FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdayYour RSS feeds

Fintech startups raised $34B in 2019

By Manish Singh

Financial services startups raised less money in 2019 than they did in 2018 as VC firms looked to back late stage firms and focused on developing markets, a new report has revealed.

According to research firm CB Insights’ annual report published this week, fintech startups across the world raised $33.9 billion* in total last year across 1,912 deals*, down from $40.8 billion they picked up by participating in 2,049 deals the year before.

It’s a comprehensive report, which we recommend you read in full here (your email is required to access it), but below are some of the key takeaways.

  • Early stage startups struggled to attract money: Per the report, financing for startups looking to close Seed or Series A dropped to a five-year low in 2019. On the flip side, money pouring into Series B or beyond startups was at record five-year high.

    Early-stage deals dropped to a 12-quarter low as deal share globally shifts to mid- and late-stages (CB Insights)

  • Emerging and frontier markets were at the centre stage of the most of the action: South America, Africa, Australia, and Southeast Asia all topped their annual highs last year.
  • Asia outpaced Europe in the second half of last year on both number of deals and bulk of capital raised. In Q3, European startups raised $1.6 billion through 95 deals, compared to $1.8 billion amassed by Asian startups across 157 deals. In Q4, a similar story was at play: European startups participated in 100 rounds to raise $1.2 billion, compared to $2.14 billion* raised by Asian startups across 125 deals*.
  • Emergence of 24 new fintech unicorns in 2019: 8 fintech startups including Next Insurance, Bight Health, Flywire, High Radius, Ripple, and Figure attained the unicorn status in Q4 2019, and 16 others made it to the list throughout the rest of the last year.

    The fintech market globally today has 67 unicorns as of earlier this month (CB Insights)

  • Insurtech sector, or startups such as Lemonade, Hippo, Next, Wefox, Bright Health that are offering insurance services, got a major boost last year. They raised 6.2 billion last year, up from $3.2 billion in 2018.
  • Startups building solutions such as invoicing and taxing services and payroll and payments solutions for small and medium businesses also received the nod of VCs. In the U.S. alone, where more than 140 startups are operating in the space, raised $4 billion. In many more markets, such startups are beginning to emerge. In India, for instance Open and NiYo are building neo-banks for small businesses and they both raised money last year.
  • Nearly 50% of all funding to fintech startups was concentrated in 83-mega rounds (those of size $100 million or above.): According to the research firm, 2019 was a record year for such rounds across the globe, except in Europe.

    2019 saw 83 mega-rounds totaling $17.2B, a record year in every market except Europe

  • Funding of Germany-based startups reached an annual high: 65 deals in 2019 resulted in $1.79 billion raise, compared to 56 deals and raise of $757 million in 2018, and 66 deals and $622 million raise in 2017.
  • Financial startups in Southeast Asia (SEA) raised $993 million across 124 rounds in 2019 in what was their best year.

*CB Insights report includes a $666 million financing round of Paytm . It was incorrectly reported by some news outlets and the $666 million raise was part of the $1 billion round the Indian startup had revealed weeks prior. We have adjusted the data accordingly.

Scaleway overhauls its dedicated servers

By Romain Dillet

French cloud-hosting company Scaleway is updating its lineup of dedicated servers and giving it a new name. Dedicated servers might not be the hot new thing, but many customers still rely on dedicated servers for predictable performances and pricing.

Scaleway originally started as Online.net as the hosting and data center division of Iliad. Its original dedicated servers were an instant hit back in 2005. You could rent your own server for €30 per month, with 1GB of RAM, unlimited 100Mbps bandwidth and 160GB of storage.

This sounds ridiculously underpowered today, but Dedibox has remained a well-known name when it comes to dedicated servers. More recently, Online .net launched a public cloud offering under the Scaleway brand with cloud instances, object storage, block storage, managed databases, etc.

Scaleway has become the main brand of the company, as cloud hosting probably has a brighter future than dedicated servers. Its dedicated server lineup is now called Scaleway Dedibox. This isn’t just a name change, as Scaleway wants to integrate its dedicated servers with its public cloud offering. You could use a dedicated server combined with a load balancer and cloud instances when you get a lot of traffic. Or you could use Scaleway’s managed database service combined with a dedicated server.

There are more than a hundred different configurations with dedicated servers starting at €8.99 per month, with 4GB of RAM, 1TB of storage and a 1GHz Intel CPU. But you can also rent a server with 384GB of RAM and 4TB of NVMe storage with an Intel Xeon Gold CPU for €439.99 per month.

Overall, Scaleway is running 100,000 servers, with customers in 150 different countries. Scaleway also offers bare metal cloud instances as an alternative to dedicated servers.

How to identify and remove KidsGuard ‘stalkerware’ from your phone

By Zack Whittaker

We reported today on KidsGuard, a powerful mobile spyware. Not only is the app secretly installed on thousands of Android phones without the owners’ consent, it also left a server open and unprotected, exposing the data it siphoned off from victims’ infected devices to the internet.

This consumer-grade spyware also goes by “stalkerware.” It’s often used by parents to monitor their kids, but all too frequently it’s repurposed for spying on a spouse without their knowledge or consent. These spying apps are banned from Apple and Google’s app stores, but those bans have done little to curb the spread of these privacy invading apps, which can read a victim’s messages, listen to their phone calls, track their real-time locations, and steal their contacts, photos, videos, and anything else on their phones.

Stalkerware has become so reviled by privacy experts, security researchers, and lawmakers that antivirus makers have promised to do more to better detect the spyware.

TechCrunch obtained a copy of the KidsGuard app. Using a burner Android phone with the microphones and cameras sealed, we tested the spyware’s capabilities. We also uploaded the app to online malware scanning service VirusTotal, which runs uploaded files against dozens of different antivirus makers. Only eight antivirus engines flagged the sample as malicious — including Kaspersky, a member of the Coalition Against Stalkerware, and F-Secure.

Yoong Jien Chiam, a researcher at F-Secure’s Tactical Defense unit, analyzed the app and found it can obtain “GPS locations, account name, on-screen screenshots, keystrokes, and is also accessing photos, videos, and browser history.”

KidsGuard’s developer, ClevGuard, does not make it easy to uninstall the spyware. But this brief guide will help you to identify if the spyware is on your device and how to remove it.

Before you continue, some versions of Android may have slightly different menu options, and you take these following steps at your own risk. This only removes the spyware, and does not delete any data that was uploaded to the cloud.

How to identify the spyware

If you have an Android device, go to SettingsApps, then scroll down and see if “System Update Service” is listed. This is what ClevGuard calls the app to disguise it from the user. If you see it, it is likely that you are infected with the spyware.

First, remove the spyware as a “device administrator”

Go to Settings > Security, then Device administrators then untick the “System Update Service” box, then hit Deactivate.

Then remove the app’s “usage access”

Now, go back to Settings > Security then scroll to Apps with usage access. Once here, tap on “System Update Service” then switch off the permit usage toggle.

Also remove the spyware’s “notification access”

Once that is done, go back to Settings > Sound & notification then go to Notification access. Now switch off the toggle for “System Update Service.”

Now you can uninstall the spyware from your device

Following those steps, you have effectively disabled the spyware. Now you are able to uninstall it. Go to Settings > Apps and scroll down to “System Update Service.” You should be able to hit Uninstall, but you may need to hit Force Stop first. Tap OK to uninstall the app. This may take a few minutes.

Secure your device again

Now that you’ve ridden your device of the spyware, you’ll need to enable a couple of settings that were switched off when your device was first infected. Firstly, go back to Settings > Security then switch off the toggle for Unknown sources. Secondly, go to the Play Store > Play Protect. If you have the option, select Turn on. Once it’s on, you should check to ensure that it “Looks good.”

As Morgan Stanley buys E-Trade, Robinhood preps social trading

By Josh Constine

Before it was worth $7.6 billion, the original idea for Robinhood was a stock trading social network. At my kitchen table in San Francisco in 2013, the founders envisioned an app for sharing hot tips to a feed complete with a leaderboard of whose predictions were most accurate. Once they had SEC approval, they pivoted towards the real money maker: letting people buy and sell stocks in the app, and pay to borrow cash to do so.

Now seven years later, Robinhood is subtly taking the first steps back to its start. Today it’s launching Profiles. For now, they let users see analytics about their portfolio like how concentrated they are in stocks vs options vs cryptocurrency, as well across different business sectors. Complete with usernames and a photo, Profiles let you follow self-made or Robinhood provided lists of stocks and other assets.

Profiles could give Robinhood’s customers the confidence to trade more, and create a sense of lock-in that stop them from straying to other brokerages that have dropped their per trade fees to zero to match the startup, like Charles Schwab, Ameritrade, and ETrade that was acquired for $13 billion today by Morgan Stanley, as reported by the Wall Street Journal.

The Profile features certainly sound helpful. They could reveal that your portfiolio is to centered around Tech, Media, and Telecom stocks, or that you’re ignoring cryptocurrency or corporations from your home state. Lists also makes it easier to track specific business verticals, save stocks to buy when you have the cash, or set aside some for deeper research. Robinhood pulls info from FactSet, Morningstar, and other trusted sources to figure out which stocks and ETFs go into sector lists, or you can make and name your own. Profiles and lists begin to roll out to all users next week.

But what’s most interesting is how profiles lay the foundation for Robinhood as a social network. It’s easy to imagine letting users follow other accounts or lists they create. The original Robinhood app let users make predictions like “17% increase in Facebook share price over the next 11 weeks” with comments to explain why. It showed users prediction accuracy, their average holding time for assets, a point score for smart foresight, community BUY or SELL ratings on stocks.

If Robinhood rebuilt some of these features, it might lessen the need for an expensive financial advisor or having enough cash to qualify for one with a different brokerage. Robinhood could let you crowdsource advice. “We understand the connotation of taking something from the rich and giving it to the poor. Robinhood is liberating information that’s locked up with professionals and giving it to the people” Robinhood co-founder and co-CEO Vlad Tenev told me back in 2013.

