with third parties without explicit authorization.

I followed up to ask for further details about these “activity events” — asking whether, for instance, Wallapop shares messaging content with Facebook as well as letting the social network know which items a user is chatting about.

“Under no circumstance the content of our users’ messages is shared with Facebook,” the spokesperson told me. “What is shared is limited to the fact that a conversation has been initiated with another user in relation to a specific item, this is, activity events. Under no circumstance we would share our users’ personal information either.”

Of course the point is Facebook is able to link all app activity with the user ID it already has — so every piece of activity data being shared is personal data.

I also asked what legal base Wallapop relies on to share activity data with Facebook. They said the legal basis is “explicit consent given by users” at the point of signing up to use the app.

“Wallapop collects explicit consent from our users and at any time they can exercise their rights to their data, which include the modification of consent given in the first place,” they said.

“Users give their explicit consent by clicking in the corresponding box when they register in the app, where they also get the chance to opt out and not do it. If later on they want to change the consent they gave in first instance, they also have that option through the app. All the information is clearly available on our Privacy Policy, which is GDPR compliant.”

“At wallapop we take our community’s privacy and security very seriously and we follow recommendations from the Spanish Data Protection Agency,” it added.

What did you learn from their inclusion in the Off-Facebook Activity list? Not much more than I would have already guessed — i.e. that using a Facebook sign-in option in a third party app grants the social media giant a high degree of visibility into your activity within another service.

In this case the Wallapop app registered the most activity events of all six of the listed apps, displaying 13 vs only one apiece for the others — so it gave a bit of a suggestive glimpse into the volume of third party app data that can be passed if you opt to open a Facebook login wormhole into a separate service.

App Samurai closes a $2.4M Series A funding round led by 212 Ventures

By Mike Butcher

App Samurai, a platform to market mobile apps, has closed an investment of $2.4 million in Series A funding, led by 212 Ventures and co-invested by Collective Spark, 500 Startups and Degerhan Usluel. It’s now raised a total of $4.6 million which will be used to develop the mobile advertising group’s product portfolio and global expansion.
 
Founded in 2016, the App Samurai Group is used by app makers to grow their apps by using a portfolio of products including a user acquisition platform (App Samurai), a real-time mobile ad fraud detection and prevention solution (Interceptd), and an in-app engagement solution (Storyly). 

Commenting on the raise, Emre Fadillioglu, CEO and Co-Founder, App Samurai Inc said in a statement: “This $2.4m investment aligns with our 2020 globalization strategy and will accelerate our talent acquisition and geographical footprint. Our priority now is to bring the brightest minds together, to drive greater transparency, integrity and efficiency for the mobile marketing ecosystem.”
 
Its direct competitors include Traffic Guard, Scalarr, Forensiq, Machine, 21 Metrics, FraudScore and FraudLogix while indirect competitors include Adjust, AppsFlyer, Tune and Kochava.

How to identify and remove KidsGuard ‘stalkerware’ from your phone

By Zack Whittaker

We reported today on KidsGuard, a powerful mobile spyware. Not only is the app secretly installed on thousands of Android phones without the owners’ consent, it also left a server open and unprotected, exposing the data it siphoned off from victims’ infected devices to the internet.

This consumer-grade spyware also goes by “stalkerware.” It’s often used by parents to monitor their kids, but all too frequently it’s repurposed for spying on a spouse without their knowledge or consent. These spying apps are banned from Apple and Google’s app stores, but those bans have done little to curb the spread of these privacy invading apps, which can read a victim’s messages, listen to their phone calls, track their real-time locations, and steal their contacts, photos, videos, and anything else on their phones.

Stalkerware has become so reviled by privacy experts, security researchers, and lawmakers that antivirus makers have promised to do more to better detect the spyware.

TechCrunch obtained a copy of the KidsGuard app. Using a burner Android phone with the microphones and cameras sealed, we tested the spyware’s capabilities. We also uploaded the app to online malware scanning service VirusTotal, which runs uploaded files against dozens of different antivirus makers. Only eight antivirus engines flagged the sample as malicious — including Kaspersky, a member of the Coalition Against Stalkerware, and F-Secure.

Yoong Jien Chiam, a researcher at F-Secure’s Tactical Defense unit, analyzed the app and found it can obtain “GPS locations, account name, on-screen screenshots, keystrokes, and is also accessing photos, videos, and browser history.”

KidsGuard’s developer, ClevGuard, does not make it easy to uninstall the spyware. But this brief guide will help you to identify if the spyware is on your device and how to remove it.

Before you continue, some versions of Android may have slightly different menu options, and you take these following steps at your own risk. This only removes the spyware, and does not delete any data that was uploaded to the cloud.

How to identify the spyware

If you have an Android device, go to Settings > Apps, then scroll down and see if “System Update Service” is listed. This is what ClevGuard calls the app to disguise it from the user. If you see it, it is likely that you are infected with the spyware.

First, remove the spyware as a “device administrator”

Go to Settings > Security, then Device administrators then untick the “System Update Service” box, then hit Deactivate.

Then remove the app’s “usage access”

Now, go back to Settings > Security then scroll to Apps with usage access. Once here, tap on “System Update Service” then switch off the permit usage toggle.

Also remove the spyware’s “notification access”

Once that is done, go back to Settings > Sound & notification then go to Notification access. Now switch off the toggle for “System Update Service.”

Now you can uninstall the spyware from your device

Following those steps, you have effectively disabled the spyware. Now you are able to uninstall it. Go to Settings > Apps and scroll down to “System Update Service.” You should be able to hit Uninstall, but you may need to hit Force Stop first. Tap OK to uninstall the app. This may take a few minutes.

Secure your device again

Now that you’ve rid your device of the spyware, you’ll need to enable a couple of settings that were switched off when your device was first infected. Firstly, go back to Settings > Security then switch off the toggle for Unknown sources. Secondly, go to the Play Store > Play Protect. If you have the option, select Turn on. Once it’s on, you should check to ensure that it “Looks good.”
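
The steps above revoke three privileges from the app: device administrator, usage access and notification access. Because the name shown in Settings is a disguise, the sketch below (an added example, not part of the original article and not ClevGuard's or Google's code) looks for any user-installed package that holds that combination. It assumes the text output of the adb commands named in the comments, whose format varies between Android versions; every package name and sample output is constructed for illustration.

```python
import re

# Assumed inputs, captured from a trusted computer (formats vary by version):
#   adb shell dumpsys device_policy
#   adb shell cmd appops query-op GET_USAGE_STATS allow
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -3        (user-installed packages only)

PACKAGE = r"[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)+"
COMPONENT_LINE = re.compile(rf"^\s*({PACKAGE})/[\w.$]+:?\s*$")


def device_admins(dumpsys_text):
    """Packages listed under an 'Enabled Device Admins' header."""
    admins, header_indent = set(), None
    for line in dumpsys_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if "Enabled Device Admins" in line:
            header_indent = indent
        elif header_indent is not None and line.strip():
            if indent <= header_indent:      # next section: block is over
                header_indent = None
                continue
            match = COMPONENT_LINE.match(line)
            if match:
                admins.add(match.group(1))
    return admins


def usage_access(appops_text):
    """Packages allowed the usage-stats app op (one package per line)."""
    lines = (line.strip() for line in appops_text.splitlines())
    return {line for line in lines if re.fullmatch(PACKAGE, line)}


def notification_listeners(setting_value):
    """Packages in the colon-separated list of listener components."""
    parts = setting_value.strip().split(":")
    return {part.split("/", 1)[0] for part in parts if "/" in part}


def third_party(pm_text):
    """Package names from 'package:<name>' lines."""
    prefix = "package:"
    return {line.strip()[len(prefix):] for line in pm_text.splitlines()
            if line.strip().startswith(prefix)}


def audit(dumpsys_text, appops_text, listeners_value, pm_text, min_privileges=2):
    """Map each user-installed package to the monitoring privileges it holds,
    keeping only packages that hold at least min_privileges of the three."""
    holders = {
        "device administrator": device_admins(dumpsys_text),
        "usage access": usage_access(appops_text),
        "notification access": notification_listeners(listeners_value),
    }
    findings = {}
    for package in sorted(third_party(pm_text)):
        held = [name for name, pkgs in holders.items() if package in pkgs]
        if len(held) >= min_privileges:
            findings[package] = held
    return findings


# Constructed sample output; com.example.* names are hypothetical.
SAMPLE_DUMPSYS = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:
      uid=10013
      policies:
        wipe-data
    com.example.sysupdate/.AdminReceiver:
      uid=10091
      policies:
        force-lock
  passwordQuality=0x0
"""
SAMPLE_APPOPS = "com.example.sysupdate\ncom.example.fitness\n"
SAMPLE_LISTENERS = ("com.example.launcher/com.example.launcher.Badges:"
                    "com.example.sysupdate/com.example.sysupdate.Listener")
SAMPLE_PACKAGES = ("package:com.example.launcher\npackage:com.example.fitness\n"
                   "package:com.example.sysupdate\n")

if __name__ == "__main__":
    report = audit(SAMPLE_DUMPSYS, SAMPLE_APPOPS, SAMPLE_LISTENERS, SAMPLE_PACKAGES)
    for package, held in report.items():
        print(f"{package}: {', '.join(held)}")
```

A package flagged here is a candidate for review, not proof of infection: legitimate parental-control and device-management apps hold the same privileges.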

Google’s new T&Cs include a Brexit ‘Easter egg’ for UK users

By Natasha Lomas

Google has buried a major change in legal jurisdiction for its UK users as part of a wider update to its terms and conditions that’s been announced today and which it says is intended to make its conditions of use clearer for all users.

It says the update to its T&Cs is the first major revision since 2012 — with Google saying it wanted to ensure the policy reflects its current products and applicable laws.

Google says it undertook a major review of the terms, similar to the revision of its privacy policy in 2018, when the EU’s General Data Protection Regulation started being applied. But while it claims the new T&Cs are easier for users to understand — rewritten using simpler language and a clearer structure — there are no other changes involved, such as to how it handles people’s data.

“We’ve updated our Terms of Service to make them easier for people around the world to read and understand — with clearer language, improved organization, and greater transparency about changes we make to our services and products. We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said in a statement.

Users of Google products are being asked to review and accept the new terms before March 31 when they are due to take effect.

Reuters reported on the move late yesterday — citing sources familiar with the update who suggested the change of jurisdiction for UK users will weaken legal protections around their data.

However Google disputes there will be any change in privacy standards for UK users as a result of the shift. It told us there will be no change to how it processes UK users’ data; no change to their privacy settings; and no change to the way it treats their information as a result of the move.

We asked the company for further comment on this — including why it chose not to make a UK subsidiary the legal base for UK users — and a spokesperson told us it is making the change as part of its preparations for the UK to leave the European Union (aka Brexit).

“Like many companies, we have to prepare for Brexit,” Google said. “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”

Heather Burns, a tech policy specialist based in Glasgow, Scotland — who runs a website dedicated to tracking UK policy shifts around the Brexit process — also believes Google has essentially been forced to make the move because the UK government has recently signalled its intent to diverge from European Union standards in future, including on data protection.

“What has changed since January 31 has been [UK prime minister] Boris Johnson making a unilateral statement that the UK will go its own way on data protection, in direct contrast to everything the UK’s data protection regulator and government has said since the referendum,” she told us. “These bombastic, off-the-cuff statements play to his anti-EU base but businesses act on them. They have to.”

“Google’s transfer of UK accounts from the EU to the US is an indication that they do not believe the UK will either seek or receive a data protection adequacy agreement at the end of the transition period. They are choosing to deal with that headache now rather than later. We shouldn’t underestimate how strong a statement this is from the tech sector regarding its confidence in the Johnson premiership,” she added.

Asked whether she believes there will be a reduction in protections for UK users in future as a result of the shift Burns suggested that will largely depend on Google.

So — in other words — Brexit means, er, trust Google to look after your data.

“The European data protection framework is based around a set of fundamental user rights and controls over the uses of personal data — the everyday data flows to and from all of our accounts. Those fundamental rights have been transposed into UK domestic law through the Data Protection Act 2018, and they will stay, for now. But with the Johnson premiership clearly ready to jettison the European-derived system of user rights for the US-style anything goes model,” Burns suggested.

“Google saying there is no change to the way we process users’ data, no change to their privacy settings and no change to the way we treat their information can be taken as an indication that they stand willing to continue providing UK users with European-style rights over their data — albeit from a different jurisdiction — regardless of any government intention to erode the domestic legal basis for those rights.”

Reuters’ report also raises concerns about the impact of the Cloud Act agreement between the UK and the US — which is due to come into effect this summer — suggesting it will pose a threat to the safety of UK Google users’ data once it’s moved out of an EU jurisdiction (in this case Ireland) to the US where the Act will apply.

The Cloud Act is intended to make it quicker and easier for law enforcement to obtain data stored in the cloud by companies based in the other legal jurisdiction.

So in future, it might be easier for UK authorities to obtain UK Google users’ data using this legal instrument applied to Google US.

It certainly seems clear that as the UK moves away from EU standards as a result of Brexit it is opening up the possibility of the country replacing long-standing data protection rights for citizens with a regime of supercharged mass surveillance. (The UK government has already legislated to give its intelligence agencies unprecedented powers to snoop on ordinary citizens’ digital comms — so it has a proven appetite for bulk data.)

Again, Google told us the shift of legal base for its UK users will make no difference to how it handles law enforcement requests — a process it talks about here — and further claimed this will be true even when the Cloud Act applies. Which is a weasely way of saying it will do exactly what the law requires.

Google confirmed that GDPR will continue to apply for UK users during the transition period between the old and new terms. After that it said UK data protection law will continue to apply — emphasizing that this is modelled after the GDPR. But of course in the post-Brexit future the UK government might choose to model it after something very different.

Asked to confirm whether it’s committing to maintain current data standards for UK users in perpetuity, the company told us it cannot speculate as to what privacy laws the UK will adopt in the future… 😬

We also asked why it hasn’t chosen to elect a UK subsidiary as the legal base for UK users. To which it gave a nonsensical response — saying this is because the UK is no longer in the EU. Which begs the question when did the UK suddenly become the 51st American State?

Returning to the wider T&Cs revision, Google said it’s making the changes in a response to litigation in the European Union targeted at its terms.

This includes a case in Germany where consumer rights groups successfully sued the tech giant over its use of overly broad terms which the court agreed last year were largely illegal.

In another case a year ago in France a court ordered Google to pay €30,000 for unfair terms — and ordered it to obtain valid consent from users for tracking their location and online activity.

Since at least 2016 the European Commission has also been pressuring tech giants, including Google, to fix consumer rights issues buried in their T&Cs — including unfair terms. A variety of EU laws apply in this area.

In another change being bundled with the new T&Cs Google has added a description about how its business works to the About Google page — where it explains its business model and how it makes money.

Here, among the usual ‘dead cat’ claims about not ‘selling your information’ (tl;dr adtech giants rent attention; they don’t need to sell actual surveillance dossiers), Google writes that it doesn’t use “your emails, documents, photos or confidential information (such as race, religion or sexual orientation) to personalize the ads we show you”.

Though it could be using all that personal stuff to help it build new products it can serve ads alongside.

Even further towards the end of its business model screed it includes the claim that “if you don’t want to see personalized ads of any kind, you can deactivate them at any time”. So, yes, buried somewhere in Google’s labyrinthine settings exists an opt out.

The change in how Google articulates its business model comes in response to growing political and regulatory scrutiny of adtech business models such as Google’s — including on data protection and antitrust grounds.

Retail optimization startup Teikametrics raises $15M as it expands beyond Amazon and beyond ads

By Anthony Ha

Teikametrics, a startup that helps retailers optimize their online ad spending, has raised $15 million in additional funding.

The company launched with the goal of helping Amazon sellers advertise more effectively. More recently, it launched a similar partnership with Walmart.

CEO Alasdair McLean-Foreman said that on both platforms, the startup’s Flywheel platform can improve the ad-buying process using retailer data about things like transactions, inventory and pricing.

McLean-Foreman praised Amazon for creating “an incredible closed loop” where “millions of consumers [are] meeting millions of suppliers across the long tail.” And of the other online platforms, he said Walmart is “the one that’s closest to parity.”

He added that by working with Teikametrics, retailers (whether they’re third-party sellers, or brands promoting products that Amazon and Walmart are selling themselves) can optimize their campaigns across both marketplaces, and eventually on other platforms as well.

McLean-Foreman added that the company will be launching products that go beyond advertising later this year. His vision is for Teikametrics to use that same data to create a retail “operating system” that optimizes every aspect of a retailer’s business, including inventory and pricing.

“It’s about creating very simple solution to a very, very complicated problem that is much more dynamic and much more complicated than just the ads,” he said.

The Boston-headquartered startup raised a $10 million Series A in 2018. The new round was led by Jump Capital, with participation from Granite Point Capital, Jerry Hausman (an MIT econometrics professor who also serves as a scientific advisor) and Ed Baker (former head of growth at Facebook and Uber).

Teikametrics says it’s working with more than 3,000 brands, including Clarks, Razer, Power Practical, Zipline Ski and Mark Cuban’s Brands. It also recently hired former Amazon ad executive Srini Guddanti as its chief product officer.

Looking at the broader retail and advertising landscape, McLean-Foreman acknowledged, “AI is almost a buzzword,” but he argued, “We are actually AI-first. The product itself is automation, it is intelligent decision-making.”

He added, “Advertising is a huge lever to pull and a really good problem for AI to solve, but I’m super excited to apply those same AI components or solutions to an even bigger problem at the same time.”

Bloomberg memes push Instagram to require sponsorship disclosure

By Josh Constine

Instagram is changing its advertising rules to require political campaigns’ sponsored posts from influencers to use its Branded Content Ads tool that adds a disclosure label of “Paid Partnership With”. The change comes after the Bloomberg presidential campaign paid meme makers to post screenshots that showed him asking them to make him look cool.

Instagram provided this statement to TechCrunch:

“Branded content is different from advertising, but in either case we believe it’s important people know when they’re seeing paid content on our platforms. That’s why we have an Ad Library where anyone can see who paid for an ad and why we require creators to disclose any paid partnerships through our branded content tools. After hearing from multiple campaigns, we agree that there’s a place for branded content in political discussion on our platforms. We’re allowing US-based political candidates to work with creators to run this content, provided the political candidates are authorized and the creators disclose any paid partnerships through our branded content tools.”

Instagram explains to TechCrunch that branded content is different from advertising because Facebook doesn’t receive any payment and it can’t be targeted. If marketers or political campaigns pay to boost the reach of sponsored content, it’s then subject to Instagram’s ad policies and goes in its Ad Library for seven years.

But previously, Instagram banned political operations from running branded content because the policies that applied to it covered all monetization mediums on Instagram, including ad breaks and subscriptions that political entities are blocked from using. Facebook didn’t want to be seen as giving monetary contributions to campaigns, especially as the company tries to appear politically neutral.

Yet now Instagram is changing the rule and not just allowing but requiring political campaigns to use the Branded Content Ads tool when paying influencers to post sponsored content. That’s because Instagram and Facebook don’t get paid for these sponsorships. It’s now asking all sponsorships, including the Bloomberg memes retroactively, to be disclosed with a label using this tool. That would add a “Paid Partnership with Bloomberg 2020” warning to posts and Stories that the campaign paid meme pages and other influencers to post. This rule change is starting in the US today.

Instagram was moved to make the change after Bloomberg DM memes flooded the site. The New York Times’ Taylor Lorenz reported that the Bloomberg campaign worked with Meme 2020, an organization led by the head of the “FuckJerry” account’s Jerry Media company Mick Purzycki, to recruit and pay the influencers. Their posts made it look like Bloomberg himself had Direct Messaged the creators asking them to post stuff that would make him relevant to a younger audience.

Part of the campaign’s initial success came because users weren’t fully sure if the influencers’ posts were jokes or ads, even if they were disclosed with #ad or “yes this is really sponsored by @MikeBloomberg”. There’s already been a swift souring of public perception on the meme campaign, with some users calling it cringey and posting memes of Bernie Sanders, whose anti-corporate stance pits him opposite of Bloomberg.

The change comes just two days after the FTC voted to review influencer marketing guidelines and decide if advertisers and platforms might be liable for penalties for failing to mandate disclosure.

At least the Democratic field of candidates is finally waking up to the power of memes to reach a demographic largely removed from cable television and rally speeches. The Trump campaign has used digital media to great effect, exploiting a lack of rules against misinformation in Facebook ads to make inaccurate claims and raise money. With all his baked in media exposure from being President already, the Democratic challengers need all the impressions they can get.

AdQuick raises $6M to conquer an advertising market Google and Facebook won’t

By Lucas Matney

With Google and Facebook wielding massive control over the online ad market, leaving only scraps for other ad platforms, perhaps it was only natural that tech startups would take a step back and start to look for opportunities in selling billboards.

AdQuick, a marketplace for out of home (OOH) advertising, tells TechCrunch that it has closed a $6 million Series A led by Initialized Capital with participation from WndrCo, Shrug Capital, The Todd & Rahul Angel Fund and rapper Nas. The startup has now raised $9.4 million to date.

AdQuick isn’t in the business of renting out advertising space they own. Like traditional channels they connect the ad space owner with a buyer and take a commission on the purchase. Unlike some other channels, they’ve tried to inject the ad analytics of the web into the process so that buyers understand what they’re paying for impressions and can point brands to higher ROI locations where they might not have been looking.

“You know while the digital market is just so overbid and essentially controlled by Facebook and Google, the returns on investment from out of home ads keeps going up because people out in public have to see and experience them,” Initialized’s Alexis Ohanian, who led the deal, tells TechCrunch.

In recent months, startups like ZeroDown and Brex have coated San Francisco in outdoor advertising campaigns, while the explosion of direct-to-consumer brands has led startups with massive online ad spends to begin looking at the prices of a billboard on the 101. It’s not just ad real estate in SF or New York or LA that’s seeing increased demand; CEO Matt O’Connor tells TechCrunch that the OOH ad market is seeing big growth across the board.

“It’s the only non-online channel growing, and it’s actually growing faster in the last year than it has in the past decade,” O’Connor says. “A big tailwind is that brands are looking to spend offline earlier than they ever have in their history because it’s gotten so expensive that they’re forced to look for channels with better payback.”

The key opportunity AdQuick is tapping into is the 30-35% of OOH ad space they estimate went unused in the United States last year.

Taking on digital ad space sold by Google and Facebook means leveling the playing field and part of determining that real world ad’s ROI can mean relying on the same creepy ad analytics services that connect web habits and location data of de-identified devices for serving online ads, but such are the ills of the advertising world in 2020. These processes allow ad buyers to gain a better idea of what their investment in bench advertising in Cheyenne, Wyoming is actually going to mean in terms of impressions and how much they are paying per pair of eyeballs.

One thing AdQuick isn’t interested in is trying to find an entry point to the non-OOH digital ad market. “That’s pretty bloody water that’s been picked over by both the duopoly and the thousands of other quote unquote adtech companies,” O’Connor says.

Contextual advertising company GumGum raises $22M

By Anthony Ha

GumGum is announcing that it’s raised $22 million from existing investors, including Morgan Stanley Expansion Capital, NEA spinout NewView Capital and Upfront Ventures — money that CEO Phil Schraeder said he’ll use to pursue a more aggressive acquisition strategy.

This Series D comes nearly five years after GumGum raised a $26 million Series C. Schraeder told me the company’s “core business has been profitable for years,” and that GumGum now has the ability to turn profitability “on or off” depending on how quickly it wants to grow.

“We have historically not done M&A or acquisitions — those are going to be part of what we do going forward,” he said. “We have built an amazing, strong, profitable balance sheet and team and presence in-market that we want to accelerate and grow.”

Schraeder has been at GumGum for nearly a decade, starting out as vice president of finance before becoming COO, CFO, president — and finally CEO, after co-founder Ophir Tanz stepped down last year to run the company’s dental industry-focused spinout Pearl.

Based in Santa Monica, Calif., GumGum was founded in 2008. The team developed computer vision technology that could identify the content of an image, then place an appropriate ad alongside the picture.

This is the core business that Schraeder was referring to, which he said GumGum has used as a “foundation” to expand into new areas like sports sponsorships and in-video advertising (the in-video unit has already been tested with Sprint and other brands, with a broader launch scheduled for the second quarter of this year).

The company also recently launched Verity for Publishers, which the company says uses both natural language processing and computer vision to analyze the content of a page, ensuring that it’s brand-safe and relevant for advertisers.

Schraeder said that even here, GumGum’s foundation in image analysis remains important, because simple keyword detection won’t cut it — for example, photos can help Verity determine that a “shooting” story is about basketball, rather than a violent tragedy. GumGum plans to launch a similar product for advertisers, called Verity for Brands, later this year.

Schraeder argued that this kind of contextual understanding of online content will become increasingly important to advertisers, particularly as cookies become less and less useful as a way to track and target consumers.

“For the industry, this is what’s going to help us — better user experiences leveraging the context on the page, integrated advertising that brings back the positive view of advertising,” he said.

The company is also announcing that it has appointed Lisa Licht to its board of directors. Licht was formerly the CMO at Live Nation Entertainment, and now runs a consultancy that works with AllBright, Illumination Animation, the Metrograph and Exploding Kitten.

“As I see it, this is the ideal time to get behind GumGum,” Licht said in a statement. “They have outpaced the market in terms of growth year-after-year, maintained profitability and now there’s an obvious inflection point at hand for contextual advertising in digital. That’s an area where GumGum already has a significant edge, so I’m looking forward to helping expand its lead in that area, while also contributing to success across the full breadth of GumGum’s business.”

FTC votes to review influencer marketing rules & penalties

By Josh Constine

Undisclosed influencer marketing posts on social media should trigger financial penalties, according to a statement released today by the Federal Trade Commission’s Rohit Chopra. The FTC has voted 5-0 to approve a Federal Register notice calling for public comments on questions related to whether The Endorsement Guides for advertising need to be updated.

“When companies launder advertising by paying an influencer to pretend that their endorsement or review is untainted by a financial relationship, this is illegal payola,” Chopra writes. “The FTC will need to determine whether to create new requirements for social media platforms and advertisers and whether to activate civil penalty liability.”

Currently the non-binding Endorsement Guides stipulate that “when there is a connection between an endorser and a seller of an advertised product that could affect the weight or credibility of the endorsement, the connection must be clearly and conspicuously disclosed.” In the case of social media, that means creators need to note their post is part of an “ad,” “sponsored” content or “paid partnership.”

But Chopra wants the FTC to consider making those rules official by “Codifying elements of the existing endorsement guides into formal rules so that violators can be liable for civil penalties under Section 5(m)(1)(A) and liable for damages under Section 19.” He cites weak enforcement to date, noting that in the case of department store Lord & Taylor not insisting 50 paid influencers specify their posts were sponsored, “the Commission settled the matter for no customer refunds, no forfeiture of ill-gotten gains, no notice to consumers, no deletion of wrongfully obtained personal data, and no findings or admission of liability.”

Strangely, Chopra fixates on Instagram’s Branded Content Ads that let marketers pay to turn posts by influencers tagging brands into ads. However, these ads include a clear “Sponsored. Paid partnership with [brand]” and seem to meet all necessary disclosure requirements. He also mentions concerns about sponcon on YouTube and TikTok.

Additional targets of the FTC’s review will be use of fake or incentivized reviews. It’s seeking public comment on whether free or discounted products influence reviews and should require disclosure, how to handle affiliate links and whether warnings should be posted by advertisers or review sites about incentivized reviews. It also wants to know about how influencer marketing affects and is understood by children.

Chopra wisely suggests the FTC focus on the platforms and advertisers that are earning tons of money from potentially undisclosed influencer marketing, rather than the smaller influencers themselves who might not be as well versed in the law and are just trying to hustle. “When individual influencers are able to post about their interests to earn extra money on the side, this is not a cause for major concern,” he writes, but “when we do not hold lawbreaking companies accountable, this harms every honest business looking to compete fairly.”

While many of the social media platforms have moved to self-police with rules about revealing paid partnerships, there remain gray areas around incentives like free clothes or discount rates. Codifying what constitutes incentivized endorsement, formally demanding social media platforms to implement policies and features for disclosure and making influencer marketing contracts state that participation must be disclosed would all be sensible updates.

Society has enough trouble with misinformation on the internet, from trolls to election meddlers. They should at least be able to trust that if someone says they love their new jacket, they didn’t secretly get paid for it.

Former Krux and Salesforce execs raise $15M for their marketing data startup Habu

By Anthony Ha

Marketing startup Habu is emerging from stealth today and announcing that it has already raised $15 million in Series A funding.

The company comes out of super{set}, the startup studio created by Krux founders Tom Chavez and Vivek Vaidya. In fact, Chavez is Habu’s chairman, Vaidya serves as CTO and their former Krux colleague Matt Kilmartin (who eventually became chief customer officer for Salesforce’s consumer engagement platform after Salesforce acquired Krux) is the startup’s CEO.

Kilmartin told me that Habu was created to solve a “still elusive” marketing challenge — delivering “omni-channel orchestration for the entire customer journey.” In other words, he’s saying that chief marketing officers are still struggling to deliver personalized messages to potential customers across every channel and at every stage.

Kilmartin argued that’s because they’re challenged by new privacy regulations, plus the fact that many marketing tools struggle to integrate data from the major digital ad platforms. And then there are the limitations of the big marketing clouds (including Kilmartin’s old employer Salesforce), which he said are “stitching together all the stuff they bought — their goal is to have everyone go all-in on one of their stacks.”

So Habu isn’t trying to build yet another marketing platform. Instead, the company describes its core product as a “marketing data operating system” that can be used alongside the aforementioned clouds, bringing a company’s customer data together across platforms, then providing automated insights and recommendations on how to use that data to deliver personalized marketing. And it does this in a way that complies with privacy regulations like GDPR and CCPA.

“We’re trying not to be a platform,” Kilmartin said. “It’s a modular, interoperable suite of services.”

Habu’s software can pull in a marketer’s first-party customer data, as well as data from platforms like Google and Facebook. Kilmartin said that while these platforms remain a “blind spot” for many marketers, “They have APIs and frameworks to be able to do this, it just requires a level of sophistication. And there just aren’t that many extra data scientists that these brands have sitting around.”

In addition to super{set}, Habu’s funding comes from Ridge Ventures. And although Habu is only launching publicly today, it already has customers in the CPG and media industries.

Update: An earlier version of this story incorrectly identified some of Habu’s customers.
