Millions have fled Russia’s invasion, but where housing is expensive and scarce, countries like Estonia are paying shipping firms to offer refugees safe but tight quarters.
Thousands of refugees from Ukraine have been sent to so-called filtration camps, where they have been interrogated and then forced to resettle to Russia. Some Ukrainians escaped to Estonia. They told us their stories.
Russia appeared to shrink its already narrowed goals to take the Donbas region, as NATO and its two newest applicants, Sweden and Finland, practiced war games near Russia’s border.
Kaja Kallas, the prime minister, remembers Soviet annexation and repression and sees the same brutality in occupied Ukraine, which she believes is fighting for all of Europe.
At NATO, our focus should be simple.
The Eastern European countries had sought to buy Pegasus, spyware made by an Israeli firm, to carry out intelligence operations against Russia, according to people with knowledge of the discussions.
The Baltics, wedged between Russia and Belarus, have been likened to a modern-day West Berlin. Many here worry that if Ukraine falls, they might be next.
The Estonian American conductor Paavo Järvi chose to remain in Moscow temporarily to lead a Russian youth orchestra: “I felt a responsibility.”
The right lessons can teach us all how to spot it.
Brussels is proud to be providing military aid, but Moscow may see it as a dangerous intervention and could move to disrupt the flow of arms through Poland.
The former Soviet satellite state is welcoming British companies looking to escape the tangle of regulations and financial obstacles of doing business in Europe.
The manufacturing industry took a hard hit from the Covid-19 pandemic, but there are signs of how it is slowly starting to come back into shape — helped in part by new efforts to make factories more responsive to the fluctuations in demand that come with the ups and downs of grappling with the shifting economy, virus outbreaks and more. Today, a businesses that is positioning itself as part of that new guard of flexible custom manufacturing — a startup called Fractory — is announcing a Series A of $9 million (€7.7 million) that underscores the trend.
The funding is being led by OTB Ventures, a leading European investor focussed on early growth, post-product, high-tech start-ups, with existing investors Trind Ventures, Superhero Capital, United Angels VC, Startup Wise Guys and Verve Ventures also participating.
Founded in Estonia but now based in Manchester, England — historically a strong hub for manufacturing in the country, and close to Fractory’s customers — Fractory has built a platform to make it easier for those that need to get custom metalwork to upload and order it, and for factories to pick up new customers and jobs based on those requests.
Fractory’s Series A will be used to continue expanding its technology, and to bring more partners into its ecosystem.
To date, the company has worked with more than 24,000 customers and hundreds of manufacturers and metal companies, and altogether it has helped crank out more than 2.5 million metal parts.
To be clear, Fractory isn’t a manufacturer itself, nor does it have no plans to get involved in that part of the process. Rather, it is in the business of enterprise software, with a marketplace for those who are able to carry out manufacturing jobs — currently in the area of metalwork — to engage with companies that need metal parts made for them, using intelligent tools to identify what needs to be made and connecting that potential job to the specialist manufacturers that can make it.
The challenge that Fractory is solving is not unlike that faced in a lot of industries that have variable supply and demand, a lot of fragmentation, and generally an inefficient way of sourcing work.
As Martin Vares, Fractory’s founder and MD, described it to me, companies who need metal parts made might have one factory they regularly work with. But if there are any circumstances that might mean that this factory cannot carry out a job, then the customer needs to shop around and find others to do it instead. This can be a time-consuming, and costly process.
“It’s a very fragmented market and there are so many ways to manufacture products, and the connection between those two is complicated,” he said. “In the past, if you wanted to outsource something, it would mean multiple emails to multiple places. But you can’t go to 30 different suppliers like that individually. We make it into a one-stop shop.”
On the other side, factories are always looking for better ways to fill out their roster of work so there is little downtime — factories want to avoid having people paid to work with no work coming in, or machinery that is not being used.
“The average uptime capacity is 50%,” Vares said of the metalwork plants on Fractory’s platform (and in the industry in general). “We have a lot more machines out there than are being used. We really want to solve the issue of leftover capacity and make the market function better and reduce waste. We want to make their factories more efficient and thus sustainable.”
The Fractory approach involves customers — today those customers are typically in construction, or other heavy machinery industries like ship building, aerospace and automotive — uploading CAD files specifying what they need made. These then get sent out to a network of manufacturers to bid for and take on as jobs — a little like a freelance marketplace, but for manufacturing jobs. About 30% of those jobs are then fully automated, while the other 70% might include some involvement from Fractory to help advise customers on their approach, including in the quoting of the work, manufacturing, delivery and more. The plan is to build in more technology to improve the proportion that can be automated, Vares said. That would include further investment in RPA, but also computer vision to better understand what a customer is looking to do, and how best to execute it.
Currently Fractory’s platform can help fill orders for laser cutting and metal folding services, including work like CNC machining, and it’s next looking at industrial additive 3D printing. It will also be looking at other materials like stonework and chip making.
Manufacturing is one of those industries that has in some ways been very slow to modernize, which in a way is not a huge surprise: equipment is heavy and expensive, and generally the maxim of “if it ain’t broke, don’t fix it” applies in this world. That’s why companies that are building more intelligent software to at least run that legacy equipment more efficiently are finding some footing. Xometry, a bigger company out of the U.S. that also has built a bridge between manufacturers and companies that need things custom made, went public earlier this year and now has a market cap of over $3 billion. Others in the same space include Hubs (which is now part of Protolabs) and Qimtek, among others.
One selling point that Fractory has been pushing is that it generally aims to keep manufacturing local to the customer to reduce the logistics component of the work to reduce carbon emissions, although as the company grows it will be interesting to see how and if it adheres to that commitment.
In the meantime, investors believe that Fractory’s approach and fast growth are strong signs that it’s here to stay and make an impact in the industry.
“Fractory has created an enterprise software platform like no other in the manufacturing setting. Its rapid customer adoption is clear demonstrable feedback of the value that Fractory brings to manufacturing supply chains with technology to automate and digitise an ecosystem poised for innovation,” said Marcin Hejka in a statement. “We have invested in a great product and a talented group of software engineers, committed to developing a product and continuing with their formidable track record of rapid international growth
Estonia-based Membo — which is backed by Y Combinator and will be presenting at the incubator’s Summer 2021 Demo Day next week — is aiming to take a slice of the premium end of grocery shopping in Europe and a bite out of supermarket giants’ continued dominance of the traditional weekly food shop.
On-demand food delivery in Europe is of course a highly competitive business with rapid-fire market moves and bursts of consolidation among app makers making a kind of sizzling startup stir-fry. Online grocery delivery, by contrast, tends to be a bit more sedate. Although there is some overlap, with developments like dark stores.
Interest in app-based grocery shopping also had an especially big boost during the pandemic — which has fired up consumer interest in doing the weekly shop online so that’s now driving more startup activity and capacity from supermarket giants trying to meet increased demand for online delivery.
Entering this fray is Membo — which, starting in Estonia, has built an app-based marketplace for local food producers to sell directly to consumers, cutting out other middlemen as the startup handles delivery logistics and billing.
Its service is live in the Estonian cities of Tallin and Tartu, currently. So most of us can merely oggle the mouth-watering fare for now.