Robinhood would certainly need to be careful about scammy tips going viral. Improper safeguards could lead to pump and dump schemes where those late to buy in get screwed when prices snap back to reality.

But embracing social could leverage some of its strongest assets: the youthfulness of its userbase and the depth of connection to its users. The median age of a Robinhood customer is 30 and half say they’re first time investors. Being able to turn to friends or experts within the app might convince them to pull the trigger on trades.

Most online brokerages are somewhat undifferentiated beyond differences in pricing while their clunky, unstylized products don’t generate the same brand affinity as people have for Robinhood. Unsatisfied users could bail for a competitor at any time. Robinhood’s users are accustomed to social networking and the way it locks in users since they don’t want to abandon their community.

When I asked Robinhood Profiles’ product manager Shanthi Shanmugam directly about whether this was the start of more social trading features, they suspiciously dodged the question, telling me “When thinking about how to reflect who you are as an investor, we looked at how other apps represent you and it felt natural to leverage a design that felt more like a profile. When helping people group their investment ideas, it was easy to envision this as a playlist you might find on your favorite music app.”

That’s far from a denial. Offering social validation for trading could help Robinhood earn more from its customers despite their small total account balances. While Robinhood might have over 10 million accounts versus E-Trade’s 5.2 million and Morgan Stanley’s 3 million, but E-Trade’s average account size is $69,230 and Morgan Stanley’s is $900,000 while a survey found most of Robinhood’s held $1,000 to $5,000.

That all means that Robinhood earns less on interest sitting in users’ accounts than the old incumbents. But Robinhood earns the majority of its money on selling order flow and through its subscription Robinhood Gold feature that lets users pay monthly so they can borrow cash to trade with. Profiles and lists, and then eventually more social features, could get Robinhood’s users trading more so there’s more order flow to sell and more reason for them to buy subscriptions.

“Democratizing access is about lowering fees, minimums and other barriers people face — like confidence. Profiles and lists make finance easier to understand and more familiar for people” says Shanmugam. More social features built safely, more reassurance, more trading, more revenue. Robinhood has raised $910 million. But to outgun larger competitors like the newly assembled Morgan Stanley/E-Trade that’s matched its zero-fee pricing, Robinhood will have to win with product.

Canadian online pharmacy, PocketPills has raised $7.35 million as it expands into Quebec

By Jonathan Shieber

PocketPills, which bills itself as the sole online pharmacy operating in Canada, has raised $7.35 million in new financing as it expands across the country.

Through partnerships with insurers like Pacific Blue Cross the company provides co-insurance reductions for prescriptions. “We have an option for you to come and join our platform just like any pharmacy,” says company co-founder and chief operating officer, Harj Samra.

Samra launched the company in 2018 with Raj Gulia, a fellow proprietor of pharmacies across Canada, and the serial entrepreneur and co-founder of RocketFuel Abhinav Gupta. After RocketFuel’s public offering, Gupta was toying with several ideas for direct to consumer companies when he was approached by Gulia and Samra.

Together the three men launched PocketPills to bring the online pharmacy model to Canada as a way to save money for insurers.

The problem for insurers is that the use of generic drugs in Canada lags behind that of the U.S., says Gupta. “The difference is quite substantial. The U.S is about 90% generic fill rate and in Canada that number is at 70%,” he says. 

PocketPills covers everything that a regular Canadian pharmacy would outside of controlled substances and narcotics. The bulk of the company’s prescriptions to date are for medications for chronic conditions.

Now the company is looking to expand across the country, opening fulfillment locations in Nova Scotia and soon in Quebec.

To back that growth and continue its development, PocketPills turned to a large Canadian family office and the investment firm Waterbridge to finance its $7.35 million round.  

“PocketPills is timed well for massive value creation in the Canadian health care industry through its technology innovations. It has captured a sweet spot at the intersection of cost (insurers and employers), convenience (patients) and care (chronic diseases),” said Manish Kheterpal, Managing Partner, WaterBridge Ventures, in a statement.

 

Online learning marketplace Udemy raises $50M at a $2B valuation from Japanese publisher Benesse

By Ingrid Lunden

The internet has, for better or worse, become the default platform for people seeking information, and today one of the companies leveraging that to deliver educational content has raised some funding to fuel its next stage of growth. Udemy, which provides a marketplace offering some 150,000 different online learning courses from business analytics through to ukulele lessons, has picked up $50 million from a single investor, Benesse Holdings, the Japan-based educational publisher that has been Udemy’s partner in the country. The investment values Udemy at $2 billion post-money, it said.

This is a big jump since the startup last raised money, a $60 million round in 2016 that valued it at around $710 million (according to PitchBook data). With this round, Udemay has raised around $130 million in funding.

The plan will be to use the funding to expand all of Udemy’s business, which includes a vast array of courses for consumers that can be purchased a la carte — to date used by some 50 million students; as well as enterprise services, where Udemy works with companies like Adidas, General Mills, Toyota, Wipro, Pinterest and Lyft and others — 5,000 in all — to develop and administer subscription-based professional development courses. Udemy’s president Darren Shimkus describes this as a “Netflix-style” model, where users are presented with a dashboard listing a range of courses that they can take on demand.

Udemy will also be looking at improving how courses are delivered, as well as consider new areas it might move into more deeply to fit what Shimkus described as the biggest challenge for the company, and for the global workforce overall:

“The biggest challenge is for learners is to figure out what skills are emerging, what they can do to compete best in the global market,” he said. “We’re in a world that’s changing so quickly that skills that were valued just three or four years ago are no longer relevant. People are confused and don’t know what they should be learning.” That’s a challenge that also stands for businesses, he added, which are trying to work out what he described as their “three to five year human capital roadmap.”

The investment will also include a specific boost for Udemy’s international operations, starting with Japan but extending also to other markets where Udemy has seen strong growth, such as Brazil and India.

“We’ve worked closely with Benesse for several years, and this investment is a testament to the strength of our relationship and the opportunity ahead of us,” said Gregg Coccari, CEO of Udemy, in a statement. “Udemy is on a mission to improve lives through learning, and so is Benesse. 2020 will be a milestone year where we serve millions more students and enable thousands of businesses and governments to upskill their employees. This growth wouldn’t be possible without our expert instructors who partner with us every step of the way as we build this business.”

Benesse’s business spans instructional materials for children through to courses for adults both online and in in-person training centers — one of the better-known brands that it owns is Berlitz, which operates both virtual courses as well as a network of physical schools — and Udemy has been developing content alongside Benesse both in Japanese as well as English, Shimkus said, targeting both consumer and business markets.

“Access to the latest workplace skills is crucial for success everywhere, including Japan; and Udemy is the world’s largest marketplace enabling professional transformation. With this partnership, we envision a world where more people can continue to learn continuously throughout their lives,” said Tamotsu Adachi, Representative Director, President and CEO of Benesse Holdings Inc., in a statement. “Udemy and Benesse are incredibly synergistic businesses. This investment is the next progression in our business relationship and demonstrates our confidence in what we can accomplish together.”

Udemy’s expansion comes at a time when online education overall has generally continued to grow, although not without bumps.

Among those that compete at least in part with it, Coursera last year announced a $103 million round of funding at a $1 billion+ valuation and made its first acquisition to expand how it teaches programming and other computer science subjects. And in Asia, Byju’s in India is now valued at $8 billion after a quick succession of large growth rounds. We’ve also heard that Age of Learning, which quietly raised at a $1 billion valuation in 2016, is also gearing up for another round.

On the other hand, not all is rosy. Another big name in online learning, Udacity (not to be confused with Udemy), laid off 20% of its workforce amid a larger restructuring; and further afield, Kano — which merges online learning with DIY hardware kits — has also laid off and restructured in recent months. Meanwhile, we don’t seem to hear much these days from LinkedIn Learning, another would-be competitor that was rebranded Lynda.com after it was acquired by the social networking site (itself owned by Microsoft).

Unlike Coursera and others that aim for full degrees that are potentially aiming to disrupt higher education, Udemy focuses on short courses, either simply for the student’s own interest, or potentially for certifications from organizations that either help administer the courses or “own” the subject in question (for example, Cisco for networking certifications, or Microsoft regarding one of its software packages, or the PMI for a course related to project management).

Those courses are delivered by individuals who form the other half of Udemy’s two-sided marketplace. In the 10 years that it’s been in business, Udemy has worked with some 57,000 instructors to develop courses, and in the marketplace model, Shimkus told TechCrunch that those instructors have been netted $350 million in payments to date. (He would not disclose Udemy’s cut on those courses, nor whether the company is currently profitable.)

The company has a lot of areas that it has yet to tackle that present opportunities for how it might evolve. Working with enterprises but with a large base of consumer usage, there is, for example, a lot of scope to develop more data analytics about what is used, what is popular, and how to tailor courses in a better way to fit those models to improve outcomes and engagement. Another area potentially could see Udemy moving deeper into specific subject areas like language learning, where it offers some courses today but has a lot of scope for growing, particularly leaning on what Benesse has with Berlitz. To date, Udemy has made no acquisitions, but that is also an area that Shimkus said could be an option.

Walmart reports lower-than-expected Q4 earnings, despite e-commerce sales growth of 35%

By Sarah Perez

Walmart’s holiday quarter didn’t perform as expected. That’s the big news today from the retailer’s weak Q4 2019 earnings, which saw revenue of $141.67 billion versus the $142.55 expected and adjusted earnings per share of $1.38 versus the $1.44 expected. The company cited a number of factors, including “softer” than anticipated holiday sales in U.S. stores — particularly softer sales of toys, media and gaming, and apparel during the month of December.

Overall, the earnings point to the challenges for Walmart in a market where more consumers than ever are choosing to shop online. Walmart, meanwhile, still makes the bulk of its money from retail stores, not online, though it’s heavily investing in the latter. That leaves it at mercy of the sort of problems it faced in Q4 — like the trouble with the toy industry (that also hit Target), a lack of newness in gaming, a shorter holiday shopping season, and even a warmer winter than has depressed apparel sales across retailers.

