FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Google’s new T&Cs include a Brexit ‘Easter egg’ for UK users

By Natasha Lomas

Google has buried a major change in legal jurisdiction for its UK users as part of a wider update to its terms and conditions that’s been announced today and which it says is intended to make its conditions of use clearer for all users.

It says the update to its T&Cs is the first major revision since 2012 — with Google saying it wanted to ensure the policy reflects its current products and applicable laws.

Google says it undertook a major review of the terms, similar to the revision of its privacy policy in 2018, when the EU’s General Data Protection Regulation started being applied. But while it claims the new T&Cs are easier for users to understand — rewritten using simpler language and a clearer structure — there are no other changes involved, such as to how it handles people’s data.

“We’ve updated our Terms of Service to make them easier for people around the world to read and understand — with clearer language, improved organization, and greater transparency about changes we make to our services and products. We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said in a statement.

Users of Google products are being asked to review and accept the new terms before March 31 when they are due to take effect.

Reuters reported on the move late yesterday — citing sources familiar with the update who suggested the change of jurisdiction for UK users will weaken legal protections around their data.

However Google disputes there will be any change in privacy standards for UK users as a result of the shift. it told us there will be no change to how it process UK users’ data; no change to their privacy settings; and no change to the way it treats their information as a result of the move.

We asked the company for further comment on this — including why it chose not to make a UK subsidiary the legal base for UK users — and a spokesperson told us it is making the change as part of its preparations for the UK to leave the European Union (aka Brexit).

Like many companies, we have to prepare for Brexit,” Google said. “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”

Heather Burns, a tech policy specialist based in Glasgow, Scotland — who runs a website dedicated to tracking UK policy shifts around the Brexit process — also believes Google has essentially been forced to make the move because the UK government has recently signalled its intent to diverge from European Union standards in future, including on data protection.

“What has changed since January 31 has been [UK prime minister] Boris Johnson making a unilateral statement that the UK will go its own way on data protection, in direct contrast to everything the UK’s data protection regulator and government has said since the referendum,” she told us. “These bombastic, off-the-cuff statements play to his anti-EU base but businesses act on them. They have to.”

“Google’s transfer of UK accounts from the EU to the US is an indication that they do not believe the UK will either seek or receive a data protection adequacy agreement at the end of the transition period. They are choosing to deal with that headache now rather than later. We shouldn’t underestimate how strong a statement this is from the tech sector regarding its confidence in the Johnson premiership,” she added.

Asked whether she believes there will be a reduction in protections for UK users in future as a result of the shift Burns suggested that will largely depend on Google.

So — in other words — Brexit means, er, trust Google to look after your data.

“The European data protection framework is based around a set of fundamental user rights and controls over the uses of personal data — the everyday data flows to and from all of our accounts. Those fundamental rights have been transposed into UK domestic law through the Data Protection Act 2018, and they will stay, for now. But with the Johnson premiership clearly ready to jettison the European-derived system of user rights for the US-style anything goes model,” Burns suggested.

“Google saying there is no change to the way we process users’ data, no change to their privacy settings and no change to the way we treat their information can be taken as an indication that they stand willing to continue providing UK users with European-style rights over their data — albeit from a different jurisdiction — regardless of any government intention to erode the domestic legal basis for those rights.”

Reuters’ report also raises concerns about the impact of the Cloud Act agreement between the UK and the US — which is due to come into effect this summer — suggesting it will pose a threat to the safety of UK Google users’ data once it’s moved out of an EU jurisdiction (in this case Ireland) to the US where the Act will apply.

The Cloud Act is intended to make it quicker and easier for law enforcement to obtain data stored in the cloud by companies based in the other legal jurisdiction.

So in future, it might be easier for UK authorities to obtain UK Google users’ data using this legal instrument applied to Google US.

It certainly seems clear that as the UK moves away from EU standards as a result of Brexit it is opening up the possibility of the country replacing long-standing data protection rights for citizens with a regime of supercharged mass surveillance. (The UK government has already legislated to give its intelligence agencies unprecedented powers to snoop on ordinary citizens’ digital comms — so it has a proven appetite for bulk data.)

Again, Google told us the shift of legal base for its UK users will make no difference to how it handles law enforcement requests — a process it talks about here — and further claimed this will be true even when the Cloud Act applies. Which is a weasely way of saying it will do exactly what the law requires.

Google confirmed that GDPR will continue to apply for UK users during the transition period between the old and new terms. After that it said UK data protection law will continue to apply — emphasizing that this is modelled after the GDPR. But of course in the post-Brexit future the UK government might choose to model it after something very different.

Asked to confirm whether it’s committing to maintain current data standards for UK users in perpetuity, the company told us it cannot speculate as to what privacy laws the UK will adopt in the future… 😬

We also asked why it hasn’t chosen to elect a UK subsidiary as the legal base for UK users. To which it gave a nonsensical response — saying this is because the UK is no longer in the EU. Which begs the question when did the UK suddenly become the 51st American State?

Returning to the wider T&Cs revision, Google said it’s making the changes in a response to litigation in the European Union targeted at its terms.

This includes a case in Germany where consumer rights groups successfully sued the tech giant over its use of overly broad terms which the court agreed last year were largely illegal.

In another case a year ago in France a court ordered Google to pay €30,000 for unfair terms — and ordered it to obtain valid consent from users for tracking their location and online activity.