Food producers display their wares in Membo’s app, which it likens to a virtual farmers’ market — allowing shoppers to browse and buy from multiple high quality, local fresh food producers and have everything delivered to them in one go. Its business model is based on taking a commission on orders made via its platform.
Products ordered via Membo can be delivered to customers in one of (currently) three slots a week. So within a few days or even next day. The startup batches customer orders to send to producers who only have to send one bulk order back to Membo’s centralized warehouse — where its staff take care of the packing and distribution to fulfil all the individual customer orders.
It launched the service last December and has seen 30% month on month growth over the past eight months — with, to date, 4,000+ orders sent out and customer numbers reaching over 1,400.
While local produce — and therefore the environmental benefits of sourcing food locally (lower ‘food miles’) — is a big feature of what Membo is selling it does also offer food from further afield — shipping Spanish oranges to its Estonia-based shoppers, for example — in order that it can provide customers with a full range of groceries and do things like be able to offer certain seasonal produce at different times of the year.
A full inventory is also important for it to be able to compete with traditional supermarkets on the ‘single weekly shop’ convenience front too, of course.
At present there are 800+ items listed on Membo’s platform from some different 65 producers. (And while groceries are its core offering it says it’s keeping an open mind about how that might expand — noting it recently added a locally produced pet food producer to its inventory, for example.)
But the overarching idea is for the food Membo sells to be as locally sourced to the customer as possible — which obviously has positive knock on impact on freshness and therefore overall grocery quality.
“Everything that we’re doing stems from the insight that people ordering their weekly groceries actually care much more about freshness and quality of their food than they actually care about 15 minute deliveries,” says co-founder and CEO Vahur Hansen, who cut his startup teeth working as an early engineer for TransferWise (now Wise).
“Coming from that insight we set out to build a model that can guarantee that when you order from us, every item in your cart always arrives as the freshest version possible. As an example… when you order trout from us the same trout was caught the day before. You get dairy produce that was specifically prepared for your delivery. You get oranges that were picked from the tree 24 hours ago. That’s the sort of reality that we’re focused on.”
“The product, from a fundamental point of view, is built for Europeans — and sort of for the European mentality,” he also tells TechCrunch. “It’s not new for people [here] to have this sort of mission/feel on being able to consume local produce. Europeans all over, in every country, they know that they need to support their local producers but they also know that local producers really make the best products for them. And for us the bigger goal is to build a cross-European, high quality producer network — coupled with very efficient logistics — so that we can, anywhere, deliver high quality local producers across Europe.”
On the last mile delivery side, the team has tried a few different approaches but is currently outsourcing that to delivery partners — with Hansen reiterating it makes sense for it to stay focused on the core logistics piece.
“When we started with this product we realized that we’re more of a logistics company than an actual store. So everything that we do is logistics in trying to figure out how to organize the quickest producer to end customer delivery.”
Given the target segment is premium groceries, Membo shoppers’ baskets are unsurprisingly more valuable than the average food delivery app — which conversely cater to impulse buys and hyper quick convenience. (Toothpaste, chocolate bars, takeaways, that sort of thing.)
So although there can be some overlap in the basic nature of what’s offered for delivery by Membo vs the average on-demand food delivery app there is more than enough clear blue water separating its value proposition vs — for example — the stuff that even a dark store operator like Spain’s Glovo can bike to your door.
It is very hard for hyper speedy delivery focused players to handle fresh produce and get it intact and in date to the customer’s door. Non-perishable, long shelf life products — processed foods, bottled drinks, toiletries etc — or indeed meal deliveries from restaurants which are set up to dish up takeaway are far easier for such platforms to manage and deliver. So grocery freshness is an especially difficult USP for such apps to compete on.
The question then is how large is the market for freshness and quality in the grocery space vs hyper quick, push-button convenience.
Membo’s bet is that delivering quality groceries is ultimately the more sustainable app business to be in. And it looks like a solid one. Certainly in a wealthy region like Northern Europe.
“It’s definitely a different model to dark stores — where they need to have mini warehouses spread across all cities — and also for us, unit economics wise, it’s a very good thing, because you can really save on scale,” says Hansen, discussing how Membo’s model contrasts with on-demand delivery apps doing grocery deliveries out of networks of dark stores.
“The fact that us needing one big warehouse as opposed to like ten smaller ones really effects our unit economics positively.”
“They capture impulse buys — and we capture planned out weekly grocery baskets,” he goes on. “Based on my research, our grocery baskets are at least 50% higher than for the sort of ‘convenience’ grocery apps. Right now it’s around $50 for an average customer. So from a very practical point of view we already see that — people come to our site to really order all of our fresh produce. As opposed to just a few items.”
There is another differentiating factor in play too.
Membo isn’t relying on a retail model that requires predicting customer demand in advance — so its business can be leaner and more efficient. Which also sums to less food being wasted — something else Membo’s target buyers are probably going to appreciate too. (The typical Membo customer is a 27-55 year old suburban mother who likes to cook for their family and prepare weekly meals ahead, per Hansen — someone who “really appreciates high quality, mostly eco ingredients for the food that they make”.)
“We set out to avoid food sitting in our warehouse and all the fresh produce that comes to our warehouse in the morning — it’s based on orders and it gets sent out to end customers the same evening. And also as a side effect of that model for the local food produce that we serve — there’s no food waste,” he says, adding: “Everything that arrives to our warehouse has already been ordered by our customers and our warehouse, essentially, is empty by the end of the day.”
It’s still early days for Membo of course. But it has big expansion plans in the region.
It’s been using its home market as a “playground” for fine-tuning its model and operations ahead of planned scaling into other European markets — with an eye on potential launches in Switzerland, Germany or France.
Markets with a rich network of local food producers who can be persuaded to sell their wares more directly to consumers via its platform will take priority, per Hansen, who says a range of factors will be involved in deciding where it goes next — so clearly the local competitive mix will also be key.
(Europe-based rivals include the UK’s Farmdrop — which targets a similarly discerning grocery shopper, who cares where their food is coming from and has the money to pay a quality premium, offering farmer sourced produce direct to UK consumers via its own online platform.)
“We’ve been using Estonia as a playground to figure out what is the exact operating model under which we can guarantee freshness for every item. So we’re been fine-tuning our product and building it so that we know it’s a sustainable business before going into expansion,” he says, adding: “That’s also one of the things that YC has really taught us.
“Build a working business and don’t go into scaling mode too quickly. But we are getting to the point where we’re already mapping bigger Western European countries and really honing in — trying to figure out what is the best combination of all of these factors to go in.”
Prior to taking in investment from YC, Membo had raised a little pre-seed funding to get going — although Hansen notes that its team remains small and expenses are therefore pretty lean. Its pre-seed backers included the CEO and VP of growth at Estonian ride-hailing startup Bolt, as well as some of Hansen’s ex colleagues at (Transfer)Wise.