Even as large as Walmart’s stores are, they’re still constrained by shelf space and square footage. And when inventory doesn’t move as quickly as it should, sales suffer. In Q4, Walmart’s U.S. same-store sales were up 1.9%, which was short of the 2.3% expected.

By comparison, Amazon’s holiday results crushed expectations. It reported record sales, Prime membership that soared to 150 million paying subscribers, and one-day and same-day deliveries that quadrupled over the same quarter the prior year.

So far, Walmart, like Target and others, has been fairly successful in taking the hybrid approach to retail — meaning its brick-and-mortar business and online side aren’t separated, but rather work together to drive shoppers into stores to pick up their online purchases. Walmart’s pickup business, including online grocery pickup, is helping capture market share and grow Walmart’s overall e-commerce sales.

That remained true in Q4, as e-commerce sales were up 35% with online grocery helping drive those increases. Walmart even boasted grocery sales on a two-year stacked basis were its “best in the past 10 years.” The retailer has also been quickly expanding the number of stores that support online grocery, and ended the year with nearly 3,200 grocery pickup locations and 1,600 stores offering grocery delivery.

However, in a quarter that’s all about boosting business by way of holiday shopping, it’s worth noting that Walmart’s e-commerce sales were up by 41% last quarter, more than the 35% in Q4.

One area where Walmart may need to more quickly expand in the months ahead is its Delivery Unlimited service. Launched in 2019, the membership program for grocery delivery competes with Instacart and others by allowing grocery delivery customers to save on their per-delivery fees by way of a monthly or annual subscription. The company didn’t offer an update on where the program is now available, though it had planned for 50% coverage across the U.S. by year-end.

Meanwhile, Target has now expanded its Shipt same-day grocery delivery service to include non-grocery items from its stores, and has integrated Shipt directly with its own app and on Target.com. And of course, Amazon’s Prime members can shop grocery thanks to Whole Foods, as well as rush their everyday orders courtesy of Amazon’s ever-faster ship times.

In addition, Walmart’s still unprofitable e-commerce business faced other struggles in 2019. Some of its acquisitions in apparel haven’t paid off as anticipated. Last year Walmart sold off Modcloth, Bonobos laid off staff and founder Andy Dunn left. Walmart also shut down Jet.com’s city grocery business, and it just wrapped up its experimental shopping service Jet black.

Walmart additionally pointed to issues in Q4 related to political unrest in Chile, which disrupted the majority of its stores. However, Sam’s Club, Walmex, China and Flipkart did well.

“The holiday season delivered positive transaction growth and underlying expense leverage was strong for the
quarter. However, it wasn’t as good as expected due to lower sales volumes and some pressure related to
associate scheduling,” said Walmart CFO Brett Biggs, in a statement. “We understand the factors that affected our results and are developing plans to address them. We remain confident in our business strategy and our ability to deliver value and convenience for our customers through an integrated omnichannel offering across the globe,” he added.

The retailer also offered lowered 2021 guidance, with earnings expected in the range of $5.00 to $5.15, below analysts’ estimates of $5.22. Walmart said this doesn’t include any impact from the coronavirus outbreak, but it’s continuing to monitor the situation.

Facebook pushes EU for dilute and fuzzy internet content rules

By Natasha Lomas

Facebook founder Mark Zuckerberg is in Europe this week — attending a security conference in Germany over the weekend where he spoke about the kind of regulation he’d like applied to his platform ahead of a slate of planned meetings with digital heavyweights at the European Commission.

“I do think that there should be regulation on harmful content,” said Zuckerberg during a Q&A session at the Munich Security Conference, per Reuters, making a pitch for bespoke regulation.

He went on to suggest “there’s a question about which framework you use”, telling delegates: “Right now there are two frameworks that I think people have for existing industries — there’s like newspapers and existing media, and then there’s the telco-type model, which is ‘the data just flows through you’, but you’re not going to hold a telco responsible if someone says something harmful on a phone line.”

“I actually think where we should be is somewhere in between,” he added, making his plea for Internet platforms to be a special case.

At the conference he also said Facebook now employs 35,000 people to review content on its platform and implement security measures — including suspending around 1 million fake accounts per day, a stat he professed himself “proud” of.

The Facebook chief is due to meet with key commissioners covering the digital sphere this week, including competition chief and digital EVP Margrethe Vestager, internal market commissioner Thierry Breton and Věra Jourová, who is leading policymaking around online disinformation.

The timing of his trip is clearly linked to digital policymaking in Brussels — with the Commission due to set out its thinking around the regulation of artificial intelligence this week. (A leaked draft last month suggested policymaker are eyeing risk-based rules to wrap around AI.)

More widely, the Commission is wrestling with how to respond to a range of problematic online content — from terrorism to disinformation and election interference — which also puts Facebook’s 2BN+ social media empire squarely in regulators’ sights.

Another policymaking plan — a forthcoming Digital Service Act (DSA) — is slated to upgrade liability rules around Internet platforms.

The detail of the DSA has yet to be publicly laid out but any move to rethink platform liabilities could present a disruptive risk for a content distributing giant such as Facebook.

Going into meetings with key commissioners Zuckerberg made his preference for being considered a ‘special’ case clear — saying he wants his platform to be regulated not like the media businesses which his empire has financially disrupted; nor like a dumbpipe telco.

On the latter it’s clear — even to Facebook — that the days of Zuckerberg being able to trot out his erstwhile mantra that ‘we’re just a technology platform’, and wash his hands of tricky content stuff, are long gone.

Russia’s 2016 foray into digital campaigning in the US elections and sundry content horrors/scandals before and since have put paid to that — from nation-state backed fake news campaigns to livestreamed suicides and mass murder.

Facebook has been forced to increase its investment in content moderation. Meanwhile it announced a News section launch last year — saying it would hand pick publishers content to show in a dedicated tab.

The ‘we’re just a platform’ line hasn’t been working for years. And EU policymakers are preparing to do something about that.

With regulation looming Facebook is now directing its lobbying energies onto trying to shape a policymaking debate — calling for what it dubs “the ‘right’ regulation”.

Here the Facebook chief looks to be applying a similar playbook as the Google’s CEO, Sundar Pichai — who recently tripped to Brussels to push for AI rules so dilute they’d act as a tech enabler.

In a blog post published today Facebook pulls its latest policy lever: Putting out a white paper which poses a series of questions intended to frame the debate at a key moment of public discussion around digital policymaking.

Top of this list is a push to foreground focus on free speech, with Facebook questioning “how can content regulation best achieve the goal of reducing harmful speech while preserving free expression?” — before suggesting more of the same: (Free, to its business) user-generated policing of its platform.

Another suggestion it sets out which aligns with existing Facebook moves to steer regulation in a direction it’s comfortable with is for an appeals channel to be created for users to appeal content removal or non-removal. Which of course entirely aligns with a content decision review body Facebook is in the process of setting up — but which is not in fact independent of Facebook.

Facebook is also lobbying in the white paper to be able to throw platform levers to meet a threshold of ‘acceptable vileness’ — i.e. it wants a proportion of law-violating content to be sanctioned by regulators — with the tech giant suggesting: “Companies could be incentivized to meet specific targets such as keeping the prevalence of violating content below some agreed threshold.”

It’s also pushing for the fuzziest and most dilute definition of “harmful content” possible. On this Facebook argues that existing (national) speech laws — such as, presumably, Germany’s Network Enforcement Act (aka the NetzDG law) which already covers online hate speech in that market — should not apply to Internet content platforms, as it claims moderating this type of content is “fundamentally different”.

“Governments should create rules to address this complexity — that recognize user preferences and the variation among internet services, can be enforced at scale, and allow for flexibility across language, trends and context,” it writes — lobbying for maximum possible leeway to be baked into the coming rules.

“The development of regulatory solutions should involve not just lawmakers, private companies and civil society, but also those who use online platforms,” Facebook’s VP of content policy, Monika Bickert, also writes in the blog.

“If designed well, new frameworks for regulating harmful content can contribute to the internet’s continued success by articulating clear ways for government, companies, and civil society to share responsibilities and work together. Designed poorly, these efforts risk unintended consequences that might make people less safe online, stifle expression and slow innovation,” she adds, ticking off more of the tech giant’s usual talking points at the point policymakers start discussing putting hard limits on its ad business.

PhotoSquared app exposed customer photos and shipping labels

By Zack Whittaker

Popular photo printing app PhotoSquared has exposed thousands of customer photos, addresses, and orders details.

At least ten thousand shipping labels were stored in a public Amazon Web Services (AWS) storage bucket. There was no password on the bucket, allowing anyone who knew the easy-to-guess web address access to the customer data. All too often, these AWS storage buckets are misconfigured and set to “public” and not “private.”

The exposed data included high-resolution user-uploaded photos and generated shipping labels, dating back to 2016 and was updating by the day. The app has more than 100,000 users, according to its Google Play listing.

It’s not known how long the storage bucket was left open.

One of the customer orders, including photos and the customer’s shipping address. The exposed storage bucket also had thousands of shipping labels. (Image: TechCrunch)

Security researchers provided the name of the exposed bucket to TechCrunch. We matched a number of shipping labels against existing public records, and contacted PhotoSquared on Wednesday to warn of the exposure.

Keith Miller, chief executive of Strategic Factory, which owns Photosquared, confirmed that the data was no longer exposed, but Miller declined to say if it planned to inform customers or regulators under data breach notification laws.

At the time of writing, PhotoSquared has made no reference to the security lapse on its website or its social media accounts.

Sundance: Feels Good Man charts a path of redemption for Pepe

By Matthew Panzarino

Can a meme be redeemed? That’s the central question in Arthur Jones’ Feels Good Man — a documentary that premiered at Sundance this year charting the course of the creator of Pepe the Frog, a comic book character turned universally recognized meme, as he attempts to reclaim it from racists and shitposters.