Since at least 2016 the European Commission has also been pressuring tech giants, including Google, to fix consumer rights issues buried in their T&Cs — including unfair terms. A variety of EU laws apply in this area.

In another change being bundled with the new T&Cs Google has added a description about how its business works to the About Google page — where it explains its business model and how it makes money.

Here, among the usual ‘dead cat’ claims about not ‘selling your information’ (tl;dr adtech giants rent attention; they don’t need to sell actual surveillance dossiers), Google writes that it doesn’t use “your emails, documents, photos or confidential information (such as race, religion or sexual orientation) to personalize the ads we show you”.

Though it could be using all that personal stuff to help it build new products it can serve ads alongside.

Even further towards the end of its business model screed it includes the claim that “if you don’t want to see personalized ads of any kind, you can deactivate them at any time”. So, yes, buried somewhere in Google’s labyrinthine setting exists an opt out.

The change in how Google articulates its business model comes in response to growing political and regulatory scrutiny of adtech business models such as Google’s — including on data protection and antitrust grounds.

Lack of big tech GDPR decisions looms large in EU watchdog’s annual report

By Natasha Lomas

The lead European Union privacy regulator for most of big tech has put out its annual report which shows another major bump in complaints filed under the bloc’s updated data protection framework, underlining the ongoing appetite EU citizens have for applying their rights.

But what the report doesn’t show is any firm enforcement of EU data protection rules vis-a-vis big tech.

The report leans heavily on stats to illustrate the volume of work piling up on desks in Dublin. But it’s light on decisions on highly anticipated cross-border cases involving tech giants including Apple, Facebook, Google, LinkedIn and Twitter.

The General Data Protection Regulation (GDPR) began being applied across the EU in May 2018 — so is fast approaching its second birthday. Yet its file of enforcements where tech giants are concerned remains very light — even for companies with a global reputation for ripping away people’s privacy.

This despite Ireland having a large number of open cross-border investigations into the data practices of platform and adtech giants — some of which originated from complaints filed right at the moment GDPR came into force.

In the report the Irish Data Protection Commission (DPC) notes it opened a further six statutory inquiries in relation to “multinational technology companies’ compliance with the GDPR” — bringing the total number of major probes to 21. So its ‘big case’ file continues to stack up. (It’s added at least two more since then, with a probe of Tinder and another into Google’s location tracking opened just this month.)

The report is a lot less keen to trumpet the fact that decisions on cross-border cases to date remains a big fat zero.

Though, just last week, the DPC made a point of publicly raising “concerns” about Facebook’s approach to assessing the data protection impacts of a forthcoming product in light of GDPR requirements to do so — an intervention that resulted in a delay to the regional launch of Facebook’s Dating product.

This discrepancy (cross-border cases: 21 – Irish DPC decisions: 0), plus rising anger from civil rights groups, privacy experts, consumer protection organizations and ordinary EU citizens over the paucity of flagship enforcement around key privacy complaints is clearly piling pressure on the regulator. (Other examples of big tech GDPR enforcement do exist. Well, France’s CNIL is one.)

In its defence the DPC does have a horrifying case load. As illustrated by other stats its keen to spotlight — such as saying it received a total of 7,215 complaints in 2019; a 75% increase on the total number (4,113) received in 2018. A full 6,904 of which were dealt with under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).

There were also 6,069 data security breaches notified to it, per the report — representing a 71% increase on the total number (3,542) recorded last year.

While a full 457 cross-border processing complaints were received in Dublin via the GDPR’s One-Stop-Shop mechanism. (This is the device the Commission came up with for the ‘lead regulator’ approach that’s baked into GDPR and which has landed Ireland in the regulatory hot seat. tl;dr other data protection agencies are passing Dublin A LOT of paperwork.)

The DPC necessarily has to do back and forth on cross border cases, as it liaises with other interested regulators. All of which, you can imagine, creates a rich opportunity for lawyered up tech giants to inject extra friction into the oversight process — by asking to review and query everything. [Insert the sound of a can being hoofed down the road]

Meanwhile the agency that’s supposed to regulate most of big tech (and plenty else) — which writes in the annual report that it increased its full time staff from 110 to 140 last year — did not get all the funding it asked for from the Irish government.

So it also has the hard cap of its own budget to reckon with (just €15.3M in 2019) vs — for example — Google’s parent Alphabet’s $46.1BN in full year 2019 revenue. So, er, do the math.

Nonetheless the pressure is firmly now on Ireland for major GDPR enforcements to flow.

One year of major enforcement inaction could be filed under ‘bedding in’; but two years in without any major decisions would not be a good look. (It has previously said the first decisions will come early this year — so seems to be hoping to have something to show for GDPR’s 2nd birthday.)

Some of the high profile complaints crying out for regulatory action include behavioral ads serviced via real-time bidding programmatic advertising (which the UK data watchdog has admitted for half a year is rampantly unlawful); cookie consent banners (which remain a Swiss Cheese of non-compliance); and adtech platforms cynically forcing consent from users by requiring they agree to being microtargeted with ads to access the (‘free’) service. (Thing is GDPR stipulates that consent as a legal basis must be freely given and can’t be bundled with other stuff, so… )

Full disclosure: TechCrunch’s parent company, Verizon Media (née Oath), is also under ongoing investigation by the DPC — which is looking at whether it meets GDPR’s transparency requirements under Articles 12-14 of the regulation.

