The first cannabis startup to raise big money in Silicon Valley is in danger of burning out. TechCrunch has learned that pot delivery middleman Eaze has seen unannounced layoffs, and its depleted cash reserves threaten its ability to make payroll or settle its AWS bill. Eaze was forced to raise a bridge round to keep the lights on as it prepares to attempt a major pivot to ‘touching the plant’ by selling its own marijuana brands through its own depots.
If Eaze fails, it could highlight serious growing pains amid the ‘green rush’ of startups into the marijuana business.
Eaze, the startup backed by some $166 million in funding that once positioned itself as the “Uber of pot” — a marketplace selling pot and other cannabis products from dispensaries and delivering it to customers — has recently closed a $15 million bridge round, according to multiple sources. The fund was meant to keep the lights on as Eaze struggles to raise its next round of funding amid problems with making decent margins on its current business model, lawsuits, payment processing issues, and internal disorganization.
An Eaze spokesperson confirmed that the company is low on cash. Sources tell us that the company, which laid off some 30 people last summer, is preparing another round of cuts in the meantime. The spokesperson refused to discuss personnel issues but noted that there have been layoffs at many late stage startups as investors want to see companies cut costs and become more efficient.
From what we understand, Eaze is currently trying to raise a $35 million Series D round according to its pitch deck. The $15 million bridge round came from unnamed current investors. (Previous backers of the company include 500 Startups, DCM Ventures, Slow Ventures, Great Oaks, FJ Labs, the Winklevoss brothers, and a number of others.) Originally, Eaze had tried to raise a $50 million Series D, but the investor that was looking at the deal, Athos Capital, is said to have walked away at the eleventh hour.
Eaze is going into the fundraising with an enterprise value of $388 million, according to company documents reviewed by TechCrunch. It’s not clear what valuation it’s aiming for in the next round.
An Eaze spokesperson declined to discuss fundraising efforts but told TechCrunch, “The company is going through a very important transition right now, moving to becoming a plant-touching company through acquisitions of former retail partners that will hopefully allow us to more efficiently run the business and continue to provide good service to customers.”
The news comes as Eaze is hoping to pull off a “verticalization” pivot, moving beyond online storefront and delivery of third-party products (rolled joints, flower, vaping products and edibles) and into sourcing, branding and dispensing the product directly. Instead of just moving other companies’ marijuana brands between third-party dispensaries and customers, it wants to sell its own in-house brands through its own delivery depots to earn a higher margin. With a number of other cannabis companies struggling, the hope is that it will be able to acquire brands in areas like marijuana flower, pre-rolled joints, vaporizer cartridges, or edibles at low prices.
An Eaze spokesperson confirmed that the company plans to announce the pivot in the coming days, telling TechCrunch that it’s “a pretty significant change from provider of services to operating in that fashion but also operating a depot directly ourselves.”
The startup is already making moves in this direction, and is in the process of acquiring some of the assets of a bankrupt cannabis business out of Canada called Dionymed — which had initially been a partner of Eaze’s, then became a competitor, and then sued it over payment disputes, before finally selling part of its business. These assets are said to include Oakland dispensary Hometown Heart, which it acquired in an all-share transaction (“Eaze effectively bought the lawsuit,” is how one source described the sale). This will become Eaze’s first owned delivery depot.
In a recent presentation deck that Eaze has been using when pitching to investors — which has been obtained by TechCrunch — the company describes itself as the largest direct-to-consumer cannabis retailer in California. It has completed more than 5 million deliveries, served 600,000 customers and tallied up an average transaction value of $85.
To date, Eaze has only expanded to one other state beyond California, Oregon. Its aim is to add five more states this year, and another three in 2021. But the company appears to have expected more states to legalize recreational marijuana sooner, which would have provided geographic expansion. Eaze seems to have overextended itself too early in hopes of capturing market share as soon as it became available.
An employee at the company tells us that on a good day Eaze can bring in between $800,000 and $1 million in net revenue, which sounds great, except that this is total merchandise value, before any cuts to suppliers and others are made. Eaze makes only a fraction of that amount, one reason why it’s now looking to verticalize into more of a primary role in the ecosystem. And that’s before considering all of the costs associated with running the business.
Eaze is suffering from a problem rampant in the marijuana industry: a lack of working capital. Since banks often won’t issue working capital loans to weed-related business, deliverers like Eaze can experience delays in paying back vendors. A source says late payments have pushed some brands to stop selling through Eaze.
Another drain on its finances has been its marketing efforts. A source said out-of-home ads (billboards and the like) allegedly were a significant expense at one point. It has to compete with other pot purchasing options like visiting retail stores in person, using dispensaries’ in-house delivery services, or buying via startups like Meadow that act as aggregated online points of sale for multiple dispensaries.
Indeed, Eaze claims that its pivot into verticalization will bring it $204 million in revenues on gross transactions of $300 million. It notes in the presentation that it makes $9.04 on an average sale of $85, which will go up to $18.31 if it successfully brings in ‘private label’ products and has more depot control.
The poor margins are only one of the problems with Eaze’s current business model, which the company admits in its presentation have led to an inconsistent customer experience and poor customer affinity with its brand — especially in the face of competition from a number of other delivery businesses.
Playing on the on-demand, delivery-of-everything theme, it connected with two customer bases. First, existing cannabis consumers already using some form of delivery service for their supply; and a newer, more mainstream audience with disposable income that had become more interested in cannabis-related products but might feel less comfortable walking into a dispensary, or buying from a black market dealer.
It is not the only startup that has been chasing that audience. Other competitors in the wider market for cannabis discovery, distribution and sales include Weedmaps, Puffy, Blackbird, Chill (a brand from Dionymed that it founded after ending its earlier relationship with Eaze), and Meadow, with the wider industry estimated to be worth some $11.9 billion in 2018 and projected to grow to $63 billion by 2025.
