Hello friends, and welcome back to Week in Review.
Last week, we dove into the truly bizarre machinations of the NFT market. This week, we’re talking about something that’s a little bit more impactful on the current state of the web — Apple’s NeuralHash kerfuffle.
In the past month, Apple did something it generally has done an exceptional job avoiding — the company made what seemed to be an entirely unforced error.
In early August — seemingly out of nowhere** — the company announced that by the end of the year they would be rolling out a technology called NeuralHash that actively scanned the libraries of all iCloud Photos users, seeking out image hashes that matched known images of child sexual abuse material (CSAM). For obvious reasons, the on-device scanning could not be opted out of.
This announcement was not coordinated with other major consumer tech giants, Apple pushed forward on the announcement alone.
Researchers and advocacy groups had almost unilaterally negative feedback for the effort, raising concerns that this could create new abuse channels for actors like governments to detect on-device information that they regarded as objectionable. As my colleague Zach noted in a recent story, “The Electronic Frontier Foundation said this week it had amassed more than 25,000 signatures from consumers. On top of that, close to 100 policy and rights groups, including the American Civil Liberties Union, also called on Apple to abandon plans to roll out the technology.”
(The announcement also reportedly generated some controversy inside of Apple.)
The issue — of course — wasn’t that Apple was looking at find ways that prevented the proliferation of CSAM while making as few device security concessions as possible. The issue was that Apple was unilaterally making a massive choice that would affect billions of customers (while likely pushing competitors towards similar solutions), and was doing so without external public input about possible ramifications or necessary safeguards.
A long story short, over the past month researchers discovered Apple’s NeuralHash wasn’t as air tight as hoped and the company announced Friday that it was delaying the rollout “to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”
Having spent several years in the tech media, I will say that the only reason to release news on a Friday morning ahead of a long weekend is to ensure that the announcement is read and seen by as few people as possible, and it’s clear why they’d want that. It’s a major embarrassment for Apple, and as with any delayed rollout like this, it’s a sign that their internal teams weren’t adequately prepared and lacked the ideological diversity to gauge the scope of the issue that they were tackling. This isn’t really a dig at Apple’s team building this so much as it’s a dig on Apple trying to solve a problem like this inside the Apple Park vacuum while adhering to its annual iOS release schedule.
Image Credits: Bryce Durbin / TechCrunch /
Apple is increasingly looking to make privacy a key selling point for the iOS ecosystem, and as a result of this productization, has pushed development of privacy-centric features towards the same secrecy its surface-level design changes command. In June, Apple announced iCloud+ and raised some eyebrows when they shared that certain new privacy-centric features would only be available to iPhone users who paid for additional subscription services.
You obviously can’t tap public opinion for every product update, but perhaps wide-ranging and trail-blazing security and privacy features should be treated a bit differently than the average product update. Apple’s lack of engagement with research and advocacy groups on NeuralHash was pretty egregious and certainly raises some questions about whether the company fully respects how the choices they make for iOS affect the broader internet.
Delaying the feature’s rollout is a good thing, but let’s all hope they take that time to reflect more broadly as well.
** Though the announcement was a surprise to many, Apple’s development of this feature wasn’t coming completely out of nowhere. Those at the top of Apple likely felt that the winds of global tech regulation might be shifting towards outright bans of some methods of encryption in some of its biggest markets.
Back in October of 2020, then United States AG Bill Barr joined representatives from the UK, New Zealand, Australia, Canada, India and Japan in signing a letter raising major concerns about how implementations of encryption tech posed “significant challenges to public safety, including to highly vulnerable members of our societies like sexually exploited children.” The letter effectively called on tech industry companies to get creative in how they tackled this problem.
Here are the TechCrunch news stories that especially caught my eye this week:
LinkedIn kills Stories
You may be shocked to hear that LinkedIn even had a Stories-like product on their platform, but if you did already know that they were testing Stories, you likely won’t be so surprised to hear that the test didn’t pan out too well. The company announced this week that they’ll be suspending the feature at the end of the month. RIP.
FAA grounds Virgin Galactic over questions about Branson flight
While all appeared to go swimmingly for Richard Branson’s trip to space last month, the FAA has some questions regarding why the flight seemed to unexpectedly veer so far off the cleared route. The FAA is preventing the company from further launches until they find out what the deal is.
Apple buys a classical music streaming service
While Spotify makes news every month or two for spending a massive amount acquiring a popular podcast, Apple seems to have eyes on a different market for Apple Music, announcing this week that they’re bringing the classical music streaming service Primephonic onto the Apple Music team.
TikTok parent company buys a VR startup
It isn’t a huge secret that ByteDance and Facebook have been trying to copy each other’s success at times, but many probably weren’t expecting TikTok’s parent company to wander into the virtual reality game. The Chinese company bought the startup Pico which makes consumer VR headsets for China and enterprise VR products for North American customers.
Twitter tests an anti-abuse ‘Safety Mode’
The same features that make Twitter an incredibly cool product for some users can also make the experience awful for others, a realization that Twitter has seemingly been very slow to make. Their latest solution is more individual user controls, which Twitter is testing out with a new “safety mode” which pairs algorithmic intelligence with new user inputs.
Some of my favorite reads from our Extra Crunch subscription service this week:
Our favorite startups from YC’s Demo Day, Part 1
“Y Combinator kicked off its fourth-ever virtual Demo Day today, revealing the first half of its nearly 400-company batch. The presentation, YC’s biggest yet, offers a snapshot into where innovation is heading, from not-so-simple seaweed to a Clearco for creators….”
“…Yesterday, the TechCrunch team covered the first half of this batch, as well as the startups with one-minute pitches that stood out to us. We even podcasted about it! Today, we’re doing it all over again. Here’s our full list of all startups that presented on the record today, and below, you’ll find our votes for the best Y Combinator pitches of Day Two. The ones that, as people who sift through a few hundred pitches a day, made us go ‘oh wait, what’s this?’
All the reasons why you should launch a credit card
“… if your company somehow hasn’t yet found its way to launch a debit or credit card, we have good news: It’s easier than ever to do so and there’s actual money to be made. Just know that if you do, you’ve got plenty of competition and that actual customer usage will probably depend on how sticky your service is and how valuable the rewards are that you offer to your most active users….”
Europe’s top court has dealt another blow to ‘zero rating’ — ruling for a second time that the controversial carrier practice goes against the European Union’s rules on open Internet access.
‘Zero rating’ refers to commercial offers that can be made by mobile network operators to entice customers by excluding the data consumption of certain (often popular) apps from a user’s tariff.
The practice is controversial because it goes against the ‘level playing field’ principle of the open Internet (aka ‘net neutrality’).
EU legislators passed the bloc’s first set of open Internet/net neutrality rules back in 2015 — with the law coming into application in 2016 — but critics warned at the time over vague provisions in the regulation which they suggested could be used by carriers to undermine the core fairness principle of treating all Internet traffic the same.
Some regional telcos have continued to put out zero rating offers — which has led to a number of challenges to test the robustness of the law. But the viability of zero rating within the EU must now be in doubt given the double slap-down by the CJEU.
In its first major decision last year — relating to a challenge against Telenor in Hungary — the court found that commercial use of zero rating was liable to limit the exercise of end users’ rights within the meaning of the regulation.
Its ruling today — which relates to a challenge against zero rating by Vodafone and Telekom Deutschland in Germany (this time with a roaming component) — comes to what looks like an even clearer conclusion, with the court giving the practice very short shrift indeed.
“By today’s judgments, the Court of Justice notes that a ‘zero tariff’ option, such as those at issue in the main proceedings, draws a distinction within internet traffic, on the basis of commercial considerations, by not counting towards the basic package traffic to partner applications. Such a commercial practice is contrary to the general obligation of equal treatment of traffic, without discrimination or interference, as required by the regulation on open internet access,” it writes in a (notably brief) press release summarizing the judgement.
“Since those limitations on bandwidth, tethering or on use when roaming apply only on account of the activation of the ‘zero tariff’ option, which is contrary to the regulation on open internet access, they are also incompatible with EU law,” it added.
We’ve reached out to Vodafone and Telekom Deutschland for comment on the ruling.
In a statement welcoming the CJEU’s decision, the European consumer protection association BEUC’s senior digital policy officer, Maryant Fernández Pérez, subbed the ruling “very positive news for consumers and those who want the internet to stay open to all”.
“When companies like Vodafone use these ‘zero tariff’ rates, they essentially lock-in consumers and limit what the Internet can offer to them. Zero-rating is detrimental to consumer choice, competition, innovation, media diversity and freedom of information,” she added.
It’s been a long time coming but Facebook is finally feeling some heat from Europe’s much trumpeted data protection regime: Ireland’s Data Protection Commission (DPC) has just announced a €225 million (~$267M) for WhatsApp.
The Facebook-owned messaging app has been under investigation by the Irish DPC, its lead data supervisor in the European Union, since December 2018 — several months after the first complaints were fired at WhatsApp over how it processes user data under Europe’s General Data Protection Regulation (GDPR), once it begun being applied in May 2018.
Despite receiving a number of specific complaints about WhatsApp, the investigation undertaken by the DPC that’s been decided today was what’s known as an “own volition” enquiry — meaning the regulator selected the parameters of the investigation itself, choosing to fix on an audit of WhatsApp’s ‘transparency’ obligations.
A key principle of the GDPR is that entities which are processing people’s data must be clear, open and honest with those people about how their information will be used.
The DPC’s decision today (which runs to a full 266 pages) concludes that WhatsApp failed to live up to the standard required by the GDPR.
Its enquiry considered whether or not WhatsApp fulfils transparency obligations to both users and non-users of its service (WhatsApp may, for example, upload the phone numbers of non-users if a user agrees to it ingesting their phone book which contains other people’s personal data); as well as looking at the transparency the platform offers over its sharing of data with its parent entity Facebook (a highly controversial issue at the time the privacy U-turn was announced back in 2016, although it predated GDPR being applied).
In sum, the DPC found a range of transparency infringements by WhatsApp — spanning articles 5(1)(a); 12, 13 and 14 of the GDPR.
In addition to issuing a sizeable financial penalty, it has ordered WhatsApp to take a number of actions to improve the level of transparency it offer users and non-users — giving the tech giant a three-month deadline for making all the ordered changes.
In a statement responding to the DPC’s decision, WhatsApp disputed the findings and dubbed the penalty “entirely disproportionate” — as well as confirming it will appeal, writing:
“WhatsApp is committed to providing a secure and private service. We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision.”
It’s worth emphasizing that the scope of the DPC enquiry which has finally been decided today was limited to only looking at WhatsApp’s transparency obligations.
The regulator was explicitly not looking into wider complaints — which have also been raised against Facebook’s data-mining empire for well over three years — about the legal basis WhatsApp claims for processing people’s information in the first place.