Outvio, an Estonian startup that provides a white-label SaaS fulfillment solution for medium-sized and large online retailers in Spain and Estonia, has closed a $3 million early-stage financing round led by Change Ventures. Also participating were TMT Investments (London), Fresco Capital (San Francisco), and Lemonade Stand (Tallinn). Several angels also joined the round including James Berdigans (Printify) and Kristjan Vilosius (Katana MRP). This is the startup’s first institutional round of funding, after bootstrapping since 2018.
Online retailers usually have to use a number of different tools or hire expensive developers to create in-house shipping solutions. Outvio offers online stores of any size a post-purchase shipping experience, which seeks to replicate an Amazon-style experience where customers can also return packages. Among others, itcompetes with ShippyPro, which runs out of Italy and has raised $5 million to date.
Juan Borras, co-founder and CEO of Outvio said: “We can give any online store all the tools needed to offer a superior post-sale customer experience. We can integrate at different points in their fulfilment process, and for large merchants, save them hundreds of thousands in development costs alone.”
He added: “What happens after the purchase is more important than most shops realize. More than 88% of consumers say it is very important for them that retailers proactively communicate every fulfilment and delivery stage. Not doing so, especially if there are problems, often results in losing that client. Our mission is to help online stores streamline everything that happens after the sale, fueling repeat business and brand-loyal customers with the help of a fantastic post-purchase experience.”
Rait Ojasaar, Investment Partner at lead investor Change Ventures commented: “While online retailing has a long way to go, the expectations of consumers are increasing when it comes to delivery time and standards. The same can be said about the online shop operators who increasingly look for more advanced solutions with consumer-like user experience. The Outvio team has understood exactly what the gap in the market is and has done a tremendous job of finding product-market fit with their modern fulfilment SaaS platform.”
Doubly off the beaten track, the Estonian town is full of life and culture, especially music. And if travel is going to change its ways, it’s a good place to start.
Working remotely while abroad has obvious appeal. But the tax consequences vary depending on where you go. Here’s what to know.
The European Union told airlines to avoid Belarusian airspace after the country forced a commercial flight to land in order to arrest a journalist.
Earlybird Digital East Fund — a fund associated with Germany’s Earlybird VC, but operating separately — has launched a €200m ($242m) successor fund. The fund’s focus will remain the same as before: a Seed and Series-A fund focusing on what’s known as ‘Emerging Europe’, in other words, countries stretching from the Baltics to Central and Eastern Europe, and Turkey. The firm has also promoted Mehmet Atici, who’s been with the firm for eight years, to Partner. The new fund has made four investments so far: FintechOS, Payhawk, Picus, and Binalyze.
The back-story to DEF is a fascinating tale of what happened to Europe in the last 15 years, as tech took off and Europeans returned from Silicon Valley.
Following his exit from SelectMinds (where he was the Founder & CEO) in 2005, Cem Sertoglu moved back to Turkey. Although he says he “accidentally became the first angel investor” there, he was clearly the right man, in the right place, at the right time. He told me: “I was very lucky and ended up writing the first checks in some of the first large outcomes in Turkey.”
In 2013, Sertoglu partnered with Evren Ucok (the first angel in Peak Games and Trendyol), and Roland Manger (Earlybird). Dan Lupu, a Romanian investor who had covered the region for Intel Capital, joined them, and together they raised the ‘Earlybird Digital East Fund I’ set at $150m fund in 2014, focusing on CEE and Turkey. This was and is an area where there can be high-quality ventures to be found, but very little in the way of VC.
Thereafter, between 2014 and 2019, the fund invested in UiPath, Hazelcast, and Obilet. UiPath has become a global leader in the area known as ‘Robotic Process Automation (RPA). Hazelcast is a low latency data processing platform startup with Turkish roots. Obilet is a marketplace focused for the massive Turkish intercity bus travel market. DEF has also exited Vivense, Dolap, and EMbonds and in more recent times the fund has exited Vivense, the “Wayfair of Turkey” to Actera, the top local PE fund.
The team had spectacular early success. Peak Games, Trendyol, YemekSepeti and GittiGidiyor are the four largest Turkish tech exits to date. Digital East Fund was an investor in all of them. Peak games exited for $1.8 billion in cash to Zynga only last year.
As of Q4 2020, the fund’s metrics are:
Investment Multiple: 24.9x
Gross IRR: 104.4%
Net IRR: 84.1%
So in VC terms, they have done pretty well.
I interviewed Sertoglu to unpack the story of Earlybird Digital East Fund.
He told me DEF has achieved a 17 times investment multiple on a $150 million fund. He thinks “this might be the biggest European VC fund performance in history, and it’s not coming from Berlin, it’s not coming from London, but it’s coming from Eastern Europe. We have been told by some of our LPs that they think we’re the top 2014 vintage VC fund in the world, nobody’s seen stronger numbers than this.”
“Peak Games turned out to be a phenomenal story. When you look at how tough it’s been for Turkey, macroeconomically. The fact that a single company with 100 people essentially sold for $1.8 billion in cash, was just… it was staggering for the local market here.”
DEF’s emergence from Turkey, together with its relationship with a fund in Berlin, was not the most obvious path for the VC fund.
“One thing we realized early one was that we could invest with our own capital and syndicating to our friends, but for follow-on funding, we’d always have to go global. And that made us feel vulnerable. It made us feel we were always dependent on others’ comprehension of the opportunity that we were facing. So that’s when the first fund idea came out this was,” said Sertoglu.
“We felt that there was this unusual dislocation between opportunity and capital in Eastern Europe. Our first fund was $150 million funds – I mean, a very quaint size compared to Western markets. But we became the largest fund in the region, and decided to focus on this series A gap where we felt that there was this big opportunity, because of the way we think series A is still very much a local play.”
“Being a local player that understands the region would be an advantage, so this was proven to be true. We could essentially see pretty much everything in Eastern Europe for the last eight years. And we caught the biggest one, fortunately, which was UiPath. I think very few funds around the world can say that they see the majority if not all of the opportunities that fall into their mandate,” he said.
“We have this dual strategy of backing local champions as well as contenders for global markets as well. 20 years ago you had to be in Silicon Valley. Now, Transferwise comes out of Estonia, UiPath comes out of Romania. And that was even before the pandemic.”
Sertoglu concluded: “So we now have fresh capital, coming on the heels of a very successful first fund, which we’re keen to deploy. We’re calling all the opportunities, seeing very ambitious, strong teams coming out of the region. And we have 200 million euros to focus on these types of opportunities in the region.”
The resignation of Juri Ratas in a scandal involving pandemic relief loans is an unusual hiccup in a buttoned-down country.
Eneba, a marketplace for gamers that sells games and other products, has raised a $8M round of funding from Practica Capital and InReach Ventures. The funding is described as a ‘combination’ of a Seed and Series A round. Also participating in the funding for the Lithuanian startup was FJ Labs and a group of Angel investors including Mantas Mikuckas, COO of Vinted. The investment highlights once again the strength of the Baltics region as tech ecosystem, after Lithuania produced its first Unicorn in the shape of Vinted, and Estonia’s added Pipedrive to its unicorns list.