Eaze was founded on the premise that the gradual decriminalisation of pot — first making it legal to buy for medicinal use, and gradually for recreational use — would spread across the US and make the consumption of cannabis-related products much more ubiquitous, presenting a big opportunity for Eaze and other startups like it.
It found a willing audience among consumers, but also tech workers in the Bay Area, a tight market for recruitment.
“I was excited for the opportunity to join the cannabis industry,” one source said. “It has for the most part gotten a bad rap, and I saw Eaze’s mission as a noble thing, and the team seemed like good people.”
That impression was not to last. The company, this employee was told when joining, had plenty of funding with more on the way. The newer funding never materialised, and as Eaze sought to figure out the best way forward, the company cycled through different ideas and leadership: former Yammer executive Keith McCarty, who cofounded the company with Roie Edery (both are now founders at another Cannabis startup, Wayv), left, and the CEO role was given to another ex-Yammer executive, Jim Patterson, who was then replaced by Ro Choy, who is the current CEO.
“I personally lost trust in the ability to execute on some of the vision once I got there,” the ex-employee said. “I thought that on one hand a picture was painted that wasn’t the truth. As we got closer and as I’d been there longer and we had issues with funding, the story around why we were having issues kept changing.” Several sources familiar with its business performance and culture referred to Eaze as a “shitshow”.
The quick shifts in strategy were a recurring pattern that started well before the company got into tight financial straits.
One employee recalled an acquisition Eaze made several years ago of a startup called Push for Pizza. Founded by five young friends in Brooklyn, Push for Pizza had gone viral over a simple concept: you set up your favourite pizza order in the app, and when you want it, you pushed a single button to order it. (Does that sound silly? Don’t forget, this was also the era of Yo, which was either a low point for innovation, or a high point for cynicism when it came to average consumer intelligence… maybe both.)
Eaze’s idea, the employee said, was to take the basics of Push for Pizza and turn it into a weed app, Push for Kush. In it, customers could craft their favourite mix and, at the touch of a button, order it, lowering the procurement barrier even more.
The company was very excited about the deal and the prospect of the new app. They planned a big campaign to spread the word, and held an internal event to excite staff about the new app and business line.
“They had even made a movie of some kind that they showed us, featuring a caricature of Jim” — the CEO at the time — “hanging out of the sunroof of a limo.” (I’ve been able to find the opening segment of this video online, and the Twitter and Instagram accounts that had been created for Push for Kush, but no more than that.)
Then just one week later, the whole plan was scrapped, and the founders of Push for Pizza fired. “It was just brushed under the carpet,” the former employee said. “No one could get anything out of management about what had happened.”
Something had happened, though: the company had been taking payments by card when it made the acquisition, but the process was never stable and by then it had recently gone back to the cash-only model. Push for Kush by cash was less appealing. “They didn’t think it would work,” the person said, adding that this was the normal course of business at the startup. “Big initiatives would just die in favor of pushing out whatever new thing was on the product team’s radar.”
Eaze’s spokesperson confirmed that “we did acquire Push For Pizza . . . but ultimately didn’t choose to pursue [launching Push For Kush].”
Payments were a recurring issue for the startup. Eaze started out taking payments only in cash — but as the business grew, that became increasingly problematic. The company found itself kicked off the credit card networks and was stuck with a less traceable, more open to error (and theft) cash-only model at a time when one employee estimated it was bringing in between $800,000 and $1 million per day in sales.
Eventually, it moved to cards, but not smoothly: Visa specifically did not want Eaze on its platform. Eaze found a workaround, employees say, but it was never above board, which became the subject of the lawsuit between Eaze and Dionymed. Currently the company appears to only take payments via debit cards, ACH transfer, and cash, not credit card.
Another incident sheds light on how the company viewed and handled security issues.
At one point, employees allegedly discovered that Eaze was essentially storing all of its customer data — including users’ signatures and other personal information — in an Azure bucket that was not secured, meaning that if anyone was nosing around, it could be easily discovered and exploited.
The vulnerability was brought to the company’s attention. It was something that was up to product to fix, but the job was pushed down the list. It ultimately took seven months to patch this up. “I just kept seeing things with all these huge holes in them, just not ready for prime time,” one ex-employee said of the state of products. “No one was listening to engineers, and no one seemed to be looking for viable products.” Eaze’s spokesperson confirms a vulnerability was discovered but claims it was promptly resolved.
Today, the issue is a more pressing financial one: the company is running out of money. Employees have been told the company may not make its next payroll, and AWS will shut down its servers in two days if it doesn’t pay up.
Eaze’s spokesperson tried to remain optimistic while admitting the dire situation the company faces. “Eaze is going to continue doing everything we can to support customers and the overall legal cannabis industry. We’re excited about the future and acknowledge the challenges that the entire community is facing.”
As medicinal and recreational marijuana access became legal in some states in the latter 2010s, entrepreneurs and investors flocked to the market. They saw an opportunity to capitalize on the end of a major prohibition — a once in a lifetime event. But high government taxes, enduring black markets, intense competition, and a lack of financial infrastructure willing to deal with any legal haziness have caused major setbacks.
While the pot business might sound chill, operations like Eaze depend on coordinating high-stress logistics with thin margins and little room for error. Plenty of food delivery startups from Sprig to Munchery went under after running into similar struggles, and at least banks and payment processors would work with them. With the odds stacked against it, Eaze has a tough road ahead.
India’s trade minister isn’t impressed with Amazon’s new $1 billion investment in the country.
A day after Amazon chief executive Jeff Bezos announced that his company is pumping an additional $1 billion into its India operations, making the total local investment to date $6.5 billion, the nation’s trade minister Piyush Goyal said Amazon’s investment was not a big favor to the country.
“They may have put in a billion dollars, but then, if they make a loss of a billion dollars every year then they jolly well have to finance that billion dollars,” Goyal said in a conference on Thursday organized by think tank Observer Research Foundation. “So it’s not as if they are doing a great favor to India when they invest a billion dollars.”