So the DPC will continue to face criticism over both the pace and approach of its GDPR enforcement.
…system to add years until this fine will actually be paid – but at least it's a start… 10k cases per year to go!
— Max Schrems (@maxschrems) September 2, 2021
Indeed, prior to today, Ireland’s regulator had only issued one decision in a major cross-border cases addressing ‘Big Tech’ — against Twitter when, back in December, it knuckle-tapped the social network over a historical security breach with a fine of $550k.
WhatsApp’s first GDPR penalty is, by contrast, considerably larger — reflecting what EU regulators (plural) evidently consider to be a far more serious infringement of the GDPR.
Transparency is a key principle of the regulation. And while a security breach may indicate sloppy practice, systematic opacity towards people whose data your adtech empire relies upon to turn a fat profit looks rather more intentional; indeed, it’s arguably the whole business model.
And — at least in Europe — such companies are going to find themselves being forced to be up front about what they’re doing with people’s data.
The WhatsApp decision will rekindle the debate about whether the GDPR is working effectively where it counts most: Against the most powerful companies in the world, who are also of course Internet companies.
Under the EU’s flagship data protection regulation, decisions on cross border cases require agreement from all affected regulators — across the 27 Member States — so while the GDPR’s “one-stop-shop” mechanism seeks to streamline the regulatory burden for cross-border businesses by funnelling complaints and investigations via a lead regulator (typically where a company has its main legal establishment in the EU), objections can be raised to that lead supervisory authority’s conclusions (and any proposed sanctions), as has happened here, in this WhatsApp case.
Ireland originally proposed a far more low-ball penalty of up to €50M for WhatsApp. However other EU regulators objected to the draft decision on a number of fronts — and the European Data Protection Board (EDPB) ultimately had to step in and take a binding decision (issued this summer) to settle the various disputes.
Through that (admittedly rather painful) joint-working, the DPC was required to increase the size of the fine issued to WhatsApp. In a mirror of what happened with its draft Twitter decision — where the DPC has also suggested an even tinier penalty in the first instance.
While there is a clear time cost in settling disputes between the EU’s smorgasbord of data protection agencies — the DPC submitted its draft WhatsApp decision to the other DPAs for review back in December, so it’s taken well over half a year to hash out all the disputes about WhatsApp’s lossy hashing and so forth — the fact that ‘corrections’ are being made to its decisions and conclusions can land — if not jointly agreed but at least arriving via a consensus being pushed through by the EDPB — is a sign that the process, while slow and creaky, is working.
Even so, Ireland’s data watchdog will continue to face criticism for its outsized role in handling GDPR complaints and investigations — with some accusing the DPC of essentially cherry-picking which issues to examine in detail (by its choice and framing of cases) and which to elide entirely (by those issues it doesn’t open an enquiry into or complaints it simply drops or ignores), with its loudest critics arguing it’s therefore still a major bottleneck on effective enforcement of data protection rights across the EU. And the associated conclusion for that critique is that tech giants like Facebook are still getting a pretty free pass to violate Europe’s privacy rules.
But while it’s true that a $267M penalty is still the equivalent of a parking ticket for Facebook, orders to change how such adtech giants are able to process people’s information have the potential to be a far more significant correction on problematic business models. Again, though, time will be needed to tell.
In a statement on the WhatsApp decision today, noyb — the privacy advocay group founded by long-time European privacy campaigner Max Schrems, said: “We welcome the first decision by the Irish regulator. However, the DPC gets about ten thousand complaints per year since 2018 and this is the first major fine. The DPC also proposed an initial €50MK fine and was forced by the other European data protection authorities to move towards €225M, which is still only 0.08% of the turnover of the Facebook Group. The GDPR foresees fines of up to 4% of the turnover. This shows how the DPC is still extremely dysfunctional.”
Schrems also noted that he and noyb still have a number of pending cases before the DPC — including on WhatsApp.
In further remarks, Schrems and noyb said: “WhatsApp will surely appeal the decision. In the Irish court system this means that years will pass before any fine is actually paid. In our cases we often had the feeling that the DPC is more concerned with headlines than with actually doing the hard groundwork. It will be very interesting to see if the DPC will actually defend this decision fully, as it was basically forced to make this decision by its European counterparts. I can imagine that the DPC will simply not put many resources on the case or ‘settle’ with WhatsApp in Ireland. We will monitor this case closely to ensure that the DPC is actually following through with this decision.”
Summer is still technically in session, but a snowball is slowly developing in the world of apps, and specifically the world of in-app payments. A report in Reuters today says that the Competition Commission of India, the country’s monopoly regulator, will soon be looking at an antitrust suit filed against Apple over how it mandates that app developers use Apple’s own in-app payment system — thereby giving Apple a cut of those payments — when publishers charge users for subscriptions and other items in their apps.
The suit, filed by an Indian non-profit called “Together We Fight Society”, said in a statement to Reuters that it was representing consumer and startup interests in its complaint.
The move would be the latest in what has become a string of challenges from national regulators against app store operators — specifically Apple but also others like Google and WeChat — over how they wield their positions to enforce market practices that critics have argued are anti-competitive. Other countries that have in recent weeks reached settlements, passed laws, or are about to introduce laws include Japan, South Korea, Australia, the U.S. and the European Union.
And in India specifically, the regulator is currently working through a similar investigation as it relates to in-app payments in Android apps, which Google mandates use its proprietary payment system. Google and Android dominate the Indian smartphone market, with the operating system active on 98% of the 520 million devices in use in the country as of the end of 2020.
It will be interesting to watch whether more countries wade in as a result of these developments. Ultimately, it could force app store operators, to avoid further and deeper regulatory scrutiny, to adopt new and more flexible universal policies.
In the meantime, we are seeing changes happen on a country-by-country basis.
Just yesterday, Apple reached a settlement in Japan that will let publishers of “reader” apps (those for using or consuming media like books and news, music, files in the cloud and more) to redirect users to external sites to provide alternatives to Apple’s proprietary in-app payment provision. Although it’s not as seamless as paying within the app, redirecting previously was typically not allowed, and in doing so the publishers can avoid Apple’s cut.
South Korean legislators earlier this week approved a measure that will make it illegal for Apple and Google to make a commission by forcing developers to use their proprietary payment systems.
And last week, Apple also made some movements in the U.S. around allowing alternative forms of payments, but relatively speaking the concessions were somewhat indirect: app publishers can refer to alternative, direct payment options in apps now, but not actually offer them. (Not yet at least.)
Some developers and consumers have been arguing for years that Apple’s strict policies should open up more. Apple however has long said in its defense that it mandates certain developer policies to build better overall user experiences, and for reasons of security. But, as app technology has evolved, and consumer habits have changed, critics believe that this position needs to be reconsidered.
One factor in Apple’s defense in India specifically might be the company’s position in the market. Android absolutely dominates India when it comes to smartphones and mobile services, with Apple actually a very small part of the ecosystem.
As of the end of 2020, it accounted for just 2% of the 520 million smartphones in use in the country, according to figures from Counterpoint Research quoted by Reuters. That figure had doubled in the last five years, but it’s a long way from a majority, or even significant minority.
The antitrust filing in India has yet to be filed formally, but Reuters notes that the wording leans on the fact that anti-competitive practices in payments systems make it less viable for many publishers to exist at all, since the economics simply do not add up:
“The existence of the 30% commission means that some app developers will never make it to the market,” Reuters noted from the filing. “This could also result in consumer harm.”
Google is appealing the more than half a billion-dollar fine it got slapped with by France’s competition authority in July.
The penalty relates to the adtech giant’s approach toward paying news publishers for content reuse.
In a statement today, Sebastien Missoffe, a Google France VP and country manager, characterized the fine as “disproportionate” — claiming that the $592 million penalty is not justified in light of Google’s “efforts” to cut a deal with news publishers and comply with updated copyright rules. Which reads like fairly weak sauce, as defence statements go.
“We are appealing the French Competition Authority’s decision which relates to our negotiations between April and August 2020. We disagree with a number of legal elements, and believe that the fine is disproportionate to our efforts to reach an agreement and comply with the new law,” wrote Missoffe, adding: “Irrespective of this, we recognize neighboring rights and we continue to work hard to resolve this case and put deals in place. This includes expanding offers to 1,200 publishers, clarifying aspects of our contracts, and we are sharing more data as requested by the French Competition Authority in their July Decision.”
Back in 2019, the European Union agreed on an update to digital copyright rules which extended cover to the ledes of news stories — snippets of which aggregators such as Google News had for years routinely scraped and displayed.
Individual EU Member States then needed to transpose the updated pan-EU reforms into their national laws — with France leading the pack to do so.
The country’s competition watchdog has also been leading the charge in enforcing updated rules against Google — ordering the tech giant to negotiate with publishers last year and following that up with a whopping fine when publishers complained to it about how Google was treating those talks.
Announcing the penalty this summer, the Autorité de la Concurrence accused the tech giant of attempting to unilaterally impose a global news licensing product it operates upon local publishers in a bid to avoid having to put a separate financial value on neighbouring rights remuneration — where there is a legal requirement (under EU and French law) upon it to negotiate with said publishers…
The watchdog’s full list of grievances against Google’s modus operandi was very long — check out our earlier report here — so it’s not clear how much of a placeholder action this appeal by Google is.
Per Reuters, the Autorité has said the appeal will not hold up the penalty nor impede the timeline of the order it already issued — which, in mid July, gave Google a two month timeframe to revise its offer and provide publishers with all the required info, with the threat of daily fines (of €900,000) if it failed to meet all its requirements by then. So there are now only a couple of weeks to go before that deadline.
Google may thus be hoping that by announcing an appeal now it will help ‘concentrate’ publishers’ minds — and encourage them to accept — whatever tweaked offer it comes up with, hence its statement noting an ‘expanded’ offer (now covering 1,200 publishers), and talk of “clarifying aspects of our contracts” and “sharing more data”, all of which were areas where Google got roundly spanked by the Autorité.
The UK government has named the person it wants to take over as its chief data protection watchdog, with sitting commissioner Elizabeth Denham overdue to vacate the post: The Department of Digital, Culture, Media and Sport (DCMS) today said its preferred replacement is New Zealand’s privacy commissioner, John Edwards.
Edwards, who has a legal background, has spent more than seven years heading up the Office of the Privacy Commissioner In New Zealand — in addition to other roles with public bodies in his home country.
He is perhaps best known to the wider world for his verbose Twitter presence and for taking a public dislike to Facebook: In the wake of the 2018 Cambridge Analytica data misuse scandal Edwards publicly announced that he was deleting his account with the social media — accusing Facebook of not complying with the country’s privacy laws.
An anti-‘Big Tech’ stance aligns with the UK government’s agenda to tame the tech giants as it works to bring in safety-focused legislation for digital platforms and reforms of competition rules that take account of platform power.