The sweet, gentle pacing of the doc fits well with the calm, sensitive demeanor of its creator Matt Furie . Furie is described as “ethereal” by one of his friends in the piece and that’s mostly true. As Pepe is created, then coopted by the residents of 4chan and turned into a meme representing ennui, disenfranchisement and white supremacy in turn, Furie takes it mostly in stride.

But he’s not without passion, as lines begin to be crossed and Pepe becomes registered as hate speech by the Anti-Defamation League, Furie sees an opportunity to try to reclaim his symbol. He’s unsuccessful for the same reason anything is popular on the internet — there are simply too many nerve endings to properly anesthetize them all.

The vast majority of the people that use Pepe are completely unaware of its origins. And the general community of Internet people that communicate via memes go a step beyond that to being un-able to even grasp the concept of ownership. Once something has entered into the cultural bloodstream of the Internet, its origins often dwindle to insignificance.

That doesn’t, of course, stop a creator from existing or caring how their creation is used. And the portrait painted here of a gentle and caring artist forced to watch the subversion and perversion of his creation is heartbreaking and important.

Feels Good Man stands above the pack of docs about internet cultural phenomenon. It peels back enough of the layers of the onion to be effective in ways that analysis of culturally complex idioms born online are often deficient.

Too many times over the years we’ve seen online movements analyzed with an overly simplistic point of view. And the main way they typically fall down is by not including the influence and effect of that staple of online life: trolls. People doing things for the hell of it who then become a part of a larger movement but always have that arms length remove to fall back on, able to claim that it was just a gag.

Jones mentioned during a Q&A after the screening that they wanted Furie’s art to be a character, to have a part to play throughout the film. In addition to scenes of Matt drawing, this is best accomplished by the absolutely gorgeous animation sequences that Jones and a team of animators created of Pepe and the rest of the Boy’s Club characters. They’re delightful and welcome respite from the somewhat hammer-like nature of the dark places Pepe is unwittingly drawn by the various subcultures he is adopted by.

It’s not a perfect film, the sequences with an occultist are goofy in a way that doesn’t fit with the overall flavor of the piece. But it’s probably one of the better documentary films ever made about the Internet era and well worth watching when it gets picked up.

Pew: 30% of US adults have used online dating; 12% found a committed relationship from it

By Sarah Perez

Dating app usage in the U.S. is on the rise, but so are the issues it brings. According to a new Pew Research Center report on online dating, out today, 30% of U.S. adults have at some point used a dating app or website. That’s up from just 11% in 2013. A smaller number of U.S.adults, 12%, said they found a long-term relationship via online dating. In addition, a majority of users reported an overall positive experience with online dating. But when drilling down into specific areas, some significant issues around harassment surfaced.

The study found that 37% of online dating users said someone on a site or app continued to contact them after they said they were not interested. 35% said they were sent an explicit message or image they didn’t ask for, and 28% called them an offensive name. A smaller percentage (9%) said they were threatened with physical harm.

Across the board, these numbers were much higher for women than for men, the study found.

48% of women using online dating said someone continued to contact them after they said no; 46% received unwanted explicit images; 33% were called offensive names, and 11% were threatened with physical harm.

For younger women, these figures shot up even higher.

Six-in-ten women ages 18 to 34 using online dating services said someone via a dating site or app continued to contact them after they said they were not interested; 57% received unwanted explicit images; 44% were called offensive names, and 19% were threatened physically.

Younger adults were also more likely to be using online dating apps or websites than older adults. This is likely due to a combination of factors, including the younger generation’s comfort and ease with newer technology, as well as the fact that many older users leave dating apps because they eventually find themselves in long-term relationships.

Pew found that LGB adults were also twice as likely as straight adults to have used a dating app or website, at 55% to 28%.

Another interesting finding from the Pew study is the success rate of online dating.

Dating market leader Tinder has more fully embraced the younger demographic in recent months and now targets users looking for a “single” lifestyle where dating remains casual and settling down is years away. As the largest, most successful dating platform in the U.S., raking in $1.2 billion in 2019, Tinder is capable of driving industry trends.

On that note, while 30% of U.S. adults have used online dating, only 12% of U.S. adults said they found a committed relationship or got married, as a result of that usage (or 39% of online daters). That’s still higher than in 2013, when 11% of U.S. adults used online dating, but only 3% of adults said they found committed relationships or marriage with someone they met through dating apps or websites.

There were some differences between the 2013 survey and today’s, but the overall trend towards increased usage and improved results remains accurate, Pew says.

Despite the issues associated with online dating, more people (57%) reported a positive experience compared with a negative one (42%). But overall, Pew found that people were fairly ambivalent about how online dating apps and sites impact dating and relationships in America. Half of Americans believe the apps have neither a positive nor a negative impact, for example.

But when current dating app users were asked how the platforms made them feel, more said they felt frustrated (45%) instead of hopeful, pessimistic (35%) instead of optimistic, and insecure (25%) instead of confident. This is despite the same group of users saying they found it easy to find people they were attracted to online who seemed like someone they wanted to meet, among other positives.

 

In addition, a significant portion of U.S. adults (46%) said they don’t think it’s safe to meet people through apps and dating sites. A larger proportion of women believed this (53%) than men (39%) — figures that are likely related to women being more often the target of harassment on the apps.

The full study delves deeper into dating app use and user sentiment along a number of lines, including demographic breakdowns, breakdowns by level of education, and user opinion.

Overall, the results come across as muddled. Largely, users seem fine with online dating. Many think it’s easy enough to find potential matches, even if it’s not all that safe. To some extent, users seem to have also accepted being harassed as just part of the online dating experience, given that a majority felt positively about online dating overall, despite the harassment they received.

Other parts of the study seem to point to an understanding of the superficialness of online dating platforms, citing how important photos were to the experience (71% said that’s very important) compared with other values that may make someone more compatible — like hobbies and interests (36% said they’re very important), religion (25% said they’re very important), politics (14%), or even type of relationship someone wants (63%).

A majority of people also believed dating apps were rife with people lying and scamming — 71% and 50%, respectively, said they think it’s very common to find these activities on online dating sites and apps.

In the end, it seems that those who found success with online dating view it more positively than those who haven’t — which is similar to how things work offline, as well.

Pew’s research was conducted from Oct 16 to 28, 2019 across a panel of 4,860 respondents. The full report is here.

UK Council websites are letting citizens be profiled for ads, study shows

By Natasha Lomas

On the same day that a data ethics advisor to the UK government has urged action to regulate online targeting a study conducted by pro-privacy browser Brave has highlighted how Brits are being profiled by the behavioral ad industry when they visit their local Council’s website — perhaps seeking info on local services or guidance about benefits including potentially sensitive information related to addiction services or disabilities.

Brave found that nearly all UK Councils permit at least one company to learn about the behavior of people visiting their sites, finding that a full 409 Councils exposed some visitor data to private companies.

While many large councils (serving 300,000+ people) were found exposing site visitors to what Brave describes as “extensive tracking and data collection by private companies” — with the worst offenders, London’s Enfield and Sheffield City Councils, exposing visitors to 25 data collectors apiece.

Brave argues the findings represent a conservative illustration of how much commercial tracking and profiling of visitors is going on on public sector websites — a floor, rather than a ceiling — given it was only studying landing pages of Council sites without any user interaction, and could only pick up known trackers (nor could the study look at how data is passed between tracking and data brokering companies).

Nor is the first such study to warn that public sector websites are infested with for-profit adtech. A report last year by Cookiebot found users of public sector and government websites in the EU being tracked when they performed health-related searches — including queries related to HIV, mental health, pregnancy, alcoholism and cancer.

Brave’s study — which was carried out using the webxray tool — found that almost all (98%) of the Councils used Google systems, with the report noting that the tech giant owns all five of the top embedded elements loaded by Council websites, which it suggests gives the company a god-like view of how UK citizens are interacting with their local authorities online.

The analysis also found 198 of the Council websites use the real-time bidding (RTB) form of programmatic online advertising. This is notable because RTB is the subject of a number of data protection complaints across the European Union — including in the UK, where the Information Commissioner’s Office (ICO) itself has been warning the adtech industry for more than half a year that its current processes are in breach of data protection laws.

However the UK watchdog has preferred to bark softly in the industry’s general direction over its RTB problem, instead of taking any enforcement action — a response that’s been dubbed “disastrous” by privacy campaigners.

One of the smaller RTB players the report highlights — which calls itself the Council Advertising Network (CAN) — was found sharing people’s data from 34 Council websites with 22 companies, which could then be insecurely broadcasting it on to hundreds or more entities in the bid chain.

Slides from a CAN media pack refer to “budget conscious” direct marketing opportunities via the ability to target visitors to Council websites accessing pages about benefits, child care and free local activities; “disability” marketing opportunities via the ability to target visitors to Council websites accessing pages such as home care, blue badges and community and social services; and “key life stages” marketing  opportunities via the ability to target visitors to Council websites accessing pages related to moving home, having a baby, getting married or losing a loved one.

This is from the Council Advertising Network's media pack. CAN is a small operation. They are just trying to take a small slide of the Google and IAB "real-time bidding" cake. But this gives an insight in to how insidious this RTB stuff is. pic.twitter.com/b1tiZi1p4P

Johnny Ryan (@johnnyryan) February 4, 2020

Brave’s report — while a clearly stated promotion for its own anti-tracking browser (given it’s a commercial player too) — should be seen in the context of the ICO’s ongoing failure to take enforcement action against RTB abuses. It’s therefore an attempt to increase pressure on the regulator to act by further illuminating a complex industry which has used a lack of transparency to shield massive rights abuses and continues to benefit from a lack of enforcement of Europe’s General Data Protection Regulation.

And a low level of public understanding of how all the pieces in the adtech chain fit together and sum to a dysfunctional whole, where public services are turned against the citizens whose taxes fund them to track and target people for exploitative ads, likely contributes to discouraging sharper regulatory action.

But, as the saying goes, sunlight disinfects.