With the increased shift to digital entertainment during the pandemic, the startup has managed to garner much more US traffic. Launched in 2018 by two Lithuanian school friends, Vytis Uogintas and Žygimantas Mikšta, Eneba says it has attracted 26 million unique users because of its security features, ‘one-click to buy’ gamer experience and fingerprinting technology. The site also optimizes its localized gaming experiences to show locally trending gaming products. Eneba’s platform is designed to reduce risky transactions, simplifies the refunding process, and deals with fraud threats.
Co-founder and CMO, Žygimantas Mikšta said: “We had a lot of new users coming to Eneba during these uncertain times. While it was extremely satisfying to see our numbers increasing tenfold, there was a challenge to meet the demand. To better reflect our user numbers, we had to quickly expand our team to 130.”
Security has risen up the agenda in online gaming as virtual goods and services connected to games can be highly susceptible to fraud or theft. Although it competes with outlets like Amazon, eBay, and retailers like Gamestop, Game.co.uk, Eneba think they’ve found a better, tailored online pre/post-buying experience for gamers, while addressing the risk problems for sellers and buyers in the gaming world.
Donatas Keras, partner at Practica Capital said: “We are thrilled to be backing Vytis and Žygimantas. We’ve been impressed by their ability to execute at such speed as their company quickly scales, and to drive an incredible product with a unique value proposition for gamers.”
Co-founder of InReach Ventures, Roberto Bonanzinga, said: “In Europe we have a tradition of building successful companies in the gaming space. We are very excited to have discovered Eneba thanks to our AI platform when the company was unknown and under the radar. We have been extremely impressed by what the founders have been able to build in such a short amount of time.”
An operation ahead of the November election was part of stepped-up efforts by the military to stop Russian interference in American politics.
Started as a side project by its founders, Warren is now helping regional cloud infrastructure service providers compete against Amazon, Microsoft, IBM, Google and other tech giants. Based in Tallinn, Estonia, Warren’s self-service distributed cloud platform is gaining traction in Southeast Asia, one of the world’s fastest-growing cloud service markets, and Europe. It recently closed a $1.4 million seed round led by Passion Capital, with plans to expand in South America, where it recently launched in Brazil.
Warren’s seed funding also included participation from Lemonade Stand and angel investors like former Nokia vice president Paul Melin and Marek Kiisa, co-founder of funds Superangel and NordicNinja.
The leading global cloud providers are aggressively expanding their international businesses by growing their marketing teams and data centers around the world (for example, over the past few months, Microsoft has launched a new data center region in Austria, expanded in Brazil and announced it will build a new region in Taiwan as it competes against Amazon Web Services).
But demand for customized service and control over data still prompt many companies, especially smaller ones, to pick local cloud infrastructure providers instead, Warren co-founder and chief executive officer Tarmo Tael told TechCrunch.
“Local providers pay more attention to personal sales and support, in local language, to all clients in general, and more importantly, take the time to focus on SME clients to provide flexibility and address their custom needs,” he said. “Whereas global providers give a personal touch maybe only to a few big clients in the enterprise sectors.” Many local providers also offer lower prices and give a large amount of bandwidth for free, attracting SMEs.
He added that “the data sovereignty aspect that plays an important role in choosing their cloud platform for many of the clients.”
In 2015, Tael and co-founder Henry Vaaderpass began working on the project that eventually became Warren while running a development agency for e-commerce sites. From the beginning, the two wanted to develop a product of their own and tested several ideas out, but weren’t really excited by any of them, he said. At the same time, the agency’s e-commerce clients were running into challenges as their businesses grew.
Tael and Vaaderpass’s clients tended to pick local cloud infrastructure providers because of lower costs and more personalized support. But setting up new e-commerce projects with scalable infrastructure was costly because many local cloud infrastructure providers use different platforms.
“So we started looking for tools to use for managing our e-commerce projects better and more efficiently,” Tael said. “As we didn’t find what we were looking for, we saw this as an opportunity to build our own.”
After creating their first prototype, Tael and Vaaderpass realized that it could be used by other development teams, and decided to seek angel funding from investors, like Kiisa, who have experience working with cloud data centers or infrastructure providers.
Southeast Asia, one of the world’s fastest-growing cloud markets, is an important part of Warren’s business. Warren will continue to expand in Southeast Asia, while focusing on other developing regions with large domestic markets, like South America (starting with Brazil). Tael said the startup is also in discussion with potential partners in other markets, including Russia, Turkey and China.
Warren’s current clients include Estonian cloud provider Pilw.io and Indonesian cloud provider IdCloudHost. Tael said working with Warren means its customers spend less time dealing with technical issues related to infrastructure software, so their teams, including developers, can instead focus on supporting clients and managing other services they sell.
The company’s goal is to give local cloud infrastructure providers the ability to meet increasing demand, and eventually expand internationally, with tools to handle more installations and end users. These include features like automated maintenance and DevOps processes that streamline feature testing and handling different platforms.
Ultimately, Warren wants to connect providers in a network that end users can access through a single API and user interface. It also envisions the network as a community where Warren’s clients can share resources and, eventually, have a marketplace for their apps and services.
In terms of competition, Tael said local cloud infrastructure providers often turn to OpenStack, Virtuozzo, Stratoscale or Mirantis. The advantage these companies currently have over Warren is a wider network, but Warren is busy building out its own. The company will be able to connect several locations to one provider by the first quarter of 2021. After that, Tael said, it will “gradually connect providers to each other, upgrading our user management and billing services to handle all that complexity.”
Today a group of academics, researchers and civil rights leaders go live on with ‘The Real Facebook Oversight Board’ which is designed to criticize and discuss the role of the platform in the upcoming US election. The group includes Facebook’s ex-head of election security, leaders of the #StopHateForProfit campaign and Roger McNamee, early Facebook investor. Facebook launched its own ‘Oversight Board’ last November to deal with thorny issues of content moderation, but Facebook has admitted it will not be overseeing any of Facebook’s content or activity during the course of the US election, and will only adjudicate on issues after the event.
The press conference for the launch is streamed live today, below:
Facebook founder Mark Zuckerberg claimed last November that the Oversight Board was “an incredibly important undertaking” and would “prevent the concentration of too much decision-making within our teams” and promote “accountability and oversight”.
The move was seen as an acknowledgment of the difficulty of decision-making inside Facebook. Decisions on what controversial posts to remove fall on the shoulders of individual executives, hence why the Oversight Board will act like a ‘Supreme Court’ for content moderation.
However, the Oversight Board has admitted it will take up to three months to make a decision and will only make judgments about content that has been removed from the platform, not what stays up.
Facebook has invested $130 million in this board and announced its first board members in May, including ex-prime minister of Denmark, Helle Thorning-Schmidt and the ex-editor-in-chief of the Guardian, Alan Rusbridger.
The activist-led ‘Real Facebook Oversight Board’ includes the ex-President of Estonia, Toomas Henrik Ilves, an outspoken critic of Facebook and Maria Ressa, the journalist currently facing imprisonment in the Philippines for cyberlibel.
Board members also include Shoshana Zuboff, author of Surveillance Capitalism, Derrick Johnson, president of the NAACP, Yael Eisenstat, former head of election integrity at Facebook, Rashad Robinson, president of Color of Change, and Jonathan Greenblatt, CEO of the Anti-Defamation League .