— John Edwards (@JCE_PC) August 26, 2021
If confirmed in the role — the DCMS committee has to approve Edwards’ appointment; plus there’s a ceremonial nod needed from the Queen — he will be joining the regulatory body at a crucial moment as digital minister Oliver Dowden has signalled the beginnings of a planned divergence from the European Union’s data protection regime, post-Brexit, by Boris Johnson’s government.
Dial back the clock five years and prior digital minister, Matt Hancock, was defending the EU’s General Data Protection Regulation (GDPR) as a “decent piece of legislation” — and suggesting to parliament that there would be little room for the UK to diverge in data protection post-Brexit.
But Hancock is now out of government (aptly enough after a data leak showed him breaching social distancing rules by kissing his aide inside a government building), and the government mood music around data has changed key to something far more brash — with sitting digital minister Dowden framing unfettered (i.e. deregulated) data-mining as “a great opportunity” for the post-Brexit UK.
For months, now, ministers have been eyeing how to rework the UK’s current (legascy) EU-based data protection framework — to, essentially, reduce user rights in favor of soundbites heavy on claims of slashing ‘red tape’ and turbocharging data-driven ‘innovation’. Of course the government isn’t saying the quiet part out loud; its press releases talk about using “the power of data to drive growth and create jobs while keeping high data protection standards”. But those standards are being reframed as a fig leaf to enable a new era of data capture and sharing by default.
Dowden has said that the emergency data-sharing which was waived through during the pandemic — when the government used the pressing public health emergency to justify handing NHS data to a raft of tech giants — should be the ‘new normal’ for a post-Brexit UK. So, tl;dr, get used to living in a regulatory crisis.
A special taskforce, which was commissioned by the prime minister to investigate how the UK could reshape its data policies outside the EU, also issued a report this summer — in which it recommended scrapping some elements of the UK’s GDPR altogether — branding the regime “prescriptive and inflexible”; and advocating for changes to “free up data for innovation and in the public interest”, as it put it, including pushing for revisions related to AI and “growth sectors”.
The government is now preparing to reveal how it intends to act on its appetite to ‘reform’ (read: reduce) domestic privacy standards — with proposals for overhauling the data protection regime incoming next month.
Speaking to the Telegraph for a paywalled article published yesterday, Dowden trailed one change that he said he wants to make which appears to target consent requirements — with the minister suggesting the government will remove the legal requirement to gain consent to, for example, track and profile website visitors — all the while framing it as a pro-consumer move; a way to do away with “endless” cookie banners.
Only cookies that pose a ‘high risk’ to privacy would still require consent notices, per the report — whatever that means.
Oliver Dowden, the UK Minister for Digital, Culture, Media and Sport, says that the UK will break away from GDPR, and will no longer require cookie warnings, other than those posing a 'high risk'.https://t.co/2ucnppHrIm pic.twitter.com/RRUdpJumYa
— dan barker (@danbarker) August 25, 2021
“There’s an awful lot of needless bureaucracy and box ticking and actually we should be looking at how we can focus on protecting people’s privacy but in as light a touch way as possible,” the digital minister also told the Telegraph.
The draft of this Great British ‘light touch’ data protection framework will emerge next month, so all the detail is still to be set out. But the overarching point is that the government intends to redefine UK citizens’ privacy rights, using meaningless soundbites — with Dowden touting a plan for “common sense” privacy rules — to cover up the fact that it intends to reduce the UK’s currently world class privacy standards and replace them with worse protections for data.
If you live in the UK, how much privacy and data protection you get will depend upon how much ‘innovation’ ministers want to ‘turbocharge’ today — so, yes, be afraid.
It will then fall to Edwards — once/if approved in post as head of the ICO — to nod any deregulation through in his capacity as the post-Brexit information commissioner.
We can speculate that the government hopes to slip through the devilish detail of how it will torch citizens’ privacy rights behind flashy, distraction rhetoric about ‘taking action against Big Tech’. But time will tell.
Data protection experts are already warning of a regulatory stooge.
While the Telegraph suggests Edwards is seen by government as an ideal candidate to ensure the ICO takes a “more open and transparent and collaborative approach” in its future dealings with business.
In a particularly eyebrow raising detail, the newspaper goes on to report that government is exploring the idea of requiring the ICO to carry out “economic impact assessments” — to, in the words of Dowden, ensure that “it understands what the cost is on business” before introducing new guidance or codes of practice.
All too soon, UK citizens may find that — in the ‘sunny post-Brexit uplands’ — they are afforded exactly as much privacy as the market deems acceptable to give them. And that Brexit actually means watching your fundamental rights being traded away.
In a statement responding to Edwards’ nomination, Denham, the outgoing information commissioner, appeared to offer some lightly coded words of warning for government, writing [emphasis ours]: “Data driven innovation stands to bring enormous benefits to the UK economy and to our society, but the digital opportunity before us today will only be realised where people continue to trust their data will be used fairly and transparently, both here in the UK and when shared overseas.”
The lurking iceberg for government is of course that if wades in and rips up a carefully balanced, gold standard privacy regime on a soundbite-centric whim — replacing a pan-European standard with ‘anything goes’ rules of its/the market’s choosing — it’s setting the UK up for a post-Brexit future of domestic data misuse scandals.
You only have to look at the dire parade of data breaches over in the US to glimpse what’s coming down the pipe if data protection standards are allowed to slip. The government publicly bashing the privacy sector for adhering to lax standards it deregulated could soon be the new ‘get popcorn’ moment for UK policy watchers…
UK citizens will surely soon learn of unfair and unethical uses of their data under the ‘light touch’ data protection regime — i.e. when they read about it in the newspaper.
Such an approach will indeed be setting the country on a path where mistrust of digital services becomes the new normal. And that of course will be horrible for digital business over the longer run. But Dowden appears to lack even a surface understanding of Internet basics.
The UK is also of course setting itself on a direct collision course with the EU if it goes ahead and lowers data protection standards.
This is because its current data adequacy deal with the bloc — which allows for EU citizens’ data to continue flowing freely to the UK is precariously placed — was granted only on the basis that the UK was, at the time it was inked, still aligned with the GDPR.
So Dowden’s rush to rip up protections for people’s data presents a clear risk to the “significant safeguards” needed to maintain EU adequacy.
Back in June, when the Commission signed off on the UK’s adequacy deal, it clearly warned that “if anything changes on the UK side, we will intervene”. Moreover, the adequacy deal is also the first with a baked in sunset clause — meaning it will automatically expire in four years.
So even if the Commission avoids taking proactive action over slipping privacy standards in the UK there is a hard deadline — in 2025 — when the EU’s executive will be bound to look again in detail at exactly what Dowden & Co. have wrought. And it probably won’t be pretty.
The longer term UK ‘plan’ (if we can put it that way) appears to be to replace domestic economic reliance on EU data flows — by seeking out other jurisdictions that may be friendly to a privacy-light regime governing what can be done with people’s information.
Hence — also today — DCMS trumpeted an intention to secure what it billed as “new multi-billion pound global data partnerships” — saying it will prioritize striking ‘data adequacy’ “partnerships” with the US, Australia, the Republic of Korea, Singapore, and the Dubai International Finance Centre and Colombia.
Future partnerships with India, Brazil, Kenya and Indonesia will also be prioritized, it added — with the government department cheerfully glossing over the fact it’s UK citizens’ own privacy that is being deprioritized here.
“Estimates suggest there is as much as £11 billion worth of trade that goes unrealised around the world due to barriers associated with data transfers,” DCMS writes in an ebullient press release.
As it stands, the EU is of course the UK’s largest trading partner. And statistics from the House of Commons library on the UK’s trade with the EU — which you won’t find cited in the DCMS release — underline quite how tiny this potential Brexit ‘data bonanza’ is, given that UK exports to the EU stood at £294 billion in 2019 (43% of all UK exports).
So even the government’s ‘economic’ case to water down citizens’ privacy rights looks to be puffed up with the same kind of misleadingly vacuous nonsense as ministers’ reframing of a post-Brexit UK as ‘Global Britain’.
Everyone hates cookies banners, sure, but that’s a case for strengthening not weakening people’s privacy — for making non-tracking the default setting online and outlawing manipulative dark patterns so that Internet users don’t constantly have to affirm they want their information protected. Instead the UK may be poised to get rid of annoying cookie consent ‘friction’ by allowing a free for all on people’s data.
Mindset, a platform featuring personal story collections from recording artists, announced today that it raised $8.7 million in seed funding.
As co-founders of the K-pop-focused podcast production company DIVE Studios, brothers Brian Nam, Eric Nam and Eddie Nam noticed that the studio’s best-performing content came from podcast episodes where stars discussed how they handle struggles in their personal lives. So, the Nam brothers came up with the idea for Mindset, an off-shoot of DIVE Studios.
“We found that this was a unique selling point people really wanted more of — so we started to think about ways to really double-down on that aspect,” said CEO Brian Nam. “How do we provide more of this valuable content to Gen Z and young millennial audiences? We decided that there wasn’t really the right kind of platform out there for this type of storytelling, so we decided to develop our own mobile platform to uniquely share these stories in an audio format.”
Image Credits: Mindset
In its current format, Mindset features four audio collections from artists like Jae, Tablo, BM and Mindset co-founder Eric Nam, who happens to be a K-pop star himself. Each collection has 10 episodes of around 10 to 20 minutes long — the introductory episode is free, but to gain access to the rest of an individual artist’s collection, users must pay $24.99. The app also has free Boosters, which are Calm-like, five-minute clips of bedtime stories and motivational mantras.
“Up until now, the primary source of income, especially for musicians, has been touring, music streams and then maybe some endorsement deals, but we’re able to unlock this fourth one, which is monetizing your stories,” Nam said. “The pricing is similar to how they might price a ticket, or how they would sell merchandise.”
Mindset isn’t meant to be a therapy app. “We’re not licensed therapists, we don’t try to act like we are,” Nam said. Rather, it’s a way for artists to share more intimate experiences with their fans to show that behind they music, they’re people too.
Mindset launched in an MVP (minimum viable product) version in February. Nam declined to share active user or revenue numbers, but said that the app gained enough traction that by May, it raised venture funding. The $8.7 million round is led by Union Square Ventures with strategic participants like record executive Scooter Braun (of TQ Ventures), who has more recently made headlines over the Taylor Swift masters controversy. Other backers include Twitch co-founder Kevin Lin, Opendoor co-founder Eric Wu, and more.
“Scooter Braun was a strategic investor,” Nam told TechCrunch.
Braun has also worked with artists like Ariana Grande, Justin Bieber and Demi Lovato.
“He’s really opened a lot of doors for us to branch out into the Hollywood and Western space, where we traditionally came from the K-pop space,” Nam added.