Asked what steps he would like the regulator to take, Brave’s chief policy officer, Dr Johnny Ryan, told TechCrunch: “I want the ICO to use its powers of enforcement to end the UK’s largest data breach. That data breach continues, and two years to the day after I first blew the whistle about RTB, Simon McDougall wrote a blog post accepting Google and the IAB’s empty gestures as acts of substance. It is time for the ICO to move this over to its enforcement team, and stop wasting time.”

We’re reached out to the ICO for a response to the report’s findings.

UPDATE: Los Angeles-based CREXi raises $30 million for its online real estate marketplace

By Jonathan Shieber

Los Angeles is one of the most desirable locations for commercial real estate in the United States, so it’s little wonder that there’s something of a boom in investments in technology companies servicing the market coming from the region.

It’s one of the reasons that CREXi, the commercial real estate marketplace, was able to establish a strong presence for its digital marketplace and toolkit for buyers, sellers and investors.

Since the company raised its last institutional round in 2018, it has added more than 300,000 properties for sale or lease across the U.S. and increased its user base to 6 million customers, according to a statement.

It has now raised $30 million in new financing from new investors, including Mitsubishi Estate Company (“MEC”), Industry Ventures and Prudence Holdings . Previous investors Lerer Hippeau Ventures and Jackson Square Ventures also participated in the financing.

CREXi makes money three ways. There’s a subscription service for brokers looking to sell or lease property; an auction service where CREXi will earn a fee upon the close of a transaction; and a data and analytics service that allows users to get a view into the latest trends in commercial real estate based on the vast collection of properties on offer through the company’s services.

The company touts its service as the only technology offering that can take a property from marketing to the close of a sale or lease without having to leave the platform.

According to chief executive Mike DeGiorgio, the company is also recession-proof thanks to its auction services. “As more distressed properties hit the market, the best way to sell them is through an online auction,” DeGiorgio says.

So far, the company has seen $700 billion of transactions flow through the platform, and roughly 40% of those deals were exclusive to the company.

“The CRE industry is evolving, and market players, especially younger, digitally native generations are seeking out platforms that provide free and open access to information,” said Gavin Myers, general partner at Prudence Holdings, in a statement. “CREXi directly addresses this market need, providing fair access to a range of CRE information. As CREXi continues to build out its stable of services, features, and functionality, we’re thrilled to partner with them and support the company’s continued momentum.”

CREXi joins the ranks of startups based in Los Angeles that have raised money to reshape the real estate industry. Estimates from Built in LA count roughly 127 companies, which have raised in excess of $2.4 billion, active in the real estate industry in Los Angeles. These companies range from providers of short-term commercial office space, like Knotel, or co-working companies like WeWork, to companies focused on servicing the real estate industry like Luxury Presence, which raised a $5 million round earlier in the year.

Due to inaccurate information provided by the company, an initial version of this story indicated that CREXi had raised $29 million in its Series B round. The correct number is $30 million.

Google’s latest user-hostile design change makes ads and search results look identical

By Natasha Lomas

Did you notice a recent change to how Google search results are displayed on the desktop?

I noticed something last week — thinking there must be some kind of weird bug messing up the browser’s page rendering because suddenly everything looked similar: A homogenous sea of blue text links and favicons that, on such a large expanse of screen, come across as one block of background noise.

I found myself clicking on an ad link — rather than the organic search result I was looking for.

Here, for example, are the top two results for a Google search for flight search engine ‘Kayak’ — with just a tiny ‘Ad’ label to distinguish the click that will make Google money from the click that won’t…

Turns out this is Google’s latest dark pattern: The adtech giant has made organic results even more closely resemble the ads it serves against keyword searches, as writer Craig Mod was quick to highlight in a tweet this week.

There's something strange about the recent design change to google search results, favicons and extra header text: they all look like ads, which is perhaps the point? pic.twitter.com/TlIvegRct1

— Craig Mod (@craigmod) January 21, 2020

Last week, in its own breezy tweet, Google sought to spin the shift as quite the opposite — saying the “new look” presents “site domain names and brand icons prominently, along with a bolded ‘Ad’ label for ads”:

Last year, our search results on mobile gained a new look. That’s now rolling out to desktop results this week, presenting site domain names and brand icons prominently, along with a bolded “Ad” label for ads. Here’s a mockup: pic.twitter.com/aM9UAbSKtv

— Google SearchLiaison (@searchliaison) January 13, 2020

But Google’s explainer is almost a dark pattern in itself.

If you read the text quickly you’d likely come away with the impression that it has made organic search results easier to spot since it’s claiming components of these results now appear more “prominently” in results.

Yet, read it again, and Google is essentially admitting that a parallel emphasis is being placed — one which, when you actually look at the thing, has the effect of flattening the visual distinction between organic search results (which consumers are looking for) and ads (which Google monetizes).

Another eagle-eyed user Twitter, going by the name Luca Masters, chipped into the discussion generated by Mod’s tweet — to point out that the tech giant is “finally coming at this from the other direction”.

They're finally coming at this from the other direction:https://t.co/XYkHjVrE8X

— Luca K. B. Masters (@lkbm) January 21, 2020

‘This’ being deceptive changes to ad labelling; and ‘other direction’ being a reference to how now it’s organic search results being visually tweaked to shrink their difference vs ads.

Google previously laid the groundwork for this latest visual trickery by spending earlier years amending the look of ads to bring them closer in line with the steadfast, cleaner appearance of genuine search results.

Except now it’s fiddling with those too. Hence ‘other direction’.

Masters helpfully quote-tweeted this vintage tweet (from 2016), by journalist Ginny Marvin — which presents a visual history of Google ad labelling in search results that’s aptly titled “color fade”; a reference to the gradual demise of the color-shaded box Google used to apply to clearly distinguish ads in search results.

Those days are long gone now, though.

Color fade: A history of Google ad labeling in search results https://t.co/guo3jc4kwz pic.twitter.com/LMYqhmgfyE

— Ginny Marvin (@GinnyMarvin) July 25, 2016

 

Now a user of Google’s search engine has — essentially — only a favicon between them and an unintended ad click. Squint or you’ll click it.

This visual trickery may be fractionally less confusing in a small screen mobile environment — where Google debuted the change last year. But on a desktop screen these favicons are truly minuscule. And where to click to get actual information starts to feel like a total lottery.

A lottery that’s being stacked in Google’s favor because confused users are likely to end up clicking more ad links than they otherwise would, meaning it cashes in at the expense of web users’ time and energy.

Back in May, when Google pushed this change on mobile users, it touted the tweaks as a way for sites to showcase their own branding, instead of looking like every other blue link on a search result page. But it did so while simultaneously erasing a box-out that it had previously displayed around the label ‘Ad’ to make it stand out.

That made it “harder to differentiate ads and search results,” as we wrote then — predicting it will “likely lead to outcry”.

There were certainly complaints then. And there will likely be more now — given the visual flattening of the gap between ad clicks and organic links looks even more confusing for users of Google search on desktop.

We reached out to Google to ask for a response to the latest criticism that the new design for search results makes it almost impossible to distinguish between organic results and ads. But the company ignored repeat requests for comment.

Of course it’s true that plenty of UX design changes face backlash, especially early on. Change in the digital realm is rarely instantly popular. It’s usually more ‘slow burn’ acceptance.

But there’s no consumer-friendly logic to this one. (And the slow burn going on here involves the user being cast in the role of the metaphorical frog.)

Instead, Google is just making it harder for web users to click on the page they’re actually looking for — because, from a revenue-generating perspective, it prefers them to click an ad.

It’s the visual equivalent of a supermarket putting a similarly packaged own-brand right next to some fancy branded shampoo on the shelf — in the hopes a rushed shopper will pluck the wrong one. (Real life dark patterns are indeed a thing.)

It’s also a handy illustration of quite how far away from the user Google’s priorities have shifted, and continue to drift.

“When Google introduced ads, they were clearly marked with a label and a brightly tinted box,” says UX specialist Harry Brignull. “This was in stark contrast to all the other search engines at the time, who were trying to blend paid listings in amongst the organic ones, in an effort to drive clicks and revenue. In those days, Google came across as the most honest search engine on the planet.”

Brignull is well qualified to comment on dark patterns — having been calling out deceptive design since 2010 when he founded darkpatterns.org.

“I first learned about Google in the late 1990s. In those days you learned about the web by reading print magazines, which is charmingly quaint to look back on. I picked up a copy of Wired Magazine and there it was – a sidebar talking about a new search engine called ‘Google’,” he recalled. “Google was amazing. In an era of portals, flash banners and link directories, it went in the opposite direction. It didn’t care about the daft games the other search engines were playing. It didn’t even seem to acknowledge they existed. It didn’t even seem to want to be a business. It was a feat of engineering, and it felt like a public utility.

“The original Google homepage was recognised a guiding light of purism in digital design. Search was provided by an unstyled text field and button. There was nothing else on the homepage. Just the logo. Search results were near-instant and they were just a page of links and summaries – perfection with nothing to add or take away. The back-propagation algorithm they introduced had never been used to index the web before, and it instantly left the competition in the dust. It was proof that engineers could disrupt the rules of the web without needing any suit-wearing executives. Strip out all the crap. Do one thing and do it well.”

“As Google’s ambitions changed, the tinted box started to fade. It’s completely gone now,” Brignull added.

The one thing Google very clearly wants to do well now is serve more ads. It’s chosen to do that deceptively, by steadily — and consistently — degrading the user experience. So a far cry from “public utility”.

And that user-friendly Google of old? Yep, also completely gone.

UK watchdog sets out ‘age appropriate’ design code for online services to keep kids’ privacy safe

By Natasha Lomas

The UK’s data protection watchdog has today published a set of design standards for Internet services which are intended to help protect the privacy and safety of children online.

The Information Commissioner’s Office (ICO) has been working on the Age Appropriate Design Code since the 2018 update of domestic data protection law — as part of a government push to create ‘world-leading’ standards for children when they’re online.