This issue of how Facebook moderates its content and allows its users to be targetted by campaigns has become ever more pressing as the US election looms closer. It’s already been revealed by Channel 4 News in the UK that 3.5 million Black Americans were profiled and categorized on Facebook, and other social media, as needing to be deterred from voting by the Trump campaign.
After the Estonia sunk in a storm off Finland, investigators said that a bow door had been bashed in by heavy seas. But a new series has raised disturbing fresh details.
One of the biggest surveys ever of ancient DNA offers new evidence of who the Vikings were and where they went raiding and trading.
An Ironman race on Saturday in Tallinn, Estonia, was the first such race since March. Precautions included travel restrictions, temperature checks, masked volunteers and medals handed over in bags.
Several countries with fragile tourist economies have started to offer visas that allow foreign nationals to live and work for a period of at least six months.
The UK may be rethinking its decision to shun Apple and Google’s API for its national coronavirus contacts tracing app, according to the Financial Times, which reported yesterday that the government is paying an IT supplier to investigate whether it can integrate the tech giants’ approach after all.
As we’ve reported before coronavirus contacts tracing apps are a new technology which aims to repurpose smartphones’ Bluetooth signals and device proximity to try to estimate individuals’ infection risk.
The UK’s forthcoming app, called NHS COVID-19, has faced controversy because it’s being designed to use a centralized app architecture. This means developers are having to come up with workarounds for platform limitations on background access to Bluetooth as the Apple-Google cross-platform API only works with decentralized systems.
The choice of a centralized app architecture has also raised concerns about the impact of such an unprecedented state data grab on citizens’ privacy and human rights, and the risk of state ‘mission creep‘.
The UK also looks increasingly isolated in its choice in Europe after the German government opted to switch to a decentralized model, joining several other European countries that have said they will opt for a p2p approach, including Estonia, Ireland and Switzerland.
In the region, France remains the other major backer of a centralized system for its forthcoming coronavirus contacts tracing app, StopCovid.
Apple and Google, meanwhile, are collaborating on a so-called “exposure notification” API for national coronavirus contacts tracing apps. The API is slated to launch this month and is designed to remove restrictions that could interfere with how contact events are logged. However it’s only available for apps that don’t hold users’ personal data on central servers and prohibits location tracking, with the pair emphasizing that their system is designed to put privacy at the core.
Yesterday the FT reported that NHSX, the digital transformation branch of UK’s National Health Service, has awarded a £3.8M contract to the London office of Zuhlke Engineering, a Switzerland-based IT development firm which was involved in developing the initial version of the NHS COVID-19 app.
The contract includes a requirement to “investigate the complexity, performance and feasibility of implementing native Apple and Google contact tracing APIs within the existing proximity mobile application and platform”, per the newspaper’s report.
The work is also described as a “two week timeboxed technical spike”, which the FT suggests means it’s still at a preliminary phase — thought it also notes the contract includes a deadline of mid-May.
The contracted work was due to begin yesterday, per the report.
We’ve reached out to Zuhlke for comment. Its website describes the company as “a strong solutions partner” that’s focused on projects related to digital product delivery; cloud migration; scaling digital platforms; and the Internet of Things.
We also put questions arising from the FT report to NHSX.
At the time of writing the unit had not responded but yesterday a spokesperson told the newspaper: “We’ve been working with Apple and Google throughout the app’s development and it’s quite right and normal to continue to refine the app.”
The specific technical issue that appears to be causing concern relates to a workaround the developers have devised to try to circumvent platform limitations on Bluetooth that’s intended to wake up phones when the app itself is not being actively used in order that the proximity handshakes can still be carried out (and contacts events properly logged).
Thing is, if any of the devices fail to wake up and emit their identifiers so other nearby devices can log their presence there will be gaps in the data. Which, in plainer language, means the app might miss some close encounters between users — and therefore fail to notify some people of potential infection risk.
Recent reports have suggested the NHSX workaround has a particular problem with iPhones not being able to wake up other iPhones. And while Google’s Android OS is the more dominant platform in the UK (running on circa ~60% of smartphones, per Kantar) there will still be plenty of instances of two or more iPhone users passing near each other. So if their apps fail to wake up they won’t exchange data and those encounters won’t be logged.
On this, the FT quotes one person familiar with the NHS testing process who told it the app was able to work in the background in most cases, except when two iPhones were locked and left unused for around 30 minutes, and without any Android devices coming within 60m of the devices. The source also told it that bringing an Android device running the app close to the iPhone would “wake up” its Bluetooth connection.
Clearly, the government having to tell everyone in the UK to use an Android smartphone not an iPhone wouldn’t be a particularly palatable political message.
One source with information about the NHSX testing process told us the unit has this week been asking IT suppliers for facilities or input on testing environments with “50-100 Bluetooth devices of mixed origin”, to help with challenges in testing the Bluetooth exchanges — which raises questions about how extensively this core functionality has been tested up to now. (Again, we’ve put questions to the NHSX about testing and will update this report with any response.)
Work on planning and developing the NHS COVID-19 app began March 7, according to evidence given to a UK parliamentary committee by the NHSX CEO’s, Matthew Gould, last month.
Gould has also previously suggested that the app could be “technically” ready to launch in as little as two or three weeks time from now. While a limited geographical trial of the app kicked off this week in the Isle of Wight. Prior to that, an alpha version of the app was tested at an RAF base involving staff carrying out simulations of people going shopping, per a BBC report last month.
Gould faced questions over the choice of centralized vs decentralized app architecture from the human rights committee earlier this week. He suggested then that the government is not “locked” to the choice — telling the committee: “We are constantly reassessing which approach is the right one — and if it becomes clear that the balance of advantage lies in a different approach then we will take that different approach. We’re not irredeemably wedded to one approach; if we need to shift then we will… It’s a very pragmatic decision about what approach is likely to get the results that we need to get.”
However it’s unclear how quickly such a major change to app architecture could be implemented, given centralized vs decentralized systems work in very different ways.
Additionally, such a big shift — more than two months into the NHSX’s project — seems, at such a late stage, as if it would be more closely characterized as a rebuild, rather than a little finessing (as suggested by the NHSX spokesperson’s remark to the FT vis-a-vis ‘refining’ the app).
In related news today, Reuters reports that Colombia has pulled its own coronavirus contacts tracing app after experiencing glitches and inaccuracies. The app had used alternative technology to power contacts logging via Bluetooth and wi-fi. A government official told the news agency it aims to rebuild the system and may now use the Apple-Google API.
Australia has also reported Bluetooth related problems with its national coronavirus app. And has also been reported to be moving towards adopting the Apple-Google API.
While, Singapore, the first country to launch a Bluetooth app for coronavirus contacts tracing, was also the first to run into technical hitches related to platform limits on background access — likely contributing to low download rates for the app (reportedly below 20%).
The UK has this week started testing a coronavirus contacts-tracing app which NHSX, a digital arm of the country’s National Health Service, has been planning and developing since early March. The test is taking place in the Isle of Wight, a 380km2 island off the south coast of England, with a population of around 140,000.