The remark from the Indian minister comes days after the nation’s antitrust watchdog announced a probe into Amazon India and Walmart-owned Flipkart’s alleged predatory practices.
Bezos, who is in India this week, has sought to meet with India’s Prime Minister Narendra Modi, but his request has yet to be approved, a person familiar with the matter told TechCrunch.
Goyal reiterated that foreign e-commerce players would have to abide by the local law if they want to continue to operate in the nation. He said the watchdog’s allegations were “an area of concern for every Indian.”
“We allowed every entity to come to India in a marketplace model. A marketplace model is an agnostic model where buyers and sellers are free to trade. If they establish an agreement, then the transaction is between the buyer and seller. The marketplace cannot own the inventory, cannot have control over the inventory, cannot determine prices, and cannot have an algorithm that influences how products from different sellers are listed on the platform,” he added.
“We have several rules for marketplaces in India. As long as one follows them, they are free to operate in India,” he said. Some of the allegations that are being investigated in India surround the alleged violation of these very aforementioned guidelines.
Goyal’s comments may further escalate the tension between Amazon and the Indian government. Last year, U.S. senators criticized New Delhi after it restricted foreign companies from selling inventory from their own subsidiaries. The move forced Amazon and Flipkart to abruptly pull hundreds of thousands of goods from their marketplaces.
In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S. sailors in an attack on a Florida base in December.
It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.
The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.
Presidential candidate Pete Buttigieg has lost his campaign’s chief information security officer, who cited “differences” with the campaign over its security practices.
Mick Baccio, who served under the former South Bend mayor’s campaign for the White House, left his position earlier this month.
The Wall Street Journal first reported the news. TechCrunch also confirmed the resignation of Baccio, who left less than a year after joining the Buttigieg campaign.
“I had fundamental philosophical differences with campaign management regarding the architecture and scope of the information security program,” Baccio told TechCrunch.
“We thank him for the work he did to protect our campaign against attacks,” said Buttigieg spokesperson Chris Meagher. The spokesperson said that the campaign had retained a new security firm, but would not say which company.
Baccio was the only known staffer to oversee cybersecurity out of all the presidential campaigns. News of his departure comes with just months to go before millions of Americans are set to vote in the 2020 presidential campaign.
But concerns have been raised about the overall security posture of the candidates’ campaigns, as well as voting and election infrastructure across the United States, ahead of the vote.
A report from a government watchdog last March said Homeland Security “does not have dedicated staff” focused on election infrastructure. Since then, security researchers found many of the largest voting districts are vulnerable to simple cyberattacks, such as sending malicious emails designed to look like a legitimate message, a type of tactic used by Russian operatives during the 2016 presidential election.
In October, Iran-backed hackers unsuccessfully targeted President Trump’s re-election campaign.
The Pallone-Thune TRACED Act, a bipartisan bit of legislation that should make life harder for the villains behind robocalls, was signed into law today by the president. It’s still possible to get things done in D.C. after all!
We’ve covered the TRACED Act several times previously, as robocalls are, in addition to being horribly annoying, a uniquely annoying high-tech threat. Using clever targeting and spoofing technology, scammers are placing millions of calls that at best irritate and at worst take advantage of the vulnerable.
The new law won’t end that practice overnight, but it does add some useful tools to regulators’ toolboxes. Here’s how I summarized the bill’s provisions earlier this month:
FCC Chairman Ajit Pai was effusive in his praise in a statement:
I applaud Congress for working in a bipartisan manner to combat illegal robocalls and malicious caller ID spoofing. And I thank the President and Congress for the additional tools and flexibility that this law affords us. Specifically, I am glad that the agency now has a longer statute of limitations during which we can pursue scammers and I welcome the removal of a previously-required warning we had to give to unlawful robocallers before imposing tough penalties.
And I thank the American people for never letting us forget how fed up they are with scam, spoofed robocalls. It’s their voices that power our never-ceasing push to fight back against the scourge of robocalls and malicious spoofing.
The FCC is limited in what it can do, and even major fines like this $120 million one have had a negligible effect on the nefarious industry. “Like emptying the ocean with a teaspoon,” said Commissioner Jessica Rosenworcel at the time.
Here’s hoping the TRACED Act amounts to more than a bigger spoon. We’ll find out as regulators and the mobile industry grow into their new capabilities and begin the long process of actually applying them to the problem. It may take months or more to see any real abatement, but at least we’re taking concrete steps.
Huawei reported resilient revenue for 2019 on Tuesday as the embattled Chinese technology group continues to grow despite a prolonged American campaign against its business, but cautioned that growth next year could prove more challenging.
Eric Xu, Huawei’s rotating chairman, wrote in a New Year’s message to employees that the company’s revenue has topped 850 billion Chinese yuan ($122 billion) this year, a new record high for the Chinese group and an 18% increase over the previous year.
Xu said Huawei, the second largest smartphone maker globally, sold 240 million handsets this year, up from 206 million last year.
“These figures are lower than our initial projections, yet business remains solid and we stand strong in the face of adversity,” he wrote.
He acknowledged that Huawei is confronting a “strategic and long-term” campaign against its business by the U.S. government. If the campaign persists for long, it would create an even more “difficult” environment for the 32-year-old firm to “survive and thrive,” he said.
Survival would be the company’s first priority in 2020, he said.
The U.S. added Huawei to the Commerce Department’s trade blacklist this year, and placed new restrictions on its ability to sell to — and maintain commercial relations with — American companies. The U.S. government has also urged its allies to not use Huawei products in building the next generation of their telecom network infrastructure, alleging that the Chinese company poses a threat to national security.
In October, U.S. Commerce Secretary Wilbur Ross said in a conference in New Delhi that he hopes that India, the world’s second largest telecom market, “does not inadvertently subject itself to untoward security risk” by using 5G equipment from Huawei.