UK lawmakers have grown increasingly concerned about the ‘datafication’ of children when they go online and may be too young to legally consent to being tracked and profiled under existing European data protection law.

The ICO’s code is comprised of 15 standards of what it calls “age appropriate design” — which the regulator says reflects a “risk-based approach”, including stipulating that setting should be set by default to ‘high privacy’; that only the minimum amount of data needed to provide the service should be collected and retained; and that children’s data should not be shared unless there’s a reason to do so that’s in their best interests.

Profiling should also be off by default. While the code also takes aim at dark pattern UI designs that seek to manipulate user actions against their own interests, saying “nudge techniques” should not be used to “lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections”.

“The focus is on providing default settings which ensures that children have the best possible access to online services whilst minimising data collection and use, by default,” the regulator writes in an executive summary.

While the age appropriate design code is focused on protecting children it is applies to a very broad range of online services — with the regulator noting that “the majority of online services that children use are covered” and also stipulating “this code applies if children are likely to use your service” [emphasis ours].

This means it could be applied to anything from games, to social media platforms to fitness apps to educational websites and on-demand streaming services — if they’re available to UK users.

“We consider that for a service to be ‘likely’ to be accessed [by children], the possibility of this happening needs to be more probable than not. This recognises the intention of Parliament to cover services that children use in reality, but does not extend the definition to cover all services that children could possibly access,” the ICO adds.

Here are the 15 standards in full as the regulator describes them:

  1. Best interests of the child: The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.
  2. Data protection impact assessments: Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service, which arise from your data processing. Take into account differing ages, capacities and development needs and ensure that your DPIA builds in compliance
    with this code.
  3. Age appropriate application: Take a risk-based approach to recognising the age of individual users and ensure you effectively apply the standards in this code to child users. Either establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing, or apply the standards in this code to all your users instead.
  4. Transparency: The privacy information you provide to users, and other published terms, policies and community standards, must be concise, prominent and in clear language suited to the age of the child. Provide additional specific ‘bite-sized’ explanations about how you use personal data at the point that use is activated.
  5. Detrimental use of data: Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
  6. Policies and community standards: Uphold your own published terms, policies and community standards (including but not limited to privacy policies, age restriction, behaviour rules and content policies).
  7. Default settings: Settings must be ‘high privacy’ by default (unless you can demonstrate a compelling reason for a different default setting, taking account of the best interests of the child).
  8. Data minimisation: Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. Give children separate choices over which elements they wish to activate.
  9. Data sharing: Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  10. Geolocation: Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking account of the best interests of the child). Provide an obvious sign for children when location tracking is active. Options which make a child’s location visible to others must default back to ‘off’ at the end of each session.
  11. Parental controls: If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.
  12. Profiling: Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).
  13. Nudge techniques: Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
  14. Connected toys and devices: If you provide a connected toy or device ensure you include effective tools to enable conformance to this code.
  15. Online tools: Provide prominent and accessible tools to help children exercise their data protection rights and report concerns.

The Age Appropriate Design Code also defines children as under the age of 18 — which offers a higher bar than current UK data protection law which, for example, puts only a 13-year-age limit for children to be legally able to give their consent to being tracked online.

So — assuming (very wildly) — that Internet services were to suddenly decide to follow the code to the letter, setting trackers off by default and not nudging users to weaken privacy-protecting defaults by manipulating them to give up more data, the code could — in theory — raise the level of privacy both children and adults typically get online.

However it’s not legally binding — so there’s a pretty fat chance of that.

Although the regulator does make a point of noting that the standards in the code are backed by existing data protection laws, which it does regulate and can legally enforceable (and which include clear principles like ‘privacy by design and default’) — pointing out it has powers to take action against law breakers, including “tough sanctions” such as orders to stop processing data and fines of up to 4% of a company’s global turnover.

So, in a way, the regulator appears to be saying: ‘Are you feeling lucky data punk?’

The code also still has to be laid before parliament for approval for a period of 40 sitting days — with the ICO saying it will come into force 21 days after that, assuming no objections. Then there’s a further 12 month transition period after it comes into force — to “give online services time to conform”. So there’s a fair bit of slack built in before any action may be taken to tackle flagrant nose-thumbers.

Last April the UK government published a white paper setting out its proposals for regulating a range of online harms — including seeking to address concern about inappropriate material that’s available on the Internet being accessed by children.

The ICO’s Age Appropriate Design Code is intended to support that effort. So there’s also a chance that some of the same sorts of stipulations could be baked into the planned online harms bill.

“This is not, and will not be, ‘law’. It is just a code of practice,” said Neil Brown, an Internet, telecoms and tech lawyer at Decoded Legal, discussing the likely impact of the suggested standards. “It shows the direction of the ICO’s thinking, and its expectations, and the ICO has to have regard to it when it takes enforcement action but it’s not something with which an organisation needs to comply as such. They need to comply with the law, which is the GDPR [General Data Protection Regulation] and the DPA [Data Protection Act] 2018.

“The code of practice sits under the DPA 2018, so companies which are within the scope of that are likely to want to understand what it says. The DPA 2018 and the UK GDPR (the version of the GDPR which will be in place after Brexit) covers controllers established in the UK, as well as overseas controllers which target services to people in the UK or monitor the behaviour of people in the UK. Merely making a service available to people in the UK should not be sufficient.”

“Overall, this is consistent with the general direction of travel for online services, and the perception that more needs to be done to protect children online,” Brown also told us.

“Right now, online services should be working out how to comply with the GDPR, the ePrivacy rules, and any other applicable laws. The obligation to comply with those laws does not change because of today’s code of practice. Rather, the code of practice shows the ICO’s thinking on what compliance might look like (and, possibly, goldplates some of the requirements of the law too).”

Organizations that choose to take note of the code — and are in a position to be able to demonstrate they’ve followed its standards — stand a better chance of persuading the regulator they’ve complied with relevant privacy laws, per Brown.

“Conversely, if they want to say that they comply with the law but not with the code, that is (legally) possible, but might be more of a struggle in terms of engagement with the ICO,” he added.

Zooming back out, the government said last fall that it’s committed to publishing draft online harms legislation for pre-legislative scrutiny “at pace”.

But at the same time it dropped a controversial plan included in a 2017 piece of digital legislation which would have made age checks for accessing online pornography mandatory — saying it wanted to focus on a developing “the most comprehensive approach possible to protecting children”, i.e. via the online harms bill.

How comprehensive the touted ‘child protections’ will end up being remains to be seen.

Brown suggests age verification could come through as a “general requirement”, given the age verification component of the Digital Economy Act 2017 was dropped — and “the government has said that these will be swept up in the broader online harms piece”.

The government has also been consulting with tech companies on possible ways to implement age verification online.

However the difficulties of regulating perpetually iterating Internet services — many of which are also operated by companies based outside the UK — have been writ large for years. (And are now mired in geopolitics.)

While the enforcement of existing European digital privacy laws remains, to put it politely, a work in progress

Tencent to grow gaming empire with $148M acquisition of Conan publisher Funcom in Norway

By Ingrid Lunden

Tencent, one of the world’s biggest videogaming companies by revenue, today made another move to help cement that position. The Chinese firm has made an offer to fully acquire Funcom, the games developer behind Conan Exiles (and others in the Conan franchise), Dune and some 28 other titles. The deal, when approved, would value the Oslo-based company at $148 million (NOK 1.33 billion) and give the company a much-needed cash injection to follow through on longer-term strategy around its next generation of games.

Funcom is traded publicly on the Oslo Stock Exchange, and the board has already recommended the offer, which is being made at NOK 17 per share, or around 27% higher than its closing share price the day before (Tuesday).

The news is being made with some interesting timing. Today, Tencent competes against the likes of Sony, Microsoft and Nintendo in terms of mass-market, gaming revenues. But just earlier this week, it was reported that ByteDance — the publisher behind breakout social media app TikTok — was readying its own foray into the world of gaming.

That would set up another level of rivalry between the two companies, since Tencent also has a massive interest in the social media space, specifically by way of its messaging app WeChat . While many consumers will have multiple apps, when it comes down to it, spending money in one represents a constraint on spending money in another.

Today, Tencent is one of the world’s biggest video game companies: in its last reported quarter (Q3 in November), Tencent said that it make RMB28.6 billion ($4.1 billion) in online gaming revenue, with smartphone games accounting for RMB24.3 billion of that.

Acquisitions and controlling stakes form a key part of the company’s growth strategy in gaming. Among its very biggest deals, Tencent paid $8.6 billion for a majority stake in Finland’s Supercell back in 2016. It also has a range of controlling stakes in Riot Games, Epic, Ubisoft, Paradox, Frontier and Miniclip. These companies, in turn, also are making deals: just earlier this month it was reported (and sources have also told us) that Miniclip acquired Israel’s Ilyon Games (of Bubble Shooter fame) for $100 million.

Turning back to Funcom, Tencent was already an investor in the company: it took a 29% stake in it in September 2019 in a secondary deal, buying out KGJ Capital (which had previously been the biggest shareholder).

“Tencent has a reputation for being a responsible long-term investor, and for its renowned operational capabilities in online games,” said Funcom CEO Rui Casais at the time. “The insight, experience, and knowledge that Tencent will bring is of great value to us and we look forward to working closely with them as we continue to develop great games and build a successful future for Funcom.”

In retrospect, this was laying the groundwork and relationships for a bigger deal just months down the line. 

“We have a great relationship with Tencent as our largest shareholder and we are very excited to be part of the Tencent team,” Casais said in a statement today. “We will continue to develop great games that people all over the world will play, and believe that the support of Tencent will take Funcom to the next level. Tencent will provide Funcom with operational leverage and insights from its vast knowledge as the leading company in the game space.”

The rationale for Funcom is that the company had already determined that it needed further investment in order to follow through on its longer-term strategy.

According to a statement issued before it recommended the offer, the company is continuing to build out the “Open World Survival segment” using the Games-as-a-Service business model (where you pay to fuel up with more credits); and is building an ambitious Dune project set to launch in two years.