Seeking to put a positive spin on 2019’s total lack of a big tech privacy reckoning, commissioner Helen Dixon writes in the report: “2020 is going to be an important year. We await the judgment of the CJEU in the SCCs data transfer case; the first draft decisions on big tech investigations will be brought by the DPC through the consultation process with other EU data protection authorities, and academics and the media will continue the outstanding work they are doing in shining a spotlight on poor personal data practices.”

In further remarks to the media Dixon said: “At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas.

“Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”

One notable date this year also falls when GDPR turns two — because a Commission review of how the regulation is functioning is looming in May.

That’s one deadline that may help to concentrate minds on issuing decisions.

Per the DPC report, the largest category of complaints it received last year fell under ‘access request’ issues — whereby data controllers are failing to give up (all) people’s data when asked — which amounted to 29% of the total; followed by disclosure (19%); fair processing (16%); e-marketing complaints (8%); and right to erasure (5%).

On the security front, the vast bulk of notifications received by the DPC related to unauthorised disclosure of data (aka breaches) — with a total across the private and public sector of 5,188 vs just 108 for hacking (though the second largest category was actually lost or stolen paper, with 345).

There were also 161 notification of phishing; 131 notification of unauthorized access; 24 notifications of malware; and 17 of ransomeware.

Tradeshift cuts headcount by three figures in effort to turn towards profitability

By Mike Butcher

Last month, Tradeshift, a platform for supply chain payments which has achieved unicorn status in recent years, had some good news and some bad news. It announced a Series F funding round of $240 million in equity and debt, raised from a combination of existing and new investors. It’s now raised a total of $661 million since it started in 2008 and investors include Goldman Sachs, Principal Strategic Investments and Wipro Ventures among others.

The new funding came despite talk of a possible IPO last year. In effect, this new funding round was an admission by the company that it was delaying any IPO and setting the company “on a direct path to profitability in the near future,” which is exactly the kind of noises many larger tech firms have made in the wake of the WeWork and Peloton issues with the public markets.

During that announcement CEO and co-founder Christian Lanng also admitted that the drive toward profitability would mean a cost-cutting exercise ahead of any possible IPO.

Lanng said this would likely mean reducing headcount in its expensive San Francisco offices, but reallocating resources and talent to locations where that is more affordable.

The company has made no formal announcement about the detail on that, but yesterday we got confirmation from the European tech press that the cuts were indeed starting to bite.

The Danish version of ComputerWorld reported that the staffing cuts have now run into three figures and were conducted in mid-January.

The cuts came from headcount at the company’s offices in Copenhagen, San Francisco and other offices.

Mikkel Hippe Brun, a co-founder of Tradeshift and head of the company’s Asian business, confirmed the information to ComputerWorld, but indicated that “there are still some consultations around the world, where we are subject to different rules about notifications and opportunities to raise objections.”

However, he said that the company still has more than 1,000 employees worldwide, which is “significantly more employees” than two years ago.

At the same time, the company has also brought in new executives from SAP, Oracle and Microsoft, among others, as the company tightens its belt, according to ComputerWorld.

Tradeshift has an impressive array of investors, such as Goldman Sachs, although it’s notable that this doesn’t include any of the usual round of typical SaaS-oriented Valley VCs.

Tradeshift customers have included Air France KLM, Kuehne + Nagel International AG, DHL, Fujitsu, HSBC, Siemens, Société Générale, Unilever and Volvo.

Eight Sleep CEO says his startup is more than a mattress company

By Lucas Matney

Matteo Franceschetti, CEO of Eight Sleep, would prefer that you don’t call his startup a mattress company.

Eight Sleep does sell mattresses, albeit smart ones packed with sensors and temperature regulation controls. The company has raised north of $70 million from backers including Founders Fund and Khosla Ventures. A great deal of this funding surrounds the idea that there is more untapped potential in the sleep economy than existing players in the space have been able to imagine.

While Franceschetti says he intends for his company to remain private for the “foreseeable future,” Eight Sleep is in a less-than-comfortable spot following Casper’s botched IPO last week. Though Casper’s stock popped on its first day of trading, the process of pricing its shares ended up leaving its private investors a bit less than ecstatic. Casper debuted trading at a value of $575 million, a far cry from the $1.1 billion private market valuation it had previously achieved.

Franceschetti has been aiming to transform Eight Sleep into a company more focused on a robust tech platform than your average bed-in-a-box company. The startup’s initial effort, a smart sleep cover for your existing mattress, evolved into a mattress with a layer of sensors that then transformed into a sensor-laden mattress with a heating and cooling unit, called “The Pod.” The company’s product development has aimed to build out a more end-to-end platform for sleep, something Franceschetti says has made him reticent to compare his company to other direct-to-consumer mattress companies.

AssoConnect is a service that helps you manage your nonprofit organization

By Romain Dillet

Meet AssoConnect, a French startup that is building a software-as-a-service application to give you all the tools you need to manage your non-profit organization (association in French).

The company just raised a $7.7 million (€7 million) funding round with XAnge and ISAI leading the round. Various business angels, such as Nicolas Macquin, Rodolphe Carle, Michaël Benabou, Thibaud Elzière and Phil Tesler are also participating in today’s funding round.