But not all U.S. allies have heeded its advice. On Monday, Huawei secured a major victory in India, which approved Huawei’s request to participate in trials of its 5G spectrum.
“We thank the Indian government for their continued faith in Huawei,” Jay Chen, the company’s India CEO said in a statement. “We firmly believe that only technology innovations and high quality networks will be the key to rejuvenating the Indian telecom industry,” he added.
Wikimedia Foundation, the nonprofit group that operates Wikipedia and a number of other projects, has urged the Indian government to rethink the proposed changes to the nation’s intermediary liability rules that would affect swathes of companies and the way more than half a billion people access information online.
The organization has also urged the Indian government to make public the latest proposed changes to the intermediary rules so that all stakeholders have a chance to participate in a “robust and informed debate about how the internet should be governed in India.”
India proposed changes to intermediary rules (PDF) in late December last year and it is expected to approve it in the coming months. Under the proposal, the Indian Ministry of Electronics and IT requires “intermediary” apps — which as per its definition, includes any service with more than 5 million users — to set up a local office and have a senior executive in the nation who can be held responsible for any legal issues.
Amanda Keton, general counsel of Wikimedia Foundation, said on Thursday that India’s proposed changes to the intermediary rules may have a serious impact on Wikipedia’s business — as it operates an open editing model that relies on users to contribute new articles and make changes to existing articles on Wikipedia — as well as those of other organizations.
The rules may also create a “significant financial burden” for nonprofit technology organizations and impede free expression rights for internet users in India, she said. Wikimedia Foundation conveyed its concerns to Ravi Shankar Prasad, the Minister of Electronics and IT in India. The company also published the letter on its blog for the world to see.
India’s latest changes to intermediary rules, which have been drafted to make the internet a safer experience for local residents, also require intermediaries to deploy automated tools “for proactively identifying and removing or disabling public access to unlawful information or content.”
The proposed changes have raised concerns for many. In a joint letter (PDF) earlier this year, Mozilla, Microsoft’s GitHub and Wikimedia had cautioned the Indian government that requiring intermediaries to proactively purge their platforms of unlawful content “would upend the careful balance set out in the existing law which places liability on the bad actors who engage in illegal activities, and only holds companies accountable when they know of such acts.”
The groups also cautioned that drafted measures “would significantly expand surveillance requirements on internet services.” Several trade bodies in India that represent a number of major firms, including Google and Facebook, have also suggested major changes to the proposal.
In the open letter published today, Wikimedia’s Keton reiterated several of those concerns, adding that “neither participants in the consultation nor the public have seen a new draft of these rules since [last year].” She also asked the government to redefine, as it has in another recently proposed set of rules, the way it classifies an entity as an intermediary, as the current version seems to have far-reaching scope.
More than 770 million users from India visited Wikipedia last month, and Wikimedia has run programs to invite people to expand the online encyclopedia in Indic languages.
Keton also urged the government to rethink the requirement to bring “traceability” on online communication, as doing so is a “serious threat to freedom of expression as it could interfere with the ability of Wikipedia contributors to freely participate in the project.” (On the point of traceability, WhatsApp has said complying with such a requirement would compromise encryption for every user.)
Russia has begun testing a national internet system that would function as an alternative to the broader web, according to local news reports. Exactly what stage the country has reached is unclear, but certainly the goal of a resilient — and perhaps more easily controlled — internet is being pursued.
The internet, of course, is made up of a global web of infrastructure that must interface physically, virtually and, increasingly, politically with the countries to which it connects. Some countries, like China, have opted to very carefully regulate that interface, controlling which websites, apps and services can be accessed from the local side of that interface.
Russia has increasingly leaned toward that approach, with President Putin earlier this year signing a law there, Runet, which would build the necessary infrastructure to maintain, essentially, a separate internal internet should such a thing become necessary (or convenient).
Speaking earlier this week to the state-owned news outlet Tass, Putin explained that this was purely a defensive play.
Runet, he said, “is aimed only at preventing adverse consequences of global disconnection from the global network, which is largely controlled from abroad. This is the point, this is what sovereignty is — to have our resources that can be turned on so that we would not be cut from the Internet.”
More recent reports, in Tass and Pravda as relayed by the BBC, indicated that this effort has gone beyond the theoretical to the practical. Tests were done on the vulnerability of the so-called Internet of Things, which must have been disheartening if Russian IoT devices have security practices as poor as U.S. ones. Whether the local net could stand up against “external negative influences,” whatever those are, was also looked into.
It’s no small task, what Russia is attempting here, and while the talk is ostensibly of sovereignty and robust infrastructure, the tensions between the U.S., Russia, China, North Korea and other countries with advanced cyberwarfare capabilities are unmistakably also part of it.
A Russian internet disconnected from the world would probably right now be almost non-functional. Russia, like everyone else, relies on resources located elsewhere in the world constantly, and duplication of many of those resources would be necessary to make it possible for the internet to work anything like normally, should the country decide to retreat into its shell for whatever reason.
A separate DNS system would be necessary, as would physical infrastructure connecting parts of the country directly to the rest, which at present must do so through international connections. And that’s just to create the basic possibility of a working Russian intranet.
It’s hard to object to the idea of a robust “sovereign internet” should such a thing become necessary, but it’s hard not to think of it as preparation for conflict to come rather than simple investment in national infrastructure.
That said, what exactly Runet will grow to be and how it will be used are still a matter of speculation until we receive more specific reports of its capabilities and intended purposes.
The FBI has used these secret demands — known as national security letters — to compel credit giants to turn over non-content information, such as records of purchases and locations, that the agency deems necessary in national security investigations. But these letters have no judicial oversight and are typically filed with a gag order, preventing the recipient from disclosing the demand to anyone else — including the target of the letter.