Mindset is putting its seed funding toward content creation, hiring and product development. The app is currently available on iOS and Android, but it will officially launch on September 14. After that, Mindset will release another audio collection from an artist or actor every two weeks. Nam declined to share who these artists will be.
Nearly two years ago, contractors for Google’s Pittsburgh operations voted to join the United Steelworkers union in a bid to secure more labor rights representation. It was an early example of a building union movement for tech workers across the spectrum. But as other hard-fought battles have been waged among blue and white collar workers alike, both sides have continued hashing out negotiations. This week, those have finally resulted in something more concrete.
The contract workers held out for what they believed to be similar treatment as others in the tech industry. At the time, it seemed Google was hoping to stay out of the fray with HCL Technologies, the consulting company that staffed the workers.
“We work with lots of partners, many of which have unionized workforces, and many of which don’t,” Google said following the initial union vote. “As with all our partners, whether HCL’s employees unionize or not is between them and their employer. We’ll continue to partner with HCL.”
According to the USW, the 65 Pittsburgh-based workers have ratified the contract with HCL. It’s a three-year-deal that covers working conditions, job security and wages, per a note from the union.
USW Tech Workers Ratify Historic First Contract at HCL https://t.co/VY8XLGThUr
— United Steelworkers (@steelworkers) July 30, 2021
“After close to two years of hard work, patience and solidarity from our members at HCL, we are proud of what we achieved in this agreement,” USW President Tom Conway said in a release tied to the news. “More than ever, our struggle with HCL shows that all workers deserve the protections and benefits of a union contract.”
Last week, with the deal nearing completion, HCL said in a statement provided to The Verge, “Throughout this process, HCL has been actively engaged in meaningful and fair discussions with the USW in good faith. We have been steadfast in our commitment to respect our employees’ right to pursue unionization should they choose to do so.”
In a release issued by USW, however, bargaining committee member Renata Nelson notes some clear tension in the process. “After ignoring our concerns, HCL tried to prevent us from forming a union, and when it failed, the company dragged out the negotiating process while sending our jobs overseas in retaliation,” Parks said in the release. “Now, with a strong union and contract in place, we’re confident that our voices will be heard.”
We’ve reached out to Google for comment.
Merqueo, which operates a full-stack, on-demand delivery service in Latin America, has landed $50 million in a Series C round of funding.
IDC Ventures, Digital Bridge and IDB Invest co-led the round, which also included participation from MGM Innova Group, Celtic House Venture Partners, Palm Drive Capital and previous shareholders. The financing brings the Bogota, Colombia-based startup’s total raised to $85 million since its 2017 inception.
Merqueo CEO and co-founder Miguel McAllister knows a thing or two about the delivery space in Latin America, having also co-founded Domicilios.com, a Latin American food delivery company that was bought by Berlin-based Delivery Hero and later merged with Brazil’s iFood.
McAllister describes Merqueo as a “pure-play online supermarket with a fully integrated grocery delivery service” that sources directly from large brands and local suppliers, bypassing intermediaries and “delivering directly from its dark store network.” (Dark stores are traditional retail stores that have been converted to local fulfillment centers.”
Merqueo offers more than 8,000 products, including fresh foods, packaged goods, home essentials, beverages and frozen products. It currently operates in more than 25 cities in Colombia, Mexico and Brazil and has over 600,000 users.
Image Credits: Merqueo
It must be doing something right. The startup is close to $100 million in “run-rate revenue,” according to McAllister, having grown more than 2.5x in 2020. Merqueo also reached positive cash flow in Colombia, its most mature market. Over the last year, large Latin American retail chains and retailers have approached the company about potentially acquiring it, McAllister said.
Part of the company’s success might be attributed to the speed and flexibility it offers. Users can choose how and when to receive their groceries according to their needs, with the startup offering delivery in as little as 10 minutes or three to four hours. Users can also schedule delivery of their groceries in two-hour intervals for the same day or the next day.
Also, owning and controlling the “entire” vertical supply chain gives it the ability to obtain better margins, offer competitive pricing and achieve healthy unit economics, according to McAllister.
Merqueo plans to use its new capital in part to expand geographically. The company is currently in phase one of its expansion to Brazil, entering initially in Sao Paulo later this month. Next year, it expects to launch in other Brazilian cities such as Rio de Janeiro, Fortaleza and Salvador de Bahia.
The market opportunity in Latin America is massive considering that online grocery sales only represent just 1% of the market –– far lower than in the U.S., EU or China, for example. Other players in the increasingly crowded space include GoPuff in the U.S., Getir out of Turkey and Mexico-based Jüsto, which raised $65 million in a Series A led by General Atlantic earlier this year.
“The pandemic accelerated the adoption of online grocery shopping in LatAm,” McAllister told TechCrunch. “The region went from 0.3% share of online groceries to 1%. And after the pandemic, we are seeing a 50% increase in the pace of user adoption.” Overall, the $85 billion e-commerce market in Latin America is growing rapidly, with projections of it reaching $116.2 billion in 2023.
Currently, Merqueo has over 1,300 employees in LatAm, up 60% from last year. It plans to continue hiring with the proceeds from the Series C round as well work “to become the largest and most ambitious dark stores network of Latin America.”
Alejandro Rodríguez, managing partner at IDC Ventures, is naturally bullish on Merqueo’s potential.
“From all the opportunities we looked into, Merqueo is undoubtedly the most advanced in the region. … The Merqueo team has proved they know how to scale the business and how to get to profitability,” Rodríguez told TechCrunch.
Online grocery delivery is a business with many technical and operational complexities, he said. In his view, Merqueo’s technology and operational expertise allow it to tackle those issues in a way that has led to “the best customer experience that we have seen in a scalable way.”
“They have the best combination of both great service metrics and healthy unit economics,” Rodríguez added.
Despite their rich engineering talent, Blockchain entrepreneurs in the EU often struggle to find backing due to the dearth of large funds and investment expertise in the space. But a big move takes place at an EU level today, as the European Investment Fund makes a significant investment into a blockchain and digital assets venture fund.
Fabric Ventures, a Luxembourg-based VC billed as backing the “Open Economy” has closed $130 million for its 2021 fund, $30 million of which is coming from the European Investment Fund (EIF). Other backers of the new fund include 33 founders, partners, and executives from Ethereum, (Transfer)Wise, PayPal, Square, Google, PayU, Ledger, Raisin, Ebury, PPRO, NEAR, Felix Capital, LocalGlobe, Earlybird, Accelerator Ventures, Aztec Protocol, Raisin, Aragon, Orchid, MySQL, Verifone, OpenOcean, Claret Capital, and more.
This makes it the first EIF-backed fund mandated to invest in digital assets and blockchain technology.
EIF Chief Executive Alain Godard said: “We are very pleased to be partnering with Fabric Ventures to bring to the European market this fund specializing in Blockchain technologies… This partnership seeks to address the need [in Europe] and unlock financing opportunities for entrepreneurs active in the field of blockchain technologies – a field of particular strategic importance for the EU and our competitiveness on the global stage.”
The subtext here is that the EIF wants some exposure to these new, decentralized platforms, potentially as a bulwark against the centralized platforms coming out of the US and China.
And yes, while the price of Bitcoin has yo-yo’d, there is now $100 billion invested in the decentralized finance sector and $1.5 billion market in the NFT market. This technology is going nowhere.
Fabric hasn’t just come from nowhere, either. Various Fabric Ventures team members have been involved in Orchestream, the Honeycomb Project at Sun Microsystems, Tideway, RPX, Automic, Yoyo Wallet, and Orchid.
Richard Muirhead is Managing Partner, and is joined by partners Max Mersch and Anil Hansjee. Hansjee becomes General Partner after leaving PayPal’s Venture Fund, which he led for EMEA. The team has experience in token design, market infrastructure, and community governance.
The same team started the Firestartr fund in 2012, backing Tray.io, Verse, Railsbank, Wagestream, Bitstamp, and others.
Muirhead said: “It is now well acknowledged that there is a need for a web that is user-owned and, consequently, more human-centric. There are astonishing people crafting this digital fabric for the benefit of all. We are excited to support those people with our latest fund.”
On a call with TechCrunch Muirhead added: “The thing to note here is that there’s a recognition at European Commission level, that this area is one of geopolitical significance for the EU bloc. On the one hand, you have the ‘wild west’ approach of North America, and, arguably, on the other is the surveillance state of the Chinese Communist Party.”
He said: “The European Commission, I think, believes that there is a third way for the individual, and to use this new wave of technology for the individual. Also for businesses. So we can have networks and marketplaces of individuals sharing their data for their own benefit, and businesses in supply chains sharing data for their own mutual benefits. So that’s the driving view.”
Not every startup wants to raise venture capital. And then there are those that do want to raise VC money but don’t want to use it for specific things.
In recent years, a number of firms have emerged looking to meet the credit needs of such venture-backed and growth startups: i80 Group is one of those firms.
Former Goldman Sachs investment banker Marc Helwani founded i80 in 2016 after investing in early-stage New York-based fintechs in 2014-2015 via his VC fund, Avenue A Ventures.
“It became very clear to me that fintech was going to explode,” he recalls. “At that time, it was still relatively new. And every time I spoke to a company, they would tell me, ‘We know how to raise VC, but what about the credit?’ I just saw this white space.”
For example, proptechs that buy homes on behalf of buyers don’t want to use venture money. Fintechs that want to make loans to consumers don’t want to use equity to do it. Instead, in those cases, credit might be more desirable.
Enter i80. The firm offers credit exclusively, and over the years has quietly committed more than $1 billion to over 15 companies –including real estate marketplace Properly, finance app MoneyLion and SaaS financing company Capchase — that have all raised a significant amount of venture capital but are looking for credit “to help them scale very efficiently and in a non-dilutive manner so they can retain more ownership of their companies,” Helwani said.
Its $1 billion milestone follows fund commitments nearing $500 million from an unnamed “leading global asset manager” as well as other institutional and retail investors.
Image Credits: Founder and Chief Investment Officer Marc Helwani / i80 Group
I80 — which derives its name from the highway that connects New York and San Francisco — is mainly focused on the fintech and proptech sectors.
“They are the two centers for the venture ecosystem,” Helwani said. “And we’re trying to be a bridge between those two cities.” I80 has offices in both locations and will soon be opening one in Montreal.
The firm works in conjunction with VC firms such as a16z (more formally known as Andreessen Horowitz); Affirm and PayPal co-founder Max Levchin’s SciFi; Khosla Ventures; Union Square Ventures; and QED.
“In a perfect world, venture capital would be called venture equity,” Helwani said. “VCs’ capital is critical for companies to hire and get office space. But when it comes time to do what the actual business is, such as provide loans or buy homes, capital like ours is very accretive without VCs and management losing ownership in the business. In these cases, using both credit and equity makes a lot of sense.”