Many non-profit organizations use tools and services that aren’t really designed for this type of organizations. Some manage members in an Excel spreadsheet, waste a ton of time with accounting tasks and leave money on the table by making it hard to accept donations and memberships.

AssoConnect combines multiple services in its web interface. First, it lets you centralize information about your members in a single database. It acts as a light CRM and you can create multiple groups of members depending on what they do in the organization.

Second, AssoConnect handles memberships and donations directly. You can create a form that interacts directly with your database to help new users join your organization. You can also create a donation module that can automatically generate tax forms. You can also create an online store if you’re selling goods.

If you don’t have a website already, you can use AssoConnect’s template-based website builder. You can also create events and email your members from AssoConnect using Mailgun.

Finally, the startup tries to generate accurate accounting reports based on donations, membership fees, ticket sales, etc. That’s why it makes sense to centralize everything through AssoConnect.

The service offers a free tier for organizations with 30 members or less. But you’ll have to pay a monthly subscription fee if you have higher needs. It’s a tough sell given that non-profit organizations usually don’t have a ton of money to spend on tools and services.

But the company has managed to convince 10,000 French organizations to switch to AssoConnect so far. Up next, AssoConnect wants to hire 80 people in 2020 and launch its service in the U.S.

Challenger business bank Qonto raises $115 million round led by Tencent and DST Global

By Romain Dillet

French startup Qonto has raised a $115 million Series C funding round led by Tencent and DST Global. Today’s news comes a few days after another French fintech startup, Lydia, raised some money from Tencent.

Existing investors Valar and Alven are also participating in today’s funding round. TransferWise co-founder Taavet Hinrikus and Adyen CFO Ingo Uytdehaage are also joining the round. Qonto says it represents the largest funding round for a French fintech company.

Qonto is a challenger bank, or a neobank, but for B2B use cases. Instead of attracting millions of customers like N26 or Monzo, Qonto is serving small and medium companies as well as freelancers in Europe.

According to the startup, business banking in Europe is broken. The company thinks it can provide a much better user experience with an online and mobile-first product.

The company has managed to attract 65,000 companies over the past two years and a half. The product is currently live in France, Italy, Spain and Germany. In 2019 alone, Qonto managed €10 billion in transaction volume.

With today’s funding round, the company plans to double down on its existing markets, develop new features that make the platform work better in each country based on local needs and hire more people. The team should grow from 200 to 300 employees within a year.

Qonto obtained a payment institution license in June 2018 and has developed its own core banking infrastructure. Around 50% of the company’s user base is currently using Qonto’s own core banking system. Others are still relying on a third-party partner.

Moving from one back end to another requires some input from customers, which explains why there are still some customers using the legacy infrastructure. Over the coming months, Qonto plans to launch new payment features that should convince more users to switch to Qonto’s back end.

Even more important, Qonto plans to obtain a credit institution license, which could open up a ton of possibilities when it comes to features and revenue streams. The company says that it should have its new license by the end of the year.

For instance, you could imagine being able to get a credit card, apply for an overdraft and get a small loan with Qonto.

Compared to traditional banks, Qonto lets you open a bank account more easily. After signing up, Qonto offers a modern interface with your activity. You can export your transactions in no time, manage your expenses and get real-time notifications. Qonto also integrates with popular accounting tools.

When it comes to payment methods, Qonto gives you a French IBAN as well as debit cards. You can order physical or virtual cards whenever you want, customize limits and freeze a card. Qonto also supports direct debit and checks. Like many software-as-a-service products, you can also manage multiple user accounts and customize permission levels.

France improves stock options policies for startup employees

By Romain Dillet

A couple of weeks ago, France’s digital minister Cédric O announced some changes when it comes to stock options in France. President Emmanuel Macron is going to talk about the new policy today ahead of the World Economic Forum.

While I don’t want to be too technical, here’s a quick overview of the changes.

First, the price of stock options (also known as BSPCE in France) won’t be based on the same VC-determined valuation. Let’s take an example — a VC fund invests in a Series A round, valuing the company at €12 million.

If you join the company after, you can get stock options based on a lower valuation, which increases the chances of higher returns. Going forward, there will be a different valuation for employees getting stock options.

Second, if you work for a foreign startup but you’re based in France, you couldn’t receive stock options. For instance, if you’re a Citymapper employee — a startup that is headquartered in London — based out of the Paris office, you could forget about stock options. Employees based in France can now receive stock options even if the company isn’t incorporated in France.

Third, the French Tech Visa now also works for foreign companies with an office in Paris. If you work for Berlin-based N26 and you want to hire a great Brazilian data scientist in your Paris office, you can now go through the fast-track visa process for startup employees.

Last year, VC firm Index Ventures coordinated an effort to overhaul stock option policies across Europe by lobbying policymakers. Hundreds of tech CEOs have signed the ‘Not Optional’ letter since then.

According to Index Ventures, Germany, Spain and Belgium are the lowest-ranked European countries when it comes to the regulatory framework around stock options.