Only a few tech companies, including Facebook, Google, and Microsoft, have disclosed that they have ever received one or more national security letters. Since the law changed in 2015 in the wake of the Edward Snowden disclosures that revealed the scope of the U.S. government’s surveillance operations, recipients have been allowed to petition the FBI to be cut loose from the gag provisions and publish the letters with redactions.
Since the Snowden revelations, tech companies have embraced transparency reports to inform their users of government demands for their data. But other major data collectors, such as smart home makers, have lagged behind. Some, like credit agencies, have failed to step up altogether.
Three lawmakers — Democratic senators Ron Wyden and Elizabeth Warren, and Republican senator Rand Paul — have sent letters to Equifax, Experian, and TransUnion, expressing their “alarm” as to why the credit giants have failed to disclose the number of government demands for consumer data they receive.
“Because your company holds so much potentially sensitive data on so many Americans and collects this information without obtaining consent from these individuals, you have a responsibility to be transparent about how you handle that data,” the letters said. “Unfortunately, your company has not provided information to policymakers or the public about the type or the number of disclosures that you have made to the FBI.”
Spokespeople for Equifax, Experian, and TransUnion did not respond to a request for comment outside business hours.
It’s not known how many national security letters were issued to the credit agencies since the legal powers were signed into law in 2001. The New York Times said the national security letters to credit agencies were a “small but telling fraction” of the overall half-million FBI-issued demands made to date.
Other banks and financial institutions, as well as universities, cell service and internet providers, were targets of national security letters, the documents revealed.
The senators have given the agencies until December 27 to disclose the number of demands each has received.
India maintained a shutdown of the internet in the states of Assam and Meghalaya on Friday, now into 36 hours, to control protests over a controversial and far-reaching new citizen rule.
The shutdown of the internet in Assam and Meghalaya, home to more than 32 million people, is the latest example of a worrying worldwide trend employed by various governments: preventing people from communicating on the web and accessing information.
And India, the world’s second largest internet market with more than 650 million connected users, continues to exercise this measure more than any other nation.
On Thursday, India’s president Ram Nath Kovind approved the Citizenship Amendment Bill, a day after the country’s Parliament passed it. The law offers a path to Indian citizenship for non-Muslim minorities from three neighboring countries (Afghanistan, Pakistan and Bangladesh) — not for the country’s own Muslim minority.
Shortly after the bill was passed, protests broke out in the streets in the northeastern states of Assam and Meghalaya, where residents have long been concerned about immigration from the aforementioned nations. In Meghalaya, texting services have been suspended, too.
Officials in the state of Assam said, “Social media platforms like Facebook, WhatsApp, Twitter, and YouTube are likely to be used for spreading of rumors and also for transmission of information like pictures, videos and text that have the potential to inflame passions and thus exacerbate the law and order situation.”
There is currently no official word on when internet services will be resumed in the two states.
Cutting people off from a medium that enables them to stay in touch with one another, and access news and information, is becoming a common phenomenon in several nations, though none come close to India.
Access Now, a digital rights group, reported earlier this year that India alone had about 134 of 196 documented shutdowns in 2018. According to Internet Shutdowns, a service operated by New Delhi-based digital advocacy group Software Law and Freedom Centre, there have been about 91 documented cases of internet shutdowns in India this year.
In Jammu and Kashmir, the Indian government shut down the internet for 133 days after stripping the majority Muslim territory of its autonomy in August. The service has only been partially restored.
Sleek, a startup that is making it easier for other startups and companies to incorporate and operate in Singapore and Hong Kong, said today it has extended its seed financing round to raise $5 million.
The extended seed round for the two-year-old startup was led by private investors Pierre Lorinet and Fabio Blom, and MI8, an Asia-focused European-backed private investment company.
Sleek also counts a number of high-profile individuals among its investors, including Martin Crawford, former Group CEO of corporate services giant Vistral; Olivier Gerhardt, founder of Wavecell; Eric Barbier, founder of TransferTo; and Olivier Legrand, MD Asia at LinkedIn.
Sleek, founded by French entrepreneurs Julien Labruyere and Adrien Barthel, today helps more than 2,000 startups and companies in Singapore and Hong Kong, an additional market it extended to in mid-2019. Some of its clients include Yours Cosmetics (funded by Sequoia), Aspire Financials (which raised $30 million recently), Ematic Solutions, Devialet, and oil and gas giant Total.
As we wrote about them in June this year, Sleek not only helps startups and companies incorporate themselves in Singapore (and now, Hong Kong), but also takes care of their accounting, taxes, regulatory compliance and other administrative work.
Singapore and Hong Kong have emerged as epicenters for startups and tech worldwide. “Hong Kong is a historical Asian financial hub, with six times more operating companies than in Singapore and an amazing business ecosystem,” said Barthel, adding that despite the current situation in Hong Kong, the business is growing in the market.
Both Singapore and Hong Kong today offer a range of benefits, including government-backed startup programs to attract businesses, but setting up shop there still requires a lot of paperwork.
The traditional way of dealing with accounting and incorporation is a cumbersome task, and is the last thing founders want to deal with, Barthel explained to TechCrunch in an interview. Plus, there’s no transparency in what the actual cost of doing these tasks would be, he said.
Sleek offers a subscription business, where it charges a fixed amount — about $600 — to its customers each year. Starting in the second year, it waives some of its fee, said Barthel. “We also offer a simple dashboard for our clients to quickly check the progress we have made on any front,” he added.
To make the deal even better, Sleek bundles vouchers for AWS, Stripe and Google Cloud, worth thousands of dollars, with its subscriptions; these are services its customers are likely to use in their businesses anyway. The startup also connects its partner entrepreneurs with financial institutions to help them access working capital.
Barthel said before signing up a client, Sleek does its own due diligence. “Singapore, for instance, has stringent KYC (know your customer) processes. Among other things, we use a number of APIs that are tied with all the major global databases to ensure that our potential clients are not doing notorious business,” he said.
Sleek, which today employs 85 people, will use the fresh capital to expand its tech team, build new features for clients and increase its operational capacity.