Helwani is reluctant to call what i80 offers venture “debt.” He says that has a very specific connotation and is what Silicon Valley Bank and others like it do in providing debt as a percentage of a previous equity round. Instead, according to Helwani, i80’s approach is to minimize fees. The vast majority of its deals are “interest-rate related.”
“With mortgages, for example, we never think about the fees upfront, and focus more on the interest rate,” Helwan said. “We believe the more transparent we are, the more companies will want to work with us.”
I80 conducts quarterly calls with VCs and for now, that’s how it typically sources most of its deal flow. It also gets referrals. Helwani believes that i80 stands out from other firms also offering credit in that it’s “not trying to be credit investors in VC clothing.”
He also thinks that the fact that the i80 team is made of operators, as well as investors, is a contributing factor.
The firm is set to close another half a dozen deals in the next 60 to 90 days, and then plans to set its sights on raising more capital.
“We want to fill this void, and help companies raise money in their subsequent rounds at higher valuations,” Helwani said.
Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.
A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism non-profit Forbidden Stories and Amnesty International, and shared with the reporting consortium, including the Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.
The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or over a thousand.
NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.
Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.
Amnesty’s researchers showed their working by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.
The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than Android devices, which makes it easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and feed in for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.
The Terminal output from the MVT toolkit, which scans iPhone and Android backup files for indicators of compromise. (Image: TechCrunch)
The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about ten minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.
Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the outputted files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.
Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
The toolkit is — as command line tools go — relatively simple to use, though the project is open source so not before long surely someone will build a user interface for it. The project’s detailed documentation will help you — as it did us.
You can send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.
France has hit Google with a fine of half a billion euros after finding major breaches in how it negotiated with publishers to remunerate them for reuse of their content — as is required under a pan-EU reform of digital copyright law which extended neighbouring rights to news snippets.
The size of the fine is notable as it’s over half of the entire $1BN news licensing pot that Google announced last October — when it said it would be paying news publishers “to create and curate high-quality content” to appear on its platforms.
At the time, the move that looked intended to shrink Google’s exposure to legal mandates to pay publishers for content reuse by pushing them to accept commercial terms which give it broad rights to ‘showcase’ their content.
France’s watchdog has now called out — and sanctioned — the practice.
The half a billion euro penalty is also notable for being considerably more than Google had already agreed to pay French publishers, according to Reuters — which reported, back in February, that the tech giant had inked a deal with a group of 121 publishers to pay them just $76M over three years.
France’s competition authority said today that it’s applying the sanction of €500 million ($592M) against the tech giant for failing to comply with a number of injunctions related to its earlier, April 2020 decision — when the watchdog ordered Google to negotiate in good faith with publishers to remunerate them for displaying their protected content.
Initially, Google sought to evade the neighbouring news right by stopping displaying snippets of content alongside links it showed in Google News in France. But the watchdog found that was likely to be an abuse of its dominant position — and ordered Google to stop circumventing the law and negotiate with publishers to pay for the reuse in good faith.
The Autorité de la Concurrence is not happy with how Google has gone about this, though.
A number of publishers complained to it that the negotiations were not carried out in good faith and that Google did not provide them with key information necessary to inform payments.
The Syndicate of magazine press publishers (SEPM), the Alliance de Presse d’Information Générale (APIG) and Agence France Presse (AFP) made complaints in August/September 2020 — kicking off the investigation by the watchdog and today’s announcement of a major penalty.
Further fines — of up to €900,000 per day — could be headed Google’s way if it continues to breach the watchdog’s injunctions and fails to supply publishers with all the required information within a new two-month deadline.
In a press release detailing its investigation, the Autorité said Google sought to unilaterally impose its global news licensing product, aka ‘Showcase’, under a partnership the tech giant calls Publisher Curated News — in negotiations with publishers — pushing for the legal neighbouring right to be incorporated as “an ancillary component with no separate financial valuation”.
Publishers requests to break out copyright remuneration negotiations were denied, per the watchdog’s investigation.
It also found Google “unjustifiably” reduced the scope of negotiations with regard to the scope of income derived from the display of protected news content — with Google telling publishers that only advertising income from Google Search pages posting news content should be taken into account in determining the level of remuneration due.
The authority found this exclusion of income from other Google services and all indirect income related to this content to be in breach of the copyright law and its earlier compliance order.
Google also “deliberately circumscribed” the scope of the law on neighboring rights by excluding titles that do not have a Political and General Information certificate — which the watchdog couched as a “bad faith” interpretation of the code on intellectual property.
It also found the tech giant sought to exclude press agencies from renumeration related to their content when used by third party publishers — highlighting that as another breach of its April 2020 decision, by further noting: “The French legislator has been very explicit on the need to include press agencies.”
In another finding, it said Google had only provided publishers with “partial” and “insufficient” information for a “transparency assessment of renumeration due”; and further accused the tech giant of delaying until just a few days before the injunction deadline to provide it — so of being “late” too.
The authority’s investigation highlights compliance problems with another injunction — related to an obligation of neutrality in how protected content is presented on Google’s platforms — with the watchdog writing on that: “The strategy put in place by Google has thus strongly encouraged publishers to accept the contractual conditions of the Showcase service and to renounce negotiations relating specifically to the current uses of protected content, which was the subject of the Injunctions, under penalty of seeing their exposure and their remuneration degraded compared to their competitors who would have accepted the proposed terms. Google cannot therefore claim to have taken the necessary measures to prevent its negotiations from affecting the presentation of protected content in its services.”
Another injunction sought to prevent Google from seeking to leverage its dominance by offsetting remunerations paid to publishers for the neighbouring rights.
On this the watchdog also took issue with its approach — noting that its Showcase product requires publishers to make not just snippets of their content available for display on Google’s platforms but “large extracts” and even whole articles.
It also found that Google linked participation in the Showcase program to subscription to another service called Subscribe with Google (SwG) — enabling it to link negotiation on neighboring rights with the subscription of new services that could financially benefit its business.
Under a subhead which denounces what it found as “extremely serious practices”, the authority goes on to accuse Google of “a deliberate, elaborate and systematic strategy of non-compliance” — and of continuing an already years-long “opposition strategy” to the principle of neighbouring rights; and then, after they’d been baked into EU and French law, seeking to “minimize the concrete scope of those rights as much as possible”.
Google has, the authority asserts, sought to use a global strategy to close down publishers’ ability to negotiate for remuneration for their content reuse at a national level — using its Showcase product as a cloak for “avoiding or limiting as much as possible” payments to publishers; and, simultaneously, seeking to use negotiations on neighboring rights as an opportunity to obtain access to new content by press publishers that could allow it to collect additional income, such as from subscriptions to press titles.
“The sanction of 500 million euros takes into account the exceptional seriousness of the breaches observed and that the behavior of Google has further delayed the proper application of the law on neighboring rights, which aimed to better take into account the value of content from publishers and news agencies included on the platforms. The Authority will be extremely vigilant about the correct application of its decision, as non-execution can now lead to periodic penalty payments,” added the watchdog’s president, Isabelle de Silva, in a statement (which we’ve translated from French).
The half a billion euro fine and the warning to Google that its practices will attract daily fines if it persists in ignoring the injunctions put the tech giant on notice that the detail of commercial deals won’t be allowed to fly under the radar in France.
Any more attempts to shape a self-serving version of ‘compliance’ are likely to attract further sanction from the watchdog — which also recently applied a number of interoperability requirements on Google’s ad business (and slapped it with a $268M fine), also acting on complaints from publishers.
While anything Google agrees to in France on the neighbouring rights issue is likely to set the bar for what it can achieve with commercial deals elsewhere — at least in other EU markets, where the copyright extension also applies (once it’s been transposed into a Member State’s national law).
In a statement responding to the authority’s sanction, Google expressed disappointment with the outcome of the investigation — claiming to have acted in good faith throughout negotiations with publishers:
“We are very disappointed with this decision — we have acted in good faith throughout the entire process. The fine ignores our efforts to reach an agreement, and the reality of how news works on our platforms. To date, Google is the only company to have announced agreements on neighbouring rights. We are also about to finalize an agreement with AFP that includes a global licensing agreement, as well as the remuneration of their neighbouring rights for their press publications.”
The tech giant went on to suggest that the authority’s decision is “primarily” related to negotiations in France which took place between May and September 2020, further claiming it has continued to engage with publishers and press agencies since then to find “solutions”.
By way of example it pointed to a January 2021 framework agreement inked with the Alliance de la Presse d’Information Générale — which it claims covers every IPG title (Information de Presse Générale) in a “transparent and non-discriminatory way”. It also pointed to agreements it has inked with other publications in the market, including Le Monde, Courrier International, L’Obs, Le Figaro, Libération, and L’Express.
Google also reiterated its confident it can sign a global licensing agreement with Agence France Presse — which it said it also wants to include remuneration of neighbouring rights for press publications from the agency.
“Our objective remains the same: We want to turn the page with a definitive agreement,” it added, saying it would take the French Competition Authority’s “feedback into consideration and adapt our offers” and that: “We are already engaging with press publishers and agencies beyond IPG, by covering publications that are recognised by the CPPAP as ‘online press services’, and we reiterate our offer to have an independent third party in a position to evaluate our offers and allow us to base our discussions on facts.”
Other major fines for Google in France in recent years include the aforementioned $268M for adtech abuses last month; $120 for dropping tracking cookies without consent back in December; $166M in December 2019 for opaque and inconsistent ad rules; and $57M for privacy violations in January 2019.
Beyond the EU, Australia recently passed a law which requires tech giants, Google and Facebook, to enter mandatory arbitration with publishers for reuse of their content if they fail to agree commercial terms on their own.
Its law has attracted considerable attention worldwide as legislators grapple with how to rein in powerful tech platforms and ensure the sustainability of traditional news businesses whose revenues have been hit by the Internet-driven shift to digital publishing.
The UK’s Competition and Markets Authority has, for example, described Australia’s backstop of mandatory arbitration if commercial negotiations fail as a “sensible” approach — at at time when the government is working on shaping an ex ante regulation regime to enable competition authorities to pro-actively tackle abuses by platforms with strategic market power.
Ahead of Australia’s law being passed, Google had warned that it might have to close its services in the country if legislators went ahead and also suggested the quality could degrade or that it may have to start to charge for products. In the event, it did not shut up shop down under.
The tech giant was also an active lobbyist against the EU’s plan to extend digital copyright to cover snippets of news content — and, as recently as 2019, it was vowing never to pay for news.
A few years later it announced the $1BN pot to pay publishers to licence content. But Google’s eventual bill for its ad business piggybacking upon others’ journalism may be rather larger than that.
The consumer protection association umbrella group, the Beuc, said today that together with eight of its member organizations it’s filed a complaint with the European Commission and with the European network of consumer authorities.
“The complaint is first due to the persistent, recurrent and intrusive notifications pushing users to accept WhatsApp’s policy updates,” it wrote in a press release.