Loi de finances 2020 : des mesures fortes pour les startups et leurs salariés. Soutien continu et renforcé aux entreprises de la #FrenchTech qui créeront + de 25 000 emplois directs en 2020 partout en France et pour tous les niveaux de compétence #PLF2020 pic.twitter.com/4qGafp5zYH

— Cédric O (@cedric_o) December 30, 2019

Harvestr gathers user feedback in one place

By Romain Dillet

Meet Harvestr, a software-as-a-service startup that wants to help product managers centralize customer feedback from various places. Product managers can then prioritize outstanding issues and feature requests. Finally, the platform helps you get back to your customers once changes have been implemented.

The company just raised a $650,000 funding round led by Bpifrance with various business angels also participating, such as 360Learning co-founders Nicolas Hernandez and Guillaume Alary as well as Station F director Roxanne Varza through the Atomico Angel Programme.

Harvestr integrates directly with Zendesk, Intercom, Salesforce, Freshdesk, Slack and Zapier. For instance, if a user opens a ticket on Zendesk and another user interacts with your support team through an Intercom chat widget, everything ends up in Harvestr.

Once you have everything in the system, Harvestr helps you prioritize tasks that seem more urgent or that are going to have a bigger impact.

When you start working on a feature or when you’re about to ship it, you can contact your users who originally reached out to talk to you about it.

Eventually, Harvestr should help you build a strong community of power users around your product. And there are many advantages in pursuing this strategy.

First, you reward your users by keeping them in the loop. It should lead to higher customer satisfaction and lower churn. Your most engaged customers could also become your best ambassadors to spread the word around.

Harvestr costs $49 per month for 5 seats and $99 per month for 20 seats. People working for 360Learning, HomeExchange, Dailymotion and other companies are currently using it.

Matera raises $11.2 million to let you handle residential property management yourself

By Romain Dillet

Matera, the French startup formerly known as illiCopro, is raising an $11.2 million funding round (€10 million). The company has been building a SaaS platform to give you all the tools you need to handle property management for your residential building.

Index Ventures is leading the round, with existing investor Samaipata also participating. Business angels, such as Bertrand Jelensperger, Paulin Dementhon and Marc-David Choukroun are also participating.

In France, there are two ways to handle property management of residential buildings. Co-owners of the hallways, elevator and common space of the building can either hire a company to do it and handle all the pesky tasks, or you can do it yourself.

Matera wants to target the second category — co-owners who want to manage their building themselves. Other startups, such as Bellman, have chosen a different approach. Matera has built a web-based platform to view information, communicate with other co-owners and make sure everything is up-to-date.

Everybody has their own account and can access the platform. Co-owners meet regularly to handle outstanding issues. Matera centralizes all topics, helps you write a report and checks that it complies with legal requirements.

Matera then handles everything that involves money. You can collect money from co-owners every month and check how your money is spent. The platform tries to do the heavy lifting when it comes to accounting.

Finally, Matera helps you manage contracts with partners — elevator maintenance, heating maintenance, cleaning company, water, electricity, insurance, taking care of the garden, etc. You get an address book for your partners, and the company is working on a way to help you switch to another partner from the platform.

If there’s something you don’t feel comfortable doing yourself, Matera can help you work with legal, accounting, insurance and construction experts.

So far, Matera has managed to attract 1,000 residential buildings representing 25,000 users. The company plans to expand to other European countries in the future, starting with Belgium, Spain, Italy and Germany. With today’s funding round, the company plans to hire 100 persons.

Mozilla lays off 70 as it waits for new products to generate revenue

By Frederic Lardinois

Mozilla laid off about 70 employees today, TechCrunch has learned.

In an internal memo, Mozilla chairwoman and interim CEO Mitchell Baker specifically mentions the slow rollout of the organization’s new revenue-generating products as the reason for why it needed to take this action. The overall number may still be higher, though, as Mozilla is still looking into how this decision will affect workers in the U.K. and France. In 2018, Mozilla Corporation (as opposed to the much smaller Mozilla Foundation) said it had about 1,000 employees worldwide.

“You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search. This did not happen,” Baker writes in her memo. “Our 2019 plan underestimated how long it would take to build and ship new, revenue-generating products. Given that, and all we learned in 2019 about the pace of innovation, we decided to take a more conservative approach to projecting our revenue for 2020. We also agreed to a principle of living within our means, of not spending more than we earn for the foreseeable future.”

Mozilla has decided to lay some folks off and restructure things. All the leads in QA got let go. I haven’t been let go (so far). No idea what I will be working on or who I will be reporting to. Some good work friends let go :(

— Chris Hartjes (@grmpyprogrammer) January 15, 2020

Baker says laid-off employees will receive “generous exit packages” and outplacement support. She also notes that the leadership team looked into shutting down the Mozilla innovation fund but decided that it needed it in order to continue developing new products. In total, Mozilla is dedicating $43 million to building new products.

“As we look to the future, we know we must take bold steps to evolve and ensure the strength and longevity of our mission,” Baker writes. “Mozilla has a strong line of sight to future revenue generation, but we are taking a more conservative approach to our finances. This will enable us to pivot as needed to respond to market threats to internet health, and champion user privacy and agency.”

The organization last reported major layoffs in 2017.

Over the course of the last few months, Mozilla started testing a number of new products, most of which will be subscription-based once they launch. The marquee feature here is including its Firefox Private Network and a device-level VPN service that is yet to launch, but will cost around $4.99 per month.

All of this is part of the organization’s plans to become less reliant on income from search partnerships and to create more revenue channels. In 2018, the latest year for which Mozilla has published its financial records, about 91% of its royalty revenues came from search contracts.