The NHS COVID-19 app uses Bluetooth Low Energy handshakes to register proximity events (aka ‘contacts’) between smartphone users, with factors such as the duration of the ‘contact event’ and the distance between the devices feeding an NHS clinical algorithm that’s being designed to estimate infection risk and trigger notifications if a user subsequently experiences COVID-19 symptoms.
The government is promoting the app as an essential component of its response to fighting the coronavirus — the health minister’s new mantra being: ‘Protect the NHS, stay home, download the app’ — and the NHSX has said it expects the app to be “technically” ready to deploy two to three weeks after this week’s trial.
However there are major questions over how effective the tool will prove to be, especially given the government’s decision to ‘go it alone’ on the design of its digital contacts-tracing system — which raises some specific technical challenges linked to how modern smartphone platforms operate, as well as around international interoperability with other national apps targeting the same purpose.
In addition, the UK app allows users to self report symptoms of COVID-19 — which could lead to many false alerts being generated. That in turn might trigger notification fatigue and/or encourage users to ignore alerts if the ratio of false alarms exceeds genuine alerts.
Keep calm and download the app?
How users will generally respond to this technology is a major unknown. Yet mainstream adoption will be needed to maximize utility; not just one-time downloads. Dealing with the coronavirus will be a marathon not a sprint — which means sustaining usage will be vital to the app functioning as intended. And that will require users to trust that the app is both useful for the claimed public health purpose, by being effective at shrinking infection risk, and also that using it will not create any kind of disadvantages for them personally or for their friends and family.
The NHSX has said it will publish the code for the app, the DPIA (data protection impact assessment) and the privacy and security models — all of which sounds great, though we’re still waiting to see those key details. Publishing all that before the app launches would clearly be a boon to user trust.
A separate consideration is whether there should be a dedicated legislation wrapper put around the app to ensure clear and firm legal bounds on its use (and to prevent abuse and data misuse).
As it stands the NHS COVID-19 app is being accelerated towards release without this — relying on existing legislative frameworks (with some potential conflicts); and with no specific oversight body to handle any complaints. That too could impact user trust.
The overarching idea behind digital contacts tracing is to leverage uptake of smartphone technology to automate some contacts tracing, with the advantage that such a tool might be able to register fleeting contacts, such as between strangers on the street or public transport, that may more difficult for manual contacts-tracing methods to identify. Though whether these sorts of fleeting contacts create a significant risk of infection with the SARS-CoV-2 virus has not yet been quantified.
All experts are crystal clear on one thing: Digital contacts tracing is only going to be — at very best — a supplement to manual contact tracing. People who do not own or carry smartphones or who do not or cannot use the app obviously won’t register in any captured data. Technical issues may also create barriers and data gaps. It’s certainly not a magic bullet — and may, in the end, turn out to be ill-suited for this use case (we’ve written a general primer on digital contacts tracing here).
One major component of the UK approach is that it’s opted to create a so-called ‘centralized’ system for coronavirus contacts tracing — which leads to a number of specific challenges.
While the NHS COVID-19 app stores contacts events on the user’s device initially, at the point when (or if) a user chooses to report themselves having coronavirus symptoms then all their contacts events data is uploaded to a central server. This means it’s not just a user’s own identifier but a list of any identifiers they have encountered over the past 28 days — so, essentially, a graph of their recent social interactions.
This data cannot be deleted after the fact, according to the NHSX, which has also said it may be used for “research” purposes related to public health — raising further questions around privacy and trust.
Questions around the legal bases for this centralized approach also remain to be answered in detail by the government. UK and EU data protection law emphasize data minimization as a key principle; and while there’s flexibility built into these frameworks for a public health emergency there is still a requirement on the government to detail and justify key data processing decisions.
The UK’s decision to centralize contacts data has another obvious and immediate consequence: It means the NHS COVID-19 app will not be able to plug into an API that’s being jointly developed by Apple and Google to provide technical support for Bluetooth-based national contacts-tracing apps — and due to be release this month.
The tech giants have elected to support decentralized app architectures for these apps — which, conversely, do not centralize social graph data. Instead, infection risk calculations are performed locally on the device.
By design, these approaches avoid providing a central authority with information on who infected whom.
In the decentralized scenario, an infected user consents to their ephemeral identifier being shared with other users so apps can do matching locally, on the end-user device — meaning exposure notifications are generated without a central authority needing to be in the loop. (It’s also worth noting there are ways for decentralized protocols to feed aggregated contact data back to a central authority for epidemiological research, though the design is intended to prevent users’ social graph being exposed. A system of ‘exposure notification’, as Apple and Google are now branding it, has no need for such data, is their key argument. The NHSX counters that by suggesting social graph data could provide useful epidemiological insights — such as around how the virus is being spread.)
At the point a user of the NHS COVID-19 app experiences symptoms or gets a formal coronavirus diagnosis — and chooses to inform the authorities — the app will upload their recent contacts to a central server where infection risk calculations are performed.
The system will then send exposure notifications to other devices — in instances where the software deems there may be at risk of infection. Users might, for example, be asked to self isolate to see if they develop symptoms after coming into contact with an infected person, or told to seek a test to determine if they have COVID-19 or not.
A key detail here is that users of the NHS COVID-19 app are assigned a fixed identifier — basically a large, random number — which the government calls an “installation ID”. It claims this identifier is ‘anonymous’. However this is where political spin in service of encouraging public uptake of the app is being allowed to obscure a very different legal reality: A fixed identifier linked to a device is in fact pseudonymous data, which remains personal data under UK and EU law. Because, while the user’s identity has been ‘obscured’, there’s still a clear risk of re-identification.
Truly ‘anonymous’ data is a very high bar to achieve when you’re dealing with large data-sets. In the NHS COVID-19 app case there’s no reason beyond spin for the government to claim the data is “anonymous”; given the system design involves a device-linked fixed identifier that’s uploaded to a central authority alongside at least some geographical data (a partial postcode: which the app also asks users to input — so “the NHS can plan your local NHS response”, per the official explainer).
The NHSX has also said future versions of the app may ask users to share even more personal data, including their location. (And location data-sets are notoriously difficult to defend against re-identification.)
Nonetheless the government has maintained that individual users of the app will not be identified. But under such a system architecture this assertion sums to ‘trust us with your data’; the technology itself has not been designed to remove the need for individual users to trust a central authority, as is the case with bona fide decentralized protocols.
This is why Apple and Google are opting to support the latter approach — it cuts the internationally thorny issue of ‘government trust’ out of their equation.
However it also means governments that do want to centralize data face a technical headache to get their apps to function smoothly on the only two smartphone platforms that matter.
Technical and geopolitical headaches
The specific technical issue here relates to how these mainstream platforms manage background access to Bluetooth.
Using Bluetooth as a proxy for measuring coronavirus infection risk is of course a very new and novel technology. Singapore was reported to be the first country to attempt this. Its TraceTogether app, which launched in March, reportedly gained only limited (<20%) uptake — with technical issues on iOS being at least partly blamed for the low uptake.
The problem that the TraceTogether app faced initially is the software needed to be actively running and the iPhone open (not locked) for the tracing function to work. That obviously interferes with the normal multitasking of the average iPhone user — discouraging usage of the app.