“The content of these notifications, their nature, timing and recurrence put an undue pressure on users and impair their freedom of choice. As such, they are a breach of the EU Directive on Unfair Commercial Practices.”
After earlier telling users that notifications about the need to accept the new policy would become persistent, interfering with their ability to use the service, WhatsApp later rowed back from its own draconian deadline.
However the app continues to bug users to accept the update — with no option not to do so (users can close the policy prompt but are unable to decline the new terms or stop the app continuing to pop-up a screen asking them to accept the update).
“In addition, the complaint highlights the opacity of the new terms and the fact that WhatsApp has failed to explain in plain and intelligible language the nature of the changes,” the Beuc went on. “It is basically impossible for consumers to get a clear understanding of what consequences WhatsApp’s changes entail for their privacy, particularly in relation to the transfer of their personal data to Facebook and other third parties. This ambiguity amounts to a breach of EU consumer law which obliges companies to use clear and transparent contract terms and commercial communications.”
The organization pointed out that WhatsApp’s policy updates remain under scrutiny by privacy regulations in Europe — which it argues is another factor that makes Facebook’s aggressive attempts to push the policy on users highly inappropriate.
And while this consumer-law focused complaint is separate to the privacy issues the Beuc also flags — which are being investigated by EU data protection authorities (DPAs) — it has called on those regulators to speed up their investigations, adding: “We urge the European network of consumer authorities and the network of data protection authorities to work in close cooperation on these issues.”
The Beuc has produced a report setting out its concerns about the WhatsApp ToS change in more detail — where it hits out at the “opacity” of the new policies, further asserting:
“WhatsApp remains very vague about the sections it has removed and the ones it has added. It is up to users to seek out this information by themselves. Ultimately, it is almost impossible for users to clearly understand what is new and what has been amended. The opacity of the new policies is in breach of Article 5 of the UCTD [Unfair Contract Terms Directive] and is also a misleading and unfair practice prohibited under Article 5 and 6 of the UCPD [Unfair Commercial Practices Directive].”
Reached for comment on the consumer complaint, a WhatsApp spokesperson told us:
“Beuc’s action is based on a misunderstanding of the purpose and effect of the update to our terms of service. Our recent update explains the options people have to message a business on WhatsApp and provides further transparency about how we collect and use data. The update does not expand our ability to share data with Facebook, and does not impact the privacy of your messages with friends or family, wherever they are in the world. We would welcome an opportunity to explain the update to Beuc and to clarify what it means for people.”
The Commission was also contacted for comment on the Beuc’s complaint — we’ll update this report if we get a response.
The complaint is just the latest pushback in Europe over the controversial terms change by Facebook-owned WhatsApp — which triggered a privacy warning from Italy back in January, followed by an urgency procedure in Germany in May when Hamburg’s DPA banned the company from processing additional WhatsApp user data.
Although, earlier this year, Facebook’s lead data regulator in the EU, Ireland’s Data Protection Commission, appeared to accept Facebook’s reassurances that the ToS changes do not affect users in the region.
German DPAs were less happy, though. And Hamburg invoked emergency powers allowed for in the General Data Protection Regulation (GDPR) in a bid to circumvent a mechanism in the regulation that (otherwise) funnels cross-border complaints and concerns via a lead regulator — typically where a data controller has their regional base (in Facebook/WhatsApp’s case that’s Ireland).
Such emergency procedures are time-limited to three months. But the European Data Protection Board (EDPB) confirmed today that its plenary meeting will discuss the Hamburg DPA’s request for it to make an urgent binding decision — which could see the Hamburg DPA’s intervention set on a more lasting footing, depending upon what the EDPB decides.
In the meanwhile, calls for Europe’s regulators to work together to better tackle the challenges posed by platform power are growing, with a number of regional competition authorities and privacy regulators actively taking steps to dial up their joint working — in a bid to ensure that expertise across distinct areas of law doesn’t stay siloed and, thereby, risk disjointed enforcement, with conflicting and contradictory outcomes for Internet users.
There seems to be a growing understanding on both sides of the Atlantic for a joined up approach to regulating platform power and ensuring powerful platforms don’t simply get let off the hook.
Swiss Post, the former state-owned mail delivery firm which became a private limited company in 2013, diversifying into logistics, finance, transport and more (including dabbling in drone delivery) while retaining its role as Switzerland’s national postal service, has acquired a majority stake in Swiss-Hungarian startup Tresorit, an early European pioneer in end-to-end-encrypted cloud services.
Terms of the acquisition are not being disclosed. But Swiss Post’s income has been falling in recent years, as (snailmail) letter volumes continue to decline. And a 2019 missive warned its business needed to find new sources of income.
Tresorit, meanwhile, last raised back in 2018 — when it announced an €11.5M Series B round, with investors including 3TS Capital Partners and PortfoLion. Other backers of the startup include business angels and serial entrepreneurs like Márton Szőke, Balázs Fejes and Andreas Kemi. According to Crunchbase Tresorit had raised less than $18M over its decade+ run.
It looks like a measure of the rising store being put on data security that a veteran ‘household’ brand like Swiss Post sees strategic value in extending its suite of digital services with the help of a trusted startup in the e2e encryption space.
‘Zero access’ encryption was still pretty niche back when Tresorit got going over a decade ago but it’s essentially become the gold standard for trusted information security, with a variety of players now offering e2e encrypted services — to businesses and consumers.
Announcing the acquisition in a press release today, the pair said they will “collaborate to further develop privacy-friendly and secure digital services that enable people and businesses to easily exchange information while keeping their data secure and private”.
Tresorit will remain an independent company within Swiss Post Group, continuing to serve its global target regions of EU countries, the UK and the US, with the current management (founders), brand and service also slated to remain unchanged, per the announcement.
The 2011-founded startup sells what it brands as “ultra secure” cloud services — such as storage, file syncing and collaboration — targeted at business users (it has 10,000+ customers globally); all zipped up with a ‘zero access’ promise courtesy of a technical architecture that means Tresorit literally can’t decrypt customer data because it does not hold the encryption keys.
It said today that the acquisition will strengthen its business by supporting further expansion in core markets — including Germany, Austria and Switzerland. (The Swiss Post brand should obviously be a help there.)
The pair also said they see potential for Tresorit’s tech to expand Swiss Post’s existing digital product portfolio — which includes services like a “digital letter box” app (ePost) and an encrypted email offering. So it’s not starting from scratch here.
Commenting on the acquisition in a statement, Istvan Lam, co-founder and CEO of Tresorit, said: “From the very beginning, our mission has been to empower everyone to stay in control of their digital valuables. We are proud to have found a partner in Swiss Post who shares our values on security and privacy and makes us even stronger. We are convinced that this collaboration strengthens both companies and opens up new opportunities for us and our customers.”
Asked why the startup decided to sell at this point in its business development — rather than taking another path, such as an IPO and going public — Lam flagged Swiss Post’s ‘trusted’ brand and what he dubbed a “100% fit” on values and mission.
“Tresorit’s latest investment, our biggest funding round, happened in 2018. As usual with venture capital-backed companies, the lifecycle of this investment round is now beginning to come to an end,” he told TechCrunch.
“Going public via an IPO has also been on our roadmap and could have been a realistic scenario within the next 3-4 years. The reason we have decided to partner now with a strategic investor and collaborate with Swiss Post is that their core values and vision on data privacy is a 100% fit with our values and mission of protecting privacy. With the acquisition, we entered a long-term strategic partnership and are convinced that with Tresorit’s end-to-end encryption technology and the trusted brand of Swiss Post we will further develop services that help individuals and businesses exchange information securely and privately.”
“Tresorit has paved the way for true end-to-end encryption across the software industry over the past decade. With the acquisition of Tresorit, we are strategically expanding our competencies in digital data security and digital privacy, allowing us to further develop existing offers,” added Nicole Burth, a member of the Swiss Post Group executive board and head of communication services, in a supporting statement.
Switzerland remains a bit of a hub for pro-privacy startups and services, owing to a historical reputation for strong privacy laws.
However, as Republik reported earlier this year, state surveillance activity in the country has been stepping up — following a 2018 amendment to legislative powers that expanded intercept capabilities to cover digital comms.
Such encroachments are worrying but may arguably make e2e encryption even more important — as it can offer a technical barrier against state-sanctioned privacy intrusions.
At the same time, there is a risk that legislators perceive rising use of robust encryption as a threat to national security interests and their associated surveillance powers — meaning they could seek to counter the trend by passing even more expansive legislation that directly targets and or even outlaws the use of e2e encryption. (Australia has passed an anti-encryption law, for instance, while the UK cemented its mass surveillance capabilities back in 2016 — passing legislation which includes powers to compel companies to limit the use of encryption.)
At the European Union level, lawmakers have also recently been pushing an agenda of ‘lawful access’ to encrypted data — while simultaneously claiming to support the use of encryption on data security and privacy grounds. Quite how the EU will circle that square in legislative terms remains to be seen.
But there are also some more positive legal headwinds for European encryption startups like Tresorit: A ruling last summer by Europe’s top court dialled up the complexity of taking users’ personal data out of the region — certainly when people’s information is flowing to third countries like the US where it’s at risk from state agencies’ mass surveillance.
Asked if Tresorit has seen a rise in interest in the wake of the ‘Schrems II’ ruling, Lam told us: “We see the demand for European-based SaaS cloud services growing in the future. Being a European-based company has already been an important competitive advantage for us, especially among our business and enterprise customers.”
EU law in this area contains a quirk whereby the national security powers of Member States are not so clearly factored in vs third countries. And while Switzerland is not an EU Member it remains a closely associated country, being part of the bloc’s single market.
Nevertheless, questions over the sustainability of Switzerland’s EU data adequacy decision persist, given concerns that its growing domestic surveillance regime does not provide individuals with adequate redress remedies — and may therefore be violating their fundamental rights.
If Switzerland loses EU data adequacy it could impact the compliance requirements of digital services based in the country — albeit, again, e2e encryption could offer Swiss companies a technical solution to circumvent such legal uncertainty. So that still looks like good news for companies like Tresorit.
The EU for all its lethargy, faults and fetishization of bureaucracy, is, ultimately, a good idea. It might be 64 years from the formation of the European Common Market, but it is 29 years since the EU’s formation in the Maastricht Treaty, and this international entity is definitely still acting like an indecisive millennial, happy to flit around tech startup policy. It’s long due time for this digital nomad to commit to one ‘location’ on how it treats startups.
If there’s one thing we can all agree on, this is a unique moment in time. The COVID-19 pandemic has accelerated the acceptance of technology globally, especially in Europe. Thankfully, tech companies and startups have proven to be more resilient than much of the established economy. As a result, the EU’s political leaders have started to look towards the innovation economy for a more sustainable future in Europe.
But this moment has not come soon enough.