We have reached out to Mozilla for comment and will update this post once we hear more.

Update (1pm PT): In a statement posted to the Mozilla blog, Mitchell Baker reiterates that Mozilla had to make these cuts in order to fund innovation. “Mozilla has a strong line of sight on future revenue generation from our core business,” she writes. “In some ways, this makes this action harder, and we are deeply distressed about the effect on our colleagues. However, to responsibly make additional investments in innovation to improve the internet, we can and must work within the limits of our core finances”


Here is the full memo:

Office of the CEO <officeoftheceo@mozilla.com>
to all-moco-mofo

Hi all,

I have some difficult news to share. With the support of the entire Steering Committee and our Board, we have made an extremely tough decision: over the course of today, we plan to eliminate about 70 roles from across MoCo. This number may be slightly larger as we are still in a consultation process in the UK and France, as the law requires, on the exact roles that may be eliminated there. We are doing this with the utmost respect for each and every person who is impacted and will go to great lengths to take care of them by providing generous exit packages and outplacement support. Most will not join us in Berlin. I will send another note when we have been able to talk to the affected people wherever possible, so that you will know when the notifications/outreach are complete.

This news likely comes as a shock and I am sorry that we could not have been more transparent with you along the way. This is never my desire. Reducing our headcount was something the Steering Committee considered as part of our 2020 planning and budgeting exercise only after all other avenues were explored. The final decision was made just before the holiday break with the work to finalize the exact set of roles affected continuing into early January (there are exceptions in the UK and France where we are consulting on decisions.) I made the decision not to communicate about this until we had a near-final list of roles and individuals affected.

Even though I expect it will be difficult to digest right now, I would like to share more about what led to this decision. Perhaps you can come back to it later, if that’s easier.

You may recall that we expected to be earning revenue in 2019 and 2020 from new subscription products as well as higher revenue from sources outside of search. This did not happen. Our 2019 plan underestimated how long it would take to build and ship new, revenue-generating products. Given that, and all we learned in 2019 about the pace of innovation, we decided to take a more conservative approach to projecting our revenue for 2020. We also agreed to a principle of living within our means, of not spending more than we earn for the foreseeable future.

This approach is prudent certainly, but challenging practically. In our case, it required difficult decisions with painful results. Regular annual pay increases, bonuses and other costs which increase from year-to-year as well as a continuing need to maintain a separate, substantial innovation fund, meant that we had to look for considerable savings across Mozilla as part of our 2020 planning and budgeting process. This process ultimately led us to the decision to reduce our workforce.

At this point, you might ask if we considered foregoing the separate innovation fund, continuing as we did in 2019. The answer is yes but we ultimately decided we could not, in good faith, adopt this. Mozilla’s future depends on us excelling at our current work and developing new offerings to expand our impact. And creating the new products we need to change the future requires us to do things differently, including allocating funds, $43M to be specific, for this purpose. We will discuss our plans for making innovation robust and successful in increasing detail as we head into, and then again at, the All Hands, rather than trying to do so here.

As we look to the future, we know we must take bold steps to evolve and ensure the strength and longevity of our mission. Mozilla has a strong line of sight to future revenue generation, but we are taking a more conservative approach to our finances. This will enable us to pivot as needed to respond to market threats to internet health, and champion user privacy and agency.

I ask that we all do what we can to support each other through this difficult period.

Mitchell

Mobile payment app Lydia raises $45 million round led by Tencent

By Romain Dillet

French startup Lydia is raising a $45 million Series B round (€40 million). Tencent is leading the round with existing investors CNP Assurances, XAnge and New Alpha also participating.

If you live in France, chances are you already know Lydia quite well. The company has become a ubiquitous mobile payment app, especially for people under 30 years old. Think about it as a sort of Square Cash or Venmo, but for France.

“At first, we wanted to raise less but we ended up raising more,” Lydia co-founder and CEO Cyril Chiche told me in a phone interview.

The company has managed to attract 3 million users in France. More impressive, 25% of French people between 18 and 30 years old have a Lydia account — and 5,000 people sign up every day. Lydia currently has 90 employees.

More recently, the company has expanded beyond peer-to-peer payment. First, the company wants to help you manage your money in many different ways with an important value — everything should happen in real time.

You can create multiple Lydia accounts to put some money aside or use money in that sub-account for a specific purpose. That feature alone turns the app into a versatile money management app.

For instance, you can associate a Lydia payment card with a Lydia account and a virtual card with another Lydia account — that virtual card works with Apple Pay, Google Pay, Samsung Pay and more. You can change those settings in real time.

You can share accounts with other Lydia users. And shared accounts are truly shared — everyone can top up and withdraw money from that account. You can spend directly from that account or withdraw money to another account.

You can also turn any Lydia account into a money pot account. In just a few taps, you can generate a link and share it with your friends so that they can add money using their regular payment card or a Lydia account.

More recently, the company has introduced “the market”, a marketplace of other financial products. From the Lydia app, you can borrow up to €1,000 in just a few seconds. You can also insure your phone and other mobile devices. You can get some free credit when you open a bank account, insure your home with Luko, switch to another electricity and gas provider, compare mobile phone and internet providers and more.

And that strategy is going to be key in the future. “We have an ambitious goal, which is turning Lydia into a mobile financial service app,” Chiche said.