“Such increased focus would require a redirection of resources from other initiatives, the most significant being the co-op shooter game, initially scheduled for release during 2020 that has been impacted by scope changes due to external/market pressures with increasingly strong competition and internal delays,” the board writes, and if it goes ahead with its strategy, “It is likely that the Company will need additional financing to supplement the revenue generated from current operations.”

Glovo exits the Middle East and drops two LatAm markets in latest food delivery crunch

By Natasha Lomas

The new year isn’t even a month old and the food delivery crunch is already taking big bites. Spain’s Glovo has today announced it’s exiting four markets — which it says is part of a goal of pushing for profitability by 2021.

Also today, Uber confirmed rumors late last year by announcing it’s offloading its Indian Eats business to local rival Zomato — which will see it take a 9.99% stake in the Indian startup.

In other recent news Latin America focused on-demand delivery app Rappi announced 6% staff layoffs.

On-demand food delivery apps may be great at filling the bellies of hungry consumers fast but startups in this space have yet to figure out how to deliver push-button convenience without haemorrhaging money at scale.

So the question even some investors are asking is how they can make their model profitable?

Middle East exit

The four markets Glovo is leaving are Turkey, Egypt, Uruguay and Puerto Rico.

The exits mean its app footprint is shrinking to 22 markets, still with a focus on South America, South West Europe, and Eastern Europe and Africa.

Interestingly, Glovo is here essentially saying goodbye to the Middle East — despite its recent late stage financing round being led by Abu Dhabi state investment company, Mubadala. (It told us last month that regional expansion was not part of Mubadala’s investment thesis.)

Commenting on the exits in a statement, Glovo co-founder and CEO, Oscar Pierre, said: “This has been a very tough decision to take but our strategy has always been to focus on markets where we can grow and establish ourselves among the top two delivery players while providing a first-class user experience and value for our Glovers, customers and partners.”

Last month Pierre told us the Middle East looks too competitive for Glovo to expand further.

In the event it’s opted for a full exit — given both Egypt and Turkey are being dropped (despite the latter being touted as one of Glovo’s fastest growing markets just over a year ago, at the time of its Series D).

“Leaving these four markets will help us to further strengthen our leadership position in South West and Eastern Europe, LatAm and other African markets, and reach our profitability targets by early 2021,” Pierre added.

Glovo said its app will continue to function in the four markets “for a few weeks” after today — adding that it’s offering “support and advice to couriers, customers and partners throughout this transition”.

“I want to place on record our thanks to all of our Glovers, customers and partners in the markets from which we’re withdrawing for their hard work, dedication, commitment and ongoing support,” Pierre added.

The exits sum to Glovo withdrawing from eight out of a total 306 cities.

It also said the eight cities collectively generated 1.7% of its gross sales in 2019 — so it’s signalling the move doesn’t amount to a major revenue hit.

The startup disclosed a $166M Series E raise last month — which pushed the business past a unicorn valuation. Pierre told us then that the new financing would be used to achieve profitability “as early as 2021”, foreshadowing today’s announcement of a clutch of market exits.

Glovo has said its goal is to become the leading or second delivery platform in all the markets where it operates — underlining the challenges of turning a profit in such a hyper competitive, thin margin space which also involves major logistical complexities with so many moving parts (and people) involved in each transaction.

As food delivery players reconfigure their regional footprints — via market exits and consolidation — better financed platforms will be hoping they’ll be left standing with a profitable business to shout about (and the chance to grow again by gobbling up less profitable rivals or else be consumed themselves). So something of a new race is on.

Back in November in an on-stage interview at TechCrunch Disrupt Berlin, Uber Eats and Glovo discussed the challenges of turning a profit — with Glovo co-founder Sacha Michaud telling us he expects further consolidation in the on-demand delivery space. (Though the pair claimed there had been no acquisition talks between Uber and Glovo.)

Michaud said then that Glovo is profitable on a per unit economics basis in “some countries” — but admitted it “varies a lot country by country”.

Spain and Southern Europe are the best markets for Glovo, he also told us, confirming it generates operating profit there. “Latin America will become operation profitable next year,” he predicted.

Glovo’s exit from Egypt actually marks the end of a second act in the market.

The startup first announced it was pulling the plug on Egypt in April 2019 — but returned last summer, at the behest of its investor Delivery Hero (a rival food delivery startup which has a stake in Glovo), according to Michaud’s explanation on stage.

However there was also an intervention by Egypt’s competition watchdog. And local press reported the watchdog had ordered Glovo to resume operations — accusing it and its investor of colluding to restrict competition in the market (Delivery Hero having previously acquired Egyptian food delivery rival, Otlob).

What the watchdog makes of today’s announcement of a final bow out could thus be an interesting wrinkle.

Asked about Egypt, a Glovo spokesperson told us: “Egypt has been a very complex market for us, we were sad to leave the first time and excited to return when we did so last summer. However, our strategy has always been to be among the top two delivery players in every market we enter and have a clear path to profitability. Unfortunately, in Egypt there is not a clear path to profitability.”

Whither profitability?

So what does a clear path to profitability in the on-demand delivery space look like?

Market maturity/density appears to be key, with Glovo only operating in one city apiece in the other two markets it’s leaving, Uruguay and Puerto Rico, for example — compared to hundreds across its best markets, Spain and Italy, where it’s operating out of the red.

This suggests that other markets in South America — where Glovo similarly has just a toe-hold, of a single or handful of cities, and less time on the ground, such as Honduras or Panama — could be vulnerable to further future exits as the company reconfigures to try to hit full profitability in just around a year’s time.

But there are likely lots of factors involved in making the unit economics stack up so it’s tricky to predict.

Food delivered on-demand makes up the majority of Glovo’s orders per market but its app also touts being able to deliver ‘anything’ — from groceries to pharmaceuticals to the house keys you left at home — which it claims as a differentiating factor vs rival food-delivery-only apps.

A degree of variety also looks to be a key ingredient in becoming a sustainable on-demand delivery business — as scale and cross selling appear to where the unit economics can work.

Groceries are certainly a growing focus for Glovo which has been investing in setting up networks of dark supermarkets to support fast delivery of convenience style groceries as well as ready-to-eat food — thereby expanding opportunities for cross-selling to its convenience-loving food junkies at the point of appetite-driven (but likely loss-making) lunch and dinner orders.

Last year Michaud told us that market “maturity” supports profitability. “At the end of the day the more orders we have the better the whole ecosystem works,” he said.

While Uber Eats’ general manager for Northern and Eastern Europe, Charity Safford, also pointed to “scale” as the secret sauce for still elusive profits.

“Where we start to see more and more trips happening this is definitely where we see the unit economics improving — so our job is really to figure out all of the use cases we can put into people’s hands to get that application used as much as possible,” she said.

It’s instructive that Uber is shifting towards a ‘superapp’ model — revealing its intent last year to fold previously separate lines of business, such as rides and Eats, into a single one-stop-shop app which it began rolling out last year. So it’s also able to deliver or serve an increasing number of things (and/or services).

The tech giant has also been testing subscription passes which combine access to a range of its offerings under one regular payment. While Glovo launched a ‘Prime’ monthly subscription offering unlimited deliveries of anything its couriers can bike around for a fixed monthly cost back in 2018.

When it comes to the quest for on-demand profitability all roads so seem to lead to trying to become the bit of Amazon’s business that Amazon hasn’t already built out and swiped.

African fintech firm Flutterwave raises $35M, partners with Worldpay

By Jake Bright

San Francisco and Lagos-based fintech startup Flutterwave has raised a $35 million Series B round and announced a partnership with Worldpay FIS for payments in Africa.

With the funding, Flutterwave will invest in technology and business development to grow market share in existing operating countries, CEO Olugbenga Agboola — aka GB — told TechCrunch.

The company will also expand capabilities to offer more services around its payment products.

More than payments

“We don’t just want to be a payment technology company, we have sector expertise around education, travel, gaming, e-commerce, fintech companies. They all use our expertise,” said GB.

That means Flutterwave will provide more solutions around the broader needs of its clients.

The Nigerian-founded startup’s main business is providing B2B payments services for companies operating in Africa to pay other companies on the continent and abroad.

Launched in 2016, Flutterwave allows clients to tap its APIs and work with Flutterwave developers to customize payments applications. Existing customers include Uber, Booking.com and e-commerce company Jumia.

In 2019, Flutterwave processed 107 million transactions worth $5.4 billion, according to company data.

Flutterwave did the payment integration for U.S. pop-star Cardi B’s 2019 performances in Nigeria and Ghana. Those are two of the countries in which the startup operates, in addition to South Africa, Uganda, Kenya, Tanzania, Zambia, the U.K. and Rwanda.

Flutterwave Cardi B Nigeria“We want to scale in all those markets and be the payment processor of choice,” GB said.

The company will hire more business development staff and expand its developer team to create more sector expertise, according to GB.

“Our business goes beyond payments. People don’t want to just make payments, they want to do something,” he said. And Fluterwave aims to offer more capabilities toward what those clients want to do in Africa.

GB Flutterwave disrupt

Olugbenga Agboola, aka GB

“If you are a charity that wants to raise money for cancer research in Ghana, or you want to sell online, or you’re Cardi B…who wants to do concerts in Africa…we want to be able to set up payments, write the code and create the platform for those needs,” GB explained.

That also means Flutterwave, which built its early client base across global companies, aims to serve smaller African businesses, including startups. Current customers include African-founded tech companies, such as moto ride-hail venture Max.ng.

Worldpay partnership

The new round makes Flutterwave the payment provider for Worldpay in Africa.

“With this partnership, any Worldpay merchant in Europe or the U.S. can accept any African payment. If someone goes to pay Netflix with an African card, it just works,” GB said.

In 2019, Worldpay was acquired for a reported $35 billion by FIS, a U.S. financial services provider. At the time of the purchase, it was projected the two companies would generate revenues of $12 billion annually, yet neither has notable presence in Africa.