It’s worth emphasizing that the UK is doing things a bit differently vs Singapore, though, in that it’s using Bluetooth handshakes rather than a Bluetooth advertising channel to power the contacts logging.
The NHS COVID-19 app has been designed to listen passively for other Bluetooth devices and then wake up in order to perform the handshake. This is intended as a workaround for these platform limits on background Bluetooth access. However it is still a workaround — and there are ongoing questions over how robustly it will perform in practice.
An analysis by The Register suggests the app will face a fresh set of issues in that iPhones specifically will fail to wake each other up to perform the handshakes — unless there’s also an Android device in the vicinity. If correct, it could result in big gaps in the tracing data (around 40% of UK smartphones run iOS vs 60% running Android).
Battery drain may also resurface as an issue with the UK system, though the NHSX has claimed its workaround solves this. (Though it’s not clear if they’ve tested what happens if an iPhone user switches on a battery saving mode which limits background app activity, for example.)
Other Bluetooth-based contract-tracing apps that have tried to workaround platforms limits have also faced issues with interference related to other Bluetooth devices — such as Australia’s recently launched app. So there are a number of potential issues that could trouble performance.
Being outside the Apple-Google API also certainly means the UK app is at the mercy of future platform updates which could derail the specific workaround. Best laid plans that don’t involve using an official interface as your plug are inevitably operating on shaky ground.
Finally, there’s a huge and complex issue that’s essentially being glossed over by government right now: Interoperability with other national apps.
How will the UK app work across borders? What happens when Brits start travelling again? With no obvious route for centralized vs decentralized systems to interface and play nice with each other there’s a major question mark over what happens when UK citizens want to travel to countries with decentralized systems (or indeed vice versa). Mandatory quarantines because the government picked a less interoperable app architecture? Let’s hope not.
Notably, the Republic of Ireland has opted for a decentralized approach for its national app, whereas Northern Ireland, which is part of the UK but shares a land border with the Republic, will — baring any NHSX flip — be saddled with a centralized and thus opposing choice. It’s the Brexit schism all over again in app form.
Earlier this week the NHSX was asked about this cross-border issue by a UK parliamentary committee — and admitted it creates a challenge “we’ll have to work through”, though it did not suggest how it proposes to do that.
And while that’s a very pressing backyard challenge, the same interoperability gremlins arise across the English Channel — where a number of European countries are opting for decentralized apps, including Estonia, Germany and Switzerland. While Apple and Google’s choice at the platform level means future US apps may also be encouraged down a decentralized route. (The two US tech giants are demonstrably flexing their market power to press on and influence governments’ app design choices internationally.)
So countries that fix on a ‘DIY’ approach for the digital component of their domestic pandemic response may find it leads to some unwelcome isolation for their citizens at the international level.
Icebreaker claims to be Finland’s most active pre-seed VC. The firm, which also invests in Estonia and Sweden, has backed 38 companies in the last three years out of its first fund, with a 65% success rate so far for companies that have been able to raise follow-on funding.
Two weeks ago, Icebreaker announced the launch of Fund II, with an initial close of €50 million. That’s more than twice the size of its first fund, which topped out at €20 million.
Its remit remains largely the same, however. The company typically invests between €150k and €800k in teams that have “deep domain expertise” and are building globally competitive tech companies according to Icebreaker co-founder and partner Riku Seppälä.
Noteworthy, this goes right to the top of the funnel and includes backing and helping to connect “pre-founders,” defined as individuals with over 5 years of work experience in their domain who are aiming to start or join a tech company. As part of this effort, Icebreaker operates an online and offline community to act as a catalyst for new companies to be founded.
Meanwhile, I’m told that Fund II was signed just as the coronavirus crisis began to take hold and includes the majority of LPs from Fund I in addition to new investors. Lead LPs are Tesi, KRR III, Varma Mutual Pension Insurance Company and Elo Mutual Pension Insurance Company, together with 41 other entities consisting of institutional investors, family offices and founders.
To find out more about Fund II and what’s it’s like to launch a new pre-seed fund at a time of such uncertainty, and to understand how Icebreaker thinks about startup life during and after lockdown, I put questions to Icebreaker co-founder and Partner Riku Seppälä.
TechCrunch: What does it feel like to close a new fund right at the start of a pandemic?
Riku Seppälä: Of course, we have been distracted by the mounting health crisis and how the world economy will recover, so the feelings are mixed.
More details have emerged about a coronavirus contacts tracing app being developed by UK authorities. NHSX CEO, Matthew Gould, said today that future versions of the app could ask users to share location data to help authorities learn more about how the virus propagates.
Gould, who heads up the digital transformation unit of the UK’s National Health Service, was giving evidence to the UK parliament’s Science & Technology Committee today.
At the same time, ongoing questions about the precise role of the UK’s domestic spy agency in key decisions about the NHSX’s choice of a centralized app architecture means privacy concerns are unlikely to go away — with Gould dodging the committee’s about GCHQ’s role.
A basic version of the NHSX’s coronavirus contacts tracing app is set to be tested in a small geographical region in the next 1-2 weeks, per Gould — who said “technically” it would be ready for a wider rollout in 2-3 weeks’ time.
Although he emphasized that any launch would need to be part of a wider government strategy which includes extensive testing and manual contacts tracing, along with a major effort to communicate to the public about the purpose and importance of the app as part of a combined response to fighting the virus.
In future versions of the app, Gould suggested users could be asked to contribute additional data — such as their location — in order to help epidemiologists identify infection hot spots, while emphasizing that such extra contributions would be voluntary.
“The app will iterate. We’ve been developing it at speed since the very start of the situation but the first version that we put out won’t have everything in it that we would like,” he said. “We’re quite keen, though, that subsequent versions should give people the opportunity to offer more data if they wish to do so.
“So, for example, it would be very useful, epidemiologically, if people were willing to offer us not just the anonymous proximity contacts but also the location of where those contacts took place — because that would allow us to know that certain places or certain sectors or whatever were a particular source of proximity contacts that subsequently became problematic.”
“If people were willing to do that — and I suspect a significant proportion of people would be willing to do that — then I think that would be very important data because that would allow us to have an important insight into how the virus was propagated,” he added.
For now, the basic version of the contacts tracing app the NHSX is devising is not being designed to track location. Instead, it will use Bluetooth as a proxy for infection risk, with phones that come into proximity swapping pseudonymized identifiers that may later be uploaded to a central server to calculate infection risk related to a person’s contacts.
Bluetooth proximity tracking is now being baked into national contacts tracing apps across Europe and elsewhere, although app architectures can vary considerably.
The UK is notable for being one of now relatively few European countries that have opted for a centralized model for coronavirus contacts tracing, after Germany switched its choice earlier this week.
France is also currently planning to use a centralized protocol. But countries including Estonia, Switzerland and Spain have said they will deploy decentralized apps — meaning infection risk calculations will be performed locally, on device, and social graph data will not be uploaded to a central authority.
Centralized approaches to coronavirus contact tracing have raised substantial privacy concerns as social graph data stored on a central server could be accessed and re-identified by the central authority controlling the server.