He also pointed out that the company that has been the most successful when it comes to creating a mobile marketplace of financial products is Tencent with WeChat.

“Tencent is also the number one player in the video game industry, and there’s no industry with as much user engagement,” Chiche said. Tencent acquired Supercell, bought 40% of Epic Games, acquired Riot Games (League of Legends), invested in Ubisoft, Activision Blizzard, Discord, etc. Lydia hopes that it can learn from Tencent on the user engagement front.

Compared to many fintech startups, Lydia doesn’t want to replace banks altogether — the company says it wants to build a meta-banking app. Peer-to-peer payments represent the top of the funnel and a great user acquisition strategy thanks to networking effects.

You can then connect your Lydia account with your bank account and your debit card. This way, you can send money back and forth between your Lydia accounts and your bank account. As a user, that strategy slowly pays off over time. After a while, you end up spending money directly from your Lydia account and relying more heavily on Lydia’s native payment features, with your bank account acting as a money back end.

At the bottom of the funnel, Lydia hopes that it can turn active Lydia users into paid customers with a handful of in-house and third-party financial products. In other words, Lydia doesn’t want to become a credit institution like a traditional bank, it wants to become a financial hub. Expanding the marketplace will be a big focus for the company going forward.

While Lydia is available in other European countries, Lydia is still massively used in its home market with other markets lagging behind. With today’s funding round, growth in foreign countries is going to be the second key topic.

Mass surveillance for national security does conflict with EU privacy rights, court advisor suggests

By Natasha Lomas

Mass surveillance regimes in the UK, Belgium and France which require bulk collection of digital data for a national security purpose may be at least partially in breach of fundamental privacy rights of European Union citizens, per the opinion of an influential advisor to Europe’s top court issued today.

Advocate general Campos Sánchez-Bordona’s (non-legally binding) opinion, which pertains to four references to the Court of Justice of the European Union (CJEU), takes the view that EU law covering the privacy of electronic communications applies in principle when providers of digital services are required by national laws to retain subscriber data for national security purposes.

A number of cases related to EU states’ surveillance powers and citizens’ privacy rights are dealt with in the opinion, including legal challenges brought by rights advocacy group Privacy International to bulk collection powers enshrined in the UK’s Investigatory Powers Act; and a La Quadrature du Net (and others’) challenge to a 2015 French decree related to specialized intelligence services.

At stake is a now familiar argument: Privacy groups contend that states’ bulk data collection and retention regimes have overreached the law, becoming so indiscriminately intrusive as to breach fundamental EU privacy rights — while states counter-claim they must collect and retain citizens’ data in bulk in order to fight national security threats such as terrorism.

Hence, in recent years, we’ve seen attempts by certain EU Member States to create national frameworks which effectively rubberstamp swingeing surveillance powers — that then, in turn, invite legal challenge under EU law.

The AG opinion holds with previous case law from the CJEU — specifically the Tele2 Sverige and Watson judgments — that “general and indiscriminate retention of all traffic and location data of all subscribers and registered users is disproportionate”, as the press release puts it.

Instead the recommendation is for “limited and discriminate retention” — with also “limited access to that data”.

“The Advocate General maintains that the fight against terrorism must not be considered solely in terms of practical effectiveness, but in terms of legal effectiveness, so that its means and methods should be compatible with the requirements of the rule of law, under which power and strength are subject to the limits of the law and, in particular, to a legal order that finds in the defence of fundamental rights the reason and purpose of its existence,” runs the PR in a particularly elegant passage summarizing the opinion.

The French legislation is deemed to fail on a number of fronts, including for imposing “general and indiscriminate” data retention obligations, and for failing to include provisions to notify data subjects that their information is being processed by a state authority where such notifications are possible without jeopardizing its action.

Belgian legislation also falls foul of EU law, per the opinion, for imposing a “general and indiscriminate” obligation on digital service providers to retain data — with the AG also flagging that its objectives are problematically broad (“not only the fight against terrorism and serious crime, but also defence of the territory, public security, the investigation, detection and prosecution of less serious offences”).

The UK’s bulk surveillance regime is similarly seen by the AG to fail the core “general and indiscriminate collection” test.

There’s a slight carve out for national legislation that’s incompatible with EU law being, in Sánchez-Bordona’s view, permitted to maintain its effects “on an exceptional and temporary basis”. But only if such a situation is justified by what is described as “overriding considerations relating to threats to public security or national security that cannot be addressed by other means or other alternatives, but only for as long as is strictly necessary to correct the incompatibility with EU law”.

If the court follows the opinion it’s possible states might seek to interpret such an exceptional provision as a degree of wiggle room to keep unlawful regimes running further past their legal sell-by-date.

Similarly, there could be questions over what exactly constitutes “limited” and “discriminate” data collection and retention — which could encourage states to push a ‘maximal’ interpretation of where the legal line lies.

Nonetheless, privacy advocates are viewing the opinion as a positive sign for the defence of fundamental rights.

In a statement welcoming the opinion, Privacy International dubbed it “a win for privacy”. “We all benefit when robust rights schemes, like the EU Charter of Fundamental Rights, are applied and followed,” said legal director, Caroline Wilson Palow. “If the Court agrees with the AG’s opinion, then unlawful bulk surveillance schemes, including one operated by the UK, will be reined in.”

