
GM will bring an electric truck to market in 2021

By Kirsten Korosec

GM CEO Mary Barra said Thursday that the automaker will bring its first electric truck to market in the fall of 2021.

The comments were made Thursday during GM’s investor day. Later this evening, Tesla, which also plans to start selling an electric truck in 2021, will reveal its “cybertruck” at an event in Hawthorne, Calif. Reuters first reported the news.

“General Motors understands truck buyers and… people who are new coming into the truck market,” Barra said during the investor conference, explaining the company’s rationale for the move.

GM’s foray into electric trucks has been public before. Last month, the Detroit Free Press reported that GM’s Detroit-Hamtramck Assembly Plant would remain open to produce an electric pickup under a deal between the UAW and the automaker.

This is the first time the company has provided a timeline.

Several other companies are expected to bring electric trucks to the marketplace in the next several years, including newcomer Rivian, Tesla and Ford.

A 10-point plan to reboot the data industrial complex for the common good

By Natasha Lomas

A posthumous manifesto by Giovanni Buttarelli, who until his death this summer was Europe’s chief data protection regulator, seeks to join the dots of surveillance capitalism’s rapacious colonization of human spaces, via increasingly pervasive and intrusive mapping and modelling of our data, with the existential threat posed to life on earth by manmade climate change.

In a dense document rich with insights and ideas around the notion that “data means power” — and therefore that the unequally distributed data-capture capabilities currently enjoyed by a handful of tech platforms sums to power asymmetries and drastic social inequalities — Buttarelli argues there is potential for AI and machine learning to “help monitor degradation and pollution, reduce waste and develop new low-carbon materials”. But only with the right regulatory steerage in place.

“Big data, AI and the internet of things should focus on enabling sustainable development, not on an endless quest to decode and recode the human mind,” he warns. “These technologies should — in a way that can be verified — pursue goals that have a democratic mandate. European champions can be supported to help the EU achieve digital strategic autonomy.”

“The EU’s core values are solidarity, democracy and freedom,” he goes on. “Its conception of data protection has always been the promotion of responsible technological development for the common good. With the growing realisation of the environmental and climatic emergency facing humanity, it is time to focus data processing on pressing social needs. Europe must be at the forefront of this endeavour, just as it has been with regard to individual rights.”

One of his key calls is for regulators to enforce transparency of dominant tech companies — so that “production processes and data flows are traceable and visible for independent scrutiny”.

“Use enforcement powers to prohibit harmful practices, including profiling and behavioural targeting of children and young people and for political purposes,” he also suggests.

Another point in the manifesto urges a moratorium on “dangerous technologies”, citing facial recognition and killer drones as examples, and calling generally for a pivot away from technologies designed for “human manipulation” and toward “European digital champions for sustainable development and the promotion of human rights”.

In an afterword penned by Shoshana Zuboff, the US author and scholar writes in support of the manifesto’s central tenet, warning pithily that: “Global warming is to the planet what surveillance capitalism is to society.”

There’s plenty of overlap between Buttarelli’s ideas and Zuboff’s — who has literally written the book on surveillance capitalism. Data concentration by powerful technology platforms is also resulting in algorithmic control structures that give rise to “a digital underclass… comprising low-wage workers, the unemployed, children, the sick, migrants and refugees who are required to follow the instructions of the machines”, he warns.

“This new instrumentarian power deprives us not only of the right to consent, but also of the right to combat, building a world of no exit in which ignorance is our only alternative to resigned helplessness, rebellion or madness,” she agrees.

There are no less than six afterwords attached to the manifesto — a testament to the store in which Buttarelli’s ideas are held among privacy, digital and human rights campaigners.

The manifesto “goes far beyond data protection”, says writer Maria Farrell in another contribution. “It connects the dots to show how data maximisation exploits power asymmetries to drive global inequality. It spells out how relentless data-processing actually drives climate change. Giovanni’s manifesto calls for us to connect the dots in how we respond, to start from the understanding that sociopathic data-extraction and mindless computation are the acts of a machine that needs to be radically reprogrammed.”

At the core of the document is a 10-point plan for what’s described as “sustainable privacy”, which includes the call for a dovetailing of the EU’s digital priorities with a Green New Deal — to “support a programme for green digital transformation, with explicit common objectives of reducing inequality and safeguarding human rights for all, especially displaced persons in an era of climate emergency”.

Buttarelli also suggests creating a forum for civil liberties advocates, environmental scientists and machine learning experts who can advise on EU funding for R&D to put the focus on technology that “empowers individuals and safeguards the environment”.

Another call is to build a “European digital commons” to support “open-source tools and interoperability between platforms, a right to one’s own identity or identities, unlimited use of digital infrastructure in the EU, encrypted communications, and prohibition of behaviour tracking and censorship by dominant platforms”.

“Digital technology and privacy regulation must become part of a coherent solution for both combating and adapting to climate change,” he suggests in a section dedicated to a digital Green New Deal — even while warning that current applications of powerful AI technologies appear to be contributing to the problem.

“AI’s carbon footprint is growing,” he points out, underlining the environmental wastage of surveillance capitalism. “Industry is investing based on the (flawed) assumption that AI models must be based on mass computation.

“Carbon released into the atmosphere by the accelerating increase in data processing and fossil fuel burning makes climatic events more likely. This will lead to further displacement of peoples and intensification of calls for ‘technological solutions’ of surveillance and border controls, through biometrics and AI systems, thus generating yet more data. Instead, we need to ‘greenjacket’ digital technologies and integrate them into the circular economy.”

Another key call — and one Buttarelli had been making presciently in recent years — is for more joint working between EU regulators towards common sustainable goals.

“All regulators will need to converge in their policy goals — for instance, collusion in safeguarding the environment should be viewed more as an ethical necessity than as a technical breach of cartel rules. In a crisis, we need to double down on our values, not compromise on them,” he argues, going on to voice support for antitrust and privacy regulators to co-operate to effectively tackle data-based power asymmetries.

“Antitrust, democracies’ tool for restraining excessive market power, therefore is becoming again critical. Competition and data protection authorities are realising the need to share information about their investigations and even cooperate in anticipating harmful behaviour and addressing ‘imbalances of power rather than efficiency and consent’.”

On the General Data Protection Regulation (GDPR) specifically — Europe’s current framework for data protection — Buttarelli gives a measured assessment, saying “first impressions indicate big investments in legal compliance but little visible change to data practices”.

He says Europe’s data protection authorities will need to use all the tools at their disposal — and find the necessary courage — to take on the dominant tracking and targeting digital business models fuelling so much exploitation and inequality.

He also warns that GDPR alone “will not change the structure of concentrated markets or in itself provide market incentives that will disrupt or overhaul the standard business model”.

“True privacy by design will not happen spontaneously without incentives in the market,” he adds. “The EU still has the chance to entrench the right to confidentiality of communications in the ePrivacy Regulation under negotiation, but more action will be necessary to prevent further concentration of control of the infrastructure of manipulation.”

Looking ahead, the manifesto paints a bleak picture of where market forces could be headed without regulatory intervention focused on defending human rights. “The next frontier is biometric data, DNA and brainwaves — our thoughts,” he suggests. “Data is routinely gathered in excess of what is needed to provide the service; standard tropes, like ‘improving our service’ and ‘enhancing your user experience’ serve as decoys for the extraction of monopoly rents.”

There is optimism too, though — that technology in service of society can be part of the solution to existential crises like climate change; and that data, lawfully collected, can support public good and individual self-realization.

“Interference with the right to privacy and personal data can be lawful if it serves ‘pressing social needs’,” he suggests. “These objectives should have a clear basis in law, not in the marketing literature of large companies. There is no more pressing social need than combating environmental degradation” — adding that: “The EU should promote existing and future trusted institutions, professional bodies and ethical codes to govern this exercise.”

In instances where platforms are found to have systematically gathered personal data unlawfully, Buttarelli trails the interesting idea of an amnesty for those responsible “to hand over their optimisation assets” – as a means of not only resetting power asymmetries and rebalancing the competitive playing field but enabling societies to reclaim these stolen assets and reapply them for a common good.

While his hope for Europe’s Data Protection Board — the body which offers guidance and coordinates interactions between EU Member States’ data watchdogs — is to be “the driving force supporting the Global Privacy Assembly in developing a common vision and agenda for sustainable privacy”.

The manifesto also calls for European regulators to better reflect the diversity of people whose rights they’re being tasked with safeguarding.

The document, which is entitled Privacy 2030: A vision for Europe, has been published on the website of the International Association of Privacy Professionals ahead of its annual conference this week.

Buttarelli had intended — but was finally unable — to publish his thoughts on the future of privacy this year, hoping to inspire discussion in Europe and beyond. In the event, the manifesto has been compiled posthumously by Christian D’Cunha, head of his private office, who writes that he has drawn on discussions with the data protection supervisor in his final months — with the aim of plotting “a plausible trajectory of his most passionate convictions”.

New York State Attorney General reportedly investigating WeWork

By Catherine Shu

WeWork is reportedly being investigated by the New York State Attorney General. According to Reuters, the NYAG’s questions include if WeWork founder and former CEO Adam Neumann engaged in self-dealing.

A WeWork spokesperson said in an email that “we have received an inquiry from the office of the New York State Attorney General and are cooperating in the matter.” TechCrunch also contacted the New York State Attorney General’s office for comment. WeWork is headquartered in New York City.

This comes less than a week after Bloomberg reported WeWork is the subject of a U.S. Securities and Exchange Commission inquiry into potential rule violations related to its cancelled IPO.

WeWork’s parent company, The We Company, announced on Sept. 30 that it was withdrawing its S-1 filing for an initial public offering, shortly after Neumann stepped down as CEO. In addition to questions about the company’s financial state, red flags for investors included that Neumann had borrowed against his WeWork shares and leased properties he owned back to the company.

An entity Neumann controlled also sold the company the right to use the word “We” for $5.9 million, though he later asked the company to unwind the agreement and returned the money after public criticism.

After receiving a lifeline from investor SoftBank worth up to $8 billion, WeWork is now engaging in major cost-cutting measures, including layoffs at Meetup, which it acquired for $200 million in 2017.

Microsoft announces changes to cloud contract terms following EU privacy probe

By Natasha Lomas

Chalk up another win for European data protection: Microsoft has announced changes to commercial cloud contracts following privacy concerns raised by European Union data protection authorities.

The changes to contractual terms will apply globally and to all its commercial customers — whether public or private sector entity, or large or small business, it said today.

The new contractual provisions will be offered to all public sector and enterprise customers at the beginning of 2020, it adds.

In October Europe’s data protection supervisor warned that preliminary results of an investigation into contractual terms for Microsoft’s cloud services had raised serious concerns about compliance with EU data protection rules and the role of the tech giant as a data processor for EU institutions.

Writing on its EU Policy blog, Julie Brill, Microsoft’s corporate VP for global privacy and regulatory affairs and chief privacy officer, announces the update to privacy provisions in the Online Services Terms (OST) of its commercial cloud contracts — saying it’s making the changes as a result of “feedback we’ve heard from our customers”.

“The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud,” she writes.

She also says the changes reflect those Microsoft developed in consultation with the Dutch Ministry of Justice and Security — which comprised both amended contractual terms and technical safeguards and settings — after the latter carried out risk assessments of Microsoft’s OST earlier this year and also raised concerns.

Specifically, Microsoft is accepting greater data protection responsibilities for additional processing involved in providing enterprise services, such as account management and financial reporting, per Brill:

Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.

Microsoft currently designates itself as a data processor, rather than data controller for these administrative and operations functions that can be linked to provision of commercial cloud services, such as its Azure platform.

But under Europe’s General Data Protection framework a data controller has the widest obligations around handling personal data — with responsibility under Article 5 of the GDPR for the lawfulness, fairness and security of the data being processed — and therefore also greater legal risk should it fail to meet the standard.

So, from a regulatory point of view, Microsoft’s current commercial contract structure poses a risk for EU institutions of user data ending up being processed under a lower standard of legal protection than is merited.

The announced switch from data processor to controller should raise the bar around associated purposes that Microsoft may also provide to commercial customers of its cloud services.

For the latter purpose itself, Microsoft says it will remain the data processor, as well as for improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.

In August a conference organized jointly by the EU’s data protection supervisor and the Dutch Ministry brought together EU customers of cloud giants to work on a joint response to regulatory risks related to cloud software provision.

Earlier this year the Dutch Ministry obtained contractual changes and technical safeguards and settings in the amended contracts it agreed with Microsoft.

“The only substantive differences in the updated terms [that will roll out globally for all commercial cloud customers] relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base,” Brill writes now.

Microsoft’s blog post also points to other global privacy-related changes it says were made following feedback from the Dutch MOJ and others — including a roll out of new privacy tools across major services; specific changes to Office 365 ProPlus; and increased transparency regarding use of diagnostic data.

‘Magic: The Gathering’ game maker exposed 452,000 players’ account data

By Zack Whittaker

The maker of Magic: The Gathering has confirmed that a security lapse exposed the data on hundreds of thousands of game players.

The game’s developer, the Washington-based Wizards of the Coast, left a database backup file in a public Amazon Web Services storage bucket. The database file contained user account information for the game’s online arena. But there was no password on the storage bucket, allowing anyone with the bucket’s name to access the files inside.

The bucket is not believed to have been exposed for long — since around early September — but it was long enough for U.K. cybersecurity firm Fidus Information Security to find the database.

A review of the database file showed there were 452,634 players’ information, including about 470 email addresses associated with Wizards’ staff. The database included player names and usernames, email addresses, and the date and time of the account’s creation. The database also had user passwords, which were hashed and salted, making them difficult but not impossible to unscramble.

None of the data was encrypted. The accounts date back to at least 2012, according to our review of the data.

Fidus reached out to Wizards of the Coast but did not hear back. It was only after TechCrunch reached out that the game maker pulled the storage bucket offline.

Bruce Dugan, a spokesperson for the game developer, told TechCrunch in a statement: “We learned that a database file from a decommissioned website had inadvertently been made accessible outside the company.”

“We removed the database file from our server and commenced an investigation to determine the scope of the incident,” he said. “We believe that this was an isolated incident and we have no reason to believe that any malicious use has been made of the data,” but the spokesperson did not provide any evidence for this claim.

“However, in an abundance of caution, we are notifying players whose information was contained in the database and requiring them to reset their passwords on our current system,” he said.

Harriet Lester, Fidus’ director of research and development, said it was “surprising in this day and age that misconfigurations and lack of basic security hygiene still exist on this scale, especially when referring to such large companies with a userbase of over 450,000 accounts.”

“Our research team work continuously, looking for misconfigurations such as this to alert companies as soon as possible to avoid the data falling into the wrong hands. It’s our small way of helping make the internet a safer place,” she told TechCrunch.

The game maker said it informed the U.K. data protection authorities about the exposure, in line with breach notification rules under Europe’s GDPR regulations. The U.K.’s Information Commissioner’s Office did not immediately return an email to confirm the disclosure.

Companies can be fined up to 4% of their annual turnover for GDPR violations.

California’s new data privacy law brings U.S. closer to GDPR

By Walter Thompson
Dimitri Sirota Contributor
Dimitri Sirota is CEO and cofounder of data protection and privacy software company BigID. Sirota is an established serial entrepreneur, investor, mentor, and strategist in the technology and cyber security space.

Data privacy has become one of the defining business and cultural issues of our time.

Companies around the world are scrambling to properly protect their customers’ personal information (PI). However, new regulations have actually shifted the definition of the term, making everything more complicated. With the California Consumer Privacy Act (CCPA) taking effect in January 2020, companies have limited time to get a handle on the customer information they have and how they need to care for it. If they don’t, they not only risk being fined, but also loss of brand reputation and consumer trust — which are immeasurable.

California was one of the first states to provide an express right of privacy in its constitution and the first to pass a data breach notification law, so it was not surprising when state lawmakers in June 2018 passed the CCPA, the nation’s first statewide data privacy law. The CCPA isn’t just a state law — it will become the de facto national standard for the foreseeable future, because the sheer number of Californians means most businesses in the country will have to comply. The requirements aren’t insignificant. Companies will have to disclose to California customers what data of theirs has been collected, delete it and stop selling it if the customer requests. The fines could easily add up — $7,500 per violation if intentional, $2,500 for those lacking intent and $750 per affected user in civil damages.

Evolution of personal information

It used to be that the meaning of personally identifiable information (PII) from a legal standpoint was clear — data that can distinguish the identity of an individual. By contrast, the standard for mere PI was lower because there was so much more of it; if PI is a galaxy, PII was the solar system. However, the CCPA and the EU’s General Data Protection Regulation (GDPR), which went into effect in 2018, have shifted the definition to include additional types of data that were once fairly benign. The CCPA enshrines personal data rights for consumers, a concept that GDPR first brought into play.

The GDPR states: “Personal data should be as broadly interpreted as possible,” which includes all data associated with an individual, which we call “contextual” information. This includes any information that can “directly or indirectly” identify a person, including real names and screen names, identification numbers, birth date, location data, network addresses, device IDs, and even characteristics that describe the “physical, physiological, genetic, mental, commercial, cultural, or social identity of a person.” This conceivably could include any piece of information about a person that isn’t anonymized.

With the CCPA, the United States is playing catch up to the GDPR and similarly expanding the scope of the definition of personal data. Under the CCPA, personal information is “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This includes a host of information that typically doesn’t raise red flags but which, when combined with other data, can triangulate to a specific individual, like biometric data, browsing history, employment and education data, as well as inferences drawn from any of the relevant information to create a profile “reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.”

Know the rules, know the data

These regulations aren’t checklist rules; they require big changes to technology and processes, and a rethinking of what data is and how it should be treated. Businesses need to understand what rules apply to them and how to manage their data. Information management has become a business imperative, but most companies lack a clear road map to do it properly. Here are some tips companies can follow to ensure they are meeting the letter and the spirit of the new regulations.

  • Figure out which regulations apply to you

The regulatory landscape is constantly changing with new rules being adopted at a rapid rate. Every organization needs to know which regulations they need to comply with and understand the distinctions between them. Some core aspects CCPA and GDPR share include data subject rights fulfillment and automated deletion. But there will be differences, so having a platform that allows you to handle a heterogeneous environment at scale is important.

  • Create a privacy compliance team that works well with others

Where top VCs are investing in fintech

By Arman Tabatabai

Over the past several years, ‘fintech’ has quietly become the unsung darling of venture.

A rapidly swelling pool of new startups is taking aim at the large incumbent institutions, complex processes and outdated unfriendly interfaces that mar billion dollar financial services verticals, such as insurtech, consumer lending, personal finance, or otherwise.  

In just the past summer, the startup community saw a multitude of hundred-million dollar fintech fundraises. In 2018, fintech companies were the source of close to 1,300 venture deals worth over $15 billion in North America and Europe alone according to data from Pitchbook. Over the same period, KPMG estimates that over $52 billion in investment poured into fintech initiatives globally.

With the non-stop stream of venture capital flowing into the never-ending list of spaces that fall under the ‘fintech’ umbrella, we asked 12 leading fintech VCs who work at firms that span early to growth stages to share where they see the most opportunity and how they see the market evolving over the long-term.

The participants touched on a number of key trends in the space, including rapid innovation in fintech infrastructure, fintech companies embedding themselves in specific verticals and platforms, rebundling and unbundling of financial services offerings, the rise of challenger banks and the state of fintech valuations into 2020.

Charles Birnbaum, Partner, Bessemer Venture Partners

The great ‘rebundling’ of fintech innovation is in full swing. The emerging consumer leaders in fintech — Chime, SoFi, Robinhood, Credit Karma, and Bessemer portfolio company Betterment — are moving quickly to increase their share of wallet with their valuable customers and become a one-stop-shop for people’s financial lives.

In 2020, we anticipate continued entrepreneurial activity and investor enthusiasm around the infrastructure and middleware layers within the fintech ecosystem that are enabling further rebundling and a rapid convergence of product themes and business models across the consumer fintech landscape.

Many players now look like potential challenger bank models more akin to what we have seen unfold in Europe the past few years. Within consumer fintech, we at Bessemer are more focused on demographically-specific product offerings that tap into underserved themes, whether that be the financial problems facing the aging population in the US or new models to serve the underbanked or underserved population of consumers and small businesses.

Ian Sigalow, Co-founder & Partner, Greycroft

What trends are you most excited about in fintech from an investing perspective?

I suspect that many enterprise software companies become fintech companies over time — collecting payments on behalf of customers and growing revenues as your customers grow. We have seen this trend in many industries over the past few years. Business owners generally prefer a model that moves IT expenditures from Operating Expenses into Cost of Goods Sold, because they can increase prices and pass their entire budget onto the customer.

On the consumer side, we have already made investments in branchless banking, insurance (auto, home, health, workers comp), cross-border payments, alternative investments, loyalty cards/services, and roboadvisor services. The companies we funded are already a few years old, and I think we will have some interesting follow-on activity there over the next few years. We have been picking spots where we think we have an unfair competitive advantage.

Our fintech portfolio is also more global than other sectors we invest in. This is because there are opportunities to achieve billion dollar outcomes in fintech, even in countries that are much smaller than the United States. That is not true in many other sectors.

We have also seen trends emerge in the US and move abroad. As an example we seeded Flutterwave, which is similar to Stripe, and they have expanded across Africa. We were also the lead investor in Yeahka, which is similar to Square in China. These products are heavily localized — for instance Yeahka is the largest processor of QR code payments in the world, but QR code payments are not popular in the US yet.

How much time are you spending on fintech right now? Is the market under-heated, over-heated, or just right?

Fintech is about a quarter of my time right now. We continue to see interesting new ideas and the valuations have been more or less consistent over time. The broader market doesn’t impact us very much because we tend to have a 10 year holding period.

Are there startups that you wish you would see in the industry but don’t?

A network of ‘camgirl’ sites exposed millions of users and sex workers

By Zack Whittaker

A number of popular “camgirl” sites have exposed millions of sex workers and users after the company running the sites left the back-end database unprotected.

The sites, run by Barcelona-based VTS Media, include amateur.tv, webcampornoxxx.net, and placercams.com. Most of the sites’ users are based in Spain and Europe, but we found evidence of users across the world, including the United States.

According to Alexa traffic rankings, amateur.tv is one of the most popular in Spain.

The database, containing months’ worth of daily logs of the site activities, was left without a password for weeks. Those logs included detailed records of when users logged in — including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful.

The exposed data also revealed which videos users were watching and renting, exposing kinks and private sexual preferences.

In all, the logs were detailed enough to see which users were logging in, from where, and often their email addresses or other identifiable information — which in some cases we could match to real-world identities.

Not only were users affected, the “camgirls” — who broadcast sexual content to viewers — also had some of their account information exposed.

The database was shut off last week, allowing us to publish our findings.

The “camgirl” site, which exposed millions of users’ and sex workers’ account data by failing to protect a backend database with a password. (Image: TechCrunch)

Researchers at Condition:Black, a cybersecurity and internet freedom firm, discovered the exposed database.

“This was a serious failure from a technical and compliance perspective,” said John Wethington, founder of Condition:Black. “After reviewing the sites’ data privacy policy and terms and conditions, it’s clear that users likely had no idea that their activities were being monitored to this level of detail.”

“Users should always take into consideration the implications of their data leaking but especially where the implications could be life altering,” he said.

Data exposures — where companies inadvertently leave their own systems open for anyone to access — have become increasingly common in recent years. Dating sites are among those with some of the most sensitive data. Earlier this year, a group dating site 3Fun exposed over a million users’ data, allowing researchers to view users’ real-time locations without permission. These security lapses can be extremely damaging to their users, exposing private sexual encounters and preferences known only to the users themselves. The fallout following the 2016 hack of affair-focused site Ashley Madison resulted in families breaking up and several reports of suicides connected to the breach.

An email to VTS Media bounced over the weekend and the company could not be reached for comment.

Given both the company and its servers are located in Europe, the exposure of sexual preferences would fall under the “special categories” of GDPR rules, which require more protections. Companies can be fined up to 4% of their annual turnover for GDPR violations.

A spokesperson for the Spanish data protection authority (AEPD) did not respond to a request for comment outside business hours.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Sydney’s AirTree Ventures closes $275M fund as Aussie unicorns gather pace

By Mike Butcher

The Australian tech scene has, in the last few years, started to generate a swathe of startups that have broken through internationally. Prior to this current era, Australia was seen as very much a local market in tech terms, with only occasional breakouts, like Atlassian. In fact, it’s now gaining a reputation as a serial producer of high-quality tech platforms, the hottest of which right now is Canva, which recently raised an additional $85 million to bring its valuation to $3.2 billion, up from $2.5 billion in May. Investors in the company include Bond, General Catalyst, Bessemer Venture Partners, Blackbird and Sequoia China. Notably, Sydney-based AirTree Ventures also invested early.

So that momentum is further confirmed by the news that AirTree has closed its 3rd fund of $275m. This new fund comes after AirTree’s $250m fund in 2016 and a $60m fund in 2014. You can clearly see the buildup in these numbers.

John Henderson, Partner said: “The interest from investors in our fund is a stunning reflection on the performance of the entrepreneurs we’ve been lucky enough to back. We were humbled by overwhelming demand, but felt it was the right thing for our investors to maintain discipline and a consistent fund size across vintages.”

Australian venture capital was less than fashionable after the dotcom boom and bust, and local institutional capital in Australia and New Zealand all but disappeared, hence why we saw so few startups from the region.

AirTree’s $60m fund in 2014 broke that drought and Australia now boasts over 50 tech startups valued at $100 million, 14 over $500 million and produces one ‘unicorn’ per year on average.

AirTree has gone on to invest in Australian and Kiwi startups like Canva, Prospa, Secure Code Warrior, Athena, Flurosat, Brighte, Joyous, Thematic and A Cloud Guru. Prospa, Australia’s main online lender to small businesses, IPO’ed on the Australian Stock Exchange in June 2019.

AirTree can invest as little as $200k, but now has the firepower to own the pipeline all the way up the investment stack.

Craig Blair, Managing Partner commented: “As ex-founders, we have experienced the tough, lonely road ourselves. This empathy with the founder journey helps us focus on when to provide support and when to get out of the way. In our next fund, we’ll be expanding our suite of services and our network of connections, all designed to give our founders an unfair advantage.”

The VC also announced two promotions and a new executive hire:

• Elicia McDonald promoted to Principal, with a mandate to lead new investments
• Emily Close joining the investment team, promoted to Associate
• Melissa Ran leading AirTree’s Community and Advocacy efforts

AirTree’s latest fund is backed by six institutional investors from Australia including AustralianSuper, SunSuper and Statewide. The rest of the new fund comes from a range of successful entrepreneurs and family offices.

Henderson added: “An important portion of our portfolio is already in New Zealand and we remain very focused on supporting that market. We’ve been investing meaningful resources and funds in New Zealand since 2014 and we’ll have more Kiwi news to share soon.”

The fund raise follows news that AirTree portfolio company Property-tech start-up :Different has raised a second round of capital from AirTree, alongside Brisbane-based real estate fund PieLAB, as it expands into Queensland.

EU contracts with Microsoft raising ‘serious’ data concerns, says watchdog

By Natasha Lomas

Europe’s chief data protection watchdog has raised concerns over contractual arrangements between Microsoft and the European Union institutions which are making use of its software products and services.

The European Data Protection Supervisor (EDPS) opened an enquiry into the contractual arrangements between EU institutions and the tech giant this April, following changes to rules governing EU outsourcing.

Today it writes [with emphasis]: “Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.”

We’ve reached out to Microsoft for comment.

A spokesperson for the company told Reuters: “We are committed to helping our customers comply with GDPR [General Data Protection Regulation], Regulation 2018/1725 and other applicable laws. We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”

The preliminary finding follows risk assessments carried out by the Dutch Ministry of Justice and Security, published this summer, which also found similar issues, per the EDPS.

At issue is whether contractual terms are compatible with EU data protection laws intended to protect individual rights across the region.

“Amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals shows that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers,” the watchdog writes today.

“The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals.”

A conference, jointly organized by the EDPS and the Dutch Ministry, which was held in August, brought together EU customers of cloud giants to work on a joint response to tackle regulatory risks related to cloud software provision. The event agenda included a debate on what was billed as “Strategic Vendor Management with respect to hyperscalers such as Microsoft, Amazon Web Services and Google”.

The EDPS says the idea for The Hague Forum — as it’s been named — is to develop a common strategy to “take back control” over IT services and products sold to the public sector by cloud giants.

Such as by creating standard contracts with fair terms for public administration, instead of the EU’s various public bodies feeling forced into accepting T&Cs as written by the same few powerful providers.

Commenting in a statement today, assistant EDPS, Wojciech Wiewiórowski, said: “We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible. The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward. Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA.”

EU data protection law means data controllers who make use of third parties to process personal data on their behalf remain accountable for what’s done with the data — meaning EU public institutions have a responsibility to assess risks around cloud provision, and have appropriate contractual and technical safeguards in place to mitigate risks. So there’s a legal imperative to dial up scrutiny of cloud contracts.

In parallel, the EDPS has been pushing for greater transparency in consumer agreements too.

On the latter front Microsoft’s arrangements with consumers using its desktop OS remain under scrutiny in the EU. Earlier this year the Dutch data protection agency referred privacy concerns about how Windows 10 gathers user data to the company’s lead regulator in Europe.

While this summer the company made changes to its privacy policy for its VoIP product Skype and AI assistant Cortana after media reports revealed it employed contractors who could listen in to audio snippets to improve automated translation and inferences.

The French government, meanwhile, has been loudly pursuing a strategy of digital sovereignty to reduce the state’s reliance on foreign tech providers. Though kicking the cloud giant habit may prove harder than ditching Google search.

Startups Weekly: The unicorn from down under, an Uber TV show and All Raise’s expansion

By Kate Clark

Hello and welcome back to Startups Weekly, a weekend newsletter that dives into the week’s noteworthy news pertaining to startups and venture capital. Before I jump into today’s topic, let’s catch up a bit. Last week, I wrote about Revel, a recent graduate of Y Combinator that’s raised a small seed round.

Remember, you can send me tips, suggestions and feedback to kate.clark@techcrunch.com or on Twitter @KateClarkTweets. If you don’t subscribe to Startups Weekly yet, you can do that here.


What happened this week?

Uber the TV show

Is anyone surprised Mike Isaac’s “Super Pumped” is set to become a TV show? Travis Kalanick’s notorious journey to CEO of Uber and subsequent ouster was made for television. This week, news broke that Showtime’s Brian Koppelman and David Levien, the creators and showrunners of “Billions,” would develop the project, with Isaac himself on board to executive produce. I will be watching.

All Raise expansion

All Raise, an 18-month-old nonprofit organization that seeks to amplify the voices of and support women in tech, announced new chapters in Los Angeles and Boston this week. I spoke with leaders of the organization about expansion plans, new hires, product launches and more. “Women are hungry for the support and guidance we provide. I think the movement is just gathering momentum,” All Raise CEO Pam Kostka told me.

The unicorn from down under

You’ve probably heard of Canva by now. The Australian tech company, which has developed a simplified graphic design tool, is worth a whopping $3.2 billion as of this week. Investors in the company include Bond, General Catalyst, Bessemer Venture Partners, Blackbird and Sequoia China. Alongside a fresh $85 million funding, Canva is also making its foray into enterprise with the launch of Canva for Enterprise. Read about that here.


What else?

  1. The Station, TechCrunch’s Kirsten Korosec’s new weekly newsletter, has officially launched. She is going deep each week on all things mobility and transportation. You can read her first one here and subscribe here.
  2. ‘Cloud kitchens’ is an oxymoron, says TechCrunch editor Danny Crichton. He penned an interesting piece this week, arguing cloud kitchens are just adding more competition to one of the most competitive industries in the world, and that isn’t a path to leverage.
  3. NASA made history this week when astronauts Christina H. Koch and Jessica Meir took part in the first-ever spacewalk in the agency’s history featuring only women. No, this isn’t startup-related but it’s pretty damn cool. Watch the video here.

NASA astronauts Christina H. Koch and Jessica Meir


VC deals


Startup spotlight: Petalfox. I discovered the business earlier this week. Basically, it’s a super easy way to order flowers, coffee and other goods via SMS. I’m trying it out. That’s all.


Equity

This week was honestly a treat. We had myself in the studio along with Alex Wilhelm and a special guest, Sarah Guo from Greylock Partners, a venture firm (obviously). Guo has the distinction of having the best-ever fun fact on the show. We kicked off with Grammarly, a company that recently put $90 million into its accounts. Then chatted about Lattice, Tempest, WeWork, SaaS, the future of valuations in Silicon Valley and more if you can believe it. Listen here.

Equity drops every Friday at 6:00 am PT, so subscribe to us on iTunes, Overcast and all the casts.

India’s NoBroker raises $50M to help people buy and rent without real estate brokers

By Manish Singh

An Indian startup that is attempting to improve how people in the nation rent or buy an apartment by not paying any brokerage just raised a significant amount of capital to further expand its business.

NoBroker said on Wednesday it has raised $50 million in a new financing round. The Series D round for the Bangalore-based real estate property operator was led by Tiger Global Management and included participation from existing investor General Atlantic. The five-year-old startup, which closed its previous financing round in June, has raised $121 million to date. The new round valued NoBroker at about $300 million, a person familiar with the matter told TechCrunch.

NoBroker operates in Bengaluru, Chennai, Gurgaon, Mumbai, Hyderabad and Pune cities in India. The startup has established itself as one of the largest players in the real estate business. It operates over 2.5 million properties on its website and is adding more than 280,000 new users each month, Amit Kumar, cofounder and CEO of NoBroker, told TechCrunch in an interview.

Real estate brokers in India, as is true in other markets, help people find properties. But they can charge up to 10 months worth of rent (leasing) — or a single-digit percent of the apartment’s worth if someone is buying the property — in urban cities as their commission. NoBroker allows the owner of a property to directly connect with potential tenants to remove brokerage charges from the equation.

The startup makes money in three ways. First, it lets non-paying users get in touch with only nine property owners. Those who wish to contact more property owners are required to pay a fee. Second, property owners can opt to pay NoBroker to have its representatives deal with prospective buyers — in a move that ironically makes the startup serve as a broker.

NoBroker also offers end-to-end services such as rent agreements and movers and packers, for which it also charges a fee. The startup says it uses machine learning to speed up the transactions and make its service low-cost.

The new financing round is oddly smaller than the $51 million NoBroker had raised in June this year. Saurabh Garg, chief business officer of NoBroker, told TechCrunch in an interview that the founding team did not want to dilute their stake in the startup, hence they opted for a smaller round.

NoBroker is competing with a number of players including heavily backed NestAway, which counts Goldman Sachs and Tiger Global among its investors. NestAway operates in eight cities and has raised north of $100 million to date. Budget hotel startup Oyo, which has already become one of the largest hotel businesses in the world, also operates in NoBroker’s territory with Oyo Living.

But NoBroker’s Kumar said he does not see Oyo and other startups as competition. Instead, “these other players are some of its largest clients,” he said. India’s real estate industry is estimated to grow to $1 trillion in worth by 2030.

Where top VCs are investing in edtech

By Eric Peckham

Education is a $4 trillion market globally in urgent need of overhaul — so where within education are top venture capitalists optimistic about startups building large businesses by providing new solutions?

According to EdSurge, $1.45 billion of venture capital (a mere 1.1% of the $130 billion in US venture funding) was invested in education startups in the US in 2018; there were only 112 education-focused deals. In line with the trend in venture capital overall, this represented an increase in overall capital but a concentration in fewer deals (mainly large late-stage rounds).

Education is regarded as a tough market for achieving VC scale returns. Selling into school districts and universities is difficult and slow, and freemium models that go direct-to-teachers have struggled to monetize.

New software, content, and financing solutions for learning outside the traditional school system are more compelling business opportunities. This is particularly the case in vocational training where the return on investment of an educational program or tool can be quantitatively measured in job offers and salary increases.

I asked four leading edtech VCs and six of the top generalist VCs (who have a track record of education investments) to share where they see opportunity in this sector:

  • Jennifer Carolan, Reach Capital
  • Amit Mukherjee, NEA
  • Michael Staton, Learn Capital
  • Annie Kadavy, Redpoint Ventures
  • Aydin Senkut, Felicis Ventures
  • Matt Greenfield, Rethink Education
  • Hemant Taneja, General Catalyst Partners
  • Marlon Nichols, MaC Venture Capital
  • Jan Lynn-Matern, Emerge Education
  • Charles Birnbaum, Bessemer Venture Partners

Here are their answers…

Image via Getty Images / doyata

Jennifer Carolan, General Partner at Reach Capital (an education-focused VC firm in Palo Alto with investments including Abl, BetterLesson, Epic!, Handshake, Holberton School, Newsela, Outschool, and Tinkergarten):

“Human-centered learning has been traditionally limited to one’s physical geography but technology is unlocking learning opportunities that never before existed.  We’re particularly interested in the marketplaces that are better matching supply and demand across experiential learning, educator coaching, tutoring, and online small groups.

Auto workers’ strike pushes GM losses past $1 billion

By Kirsten Korosec

The workers’ strike against General Motors — now in its third week — has cost the automaker more than $1 billion during the third quarter, according to a research note from J.P. Morgan analyst Ryan Brinkman.

And those losses are accelerating with each passing week. GM lost about $480 million during the first week of the strike and another $575 million in the second, according to Brinkman. GM is losing about $82 million of potential profit in North America every day.

TechCrunch will update the article if GM responds to a request for comment.

The production stoppage, which began Sept. 16 when 49,000 United Auto Workers went on strike, is causing a ripple effect through the Detroit automaker’s global operations. AP reported Tuesday that GM has shut down its pickup truck and transmission factories in Silao, Mexico, affecting 6,000 workers there. GM has also had to close an engine factory in Mexico and an assembly plant in Canada because of the strike.

“GM’s US production stopped immediately when the UAW [United Auto Workers] walked off the job on September 16 and we estimate its Canadian and Mexican facilities became progressively impacted throughout the first week,” Brinkman wrote in his research note this week.

Jefferies analyst Philippe Houchois also weighed in this week noting that the strike could restrict GM’s ability to make investments.

While pay, benefits and the status of temporary workers are the primary drivers of the strike, so are concerns about changes within the automaker towards electrification. GM and the rest of the automotive industry are pouring money into developing electric vehicles. But this shift is also affecting workers because electric vehicles, which require fewer parts, are easier to build. The UAW has said the shift from gas to electric engines could lead to a loss of 35,000 jobs over the next few years, according to a research study conducted by the union and recently noted by CNBC.

Last November GM CEO and Chairman Mary Barra announced plans to cut more than 14,000 jobs in North America, shutter factories and eliminate several car models in an effort to transform into a nimble company focused on high-margin SUVs, crossovers and trucks and investments in future products like electric and autonomous vehicles.

The actions were meant to safeguard the automaker from an expected downturn in the U.S. market and increase GM’s annual free cash flow by about $6 billion. But it has also caused discontent and concern among workers.

Europe’s top court says active consent is needed for tracking cookies

By Natasha Lomas

Europe’s top court has ruled that pre-checked consent boxes for dropping cookies are not legally valid.

Consent must be obtained prior to storing or accessing non-essential cookies, such as tracking cookies for targeted advertising. Consent cannot be implied or assumed.

It’s a decision that — at a stroke — plunges websites into legal hot water in Europe if their cookie notices don’t ask for consent first. As many don’t, preferring not to risk their ability to track users for ad targeting.

Now they could be risking a big fine under EU privacy laws if they don’t obtain valid consent for tracking.

Full text of the CJEU cookie ruling improves understanding of #GDPR consent. Preselected fields make it impossible to detect if user consented. #ePrivacy https://t.co/rzuVEzGtRi

— Lukasz Olejnik (@lukOlejnik) October 1, 2019

Sites that have relied upon opting EU users into ad-tracking cookies in the hopes they’ll just click okay to make the cookie banner go away are in for a rude awakening.

Or, to put it another way, the ruling should put a stop to some, er, ‘creative’ interpretations of the rules around cookies that manage to completely miss the point of the law…

ehem

at here refreshing Curia press release page & noticed their own non-compliant #cookie notice – spot the irony on their cookie information page – looks like the Court are about to render their own site illegal wrt to pre-ticked boxes… a little embarrassing… #privacy #planet49 pic.twitter.com/ewdEqQqrvb

— Alexander Hanff (@alexanderhanff) October 1, 2019

The decision is also likely to influence the ongoing reform of ePrivacy rules — which govern online tracking.

While the outcome of that very heavily lobbied piece of legislation remains to be seen today’s ruling is clearly a win for privacy.

Planet49 case

The backstory to today’s ruling is that a German court asked the CJEU for a decision in a case relating to a lottery website, Planet49, which had required users to consent to the storage of cookies in order to play a promotional game.

In an earlier opinion an influential advisor to the court also took the view that affirmative action, not simple inaction, must be necessary to constitute consent.

Today the CJEU agreed, handing down a final judgement which makes it plain that consent can’t be assumed — it requires an active opt-in from users.

In a punchily brief press release the court writes:

In today’s judgment, the Court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a prechecked checkbox which that user must deselect to refuse his or her consent.

That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.

The Court notes that consent must be specific so that the fact that a user selects the button to participate in a promotional lottery is not sufficient for it to be concluded that the user validly gave his or her consent to the storage of cookies.

Furthermore, according to the Court, the information that the service provider must give to a user includes the duration of the operation of cookies and whether or not third parties may have access to those cookies.

So, to sum up, pre-checked consent boxes (or cookie banners that tell you a cookie has already been dropped and pointlessly invite you to click ‘ok’) aren’t valid under EU law. 

Furthermore cookie consent can’t be bundled with another purpose (in the Planet49 case the promotional lottery) — at least if that fuzzy signal is being used to stand for consent.

There’s also an interesting new requirement which looks set to shrink the ability of service operators to obfuscate how persistently they’re tracking Internet users.

For consent to cookies to be legally valid the court now says the user must be provided with some specific information on the tracking, namely: How long the cookie will operate, and who their data will be shared with. So, er, awkward…

The most interesting thing is how the Court justifies that info on cookie duration/those who can access should be provided. ePrivacy refers to data protection law on the information provided, but as ePrivacy is not always about personal data, the info reqs in DP don't always fit

— Michael Veale (@mikarv) October 1, 2019

What's more interesting: sites must inform about the duration of cookie validity. This is interesting insight, and was not generally followed. Should be identical to 'Expires' or 'Max-Age' setting when cookies are set. Does it also apply to SameSite configuration? #GDPR #ePrivacy pic.twitter.com/f55AtbqArb

— Lukasz Olejnik (@lukOlejnik) October 1, 2019

“Extending information requirement to include cookie configuration details is an interesting twist that will provide more information to users,” Dr. Lukasz Olejnik, an independent cybersecurity advisor and research associate at the Center for Technology and Global Affairs at Oxford University, told us.

“Sites will need to be wary to be sure that the user-facing text matches the actually used values of max-age or expires attributes. It is also interesting to wonder if sites will want to provide similar information about other cookie attributes.”
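The check described in that comment can be automated. The sketch below is an added example, not code from the article or from anyone quoted in it: it compares the lifetime each `Set-Cookie` header actually sets (`Max-Age` takes precedence over `Expires`, per RFC 6265) with the duration a cookie notice declares. The cookie names, header values and notice table are constructed sample data, and the one-day tolerance is an assumption.

```javascript
// Constructed sample data: Set-Cookie headers as a server might emit them,
// and the durations (in seconds) a hypothetical cookie notice declares.
const DAY = 86400;
const SAMPLE_NOW = Date.parse("2019-10-01T00:00:00Z");
const SAMPLE_HEADERS = [
  "_track=abc123; Max-Age=63072000; Path=/; Secure; SameSite=None", // 730 days
  "ad_id=xyz; Expires=Thu, 01 Oct 2020 00:00:00 GMT; Path=/",       // 366 days
  "prefs=dark; Max-Age=2592000; Expires=Wed, 01 Jan 2025 00:00:00 GMT", // Max-Age wins
  "sid=s1; Path=/; HttpOnly",                                       // session cookie
];
const SAMPLE_NOTICE = { _track: 30 * DAY, ad_id: 366 * DAY, prefs: 30 * DAY };

// Split one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error(`malformed Set-Cookie: ${header}`);
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Effective lifetime in seconds at time nowMs; null means a session cookie.
function lifetimeSeconds(cookie, nowMs) {
  const { attrs } = cookie;
  if (typeof attrs["max-age"] === "string" && /^-?\d+$/.test(attrs["max-age"])) {
    return Math.max(0, parseInt(attrs["max-age"], 10));
  }
  if (typeof attrs.expires === "string") {
    const t = Date.parse(attrs.expires);
    if (!Number.isNaN(t)) return Math.max(0, Math.round((t - nowMs) / 1000));
  }
  return null;
}

// Report cookies the notice does not mention and cookies whose real lifetime
// differs from the declared one by more than toleranceSec.
function auditCookieNotice(headers, notice, nowMs, toleranceSec = DAY) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    const actual = lifetimeSeconds(cookie, nowMs);
    const listed = Object.prototype.hasOwnProperty.call(notice, cookie.name);
    if (!listed) {
      // Needs human triage: may be a strictly necessary cookie.
      findings.push({ cookie: cookie.name, issue: "undeclared", actual });
      continue;
    }
    const declared = notice[cookie.name];
    if (actual === null) {
      findings.push({ cookie: cookie.name, issue: "session-but-declared", actual, declared });
    } else if (actual > declared + toleranceSec) {
      findings.push({ cookie: cookie.name, issue: "outlives-notice", actual, declared });
    } else if (actual < declared - toleranceSec) {
      findings.push({ cookie: cookie.name, issue: "shorter-than-notice", actual, declared });
    }
  }
  return findings;
}

for (const f of auditCookieNotice(SAMPLE_HEADERS, SAMPLE_NOTICE, SAMPLE_NOW)) {
  console.log(`${f.cookie}: ${f.issue} (actual=${f.actual}s, declared=${f.declared}s)`);
}
```

Run against headers captured from a live response, the same audit flags a notice that has drifted from the deployed cookie configuration.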

Safe to say, there will be some long faces in the ad industry today.

“The Court has made clear that consent should always be manifested in an active manner, and may not be presumed. Therefore, online operators should ensure that they do not collect consent by asking users to unclick a pre-formulated declaration of consent,” said Luca Tosoni, a research fellow in computers and law at the University of Oslo, also commenting on the court ruling.

ePrivacy reform

As we’ve reported before very many sites and services in Europe have, at best, been paying lip service to EU cookie consent requirements — despite the advent of tighter rules coming into force last year under the General Data Protection Regulation (GDPR), which says that consent must be specific, informed and freely given to be a valid legal basis. And despite — more recently — further guidance from DPAs clarifying the rules around consent.

“Before the entry into force of the GDPR, the conditions for consent were interpreted differently across Europe. Today’s judgment is important as it brings some clarity on what should be considered valid consent under EU data protection law,” Tosoni also told us, saying he expects the ruling to result in changes to many cookie notifications.

“National courts and data protection authorities across the EU will need to follow the Court’s interpretation when assessing whether controllers have validly obtained consent. In turn, this should lead to more harmonization in enforcement across Europe, in particular with regard to cookie notices. Thus, I would expect many operators to change their non-compliant consents to conform with the ruling.”

EU law on cookie consent dates back much earlier than the GDPR — to the prior Data Protection Directive and the still in force ePrivacy Directive — Article 5(3) of which specifies that for cookies to be used users must give opt-in consent after being provided with clear and comprehensive information (with only a limited exception for ‘strictly necessary’ cookies).

Although European legislators have been trying for years to agree on an update to the ePrivacy Directive.

A draft proposal for an ePrivacy Regulation was introduced by the Commission at the start of 2017. But negotiations have been anything but smooth — with a blitz of lobbying from the adtech and telecoms industries pushing against a firm requirement for opt-in consent to tracking.

The CJEU’s clarity that consent is required to store and access cookies pushes in the opposite direction. And that firm legal line protecting individual privacy from background tracking technologies should be harder for legislators to ignore.

“Today’s ruling is likely to have a significant impact on the ongoing negotiations on the ePrivacy Regulation which is set to regulate cookie usage, an issue on which European legislators are struggling to find an agreement,” Tosoni also told us, adding: “In the past, the Court’s rulings have had an important impact on the development of the GDPR.”

In the meanwhile, the judgement should at least force some of the more cynical and/or stupid cookie banners to be quietly replaced with something that at least asks for consent.

Cookie walls

That said, the ruling does not resolve all the problems around cookie consent.

Specifically the court has not waded into the contentious forced consent/cookie wall issue. This is where a site requires consent to advertising cookies as the ‘price’ for accessing the sought for service, with the only other option being to leave.

Earlier this year the Dutch DPA deemed cookie walls to be illegal. But the agency’s interpretation is open to legal challenge. Only the CJEU can have the final word.

In the Planet49 case the court sidestepped the issue — saying the referring court did not ask it to rule on the question of “whether it is compatible with the requirement that consent be ‘freely given’, within the meaning of Article 2(h) of Directive 95/46 and of Article 4(11) and Article 7(4) of Regulation 2016/679, for a user’s consent to the processing of his personal data for advertising purposes to be a prerequisite to that user’s participation in a promotional lottery, as appears to be the case in the main proceedings”.

“In those circumstances, it is not appropriate for the Court to consider that question,” it wrote.

Likely it’s doing so because another case is already set to consider that question. Tosoni says he expects the Orange Romania case — which is pending before the court — to further clarify the requirements of valid consent in the context of it being ‘freely given’.

“Some uncertainty on the requirements of valid consent remains. Indeed, in today’s judgment, the Court has primarily clarified what constitutes unambiguous and specific consent, but the Court has, for example, not clarified what degree of autonomy a data subject should enjoy when choosing whether or not to give consent for the latter to be considered “freely given”,” he said.

“Today’s judgment does not provide an answer on the legality of cookie walls, which require consent to access the underlying service. The Court found that it was unable to address this point, as the referring German court had not asked the ECJ to assess the legality of making participation in a lottery — the service at issue in the case — subject to giving advertising cookie consent. Further clarity on this issue may come from the Orange Romania case, which is currently pending before the ECJ.”

We’ve reached out to the IAB Europe for a response to the ruling and to ask what advice it will be issuing to its members. At the time of writing it had not yet responded to these questions. 

Silicon Valley is terrified of California’s privacy law. Good.

By Zack Whittaker

Silicon Valley is terrified.

In a little over three months, California will see the widest-sweeping state-wide changes to its privacy law in years. California’s Consumer Privacy Act (CCPA) kicks in on January 1 and rolls out sweeping new privacy benefits to the state’s 40 million residents — and every tech company in Silicon Valley.

California’s law is similar to Europe’s GDPR. It grants state consumers a right to know what information companies have on them, a right to have that information deleted and the right to opt-out of the sale of that information.

For California residents, these are extremely powerful provisions that allow consumers access to their own information from companies that collect an increasingly alarming amount of data on their users. Look no further than Cambridge Analytica, which saw Facebook profile page data weaponized and used against millions to try to sway an election. And given some of the heavy fines levied in recent months under GDPR, tech companies will have to brace for more fines when the enforcement provision kicks in six months later.

No wonder the law has Silicon Valley shaking in its boots. It absolutely should.

It’s no surprise that some of the largest tech companies in the U.S. — most of which are located in California — lobbied to weaken the CCPA’s provisions. These companies don’t want to be on the hook for having to deal with what they see as burdensome requests enshrined in the state’s new law any more than they currently are for Europeans with GDPR.

Despite the extensive lobbying, California’s legislature passed the bill with minor amendments, much to the chagrin of tech companies in the state.

“Don’t let this post-Cambridge Analytica ‘mea culpa’ fool you into believing these companies have consumers’ best interests in mind,” wrote the ACLU’s Neema Singh Guliani last year, shortly after the bill was signed into law. “This seeming willingness to subject themselves to federal regulation is, in fact, an effort to enlist the Trump administration and Congress in companies’ efforts to weaken state-level consumer privacy protections,” she wrote.

Since the law passed, tech giants have pulled out their last card: pushing for an overarching federal bill.

In doing so, the companies would be able to control their messaging through their extensive lobbying efforts, allowing them to push for a weaker statute that would nullify some of the provisions in California’s new privacy law. They also wouldn’t have to spend a ton on more resources to ensure their compliance with a variety of statutes in multiple states.

Just this month, a group of 51 chief executives — including Amazon’s Jeff Bezos, IBM’s Ginni Rometty and SAP’s Bill McDermott — signed an open letter to senior lawmakers asking for a federal privacy bill, arguing that consumers aren’t clever enough to “understand rules that may change depending upon the state in which they reside.”

Then, the Internet Association, which counts Dropbox, Facebook, Reddit, Snap, Uber (and just today ZipRecruiter) as members, also pushed for a federal privacy law. “The time to act is now,” said the industry group. If the group gets its wish before the end of the year, the California privacy law could be sunk before it kicks in.

And TechNet, a “national, bipartisan network of technology CEOs and senior executives,” also demanded a federal privacy law, claiming — and without providing evidence — that any privacy law should ensure “businesses can comply with the law while continuing to innovate.” Its members include major venture capital firms, including Kleiner Perkins and JC2 Ventures, as well as other big tech giants like Apple, Google, Microsoft, Oracle and Verizon (which owns TechCrunch).

You know there’s something fishy going on when tech giants and telcos team up. But it’s not fooling anyone.

“It’s no accident that the tech industry launched this campaign right after the California legislature rejected their attempts to undermine the California Consumer Privacy Act,” Jacob Snow, a technology and civil liberties attorney at the ACLU of Northern California, told TechCrunch.

“Instead of pushing for federal legislation that wipes away state privacy law, technology companies should ensure that Californians can fully exercise their privacy rights under the CCPA on January 1, 2020, as the law requires,” he said.

There’s little lawmakers in Congress can do in three months before the CCPA deadline, but it won’t stop tech giants from trying.

Californians might not have the CCPA for long if Silicon Valley tech giants and their lobbyists get their way, but rest easy knowing the consumer won — for once.

Ginkgo Bioworks’ dev shop for genetic programming is now worth $4 billion

By Jonathan Shieber

Ginkgo Bioworks is now worth $4 billion after a $290 million capital infusion that will give the company the cash to dramatically expand its developer shop for genetic programming.

The Boston-based company is one of a handful of U.S.-based early-stage companies that are on the forefront of developing the tools to modify genetic material for everyday applications.

“Cells are programmable similar to computers because they run on digital code in the form of DNA,” said Jason Kelly, CEO and co-founder of Ginkgo Bioworks, in a statement. “Ginkgo has the best compiler and debugger for writing genetic code and we use it to program cells for customers in a range of industries. Today’s fundraise will allow us to expand our technology and continue our drive to bring biology into every physical goods industry – materials, clothing, electronics, food, pharmaceuticals, and more. They are all biotech industries but just don’t know it yet.”

Ginkgo makes money in two ways. The company sells its development services to anyone who comes in with an idea. Kelly said that it’d be like any agreement with an entrepreneur who hires a coding shop to develop an application.

For example, if an entrepreneur wanted to develop houseplants that smelled like roses or lilies, they could approach Ginkgo, pay a (not-insignificant) fee, and Ginkgo would do the research into designing something like a lily-scented fern. (Kelly puts the sticker price on that kind of development somewhere in the neighborhood of $10 million, so a founder best believe their product can sell.)

“You don’t need to come in with deep biological know-how,” Kelly says. “The question is, is capital interested in the problem?”

The other way that Ginkgo is approaching the market is by taking equity stakes in businesses that rely on its technology.

Those take the form of joint ventures with companies like Bayer (the first joint venture partner for Ginkgo) and the launch of Joyn, a $100 million spin-out that was created in the summer of 2018.

The two companies are collaborating on the development of seeds that require less fertilizer for growth — something that could save the industry millions and decrease pollution associated with traditional chemical fertilizers.

Since that first spinout, Ginkgo has created three other companies. There’s the $122 million deal to produce rare cannabinoids with the Canadian cannabis company, Cronos; a partnership with Roche that was born out of Ginkgo’s acquisition of Warp Drive Bio; and Motif Foodworks, which is working on manufacturing alternative proteins with $120 million in financing.

Alongside these large-scale initiatives, Ginkgo has signed partnerships with the West Coast powerhouse accelerator program from Y Combinator and a new Boston-based life sciences-focused group called Petri to conduct development work for startups from those programs in exchange for an equity stake.

“We’re not going to have all the good ideas,” says Kelly. “We want to tap the much larger pool of smart people and really have them building on our platform. Of all of the people we can give value to, we can give the most to startups. If we can offer them to do their biowork without all of the fixed costs of building a lab,” that’s valuable, he says.

Investors in the company include Y Combinator, DCVC, MassChallenge, Felicis Ventures, General Atlantic, Baillie Gifford, Bill Gates, and Viking Global.

Private search engine Qwant’s new CEO is Mozilla Europe veteran Tristan Nitot

By Natasha Lomas

French startup Qwant, whose non-tracking search engine has been gaining traction in its home market as a privacy-respecting alternative to Google, has made a change to its senior leadership team as it gears up for the next phase of growth.

Former Mozilla Europe president, Tristan Nitot, who joined Qwant last year as VP of advocacy, has been promoted to chief executive, taking over from François Messager — who also joined in 2018 but is now leaving the business. Qwant co-founder, Eric Leandri, meanwhile, continues in the same role as president.

Nitot, an Internet veteran who worked at Netscape and helped to found Mozilla Europe in 1998, where he later served as president and stayed until 2015 before leaving to write a book on surveillance, brings a wealth of experience in product and comms roles, as well as open source.

Most recently he spent several years working for personal cloud startup, Cozy Cloud.

“I’m basically here to help [Leandri] grow the company and structure the company,” Nitot tells TechCrunch, describing Qwant’s founder as an “amazing entrepreneur, audacious and visionary”.

Market headwinds have been improving for the privacy-focused Google rival in recent years as concern about foreign data-mining tech giants has stepped up in Europe.

Last year the French government announced it would be switching its search default from Google to Qwant. Buying homegrown digital tech is now apparently seen as a savvy product choice as well as good politics.

Meanwhile antitrust attention on dominant search giant Google, both at home and abroad, has led to policy shifts that directly benefit search rivals — such as an update of the default lists baked into its chromium engine which was quietly put out earlier this year.

That behind the scenes change saw Qwant added as an option for users in the French market for the first time. (On hearing the news a sardonic Leandri thanked Google — but suggested Qwant users choose Firefox or the Brave browser for a less creepy web browsing experience.)

“A lot of companies and institutions have decided and have realized basically that they’ve been using a search engine which is not European. Which collects data. Massively. And that makes them uncomfortable,” says Nitot. “They haven’t made a conscious decision about that. Because they bring in a computer which has a browser which has a search engine in it set by default — and in the end you just don’t get to choose which search engine your people use, right.

“And so they’re making a conscious decision to switch to Qwant. And we’ve been spending a lot of time and energy on that — and it’s paying off big time.”

As well as the French administration’s circa 3M desktops being switched by default to Qwant (which it expects will be done this quarter), the pro-privacy search engine has been getting traction from other government departments and regional government, as well as large banks and schools, according to Nitot.

He credits a focus on search products for schoolkids with generating momentum, such as Qwant Junior, which is designed for kids aged 6-12, and excludes sex and violence from search results as well as being ad free. (It’s set to get an update in the next few weeks.) It has also just been supplemented by Qwant School: A school search product aimed at 13-17 year olds.

“All of that creates more users — the kids talk to their parents about Qwant Junior, and the parents install Qwant.com for them. So there’s a lot of momentum creating that growth,” Nitot suggests.

Qwant says it handled more than 18 billion search requests in 2018.

A growing business needs money to fuel it of course. So fundraising efforts involving convertible bonds is one area Nitot says he’ll be focused on in the new role. “We are raising money,” he confirms.

Increasing efficiency — especially on the engineering front — is another key focus for the new CEO.

“The rest will be a focus on the organization, per se, how we structure the organization. How we evolve the company culture. To enable or to improve delivery of the engineering team, for example,” he says. “It’s not that it’s bad it’s just that we need to make sure every dollar or every euro we invest gives as much as possible in return.”

Product wise, Nitot’s attention in the near term will be directed towards shipping a new version of Qwant’s search engine that will involve reengineering core tech to improve the quality of results.

“What we want to do [with v2] is to improve the quality of the results,” he says of the core search product. “You won’t be able to notice any difference, in terms of quality, with the other really good search engines that you may use — except that you know that your privacy is respected by Qwant.

“[As we raise more funding] we will be able to have a lot more infrastructure to run better and more powerful algorithms. And so we plan to improve that internationally… Every language will benefit from the new search engine. It’s also a matter of money and infrastructure to make this work on a web scale. Because the web is huge and it’s growing.

“The new version includes NLP (Natural Language Processing) technology… for understanding language, for understanding intentions — for example do you want to buy something or are you looking for a reference… or a place or a thing. That’s the kind of thing we’re putting in place but it’s going to improve a lot for every language involved.”

Western Europe will be the focus for v2 of the search engine, starting with French, German, Italian, Spanish and English — with a plan to “go beyond that later on”.

Nitot also says there will be staggered rollouts (starting with France), with Qwant planning to run old and new versions in parallel to quality check the new version before finally switching users over.

“Shipping is hard as we used to say at Mozilla,” he remarks, refusing to be fixed to a launch date for v2 (beyond saying it’ll arrive in “less than a year”). “It’s a universal rule; shipping a new product is hard, and that’s what we want to do with version 2… I’ve been writing software since 1980 and so I know how predictions are when it comes to software release dates. So I’m very careful not to make promises.”

Developing more of its own advertising technologies is another focus for Qwant. On this front the aim is to improve margins by leaning less on partners like Microsoft.

“We’ve been working with partners until now, especially on the search engine result pages,” says Nitot. “We put Microsoft advertising on it. And our goal is to ramp up advertising technologies so that we rely on our own technologies — something that we control. And that hopefully will bring a better return.”

Like Google, Qwant monetizes searches by serving ads alongside results. But unlike Google these are contextual ads, meaning they are based on general location plus the substance of the search itself; rather than targeted ads which entail persistent tracking and profiling of Internet users in order to inform the choice of ad (hence feeling like ads are stalking you around the Internet).

Serving contextual ads is a choice that lets Qwant offer a credible privacy pledge that Mountain View simply can’t match.

Yet up until 2006 Google also served contextual ads, as Nitot points out, before its slide into privacy-hostile microtargeting. “It’s a good old idea,” he argues of contextual ads. “We’re using it. We think it really is a valuable idea.” 

Qwant is also working on privacy-sensitive ad tech. One area of current work there is personalization. It’s developing a client-side, browser-based encrypted data store, called Masq, that’s intended to store and retrieve application data through a WebSocket connection. (Here’s the Masq project’s GitHub page.)

“Because we do not know the person that’s using the product it’s hard to make personalization of course. So we plan to do personalization of the product on the client side,” he explains. “Which means the server side will have no more details than we currently do, but on the client side we are producing something which is open source, which stores data locally on your device — whether that’s a laptop or smartphone — in the browser, it is encrypted so that nobody can reuse it unless you decide that you want that to happen.

“And it’s open source so that it’s transparent and can be audited and so that people can trust the technology because it runs on their own device, it stores on their device.”

“Right now it’s at alpha stage,” Nitot adds of Masq, declining to specify when exactly it might be ready for a wider launch.

The new CEO’s ultimate goal for Qwant is to become the search engine for Europe — a hugely ambitious target that remains far out of reach for now, with Google still commanding in excess of 90% regional marketshare. (A dominance that has got its business embroiled in antitrust hot water in Europe.)

Yet the Internet of today is not the same as the Internet of yesterday when Netscape was a browsing staple — until Internet Explorer knocked it off its perch after Microsoft bundled its rival upstart as the default browser on Windows. And the rest, as they say, is Internet history.

Much has changed and much is changing. But abuses of market power are an old story. And as regulators act against today’s self-interested defaults there are savvy alternatives like Qwant primed and waiting to offer consumers a different kind of value.

“Qwant is created in Europe for the European citizens with European values,” says Nitot. “Privacy being one of these values that are central to our mission. It is not random that the CNIL — the French data protection authority — was created in France in 1978. It was the first time that something like that was created. And then GDPR [General Data Protection Regulation] was created in Europe. It doesn’t happen by accident. It’s a matter of values and the way people see their life and things around them, politics and all that. We have a very deep concern about privacy in France. It’s written in the European declaration of human rights.

“We build a product that reflects those values — so it’s appealing to European users.”

Brexit means clear your cookies for democracy

By Natasha Lomas

Brexit looks set to further sink the already battered reputation of tracking cookies after a Buzzfeed report yesterday revealed what appears to be a plan by the UK’s minority government to use official government websites to harvest personal data on UK citizens for targeting purposes.

According to leaked government documents obtained by the news site, the prime minister has instructed government departments to share website usage data that’s collected via gov.uk websites with ministers on a cabinet committee tasked with preparing for a ‘no deal’ Brexit.

It’s not clear how linking up citizens’ use of essential government portals could further ‘no deal’ prep.

Rather the suspicion is it’s a massive, consent-less voter data grab by party political forces preparing for an inevitable general election in which the current Tory PM plans to campaign on a pro-Brexit message.

The instruction to pool gov.uk usage data as a “top priority” is also being justified internally in instructions to civil servants as necessary to accelerate plans for a digital revolution in public services — an odd ASAP to be claiming at a time of national, Brexit-induced crisis when there are plenty more pressing priorities (given the October 31 EU exit date looming).

A government spokesperson nonetheless told Buzzfeed the data is being collected to improve service delivery. They also claimed it’s “anonymized” data.

“Individual government departments currently collect anonymised user data when people use gov.uk. The Government Digital Service is working on a project to bring this anonymous data together to make sure people can access all the services they need as easily as possible,” the spokesperson said, further claiming: “No personal data is collected at any point during the process, and all activity is fully compliant with our legal and ethical obligations.”

However privacy experts quickly pointed out the nonsense of trying to pretend that joined up user data given a shared identifier is in any way anonymous.

So the "it's anonymised" is a lie. You cannot combine individual visits into a single journey without having a shared user identifier. Even a shared pseudonymisation method is a million miles away from "anonymised". https://t.co/TSv7TGLrK6

— Eerke Boiten (@EerkeBoiten) September 10, 2019

 

For those struggling to keep up with the blistering pace of UK political developments engendered by Brexit, this is a government led by a new (and unelected) prime minister, Boris ‘Brexit: Do or Die’ Johnson, and his special advisor, digital guru Dominic Cummings, of election law-breaking Vote Leave campaign fame.

Back in 2015 and 2016, Cummings, then the director of the official Vote Leave campaign, masterminded a plan to win the EU referendum by using social media data to profile voters — blitzing them with millions of targeted ads in the final days of the Brexit campaign.

Vote Leave was later found to have channelled money to Cambridge Analytica-linked Canadian data firm Aggregate IQ to target pro-Brexit ads via Facebook’s platform. Many of which were subsequently revealed to have used blatantly xenophobic messaging to push racist anti-EU messaging when Facebook finally handed over the ad data.

Setting aside the use of xenophobic dark ads to whip up racist sentiment to sell Brexit to voters, and ongoing questions about exactly how Vote Leave acquired data on UK voters for targeting them with political ads (including ethical questions about the use of a football quiz touting a £50M prize run on social media as a mass voter data-harvesting exercise), last year the UK’s Electoral Commission found Vote Leave had breached campaign spending limits through undeclared joint working with another pro-Brexit campaign — via which almost half a million pounds was illegally channeled into Facebook ads.

The Vote Leave campaign was fined £61k by the Electoral Commission, and referred to the police. (An investigation is possibly ongoing.)

Cummings, the ‘huge brain’ behind Vote Leave’s digital strategy, did not suffer a dent in his career as a consequence of all this — on the contrary, he was appointed by Johnson as senior advisor this summer, after Johnson won the Conservative leader contest and so became the third UK PM since the 2016 vote for Brexit.

With Cummings at his side, it’s been full steam ahead for Johnson on social media ads and data grabs, as we reported last month — paving the way for a hoped for general election campaign, fuelled by ‘no holds barred’ data science. Democratic ethics? Not in this digitally disruptive administration!

The Johnson-Cummings pact ignores entirely the loud misgivings sounded by the UK’s information commissioner — which a year ago warned that political microtargeting risks undermining trust in democracy. The ICO called then for an ethical pause. Instead Johnson stuck up a proverbial finger by installing Cummings in No.10.

The UK’s Digital, Culture, Media and Sport parliamentary committee, which tried and failed to get Cummings to testify before it last year as part of a wide-ranging enquiry into online disinformation (a snub for which Cummings was later found in contempt of parliament), also urged the government to update election law as a priority last summer — saying it was essential to act to defend democracy against data-fuelled misinformation and disinformation. A call that was met with cold water.

This means the same old laws that failed to prevent ethically dubious voter data-harvesting during the EU referendum campaign, and failed to prevent social media ad platforms and online payment platforms (hi, Paypal!) from being the conduit for illegal foreign donations into UK campaigns, are now apparently incapable of responding to another voter data heist trick, this time cooked up at the heart of government on the umbrella pretext of ‘preparing for Brexit’.

The repurposing of government departments under Johnson-Cummings for pro-Brexit propaganda messaging also looks decidedly whiffy…

Duty-free shopping with the EU is coming back, if we leave without a deal.

People travelling to EU countries will be able to buy beer, spirits, wine and tobacco without duty being applied in the UK.

🍺🍷Read more👇https://t.co/a46CvaE8lJ pic.twitter.com/uqvzPtoFbO

— HM Treasury (@hmtreasury) September 10, 2019

Given Cummings' focus on data science in the Vote Leave campaign the sudden urgent need for big data collection is extremely concerning. We need immediate clarity about how citizens' data will be protected and won’t be misused for party political purposes. https://t.co/1qtyI6fUJ4

— Tom Watson (@tom_watson) September 10, 2019

Asked about the legality of the data pooling gov.uk plan as reported by Buzzfeed, an ICO spokesperson told us: “People should be able to make informed choices about the way their data is used. That’s why organisations have to ensure that they process personal information fairly, legally and transparently. When that doesn’t happen, the ICO can take action.”

Can — but hasn’t yet.

It’s also not clear what action the ICO could end up taking to purge UK voter data that’s already been (or is in the process of being) sucked out of the Internet to be repurposed for party political purposes — including, judging by the Vote Leave playbook, for microtargeted ads that promote a no holds barred ‘no deal’ Brexit agenda.

One thing is clear: Any action would need to be swiftly enacted and robustly enforced if it were to have a meaningful chance of defending democracy from ethics-free data-targeting.

Sadly, the ICO has yet to show an appetite for swift and robust action where political parties are concerned.

Likely because a report it put out last fall essentially called out all UK political parties for misusing people’s data. It followed up saying it would audit the political parties starting early this year — but has yet to publish its findings.

Concerned opposition MPs are left tweeting into the regulatory abyss — decrying the ‘coup’ and forlornly pressing for action… Though if the political boot were on the other foot it might well be a different story.

Among the cookies used on gov.uk sites are Google Analytics cookies which store information on how visitors got to the site; the pages visited and length of time spent on them; and items clicked on. Which could certainly enable rich profiles to be attached to single visitor IDs.

Visitors to gov.uk properties can switch off Google Analytics measurement cookies, as well as denying gov.uk communications and marketing cookies, and cookies that store preferences — with only “strictly necessary” cookies (which remember form progress and serve notifications) lacking a user toggle.

What should concerned UK citizens do to defend democracy against the data science folks we’re told are being thrown at the Johnson-Cummings GDS data pooling project? Practice good privacy hygiene.

Clear your cookies. Indeed, switch off gov.uk cookies. Deny access wherever and whenever possible.

It’s probably also a good idea to use a fresh browser session each time you need to visit a government website and close the session (with cookies set to clear) immediately you’re done.

When the laws have so spectacularly failed to keep up with the data processors, limiting how your information is gathered online is the only way to be sure. Though as we’ve written before it’s not easy.

Privacy is personal and unfortunately, with the laws lagging, the personal is now trivially cheap and easy to weaponize for political dark arts that treat democracy as a game of PR, debasing the entire system in the process.

If you want to make it more difficult for Dominic Cummings and The Charlatan to scrape data from Government sources to help them turn our democracy into a Turkey-on-the-Thames can I suggest you turn off cookies here? https://t.co/czXnmNtTaj

— Jo Maugham QC (@JolyonMaugham) September 11, 2019

Despite Brexit, UK startups can compete with Silicon Valley to win tech talent

By Arman Tabatabai
Mehul Patel Contributor
Mehul Patel is the CEO of Hired, the marketplace that matches tech talent with the world's most innovative companies.

Brexit has taken over discourse in the UK and beyond. In the UK alone, it is mentioned over 500 million times a day, in 92 million conversations — and for good reason. While the UK has yet to leave the EU, the impact of Brexit has already rippled through industries all over the world. The UK’s technology sector is no exception. While innovation endures in the midst of Brexit, data reveals that innovative companies are losing the ability to attract people from all over the world and are suffering from a substantial talent leak. 

It is no secret that the UK was already experiencing a talent shortage, even without the added pressure created by today’s political landscape. Technology is developing rapidly and demand for tech workers continues to outpace supply, creating a fiercely competitive hiring landscape.

The shortage of available tech talent has already created a deficit that could cost the UK £141 billion in GDP growth by 2028, stifling innovation. Now, with Brexit threatening the UK’s cosmopolitan tech landscape — and the economy at large — we may soon see international tech talent moving elsewhere; in fact, 60% of London businesses think they’ll lose access to tech talent once the UK leaves the EU.

So, how can UK-based companies proactively attract and retain top tech talent to prevent a Brexit brain drain? UK businesses must ensure that their hiring funnels are a top priority and focus on understanding what matters most to tech talent beyond salary, so that they don’t lose out to US tech hubs. 

Brexit aside, why is San Francisco more appealing than the UK?
