February 25th 2020

Facebook’s latest ‘transparency’ tool doesn’t offer much — so we went digging

By Natasha Lomas

Just under a month ago Facebook switched on global availability of a tool which affords users a glimpse into the murky world of tracking that its business relies upon to profile users of the wider web for ad targeting purposes.

Facebook is not going boldly into transparent daylight — but rather offering what privacy rights advocacy group Privacy International has dubbed “a tiny sticking plaster on a much wider problem”.

The problem it’s referring to is the lack of active and informed consent for mass surveillance of Internet users via background tracking technologies embedded into apps and websites, including as people browse outside Facebook’s own content garden.

The dominant social platform is also only offering this feature in the wake of the 2018 Cambridge Analytica data misuse scandal, when Mark Zuckerberg faced awkward questions in Congress about the extent of Facebook’s general web tracking. Since then policymakers around the world have dialled up scrutiny of how its business operates — and realized there’s a troubling lack of transparency in and around adtech generally and Facebook specifically.

Facebook’s tracking pixels and social plugins — aka the share/like buttons that pepper the mainstream web — have created a vast tracking infrastructure which silently informs the tech giant of Internet users’ activity, even when a person hasn’t interacted with any Facebook-branded buttons.

Facebook claims this is just ‘how the web works’. And other tech giants are similarly engaged in tracking Internet users (notably Google). But as a platform with 2.2BN+ users Facebook has got a march on the lion’s share of rivals when it comes to harvesting people’s data and building out a global database of person profiles.

It’s also positioned as a dominant player in an adtech ecosystem which means it’s the one being fed with intel by data brokers and publishers who deploy tracking tech to try to survive in such a skewed system.

Meanwhile the opacity of online tracking means the average Internet user is none the wiser that Facebook can be following what they’re browsing all over the Internet. Questions of consent loom very large indeed.

Facebook is also able to track people’s usage of third party apps if a person chooses a Facebook login option which the company encourages developers to implement in their apps — again the carrot being to be able to offer a lower friction choice vs requiring users create yet another login credential.

The price for this ‘convenience’ is data and user privacy as the Facebook login gives the tech giant a window into third party app usage.

The company has also used a VPN app it bought and badged as a security tool to glean data on third party app usage — though it’s recently stepped back from the Onavo app after a public backlash (though that did not stop it running a similar tracking program targeted at teens).

Background tracking is how Facebook’s creepy ads function (it prefers to call such behaviorally targeted ads ‘relevant’) — and how they have functioned for years.

Yet it’s only in recent months that it’s offered users a glimpse into this network of online informers — by providing limited information about the entities that are passing tracking data to Facebook, as well as some limited controls.

From ‘Clear History’ to “Off-Facebook Activity”

Originally briefed in May 2018, at the crux of the Cambridge Analytica scandal, as a ‘Clear History’ option this has since been renamed ‘Off-Facebook Activity’ — a label so bloodless and devoid of ‘call to action’ that the average Facebook user, should they stumble upon it buried deep in unlovely settings menus, would more likely move along than feel moved to carry out a privacy purge.

(For the record you can access the setting here — but you do need to be logged into Facebook to do so.)

The other problem is that Facebook’s tool doesn’t actually let you purge your browsing history, it just delinks it from being associated with your Facebook ID. There is no option to actually clear your browsing history via its button. Another reason for the name switch. So, no, Facebook hasn’t built a clear history ‘button’.

“While we welcome the effort to offer more transparency to users by showing the companies from which Facebook is receiving personal data, the tool offers little way for users to take any action,” said Privacy International this week, criticizing Facebook for “not telling you everything”.

As the saying goes, a little knowledge can be a dangerous thing. So a little transparency implies — well — anything but clarity. And Privacy International sums up the Off-Facebook Activity tool with an apt oxymoron — describing it as “a new window to the opacity”.

“This tool illustrates just how impossible it is for users to prevent external data from being shared with Facebook,” it writes, warning with emphasis: “Without meaningful information about what data is collected and shared, and what are the ways for the user to opt-out from such collection, Off-Facebook activity is just another incomplete glimpse into Facebook’s opaque practices when it comes to tracking users and consolidating their profiles.”

It points out, for instance, that the information provided here is limited to a “simple name” — thereby preventing the user from “exercising their right to seek more information about how this data was collected”, which EU users at least are entitled to.

“As users we are entitled to know the name/contact details of companies that claim to have interacted with us. If the only thing we see, for example, is the random name of an artist we’ve never heard before (true story), how are we supposed to know whether it is their record label, agent, marketing company or even them personally targeting us with ads?” it adds.

Another criticism is Facebook is only providing limited information about each data transfer — with Privacy International noting some events are marked “under a cryptic CUSTOM” label; and that Facebook provides “no information regarding how the data was collected by the advertiser (Facebook SDK, tracking pixel, like button…) and on what device, leaving users in the dark regarding the circumstances under which this data collection took place”.

“Does Facebook really display everything they process/store about those events in the log/export?” queries privacy researcher Wolfie Christl, who tracks the adtech industry’s tracking techniques. “They have to, because otherwise they don’t fulfil their SAR [Subject Access Request] obligations [under EU law].”

Christl notes Facebook makes users jump through an additional “download” hoop in order to view data on tracked events — and even then, as Privacy International points out, it gives up only a limited view of what has actually been tracked…

And it's just ridiculous.

FB doesn't show me the list of visits they recorded from a certain website in their web interface, no! I have to 'download my information', which takes a long time.

And then, I'm sure this is not all data they record when tracking a VIEW_CONTENT event: pic.twitter.com/qBO87Zp5YH

— Wolfie Christl (@WolfieChristl) January 29, 2020

“For example, why doesn’t Facebook list the specific sites/URLs visited? Do they infer data from the domains e.g. categories? If yes, why is this not in the logs?” Christl asks.

We reached out to Facebook with a number of questions, including why it doesn’t provide more detail by default. It responded with this statement attributed to a spokesperson:

We offer a variety of tools to help people access their Facebook information, and we’ve designed these tools to comply with relevant laws, including GDPR. We disagree with this [Privacy International] article’s claims and would welcome the chance to discuss them with Privacy International.

Facebook also said it’s continuing to develop which information it surfaces through the Off-Facebook Activity tool — and said it welcomes feedback on this.

We also asked it about the legal bases it uses to process people’s information that’s been obtained via its tracking pixels and social plug-ins. It did not provide a response to those questions.

Six names, many questions…

When the company launched the Off-Facebook Activity tool a snap poll of available TechCrunch colleagues showed very diverse results for our respective tallies (which also may not show the most recent activity, per other Facebook caveats) — ranging from one colleague who had an eye-watering 1,117 entities (likely down to doing a lot of app testing); to several with several/a few hundred apiece; to a couple in the middle tens.

In my case I had just six. But from my point of view — as an EU citizen with a suite of rights related to privacy and data protection; and as someone who aims to practice good online privacy hygiene, including having a very locked down approach to using Facebook (never using its mobile app for instance) — it was still six too many. I wanted to find out how these entities had circumvented my attempts not to be tracked.

And in the case of the first one in the list who on earth it was…

Turns out cloudfront is an Amazon Web Services Content Delivery Network subdomain. But I had to go searching online myself to figure out that the owner of that particular domain is (now) a company called Nativo.

Facebook’s list provided only very bare bones information. I also clicked to delink the first entity, since it immediately looked so weird, and found that by doing that Facebook wiped all the entries — which meant I was unable to retain access to what little additional info it had provided about the respective data transfers.

Undeterred I set out to contact each of the six companies directly with questions — asking what data of mine they had transferred to Facebook and what legal basis they thought they had for processing my information.

(On a practical level six names looked like a sample size I could at least try to follow up manually — but remember I was the TechCrunch exception; imagine trying to request data from 1,117 companies, or 450 or even 57, which were the lengths of lists of some of my colleagues.)

This process took about a month and a lot of back and forth/chasing up. It likely only yielded as much info as it did because I was asking as a journalist; an average Internet user may have had a tougher time getting attention on their questions — though, under EU law, citizens have a right to request a copy of personal data held on them.

Eventually, I was able to obtain confirmation that tracking pixels and Facebook share buttons had been involved in my data being passed to Facebook in certain instances. Even so I remain in the dark on many things. Such as exactly what personal data Facebook received.

In one case I was told by a listed company that it doesn’t know itself what data was shared — only Facebook knows because it’s implemented the company’s “proprietary code”. (Insert your own ‘WTAF’ there.)

The legal side of these transfers also remains highly opaque. From my point of view I would not intentionally consent to any of this tracking — but in some instances the entities involved claim that (my) consent was (somehow) obtained (or implied).

In other cases they said they are relying on a legal basis in EU law that’s referred to as ‘legitimate interests’. However this requires a balancing test to be carried out to ensure a business use does not have a disproportionate impact on individual rights.

I wasn’t able to ascertain whether such tests had ever been carried out.

Meanwhile, since Facebook is also making use of the tracking information from its pixels and social plug ins (and seemingly more granular use, since some entities claimed they only get aggregate not individual data), Christl suggests it’s unlikely such a balancing test would be easy to pass for that tiny little ‘platform giant’ reason.

Notably he points out Facebook’s Business Tool terms state that it makes use of so called “event data” to “personalize features and content and to improve and secure the Facebook products” — including for “ads and recommendations”; for R&D purposes; and “to maintain the integrity of and to improve the Facebook Company Products”.

In a section of its legal terms covering the use of its pixels and SDKs Facebook also puts the onus on the entities implementing its tracking technologies to gain consent from users prior to doing so in relevant jurisdictions that “require informed consent” for tracking cookies and similar — giving the example of the EU.

“You must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device,” Facebook writes, pointing users of its tools to its Cookie Consent Guide for Sites and Apps for “suggestions on implementing consent mechanisms”.

Christl flags the contradiction between Facebook claiming users of its tracking tech need to gain prior consent vs claims I was given by some of these entities that they don’t because they’re relying on ‘legitimate interests’.

“Using LI as a legal basis is even controversial if you use a data analytics company that reliably processes personal data strictly on behalf of you,” he argues. “I guess, industry lawyers try to argue for a broader applicability of LI, but in the case of FB business tools I don’t believe that the balancing test (a business’s legitimate interests vs. the impact on the rights and freedoms of data subjects) will work in favor of LI.”

Those entities relying on legitimate interests as a legal base for tracking would still need to offer a mechanism where users can object to the processing — and I couldn’t immediately see such a mechanism in the cases in question.

One thing is crystal clear: Facebook itself does not provide a mechanism for users to object to its processing of tracking data nor opt out of targeted ads. That remains a long-standing complaint against its business in the EU which data protection regulators are still investigating.

One more thing: Non-Facebook users continue to have no way of learning what data of theirs is being tracked and transferred to Facebook. Only Facebook users have access to the Off-Facebook Activity tool, for example. Non-users can’t even access a list.

Facebook has defended its practice of tracking non-users around the Internet as necessary for unspecified ‘security purposes’. It’s an inherently disproportionate argument of course. The practice also remains under legal challenge in the EU.

Tracking the trackers

SimpleReach (aka d8rk54i4mohrb.cloudfront.net)

What is it? A California-based analytics platform (now owned by Nativo) used by publishers and content marketers to measure how well their content/native ads perform on social media. The product began life in the early noughties as a simple tool for publishers to recommend similar content at the bottom of articles before the startup pivoted — aiming to become ‘the PageRank of social’ — offering analytics tools for publishers to track engagement around content in real-time across the social web (plugging into platform APIs). It also built statistical models to predict which pieces of content will be the most social and where, generating a proprietary per article score. SimpleReach was acquired by Nativo last year to complement analytics tools the latter already offered for tracking content on the publisher/brand’s own site.

Why did it appear in your Off-Facebook Activity list? Given it’s a b2b product it does not have a visible consumer brand of its own. And, to my knowledge, I have never visited its own website prior to investigating why it appeared in my Off-Facebook Activity list. Clearly, though, I must have visited a site (or sites) that are using its tracking/analytics tools. Of course an Internet user has no obvious way to know this — unless they’re actively using tools to monitor which trackers are tracking them.

In a further quirk, neither the SimpleReach (nor Nativo) brand names appeared in my Off-Facebook Activity list. Rather a domain name was listed — d8rk54i4mohrb.cloudfront.net — which looked at first glance weird/alarming.

I found this is owned by SimpleReach by using a tracker analytics service.

Once I knew the name I was able to connect the entry to Nativo — via news reports of the acquisition — which led me to an entity I could direct questions to.  

What happened when you asked them about this? There was a bit of back and forth and then they sent a detailed response to my questions in which they claim they do not share any data with Facebook — “or perform ‘off site activity’ as described on Facebook’s activity tool”.

They also suggested that their domain had appeared as a result of their tracking code being implemented on a website I had visited which had also implemented Facebook’s own trackers.

“Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page. It is possible that one of our customers added a Facebook pixel to an article you visited using our technology. This could lead Facebook to attribute this pixel to our domain, though our domain was merely a ‘carrier’ of the code,” they told me.

In terms of the data they collect, they said this: “The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months. These values are used to give our customers a general idea of the number of users that visited the articles tracked.”

So, again, they suggested the reason why their domain appeared in my Off-Facebook Activity list is a combination of Nativo/SimpleReach’s tracking technologies being implemented on a site where Facebook’s retargeting pixel is also embedded — which then resulted in data about my online activity being shared with Facebook (which Facebook then attributes as coming from SimpleReach’s domain).

Commenting on this, Christl agreed it sounds as if publishers “somehow attach Facebook pixel events to SimpleReach’s cloudfront domain”.

“SimpleReach probably doesn’t get data from this. But the question is 1) is SimpleReach perhaps actually responsible (if it happens in the context of their domain); 2) The Off-Facebook activity is a mess (if it contains events related to domains whose owners are not web or app publishers).”

Nativo offered to determine whether they hold any personal information associated with the unique identifier they have assigned to my browser if I could send them this ID. However I was unable to locate such an ID (see below).

In terms of legal base to process my information the company told me: “We have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.”

Nativo also suggested that the Offsite Activity in question might have predated its purchase of the SimpleReach technology — which occurred on March 20, 2019 — saying any activity prior to this would mean my query would need to be addressed directly with SimpleReach, Inc. which Nativo did not acquire. (However in this case the activity registered on the list was dated later than that.)

Here’s what they said on all that in full:

Thank you for submitting your data access request.  We understand that you are a resident of the European Union and are submitting this request pursuant to Article 15(1) of the GDPR.  Article 15(1) requires “data controllers” to respond to individuals’ requests for information about the processing of their personal data.  Although Article 15(1) does not apply to Nativo because we are not a data controller with respect to your data, we have provided information below that will help us in determining the appropriate Data Controllers, which you can contact directly.

First, for details about our role in processing personal data in connection with our SimpleReach product, please see the SimpleReach Privacy Policy.  As the policy explains in more detail, we provide marketing analytics services to other businesses – our customers.  To take advantage of our services, our customers install our technology on their websites, which enables us to collect certain information regarding individuals’ visits to our customers’ websites. We analyze the personal information that we obtain only at the direction of our customer, and only on that customer’s behalf.

SimpleReach is an analytics tracker tool (Similar to Google Analytics) implemented by our customers to inform them of the performance of their content published around the web.  “d8rk54i4mohrb.cloudfront.net” is the domain name of the servers that collect these metrics.  We do not share data with Facebook or perform “off site activity” as described on Facebook’s activity tool.  Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page.  It is possible that one of our customers added a Facebook pixel to an article you visited using our technology.  This could lead Facebook to attribute this pixel to our domain, though our domain was merely a “carrier” of the code.

The SimpleReach tool is implemented on articles posted by our customers and partners of our customers.  It is possible you visited a URL that has contained our tracking code.  It is also possible that the Offsite Activity you are referencing is activity by SimpleReach, Inc. before Nativo purchased the SimpleReach technology. Nativo, Inc. purchased certain technology from SimpleReach, Inc. on March 20, 2019, but we did not purchase the SimpleReach, Inc. entity itself, which remains a separate entity unaffiliated with Nativo, Inc. Accordingly, any activity that occurred before March 20, 2019 pre-dates Nativo’s use of the SimpleReach technology and should be addressed directly with SimpleReach, Inc. If, for example, TechCrunch was a publisher partner of SimpleReach, Inc. and had SimpleReach tracking code implemented on TechCrunch articles or across the TechCrunch website prior to March 20, 2019, any resulting data collection would have been conducted by SimpleReach, Inc., not by Nativo, Inc.

As mentioned above, our tracking script collects and sends information to our servers based on the articles it is implemented on. The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months.  These values are used to give our customers a general idea of the number of users that visited the articles tracked.

We do not, nor have we ever, shared ANY information with Facebook with regards to the information we collect from the SimpleReach Analytics tag, be it Personal Data or otherwise. However, as mentioned above, it is possible that one of our customers added a Facebook retargeting pixel to an article you visited using our technology. If that is the case, we would not have received any information collected from such pixel or have knowledge of whether, and to what extent, the customer shared information with Facebook. Without more information, we are unable to determine the specific customer (if any) on behalf of which we may have processed your personal information. However, if you send us the unique identifier we have assigned to your browser… we can determine whether we have any personal information associated with such browser on behalf of a customer controller, and, if we have, we can forward your request on to the controller to respond directly to your request.

As a Data Processor we have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.  This type of agreement is designed to protect Data Subjects and ensure that Data Processors are held to the same standards that both the GDPR and the Data Controller have put forth.  This is the same type of agreement used by all other analytics tracking tools (as well as many other types of tools) such as Google Analytics, Adobe Analytics, Chartbeat, and many others.

I also asked Nativo to confirm whether Insider.com (see below) is a customer of Nativo/SimpleReach.

The company told me it could not disclose this “due to confidentiality restrictions” and would only reveal the identity of customers if “required by applicable law”.

Again, it said that if I provided the “unique identifier” assigned to my browser it would be “happy to pull a list of personal information the SimpleReach/Nativo systems currently have stored for your unique identifier (if any), including the appropriate Data Controllers”. (“If we have any personal data collected from you on behalf of Insider.com, it would come up in the list of DataControllers,” it suggested.)

I checked multiple browsers that I use on multiple devices but was unable to locate an ID attached to a SimpleReach cookie. So I also asked whether this might appear attached to any other cookie.

Their response:

Because our data is either pseudonymized or anonymized, and we do not record any other pieces of Personal Data about you, it will not be possible for us to locate this data without the cookie value.  The SimpleReach user cookie is, and has always been, in the “__srui” cookie under the “.simplereach.com” domain or any of its sub-domains. If you are unable to locate a SimpleReach user cookie by this name on your browser, it may be because you are using a different device or because you have cleared your cookies (in which case we would no longer have the ability to map any personal data we have previously collected from you to your browser or device). We do have other cookies (under the domains postrelease.com, admin.nativo.com, and cloud.nativo.com) but those cookies would not be related to the appearance of SimpleReach in the list of Off Site Activity on your Facebook account, per your original inquiry.
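The cookie check described above, as an added example that is not from the article or from Nativo: a Python script that searches a cookie export for the `__srui` cookie and separates it from the other Nativo domains named in the response. The cookie name and domains come from that response; the Netscape `cookies.txt` export format, the function names and the sample data are assumptions constructed for illustration.

```python
"""Search a Netscape-format cookies.txt export for the SimpleReach user cookie."""
from dataclasses import dataclass

# Cookie name and domains as stated in Nativo's response quoted above.
SRUI_COOKIE = "__srui"
SRUI_DOMAIN = "simplereach.com"
OTHER_NATIVO_DOMAINS = ("postrelease.com", "admin.nativo.com", "cloud.nativo.com")


@dataclass
class Cookie:
    domain: str
    path: str
    expires: int  # Unix time; 0 means a session cookie
    name: str
    value: str


def parse_cookies_txt(text):
    """Parse cookies.txt lines (7 tab-separated fields) into Cookie objects."""
    cookies = []
    for line in text.splitlines():
        # Some exporters prefix HttpOnly cookies with this marker on a normal line.
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess at its meaning
        domain, _subdomains, path, _secure, expires, name, value = fields
        cookies.append(Cookie(
            domain=domain.lstrip(".").lower(),
            path=path,
            expires=int(expires) if expires.isdigit() else 0,
            name=name,
            value=value,
        ))
    return cookies


def domain_matches(cookie_domain, base):
    """True for the base domain or a real sub-domain, not a look-alike suffix."""
    d = cookie_domain.lstrip(".").lower()
    return d == base or d.endswith("." + base)


def audit(text, now):
    """Return live and expired __srui values plus cookies on other Nativo domains."""
    result = {"live_srui": [], "expired_srui": [], "other_nativo": []}
    for c in parse_cookies_txt(text):
        if c.name == SRUI_COOKIE and domain_matches(c.domain, SRUI_DOMAIN):
            live = c.expires == 0 or c.expires > now
            result["live_srui" if live else "expired_srui"].append(c.value)
        elif any(domain_matches(c.domain, d) for d in OTHER_NATIVO_DOMAINS):
            # Per the response, these are not tied to the Off-Facebook Activity entry.
            result["other_nativo"].append((c.domain, c.name))
    return result


# Constructed sample export; every value below is made up for this example.
SAMPLE_ROWS = [
    (".simplereach.com", "TRUE", "/", "FALSE", "1900000000", "__srui", "CONSTRUCTED-ID-0001"),
    ("#HttpOnly_.postrelease.com", "TRUE", "/", "TRUE", "1900000000", "sample_cookie", "abc"),
    (".notsimplereach.com", "TRUE", "/", "FALSE", "1900000000", "__srui", "decoy"),
    ("edge.simplereach.com", "FALSE", "/", "FALSE", "1500000000", "__srui", "CONSTRUCTED-ID-OLD"),
    (".example.org", "TRUE", "/", "FALSE", "0", "session", "xyz"),
]
SAMPLE_EXPORT = "# Netscape HTTP Cookie File\n" + "\n".join("\t".join(r) for r in SAMPLE_ROWS)
SAMPLE_NOW = 1582588800  # constructed "current time": 2020-02-25 00:00:00 UTC

if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, SAMPLE_NOW)
    for key, found in report.items():
        print(f"{key}: {found if found else 'none found'}")
```

An empty `live_srui` list corresponds to the outcome reported here: with no cookie value, there is no identifier to send with the access request.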

What did you learn from their inclusion in the Off-Facebook Activity list? There appeared to be a correlation between this domain and a publisher, Insider.com, which also appeared in my Off-Facebook Activity list — as both logged events bear the same date; plus Insider.com is a publisher so would fall into the right customer category for using Nativo’s tool.

Given those correlations I was able to guess Insider.com is a customer of Nativo (I confirmed this when I spoke to Insider.com) — so Facebook’s tool is able to leak relational inferences related to the tracking industry by surfacing/mapping business connections that might not have been otherwise evident.

Insider.com

What is it? A New York based business media company which owns brands such as Business Insider and Markets Insider.

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a technology article that appeared in my Facebook News Feed or elsewhere but when I was logged into Facebook.

What happened when you asked them about this? After about a week of radio silence an employee in Insider.com’s legal department got in touch to say they could discuss the issue on background.

This person told me the information in the Off-Facebook Activity tool came from the Facebook share button which is embedded on all articles it runs on its media websites. They confirmed that the share button can share data with Facebook regardless of whether the site visitor interacts with the button or not.

In my case I certainly would not have interacted with the Facebook share button. Nonetheless data was passed, simply by merit of loading the article page itself.

Insider.com said the Facebook share button widget is integrated into its sites using a standard set-up that Facebook intends publishers to use. If the share button is clicked information related to that action would be shared with Facebook and would also be received by Insider.com (though, in this scenario, it said it doesn’t get any personalized information — but rather gets aggregate data).

Facebook can also automatically collect other information when a user visits a webpage which incorporates its social plug-ins.

Asked whether Insider.com knows what information Facebook receives via this passive route the company told me it does not — noting the plug-in runs proprietary Facebook code. 

Asked how it’s collecting consent from users for their data to be shared passively with Facebook, Insider.com said its Privacy Policy stipulates users consent to sharing their information with Facebook and other social media sites. It also said it uses the legal ground known as legitimate interests to provide functionality and derive analytics on articles.

In the active case (of a user clicking to share an article) Insider.com said it interprets the user’s action as consent.

Insider.com confirmed it uses SimpleReach/Nativo analytics tools, meaning site visitor data is also being passed to Nativo when a user lands on an article. It said consent for this data-sharing is included within its consent management platform (it uses a CMP made by Forcepoint) which asks site visitors to specify their cookie choices.

Here site visitors can choose for their data not to be shared for analytics purposes (which Insider.com said would prevent data being passed).

I usually apply all cookie consent opt outs, where available, so I’m a little surprised Nativo/SimpleReach was passed my data from an Insider.com webpage. Either I failed to click the opt out one time or failed to respond to the cookie notice and data was passed by default.

It’s also possible I did opt out but data was passed anyway — as there has been research which has found a proportion of cookie notifications ignore choices and pass data anyway (unintentionally or otherwise).

Follow up questions I sent to Insider.com after we talked:

1) Can you confirm whether Insider has performed a legitimate interests assessment?
2) Does Insider have a site mechanism where users can object to the passive data transfer to Facebook from the share buttons?

Insider.com did not respond to my additional questions.

What did you learn from their inclusion in the Off-Facebook Activity list? That Insider.com is a customer of Nativo/SimpleReach.

Rei.com

What is it? A California-based ecommerce website selling outdoor gear.

Why did it appear in your Off-Facebook Activity list? I don’t recall ever visiting their site prior to looking into why it appeared in the list so I’m really not sure.

What happened when you asked them about this? After saying it would investigate it followed up with a statement, rather than detailed responses to my questions, in which it claims it does not hold any personal data associated with — presumably — my TechCrunch email, since it did not ask me what data to check against.

It also appeared to be claiming that it uses Facebook tracking pixels/tags on its website, without explicitly saying as much, writing that: “Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool.”

It claims it has no access to this information — which it says is “pseudonymous to us” but suggested that if I have a Facebook account Facebook could link any browsing on Rei’s site to my Facebook identity and therefore track my activity.

The company also pointed me to a Facebook Help Center post where the company names some of the activities that might have resulted in Rei’s website sending activity data on me to Facebook (which it could then link to my Facebook ID) — although Facebook’s list is not exhaustive (included are: “viewing content”, “searching for an item”, “adding an item to a shopping cart” and “making a donation” among other activities the company tracks by having its code embedded on third parties’ sites).

Here’s Rei’s statement in full:

Thank you for your patience as we looked into your questions.  We have checked our systems and determined that REI does not maintain any personal data associated with you based on the information you provided.  Note, however, that Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool. The information that Facebook collects in this manner is pseudonymous to us — meaning we cannot identify you using the information and we do not maintain the information in a manner that is linked to your name or other identifying information. However, if you have a Facebook account, Facebook may be able to match this activity to your Facebook account via a unique identifier unavailable to REI. (Funnily enough, while researching this I found TechCrunch in MY list of Off-Facebook activity!)

For a complete list of activities that could have resulted in REI sharing pseudonymous information about you with Facebook, this Facebook Help Center article may be useful.  For a detailed description of the ways in which we may collect and share customer information, the purposes for which we may process your data, and rights available to EEA residents, please refer to our Privacy Policy.  For information about how REI uses cookies, please refer to our Cookie Policy.

As a follow up question I asked Rei to tell me which Facebook tools it uses, pointing out that: “Given that, just because you aren’t (as I understand it) directly using my data yourself that does not mean you are not responsible for my data being transferred to Facebook.”

The company did not respond to that point.

I also previously asked Rei.com to confirm whether it has any data sharing arrangements with the publisher of Rock & Ice magazine (see below). And, if so, to confirm the processes involved in data being shared. Again, I got no response to that.

What did you learn from their inclusion in the Off-Facebook Activity list? Given that Rei.com appeared alongside Rock & Ice on the list — both displaying the same date and just one activity apiece — I surmised they have some kind of data-sharing arrangement. They are also both outdoors brands so there would be obvious commercial ‘synergies’ to underpin such an arrangement.

That said, neither would confirm a business relationship to me. But Facebook’s list heavily implies there is some background data-sharing going on.

Rock & Ice magazine 

What is it? A climbing magazine produced by a California-based publisher, Big Stone Publishing

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a link to a climbing-related article in my Facebook feed or else visited Rock & Ice’s website while I was logged into Facebook in the same browser session

What happened when you asked them about this? After ignoring my initial email query I subsequently received a brief response from the publisher after I followed up — which read:

The Rock and Ice website is opt in, where you have to agree to terms of use to access the website. I don’t know what private data you are saying Rock and Ice shared, so I can’t speak to that. The site terms are here. As stated in the terms you can opt out.

Following up, I asked about the provision in the Rock & Ice website’s cookie notice which states: “By continuing to use our site, you agree to our cookies” — asking whether it’s passing data without waiting for the user to signal their consent.

(Relevant: In October Europe’s top court issued a ruling that active consent is necessary for tracking cookies, so you can’t drop cookies prior to a user giving consent for you to do so.)

The publisher responded:

You have to opt in and agree to the terms to use the website. You may opt out of cookies, which is covered in the terms. If you do not want the benefits of these advertising cookies, you may be able to opt-out by visiting: http://www.networkadvertising.org/optout_nonppii.asp.

If you don’t want any cookies, you can find extensions such as Ghostery or the browser itself to stop and refuse cookies. By doing so though some websites might not work properly.

I followed up again to point out that I’m not asking about the options to opt in or opt out but, rather, the behavior of the website if the visitor does not provide a consent response yet continues browsing — asking for confirmation Rock & Ice’s site interprets this state as consent and therefore sends data.

The publisher stopped responding at that point.

Earlier I had asked it to confirm whether its website shares visitor data with Rei.com. (As noted above, the two appeared with the same date on the list which suggests data may be being passed between them.) I did not get a response to that question either.

What did you learn from their inclusion in the Off-Facebook Activity list? That the magazine appears to have a data-sharing arrangement with outdoor retailer Rei.com, given how the pair appeared at the same point in my list. However neither would confirm this when I asked.

MatterHackers

What is it? A California-based retailer focused on 3D printing and digital manufacturing

Why did it appear in your Off-Facebook Activity list? I honestly have no idea. I have never to my knowledge visited their site prior to investigating why they should appear on my Off Site Activity list.

I remain pretty interested to know how/why they managed to track me. I can only surmise I clicked on some technology-related content in my Facebook feed, either intentionally or by accident.

What happened when you asked them about this? They first asked me for confirmation that they were on my list. After I had sent a screenshot, they followed up to say they would investigate. I pushed again after hearing nothing for several weeks. At this point they asked for additional information from the Off-Facebook Activity tool — namely more granular metrics, such as a time and date per event and some label information — to help with tracking down this particular data-exchange.

I had previously provided them with the date (as it appears in the screenshot) but it’s possible to download an additional level of information about data transfers which includes per event time/date-stamps and labels/tags, such as “VIEW_CONTENT”.

However, as noted above, I had previously selected and deleted one item off of my Off-Facebook Activity list, after which Facebook’s platform had immediately erased all entries and associated metrics. There was no obvious way I could recover access to that information.

“Without this information I would speculate that you viewed an article or product on our site — we publish a lot of ‘How To’ content related to 3D printing and other digital manufacturing technologies — this information could have then been captured by Facebook via Adroll for ad retargeting purposes,” a MatterHackers spokesman told me. “Operationally, we have no other data sharing mechanism with Facebook.”

Subsequently, the company confirmed it implements Facebook’s tracking pixel on every page of its website.

Of the pixel Facebook writes that it enables website owners to track “conversions” (i.e. website actions); create custom audiences which segment site visitors by criteria that Facebook can identify and match across its user-base, allowing for the site owner to target ads via Facebook’s platform at non-customers with a similar profile/criteria to existing customers that are browsing its site; and for creating dynamic ads where a template ad gets populated with product content based on tracking data for that particular visitor.

Regarding the legal base for the data sharing, MatterHackers had this to say: “MatterHackers is not an EU entity, nor do we conduct business in the EU and so have not undertaken GDPR compliance measures. CCPA [California’s Consumer Privacy Act] will likely apply to our business as of 2021 and we have begun the process of ensuring that our website will be in compliance with those regulations as of January 1st.”

I pointed out that GDPR is extraterritorial in scope — and can apply to non-EU based entities, such as if they’re monitoring individuals in the EU (as in this case).

Also likely relevant: A ruling last year by Europe’s top court found sites that embed third party plug-ins such as Facebook’s like button are jointly responsible for the initial data processing — and must either obtain informed consent from site visitors prior to data being transferred to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data.

Nonetheless it’s still not clear what legal base the company is relying on for implementing the tracking pixel and passing data on EU Facebook users.

When asked about this MatterHackers COO, Kevin Pope, told me:

While we appreciate the sentiment of GDPR, in this case the EU lacks the legal standing to pursue an enforcement action. I’m sure you can appreciate the potential negative consequences if any arbitrary country (or jurisdiction) were able to enforce legal penalties against any website simply for having visitors from that country. Techcrunch would have been fined to oblivion many times over by China or even Thailand (for covering the King in a negative light). In this way, the attempted overreach of the GDPR’s language sets a dangerous precedent.
To provide a little more detail – MatterHackers, at the time of your visit, wouldn’t have known that you were from the EU until we cross-referenced your session with  Facebook, who does know. At that point you would have been filtered from any advertising by us. MatterHackers makes money when our (U.S.) customers buy 3D printers or materials and then succeed at using them (hence the how-to articles), we don’t make any money selling advertising or data.
Given that Facebook does legally exist in the EU and does have direct revenues from EU advertisers, it’s entirely appropriate that Facebook should comply with EU regulations. As a global solution, I believe more privacy settings options should be available to its users. However, given Facebook’s business model, I wouldn’t expect anything other than continued deflection (note the careful wording on their tool) and avoidance from them on this issue.

What did you learn from their inclusion in the Off-Facebook Activity List? I found out that an ecommerce company I had never heard of had been tracking me

Wallapop

What is it? A Barcelona-based peer-to-peer marketplace app that lets people list secondhand stuff for sale and/or to search for things to buy in their proximity. Users can meet in person to carry out a transaction paying in cash or there can be an option to pay via the platform and have an item posted

Why did it appear in your Off-Facebook Activity list? This was the only digital activity that appeared in the list that was something I could explain — figuring out I must have used a Facebook sign-in option when using the Wallapop app to buy/sell. I wouldn’t normally use Facebook sign-in but for trust-based marketplaces there may be user benefits to leveraging network effects.

What happened when you asked them about this? After my query was booted around a bit a PR company that works with Wallapop responded asking to talk through what information I was trying to ascertain.

After we chatted they sent this response — attributed to sources from Wallapop:

Same as it happens with other apps, wallapop can appear on our users’ Facebook Off Site Activity page if they have interacted in any way with the platform while they were logged in their Facebook accounts. Some interaction examples include logging in via Facebook, visiting our website or having both apps opened and logged.

As other apps do, wallapop only shares activity events with Facebook to optimize users’ ad experience. This includes if a user is registered in wallapop, if they have uploaded an item or if they have started a conversation. Under no circumstance wallapop shares with Facebook our users’ personal data (including sex, name, email address or telephone number).

At wallapop, we are thoroughly committed with the security of our community and we do a safe treatment of the data they choose to share with us, in compliance with EU’s General Data Protection Regulation. Under no circumstance these data are shared with third parties without explicit authorization.

I followed up to ask for further details about these “activity events” — asking whether, for instance, Wallapop shares messaging content with Facebook as well as letting the social network know which items a user is chatting about.

“Under no circumstance the content of our users’ messages is shared with Facebook,” the spokesperson told me. “What is shared is limited to the fact that a conversation has been initiated with another user in relation to a specific item, this is, activity events. Under no circumstance we would share our users’ personal information either.”

Of course the point is Facebook is able to link all app activity with the user ID it already has — so every piece of activity data being shared is personal data.

I also asked what legal base Wallapop relies on to share activity data with Facebook. They said the legal basis is “explicit consent given by users” at the point of signing up to use the app.

“Wallapop collects explicit consent from our users and at any time they can exercise their rights to their data, which include the modification of consent given in the first place,” they said.

“Users give their explicit consent by clicking in the corresponding box when they register in the app, where they also get the chance to opt out and not do it. If later on they want to change the consent they gave in first instance, they also have that option through the app. All the information is clearly available on our Privacy Policy, which is GDPR compliant.”

“At wallapop we take our community’s privacy and security very seriously and we follow recommendations from the Spanish Data Protection Agency,” it added.

What did you learn from their inclusion in the Off-Facebook Activity list? Not much more than I would have already guessed — i.e. that using a Facebook sign-in option in a third party app grants the social media giant a high degree of visibility into your activity within another service.

In this case the Wallapop app registered the most activity events of all six of the listed apps, displaying 13 vs only one apiece for the others — so it gave a bit of a suggestive glimpse into the volume of third party app data that can be passed if you opt to open a Facebook login wormhole into a separate service.


Google’s new T&Cs include a Brexit ‘Easter egg’ for UK users

By Natasha Lomas

Google has buried a major change in legal jurisdiction for its UK users as part of a wider update to its terms and conditions that’s been announced today and which it says is intended to make its conditions of use clearer for all users.

It says the update to its T&Cs is the first major revision since 2012 — with Google saying it wanted to ensure the policy reflects its current products and applicable laws.

Google says it undertook a major review of the terms, similar to the revision of its privacy policy in 2018, when the EU’s General Data Protection Regulation started being applied. But while it claims the new T&Cs are easier for users to understand — rewritten using simpler language and a clearer structure — there are no other changes involved, such as to how it handles people’s data.

“We’ve updated our Terms of Service to make them easier for people around the world to read and understand — with clearer language, improved organization, and greater transparency about changes we make to our services and products. We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said in a statement.

Users of Google products are being asked to review and accept the new terms before March 31 when they are due to take effect.

Reuters reported on the move late yesterday — citing sources familiar with the update who suggested the change of jurisdiction for UK users will weaken legal protections around their data.

However Google disputes there will be any change in privacy standards for UK users as a result of the shift. It told us there will be no change to how it processes UK users’ data; no change to their privacy settings; and no change to the way it treats their information as a result of the move.

We asked the company for further comment on this — including why it chose not to make a UK subsidiary the legal base for UK users — and a spokesperson told us it is making the change as part of its preparations for the UK to leave the European Union (aka Brexit).

“Like many companies, we have to prepare for Brexit,” Google said. “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”

Heather Burns, a tech policy specialist based in Glasgow, Scotland — who runs a website dedicated to tracking UK policy shifts around the Brexit process — also believes Google has essentially been forced to make the move because the UK government has recently signalled its intent to diverge from European Union standards in future, including on data protection.

“What has changed since January 31 has been [UK prime minister] Boris Johnson making a unilateral statement that the UK will go its own way on data protection, in direct contrast to everything the UK’s data protection regulator and government has said since the referendum,” she told us. “These bombastic, off-the-cuff statements play to his anti-EU base but businesses act on them. They have to.”

“Google’s transfer of UK accounts from the EU to the US is an indication that they do not believe the UK will either seek or receive a data protection adequacy agreement at the end of the transition period. They are choosing to deal with that headache now rather than later. We shouldn’t underestimate how strong a statement this is from the tech sector regarding its confidence in the Johnson premiership,” she added.

Asked whether she believes there will be a reduction in protections for UK users in future as a result of the shift Burns suggested that will largely depend on Google.

So — in other words — Brexit means, er, trust Google to look after your data.

“The European data protection framework is based around a set of fundamental user rights and controls over the uses of personal data — the everyday data flows to and from all of our accounts. Those fundamental rights have been transposed into UK domestic law through the Data Protection Act 2018, and they will stay, for now. But with the Johnson premiership clearly ready to jettison the European-derived system of user rights for the US-style anything goes model,” Burns suggested.

“Google saying there is no change to the way we process users’ data, no change to their privacy settings and no change to the way we treat their information can be taken as an indication that they stand willing to continue providing UK users with European-style rights over their data — albeit from a different jurisdiction — regardless of any government intention to erode the domestic legal basis for those rights.”

Reuters’ report also raises concerns about the impact of the Cloud Act agreement between the UK and the US — which is due to come into effect this summer — suggesting it will pose a threat to the safety of UK Google users’ data once it’s moved out of an EU jurisdiction (in this case Ireland) to the US where the Act will apply.

The Cloud Act is intended to make it quicker and easier for law enforcement to obtain data stored in the cloud by companies based in the other legal jurisdiction.

So in future, it might be easier for UK authorities to obtain UK Google users’ data using this legal instrument applied to Google US.

It certainly seems clear that as the UK moves away from EU standards as a result of Brexit it is opening up the possibility of the country replacing long-standing data protection rights for citizens with a regime of supercharged mass surveillance. (The UK government has already legislated to give its intelligence agencies unprecedented powers to snoop on ordinary citizens’ digital comms — so it has a proven appetite for bulk data.)

Again, Google told us the shift of legal base for its UK users will make no difference to how it handles law enforcement requests — a process it talks about here — and further claimed this will be true even when the Cloud Act applies. Which is a weasely way of saying it will do exactly what the law requires.

Google confirmed that GDPR will continue to apply for UK users during the transition period between the old and new terms. After that it said UK data protection law will continue to apply — emphasizing that this is modelled after the GDPR. But of course in the post-Brexit future the UK government might choose to model it after something very different.

Asked to confirm whether it’s committing to maintain current data standards for UK users in perpetuity, the company told us it cannot speculate as to what privacy laws the UK will adopt in the future… 😬

We also asked why it hasn’t chosen to elect a UK subsidiary as the legal base for UK users. To which it gave a nonsensical response — saying this is because the UK is no longer in the EU. Which begs the question when did the UK suddenly become the 51st American State?

Returning to the wider T&Cs revision, Google said it’s making the changes in a response to litigation in the European Union targeted at its terms.

This includes a case in Germany where consumer rights groups successfully sued the tech giant over its use of overly broad terms which the court agreed last year were largely illegal.

In another case a year ago in France a court ordered Google to pay €30,000 for unfair terms — and ordered it to obtain valid consent from users for tracking their location and online activity.

Since at least 2016 the European Commission has also been pressuring tech giants, including Google, to fix consumer rights issues buried in their T&Cs — including unfair terms. A variety of EU laws apply in this area.

In another change being bundled with the new T&Cs Google has added a description about how its business works to the About Google page — where it explains its business model and how it makes money.

Here, among the usual ‘dead cat’ claims about not ‘selling your information’ (tl;dr adtech giants rent attention; they don’t need to sell actual surveillance dossiers), Google writes that it doesn’t use “your emails, documents, photos or confidential information (such as race, religion or sexual orientation) to personalize the ads we show you”.

Though it could be using all that personal stuff to help it build new products it can serve ads alongside.

Even further towards the end of its business model screed it includes the claim that “if you don’t want to see personalized ads of any kind, you can deactivate them at any time”. So, yes, buried somewhere in Google’s labyrinthine settings exists an opt out.

The change in how Google articulates its business model comes in response to growing political and regulatory scrutiny of adtech business models such as Google’s — including on data protection and antitrust grounds.

Google gobbling Fitbit is a major privacy risk, warns EU data protection advisor

By Natasha Lomas

The European Data Protection Board (EDPB) has intervened to raise concerns about Google’s plan to scoop up the health and activity data of millions of Fitbit users — at a time when the company is under intense scrutiny over how extensively it tracks people online and for antitrust concerns.

Google confirmed its plan to acquire Fitbit last November, saying it would pay $7.35 per share for the wearable maker in an all-cash deal that valued Fitbit, and therefore the activity, health, sleep and location data it can hold on its more than 28M active users, at ~$2.1 billion.

Regulators are in the process of considering whether to allow the tech giant to gobble up all this data.

Google, meanwhile, is in the process of dialling up its designs on the health space.

In a statement issued after a plenary meeting this week the body that advises the European Commission on the application of EU data protection law highlights the privacy implications of the planned merger, writing: “There are concerns that the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data.”

Just this month the Irish Data Protection Commission (DPC) opened a formal investigation into Google’s processing of people’s location data — finally acting on GDPR complaints filed by consumer rights groups as early as November 2018 which argue the tech giant uses deceptive tactics to manipulate users in order to keep tracking them for ad-targeting purposes.

We’ve reached out to the Irish DPC — which is the lead privacy regulator for Google in the EU — to ask if it shares the EDPB’s concerns.

The latter’s statement goes on to reiterate the importance for EU regulators to assess what it describes as the “longer-term implications for the protection of economic, data protection and consumer rights whenever a significant merger is proposed”.

It also says it intends to remain “vigilant in this and similar cases in the future”.

The EDPB includes a reminder that Google and Fitbit have obligations under Europe’s General Data Protection Regulation to conduct a “full assessment of the data protection requirements and privacy implications of the merger” — and do so in a transparent way, under the regulation’s principle of accountability.

“The EDPB urges the parties to mitigate the possible risks of the merger to the rights to privacy and data protection before notifying the merger to the European Commission,” it also writes.

We reached out to Google for comment but at the time of writing it had not provided a response nor responded to a question asking what commitments it will be making to Fitbit users regarding the privacy of their data.

Fitbit has previously claimed that users’ “health and wellness data will not be used for Google ads”.

However big tech has a history of subsequently steamrollering founder claims that ‘nothing will change’. (See, for e.g.: Facebook’s WhatsApp U-turn on data-linking.)

“The EDPB will consider the implications that this merger may have for the protection of personal data in the European Economic Area and stands ready to contribute its advice on the proposed merger to the Commission if so requested,” it adds.

We’ve also reached out to the European Commission’s competition unit for a response to the EDPB’s statement.

Lack of big tech GDPR decisions looms large in EU watchdog’s annual report

By Natasha Lomas

The lead European Union privacy regulator for most of big tech has put out its annual report which shows another major bump in complaints filed under the bloc’s updated data protection framework, underlining the ongoing appetite EU citizens have for applying their rights.

But what the report doesn’t show is any firm enforcement of EU data protection rules vis-a-vis big tech.

The report leans heavily on stats to illustrate the volume of work piling up on desks in Dublin. But it’s light on decisions on highly anticipated cross-border cases involving tech giants including Apple, Facebook, Google, LinkedIn and Twitter.

The General Data Protection Regulation (GDPR) began being applied across the EU in May 2018 — so is fast approaching its second birthday. Yet its file of enforcements where tech giants are concerned remains very light — even for companies with a global reputation for ripping away people’s privacy.

This despite Ireland having a large number of open cross-border investigations into the data practices of platform and adtech giants — some of which originated from complaints filed right at the moment GDPR came into force.

In the report the Irish Data Protection Commission (DPC) notes it opened a further six statutory inquiries in relation to “multinational technology companies’ compliance with the GDPR” — bringing the total number of major probes to 21. So its ‘big case’ file continues to stack up. (It’s added at least two more since then, with a probe of Tinder and another into Google’s location tracking opened just this month.)

The report is a lot less keen to trumpet the fact that decisions on cross-border cases to date remain a big fat zero.

Though, just last week, the DPC made a point of publicly raising “concerns” about Facebook’s approach to assessing the data protection impacts of a forthcoming product in light of GDPR requirements to do so — an intervention that resulted in a delay to the regional launch of Facebook’s Dating product.

This discrepancy (cross-border cases: 21 – Irish DPC decisions: 0), plus rising anger from civil rights groups, privacy experts, consumer protection organizations and ordinary EU citizens over the paucity of flagship enforcement around key privacy complaints is clearly piling pressure on the regulator. (Other examples of big tech GDPR enforcement do exist. Well, France’s CNIL is one.)

In its defence the DPC does have a horrifying case load. As illustrated by other stats it’s keen to spotlight — such as saying it received a total of 7,215 complaints in 2019; a 75% increase on the total number (4,113) received in 2018. A full 6,904 of which were dealt with under the GDPR (while 311 complaints were filed under the Data Protection Acts 1988 and 2003).

There were also 6,069 data security breaches notified to it, per the report — representing a 71% increase on the total number (3,542) recorded last year.

While a full 457 cross-border processing complaints were received in Dublin via the GDPR’s One-Stop-Shop mechanism. (This is the device the Commission came up with for the ‘lead regulator’ approach that’s baked into GDPR and which has landed Ireland in the regulatory hot seat. tl;dr other data protection agencies are passing Dublin A LOT of paperwork.)

The DPC necessarily has to do back and forth on cross border cases, as it liaises with other interested regulators. All of which, you can imagine, creates a rich opportunity for lawyered up tech giants to inject extra friction into the oversight process — by asking to review and query everything. [Insert the sound of a can being hoofed down the road]

Meanwhile the agency that’s supposed to regulate most of big tech (and plenty else) — which writes in the annual report that it increased its full time staff from 110 to 140 last year — did not get all the funding it asked for from the Irish government.

So it also has the hard cap of its own budget to reckon with (just €15.3M in 2019) vs — for example — Google’s parent Alphabet’s $46.1BN in full year 2019 revenue. So, er, do the math.

Nonetheless the pressure is firmly now on Ireland for major GDPR enforcements to flow.

One year of major enforcement inaction could be filed under ‘bedding in’; but two years in without any major decisions would not be a good look. (It has previously said the first decisions will come early this year — so seems to be hoping to have something to show for GDPR’s 2nd birthday.)

Some of the high profile complaints crying out for regulatory action include behavioral ads serviced via real-time bidding programmatic advertising (which the UK data watchdog has admitted for half a year is rampantly unlawful); cookie consent banners (which remain a Swiss Cheese of non-compliance); and adtech platforms cynically forcing consent from users by requiring they agree to being microtargeted with ads to access the (‘free’) service. (Thing is GDPR stipulates that consent as a legal basis must be freely given and can’t be bundled with other stuff, so… )

Full disclosure: TechCrunch’s parent company, Verizon Media (née Oath), is also under ongoing investigation by the DPC — which is looking at whether it meets GDPR’s transparency requirements under Articles 12-14 of the regulation.

Seeking to put a positive spin on 2019’s total lack of a big tech privacy reckoning, commissioner Helen Dixon writes in the report: “2020 is going to be an important year. We await the judgment of the CJEU in the SCCs data transfer case; the first draft decisions on big tech investigations will be brought by the DPC through the consultation process with other EU data protection authorities, and academics and the media will continue the outstanding work they are doing in shining a spotlight on poor personal data practices.”

In further remarks to the media Dixon said: “At the Data Protection Commission, we have been busy during 2019 issuing guidance to organisations, resolving individuals’ complaints, progressing larger-scale investigations, reviewing data breaches, exercising our corrective powers, cooperating with our EU and global counterparts and engaging in litigation to ensure a definitive approach to the application of the law in certain areas.

“Much more remains to be done in terms of both guiding on proportionate and correct application of this principles-based law and enforcing the law as appropriate. But a good start is half the battle and the DPC is pleased at the foundations that have been laid in 2019. We are already expanding our team of 140 to meet the demands of 2020 and beyond.”

One notable date this year also falls when GDPR turns two — because a Commission review of how the regulation is functioning is looming in May.

That’s one deadline that may help to concentrate minds on issuing decisions.

Per the DPC report, the largest category of complaints it received last year fell under ‘access request’ issues — whereby data controllers are failing to give up (all) people’s data when asked — which amounted to 29% of the total; followed by disclosure (19%); fair processing (16%); e-marketing complaints (8%); and right to erasure (5%).

On the security front, the vast bulk of notifications received by the DPC related to unauthorised disclosure of data (aka breaches) — with a total across the private and public sector of 5,188 vs just 108 for hacking (though the second largest category was actually lost or stolen paper, with 345).

There were also 161 notifications of phishing; 131 notifications of unauthorized access; 24 notifications of malware; and 17 of ransomware.

Alphabet takes the wind out of its Makani energy kites

By Frederic Lardinois

Google today announced that it is calling it quits on its efforts to build and monetize its Makani wind energy kites. Makani, which was founded in 2006, came into Google/Alphabet seven years ago as a Google X project. Last year, the company spun it out of X and made it a standalone Alphabet unit. Now, Makani’s time at Alphabet as an “Other Bet” is at an end. The company is still hoping to work with Shell, one of its earliest partners, to see how the technology can be used in another way, though.

“After considering many factors, I believe that the road to commercial viability is a much longer and riskier road than we’d hoped and that it no longer makes sense for Makani to be an Alphabet company,” says Astro Teller, captain of Moonshots at X and chairman of the Makani board, in a statement. Teller, it’s worth noting, does not oversee Alphabet’s Other Bets.

“While it’s tempting to say that all climate-related ideas deserve investment, remaining clear-eyed and directing resources to the opportunities where we think we can have the greatest impact isn’t just good business; it’s essential when it comes to a problem as urgent as the climate crisis,” Teller added.

While at X/Alphabet, the team managed to get a 20kW demonstration project off the ground and expanded this to a unit capable of producing up to 600kW. Still, though, Alphabet clearly didn’t see a path forward to turning Makani into a viable (and profitable) project in the long run.

“Creating an entirely new kind of wind energy technology means facing business challenges as well as engineering challenges,” writes Fort Felker, who became the lead for Makani at X in 2015. “Despite strong technical progress, the road to commercialization is longer and riskier than hoped, so from today Makani’s time at Alphabet is coming to an end.”

Back in the day, when it first acquired Makani, Google probably wouldn’t have worried all that much about whether this project made good business sense. Those freewheeling times at Google are behind us, though, and, at this point, there is an expectation that even these forward-looking Other Bets have to become standalone businesses in the long run.

HQ Trivia shuts down after acquisition falls through

By Josh Constine

HQ Trivia is dead. Today the company laid off its full staff of 25 and will cease operation of its trivia, sports and word guessing games, a source close to the company confirmed.

HQ Trivia had a deal in the works to be acquired, but the buyer pulled out yesterday and investors aren’t willing to fund it any longer, CEO and co-founder Rus Yusupov said in a statement obtained by CNN Business’ Kerry Flynn:

“We received an offer from an established business to acquire HQ and continue building our vision, had definitive agreements and legal docs, and a projected closing date of tomorrow, and for reasons we are still investigating, they suddenly changed their position and despite our best efforts, we were unable to reach an agreement,” Yusupov writes. “Unfortunately, our lead investors are no longer willing to fund the company, and so effective today, HQ will cease operations and move to dissolution. All employees and contractors will be terminated as of today.”

With HQ we showed the world the future of TV. We didn’t get to where we hoped but we did stretch the world’s imagination for what’s possible on our smartphones. Thanks to everyone who helped build this and thanks for playing.

— Rus (@rus) February 14, 2020

TechCrunch wrote the first coverage of the 12-question live video trivia game, which launched in October 2017 and was started by two of the former Vine founders. Users could win real money by answering all the questions and not being eliminated in multiple daily games. HQ Trivia had raised more than $15 million, including a Series A led by Founders Fund. At one point it had more than 2.3 million concurrent players.

But eventually the novelty began to wear off. Cheaters came in, splitting the prize money down to just a few dollars or cents per winner. Copycats emerged internationally. Engineering issues led users to get kicked out of the game.

Then tragedy struck. Co-founder Colin Kroll passed away. That exacerbated internal problems at HQ Trivia. Product development was slow, leading users to grow tired of the game. New game types and viral features materialized too late.

A failed internal mutiny saw staffers prepare to petition the board to remove Yusupov from the CEO position. When he caught wind of the plot, organizers of the revolt were fired. Morale sank. By July 2019, downloads were just 8% of their previous year’s, and 20% of the staff was laid off. HQ managed about 15 million all-time installs, peaking at 2 million in February 2018, while last month it had just 67,000, according to Sensor Tower.

The demise of HQ Trivia demonstrates the fickle nature of the gaming industry, and the startup scene as a whole. Momentary traction is no guarantee of future success. Products must continually evolve and adapt to their audience to stay relevant. And executives must forge ahead while communicating clearly with their teams, even amongst uncertainty, or find their companies withered by the rapid passing of time.

Facebook Dating launch blocked in Europe after it fails to show privacy workings

By Natasha Lomas

Facebook has been left red-faced after being forced to call off the launch date of its dating service in Europe because it failed to give its lead EU data regulator enough advance warning — including failing to demonstrate it had performed a legally required assessment of privacy risks.

Late yesterday Ireland’s Independent.ie newspaper reported that the Irish Data Protection Commission (DPC) had sent agents to Facebook’s Dublin office seeking documentation that Facebook had failed to provide — using inspection and document seizure powers set out in Section 130 of the country’s Data Protection Act.

In a statement on its website the DPC said Facebook first contacted it about the rollout of the dating feature in the EU on February 3.

“We were very concerned that this was the first that we’d heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out tomorrow, 13 February,” the regulator writes. “Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland.”

Facebook announced its plan to get into the dating game all the way back in May 2018, trailing its Tinder-encroaching idea to bake a dating feature for non-friends into its social network at its F8 developer conference.

It went on to test launch the product in Colombia a few months later. And since then it’s been gradually adding more countries in South America and Asia. It also launched in the US last fall — soon after it was fined $5BN by the FTC for historical privacy lapses.

At the time of its US launch Facebook said dating would arrive in Europe by early 2020. It just didn’t think to keep its lead EU privacy regulator in the loop — despite the DPC having multiple (ongoing) investigations into other Facebook-owned products at this stage.

Which is either extremely careless or, well, an intentional fuck you to privacy oversight of its data-mining activities. (Among multiple probes being carried out under Europe’s General Data Protection Regulation, the DPC is looking into Facebook’s claimed legal basis for processing people’s data under the Facebook T&Cs, for example.)

The DPC’s statement confirms that its agents visited Facebook’s Dublin office on February 10 to carry out an inspection — in order to “expedite the procurement of the relevant documentation”.

Which is a nice way of the DPC saying Facebook spent a whole week still not sending it the required information.

“Facebook Ireland informed us last night that they have postponed the roll-out of this feature,” the DPC’s statement goes on.

Which is a nice way of saying Facebook fucked up and is being made to put a product rollout it’s been planning for at least half a year on ice.

The DPC’s head of communications, Graham Doyle, confirmed the enforcement action, telling us: “We’re currently reviewing all the documentation that we gathered as part of the inspection on Monday and we have posed further questions to Facebook and are awaiting the reply.”

“Contained in the documentation we gathered on Monday was a DPIA,” he added.

This begs the question why Facebook didn’t send the DPIA to the DPC on February 3 — unless of course this document did not actually exist on that date…

We’ve reached out to Facebook for comment and to ask when it carried out the DPIA.

We’ve also asked the DPC to confirm its next steps. The regulator could ask Facebook to make changes to how the product functions in Europe if it’s not satisfied it complies with EU laws.

Under GDPR there’s a requirement for data controllers to bake privacy by design and default into products which are handling people’s information. And a dating product clearly is.

While a DPIA — which is a process whereby planned processing of personal data is assessed to consider the impact on the rights and freedoms of individuals — is a requirement under the GDPR when, for example, individual profiling is taking place or there’s processing of sensitive data on a large scale.

Again, the launch of a dating product on a platform such as Facebook — which has hundreds of millions of regional users — would be a clear-cut case for such an assessment to be carried out ahead of any launch.

CCPA won’t be enough to fix tech’s data entitlement problem

By Walter Thompson
Fredrick Lee Contributor
Fredrick “Flee” Lee is chief information security officer at Gusto, the people platform for 100,000 small businesses nationwide. He previously led security at Square after holding senior security roles at Bank of America, Twilio and NetSuite.

When the California Consumer Privacy Act (CCPA) rolled out on January 1st, many companies were still scrambling to become compliant with the data privacy regulation, which is estimated to cost businesses $55 billion. But even checking all of the compliance boxes isn’t enough to safeguard consumer data. The past few years of rampant breaches and data misuse have shown how quickly personal details can fall into the wrong hands. They’ve also shown how often simple user error enabled by poor data practices leads to big consequences.

The way to solve this issue isn’t solely through legislation — it’s companies taking a hard look at their behavior and processes. Laws like CCPA and GDPR help set the groundwork for change, but they don’t address the broader issue: businesses feel entitled to people’s data even when it’s not part of their core product offering and have encoded that entitlement into their processes.

Legislated and top-down calls for accountability won’t fix the problem on their own. To protect consumers, companies need to architect internal systems around data custodianship rather than data ownership. Doing so will establish processes that not only hit compliance benchmarks but make responsible data handling the default action.

Privacy compliance over true procedural change is a cop-out

The prevailing philosophy in Silicon Valley is one of data ownership, which impacts how consumers’ personal information is used. The consequences have been widely reported on everything from the revelations surrounding Cambridge Analytica to Uber’s 57-million-user data breach. Tech companies are losing the trust of customers, partners and governments around the world. In fact, Americans’ perception of tech companies has steadily dropped since 2015. More must be done to win it back.

Companies that rely on regulations like CCPA and GDPR to guide their data policies essentially ask someone else to draw the line for them, so they can come as close to it as possible — which leads to a “check-the-box” approach to compliance rather than a core philosophy that prioritizes the privacy expectations of their customers. If tech and security leaders build data policies with privacy in mind, we won’t have to spend valuable resources meeting government regulations.

How to take the entitlement out of data handling

Responsible, secure data handling is achievable for every company. The most important step is for businesses to go beyond the bare minimum when reevaluating their data access processes. What’s been most helpful for the companies I’ve worked with is organizing these practices around a simple idea: You can’t lose what you don’t have.

In practice, this idea is known as the Principle of Least Privilege, whereby companies give employees only the data access they need to do their jobs effectively. Here’s an example that applies to most customer-facing businesses out there: Say I’m a customer service rep and a person calls me about a problem with their account. If I operate according to the Principle of Least Privilege, the following data access rules would apply:

  1. I would only have access to that specific customer’s account information;
  2. I would only have access to the specific part of their account where the problem is happening;
  3. I would only have access until the problem is solved.

Sounds intuitive, right? Yet, many companies — particularly those operating without the Principle of Least Privilege in place — discovered through the GDPR and CCPA compliance process that their data access controls did not work this way. This is how major breaches happen. An employee downloads an entire database — much more data than they need to perform a specific task — their laptop is compromised, and suddenly hackers can access the entire database.

POLP works because it introduces a bit of friction into the data-request process. The goal here is to make the right decision easy and the wrong decision harder, so everyone is intentional about their data use. How a company achieves this will differ based on their business model and growth stage. One option is to have only a single database with an added layer of infrastructure that grants data access through POLP rules.

Alternatively, companies can work these rules into their CRM software. In the example I mentioned, the system would grant data access to a rep only when it recognizes a corresponding customer support case. If an employee tries to access data that is not directly tied to a customer problem, they would encounter an additional login step like two-factor authentication.

There’s no one-size-fits-all approach; rather, data access should operate on a spectrum. For one business, it may mean limiting data access to a single business account and the related set of customer information. At another company, an engineer may need access to multiple customers’ information to fix a product issue. When this happens, the data access should be both time-bound and highly visible, so that other employees can see how the data is used. There may also be times when an employee needs to access data in the aggregate to do their job — for example, to run a report. In this case, the data should always be anonymized.
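The access rules described above (one customer, one part of the account, only while the case is open, with a second factor demanded when no case applies and every access visible afterwards), as an added sketch that is not part of the original article or any vendor's CRM. All names (`SupportCase`, `AccessBroker`, the sample reps and customers) are hypothetical and the data is constructed; letting a completed second factor proceed without a case, logged as such, is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # caller must complete a second factor and retry


@dataclass(frozen=True)
class SupportCase:
    """A customer problem that justifies a narrow, temporary data grant."""
    case_id: str
    rep: str
    customer_id: str
    section: str                       # the part of the account with the problem
    opened_at: datetime
    max_age: timedelta                 # hard cap even if nobody closes the case
    resolved_at: Optional[datetime] = None

    def covers(self, rep: str, customer_id: str, section: str, now: datetime) -> bool:
        # Rules 1 and 2: same rep, same customer, same part of the account.
        if (self.rep, self.customer_id, self.section) != (rep, customer_id, section):
            return False
        # Rule 3: the grant ends when the problem is solved...
        if self.resolved_at is not None and now >= self.resolved_at:
            return False
        # ...and cannot outlive its cap if the case is left open.
        return self.opened_at <= now < self.opened_at + self.max_age


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    rep: str
    customer_id: str
    section: str
    decision: Decision
    basis: str            # which case (or lack of one) the decision rests on


class AccessBroker:
    """Sits in front of the data store and decides each request."""

    def __init__(self, cases: Iterable[SupportCase]):
        self._cases = list(cases)
        self.audit_log: List[AuditEvent] = []   # every decision is recorded

    def request(self, rep: str, customer_id: str, section: str,
                now: datetime, second_factor_ok: bool = False) -> Decision:
        case = next((c for c in self._cases
                     if c.covers(rep, customer_id, section, now)), None)
        if case is not None:
            decision, basis = Decision.ALLOW, f"case:{case.case_id}"
        elif second_factor_ok:
            # Assumption: a verified second factor lets the request through,
            # but the log shows it had no case behind it.
            decision, basis = Decision.ALLOW, "step-up:no-case"
        else:
            decision, basis = Decision.STEP_UP, "no-case"
        self.audit_log.append(
            AuditEvent(now, rep, customer_id, section, decision, basis))
        return decision


def demo() -> Tuple[List[Decision], List[AuditEvent]]:
    # Constructed sample data: one billing case, resolved two hours after opening.
    t0 = datetime(2020, 2, 1, 9, 0, tzinfo=timezone.utc)
    case = SupportCase("C-1001", "rep_ana", "cust_42", "billing",
                       opened_at=t0, max_age=timedelta(hours=8),
                       resolved_at=t0 + timedelta(hours=2))
    broker = AccessBroker([case])
    during = t0 + timedelta(minutes=30)
    decisions = [
        broker.request("rep_ana", "cust_42", "billing", during),   # covered
        broker.request("rep_ana", "cust_42", "payroll", during),   # wrong section
        broker.request("rep_ana", "cust_99", "billing", during),   # wrong customer
        broker.request("rep_ana", "cust_42", "billing",
                       t0 + timedelta(hours=3)),                   # already solved
        broker.request("rep_bob", "cust_42", "billing", during),   # not the case's rep
        broker.request("rep_ana", "cust_99", "billing", during,
                       second_factor_ok=True),                     # step-up done
    ]
    return decisions, broker.audit_log


if __name__ == "__main__":
    for event in demo()[1]:
        print(event.at.isoformat(), event.rep, event.customer_id,
              event.section, event.decision.value, event.basis)
```

Reviewing the audit log for `step-up:no-case` entries is what makes case-less access "highly visible" in the sense the article describes.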

Protecting consumer data is a moral obligation, not just a legal one

The power of privacy-focused data processes and a system like the Principle of Least Privilege is that, by design, they guide employees to use data with the customer’s best interest in mind. The Golden Rule should apply: We each must treat consumer data in the way we’d want our own data used. With the right functional procedures in place, infrastructure can make responsible data access intuitive.

No company is entitled to data; they are entrusted with it. Consumers must be aware of how their data is treated and hold companies accountable. Regulations like CCPA make this easier, but businesses must uphold their end of the bargain.

Trust, not data, is the most valuable currency for businesses today. But current data practices do nothing to earn that trust and we can’t count on regulation alone to change that. Only practices built with privacy and transparency in mind can bring back customer trust and keep personal data protected.

Where top VCs are investing in open source and dev tools (Part 1 of 2)

By Arman Tabatabai

The once-polarizing world of open-source software has recently become one of the hotter destinations for VCs.

As the popularity of open source increases among organizations and developers, startups in the space have reached new heights and monstrous valuations.

Over the past several years, we’ve seen surging open-source companies like Databricks reach unicorn status, as well as VCs who cashed out behind a serious number of exits involving open-source and dev tool companies, deals like IBM’s Red Hat acquisition or Elastic’s late-2018 IPO. Last year, the exit spree continued with transactions like F5 Networks’ acquisition of NGINX and a number of high-profile acquisitions from mainstays like Microsoft and GitHub.

Similarly, venture investment in new startups in the space has continued to swell. More investors are taking shots at finding the next big payout, with annual invested capital in open-source and dev tool startups increasing at a roughly 10% compounded annual growth rate (CAGR) over the last five years, according to data from Crunchbase. Furthermore, attractive returns in the space seem to be adding more fuel to the fire, as open-source and dev tool startups saw more than $2 billion invested in the space in 2019 alone, per Crunchbase data.

As we close out another strong year for innovation and venture investing in the sector, we asked 18 of the top open-source-focused VCs who work at firms spanning early to growth stages to share what’s exciting them most and where they see opportunities. For purposes of length and clarity, responses have been edited and split (in no particular order) into part one and part two of this survey. In part one of our survey, we hear from:

Africa Roundup: Trump’s Nigeria ban, Paga’s acquisition and raises, Flutterwave’s $35M and Sendy’s $20M

By Jake Bright

The first month of the new year saw Africa enter the fray of U.S. politics. The Trump administration announced last week it would halt immigration from Nigeria — Africa’s most populous nation with the continent’s largest economy and leading tech sector.

The presidential proclamation stops short of a full travel ban on the country of 200 million, but it suspends immigrant visas for Nigerians seeking citizenship and permanent resident status in the U.S.

The latest regulations are said not to apply to non-immigrant, temporary visas for tourist, business and medical visits.

The new policy follows Trump’s 2017 travel ban on predominantly Muslim countries. The primary reason for the latest restrictions, according to the Department of Homeland Security, was that the countries did not “meet the Department’s stronger security standards.”

Nigeria’s population is roughly 45 percent Muslim and the country has faced problems with terrorism, largely related to Boko Haram in its northeastern territory.

Restricting immigration to the U.S. from Nigeria, in particular, could impact commercial tech relations between the two countries.

Nigeria is the U.S.’s second largest African trading partner and the U.S. is the largest foreign investor in Nigeria.

Increasingly, the nature of the business relationship between the two countries is shifting to tech. Nigeria is steadily becoming Africa’s capital for VC, startups, rising founders and the entry of Silicon Valley companies.

Recent reporting by VC firm Partech shows Nigeria has become the number one country in Africa for venture investment. Much of that funding comes from American sources. The U.S. is arguably Nigeria’s strongest partner on tech and Nigeria, Silicon Valley’s chosen gateway for entering Africa. Examples include Visa’s 2019 investment in Nigerian fintech companies Flutterwave and Interswitch and Facebook and Google’s expansion in Nigeria.

On the ban’s impact, “U.S. companies will suffer and Nigerian companies will suffer,” Bosun Tijani, CEO of Lagos based incubator CcHub, told TechCrunch.

Nigerian entrepreneur Iyinoluwa Aboyeji, who co-founded two tech companies — Flutterwave and Andela — with operations in the U.S. and Lagos, posted his thoughts on the latest restrictions on social media.

“Just had an interesting dinner convo about this visa ban with Nigerian tech professionals in the U.S. Sad… but silver lining is all the amazing and experienced Nigerian talent in U.S. tech companies who will now head on home,” he tweeted.

Notable market moves in African tech last month included an acquisition, global expansion and a couple big raises.

Nigerian digital payments startup Paga acquired Apposit, a software development company based in Ethiopia, for an undisclosed amount.

The Lagos-based venture also announced it would launch its payment products in Mexico this year and in Ethiopia imminently, CEO Tayo Oviosu told TechCrunch.

The moves come a little over a year after Paga raised a $10 million Series B round and Oviosu announced the company’s intent to expand globally while speaking at Disrupt San Francisco.

Paga will leverage Apposit — which is U.S. incorporated but operates in Addis Ababa — to support that expansion into East Africa and Latin America.

Paga has created a multi-channel network to transfer money, pay bills, and buy goods digitally. The company has 14 million customers in Nigeria who can transfer funds from one of Paga’s 24,411 agents or through the startup’s mobile apps.

With the acquisition, Paga absorbs Apposit’s tech capabilities and team of 63 engineers. The company will direct its boosted capabilities and total workforce of 530 to support its expansion.

On the raise side, San Francisco and Lagos-based fintech startup Flutterwave (previously mentioned) raised a $35 million Series B round and announced a partnership with Worldpay FIS for payments in Africa.

FIS also joined the round, led by US VC firms Greycroft and eVentures, with the participation of Visa and African fund CRE Venture Capital.

The company will use the funding to expand capabilities to provide more solutions around the broader needs of its clients. Uber, Booking.com and Jumia are among the big names that use Flutterwave to process payments.

Last month, Africa’s logistics startup space gained another multi-million-dollar round with global backing. Kenyan company Sendy, an on-demand platform that connects clients to drivers and vehicles for goods delivery, raised a $20 million Series B led by Atlantica Ventures. Toyota Tsusho Corporation, a trade and investment arm of Japanese automotive company Toyota, also joined the round.

Sendy’s raise came within six months of Nigerian trucking logistics startup Kobo360’s $20 million Series A backed by Goldman Sachs. In November, East African on-demand delivery venture Lori Systems hauled in $30 million supported by Chinese investors.

The company plans to use its raise for new developer hires, to improve the tech of its platform, and toward expansion in West Africa in 2020.

Sendy’s $20 million round also includes an R&D arrangement with Toyota Tsusho Corporation to optimize trucks for the West African market, Sendy CEO Mesh Alloys told TechCrunch.

Venture investing in elder tech

By Walter Thompson
Will Robbins Contributor
Will Robbins is an early-stage investor at Contrary.

Senior citizens are not early adopters of new technology; many of our 65+ friends and family might not use much tech in the first place. That said, two-thirds of America’s 50 million seniors use the internet and more than 40% own a smartphone, according to a 2017 Pew study.

So where’s the disconnect? Why are modern software companies largely non-compatible with one of the nation’s largest demographics?

Starting with day-to-day care

The most notorious venture-funded eldertech startups were historically focused on building better healthcare and day-to-day living solutions. Honor built a managed marketplace for in-home care; YC startup GoGoGrandparent is Uber for people who don’t use apps; Umbrella* helps seniors get tasks done around the house.

The concept behind these companies is that daily basics are the root of other problems affecting seniors. If you have any issues with your home or mobility, for example, you end up exposing yourself to scams that frequently plague seniors, as well as health and safety risks. That’s not to mention the financial burden — most retirees have a modest budget or fixed income. Even if a service like TaskRabbit is somehow accessible to a senior, it’s not affordable in the long-term when lifespans and future costs are impossible to predict.

Nigeria is becoming Africa’s unofficial tech capital

By Jake Bright

Africa has one of the world’s fastest growing tech markets and Nigeria is becoming its unofficial capital.

The West African nation is commonly associated with negative cliches around corruption and terrorism — which persist as serious problems, and influenced the Trump administration’s recent restrictions on Nigerian immigration to the U.S.

Even so, there’s more to the country than Boko Haram or fictitious princes with inheritances.

Nigeria has become a magnet for VC, a hotbed for startup formation and a strategic entry point for Silicon Valley. As a frontier market, there is certainly a volatility to the country’s political and economic trajectory. The nation teeters back and forth between its stereotypical basket-case status and getting its act together to become Africa’s unrivaled superpower.

The upside of that pendulum is why — despite its problems — so much American, Chinese and African tech capital is gravitating to Nigeria.

Demographics

“Whatever you think of Africa, you can’t ignore the numbers,” Africa’s richest man Aliko Dangote told me in 2015, noting that demographics are creating an imperative for global businesses to enter the continent.

African fintech firm Flutterwave raises $35M, partners with Worldpay

By Jake Bright

San Francisco and Lagos-based fintech startup Flutterwave has raised a $35 million Series B round and announced a partnership with Worldpay FIS for payments in Africa.

With the funding, Flutterwave will invest in technology and business development to grow market share in existing operating countries, CEO Olugbenga Agboola — aka GB — told TechCrunch.

The company will also expand capabilities to offer more services around its payment products.

More than payments

“We don’t just want to be a payment technology company, we have sector expertise around education, travel, gaming, e-commerce, fintech companies. They all use our expertise,” said GB.

That means Flutterwave will provide more solutions around the broader needs of its clients.

The Nigerian-founded startup’s main business is providing B2B payments services for companies operating in Africa to pay other companies on the continent and abroad.

Launched in 2016, Flutterwave allows clients to tap its APIs and work with Flutterwave developers to customize payments applications. Existing customers include Uber, Booking.com and e-commerce company Jumia.

In 2019, Flutterwave processed 107 million transactions worth $5.4 billion, according to company data.

Flutterwave did the payment integration for U.S. pop-star Cardi B’s 2019 performances in Nigeria and Ghana. Those are two of the countries in which the startup operates, in addition to South Africa, Uganda, Kenya, Tanzania, Zambia, the U.K. and Rwanda.

“We want to scale in all those markets and be the payment processor of choice,” GB said.

The company will hire more business development staff and expand its developer team to create more sector expertise, according to GB.

“Our business goes beyond payments. People don’t want to just make payments, they want to do something,” he said. And Flutterwave aims to offer more capabilities toward what those clients want to do in Africa.

Olugbenga Agboola, aka GB

“If you are a charity that wants to raise money for cancer research in Ghana, or you want to sell online, or you’re Cardi B…who wants to do concerts in Africa…we want to be able to set up payments, write the code and create the platform for those needs,” GB explained.

That also means Flutterwave, which built its early client base across global companies, aims to serve smaller African businesses, including startups. Current customers include African-founded tech companies, such as moto ride-hail venture Max.ng.

Worldpay partnership

The new round makes Flutterwave the payment provider for Worldpay in Africa.

“With this partnership, any Worldpay merchant in Europe or the U.S. can accept any African payment. If someone goes to pay Netflix with an African card, it just works,” GB said.

In 2019, Worldpay was acquired for a reported $35 billion by FIS, a U.S. financial services provider. At the time of the purchase, it was projected the two companies would generate revenues of $12 billion annually, yet neither has a notable presence in Africa.

Therein lies the benefit of collaborating with Flutterwave.

FIS’s Head of Ventures Joon Cho confirmed the partnership with TechCrunch. FIS also backed Flutterwave’s $35 million Series B. US VC firms Greycroft and eVentures led the round, with participation of Visa, Green Visor and African fund CRE Venture Capital.

Flutterwave’s latest funding brings the company’s total investment to $55 million and follows a year in which the fintech venture announced a series of weighty partnerships.

In July 2019, the startup joined forces with Chinese e-commerce company Alibaba’s Alipay to offer digital payments between Africa and China.

The Alipay collaboration followed one between Flutterwave and Visa to launch a consumer payment product for Africa, called GetBarter.

Flutterwave and African fintech

Flutterwave’s $35 million round and latest partnership are among the reasons the startup has become a standout in Africa’s digital-finance landscape.

As a sector, fintech gains the bulk of dealflow and the majority of startup capital flowing to African startups annually. VC to Africa totaled $1.35 billion in 2019, according to WeeTracker’s latest stats.

While a number of payment startups and products have scaled — see Paga in Nigeria and M-Pesa in Kenya — the majority of the continent’s fintech companies are P2P in focus and segregated to one or two markets.

Flutterwave’s platform has served the increased B2B business payment needs spurred by the decade of growth and reform that has occurred in Africa’s core economies.

The value the startup has created is underscored not just by the transactional volume the company generates, but by the partnerships it has attracted.

A growing list of the masters of the payment universe — Visa, Alipay, Worldpay — have shown they need Flutterwave to do finance in Africa.

Cyral announces $11M Series A to help protect data in cloud

By Ron Miller

Cyral, an early-stage startup that helps protect data stored in cloud repositories, announced an $11 million Series A today. The company also revealed a previously undisclosed $4.1 million angel investment, making the total $15.1 million.

The Series A was led by Redpoint Ventures. A.Capital Ventures, Costanoa VC, Firebolt, SV Angel and Trifecta Capital also participated in the round.

Cyral co-founder and CEO Manav Mital says the company’s product acts as a security layer on top of cloud data repositories — whether databases, data lakes, data warehouses or other data repositories — helping identify issues like faulty configurations or anomalous activity.

Mital says that unlike most security data products of this ilk, Cyral doesn’t use an agent or watch points to try to detect signals that indicate something is happening to the data. Instead, he says that Cyral is a security layer attached directly to the data.

“The core innovation of Cyral is to put a layer of visibility attached right to the data endpoint, right to the interface where application services and users talk to the data endpoint, and in real time see the communication,” Mital explained.

As an example, he says that Cyral could detect that someone has suddenly started scanning rows of credit card data, or that someone was trying to connect to a database on an unencrypted connection. In each of these cases, Cyral would detect the problem, and depending on the configuration, send an alert to the customer’s security team to deal with the problem, or automatically shut down access to the database before informing the security team.

It’s still early days for Cyral, with 15 employees and a handful of early access customers. Mital says for this round he’s working on building a product to market that’s well-designed and easy to use.

He says that people get the problem he’s trying to solve. “We could walk into any company and they are all worried about this problem. So for us getting people interested has not been an issue. We just want to make sure we build an amazing product,” he said.

Can a $30 pair of wireless earbuds actually be any good?

By Brian Heater

2019 was the year wireless earbuds went mainstream. The category has been around much longer, of course, and Apple really broke the whole thing open a full three years ago, with the release of the first AirPods, but sales exploded in 2019. The category experienced a 183% YOY increase in shipments last quarter, according to a new study.

The space continues to be driven by Apple, which currently controls 43% of the market (a number that will likely increase with the arrival of the AirPod Pros), but its near future seems destined to be defined by a race to the bottom. With Apple, Samsung, Sony and Google battling it out for the high end of the market, other players are determined to undercut the competition on price.

At $30, JLab’s Go Air True Wireless Earbuds (the first and last time I’m going to type that full name) are positioned right around Xiaomi’s category defining AirDots. The Chinese manufacturer controls around 7% of the market (a notch above Samsung’s more premium offerings), and it seems well positioned to repeat its fitness band marketshare success with such offerings.

So, where does that leave JLab? Well, there’s a lot of market to be had. As more phone manufacturers eschew headphone jacks on even midrange handsets, there’s bound to be a rush on low-price wireless earbuds. The Go Air are, well, nothing if not that. Price is their defining characteristic. And honestly, that’s fine.

Here’s the thing: I’ve been walking around with the AirPods Pro in my ears for a while now. I was less hot on the original AirPods, but these really feel like the category done right. But it’s not fair to any party involved to compare the two. You can buy eight and a third pairs of these for the price of the Pros. Different price points, different markets, different consumers.

And while it’s true that JLab has already gone a ways toward saturating the market with different models, low cost is the defining characteristic. The company claims to be the top manufacturer of sub-$100 wireless earbuds in the U.S. And the Go Airs are the lowest of the low. On paper, it’s certainly a good deal. The earbuds are light, get five hours on a charge (plus 15 from the case) and are sweat resistant.

I’ve only been playing around with them for the day, and I’ve got a smattering of complaints. The sound isn’t what you would deem “good.” In fact, they’re pretty reminiscent of that $10 pair of earbuds you bought at Walgreens in a pinch. The earbuds and the charging case both feel cheap (and I certainly can’t speak to how long they’ll last), while a USB C or even microUSB port has been traded for a half-USB connector dongle.

Also, unlike most models, the earbuds don’t automatically shut off when they leave your ears. Though that might be more feature than bug for some. Mostly, you just have to remember to pause playback on your phone. The headphones can operate independently of one another, so you can keep one bud in at a time.

Honestly, any quibble I have here comes with the giant, red lettered caveat that the things are only $30. If nothing else, it shows how quickly such products have gone from luxury to commodity. It’s kind of crazy, honestly. If you want premium headphones, look elsewhere, obviously. For something serviceable and more than anything, cheap, the Go Airs scratch that itch.

They’ll hit retail in March.

Just how good was 2019 for wireless headphones? Very, very good.

By Brian Heater

Companies sold a lot of wireless headphones in 2019. You already knew that though, right? What you probably didn’t know was precisely how many constitutes the aforementioned “lot.” New numbers from Canalys shed a light on those successes. The research firm’s classification of audio products is a little wonky, but it drives the point home nonetheless.

In their terms, we’re talking specifically about “true wireless stereo” products under the umbrella of “smart personal audio devices” — in other words, wireless headphones. Taken as a whole, the category (which also includes tethered wireless earbuds and over/on ear wireless headphones) hit 96.7 million shipments in Q3, marking a 53 percent year-over-year growth. For the fourth quarter (including the holidays), the number is expected to break 100 million, pushing things to around 350 million for the full year.

The “true wireless stereo” segment (fully wireless earbuds) saw a 183% growth for the quarter, overtaking wireless earphones and wireless headphones in the process. Another not surprising thing: Apple led the pack, far and away. The company controls 43% of the market, per the firm. Xiaomi and Samsung are a distant second and third, at 7% and 6%, respectively. And Apple’s numbers will likely continue to look pretty good with the warm reception of the AirPods Pro.

The market is likely to get even more interesting in 2020 with the arrival of new products from giants like Google and Microsoft, coupled with an increased presence of low cost alternatives. But Apple’s stranglehold, particularly among iOS users, will be a tough one to break.

Google Pixel 4a renders include a headphone jack and hole-punch display

By Brian Heater

It’s the slowest week of the year for gadget news. Christmas is in the rearview, and it’s a few days until the new year. After that, it’s a straight shot to CES and then MWC. Meantime, best we’ve got going for us are a handful of rumors, including a peek at what Google’s next budget handset might could potentially possibly conceivably look like.

Per renders from OnLeaks and 91Mobiles, a vision of the Pixel 4a has appeared — or, a render, rather. The handset will no doubt be an important one for Google. After all, the 3a (pictured at top) helped the company recover from some lackluster sales last year. A couple of pieces jump out at first glance. The display appears to finally buck the company’s longtime notch dependency, in favor of a hole punch camera on the front.

Perhaps even more compelling, the device seems to hold the torch for the headphone jack. In 2020, that could well be a standout feature even among mid-range handsets. As the company eloquently put it around the time of the 3a’s release, “a lot of people have headphones.”

And here comes my last late #Christmas gift in form of your very first and early look at the #Google #Pixel4a!
360° video + gorgeous 5K renders + dimensions, on behalf of my Friends over @91mobiles -> https://t.co/rsvRkjVOln pic.twitter.com/sqG6J5knSR

— Steve H.McFly (@OnLeaks) December 28, 2019

Other notable features on the forthcoming device include the addition of the squircle phone bump on the rear, a design element borrowed from the Pixel 4. Likely the handset will stick to a single camera, instead of adopting the flagship’s truly excellent dual-camera setup. Even so, Google’s been able to accomplish some solid imaging technology with just the one sensor, courtesy of clever ML software.

The display, too, will be slightly larger than its predecessor, bumping up one or two tenths of an inch. The handset is reportedly dropping around May, probably just in time for I/O 2020.

Remembering the startups we lost in 2019

By Brian Heater

All manner of startups fail for all manner of reasons. But there’s one constant: this is an incredibly difficult business. Launching a successful company isn’t just a matter of drive and finding the right people (though both, clearly, are important). Doing well in this business requires the stars to align perfectly on a billion different things.

A cursory look at this year’s batch of companies doesn’t find any story quite as spectacular as last year’s big Theranos flameout, which gave us a best-selling book, documentary, podcast series and upcoming Adam McKay/Jennifer Lawrence film. Some, like MoviePass, however, may have come close.

And for every Theranos, there are dozens of stories of hardworking founders with promising products that simply couldn’t make it to the finish line. There’s also room for debate about what is and isn’t a startup. For our purposes, we’re focusing here on independent startups, not digital initiatives from larger companies — though in at least one case, the startup was acquired by a larger company before shutting down.

So without further ado, here are some of the biggest and most fascinating startups that closed up shop in 2019. 

Anki (2010 – 2019)

Total raised: $182 million

In 2013, a promising young hardware startup showcased a new generation of slot cars onstage at the World Wide Developer Conference keynote. It was quite an honor for a young company. Apple was clearly impressed with how Overdrive pushed the limits of what could be done on the iPhone.

Three years later, Anki released Cozmo. The plucky little robot was the result of large investment, including the hiring of ex-Pixar and Dreamworks animators brought on board to craft a high range of emotions in the robot’s eyes. In late 2018, the company launched the similar but adult-focused Vector robot. By April 2019, Anki had shut its doors, in spite of selling 1.5 million robots and “hundreds of thousands” of Cozmo models.

Chariot (2014 – 2019)

Total raised: $3 million, acquired by Ford in 2017

Chariot was a shuttle startup hoping to reinvent mass transit with a fleet of vans for commuters. The routes, supposedly, were determined based on a “crowdsourced” vote.

After acquiring the service two years ago, Ford shut it down at the beginning of 2019. The company didn’t offer many details, except to say that “in today’s mobility landscape, the wants and needs of customers and cities are changing rapidly.”

Daqri (2010 – 2019)

Total raised: $132 million

Daqri, another high-flying, heavily funded AR headset business, shut its doors around September and completed an asset sale. The company is one of many in the sector that failed to succeed in its efforts to court enterprise customers, as well as in its efforts to compete with Magic Leap, Microsoft and others.

Daqri was, at one point, speaking with a large private equity firm about financing ahead of a potential IPO, but as the technical realities facing other AR companies came to light, the firm backed out and the deal crumbled, according to earlier TechCrunch reporting. Sadly, Daqri wasn’t the only AR business to crumble this year.

HomeShare

Total raised: $4.7 million

HomeShare tried to deal with the challenge of rapidly rising housing costs by matching roommates who shared apartments split into “micro-rooms.” The company said that as of March, it had about 1,000 active residents.

As part of the shutdown, HomeShare said residents would not be getting back the deposits for their partitions — but they would be able to keep the divider or sell it.

Jibo (2012 – 2018/19)

Total raised: $72.7 million

Between Anki and Jibo, you could say it was a tough year for consumer social robots. But then, there’s never been a great year for the category. Not yet, at least. Like the sad death of the original Aibo before it, Jibo’s end was punctuated by the incredibly depressing nature of watching an adorable robot friend draw its final breath. Jibo did just that in April, telling consumers, “I want to say I’ve really enjoyed our time together. Thank you very, very much for having me around.”

Jibo technically died in late-2018, but we’re making an exception due to the dramatic nature of its demise. The end came in spite of a successful crowdfunding campaign and a healthy amount of venture capital raised. In spite of it all, the startup was forced to lay off most of its staff and then, ultimately, send Jibo upstate to live on the robo-farm.

MoviePass (2011 – 2019)

Total raised: $68.7 million, acquired by Helios and Matheson in 2017

Image: Bryce Durbin / TechCrunch

Holy hell. Where to even start with this one? When we were putting this list together, one TechCruncher remarked that he swore MoviePass shut down years ago. That’s because (not unlike some current political events), the ticket subscription service’s magnificent train wreck of a demise appeared to unfold over the course of several years, in excruciating slow motion. We wrote a lot about it. A lot, a lot.

In fact, there seemed to be a new disaster every week, as the company hemorrhaged money, limited its service, experienced outages, borrowed even more money, was forced to enter a kind of zombie state and had a massive data breach. Oh, and then there was the John Gotti movie it financed that was arguably even worse. By the end of it all, MoviePass’ ultimate demise almost felt like an act of mercy.

Munchery (2010 – 2019)

Total raised: $125 million

One of the first startup scandals of 2019 involved a once well-known meal delivery startup, Munchery. After the business emailed its customers notifying them of its imminent shutdown, its vendors came forward with a slew of accusations. Namely, the food delivery startup took advantage of them in its final hours, knowingly allowing them to continue making deliveries it couldn’t pay for.

The company’s sudden demise sparked a debate around accountability. While the CEO and its venture capital investors stayed largely silent, its vendors cried out for an explanation and even protested outside the offices of Sherpa Capital, one of Munchery’s backers, in search of answers and payments.

Nomiku (2012 – 2019)

Total raised: $145,000

One of the most recent additions to this list, Bay Area-based food startup Nomiku called it quits earlier this month. The company helped pioneer the consumer sous vide category, only to see the market flooded by competing devices. Despite multiple successful Kickstarter campaigns totaling $1.3 million, backing from Samsung Ventures and an attempted pivot into meal plans, the startup just couldn’t survive.

“The total climate for food tech is different than it used to be,” CEO Lisa Fetterman told TechCrunch. “There was a time when food tech and hardware were much more hot and viable. I think a company can survive a few hurdles, and a few challenges […] For me, it was the perfect storm of all these things.”

ODG (1999 – 2019)

Total raised: $58 million

A pioneer in the AR glasses space, news emerged of Osterhout Design Group’s (ODG) demise in the first few weeks of January. Only a couple of years ago, the company raised a $58 million financing — less than a year later, it had burned through its funding and couldn’t pay employees. By early 2018, ODG had lost half of its workforce as it sought loans to pay back employees. By early 2019, only a skeleton crew awaited a patent sale after acquisitions from several large tech companies, including Facebook and Magic Leap, fell through.

“I hope Magic Leap is a huge success. I want everyone in AR to be a huge success,” Osterhout said in an interview with TechCrunch in 2017. “[Augmented reality] is going to be transformative.”

Omni (2014 – 2019)

Total raised: $35.3 million

The startup began as a physical storage company, then tried to pivot after selling off its physical storage operations to competitor Clutter in May — it tried, unsuccessfully, to build a white-label software platform that would allow brick-and-mortar merchants to operate their own businesses for renting and selling products.

As part of the shutdown, roughly 10 Omni engineers were hired by Coinbase.

Scaled Inference (2014 – 2019)

Total raised: $17.6 million 

Founded by former Googlers Olcan Sercinoglu and Dmitry Lepikhin, Scaled Inference made headlines in 2014 with a plan to build machine learning and artificial intelligence technology similar to what’s used internally by companies like Google, and making it available as a cloud service that can be used by anyone. The ambitions were grand and attracted investors like Felicis Ventures, Tencent and Khosla Ventures.

Unfortunately, the company was forced to call it quits recently. Former CEO Sercinoglu tells us the shutdown was a result of a lack of funding due to insufficient commercial traction. “We were working on various options until the last minute and retained the team as long as we could, but it did not work out. On the plus side, we were able to be transparent with the team throughout the process,” he said.

Sinemia (2015 – 2019)

Total raised: $1.9 million

It was a rough year for MoviePass-style movie ticket subscription services in general. Sinemia seemed at first to be a more sustainable competitor, but it was plagued by subscriber complaints and even lawsuits around app issues, hidden charges and policies for shuttering accounts.

In April, the company announced that it was ending U.S. operations. To be clear, it did not say that it was shutting down entirely (much of its staff was based in Turkey), but the company’s website has since gone offline. If Sinemia survives in some form, it has disappeared from view.

Unicorn Scooters (2018 – 2019)

Total raised: $150,000

Unicorn Scooters was one of the first fatalities of the electric scooter craze of 2018, though certainly not the last. As the story goes, the business spent way too much money on Facebook and Google ads; the startup quickly shut down with no money left over to issue refunds for more than 300 of its $699 scooters that had been ordered.

The not-so-aptly named Unicorn had completed the Y Combinator startup accelerator only a few months before it called it quits, likely making it one of the fastest YC grads to shutter post-graduation. “Unfortunately, the cost of the ads were just too expensive to build a sustainable business,” Unicorn’s CEO Nick Evans wrote, according to The Verge. “And as the weather continued to get colder throughout the US and more scooters from other companies came on to the market, it became harder and harder to sell Unicorns, leading to a higher cost for ads and fewer customers.”

Vreal (2015 – 2019)

Total raised: $15 million

via @VrealOfficial twitter

Vreal was an ambitious game-streaming platform that aimed to let VR users explore the worlds in which live-streamers were playing. Those users could walk around streamers as avatars, or they could explore on their own as passive observers while listening to the live-streamer blast their way through zombies.

“Unfortunately, the VR market never developed as quickly as we all had hoped, and we were definitely ahead of our time,” the company said in a blog post. “As a result, Vreal is shutting down operations and our wonderful team members are moving on to other opportunities.”

Beats Solo Pro Review: More Than a Fashion Statement

By Parker Hall
With great battery life, sound, and fit, Beats' latest noise-canceling on-ears are among the best headphones you can buy.

15 Delightful Gifts for Music Lovers and Audiophiles

By Parker Hall, Michael Calore
From headphones and speakers to accessories for their vinyl LPs, these gift ideas will appeal to any audio lover.