Therein lies the benefit of collaborating with Flutterwave.

FIS’s Head of Ventures Joon Cho confirmed the partnership with TechCrunch. FIS also backed Flutterwave’s $35 million Series B. US VC firms Greycroft and eVentures led the round, with participation of Visa, Green Visor and African fund CRE Venture Capital.

Flutterwave’s latest funding brings the company’s total investment to $55 million and follows a year in which the fintech venture announced a series of weighty partnerships.

In July 2019, the startup joined forces with Chinese e-commerce company Alibaba’s Alipay to offer digital payments between Africa and China.

The Alipay collaboration followed one between Flutterwave and Visa to launch a consumer payment product for Africa, called GetBarter.

Flutterwave and African fintech

Flutterwave’s $35 million round and latest partnership are among the reasons the startup has become a standout in Africa’s digital-finance landscape.

As a sector, fintech gains the bulk of dealflow and the majority of startup capital flowing to African startups annually. VC to Africa totaled $1.35 billion in 2019, according to WeeTracker’s latest stats.

While a number of payment startups and products have scaled — see Paga in Nigeria and M-Pesa in Kenya — the majority of the continent’s fintech companies are P2P in focus and segregated to one or two markets.

Flutterwave’s platform has served the increased B2B business payment needs spurred by the decade of growth and reform that has occurred in Africa’s core economies.

The value the startup has created is underscored not just by transactional volume the company generates, but the partnerships it has attracted.

A growing list of the masters of the payment universe — Visa, Alipay, Worldpay — have shown they need Flutterwave to do finance in Africa.

Privacy experts slam UK’s ‘disastrous’ failure to tackle unlawful adtech

By Natasha Lomas

The UK’s data protection regulator has been slammed by privacy experts for once again failing to take enforcement action over systematic breaches of the law linked to behaviorally targeted ads — despite warning last summer that the adtech industry is out of control.

The Information Commissioner’s Office (ICO) has also previously admitted it suspects the real-time bidding (RTB) system involved in some programmatic online advertising to be unlawfully processing people’s sensitive information. But rather than take any enforcement against companies it suspects of law breaches it has today issued another mildly worded blog post — in which it frames what it admits is a “systemic problem” as fixable via (yet more) industry-led “reform”.

Yet it’s exactly such industry-led self-regulation that’s created the unlawful adtech mess in the first place, data protection experts warn.

The pervasive profiling of Internet users by the adtech ‘data industrial complex’ has been coming under wider scrutiny by lawmakers and civic society in recent years — with sweeping concerns being raised in parliaments around the world that individually targeted ads provide a conduit for discrimination, exploit the vulnerable, accelerate misinformation and undermine democratic processes as a consequence of platform asymmetries and the lack of transparency around how ads are targeted.

In Europe, which has a comprehensive framework of data protection rights, the core privacy complaint is that these creepy individually targeted ads rely on a systemic violation of people’s privacy from what amounts to industry-wide, Internet-enabled mass surveillance — which also risks the security of people’s data at vast scale.

It’s now almost a year and a half since the ICO was the recipient of a major complaint into RTB — filed by Dr Johnny Ryan of private browser Brave; Jim Killock, director of the Open Rights Group; and Dr Michael Veale, a data and policy lecturer at University College London — laying out what the complainants described then as “wide-scale and systemic” breaches of Europe’s data protection regime.

The complaint — which has also been filed with other EU data protection agencies — agues that the systematic broadcasting of people’s personal data to bidders in the adtech chain is inherently insecure and thereby contravenes Europe’s General Data Protection Regulation (GDPR), which stipulates that personal data be processed “in a manner that ensures appropriate security of the personal data”.

The regulation also requires data processors to have a valid legal basis for processing people’s information in the first place — and RTB fails that test, per privacy experts — either if ‘consent’ is claimed (given the sheer number of entities and volumes of data being passed around, which means it’s not credible to achieve GDPR’s ‘informed, specific and freely given’ threshold for consent to be valid); or ‘legitimate interests’ — which requires data processors carry out a number of balancing assessment tests to demonstrate it does actually apply.

“We have reviewed a number of justifications for the use of legitimate interests as the lawful basis for the processing of personal data in RTB. Our current view is that the justification offered by organisations is insufficient,” writes Simon McDougall, the ICO’s executive director of technology and innovation, developing a warning over the industry’s rampant misuse of legitimate interests to try to pass off RTB’s unlawful data processing as legit.

The ICO also isn’t exactly happy about what it’s found adtech doing on the Data Protection Impact Assessment front — saying, in so many words, that it’s come across widespread industry failure to actually, er, assess impacts.

“The Data Protection Impact Assessments we have seen have been generally immature, lack appropriate detail, and do not follow the ICO’s recommended steps to assess the risk to the rights and freedoms of the individual,” writes McDougall.

“We have also seen examples of basic data protection controls around security, data retention and data sharing being insufficient,” he adds.

Yet — again — despite fresh admissions of adtech’s lawfulness problem the regulator is choosing more stale inaction.

In the blog post McDougall does not rule out taking “formal” action at some point — but there’s only a vague suggestion of such activity being possible, and zero timeline for “develop[ing] an appropriate regulatory response”, as he puts it. (His preferred ‘E’ word in the blog is ‘engagement’; you’ll only find the word ‘enforcement’ in the footer link on the ICO’s website.)

“We will continue to investigate RTB. While it is too soon to speculate on the outcome of that investigation, given our understanding of the lack of maturity in some parts of this industry we anticipate it may be necessary to take formal regulatory action and will continue to progress our work on that basis,” he adds.

McDougall also trumpets some incremental industry fiddling — such as trade bodies agreeing to update their guidance — as somehow relevant to turning the tanker in a fundamentally broken system.

(Trade body the Internet Advertising Bureau’s UK branch has responded to developments with an upbeat note from its head of policy and regulatory affairs, Christie Dennehy-Neil, who lauds the ICO’s engagement as “a constructive process”, claiming: “We have made good progress” — before going on to urge its members and the wider industry to implement “the actions outlined in our response to the ICO” and “deliver meaningful change”. The statement climaxes with: “We look forward to continuing to engage with the ICO as this process develops.”)

McDougall also points to Google removing content categories from its RTB platform from next month (a move it announced months back, in November) as an important development; and seizes on the tech giant’s recent announcement of a proposal to phase out support for third party cookies within the next two years as ‘encouraging’.

Privacy experts have responded with facepalmed outrage to yet another can-kicking exercise by the UK regulator — warning that cosmetic tweaks to adtech won’t fix a system that’s designed to feast off an unlawful and inherently insecure high velocity background trading of Internet users’ personal data.

“When an industry is premised and profiting from clear and entrenched illegality that breach individuals’ fundamental rights, engagement is not a suitable remedy,” said UCL’s Veale in a statement. “The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now.”

ICO believes that cosmetic fixes can do the job when it comes to #adtech. But no matter how secure data flows are and how beautiful cookie notices are, can people really understand the consequences of their consent? I'm convinced that this consent will *never* be informed. 1/2 https://t.co/1avYt6lgV3

— Karolina Iwańska (@ka_iwanska) January 17, 2020

The trio behind the RTB complaints (which includes Veale) have also issued a scathing collective response to more “regulatory ambivalence” — denouncing the lack of any “substantive action to end the largest data breach ever recorded in the UK”.

“The ‘Real-Time Bidding’ data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination,” they warn. “Regulatory ambivalence cannot continue. The longer this data breach festers, the deeper the rot sets in and the further our data gets exploited. This must end. We are considering all options to put an end to the systemic breach, including direct challenges to the controllers and judicial oversight of the ICO.”

Wolfie Christl, a privacy researcher who focuses on adtech — including contributing to a recent study looking at how extensively popular apps are sharing user data with advertisers — dubbed the ICO’s response “disastrous”.

“Last summer the ICO stated in their report that millions of people were affected by thousands of companies’ GDPR violations. I was sceptical when they announced they would give the industry six more months without enforcing the law. My impression is they are trying to find a way to impose cosmetic changes and keep the data industry happy rather than acting on their own findings and putting an end to the ubiquitous data misuse in today’s digital marketing, which should have happened years ago. The ICO seems to prioritize appeasing the industry over the rights of data subjects, and this is disastrous,” he told us.

“The way data-driven online marketing currently works is illegal at scale and it needs to be stopped from happening,” Christl added. “Each day EU data protection authorities allow these practices to continue further violates people’s rights and freedoms and perpetuates a toxic digital economy.

“This undermines the GDPR and generally trust in tech, perpetuates legal uncertainty for businesses, and punishes companies who comply and create privacy-respecting services and business models.

“Twenty months after the GDPR came into full force, it is still not enforced in major areas. We still see large-scale misuse of personal information all over the digital world. There is no GDPR enforcement against the tech giants and there is no enforcement against thousands of data companies beyond the large platforms. It seems that data protection authorities across the EU are either not able — or not willing — to stop many kinds of GDPR violations conducted for business purposes. We won’t see any change without massive fines and data processing bans. EU member states and the EU Commission must act.”

The US government should stop demanding tech companies compromise on encryption

By Zack Whittaker

In a tweet late Tuesday, President Trump criticized Apple for refusing “to unlock phones used by killers, drug dealers and other violent criminal elements.” Trump was specifically referring to a locked iPhone that belonged to a Saudi airman who killed three U.S sailors in an attack on a Florida base in December.

It’s only the latest example of the government trying to gain access to a terror suspect’s device it claims it can’t access because of the encryption that scrambles the device’s data without the owner’s passcode.

The government spent the past week bartering for Apple’s help. Apple said it had given to investigators “gigabytes of information,” including “iCloud backups, account information and transactional data for multiple accounts.” In every instance it received a legal demand, Apple said it “responded with all of the information” it had. But U.S. Attorney General William Barr accused Apple of not giving investigators “any substantive assistance” in unlocking the phone.

❌