Space industry heavyweight Northrop Grumman has signed a customer for the launch of its first OmegA rocket, a medium/heavy-lift launch vehicle that it’s currently readying, with a target of spring 2021 for its first-ever flight.
OmegA will unlock additional payload capacity versus the launch systems that Northrop Grumman has developed and flown previously, with the primary goal of being able to serve the interests of the company’s top customers — defense and national security agencies. OmegA’s development has been funded in part through U.S. government contracts, including a $792 million Launch Services Agreement it signed with the U.S. Air Force to finish the rocket’s design, as well as to furnish and prepare the launch sites from which it’ll take off.
The first customer, however, won’t be the USAF, but will instead be Saturn Satellite Networks. This is a certification flight for the Air Force, in fact, but it’ll also carry two of Saturn’s NationSats satellites to orbit.
Commercial service is definitely part of the plan for what OmegA will seek to provide, on top of the work it’s going to do delivering national security payloads on behalf of the U.S. NationSats are intended to be smaller geostationary orbital satellites (ones that remain in a specific place above the Earth as it rotates) to serve the needs of smaller clients. They can range between around 1,300 lbs and 3,800 lbs, but OmegA can carry more than 17,000 pounds to geostationary transfer orbit, so even with two on board it’s not straining the capacity of the launch system.
One of the largest civil liberties groups in the U.S. is suing two Homeland Security agencies for failing to turn over documents it requested as part of a public records request about a controversial cell phone surveillance technology.
The American Civil Liberties Union filed suit against Customs & Border Protection (CBP) and Immigration & Customs Enforcement (ICE) in federal court on Wednesday after the organization claimed the agencies “failed to produce records” relating to cell site simulators — or “stingrays.”
Stingrays impersonate cell towers to trick cell phones into connecting to them, allowing their operators to collect unique identifiers from the devices and determine their location. The devices are used for surveillance, but also ensnare all other devices in their range. It’s believed newer, more advanced devices can intercept all the phone calls and text messages in range.
A government oversight report in 2016 said both CBP and ICE collectively spent $13 million on buying dozens of stingrays, which the agencies used to “locate people for arrest and prosecution,” the ACLU said.
But little else is known about stingray technology because the cell phone snooping technology is sold exclusively to police departments and federal agencies under strict non-disclosure agreements with the device manufacturer.
The ACLU filed a Freedom of Information Act request in 2017 to learn more about the technology and how it’s used, but both agencies failed to turn over any documents, it said.
The civil liberties organization said there is evidence to suggest that records exist, but has “exhausted all administrative remedies” to obtain the documents. Now it wants the courts to compel the agencies to turn over the records, “not only to shine a light on the government’s use of powerful surveillance technology in the immigration context, but also to assess whether its use of this technology complies with constitutional and legal requirements and is subject to appropriate oversight and control,” the filing said.
The group wants the agencies’ training materials and guidance documents, and records to show where and when stingrays were deployed across the United States.
CBP spokesperson Nathan Peeters said the agency does not comment on pending litigation as a matter of policy. A spokesperson for ICE did not comment.
We’ve talked about securing your startup, the need to understand phishing risks and how not to handle a data breach. But we haven’t yet discussed one of the more damaging threats that all businesses large and small face: the insider threat.
The insider threat is exactly as it sounds — someone within your organization who has malicious intent. Your employees will be one of your biggest assets, but human beings are the weakest link in the security chain. Your staff are already in a privileged position — in the sense that they are in a place where they have access to far more than they would as an outsider. That means taking data, either maliciously or inadvertently, is easier for staff than it might be for a hacker.
“Organizations need to understand that the threats coming from inside their organizations are as critical as, if not more dangerous than, the threats coming from the outside,” said Stephanie Carruthers, a social engineering expert who serves as chief people hacker at IBM X-Force Red, a division of Big Blue that looks for breaches in IoT devices before — and after — they go to market.
Insider risks can become active threats for many reasons. Some individuals may become disgruntled, some want to blow the whistle on wrongdoing and others can be approached (or even manipulated) by career criminals over debts or other matters in their private life.
There are plenty of examples, many not too far back in recent history.
India has proposed groundbreaking new rules that would require companies to garner consent from citizens in the country before collecting and processing their personal data. But at the same time, the new rules also state that companies would have to hand over “non-personal” data of their users to the government, and New Delhi would also hold the power to collect any data of its citizens without consent to serve sovereignty and larger public interest.
The new rules, proposed in “Personal Data Protection Bill 2019,” a copy of which leaked on Tuesday, would permit New Delhi to “exempt any agency of government from application of Act in the interest of sovereignty and integrity of India, the security of the state, friendly relations with foreign states, public order.”
If the bill passes — and it is expected to be discussed in the parliament in the coming weeks — select controversial laws drafted more than a decade ago would remain unchanged.
Another proposed rule would grant New Delhi the power to ask any “data fiduciary or data processor” to hand over “anonymized” “non-personal data” for the purpose of better governance, informing its policies and delivering services to citizens.
New Delhi’s new bill — which was passed by the Union Cabinet last week, but has yet to be formally shared with the public — could create new challenges for Google, Facebook, Twitter, ByteDance’s TikTok and other companies that are already facing some regulatory heat in the nation.
India conceptualized this bill two years ago and in the years since, it has undergone significant changes. An earlier draft of the bill that was formally made public last year had stated that the Indian government must not have the ability to collect or process personal data of its citizens, unless a lawful procedure was followed.
Ambiguity over who the Indian government considers an “intermediary” or a “social media” platform, or a “social media intermediary” is yet to be fully resolved, however. In the latest version, the bill appears to not include payment services, internet service providers, search engines, online encyclopedias, email services and online storage services as “social media intermediaries.”
One of the proposed rules, which is directly aimed at Facebook, Twitter, and any other social media company that enables “interaction between two or more users,” requires them to give their users an option to verify their identity and then publicly have such status displayed on their profile — similar to the blue tick that Facebook and Twitter reserve for celebrities and other accounts of public interest.