The CJEU will issue its ruling at a later date — typically between three to six months after an AG opinion.

The opinion comes at a key time given European Commission lawmakers are set to rethink a plan to update the ePrivacy Directive, which deals with the privacy of electronic communications, after Member States failed to reach agreement last year over an earlier proposal for an ePrivacy Regulation — so the AG’s view will likely feed into that process.

This makes the revised e-Privacy Regulation a *huge* national security battleground for the MSes (they will miss the UK fighting for more surveillance) and is v relevant also to the ongoing debates on “bulk”/mass surveillance, and MI5’s latest requests… #ePR

— Ian Brown (@1Br0wn) January 15, 2020

The opinion may also have an impact on other legislative processes — such as the talks on the EU e-evidence package and negotiations on various international agreements on cross-border access to e-evidence — according to Luca Tosoni, a research fellow at the Norwegian Research Center for Computers and Law at the University of Oslo.

“It is worth noting that, under Article 4(2) of the Treaty on the European Union, “national security remains the sole responsibility of each Member State”. Yet, the advocate general’s opinion suggests that this provision does not exclude that EU data protection rules may have direct implications for national security,” Tosoni also pointed out. 

“Should the Court decide to follow the opinion… ‘metadata’ such as traffic and location data will remain subject to a high level of protection in the European Union, even when they are accessed for national security purposes.  This would require several Member States — including Belgium, France, the UK and others — to amend their domestic legislation.”

Waymo buys Latent Logic, drives deeper into simulation and Europe

By Kirsten Korosec

Waymo has acquired Latent Logic, a UK company that spun out of Oxford University’s computer science department, as the autonomous vehicle company seeks to beef up its simulation technology.

The acquisition also marks the launch of Waymo’s first European engineering hub will be in Oxford, UK. This likely won’t be the end of Waymo’s expansion and investment in Europe and the UK. The former Google self-driving project that is now an Alphabet business said it will continue to look for opportunities to grow the team in the UK and Europe.

Earlier this year, Waymo locked in an exclusive partnership with Renault and Nissan to research how commercial autonomous vehicles might work for passengers and packages in France and Japan. In October, Waymo said that its working with Renault to study the possibility of establishing an autonomous transportation route in Paris.

Waymo has made simulation a one of the pillars of its autonomous vehicle development program. But Latent Logic could help Waymo make its simulation more realistic by using a form of machine learning called imitation learning.

Imitation learning models human behavior of motorists, cyclists and pedestrians. The idea is that by modeling the mistakes and imperfect driving of humans, the simulation will become more realistic and theoretically improve Waymo’s behavior prediction and planning.

Waymo isn’t sharing financial details of the acquistion. But it appears that the two founders Shimon Whiteson and João Messia, CEO Kirsty Lloyd-Jukes and key members of the engineering and technical team will join Waymo. The Latent Logic team will remain in Oxford.

“By joining Waymo, we are taking a big leap towards realizing our ambition of safe, self-driving vehicles,” said Latent Logic co-founder and chief scientist Shimon Whiteson. “In just two years, we have made significant progress in using imitation learning to simulate real human behaviors on the road. I’m excited by what we can now achieve in combining this expertise with the talent, resources and progress Waymo have already made in self-driving technology.”

Yubo raises $12.3 million for its social app for teens

By Romain Dillet

French startup Yubo has raised a $12.3 million funding round led by Iris Capital and Idinvest Partners. Existing investors Alven, Sweet Capital and Village Global are also participating. The startup has managed to attract 25 million users over the years — there are currently tens of thousands of people signing up to the platform every day.

Yubo is building a social media app for young people under 25 with one focus in particular on helping teenagers meeting new people and creating friendships. Compared to the most popular social media apps out there, Yubo isn’t focused on likes and followers.

Instead, the app helps you build your own tiny little community of friends. Yubo wants to become a familiar place where you belong, even if high school sucks for instance.

More details in my previous profile of the company:

In addition to meeting new people, you can start conversations and create live video streams to hang out together. Each stream represents a micro-community of people interacting through both video and a live chat.

Since 2015, Yubo users have sent each other 10 billion messages and started 30 million live video streams. Overall, the user base has generated 2 billion friendships.

Soon, users will be able to turn on screensharing to show something on their phones. And at some point in 2020, Yubo should release Yubo Web in order to expand Yubo beyond your smartphone and enable new use cases, such as video game live-streaming.

With today’s funding round, the company wants to attract users in new markets. Yubo is mostly active in the U.S., Canada, the U.K., Nordic countries, Australia and France. Up next, the startup is going to focus on Japan and Brazil. The company plans to hire 35 new people.

When it comes to business model, the company started monetizing its app in October 2018 with in-app purchases to unlock new features. In 2019, the startup has generated $10 million in revenue.

Yubo will also use this funding round to improve safety. It’s a never-ending process, especially when there are young people using your platform. The company already partners with Yoti for age verification. Users will soon be able to create a blocklist of certain words to customize their experience.

In addition to continuous work on flagging tools and live-stream moderation algorithms in order to detect inappropriate content, the company will also increase the size of its moderation team. The company has also put together a safety board with Alex Holmes, Annie Mullins, Travis Bright, Mick Moran, Dr. Richard Graham and Anne Collier.

❌