The European tech scene is still lagging behind its US and Asia counterparts in numbers of startups created, talent in the tech sector, financing rounds, and IPOs / exits. It doesn’t help, of course, that the European market is so fractionalized, and will be for a long time to come.
But there is absolutely no excuse when it comes to the EU’s obligations to reform startup legislation, taxation, and the development of talent, to “level the playing field” against the US and Asian tech giants.
But, to put it bluntly: The EU can’t seem to get its shit together around startups.
Consider this litany of proposals.
Starting as far back a 2016 we had the Start-Up and Scale-Up Initiative. We even had the Scale-Up Manifesto in the same year. Then there was the Cluj Recommendations (2019), and the Not Optional campaign for options reform in 2020.
Let’s face it, the community of VC´s, founders, and startup associations in Europe has been saying mostly the same things for years, to national and European leaders.
Finally, this year, we got something approaching a summation of all these efforts.
Portugal, which has the European presidency for the first half of this year, took the bull by its horns and created something approaching a final draft of what the EU needs.
After, again, intense consultations with European ecosystem stakeholders, it identified eight best practices in order to level the playing field covering the gamut of issues such as fast startup creation, talent, stock options, innovation in regulation and access to finance. You name it, it covered it.
These were then put into the Startup Nations Standard and presented to the European Council at Digital Day on March 19th, together with the European Commission’s DG CNECT and its Commissioner Tierry Breton. I wrote about this at the time.
Would the EU finally get a grip, and sign up for these evidently workable proposals?
It seemed, at least, that we might be getting somewhere. Some 25 member states signed the declaration that day, and perhaps for the first time, the political consensus seemed to be forming around this policy.
Indeed, a body set up to shepherd the initiative (the European Startup Nations Alliance) was even announced by Portuguese Prime Minister António Costa which, he said, would be tasked with monitoring, developing and optimizing the standards, collecting data from the member states on their success and failure, and reporting on its findings in a bi-annual conference aligned with the changing presidency of the European Council.
It would seem we could pop open a chilled bottle of DOC Bairrada Espumante and celebrate that Europe might finally start implementing at least the basics from these suggested policies.
But no. With the pandemic still raging, it seemed the EU’s leaders still had plenty of time on their hands to ponder these subjects.
Thus it was that the Scaleup Europe initiative emerged from the mind of Emmanuel Macron, assembling a select group of 150+ of Europe’s leading tech founders, investors, researchers, corporate CEOs, and government officials to do some more pondering about startups. And then there was the Global Powerhouse Initiative of DG Research & Innovations Commissioner Mariya Gabriel.
Yes, ladies and gentlemen. We were about to go through this process all over again, with the EU acting as if it had the memory span of a giant goldfish.
Now, I’m not arguing that all these collective actions are a bad thing. But, by golly, European startups need more decisive action than this.
As things stand, instead of implementing the very reasonable Portuguese proposals, we will now have to wait for the EU’s wheels to slowly turn until the French presidency comes around next year.
That said, with any luck, a body to oversee the implementation of tech startup policy that is mandated by the European community, composed of organisation like La French Tech, Startup Portugal and Startup Estonia, might finally seem within reach.
But to anyone from the outside, it feels again as if the gnashing of EU policy teeth will have to go on yet longer. With the French calling for a ‘La French Tech for Europe’ and the Portuguese having already launched ESNA, the efforts seem far from coordinated.
In the final analysis, tech startup founders and investors could not care less where this new body comes from or which country launches it.
After years of contributions, years of consultations, the time for action is now.
It’s time for EU member states to agree, and move forward, helping other member states catch up based on established best practices.
It’s time for the long-awaited European Tech Giants to blossom, take on the US-born Big Tech Giants, and for Europe to finally punch its weight.
Microsoft-owned LinkedIn has committed to doing more to quickly purge illegal hate speech from its platform in the European Union by formally signing up to a self-regulatory initiative that seeks to tackle the issue through a voluntary Code of Conduct.
In statement today, the European Commission announced that the professional social network has joined the EU’s Code of Conduct on Countering Illegal Hate Speech Online, with justice commissioner, Didier Reynders, welcoming LinkedIn’s (albeit tardy) participation, and adding in a statement that the code “is and will remain an important tool in the fight against hate speech, including within the framework established by digital services legislation”.
“I invite more businesses to join, so that the online world is free from hate,” Reynders added.
While LinkedIn’s name wasn’t formally associated with the voluntary Code before now it said it has “supported” the effort via parent company Microsoft, which was already signed up.
In a statement on its decision to formally join now, it also said:
“LinkedIn is a place for professional conversations where people come to connect, learn and find new opportunities. Given the current economic climate and the increased reliance jobseekers and professionals everywhere are placing on LinkedIn, our responsibility is to help create safe experiences for our members. We couldn’t be clearer that hate speech is not tolerated on our platform. LinkedIn is a strong part of our members’ professional identities for the entirety of their career — it can be seen by their employer, colleagues and potential business partners.”
In the EU ‘illegal hate speech’ can mean content that espouses racist or xenophobic views, or which seeks to incite violence or hatred against groups of people because of their race, skin color, religion or ethnic origin etc.
A number of Member States have national laws on the issue — and some have passed their own legislation specifically targeted at the digital sphere. So the EU Code is supplementary to any actual hate speech legislation. It is also non-legally binding.
The initiative kicked off back in 2016 — when a handful of tech giants (Facebook, Twitter, YouTube and Microsoft) agreed to accelerate takedowns of illegal speech (or well, attach their brand names to the PR opportunity associated with saying they would).
Since the Code became operational, a handful of other tech platforms have joined — with video sharing platform TikTok signing up last October, for example.
But plenty of digital services (notably messaging platforms) still aren’t participating. Hence the Commission’s call for more digital services companies to get on board.
At the same time, the EU is in the process of firming up hard rules in the area of illegal content.
Last year the Commission proposed broad updates (aka the Digital Services Act) to existing ecommerce rules to set operational ground rules that they said are intended to bring online laws in line with offline legal requirements — in areas such as illegal content, and indeed illegal goods. So, in the coming years, the bloc will get a legal framework that tackles — at least at a high level — the hate speech issue, not merely a voluntary Code.
The EU also recently adopted legislation on terrorist content takedowns (this April) — which is set to start applying to online platforms from next year.
But it’s interesting to note that, on the perhaps more controversial issue of hate speech (which can deeply intersect with freedom of expression), the Commission wants to maintain a self-regulatory channel alongside incoming legislation — as Reynders’ remarks underline.
Brussels evidently sees value in having a mixture of ‘carrots and sticks’ where hot button digital regulation issues are concerned. Especially in the controversial ‘danger zone’ of speech regulation.
So, while the DSA is set to bake in standardized ‘notice and response’ procedures to help digital players swiftly respond to illegal content, by keeping the hate speech Code around it means there’s a parallel conduit where key platforms could be encouraged by the Commission to commit to going further than the letter of the law (and thereby enable lawmakers to sidestep any controversy if they were to try to push more expansive speech moderation measures into legislation).
The EU has — for several years — had a voluntary a Code of Practice on Online Disinformation too. (And a spokeswoman for LinkedIn confirmed it has been signed up to that since its inception, also through its parent company Microsoft.)
And while lawmakers recently announced a plan to beef that Code up — to make it “more binding”, as they oxymoronically put it — it certainly isn’t planning to legislate on that (even fuzzier) speech issue.
In further public remarks today on the hate speech Code, the Commission said that a fifth monitoring exercise in June 2020 showed that on average companies reviewed 90% of reported content within 24 hours and removed 71% of content that was considered to be illegal hate speech.
It added that it welcomed the results — but also called for signatories to redouble their efforts, especially around providing feedback to users and in how they approach transparency around reporting and removals.
The Commission has also repeatedly calls for platforms signed up to the disinformation Code to do more to tackle the tsunami of ‘fake news’ being fenced on their platforms, including — on the public health front — what they last year dubbed a coronavirus infodemic.
The COVID-19 crisis has undoubtedly contributed to concentrating lawmakers’ minds on the complex issue of how to effectively regulate the digital sphere and likely accelerated a number of EU efforts.
An international coalition of consumer protection, digital and civil rights organizations and data protection experts has added its voice to growing calls for a ban on what’s been billed as “surveillance-based advertising”.
The objection is to a form of digital advertising that relies upon a massive apparatus of background data processing which sucks in information about individuals, as they browse and use services, to create profiles which are used to determine which ads to serve (via multi-participant processes like the high speed auctions known as real-time bidding).
The EU’s lead data protection supervisor previously called for a ban on targeted advertising which relies upon pervasive tracking — warning over a multitude of associated rights risks.
Last fall the EU parliament also urged tighter rules on behavioral ads.
Back in March, a US coalition of privacy, consumer, competition and civil rights groups also took collective aim at microtargeting. So pressure is growing on lawmakers on both sides of the Atlantic to tackle exploitative adtech as consensus builds over the damage associated with mass surveillance-based manipulation.
At the same time, momentum is clearly building for pro-privacy consumer tech and services — showing the rising store being placed by users and innovators on business models that respect people’s data.
The growing uptake of such services underlines how alternative, rights-respecting digital business models are not only possible (and accessible, with many freemium offerings) but increasingly popular.
In an open letter addressing EU and US policymakers, the international coalition — which is comprised of 55 organizations and more than 20 experts including groups like Privacy International, the Open Rights Group, the Center for Digital Democracy, the New Economics Foundation, Beuc, Edri and Fairplay — urges legislative action, calling for a ban on ads that rely on “systematic commercial surveillance” of Internet users in order to serve what Facebook founder Mark Zuckerberg likes, euphemistically, to refer to as ‘relevant ads’.
The problem with Zuckerberg’s (self-serving) framing is that, as the coalition points out, the vast majority of consumers don’t actually want to be spied upon to be served with these creepy ads.
Any claimed ‘relevance’ is irrelevant to consumers who experience ad-stalking as creepy and unpleasant. (And just imagine how the average Internet user would feel if they could peek behind the adtech curtain — and see the vast databases where people are profiled at scale so their attention can be sliced and diced for commercial interests and sold to the highest bidder).
The coalition points to a report examining consumer attitudes to surveillance-based advertising, prepared by one of the letter’s signatories (the Norwegian Consumer Council; NCC), which found that only one in ten people are positive about commercial actors collecting information about them online — and only one in five think ads based on personal information are okay.
1/4 80-90% of people online don't want to be spied on for 'more relevant ads,' finds @Forbrukerradet's report.
— EDRi (@edri) June 23, 2021
A full third of respondents to the survey were “very negative” about microtargeted ads — while almost half think advertisers should not be able to target ads based on any form of personal information.
The report also highlights a sense of impotence among consumers when they go online, with six out of ten respondents feeling that they have no choice but to give up information about themselves.