Last week news outlet Reuters reported portions of the bill, citing unnamed sources. The report claimed that India was proposing the voluntary identity-verification requirement to curb the spread of false information.
As social media companies grapple with the spread of false information, which has resulted in at least 30 deaths in India, the Narendra Modi-led government, which itself is a big consumer of social media platforms, has sought to take measures to address several issues.
Over the last two years, the Indian government has asked WhatsApp, which has amassed more than 400 million users in India, to “bring traceability” to its platform in a move that would allow the authority to identify the people who are spreading the information.
WhatsApp has insisted that any such move would require breaking encryption, which would compromise the privacy and security of more than a billion people globally.
The bill has not specifically cited the government’s desire to contain false information for this proposal, however. Instead the bill insists that this would bring more “transparency and accountability.”
Some critics have expressed concerns over the proposed rules. Udbhav Tiwari, a public policy advisor at Mozilla, said New Delhi’s bill would “represent new, significant threats to Indians’ privacy. If Indians are to be truly protected, it is urgent that parliament reviews and addresses these dangerous provisions before they become law.”
A purported agent of the Chinese intelligence service is seeking asylum in Australia, bringing with him explosive allegations of widespread interference in political affairs in that country, Taiwan, and elsewhere. He claims also to have run a cyberterrorism campaign against supporters of Hong Kong independence.
Wang “William” Liqiang indicated to Australian news outlet The Age that during a deep cover assignment intended to manipulate the 2020 presidential election in Taiwan, he decided to defect and expose the Chinese networks from abroad.
In addition to The Age, Wang spoke with the Sydney Morning Herald and 60 Minutes; the various outlets appear to be planning a broader release of the contents of his interviews on Monday.
Wang has reportedly explained in detail the inner workings of a Hong Kong-listed company called China Innovation Investment Limited, which the government has allegedly been using as a front to infiltrate various universities, political groups, and media companies.
He claims to have personally been involved in the infamous kidnapping of Lee Bo and other booksellers in Hong Kong whose disappearance prompted widespread protests.
He also says that he helped direct a “cyber army” to dox, attack, and otherwise harass Hong Kong’s independence protestors, and that he was working on establishing one to affect the 2020 election in Taiwan.
Operations in Australia and other countries were implied but not detailed in initial reports of Wang’s defection. He is reportedly currently at an undisclosed location in Sydney pending formal protections from the Australian government.
More information is expected to be revealed on Monday by the outlets Wang spoke to, so stay tuned.
The FCC has finally put the seal of approval on its plan to cut funding going to equipment from companies it deems a “national security threat,” currently an exclusive club of two: Huawei and ZTE.
No money from the FCC’s $8.5 billion Universal Service Fund, used to subsidize purchases to support the rollout of communications infrastructure, will be spent on equipment from these companies.
“We take these actions based on evidence in the record as well as longstanding concerns from the executive and legislative branches,” said FCC Chairman Ajit Pai in a statement. “Both companies have close ties to China’s Communist government and military apparatus. Both companies are subject to Chinese laws broadly obligating them to cooperate with any request from the country’s intelligence services and to keep those requests secret. Both companies have engaged in conduct like intellectual property theft, bribery, and corruption.”
The Chinese companies have faced federal scrutiny for years and vague suspicions of selling compromised hardware that the government there could take advantage of, but it was only at the beginning of 2019 that things began to heat up with the controversial arrest of Huawei CFO Meng Wanzhou. The companies, it hardly needs mentioning, have vehemently denied all allegations.
Increasingly complicated relations between China and the U.S. generally compounded the difficulty of ZTE and Huawei operating in the States, as well as selling to or purchasing from American companies.
The FCC’s new rule was actually proposed well before things escalated, a fact that Commissioner Jessica Rosenworcel, though she supported the measure, emphasized.
“This is not hard,” she wrote in a statement accompanying the new rule. “It should not have taken us eighteen months to reach the conclusion that federal funds should not be used to purchase equipment that undermines national security.”
Working out the details may have been difficult, however, given the generally chaotic state of the federal government right now. For instance, one month this summer it was going to be illegal for U.S. firms to sell their products to Huawei — and then it wasn’t. Just yesterday several Senators wrote to protest the Department of Commerce issuing licenses to firms doing business with Huawei.
Furthermore, it may be a financial burden for smaller carriers to comply with these rules. There’s a plan for that, though, as Chairman Pai explained: “To mitigate the financial impact of this requirement, particularly on small, rural carriers, we propose to establish a reimbursement program to help offset the cost of transitioning to more trusted vendors.”
Another, earlier proposal, to make communications companies actively remove hardware purchased from those companies, was not considered at November’s open FCC meeting. I’ve asked the agency about this and will update if I hear back.
The highest court in Pennsylvania has ruled that the state’s law enforcement cannot force suspects to turn over their passwords that would unlock their devices.
The state’s Supreme Court said compelling a password from a suspect is a violation of the Fifth Amendment, a constitutional protection that protects suspects from self-incrimination.
It’s not a surprising ruling, given other state and federal courts have almost always come to the same conclusion. The Fifth Amendment grants anyone in the U.S. the right to remain silent, which includes the right to not turn over information that could incriminate them in a crime. These days, those protections extend to the passcodes that only a device owner knows.
But the ruling is not expected to affect the ability of police to force suspects to use their biometrics — like their face or fingerprints — to unlock their phone or computer.
Because your passcode is stored in your head and your biometrics are not, prosecutors have long argued that police can compel a suspect into unlocking a device with their biometrics, which they say are not constitutionally protected. The court also did not address biometrics. In a footnote of the ruling, the court said it “need not address” the issue, blaming the U.S. Supreme Court for creating “the dichotomy between physical and mental communication.”