Apple and Google’s joint effort on a cross-platform API for national coronavirus contacts tracing apps is also being designed to work with decentralized approaches — meaning countries that want to go against the smartphone platform grain may face technically challenges such as battery drain and usability.
The committee asked Gould about the NHSX’s decision to develop its own app architecture, which means having to come up with workarounds to minimize issues such as battery drain because it won’t just be able to plug into the Apple –Google API . Yesterday the unit told the BBC how it’s planning to do this, while conceding its workaround won’t be as energy efficient as being able to use the API.
“We are co-operating very closely with a range of other countries. We’re sharing code, we’re sharing technical solutions and there’s a lot of co-operation but a really key part of how this works is not just the core Bluetooth technology — which is an important part of it — it’s the backend and how it ties in with testing, with tracing, with everything else. So a certain amount of it necessarily has to be embedded in the national approach,” said Gould, when asked why NHSX is going to the relative effort and hassle of developing its own bespoke centralized system rather than making use of protocols developed elsewhere.
“I would say we are sensibly trying to learn international best practice and share it — and we’ve shared quite a lot of the technological progress we’ve made in certain areas — but this has to embed in the wider UK strategy. So there’s an irreducible amount that has to be done nationally.”
On not aligning with Apple and Google’s decentralized approach specifically, he suggested that waiting for their system-wide contact tracing product to be released — due next month — would “slow us down quite considerably”. (During the committee hearing it was confirmed the first meeting relating to the NHSX app took place on March 7.)
While on the wider decision not to adopt a decentralized architecture for the app, Gould argued there’s a “false dichotomy” that decentralized is privacy secure and centralized isn’t. “We firmly believe that both our approach — though it has a measure of centralization in as much as your uploading the anonymized identifiers in order to run the cascades — nonetheless preserves people’s privacy in doing so,” he said.
“We don’t believe that’s a privacy endangering step. But also by doing so it allows you to see the contact graph of how this is propagating and how the contacts are working across a number of individuals, without knowing who they are, that allows you to do certain important things that you couldn’t do if it was just phone to phone propagation.”
He gave the example of detecting malicious use of contacts tracing being helped by being able to acquire social graph data. “One of the ways you can do that is looking for anomalous patterns even if you don’t know who the individuals are you can see anomalous propagation which the approach we’ve taken allows,” he said. “We’re not clear that a decentralized approach allows.”
Another example he gave was a person declaring themselves symptomatic and a cascade being run to notify their contacts and then that person subsequently testing negative.
“We want to be able to release all the people that have been given an instruction to isolate previously on the basis of [the false positive person] being symptomatic. If it was done in an entirely decentalized way that becomes very difficult,” he suggested. “Because it’s all been done phone to phone you can’t go back to those individuals to say you don’t have to be locked down because your index case turned out to be negative. So we really believe there are big advantages the way we’re doing it. But we don’t believe it’s privacy endangering.”
Responding to the latter claim, Dr Michael Veale — a lecturer in digital rights and regulation at UCL who is also one of the authors of a decentalized protocol for contacts tracing, called DP-3T, that’s being adopted by a number of European governments — told us: “It is trivial to extend a decentralised system to allow individuals to upload ‘all clear’ keys too, although not something that DP-3T focussed on building in because to my knowledge, it is only the UK that wishes to allow these cascades to trigger instructions to self-isolate based on unverified self-reporting.”
In the decentralized scenario, “individuals would simply upload their identifiers again, flagging them as ‘false alarm’, they would be downloaded by everyone, and the phones of those who had been told to quarantine would notify the individual that they no longer needed to isolate”, Veale added — explaining how a ‘false alarm’ notification could indeed be sent without a government needing to centralize social graph data.
The committee also asked Gould directly whether UK spy agency, GCHQ, was involved in the decision to choose a centralized approach for the app. The BBC reported yesterday that experts from the cyber security arm of the spy agency, the National Cyber Security Centre (NCSC), had aided the effort.
At first pass Gould dodged the question. Pressed a second time he dodged a direct answer, saying only that the NCSC were “part of the discussions in which we decided to take the approach that we’ve taken”.
“[The NCSC] have, along with a number of others — the Information Commission’s Office, the National Data Guardian, the NHS — been advising us. And as the technical authority for cyber security I’m very glad to have had the NCSC’s advice,” he also said.
“We have said will will open source the software, we have said we will publish the privacy model and the security model that’s underpinning what we’re going to do,” he added. “The whole model rests on people having randomized IDs so the only point in the process at which they need to say to us who they are is when they need to order a test having become symptomatic because it’s impossible to do that otherwise.
“They will have the choice both to download the app and turn it on but also to upload the list of randomized IDs of people they’ve been in touch with. They will also have the choice at any point to delete the app and all the data that they haven’t shared with us up to that point with it. So I do believe that what we’ve done is respectful of people’s privacy but at the same time effective in terms of being able to keep people safe.”
Gould was unable to tell the committee when the app’s code will be open sourced, or even confirm it would happen before the app was made available. But he did say the unit is committed to publishing data protection impact assessments — claiming this would be done “for each iteration” of the app.
“At every stage we will do a data protection impact assessment, at every stage we’ll make sure the information commission know’s what we’re doing and is comfortable with what we’re doing so we will proceed carefully and make sure what we do is compliant,” he said.
At another point in the hearing, Lillian Edwards, a professor of law, innovation and society at Newcastle Law School who was also giving evidence, pointed out that the Information Commissioner’s Office’s executive director, Simon McDougall, told a public forum last week that the agency had not in fact seen details of the app plan.
“There has been a slight information gap there,” she suggested. “This is normally a situation with an app that is high risk stakes involving very sensitive personal data — where there is clearly a GDPR [General Data Protection Regulation] obligation to prepare a Data Protection Impact Assessment — where one might have thought that prior consultation and a formal sign off by the ICO might have been desirable.”
“But I’m very gratified to hear that a Data Protection Impact Assessment is being prepared and will be published and I think it would be very important to have a schedule on that — at least at some draft level — as obviously the technical details of the app are changing from day to day,” Edwards added.
We’ve reached out to the ICO to ask if it’s seen plans for the app or any data protection impact assessment now.
During the committee hearing, Gould was also pressed on what will happen to data sets uploaded to the central server once the app has been required. He said such data sets could be used for “research purposes”.
“There is the possibility of being able to use the data subsequently for research purposes,” he said. “We’ve said all along that the data from the app — the app will only be used for controlling the epidemic, for helping the NHS, public health and for research purposes. If we’re going to use data to ask people if we can keep their data for research purposes we will make that abundantly clear and they’ll have the choice on whether to do so.”
Gould followed up later in the session by adding that he didn’t envisage such data-sets being shared with the private sector. “This is data that will be probably under the joint data controllership of DHSC and NHS England and Improvement. I see no context in which it would be shared with the private sector,” he said, adding that UK law does already criminalize the reidentification of anonymized data.
“There are a series of protections that are in place and I would be very sorry if people started talking about sharing this data with the private sector as if it was a possibility. I don’t see it as a possibility.”
In another exchange during the session Gould told the committee the app will not include any facial recognition technology. Although he was unable to entirely rule out some role for the tech in future public health-related digital coronavirus interventions, such as related to certification of immunity.