That finding should be particularly concerning for EU policymakers as the bloc’s data protection framework is supposed to provide citizens with a suite of rights related to their personal data that should protect them against being strong-armed to hand over info — including stipulating that if a data controller intends to rely on user consent to process data then consent must be informed, specific and freely given; it can’t be stolen, strong-armed or sneaked through using dark patterns. (Although that remains all too often the case.)
Forced consent is not legal under EU law — yet, per the NCC’s European survey, a majority of respondents feel they have no choice but to be creeped on when they use the Internet.
That in turn points to an ongoing EU enforcement failure over major adtech-related complaints, scores of which have been filed in recent years under the General Data Protection Regulation (GDPR) — some of which are now over three years old (yet still haven’t resulted in any action against rule-breakers).
Over the past couple of years EU lawmakers have acknowledged problems with patchy GDPR enforcement — and it’s interesting to note that the Commission suggested some alternative enforcement structures in its recent digital regulation proposals, such as for oversight of very large online platforms in the Digital Services Act (DSA).
In the letter, the coalition suggests the DSA as the ideal legislative vehicle to contain a ban on surveillance-based ads.
Negotiations to shape a final proposal which EU institutions will need to vote on remain ongoing — but it’s possible the EU parliament could pick up the baton to push for a ban on surveillance ads. It has the power to amend the Commission’s legislative proposals and its approval is needed for draft laws to be adopted. So there’s plenty still to play for.
“In the US, we urge legislators to enact comprehensive privacy legislation,” the coalition adds.
The coalition is backing up its call for a ban on surveillance-based advertising with another report (also by the NCC) which lays out the case against microtargeting — summarizing the raft of concerns that have come to be attached to manipulative ads as awareness of the adtech industry’s vast, background people-profiling and data trading has grown.
Listed concerns not only focus on how privacy-stripping practices are horrible for individual consumers (enabling the manipulation, discrimination and exploitation of individuals and vulnerable groups) but also flag the damage to digital competition as a result of adtech platforms and data brokers intermediating and cannibalizing publishers’ revenues — eroding, for example, the ability of professional journalism to sustain itself and creating the conditions where ad fraud has been able to flourish.
Another contention is that the overall health of democratic societies is put at risk by surveillance-based advertising — as the apparatus and incentives fuel the amplification of misinformation and create security risks, and even national security risks. (Strong and independent journalism is also, of course, a core plank of a healthy democracy.)
“This harms consumers and businesses, and can undermine the cornerstones of democracy,” the coalition warns.
“Although we recognize that advertising is an important source of revenue for content creators and publishers online, this does not justify the massive commercial surveillance systems set up in attempts to ‘show the right ad to the right people’,” the letter goes on. “Other forms of advertising technologies exist, which do not depend on spying on consumers, and cases have shown that such alternative models can be implemented without significantly affecting revenue.
“There is no fair trade-off in the current surveillance-based advertising system. We encourage you to take a stand and consider a ban of surveillance-based advertising as part of the Digital Services Act in the EU, and the for U.S. to enact a long overdue federal privacy law.”
The letter is just the latest salvo against ‘toxic adtech’. And advertising giants like Facebook and Google have — for several years now — seen the pro-privacy writing on the wall.
Hence Facebook’s claimed ‘pivot to privacy‘; its plan to lock in its first party data advantage (by merging the infrastructure of different messaging products); and its keen interest in crypto.
It’s also why Google has been working on a stack of alternative adtech that it wants to replace third party tracking cookies. Although its proposed replacement — the so-called ‘Privacy Sandbox‘ — would still enable groups of Internet users to be opaquely clustered by its algorithms in ‘interest’ buckets for ad targeting purposes which still doesn’t look great for Internet users’ rights either. (And concerns have been raised on the competition front too.)
Where its ‘Sandbox’ proposal is concerned, Google may well be factoring in the possibility of legislation that outlaws — or, at least, more tightly controls — microtargeting. And it’s therefore trying to race ahead with developing alternative adtech that would have much the same targeting potency (maintaining its market power) but, by swapping out individuals for cohorts of web users, could potentially sidestep a ban on ‘microtargeting’ technicalities.
Legislators addressing this issue will therefore need to be smart in how they draft any laws intended to tackle the damage caused by surveillance-based advertising.
Certainly they will if they want to prevent the same old small- and large-scale manipulation abuses from being perpetuated.
The NCC’s report points to what it dubs as “good alternatives” for digital advertising models which don’t depend on the systematic surveillance of consumers to function. And which — it also argues — provide advertisers and publishers with “more oversight and control over where ads are displayed and which ads are being shown”.
The problem of ad fraud is certainly massively underreported. But, well, it’s instructive to recall how often Facebook has had to ‘fess up to problems with self reported ad metrics…
“It is possible to sell advertising space without basing it on intimate details about consumers. Solutions already exist to show ads in relevant contexts, or where consumers self-report what ads they want to see,” the NCC’s director of digital policy, Finn Myrstad, noted in a statement.
“A ban on surveillance-based advertising would also pave the way for a more transparent advertising marketplace, diminishing the need to share large parts of ad revenue with third parties such as data brokers. A level playing field would contribute to giving advertisers and content providers more control, and keep a larger share of the revenue.”
Here at TechCrunch, we’re big fans of startup competitions. From our Extra Crunch Live Pitch-offs all the way up to the world-famous Disrupt Startup Battlefield, we can’t get enough of ’em. So we’re hooking up with Extreme Tech Challenge (XTC) to present the Extreme Tech Challenge Global Finals, a startup competition focused on powering a more sustainable, equitable, inclusive, and healthy world.
Extreme Tech Challenge is the world’s largest transformative tech startup competition and forum for the leaders of tomorrow to be able to unleash their full potential. Last year, the competition attracted startups from 87 countries, and the 52 finalists raised more than $167M in venture investment since being selected.
This year, over 3700 startups applied from 92 countries across XTC’s competition tracks: Agtech, Food & Water, Cleantech & Energy, Edtech, Enabling Tech, Fintech, Healthtech, and Mobility & Smart Cities. Check out the 80 Global Finalists that emerged from this competitive pool. The Category winners and the Special Awards winners will make it to the Global Finals stage.
Join the Extreme Tech Challenge on 7/22 to meet the world’s best purpose-driven startups making the world better through transformative tech. Network with corporations, VCs, & founders. Get your free tickets here!
Today, we’re excited to share the agenda of the event with you.
What are the breakthrough tech innovations transforming industries to build a radically better world? How can business, government, philanthropy, and the startup community come together to create a better tomorrow? Hear from these industry veterans and thought leaders about how technology can not only shape the future, but also where the biggest opportunities lie, including some exciting news about XTC and the United Nation’s Food and Agriculture Organization.
Sustainability is the key to our planet’s future and our survival, but it’s also going to be incredibly lucrative and a major piece of our world economy. Hear from these seasoned investors and founders how VCs and startups alike are thinking about greentech and how that will evolve in the coming years.
The reason we’re all here – the XTC Category and Special Awards Winners get their chance to pitch their transformative tech ideas to a panel of expert judges and hear their feedback. XTC is a global platform that connects exceptional, purpose-driven startups with a network of investors, corporations, and mentors to help them raise capital, launch corporate collaborations, and scale their world-changing startups.
According to the EPA, the U.S. alone produces 292.4 million tons of waste a year. Can technology help this massive – and growing – issue? Leon Farrant (Green Li-ion), Matanya Horowitz (AMP Robotics), and Elizabeth Gilligan (Material Evolution) will discuss their companies’ unique approaches to dealing with the problem.
The reason we’re all here – the XTC Category and Special Awards Winners get their chance to pitch their transformative tech ideas to a panel of expert judges and hear their feedback, in this second and final round.
Bioengineering may soon provide compelling, low-carbon alternatives in industries where even the best methods produce significant emissions. By utilizing natural and engineered biological processes, we may soon have low-carbon textiles from Algiknit, lab-grown premium meats from Orbillion Bio, and fuels captured from waste emissions via LanzaTech. Leaders from these companies will join our panel to talk about how bioengineering can do its part in the fight against climate change.
The judging panel will crown the global winner of Extreme Tech Challenge 2021 and also announce the winner of the Female Founder Award.
Join thousands of investors, corporate executives, startups, and policymakers to network via video chat.
Join the Extreme Tech Challenge on July 22 to meet the world’s best purpose-driven startups making the world better through transformative tech. Network with corporations, VCs, & founders. Get your free tickets here!
One of the country’s most powerful unions, the International Brotherhood of Teamsters, confirmed today that it plans to make a nationwide push to unionize Amazon warehouse workers and drivers. And it won’t be a gentle one.
The news was first reported by Motherboard, which obtained a video and resolution announcing the effort. As the organization explained, the plan to unionize Amazon’s growing logistics business has been underway for some time, and the failure in Bessemer to do so — after the grassroots effort faced intense opposition from Amazon itself — illustrates why such an endeavor is necessary.
As Teamsters National Director for Amazon Randy Korgan explained in a recent op-ed on Salon that hinted at the effort:
I see that Teamster locals across the country are already stepping up to meet the challenge by engaging members, building large volunteer organizing committees, building strong community-labor alliances and integrating transformative social justice organizing into their work.
As we saw in the closely-watched National Labor Relations Board (NLRB) election at Amazon’s Bessemer, Alabama warehouse, the company is willing to violate the law and spare no expense to keep its workers from forming a union.
Building genuine worker power at Amazon will take shop-floor militancy by Amazon workers and solidarity from warehousing and delivery Teamsters.
The Teamsters’ plan, assuming a passing vote at this week’s 30th quinquennial International Convention, is to create a special Amazon Division that will fund and aid unionizing efforts in the company’s workforces around the country.
While Amazon repeats loudly and at every possible occasion its commitment to safe and well paid jobs, reports continue to come out of workers in horrendous conditions, callous management, and stagnant wages. As to the last, while Amazon has established a $15 minimum wage at the company, others have pointed out that this is far less than many warehouse workers and drivers were making at other jobs — which have now lowered their compensation to follow Amazon’s lead.
The conflict at Bessemer, in which Amazon was accused of union-busting tactics and dirty tricks to sink a traditional union voting process, has prompted the Teamsters to adopt a different approach.
— Teamsters (@Teamsters) June 22, 2021
According to Motherboard, the organization is planning “a series of pressure campaigns involving work stoppages, petitions, and other collective action,” in the hopes that Amazon will find unionization and negotiation preferable. I’ve asked the company for comment on the matter and will update if I hear back.
This is one of the union’s highest priority efforts for the next few years, though it did not specify any particular timeline or budget — no doubt because much of that depends on the situation they find on the ground. But Amazon’s hundreds of thousands of workers represent an enormous untapped working group, the unionization of which could realize similarly enormous sums in benefits for them.
The full text of the resolution will be published when it is provided to the local unions for a vote, at which point it will be embedded below in this article.