Peter Goldberger, president of the ACLU of Pennsylvania, who presented the arguments before the court, said it was “fundamental” that suspects have the right “to avoid self-incrimination.”
Despite the spate of rulings in recent years, law enforcement have still tried to find their way around compelling passwords from suspects. The now-infamous Apple-FBI case saw the federal agency try to force the tech giant to rewrite its iPhone software in an effort to beat the password on the handset of the terrorist Syed Rizwan Farook, who with his wife killed 14 people in his San Bernardino workplace in 2015. Apple said the FBI’s use of the 200-year-old All Writs Act would be “unduly burdensome” by putting potentially every other iPhone at risk if the rewritten software leaked or was stolen.
The FBI eventually dropped the case without Apple’s help after the agency paid hackers to break into the phone.
Brett Max Kaufman, a senior staff attorney at the ACLU’s Center for Democracy, said the Pennsylvania case ruling sends a message to other courts to follow in its footsteps.
“The court rightly rejects the government’s effort to create a giant, digital-age loophole undermining our time-tested Fifth Amendment right against self-incrimination,” he said. “The government has never been permitted to force a person to assist in their own prosecution, and the courts should not start permitting it to do so now simply because encrypted passwords have replaced the combination lock.”
“We applaud the court’s decision and look forward to more courts to follow in the many pending cases to be decided next,” he added.
In passing a short-term funding bill to avoid a U.S. government shutdown, Congress has also extended the government’s legal powers allowing it to collect millions of Americans’ call records daily.
Buried in a funding bill passed by the House this week was a clause that extended the government’s so-called Section 215 powers, which allow the National Security Agency to compel phone providers to turn over daily logs — known as “metadata” — of their customers’ calls, including their phone numbers, when the call was made and the call’s duration. The program is designed to allow intelligence analysts to sift through vast amounts of data to identify links between suspected terrorists. But the program also collects millions of wholly domestic phone calls between Americans, which courts have ruled unconstitutional.
Although it’s believed all the major phone carriers have been told to feed their call logs to the government, a top secret court order leaked by whistleblower Edward Snowden only confirmed Verizon — which owns TechCrunch — as an unwitting participant in the program.
The Senate approved the funding bill on Thursday after a 74-20 vote. The bill will now go to the president’s desk, averting a midnight government shutdown, but also confirming the Section 215 powers will be extended until March 15.
But although the powers are to be extended, the program itself is said to have been shut down.
After the Snowden disclosures in 2013, Congress moved to rein in the NSA’s call collection powers amid public outcry. In 2015, lawmakers passed the Freedom Act, which allowed the continued collection of call records but ostensibly with greater oversight. Since the Freedom Act passed, the number of records collected has rocketed. But during that time the NSA was forced to come clean and admit that it “overcollected” Americans’ call records on two separate occasions, prompting the agency to delete hundreds of millions of call logs.
The second incident led the NSA to shut down the call records collection program. But the Trump administration has renewed efforts to restart the program by pushing for the legal powers to be reauthorized.
The Electronic Frontier Foundation, which first noted the legal extension, said it was “disappointed” that lawmakers “hid an extension of these authorities in a funding bill, without debate and without consideration of meaningful privacy and civil liberties safeguards to include.”
A source in the Senate said the three-month extension came as a surprise, but that the additional time would allow lawmakers to properly debate reforms to the program without rushing it through before the end of the year.
Uber says the number of legal demands for riders’ data made by U.S. and Canadian authorities has risen sharply in the past year.
The ride-hailing company said the number of law enforcement demands for user data during 2018 is up 27% on the year earlier, according to its annual transparency report published Wednesday. Uber said the rise in demands was partly due to its business growing in size, but also a “rising interest” from governments to access data on its customers.
Uber said it received 3,825 demands for 21,913 user accounts from the U.S. government, with the company turning over some data in 72% of cases, during 2018.
That’s up from 2,940 demands for 17,181 user accounts a year earlier, with a slightly higher compliance rate of 73%.
Canadian authorities submitted 161 demands for data on 593 user accounts during 2018.
Uber said that the rise in demands for customer data presents a challenge for the ride-hailing company, previously valued at $82 billion, which went public in May. “Our responsibility to preserve consumer privacy while meeting regulatory and public safety obligations will become increasingly complex and challenging as we field a growing number of government requests for data every year,” said Uttara Sivaram, global privacy and security public policy manager at Uber.
The company also said it disclosed ride information on 34 million users to U.S. regulators and 1.8 million users to Canadian regulators, such as local taxi and transport authorities. Uber said it is mandated to give over the information to regulators as part of the “bespoke legal and regulatory requirements to which we are subject,” which can include pickup and drop-off locations, fares, and other data that may “identify individual riders,” the company said.
Uber isn’t the only company fielding a record number of demands from governments. Apple, Amazon, Facebook and Twitter have all reported a rise in government demands over the past year as their customer base continues to grow while governments become increasingly hungry for companies’ data.
But Uber’s figures offer insight into only the largest portions of its businesses — its consumer and business ride-hailing services, food delivery and electric scooters — and only cover North America, despite operating in hundreds of cities around the world.
Despite the rise in overall law enforcement requests, Uber said it “has not received a national security request” to date.
Such disclosures are rare but not unheard of. Most national security demands, such as orders issued by the Foreign Intelligence Surveillance Court and FBI-issued subpoenas, are coupled with secrecy rules that prevent the companies from disclosing anything about the demand. By proactively posting these so-called “warrant canary” statements, companies can quietly reveal when they have received such orders by removing the statements from their websites.
Apple famously used a warrant canary in its first transparency report in the wake of the NSA surveillance scandal, as revealed by whistleblower Edward Snowden. In 2016, Reddit quietly removed its warrant canary suggesting it had received a classified order.
Although the First Amendment protects against government-compelled speech, the legality of warrant canaries remains questionable.
An earlier version of this report incorrectly stated Sivaram’s title. This has been corrected.