In latest big tech antitrust push, Germany’s FCO eyes Google News Showcase fine print

The Bundeskartellamt, Germany’s very active competition authority, isn’t letting the grass grow under new powers it gained this year to tackle big tech: The Federal Cartel Office (FCO) has just announced a third proceeding against Google.

The FCO’s latest competition probe looks very interesting as it’s targeting Google News Showcase — Google’s relatively recently launched product which curates a selection of third party publishers’ content to appear in story panels on Google News (and other Google properties), content for which the tech giant pays a licensing fee.

Google started cutting content licensing deals with publishers around the world for News Showcase last year, announcing a total pot of $1BN to fund the arrangements — with Germany one of the first markets where it inked deals.

However, its motivation to pay publishers to licence their journalism is hardly pure.

It follows years of bitter accusations from media companies that Google is freeloading off their content. To which the tech giant routinely responded with stonewalling statements — saying it would never pay for content because that’s not how online aggregation works. It also tried to fob off the industry with a digital innovation fund (aka the Google News Initiative), which distributes small grants and offers free workshops and product advice, seeking to frame publishers’ decimated business models as a failure of innovation and leaving Google’s adtech machine scot-free to steamroller on.

Google’s stonewalling-plus-chicken-feeding approach worked to stave off regulatory action for a long time but eventually enough political pressure built up around the issue of media business models vs the online advertising duopoly that legislators started to make moves to try to address the power imbalance between traditional publishers and intermediating tech giants.

Most infamously in Australia, where lawmakers passed a news media bargaining code earlier this year.

Prior to its passage, both Facebook and Google, the twin targets for that law, warned the move could result in dire consequences — such as a total shutdown of their products, reduced quality or even fees to use their services.

Nothing like that happened, but lawmakers did agree to a last-minute amendment — adding a two-month mediation period to the legislation which allows digital platforms and publishers to strike deals on their own before having to enter into forced arbitration.

Critics say that allows for the two tech giants to continue to set their own terms when dealmaking with publishers, leveraging market muscle to strike deals that may disproportionately benefit Australia’s largest media firms — and doing so without any external oversight and with no guarantees that the resulting content arrangements foster media diversity and plurality or even support quality journalism.

In the EU, lawmakers acted earlier — taking the controversial route of extending copyright to cover snippets of news content back in 2019.

Following on, France was among the first EU countries to transpose the provision into national law — and its competition watchdog quickly ordered Google to pay for news reuse back in 2020 after Google tried to wiggle out of the legislation by stopping displaying snippets in the market.

Google responded to the competition authority’s order with more obfuscation, though, agreeing earlier this year to pay French publishers not only for linking to their content but also for their participation in News Showcase — bundling required-by-law payments (for news reuse) with content licensing deals of its own devising, and thereby making it difficult to understand the balance of mandatory payments vs commercial arrangements.

The problem with News Showcase is that these licensing arrangements are being done behind closed doors, in many cases ahead of relevant legislation and thus purely on Google’s terms — which means the initiative risks exacerbating concerns about the power imbalance between it and traditional publishers caught in a revenue bind as their business models have been massively disrupted by the switch to digital.

If Google suddenly offers some money for content, plenty of publishers might well jump — regardless of the terms. And perhaps especially because any publishers that hold out against licensing content to Google at the price it likes risk being disadvantaged by reduced visibility for their content, given Google’s dominance of the search market and content discoverability (via its ability to direct traffic to specific media properties, for example through how prominently News Showcase content is displayed).

The competition implications look clear.

But it’s still impressive that the Bundeskartellamt is spinning up an investigation into News Showcase so quickly.

The FCO said it’s acting on a complaint from Corint Media — looking at whether the announced integration of the Google News Showcase service into Google’s general search function is “likely to constitute self-preferencing or an impediment to the services offered by competing third parties”.

It also said it’s looking at whether contractual conditions include unreasonable terms (“to the detriment of the participating publishers”); and, in particular, “make it disproportionately difficult for them to enforce the ancillary copyright for press publishers introduced by the German Bundestag and Bundesrat in May 2021” — a reference to the transposed neighbouring right for news in the EU copyright reform.

So it will be examining the core issue of whether Google is trying to use News Showcase to undermine the new EU rights publishers gained under the copyright reform.

The FCO also said it wants to look at “how the conditions for access to Google’s News Showcase service are defined”.

Google launched News Showcase in Germany on October 1 2020, with an initial 20 media companies participating — covering 50 publications — although more have been added since.

Per the FCO, the News Showcase ‘story panels’ were initially integrated in the Google News app but can now also be found in Google News on the desktop. It also notes that Google has said the panels will soon also appear in the general Google search results — a move that will further dial up the competition dynamics around the product, given Google’s massive dominance of the search market in Europe.

Commenting on its proceeding in a statement, Andreas Mundt, president of the Bundeskartellamt, said: “Cooperating with Google can be an attractive option for publishers and other news providers and offer consumers new or improved information services. However, it must be ensured that this will not result in discrimination between individual publishers. In addition, Google’s strong position in providing access to end customers must not lead to a situation where competing services offered by publishers or other news providers are squeezed out of the market. There must be an adequate balance between the rights and obligations of the content providers participating in Google’s programme.”

Google was contacted for comment on the FCO’s action — and it sent us this statement, attributed to spokesperson Kay Oberbeck:

“Showcase is one of many ways Google supports journalism, building on products and funds that all publishers can benefit from. Showcase is an international licensing program for news — the selection of partners is based on objective and non-discriminatory criteria, and partner content is not given preference in the ranking of our results. We will cooperate fully with the German Competition Authority and look forward to answering their questions.”

The FCO’s scrutiny of Google News Showcase follows hard on the heels of two other Google proceedings it opened last month: one to determine whether or not the tech giant meets the threshold of Germany’s new competition powers for tackling big tech — and another examining its data processing practices. Both remain ongoing.

The competition authority has also recently opened a proceeding into Amazon’s market dominance — and is looking to extend another recent investigation, of Facebook’s Oculus business, by likewise determining whether the social media giant’s business meets the threshold required under the new law.

The amendment to the German Competition Act came into force in January — giving the FCO greater powers to proactively impose conditions on large digital companies who are considered to be of “paramount significance for competition across markets” in order to pre-emptively control the risk of market abuse.

That it’s taking on so many proceedings in parallel against big tech shows it’s keen not to waste any time — putting itself in a position to come forward, as quickly as possible, with proactive interventions to address competitive problems caused by platform giants just as soon as it determines it can legally do that.

The Bundeskartellamt also has a pioneering case against Facebook’s ‘superprofiling’ on its desk — which links privacy abuse to competition concerns and could drastically limit the tech giant’s ability to profile users. That investigation and case have been ongoing for years but were recently referred to Europe’s top court for an interpretation of key legal questions.


Crypto asset manager Babel raises $40M from Tiger Global, Bertelsmann and others

Three years after its inception, crypto financial service provider Babel Finance is racking up funding and partnerships from major institutional investors. The startup said Monday that it has closed a $40 million Series A round, with lead investors including Zoo Capital, Sequoia Capital China, Dragonfly Capital, Bertelsmann and its Asian fund BAI Capital, and Tiger Global Management.

For years, traditional investors were reluctant to join the cryptocurrency fray. But in 2020, Babel noticed that many institutions and high net worth individuals began to consider crypto assets as an investment class.

Babel, with offices in Hong Kong, Beijing, and Singapore, wanted to capture the window of opportunity and be one of the earliest to help allocate crypto assets in investors’ portfolios. But first, it needed to win investors’ trust. One solution is to have reputable private equity and venture capital firms on its cap table.

“It’s more of a brand boost so we can attract more institutions and build up credibility,” Babel’s spokesperson Yiwei Wang said of the firm’s latest financing, which is a strategic round as Babel had “reached profitability” and “wasn’t actively looking for funding.”

To vie for institutional customers and wealthy individuals, Babel plans to spend its fresh proceeds on product development, compliance and talent acquisition, seeking especially banking professionals and lawyers to work on regulatory requirements. It currently has a headcount of 55 employees.

Mainstream investors are jumping into the crypto scene partly because many see bitcoin as a way to hedge against “solvency and credibility risks” amid global economic uncertainties caused by Covid-19, said Wang. “Bitcoin is not something controlled by the government.”

The other trigger, Wang explained, was what shocked the industry in February: Elon Musk bought $1.5 billion in bitcoin and declared Tesla would begin accepting the digital token as payment. That sparked a massive rally around bitcoin, sending its price to over $40,000.

Babel’s evolution has been in line with the trajectory of the industry. In its early days, the startup was a “crypto-native” company offering deposit and loan products to crypto miners and traders. These days, it also runs a suite of asset management products and services tailored to enterprise clients around the world. It’s applying for relevant financial licenses in North America and Asia.

As of February, Babel’s crypto lending business had reached an outstanding balance of $2 billion in equivalent cryptocurrency, the firm says. It has served more than 500 institutional clients and sees about $8 billion in direct trading volume each month. 80% of its revenues are currently derived from institutions. The goal is to manage one million bitcoins within four years.


Could NFT auctions be moving away from Ethereum? One new group is betting they will

NFTs were arguably already taking off when Beeple sold his NFT artwork for $69m. But another crypto project attracted attention when it bought an original Banksy artwork for $95,000.

The group literally burnt the artwork and sold its NFT on the OpenSea platform for $400,000. Although the stunt was covered by CBS News, BBC News, The Guardian, and others, it did actually make a significant point.

By removing the physical piece, the group – calling itself “Burnt Banksy” – proved that the value of the piece wasn’t affected by being destroyed, given that the NFT went up so much in value.

Now that project is turning that stunt into an actual blockchain platform for art auctions.

Burnt Finance says it has raised $3 million for a decentralized auction protocol built on the Solana blockchain.

The project is being incubated by Injective Protocol (which recently raised $10 from investors and Mark Cuban, as well as Multicoin, DeFiance, Alameda, Mechanism, Vessel Capital, Hashkey, Spartan, Do Kwon (CEO of Terra), Sandeep (COO of Polygon), and others).

The reason why it’s worth mentioning all this is that in trying to auction the painting, the Burnt Banksy group stumbled on an increasing problem in the world of NFTs: the rising congestion on the Ethereum network is leading to larger and larger gas fees. This is making both the creation and bidding on NFTs increasingly expensive, just from a baseline.

As a result, the team decided to build the Burnt Finance NFT auction platform away from Ethereum and hit upon the Solana blockchain, which has comparatively good speed and performance, and lower transaction costs. It will use ‘Solana Wormhole’, which connects ETH and ERC20 tokens to SPL tokens.

A spokesperson for Burnt Finance, ‘Burnt Banksy’ told me: “Most auctions are Ethereum based, and currently the Ethereum gas fees are extremely high. It can cost you up to $70 to make an artwork, which doesn’t work if you’re selling an NFT for $50. We chose Solana mainly because of the ecosystem. It’s fast-growing, in addition to the technical aspect of it.”

There’s another reason why we may see other crypto projects move away from Ethereum as ETH rises in price and as gas fees increase: the potential for bad-faith actors in NFT auctions.

If a bad actor tries to leverage the congestion on Ethereum and manipulate the transaction fee, they might sway the results of an auction. This would be quite something, if the auction was for, say, $69 million…


DigitalOcean says customer billing data ‘exposed’ by a security flaw

DigitalOcean has emailed customers warning of a data breach involving customers’ billing data, TechCrunch has learned.

The cloud infrastructure giant told customers in an email on Wednesday, obtained by TechCrunch, that it has “confirmed an unauthorized exposure of details associated with the billing profile on your DigitalOcean account.” The company said the person “gained access to some of your billing account details through a flaw that has been fixed” over a two-week window between April 9 and April 22.

The email said customer billing names and addresses were accessed, as well as the last four digits of the payment card, its expiry date, and the name of the card-issuing bank. The company said that customers’ DigitalOcean accounts were “not accessed,” and passwords and account tokens were “not involved” in this breach.

“To be extra careful, we have implemented additional security monitoring on your account. We are expanding our security measures to reduce the likelihood of this kind of flaw occuring [sic] in the future,” the email said.

DigitalOcean said it fixed the flaw and notified data protection authorities, but it’s not clear what the apparent flaw was that put customer billing information at risk.

In a statement, DigitalOcean’s security chief Tyler Healy said 1% of billing profiles were affected by the breach, but declined to address our specific questions, including how the vulnerability was discovered and which authorities have been informed.

Companies with customers in Europe are subject to GDPR, and can face fines of up to 4% of their global annual revenue.

Last year, the cloud company raised $100 million in new debt, followed by another $50 million round, months after laying off dozens of staff amid concerns about the company’s financial health. In March, the company went public, raising about $775 million in its initial public offering.


Geico admits fraudsters stole customer driver’s license numbers for months

Geico, the second-largest auto insurer in the U.S., has fixed a security bug that let fraudsters steal customer driver’s license numbers from its website.

In a data breach notice filed with the California attorney general’s office, Geico said information gathered from other sources was used to “obtain unauthorized access to your driver’s license number through the online sales system on our website.”

The insurance giant did not say how many customers were affected by the breach but said the fraudsters accessed customer driver’s license numbers between January 21 and March 1. Companies are required to alert the state’s attorney general’s office when more than 500 state residents are affected by a security incident.

Geico said it had “reason to believe that this information could be used to fraudulently apply for unemployment benefits in your name.”

Many financially driven criminals target government agencies using stolen identities or data. But many U.S. states require a government ID — like a driver’s license — to file for unemployment benefits. To get a driver’s license number, fraudsters take public or previously breached data and exploit weaknesses in auto insurance websites to obtain a customer’s driver’s license number. That allows the fraudsters to obtain unemployment benefits in another person’s name.

Earlier this year, San Francisco-based insurance startup Metromile admitted a bug on its website was used to obtain driver’s license numbers for six months before the bug was fixed in January.

If you’ve received correspondence from your state government and haven’t filed for unemployment benefits, there’s a good chance your personal data may have been used fraudulently.

Geico spokesperson Christine Tasher did not return multiple requests for comment.


ConsenSys raises $65M from JP Morgan, Mastercard, UBS to build infrastructure for DeFi

ConsenSys, a key player in crypto and a major proponent of the Ethereum blockchain, has raised a $65 million funding round from J.P. Morgan, Mastercard, and UBS AG, as well as major blockchain companies Protocol Labs, the Maker Foundation, Fenbushi, The LAO and Alameda Research. Additional investors include CMT Digital and the Greater Bay Area Homeland Development Fund. As well as fiat, several funds invested with Ethereum-based stablecoins, DAI and USDC, as consideration.

Sources told TechCrunch that this is an unpriced round because of the valuation risk, and the funding instrument is “full”, so the round is being closed now.

The fundraise looks like a highly strategic one, based around the idea that traditional institutions will need visibility into the increasingly influential world of ‘decentralized finance’ (DeFi) and the Web3 applications being developed on the Ethereum blockchain.

In a statement on the fundraise, ConsenSys said it has been through a “period of strategic evolution and growth”, but most outside observers would agree that this is something of an understatement.

After a period of quite a lot of ‘creative disruption’, to put it mildly (at one point a couple of years ago, ConsenSys seemed to have everything from a VC fund, to an accelerator, to multiple startups under its wing), the company has restructured to form two main arms: ConsenSys, the core software business; and ConsenSys Mesh, the investment arm, incubator, and portfolio. It also acquired the Quorum product from J.P. Morgan, which has given it a deeper bench in the enterprise blockchain ecosystem. This means it now has a very key product suite for the Ethereum platform, including products such as Codefi, Diligence, Infura, MetaMask, Truffle, and Quorum.

This suite allows it to serve both public and private permissioned blockchain networks. It can also support Layer 2 Ethereum networks, as well as facilitate access to adjacent protocols like IPFS, Filecoin, and others. ConsenSys is also a major contributor to the Ethereum 2.0 project, for obvious reasons.

Commenting on the fundraise, Joseph Lubin, founder of ConsenSys and co-founder of Ethereum, said in a statement: “When we set out to raise a round, it was important to us to patiently construct a diverse cap table, consistent with our belief that similar to how the web developed, the whole economy would join the revolutionaries on a next-generation protocol. ConsenSys’ software stack represents access to a new automated objective trust foundation enabled by decentralized protocols like Ethereum. We are proud to partner with preeminent financial firms alongside leading crypto companies to further converge the centralized and decentralized financial domains at this particularly exciting time of growth for ConsenSys and the entire industry.”

With financial institutions able to see DeFi happening ‘in public’ on Ethereum, because it is a public chain, they can see how much of the financial system is gradually starting to merge with the blockchain world. So it’s becoming clearer what attracts these major institutions.

Mike Dargan, Head of Group Technology at UBS said: “Our investment in ConsenSys adds proven expertise in distributed ledger technology to our UBS Next portfolio.”

For Mastercard this appears to be not just a pure investment – ConsenSys has been working with it on a private permissioned network.

Raj Dhamodharan, executive vice president of digital asset and blockchain products and partnerships at Mastercard said: “Enterprise Ethereum is a key infrastructure on which we and our partners are building payment and non-payment applications to power the future of commerce… Our investment and partnership with ConsenSys helps us bring secure and performant Enterprise Ethereum capabilities to our customers.”

Colleen Sullivan, Co-Founder and CEO of CMT Digital said: “ConsenSys is the pioneer in bridging the gaps across traditional finance, centralized crypto, and DeFi, and more broadly, between Web 2.0 and Web 3.0. We are proud to participate in this funding round as the ConsenSys team continues to pave the way for global users — retail and institutional — to easily access the crypto ecosystem.”

TechCrunch understands that the fundraise was started around the time of the Quorum acquisition, last June. The $65 million round is in majority fiat currency as opposed to cryptocurrency and is an adjunct to the round done with JP Morgan last summer.

The presence of significant crypto players such as Maker and Protocol Labs shows the significance of the fundraise, beyond the simple transaction. The announcement also comes just ahead of the Coinbase IPO, which makes for interesting timing.

ConsenSys’ products have become highly significant in the world where developers, enterprises, and consumers meet blockchain and crypto. In its statement, the company claims MetaMask now has over three million monthly active users across mobile and desktop, a 3x increase in the last five or six months. This is roughly the same number of monthly active customers as Coinbase.

The ConsenSys announcement comes just ahead of the Coinbase IPO. While Coinbase is acting as an exchange to turn fiat into crypto and vice versa, it has also been getting into DeFi of late. Where there are also resemblances with ConsenSys is that Coinbase, with 3 million users, is used as a wallet, and MetaMask, which also has 3 million users, can also be used as a wallet. The comparison ends there, but it’s certainly interesting, given Coinbase’s $100 billion valuation.

As Jeremy Millar, Chief Development Officer, told me: “Coinbase has pioneered an exchange, in one of the world’s most regulated financial markets, the US. And it has helped drive significant interest in the space. We enjoy a very positive relationship with Coinbase, trying to further enable the ecosystem and adoption of the technology.”

The background to this raise is that a lot of early-stage blockchain and crypto companies have been raising a lot of money recently, but much of this has been through crypto investment firms. Only a handful of Silicon Valley VCs are backing blockchain, such as Andreessen Horowitz.

What’s interesting about this announcement is that these incumbent financial giants are not only taking an interest, but working alongside ConsenSys to both invest and build products on Ethereum.

It’s ConsenSys’ view that every payment service provider and bank will need this financial infrastructure in the future, especially for DeFi.

Given there is roughly $43 billion collateralized in DeFi, it’s increasingly the case that major investors are involved, and there are increasingly higher returns than traditional yields, such as bond yields.

The moves by central banks into digital currencies are also forcing companies and governments to realize that digital currency, and the ‘blockchain rails’ on which it runs, is here to stay. This is what is suggested by the decision of the Greater Bay Area Homeland Development Fund (a Shenzhen / Hong Kong joint partnership) to get involved.

Another aspect of this story is that ConsenSys is sitting on some extremely powerful products. ConsenSys has six products that serve three different types of people.

Service developers who are building on Ethereum are using Truffle to develop smart contracts. Users joining the NFT hype are using MetaMask underneath it all.

The MetaMask wallet allows users to swap one token for another. This has proved quite lucrative for ConsenSys, which says it has resulted in $1.8 billion in volume in decentralized exchange use. ConsenSys takes a 0.875 percent cut on every swap that it serves.

And institutions are using ConsenSys’ products. The company says more than 150,000 developers use Infura’s APIs, and 4.5 million developers create and deploy smart contracts using Truffle, while its Protocols group — developer of Hyperledger Besu and ConsenSys Quorum — is building Central Bank Digital Currencies (CBDCs) for six central banks, says ConsenSys.

ConsenSys is also making hay with the NFT boom. Developers are using ConsenSys products for the nodes and infrastructure on Ethereum which store the NFT files.

ConsenSys is also riding two waves. One is the developer wave and the other is the financial system wave.

As a spokesperson said: “Where the interest in money and invention started happening was on public networks like Ethereum. So we really believe that these are converging and they will continue to, and every one of our products offers public main net compatibility because we think this is the future.”

Millar added: “If we want to help the world adopt the technology we need to meet it at its adoption point, which for many large enterprises means inside the firewall first. But similarly, we think, just like the public Internet, the real value – the disruptive value – changes the ability to do this on a broader permissionless basis, especially when you have sufficient privacy and authentication available.”


Education non-profit Edraak ignored a student data leak for two months

Edraak, an online education non-profit, exposed the private information of thousands of students after uploading student data to an unprotected cloud storage server, apparently by mistake.

The non-profit, founded by Jordan’s Queen Rania and headquartered in the kingdom’s capital, was set up in 2013 to promote education across the Arab region. The organization works with several partners, including the British Council and edX, a consortium set up by Harvard, Stanford, and MIT.

In February, researchers at U.K. cybersecurity firm TurgenSec found one of Edraak’s cloud storage servers containing at least tens of thousands of students’ data, including spreadsheets with students’ names, email addresses, gender, birth year, country of nationality, and some class grades.

TurgenSec, which runs Breaches.UK, a site for disclosing security incidents, alerted Edraak to the security lapse. A week later, their email was acknowledged by the organization but the data continued to spill. Emails seen by TechCrunch show the researchers tried to alert others who worked at the organization via LinkedIn requests, and its partners, including the British Council.

Two months passed and the server remained open. At its request, TechCrunch contacted Edraak, which closed the servers a few hours later.

In an email this week, Edraak chief executive Sherif Halawa told TechCrunch that the storage server was “meant to be publicly accessible, and to host public course content assets, such as course images, videos, and educational files,” but that “student data is never intentionally placed in this bucket.”

“Due to an unfortunate configuration bug, however, some academic data and student information exports were accidentally placed in the bucket,” Halawa confirmed.

“Unfortunately our initial scan did not locate the misplaced data that made it there accidentally. We attributed the elements in the Breaches.UK email to regular student uploads. We have now located these misplaced reports today and addressed the issue,” Halawa said.

The server is now closed off to public access.

It’s not clear why Edraak ignored the researchers’ initial email, which disclosed the location of the unprotected server, or why the organization’s response was not to ask for more details. When reached, British Council spokesperson Catherine Bowden said the organization received an email from TurgenSec but mistook it for a phishing email.

Edraak’s CEO Halawa said that the organization had already begun notifying affected students about the incident, and put out a blog post on Thursday.

Last year, TurgenSec found an unencrypted customer database belonging to U.K. internet provider Virgin Media that was left online by mistake, containing records linking some customers to adult and explicit websites.

Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more


US indicts California man accused of stealing Shopify customer data

A grand jury has indicted a California resident accused of stealing Shopify customer data on over a hundred merchants, TechCrunch has learned.

The indictment charges Tassilo Heinrich with aggravated identity theft and conspiracy to commit wire fraud, alleging that he worked with two Shopify customer support agents to steal merchant and customer data from Shopify customers in order to gain a competitive edge and “take business away from those merchants,” the indictment reads. The indictment also accuses Heinrich, believed to have been around 18 years old at the time of the alleged scheme, of selling the data to other co-conspirators to commit fraud.

A person with direct knowledge of the security breach confirmed Shopify was the unnamed victim company referenced in the indictment.

Last September, Shopify, an online e-commerce platform for small businesses, revealed a data breach in which two “rogue members” of its third-party customer support team obtained data on “less than 200 merchants.” Shopify said it fired the two contractors for engaging “in a scheme to obtain customer transactional records of certain merchants.”

Shopify said the contractors stole customer data, including names, postal addresses and order details, like which products and services were purchased. One merchant who received the data breach notice from Shopify said the last four digits of affected customers’ payment cards were also taken, which the indictment confirms.

Another one of the victims was Kylie Jenner’s cosmetics and make-up company, Kylie Cosmetics, the BBC reported.

The indictment accuses Heinrich of paying an employee of a third-party customer support company in the Philippines to access parts of Shopify’s internal network and exfiltrate data, either by taking screenshots or by uploading the data to Google Drive, in exchange for kickbacks. Heinrich paid the employee with thousands of dollars’ worth of cryptocurrency, and also with fake positive reviews purporting to come from merchants the employee had served but who had not left feedback. The indictment alleges that Heinrich received a year’s worth of some merchants’ data.

Heinrich allegedly spent at least a year siphoning off increasing amounts of data from Shopify’s internal network, at one point asking if he could “remotely access” the customer support employee’s computer while they were asleep.

Heinrich was arrested by the FBI at Los Angeles International Airport in February, and is currently detained in federal custody pending trial, set to begin on September 7. Heinrich has pleaded not guilty.

A Shopify spokesperson did not respond to a request for comment.


How Jamaica failed to handle its JamCOVID scandal

As governments scrambled to lock down their populations after the COVID-19 pandemic was declared last March, some countries had plans underway to reopen. By June, Jamaica became one of the first countries to open its borders.

Tourism represents about one-fifth of Jamaica’s economy. In 2019 alone, four million travelers visited Jamaica, bringing thousands of jobs to its three million residents. But as COVID-19 stretched into the summer, Jamaica’s economy was in free fall, and tourism was its only way back — even if that meant at the expense of public health.

The Jamaican government contracted with Amber Group, a technology company headquartered in Kingston, to build a border entry system allowing residents and travelers back onto the island. The system was named JamCOVID and was rolled out as an app and a website to allow visitors to get screened before they arrive. To cross the border, travelers had to upload a negative COVID-19 test result to JamCOVID before boarding their flight from high-risk countries, including the United States.

Amber Group’s CEO Dushyant Savadia boasted that his company developed JamCOVID in “three days” and that it effectively donated the system to the Jamaican government, which in turn pays Amber Group for additional features and customizations. The rollout appeared to be a success, and Amber Group later secured contracts to roll out its border entry system to at least four other Caribbean islands.

But last month TechCrunch revealed that JamCOVID exposed immigration documents, passport numbers, and COVID-19 lab test results on close to half a million travelers — including many Americans — who visited the island over the past year. Amber Group had set the access to the JamCOVID cloud server to public, allowing anyone to access its data from their web browser.
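Both the Edraak bucket above (intended to be public for course media, but holding student data exports) and the JamCOVID server (set to public outright) are the same failure class: a storage bucket whose policy or ACL grants read access to everyone, with sensitive objects inside it. The following is an added example, not code from Edraak, Amber Group or TechCrunch. It evaluates an S3-style bucket policy and ACL grant list passed in as plain dicts (the shapes the AWS API returns), and then scans an object listing for keys that look like data exports rather than course assets. The sample policy, grants and keys are constructed, and the "sensitive key" naming patterns are an assumption for illustration.

```python
"""Audit a bucket for public read access and for misplaced sensitive objects.

Added example; not the code of any organisation named in the article.
Inputs are plain dicts/lists so the script runs offline.  It does NOT model
S3 Block Public Access (which overrides policy and ACL) or Deny statements;
a positive result here means "this policy/ACL, on its own, opens the bucket".
"""
import fnmatch
import re

PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

# Assumed naming conventions for objects that should never sit in a public
# bucket: tabular/database dumps, and anything that sounds like a student or
# user export.  Tune to your own naming scheme.
SENSITIVE_KEY_PATTERNS = [
    re.compile(r"\.(csv|xlsx?|sql|bak|json)$", re.IGNORECASE),
    re.compile(r"(export|dump|grades|enrol|student|users?)", re.IGNORECASE),
]


def _principal_is_public(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means 'anyone, including anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def policy_public_read(policy: dict) -> bool:
    """True if any Allow statement grants a read action to a public principal."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Exact match on known read actions, plus wildcard forms like "s3:Get*".
        if any(a in READ_ACTIONS or fnmatch.fnmatch("s3:GetObject", a) for a in actions):
            return True
    return False


def acl_public_read(grants: list) -> bool:
    """True if the legacy ACL grants READ/FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for g in grants:
        grantee = g.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_ACL_URIS
                and g.get("Permission") in {"READ", "FULL_CONTROL"}):
            return True
    return False


def flag_sensitive_keys(keys) -> list:
    """Return, in listing order, the object keys that match a sensitive-name pattern."""
    return [k for k in keys if any(p.search(k) for p in SENSITIVE_KEY_PATTERNS)]


def audit_bucket(policy: dict, grants: list, keys) -> dict:
    via = []
    if policy_public_read(policy):
        via.append("policy")
    if acl_public_read(grants):
        via.append("acl")
    return {"public_read": bool(via), "via": via, "suspect_keys": flag_sensitive_keys(keys)}


# --- constructed sample input (not real Edraak or JamCOVID data) ---
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::course-assets/*",
    }],
}
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
SAMPLE_KEYS = [
    "courses/intro/lesson1.mp4",
    "courses/intro/thumb.png",
    "reports/student_grades_export.csv",
    "uploads/assignments/essay.pdf",
    "backup/db.sql",
]

if __name__ == "__main__":
    result = audit_bucket(SAMPLE_POLICY, SAMPLE_GRANTS, SAMPLE_KEYS)
    print(result)
```

The point of pairing the two checks is Halawa's own account: the bucket was public by design, so the question that mattered was not "is it public?" but "what is in it?". A listing scan like `flag_sensitive_keys` is what the "initial scan" he describes needed to include; with a real bucket, feed it the keys from a paginated `ListObjectsV2` call rather than the constructed list.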

Whether the data exposure was caused by human error or negligence, it was an embarrassing mistake for a technology company — and, by extension, the Jamaican government — to make.

And that might have been the end of it. Instead, the government’s response became the story.

A trio of security lapses

By the end of the first wave of coronavirus, contact tracing apps were still in their infancy and few governments had plans in place to screen travelers as they arrived at their borders. It was a scramble for governments to build or acquire technology to understand the spread of the virus.

Jamaica was one of a handful of countries using location data to monitor travelers, prompting rights groups to raise concerns about privacy and data protection.

As part of an investigation into a broad range of these COVID-19 apps and services, TechCrunch found that JamCOVID was storing data on an exposed, passwordless server.

This wasn’t the first time TechCrunch found security flaws or exposed data through our reporting. It also was not the first pandemic-related security scare. Israeli spyware maker NSO Group left real location data on an unprotected server that it used for demonstrating its new contact tracing system. Norway was one of the first countries with a contact tracing app, but pulled it after the country’s privacy authority found the continuous tracking of citizens’ location was a privacy risk.

Just as we have with any other story, we contacted who we thought was the server’s owner. We alerted Jamaica’s Ministry of Health to the data exposure on the weekend of February 13. But after we provided specific details of the exposure to ministry spokesperson Stephen Davidson, we did not hear back. Two days later, the data was still exposed.

After we spoke to two American travelers whose data was spilling from the server, we narrowed down the owner of the server to Amber Group. We contacted its chief executive Savadia on February 16, who acknowledged the email but did not comment, and the server was secured about an hour later.

We ran our story that afternoon. After we published, the Jamaican government issued a statement claiming the lapse was “discovered on February 16” and was “immediately rectified,” neither of which were true.


Instead, the government responded by launching a criminal investigation into whether there was any “unauthorized” access to the unprotected data that led to our first story, which we perceived to be a thinly veiled threat directed at this publication. The government said it had contacted its overseas law enforcement partners.

When reached, a spokesperson for the FBI declined to say whether the Jamaican government had contacted the agency.

Things didn’t get much better for JamCOVID. In the days that followed the first story, the government engaged a cloud and cybersecurity consultant, Escala 24×7, to assess JamCOVID’s security. The results were not disclosed, but the company said it was confident there was “no current vulnerability” in JamCOVID. Amber Group also said that the lapse was a “completely isolated occurrence.”

A week went by and TechCrunch alerted Amber Group to two more security lapses. A security researcher who saw the first report found private keys and passwords for JamCOVID’s servers and databases exposed in files published on its website, and a third lapse spilled quarantine orders for more than half a million travelers.
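Credentials exposed in files served by a website are found the same way a researcher would find them: fetch the site's assets and run them through secret-detection patterns. The following is an added example, not the researcher's tool or any code from Amber Group. It scans a set of file contents for PEM private keys, AWS access keys, database URLs that embed a password, and generic `password=`/`apiKey:` assignments, reporting each hit with the value redacted. The asset contents below are constructed (the AWS values are Amazon's documented placeholder examples); nothing here is JamCOVID's data, and the file names are illustrative.

```python
"""Scan web asset contents for leaked credentials.

Added example; not the code of the researcher or of Amber Group.  Works on
in-memory text so it runs offline; in practice you would feed it the bodies
of every JS bundle, config file and backup file reachable on the site.
"""
import re

# (kind, compiled pattern).  Group 1 of each pattern is the secret to redact.
SECRET_PATTERNS = [
    ("pem-private-key",
     re.compile(r"(-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)")),
    ("aws-access-key-id",
     re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws-secret-access-key",
     re.compile(r"(?i)aws_secret_access_key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})")),
    ("db-url-with-password",
     re.compile(r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:/\s]+:([^@\s]+)@")),
    ("generic-credential",
     re.compile(r"(?i)\b(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"]?([^'\"\s,;]{6,})")),
]


def redact(value: str) -> str:
    """Keep a short prefix so findings can be de-duplicated without re-exposing the secret."""
    return value[:4] + "..." + f"({len(value)} chars)"


def scan_text(path: str, text: str) -> list:
    """Return one finding dict per (line, pattern) hit in the given file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            for m in pattern.finditer(line):
                findings.append({
                    "path": path, "line": lineno, "kind": kind,
                    "value": redact(m.group(1)),
                })
    return findings


def scan_assets(assets: dict) -> list:
    """Scan a {path: contents} mapping, e.g. everything crawled from a site."""
    out = []
    for path, text in assets.items():
        out.extend(scan_text(path, text))
    return out


# --- constructed sample assets; none of this is real JamCOVID material ---
SAMPLE_ASSETS = {
    "static/js/app.bundle.js": (
        "// password reset handled server-side\n"
        'const cfg = { apiKey: "abcd1234efgh5678", endpoint: "https://api.example.invalid" };\n'
    ),
    "config.json": '{"db": "postgres://app:Sup3rS3cret@db.internal:5432/travel"}\n',
    "static/.env.backup": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "keys/deploy.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    for f in scan_assets(SAMPLE_ASSETS):
        print(f"{f['path']}:{f['line']}  {f['kind']}  {f['value']}")
```

The comment line `// password reset handled server-side` is there deliberately: the generic pattern requires an assignment operator after the keyword, so prose mentions of "password" do not fire. A backup file such as `.env.backup` and a `.pem` left under the web root are the typical shapes of the lapse the article describes; a crawler that enumerates those paths is the other half of the tool and is not shown here.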

Amber Group and the government claimed it faced “cyberattacks, hacking and mischievous players.” In reality, the app was just not that secure.

Politically inconvenient

The security lapses come at a politically inconvenient time for the Jamaican government, as it attempts to launch a national identification system, or NIDS, for the second time. NIDS will store biographic data on Jamaican nationals, including their biometrics, such as their fingerprints.

The repeat effort comes two years after the government’s first NIDS law was struck down by Jamaica’s High Court as unconstitutional.

Critics have cited the JamCOVID security lapses as a reason to drop the proposed national database. A coalition of privacy and rights groups cited the recent issues with JamCOVID for why a national database is “potentially dangerous for Jamaicans’ privacy and security.” A spokesperson for Jamaica’s opposition party told local media that there “wasn’t much confidence in NIDS in the first place.”

It’s been more than a month since we published the first story and there are many unanswered questions, including how Amber Group secured the contract to build and run JamCOVID, how the cloud server became exposed, and if security testing was conducted before its launch.

TechCrunch emailed both the Jamaican prime minister’s office and Jamaica’s national security minister Matthew Samuda to ask how much, if anything, the government donated or paid to Amber Group to run JamCOVID and what security requirements, if any, were agreed upon for JamCOVID. We did not get a response.

Amber Group also has not said how much it has earned from its government contracts. Amber Group’s Savadia declined to disclose the value of the contracts to one local newspaper. Savadia did not respond to our emails with questions about its contracts.

Following the second security lapse, Jamaica’s opposition party demanded that the prime minister release the contracts that govern the agreement between the government and Amber Group. Prime Minister Andrew Holness said at a press conference that the public “should know” about government contracts but warned “legal hurdles” may prevent disclosure, such as for national security reasons or when “sensitive trade and commercial information” might be disclosed.

That came days after local newspaper The Jamaica Gleaner had a request for contracts revealing the salaries of state officials denied by the government, under a legal clause that prevents the disclosure of an individual’s private affairs. Critics argue that taxpayers have a right to know how much government officials are paid from public funds.

Jamaica’s opposition party also asked what was done to notify victims.

Government minister Samuda initially downplayed the security lapse, claiming just 700 people were affected. We scoured social media for proof but found nothing. To date, we’ve found no evidence that the Jamaican government ever informed travelers of the security incident — either the hundreds of thousands of affected travelers whose information was exposed, or the 700 people that the government claimed it notified but has not publicly released.

TechCrunch emailed the minister to request a copy of the notice that the government allegedly sent to victims, but we did not receive a response. We also asked Amber Group and Jamaica’s prime minister’s office for comment. We did not hear back.

Many of the victims of the security lapse are from the United States. Neither of the two Americans we spoke to in our first report were notified of the breach.

Spokespeople for the attorneys general of New York and Florida, whose residents’ information was exposed, told TechCrunch that they had not heard from either the Jamaican government or the contractor, despite state laws requiring data breaches to be disclosed.

The reopening of Jamaica’s borders came at a cost. The island saw over a hundred new cases of COVID-19 in the month that followed, the majority arriving from the United States. From June to August, the number of new coronavirus cases went from tens to dozens to hundreds each day.

To date, Jamaica has reported over 39,500 cases and 600 deaths caused by the pandemic.

Prime Minister Holness reflected on the decision to reopen the borders last month in parliament, while announcing the country’s annual budget. He said the country’s economic decline last year was “driven by a massive 70% contraction in our tourist industry.” More than 525,000 travelers — both residents and tourists — have arrived in Jamaica since the borders opened, Holness said, a figure slightly more than the number of travelers’ records found on the exposed JamCOVID server in February.

Holness defended reopening the country’s borders.

“Had we not done this the fall out in tourism revenues would have been 100% instead of 75%, there would be no recovery in employment, our balance of payment deficit would have worsened, overall government revenues would have been threatened, and there would be no argument to be made about spending more,” he said.

Both the Jamaican government and Amber Group benefited from opening the country’s borders. The government wanted to revive its falling economy, and Amber Group enriched its business with fresh government contracts. But neither paid enough attention to cybersecurity, and victims of their negligence deserve to know why.


Microsoft gets contract worth up to $22 billion to outfit U.S. Army with 120,000 AR headsets

The killer use case for AR/VR might just be warfare.

Today, Microsoft announced that it’s won a contract to outfit the United States Army with tens of thousands of augmented reality headsets based on the company’s HoloLens tech. This contract could be worth as much as $21.88 billion over 10 years, the company says.

Microsoft will be fulfilling an order for 120,000 AR headsets for the Army based on its Integrated Visual Augmentation System (IVAS) design.

“The program delivers enhanced situational awareness, enabling information sharing and decision-making in a variety of scenarios,” a blog post from Microsoft’s Alex Kipman reads.

The contract builds on the two-year, $480 million contract that Microsoft won back in 2018 to outfit the U.S. Army with augmented reality tech. At the time, the contract detailed that the deal could potentially result in follow-on orders of more than 100,000 headsets. “Augmented reality technology will provide troops with more and better information to make decisions. This new work extends our longstanding, trusted relationship with the Department of Defense to this new area,” a Microsoft spokesperson said in a statement sent to TechCrunch at the time.

Microsoft says this announcement marks the transition from prototyping these designs to producing and rolling them out in the field.

This is a massive scale-up for augmented reality tech that has seen few large-scale rollouts and gives Microsoft a government contractor budget to tackle base technology problems that could scale down to consumer and enterprise-level devices in the future. Many of the industry’s biggest players in augmented reality have been reluctant or outspoken in their avoidance of military contracts but Microsoft has remained undeterred in competing for these contracts.


US cuts trade ties to Myanmar, risking internet outages

The U.S. government has cut trade ties to Myanmar, two months after the country’s military staged a coup overthrowing the country’s president and its de facto leader, Aung San Suu Kyi, and killed at least 200 protesters in the crackdown that followed.

In a statement, U.S. Trade Representative Katherine Tai said the trade suspension would be “effective immediately” and will remain in place “until the return of a democratically elected government.”

“The United States supports the people of Burma in their efforts to restore a democratically elected government, which has been the foundation of Burma’s economic growth and reform,” said Tai. “The United States strongly condemns the Burmese security forces’ brutal violence against civilians. The killing of peaceful protestors, students, workers, labor leaders, medics, and children has shocked the conscience of the international community. These actions are a direct assault on the country’s transition to democracy and the efforts of the Burmese people to achieve a peaceful and prosperous future,” the statement read.

Myanmar (also known as Burma) and the U.S. began trading in 2013 following the easing of U.S. sanctions a year earlier after elections saw Suu Kyi’s party win by a landslide.

The trade suspension is designed to target the ruling military junta, but leaves millions of internet users across Myanmar in uncertainty as U.S. cloud and internet companies wrangle with the U.S. government order, at a time where protesters are struggling to stay online amid government-ordered internet shutdowns across the country.

Myanmar already blocked Facebook, Twitter, and Instagram “until further notice.”

Sanctions are designed to prevent the shipping of goods, money and certain services to other countries. Companies operating in the U.S. have to follow U.S. sanctions or face heavy financial penalties. ZTE pleaded guilty in 2017 to violating U.S. sanctions against Iran by knowingly shipping products to the country, and agreed to pay a near-$1 billion fine.

But cloud companies fall into a gray area and have different interpretations of the rules. Quartz reported in 2016 that internet users across Syria, Cuba, and Iran — all subject to U.S. trade sanctions — couldn’t access sites hosted by IBM, because the U.S. cloud host blocked visitors from those countries from accessing its services. Rackspace and Linode, two other large cloud providers, do not block internet traffic to users in embargoed countries but instead prevent users from those countries from signing up for their services.

Myanmar has about 17 million internet users, some 30% of the wider population. A spokesperson for the Office of the U.S. Trade Representative did not immediately return a request for comment.


FatFace tells customers to keep its data breach ‘strictly private’

Clothing giant FatFace had a data breach, but doesn’t want you to tell anyone about it.

The company sent an email to customers this week disclosing that it first detected a breach on January 17. A hacker made off with the customer’s name, email and postal address, and the last four digits of their payment card. “Full payment card information was not compromised,” the notice reiterated.

But despite going out to thousands of customers, the email said to “keep this email and the information included within it strictly private and confidential,” an entirely unenforceable request.

Under U.K. data protection law, a company must report a data breach to the regulator within 72 hours of becoming aware of it, and notify affected individuals without undue delay when the breach is likely to pose a high risk to them, but there is no legal requirement on the customer to keep the information confidential. It didn’t take long for the company to face flak from the public. The company didn’t have much to say in response, asking instead to “DM us with any questions.”

In a statement sent via crisis communications firm Kekst CNC, FatFace said: “The notification email was marked private and confidential due to the nature of the communication, which was intended for the individual concerned. Given its contents, we wanted to make this clear, which is why we marked it private and confidential.” (FatFace declined to attribute the statement to a named spokesperson.)

TechCrunch obtained a near-identical email sent to staff from a former employee who asked not to be named. The email to employees was largely the same as the customer email, but warned that staff may have had their bank account information and their National Insurance numbers — the U.K. equivalent of Social Security numbers — compromised.

FatFace said it had contacted “a select number of employees, former employees and customers” and was “providing appropriate guidance and support,” but would not say specifically how many customers and employees were affected by the breach.


Swell Energy’s new deal in New York shows how the company plans to spend the $450 million it’s raising

Back in December, Swell Energy said it would be raising $450 million to support the development of distributed power projects in three states. Now, with the announcement of a deal between the venture-backed startup and New York City’s utility, ConEd, industry watchers can get a glimpse of what those projects may look like.

The Los Angeles-based company has a new residential solar plus energy storage program for homeowners in Queens that’s going to be rolled out in partnership with ConEd.

It’s a project that will create solar-powered home batteries for eligible ConEd customers.

New York is targeting the rollout of 3 gigawatts of installed energy storage capacity by 2030, with a goal of moving the entire state’s electricity grid to zero emissions by 2040.

With the ConEd project, the city is hoping to create backup power for customers in Queens that they can tap independently of the energy grid’s own resources, which should free up power for customers that don’t have the energy storage tech.

Homeowners that participate in the project may qualify for incentives that lower the cost of the systems, which are initially being offered to residents of Forest Park, Glendale, Hunters Point, Long Island City, Maspeth, Middle Village, Ridgewood, Sunnyside, and parts of adjacent neighborhoods in Queens.

The New York virtual power plant differs from other initiatives from Swell in that it provides available capacity to specific distribution circuits on the grid to reduce customer demand on circuits during network overload periods, according to a Swell spokesperson.

With the virtual power plant, ConEd won’t need to build out new transmission and distribution infrastructure, but can still ensure network reliability. It’s what’s called a “non-wires solution” to the demand problem, Swell’s spokesperson said.

By contrast, the company’s Hawaii projects provide system-level capacity and frequency regulation, and the California program with Southern California Edison provides demand-response capacity for baseload energy management and overall load growth in the area where it operates.


WeWork unbundles its products in an attempt to make itself over, but will the strategy work?

For years, there was a debate as to whether WeWork was a tech company or more of a real estate play. At first, most people viewed WeWork as a real estate startup disguised as a tech startup.

And as it kept scooping up more and more property, the lines continued to blur. Then we all watched as the company’s valuation plummeted and its IPO plans went up in smoke. Today, WeWork is rumored to be going public via a SPAC at a $10 billion valuation, down significantly from the $47 billion it was valued at after raising $1 billion in its SoftBank-led Series H round in January 2019.

Co-founder and then-CEO Adam Neumann notoriously stepped down later that year amid allegations of a toxic combination of arrogance and poor management. WeWork has since been very publicly trying to redeem itself and turn around investor — and public — perception.

Chairman Marcelo Claure kicked off a strategic, five-year turnaround plan in earnest in February 2020. That same month, the beleaguered company named a real estate — not tech — exec as its new CEO, a move that set tongues wagging.

WeWork also set a target of becoming free cash flow positive by 2022 as part of its plan, which was aimed at both boosting its valuation and winning back investor trust.

It likely saw the demise of competitor Knotel, which ended up filing for bankruptcy and selling assets to an investor, and realized it needed to learn from some of that company’s mistakes.

The question now is: Has WeWork legitimately turned a corner? 

Since the implementation of its turnaround plan, the company says it has exited out of over 100 pre-open or underperforming locations. (It still has over 800 locations globally, according to its website.) WeWork has also narrowed its net loss to $517 million in Q3 2020 from $1.2 billion in the third quarter of 2019. 

Meanwhile, revenue has taken a hit, presumably due to the impact of the coronavirus. Revenue slumped to $811 million in the 2020 third quarter, compared with $934 million in Q3 2019.

The pandemic presented WeWork with challenges, but also — some might say — opportunity.

With so many people being forced to work from home and to avoid others during the work day, the office space market in general struggled. WeWork either had to adapt, or potentially deal with a bigger blow to its valuation and bottom line.

WeWork’s dilemma is similar to those of real estate companies around the world. With so many companies shifting to remote work not just temporarily, but also permanently, landlords everywhere have had to adjust.

For example, as McKinsey recently pointed out, all landlords have been forced to be more flexible and restructure tenant leases. So in effect, anyone operating commercial real estate space has had to become more flexible, just as WeWork has.

For its part, WeWork has taken a few steps to adapt. For one, it realized its membership-only plan was not going to work anymore, and a dip in membership was evidence of that. So, it worked to open its buildings to more people through new On Demand and All Access options. The goal was to give people who were weary of working out of their own homes a place to go, say one day a week, to work. WeWork also saw an opportunity to work with companies to offer up its office space as a perk via an All Access offering, as well as with universities that wanted to give their students an alternative place to study. 

For example, Georgetown did a pretty unique partnership with WeWork to have one of its locations serve as “their replacement library and common space.” And, companies like Brandwatch have recently shifted from leveraging WeWork’s traditional spaces to instead offer employees access to WeWork locations around the globe via All Access passes. 

WeWork has also launched new product features. At the beginning of the year, the company launched the ability to book space on the weekend and outside of business hours. 

The unbundling of space

I talked with Prabhdeep Singh, WeWork’s global head of marketplace, who is overseeing the new products and also spearheading WeWork’s shift online, to learn more about the company’s new strategy.

“What we’ve essentially done is unbundle our space,” he said. “It used to be that the only way to enjoy our spaces was via a bundled subscription product and monthly memberships. But we realized with COVID, the world was shifting, and [we needed] to open up our platform to a broader group of people and make it as flexible as humanly possible. So they can now book a room for a half hour or get a day pass, for example. The use cases are so wide.”

Since On Demand launched as a pilot in New York City in August 2020, demand has steadily been climbing, according to Singh. So far, reservations are up by 65% — and revenue up by 70% — over the 2020 fourth quarter. But of course, it’s still early and they were starting from a small base. Nearly two-thirds of On Demand reservations are made by repeat customers, he added.

“Over the last year and a half, we’ve been really figuring out what things we want to focus on [and] what things we don’t,” Singh said. “As a flexible space provider, we are looking at where the world is going. And while we’re a small part of the whole commercial office space industry, we are working to use technology to enable a flexible workspace experience via a great app and the digitization of our spaces.”

For now, things seem to be looking up some. In February, WeWork says it had nearly twice as many active users compared to January. Also, people apparently like having the option to come in at off hours. Weekend bookings now account for an estimated 14.5% of total bookings.

Nearly twice as many existing members purchased All Access passes in February compared to January, to complement their existing private office space during COVID, the company said.

At the beginning of the COVID-19 pandemic, WeWork saw a higher departure rate among small and medium-sized businesses (SMBs) than among its enterprise members, partially due to the nature of their businesses and the need to manage cash flow more immediately, the company said. But in the third quarter of 2020, SMB desk sales were up 50% over the second quarter.

Interestingly, throughout the pandemic, WeWork has seen its enterprise segment grow at nearly double the rate of its SMBs, now making up over half of the company’s total membership base.

While it’s slowing down investing in new real estate assets in certain markets, it is still working to “right-size” its portfolio via exits.

And, when it comes to its finances, as of March 2, WeWork said its bonds were trading at the highest point since the summer of 2019, when the company failed to go public. That’s way up from a 52-week low of about 28%.

“At ~92% for a ~10% yield, the creditor sentiment is clearly positive and a testament to the overall market’s belief that WeWork’s flexible workspace product has a viable future in the future of real estate,” a spokesperson told TechCrunch.

Just last March, WeWork’s bonds were trading at 43 cents on the dollar and S&P Global had lowered WeWork’s credit rating further into junk territory and put the company on watch for further downgrades, reported Forbes.

Still, the company is not done adapting. Singh told TechCrunch that to make WeWork’s value proposition even stronger, it’s working to offer a “business in a box.” Late last year, WeWork partnered with a number of companies to offer SMBs and startups, for example, services such as payroll, healthcare and business insurance.

“A lot of people that come to WeWork are growing businesses,” Singh said. “So while we’ve stuck with our core business services, we’re working to offer more, as in a real suite of HR services that might be complex and expensive for a small business to manage on their own.”

It’s also working to be able to offer its On Demand product globally so that people can opt to work out of a WeWork space from any of its locations around the world.

“Right now, we are in the largest work from home experiment,” Singh said. “I think we’re about to shift to the largest return to work experiment ever. We are just going to be very well positioned.”

The company appears to be trying to become a more sophisticated real estate company that may not be as flashy as the one of the Adam Neumann era, but more stable and more in demand. But is it trying to do too much, too fast?

It will be interesting to see how it all goes.


#adam-neumann, #business, #business-services, #georgetown, #marcelo-claure, #new-york-city, #prabhdeep-singh, #real-estate, #softbank-group, #spokesperson, #wework


SITA says its airline passenger system was hit by a data breach

Global air transport data giant SITA has confirmed a data breach involving passenger data.

The company said in a brief statement on Thursday that it had been the “victim of a cyberattack,” and that certain passenger data stored on its U.S. servers had been breached. The cyberattack was confirmed on February 24, after which the company contacted affected airlines.

SITA is one of the largest aviation IT companies in the world, said to be serving around 90% of the world’s airlines, which rely on the company’s passenger service system Horizon to manage reservations, ticketing, and aircraft departures.

But it remains unclear exactly what data was accessed or stolen.

When reached, SITA spokesperson Edna Ayme-Yahil declined to say what specific data had been taken, citing an ongoing investigation. The company said that the incident “affects various airlines around the world, not just in the United States.”

SITA confirmed it had notified several airlines — Malaysia Airlines; Finnair; Singapore Airlines; and Jeju Air, an airline in South Korea — which have already made statements about the breach, but declined to name other affected airlines.

In an email to affected customers seen by TechCrunch, Singapore Airlines said it was not a customer of SITA’s Horizon passenger service system but that about half a million frequent flyer members had their membership number and tier status compromised. The airline said that the transfer of this kind of data is “necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while traveling.”

The airline said passenger itineraries, reservations, ticketing, and passport data were not affected.

SITA is one of a handful of companies in the aviation market providing passenger ticketing and reservation systems to airlines, alongside Sabre and Amadeus.

Sabre reported a major data breach in mid-2017 affecting its hotel reservation system, after hackers scraped over a million customer credit cards. The U.S.-based company agreed in December to a $2.4 million settlement and to make changes to its cybersecurity policies following the breach.

In 2019, a security researcher found a vulnerability in Amadeus’ passenger booking system, used by Air France, British Airways, and Qantas among others, which made it easy to alter or access traveler records.

#aerospace, #air-france, #airline, #airlines, #aviation, #british-airways, #horizon, #malaysia-airlines, #privacy, #qantas, #sabre, #security, #singapore-airlines, #sita, #south-korea, #spokesperson, #united-states


Notion’s hours-long outage was caused by phishing complaints

Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.

Notion was offline for most of the morning on Friday, plunging its more than four million users into organization darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.

Notion registered its domain name notion.so through Name.com, but all .so domains are managed by Hexonet, a company that helps connect Sonic, the .so top-level domain registry, with domain name registrars like Name.com.

That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.

In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”

“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.

There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to notion.com, which the company owns.

Notion’s outage is almost identical to what happened with Zoho in 2018, which like Notion, resorted to tweeting at its domain registrar after it blocked zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.

It sounds like there’s no immediate danger of a repeat outage, but Notion did not return TechCrunch’s email over the weekend asking what it plans to do to prevent phishing on its platform in the future.
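The outage described above was not a DNS misconfiguration on Notion’s side but a hold placed on the domain further up the chain, which removes the name from the registry’s zone. The condition is visible in the domain’s EPP status codes (whois and RDAP both expose them), so a domain owner can monitor for it. The following is an added example, not code from the article or from Notion, Name.com or Hexonet: it normalizes status strings in either whois form (`serverHold https://icann.org/epp#serverHold`) or RDAP form (`server hold`) and flags both hold states and missing registrar locks. The sample status lists are constructed for illustration, not real lookups.

```python
"""Flag holds and missing transfer/update/delete locks in a domain's EPP status.

Added example; not from the article or from any registrar. The status strings are
the EPP status codes of RFC 5731 (whois form) and their RFC 8056 RDAP spellings.
Sample inputs below are constructed, not real lookups.
"""
from dataclasses import dataclass, field

# EPP status codes that take a domain out of the DNS zone (RFC 5731 section 2.3).
# A registrar-applied hold is clientHold; a registry-applied hold is serverHold.
HOLD_STATUSES = {"clientHold", "serverHold", "pendingDelete", "redemptionPeriod"}

# Locks a production domain should carry so that a transfer, update or deletion
# request is refused unless the owner first unlocks the name.
EXPECTED_LOCKS = {
    "clientTransferProhibited",
    "clientUpdateProhibited",
    "clientDeleteProhibited",
}

# RDAP (RFC 8056) spells the same states with spaces; map them to the EPP names.
RDAP_TO_EPP = {
    "client hold": "clientHold",
    "server hold": "serverHold",
    "pending delete": "pendingDelete",
    "redemption period": "redemptionPeriod",
    "client transfer prohibited": "clientTransferProhibited",
    "client update prohibited": "clientUpdateProhibited",
    "client delete prohibited": "clientDeleteProhibited",
    "server transfer prohibited": "serverTransferProhibited",
    "server update prohibited": "serverUpdateProhibited",
    "server delete prohibited": "serverDeleteProhibited",
    "active": "ok",
}


@dataclass
class DomainReport:
    domain: str
    holds: list = field(default_factory=list)          # hold codes present
    missing_locks: list = field(default_factory=list)  # expected locks absent

    @property
    def in_zone(self) -> bool:
        """True when no status code removes the name from the registry zone."""
        return not self.holds


def normalize_status(raw: str) -> str:
    """Map one raw status string to its EPP status code name.

    Whois lines look like "clientHold https://icann.org/epp#clientHold"; the code
    is the first token. RDAP values look like "client hold" and are mapped by table.
    """
    text = raw.strip()
    lowered = text.lower()
    if lowered in RDAP_TO_EPP:
        return RDAP_TO_EPP[lowered]
    return text.split()[0]


def assess_domain(domain: str, raw_statuses) -> DomainReport:
    """Return which hold states are set and which expected locks are missing."""
    codes = {normalize_status(s) for s in raw_statuses if s and s.strip()}
    return DomainReport(
        domain=domain,
        holds=sorted(codes & HOLD_STATUSES),
        missing_locks=sorted(EXPECTED_LOCKS - codes),
    )


# Constructed samples (hypothetical domains), not real lookups.
SAMPLE_WHOIS_HELD = [
    "serverHold https://icann.org/epp#serverHold",
    "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
]
SAMPLE_RDAP_LOCKED = [
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
]


def main() -> None:
    for domain, statuses in (("held.example", SAMPLE_WHOIS_HELD),
                             ("locked.example", SAMPLE_RDAP_LOCKED)):
        report = assess_domain(domain, statuses)
        state = "IN ZONE" if report.in_zone else f"REMOVED FROM ZONE ({', '.join(report.holds)})"
        print(f"{domain}: {state}; missing locks: {report.missing_locks or 'none'}")


if __name__ == "__main__":
    main()
```

A hold is the condition to page on: a `serverHold` is applied by the registry (here, above the registrar), so the registrar’s own control panel may still show the name as fine while resolution has already stopped. Missing `client*Prohibited` locks are a lower-severity finding, but they are what stands between an attacker with registrar credentials and a silent transfer or nameserver change.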


#crime, #cybercrime, #dns, #email, #internet, #notion, #phishing, #security, #sonic, #spamming, #spokesperson, #top-level-domain, #web-hosting, #world-wide-web


Clearview AI ruled ‘illegal’ by Canadian privacy authorities

Controversial facial recognition startup Clearview AI violated Canadian privacy laws when it collected photos of Canadians without their knowledge or permission, the country’s top privacy watchdog has ruled.

The New York-based company made its splashy newspaper debut a year ago by claiming it had collected over 3 billion photos of people’s faces and touting its connections to law enforcement and police departments. But the startup has faced a slew of criticism for scraping those photos from social media sites without their permission, prompting Facebook, LinkedIn and Twitter to send cease and desist letters demanding it stop.

In a statement, Canada’s Office of the Privacy Commissioner said its investigation found Clearview had “collected highly sensitive biometric information without the knowledge or consent of individuals,” and that the startup “collected, used and disclosed Canadians’ personal information for inappropriate purposes, which cannot be rendered appropriate via consent.”

Clearview rebuffed the allegations, claiming Canada’s privacy laws do not apply because the company doesn’t have a “real and substantial connection” to the country, and that consent was not required because the images it scraped were publicly available.

That argument is also being tested in U.S. court, where the company faces a class action suit citing Illinois’ biometric protection law, the same law that last year dinged Facebook to the tune of $550 million.

The Canadian privacy watchdog rejected Clearview’s arguments, and said it would “pursue other actions” if the company does not follow its recommendations, which included stopping the collection of Canadians’ images and deleting all previously collected ones. Clearview said in July that it had stopped providing its technology to Canadian customers after the Royal Canadian Mounted Police and the Toronto Police Service were found to be using it.

“What Clearview does is mass surveillance and it is illegal,” said Daniel Therrien, Canada’s privacy commissioner. “It is an affront to individuals’ privacy rights and inflicts broad-based harm on all members of society, who find themselves continually in a police lineup. This is completely unacceptable.”

A spokesperson for Clearview AI did not immediately return a request for comment.

#articles, #canada, #clearview-ai, #digital-rights, #facebook, #facial-recognition, #facial-recognition-software, #human-rights, #illinois, #law-enforcement, #mass-surveillance, #new-york, #privacy, #security, #social-issues, #spokesperson, #terms-of-service


Amazon says government demands for user data spiked by 800% in 2020

New transparency figures released by Amazon show the company responded to a record number of government data demands in the last six months of 2020.

The new figures land in the company’s bi-annual transparency report published to Amazon’s website over the weekend.

Amazon said it processed 27,664 government demands for user data in the last six months of 2020, up from 3,222 data demands in the first six months of the year, an increase of close to 800%. That user data includes shopping searches and data from its Echo, Fire, and Ring devices.

The new report presents the data differently from previous transparency disclosures. Amazon now breaks down the top requesting countries. U.S. authorities historically made up the bulk of the overall data demands Amazon receives, but this latest report shows Germany with 42% of all requests, followed by Spain with 18%, and Italy and the U.S. with 11% share each.

But the report also removes the breakdown by legal process, and now only differentiates between requests for users’ content and for non-content data. Amazon said it handed over user content data in 52 cases.

For its Amazon Web Services cloud business, which it reports separately, Amazon said it processed 523 data demands, with 75% of all requests made by U.S. authorities, and turned over users’ content in 15 cases.

An Amazon spokesperson would not say what led to the sharp rise in data demands. (Amazon seldom comments on its transparency reports.)

Amazon’s transparency report is one of the lightest reads of all the tech giants at just three pages in length, and spends more of the report explaining how it responds to each type of legal demand than on the data itself. The company, known for its notorious secrecy, became the last of the major tech giants to push out a transparency report in 2015. Where most tech companies added data to their transparency reports, like takedown notices and account removals, Amazon bucked the trend by removing data from its reports, despite the company’s growing reach into millions of homes.

The Financial Times reported this weekend that Ring, the video doorbell and home security startup acquired by Amazon for $1 billion, now has 2,000 law enforcement partners across the United States, allowing police departments to access homeowners’ doorbell camera footage.

#amazon, #amazon-echo, #amazon-web-services, #articles, #computing, #germany, #italy, #ring, #security, #spain, #spokesperson, #technology, #the-financial-times, #transparency, #transparency-report, #united-states


WallStreetBets goes dark

After a wild day for public markets driven by Reddit traders commandeering stocks and combatting hedge fund short sellers, the community at r/wallstreetbets no longer has a home on Discord and its Reddit community has been locked down as an invite-only subreddit for the time being.

Discord announced this afternoon that it had banned the WallStreetBets Discord server for hate speech violations after “repeated warnings.” The Discord server had been seeing heavy traffic from new users in the past several days as traffic surged to the subreddit as well.

On Reddit’s end, it’s not quite so clear what has happened. It does not appear as though Reddit took direct action against the community, but instead that r/wallstreetbets moderators were overwhelmed by the influx of new users and have taken the subreddit down themselves. The site notes that only moderators and “approved users” are currently allowed in the community. A number of long-time subscribers have noted on social media that they are unable to access the community which boasted several million subscribers.

We’ve reached out to Reddit for further clarification.

In a statement given to TechCrunch earlier today before the WallStreetBets subreddit went private, a company spokesperson says, “Reddit’s site-wide policies prohibit posting illegal content or soliciting or facilitating illegal transactions. We will review and cooperate with valid law enforcement investigations or actions as needed.”

The full statement from a Discord spokesperson to TechCrunch:

The WallStreetBets server has been on our Trust & Safety team’s radar for some time due to occasional content that violates our Community Guidelines, including hate speech, glorifying violence, and spreading misinformation. Over the past few months, we have issued multiple warnings to the server admin.

Today, we decided to remove the server and its owner from Discord for continuing to allow hateful and discriminatory content after repeated warnings.

To be clear, we did not ban this server due to financial fraud related to GameStop or other stocks. Discord welcomes a broad variety of personal finance discussions, from investment clubs and day traders to college students and professional financial advisors. We are monitoring this situation and in the event there are allegations of illegal activities, we will cooperate with authorities as appropriate.

Updating

#articles, #discord, #gamestop, #internet-culture, #reddit, #software, #spokesperson, #tc, #wikis


Apple says iOS 14.4 fixes three security bugs ‘actively exploited’ by hackers

Apple has released iOS 14.4 with security fixes for three vulnerabilities, said to be under active attack by hackers.

The technology giant said in its security update pages for iOS and iPadOS 14.4 that the three bugs affecting iPhones and iPads “may have been actively exploited.” Details of the vulnerabilities are scarce, and an Apple spokesperson declined to comment beyond what’s in the advisory.

It’s not known who is actively exploiting the vulnerabilities, or who might have fallen victim. Apple did not say if the attack was targeted against a small subset of users or if it was a wider attack. Apple granted anonymity to the individual who submitted the bug, the advisory said.

Two of the bugs were found in WebKit, the browser engine that powers the Safari browser, and the third in the kernel, the core of the operating system. Successful exploits often chain several vulnerabilities together rather than relying on a single flaw: it’s not uncommon for attackers to first target a bug in the device’s browser to gain code execution, then use a kernel bug to escape the browser’s sandbox and take control of the underlying operating system.

Apple said additional details would be available soon, but did not say when.

It’s a rare admission by Apple, which prides itself on its security image, that its customers might be under active attack by hackers.

In 2019, Google security researchers found a number of malicious websites laced with code that quietly hacked into victims’ iPhones. TechCrunch revealed that the attack was part of an operation, likely by the Chinese government, to spy on Uyghur Muslims. In response, Apple disputed some of Google’s findings in an equally rare public statement, for which Apple faced more criticism for underplaying the severity of the attack.

Last month, internet watchdog Citizen Lab found dozens of journalists had their iPhones hacked with a previously unknown vulnerability to install spyware developed by Israel-based NSO Group.

In the absence of details, iPhone and iPad users should update to iOS 14.4 as soon as possible.

#apple, #apple-inc, #computing, #google, #ipad, #ipads, #iphone, #operating-system, #operating-systems, #safari, #security, #smartphones, #spokesperson, #tablet-computers, #vulnerability


Google open sources Tilt Brush VR software as it shuts down internal development

As Facebook and Apple begin to fire up more projects in the AR/VR world, Google has spent the last year shutting down most of its existing projects in that space.

Today, Google announced it had ended active development of Tilt Brush, a VR painting app that was one of virtual reality’s early software hits. The app allowed users to use virtual reality controllers as brushes to construct digital sculptures and environments.

While the company will not be pushing any new updates to the app, it did announce that it will be open sourcing the code on GitHub for developers to build their own experiences and customizations. Google also notes that the app will continue to be available in the app stores on VR headsets.

“[W]e want to continue supporting the artists using Tilt Brush by putting it in your hands,” a blog post from Google reads. “This means open sourcing Tilt Brush, allowing everyone to learn how we built the project, and encouraging them to take it in directions that are near and dear to them.”

Google acquired the small studio behind Tilt Brush called Skillman & Hackett back in 2015.

Earlier this month, Tilt Brush co-creator Patrick Hackett announced he was leaving Google and would be joining the studio I-Illusions, the game studio behind VR title Space Pirate Trainer. According to LinkedIn, co-founder Drew Skillman stopped working on the VR project back in 2018 and now is part of the Stadia team at Google.

Last month, Google shut down Poly, its 3D object library which allowed users to share digital art including design made in the Tilt Brush software.

A Google spokesperson declined to comment further.

#augmented-reality, #co-founder, #digital-media, #google, #spokesperson, #technology, #tilt-brush, #virtual-reality


Google refreshes its mobile search experience

Google today announced a subtle but welcome refresh of its mobile search experience. The idea here is to provide easier to read search results and a more modern look with a simpler, edge-to-edge design.

From what we’ve seen so far, this is not a radically different look, but the rounded and slightly shaded boxes around individual search results have been replaced with straight lines, for example, while in other places, Google has specifically added more roundness. You’ll find changes to the circles around the search bar and some tweaks to the Google logo. “We believe it feels more approachable, friendly, and human,” a Google spokesperson told me. There’s a bit more whitespace in places, too, as well as new splashes of color that are meant to help separate and emphasize certain parts of the page.


“Rethinking the visual design for something like Search is really complex,” Google designer Aileen Cheng said in today’s announcement. “That’s especially true given how much Google Search has evolved. We’re not just organizing the web’s information, but all the world’s information. We started with organizing web pages, but now there’s so much diversity in the types of content and information we have to help make sense of.”


Google is also extending its use of the Google Sans font, which you are probably already quite familiar with thanks to its use in Gmail and Android. “Bringing consistency to when and how we use fonts in Search was important, too, which also helps people parse information more efficiently,” Aileen writes.

In many ways, today’s refresh is a continuation of the work Google did with its mobile search refresh in 2019. At that time, the emphasis, too, was on making it easier for users to scan down the page by adding site icons and other new visual elements to the page. The work of making search results pages more readable is clearly never done.

For the most part, though, comparing the new and old design, the changes are small. This isn’t some major redesign but we’re talking about minor tweaks that the designers surely obsessed over but that the users may not even really notice. Now if Google had made it significantly easier to distinguish ads from the content you are actually looking for, that would’ve been something.


#android, #computing, #designer, #gmail, #google, #google-search, #google-workspace, #google-drive, #mobile, #mobile-search, #operating-systems, #search-results, #spokesperson, #technology


Snapchat permanently bans President Trump’s account

Quite a bit has happened since Snap announced last week that it was indefinitely locking President Trump’s Snapchat account. But after temporary bans from his Facebook, Instagram and YouTube accounts as well as a permanent ban from Twitter, Snap has decided that it will also be making its ban of the President’s Snapchat account permanent.

Though Trump’s social media preferences as a user are clear, Snapchat gave the Trump campaign a particularly effective platform to target young users who are active on the service. A permanent ban will undoubtedly complicate his future business and political ambitions as he finds himself removed from most mainstream social platforms.

Snap says it made the decision in light of repeated attempts by the President’s account over the past several months to violate the company’s community guidelines.

“Last week we announced an indefinite suspension of President Trump’s Snapchat account, and have been assessing what long term action is in the best interest of our Snapchat community. In the interest of public safety, and based on his attempts to spread misinformation, hate speech, and incite violence, which are clear violations of our guidelines, we have made the decision to permanently terminate his account,” a Snap spokesperson told TechCrunch.

Snap’s decision to permanently ban the President was first reported by Axios.

#computing, #donald-trump, #facebook, #instagram, #instant-messaging, #operating-systems, #president, #snap-inc, #snapchat, #spokesperson, #tc, #trump, #twitter, #vertical-video


Parler jumps to No. 1 on App Store after Facebook and Twitter ban Trump

Users are surging on small, conservative, social media platforms after President Donald Trump’s ban from the world’s largest social networks, even as those platforms are seeing access throttled by the app marketplaces of tech’s biggest players.

The social network, Parler, a network that mimics Twitter, is now the number one app in Apple’s app store and Gab, another conservative-backed service, claimed that it was seeing an explosion in the number of signups to its web-based platform as well.

Parler’s ballooning user base comes at a potentially perilous time for the company. It has already been removed from Google’s Play store and Apple is considering suspending the social media app as well if it does not add some content moderation features.

Both Parler and Gab have billed themselves as havens for free speech, with what’s perhaps the most lax content moderation online. In the past the two companies have left up content posted by an alleged Russian disinformation campaign, and allow users to traffic in conspiracy theories that other social media platforms have shut down.

The expectation with these services is that users on the platforms are in charge of muting and blocking trolls or offensive content, but, by their nature, those who join these platforms will generally find themselves among like-minded users.

Their user counts might be surging, but would-be adopters may soon have a hard time finding the services.

On Friday night, Google said that it would be removing Parler from its Play Store immediately, suspending the app until the developers committed to a moderation and enforcement policy that could handle objectionable content on the platform.

In a statement to TechCrunch, a Google spokesperson said:

“In order to protect user safety on Google Play, our longstanding policies require that apps displaying user-generated content have moderation policies and enforcement that removes egregious content like posts that incite violence. All developers agree to these terms and we have reminded Parler of this clear policy in recent months. We’re aware of continued posting in the Parler app that seeks to incite ongoing violence in the US. We recognize that there can be reasonable debate about content policies and that it can be difficult for apps to immediately remove all violative content, but for us to distribute an app through Google Play, we do require that apps implement robust moderation for egregious content. In light of this ongoing and urgent public safety threat, we are suspending the app’s listings from the Play Store until it addresses these issues.“

On Friday, Buzzfeed News reported that Parler had received a letter from Apple informing them that the app would be removed from the App Store within 24 hours unless the company submitted an update with a moderation improvement plan. Parler CEO John Matze confirmed the action from Apple in a post on his Parler account where he posted a screenshot of the notification from Apple.

“We want to be clear that Parler is in fact responsible for all the user generated content present on your service and for ensuring that this content meets App Store requirements for the safety and protection of our users,” text from the screenshot reads. “We won’t distribute apps that present dangerous and harmful content.”

Parler is backed by the conservative billionaire heiress Rebekah Mercer, according to a November report in The Wall Street Journal. Founded in 2018, the service has experienced spikes in user adoption with every clash between mainstream social media companies and the outgoing President Trump. In November, Parler boasted some 10 million users, according to the Journal.

Users like Fox Business anchor Maria Bartiromo and the conservative talk show host Dan Bongino, a wildly popular figure on Facebook who is also an investor in Parler, have joined the platform. In the Journal article Bongino called the company “a collective middle finger to the tech tyrants.”

Sarah Perez and Lucas Matney contributed additional reporting to this article. 

#app-store, #buzzfeed, #ceo, #donald-trump, #gab, #google, #google-play, #microblogging, #operating-systems, #parler, #play-store, #president, #real-time-web, #sensor-tower, #social-media, #social-media-app, #social-media-platforms, #social-network, #social-networks, #software, #spokesperson, #tc, #technology, #the-wall-street-journal, #twitter, #united-states


Pro-Trump mob storms the US Capitol, touting ‘Stop the Steal’ conspiracy

A chaotic scene unfolded in Washington D.C. on Wednesday as a large crowd of pro-Trump protesters stormed the U.S. Capitol Building.

The Trump supporters flooded into the nation’s capital to attend a rally held earlier by President Trump outside the White House. The rally was timed to protest lawmakers gathering Wednesday to certify President-elect Joe Biden’s electoral win.

At his own event, Trump encouraged his supporters to continue demonstrating against Congress, claiming incorrectly that Vice President Mike Pence holds the power to overturn the election results. While the situation is still unfolding, protesters penetrated the Capitol building and injuries have been confirmed, including at least one gunshot victim.

As Trump supporters flooded up the Capitol steps with “Make America Great Again” hats and “Stop the Steal” banners, the president did little to quell the violence. “Mike Pence didn’t have the courage to do what should have been done to protect our Country and our Constitution, giving States a chance to certify a corrected set of facts, not the fraudulent or inaccurate ones which they were asked to previously certify,” Trump wrote in a tweet. “USA demands the truth!”

Twitter appended a warning label calling Trump’s election fraud claims “disputed” to the tweet. After his supporters already made their way into the Capitol building, the president seemed to walk back his calls to action, calling for supporters to remain peaceful.

The Stop the Steal movement grew out of online conspiracies boosting Trump’s unfounded claims that Democrats had in some way rigged the presidential election. In reality, U.S. electoral results were decisively in favor of Biden, though votes trickled in over an extended period of time, as expected, due to a massive expansion of pandemic-related mail-in voting.

Facebook made efforts to rein in Stop the Steal groups soon after the election, blocking the hashtag for violating its rules around election misinformation. “The group was organized around the delegitimization of the election process, and we saw worrying calls for violence from some members of the group,” Facebook spokesperson Andy Stone said at the time.

Stop the Steal supporters also found a foothold on many other platforms, including Reddit, Twitter and alternative social networks like Gab and Parler, which have attracted far-right users with policies much friendlier to extremist content. The crowd at the capitol also shares considerable overlap with QAnon, a constellation of conspiracy theories that exploded on Facebook, YouTube and other online platforms over the last few years.

This story is developing.

#congress, #deception, #donald-trump, #government, #online-platforms, #parler, #president, #presidential-election, #qanon, #social-networks, #spokesperson, #tc, #trump, #twitter, #united-states, #vice-president, #washington-d-c, #white-house


T-Mobile says hackers accessed some customer call records in data breach

T-Mobile, the third largest cell carrier in the U.S. after completing its recent $26 billion merger with Sprint, ended 2020 by announcing its second data breach of the year.

The cell giant said in a notice buried on its website that it recently discovered unauthorized access to some customers’ account information, including the data that T-Mobile makes and collects on its customers in order to provide cell service.

From the notice: “Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”

Known as customer proprietary network information (CPNI), this data can include call records — such as when a call was made, for how long, the caller’s phone number and the destination phone numbers for each call, and other information that might be found on the customer’s bill.

But the company said that the hackers did not access names, home or email addresses, financial data, and account passwords (or PINs).

The notice didn’t say when T-Mobile detected the breach, only that it was now notifying affected customers.

A spokesperson for T-Mobile did not respond to requests for comment, but told one news site that the breach affects about 0.2% of all T-Mobile customers — or approximately 200,000 customers.

It’s the latest security incident to hit the cell giant in recent years.

In 2018, T-Mobile said as many as two million customers may have had their personal information scraped. A year later, the company confirmed hackers accessed records on another million prepaid customers. Just months into 2020, T-Mobile admitted a breach on its email systems that saw hackers access some T-Mobile employee email accounts, exposing some customer data.

#data-breach, #mobile, #security, #spokesperson, #t-mobile, #t-mobile-uk, #telecommunications, #united-states


Google, Cisco, and VMware join Microsoft to oppose NSO Group in WhatsApp spyware case

A coalition of companies have filed an amicus brief in support of a legal case brought by WhatsApp against Israeli intelligence firm NSO Group, accusing the company of using an undisclosed vulnerability in the messaging app to hack into at least 1,400 devices, some of which were owned by journalists and human rights activists.

NSO develops and sells governments access to its Pegasus spyware, allowing its nation state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages and listen to their calls, steal their photos and files, and siphon off private information from their device. The spyware is often installed by tricking a target into opening a malicious link, or sometimes by exploiting never-before-seen vulnerabilities in apps or phones to silently infect the victims with the spyware. The company has drawn ire for selling to authoritarian regimes, like Saudi Arabia, Ethiopia, and the United Arab Emirates.

Last year, WhatsApp found and patched a vulnerability that it said was being abused to deliver the government-grade spyware, in some cases without the victim knowing. Months later, WhatsApp sued NSO to understand more about the incident, including which of its government customers was behind the attack.

NSO has repeatedly disputed the allegations, but was unable to convince a U.S. court to drop the case earlier this year. NSO’s main legal defense is that it is afforded legal immunities because it acts on behalf of governments.

But a coalition of tech companies has sided with WhatsApp and is now asking the court not to allow NSO to claim immunity.

Microsoft (including its subsidiaries LinkedIn and GitHub), Google, Cisco, VMware, and the Internet Association, which represents dozens of tech giants including Amazon, Facebook, and Twitter, warned that the development of spyware and espionage tools — including hoarding the vulnerabilities used to deliver them — makes ordinary people less safe and secure, and also runs the risk of these tools falling into the wrong hands.

In a blog post, Microsoft’s customer security and trust chief Tom Burt said NSO should be accountable for the tools it builds and the vulnerabilities it exploits.

“Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve,” said Burt. “We hope that standing together with our competitors today through this amicus brief will help protect our collective customers and global digital ecosystem from more indiscriminate attacks.”

A spokesperson for NSO did not immediately comment.


Dozens of journalists’ iPhones hacked with NSO ‘zero-click’ spyware, says Citizen Lab

Citizen Lab researchers say they have found evidence that dozens of journalists had their iPhones silently compromised with spyware known to be used by nation states.

For more than a year, London-based reporter Rania Dridi and at least 36 journalists, producers and executives working for the Al Jazeera news agency were targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability in Apple’s iMessage. The attack invisibly compromised the devices without having to trick the victims into opening a malicious link.

Citizen Lab, the internet watchdog at the University of Toronto, was asked to investigate earlier this year after one of the victims, Al Jazeera investigative journalist Tamer Almisshal, suspected that his phone may have been hacked.

In a technical report out Sunday and shared with TechCrunch, the researchers say they believe the journalists’ iPhones were infected with the Pegasus spyware, developed by Israel-based NSO Group.

The researchers analyzed Almisshal’s iPhone and found that between July and August it had connected to servers known to be used by NSO for delivering the Pegasus spyware. The device showed a burst of network activity that suggests the spyware may have been delivered silently over iMessage.

Logs from the phone show that the spyware was likely able to secretly record the microphone and phone calls, take photos using the phone’s camera, access the victim’s passwords, and track the phone’s location.

Citizen Lab analyzed the network logs of two hacked iPhones and found it could record ambient calls, take photos using the camera, and track the device’s location without the victim knowing. (Image: Citizen Lab)

Citizen Lab said the bulk of the hacks were likely carried out by at least four NSO customers, including the governments of Saudi Arabia and the United Arab Emirates, citing evidence it found in similar attacks involving Pegasus.

The researchers found evidence that two other NSO customers hacked into one and three Al Jazeera phones respectively, but that they could not attribute the attacks to a specific government.

A spokesperson for Al Jazeera, which just broadcast its reporting of the hacks, did not immediately comment.

NSO sells governments and nation states access to its Pegasus spyware as a prepackaged service, providing the infrastructure and the exploits needed to launch the spyware against the customer’s targets. But the spyware maker has repeatedly distanced itself from what its customers do and has said it does not know who its customers target. Some of NSO’s known customers include authoritarian regimes like China and Russia. Saudi Arabia allegedly used the surveillance technology to spy on the communications of columnist Jamal Khashoggi shortly before his murder, which U.S. intelligence concluded was likely ordered by the kingdom’s de facto ruler, Crown Prince Mohammed bin Salman.

Citizen Lab said it also found evidence that Dridi, a journalist at Arabic television station Al Araby in London, had fallen victim to a zero-click attack. The researchers said Dridi was likely targeted by the UAE government.

In a phone call, Dridi told TechCrunch that her phone may have been targeted because of her close association to a person of interest to the UAE.

Dridi’s phone, an iPhone XS Max, was targeted for a longer period, likely between October 2019 and July 2020. The researchers found evidence that she was targeted on two separate occasions with a zero-day attack — the name for an exploit that has not been previously disclosed and for which no patch is yet available — because her phone was running the latest version of iOS both times.

“My life is not normal anymore. I don’t feel like I have a private life again,” said Dridi. “To be a journalist is not a crime,” she said.

Citizen Lab said its latest findings reveal an “accelerating trend of espionage” against journalists and news organizations, and that the growing use of zero-click exploits makes attacks increasingly difficult — though evidently not impossible — to detect, because of the more sophisticated techniques used to infect victims’ devices while covering their tracks.

When reached on Saturday, NSO said it was unable to comment on the allegations as it had not seen the report. It declined to say whether Saudi Arabia or the UAE were customers, or to describe what processes — if any — it puts in place to prevent customers from targeting journalists.

“This is the first we are hearing of these assertions. As we have repeatedly stated, we do not have access to any information related to the identities of individuals upon whom our system is alleged to have been used to conduct surveillance. However, when we receive credible evidence of misuse, combined with the basic identifiers of the alleged targets and timeframes, we take all necessary steps in accordance with our product misuse investigation procedure to review the allegations,” said a spokesperson.

“We are unable to comment on a report we have not yet seen. We do know that CitizenLab regularly publishes reports based on inaccurate assumptions and without a full command of the facts, and this report will likely follow that theme. NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, but as stated in the past, we do not operate them. Nevertheless, we are committed to ensuring our policies are adhered to, and any evidence of a breach will be taken seriously and investigated.”

Citizen Lab said it stood by its findings.


Spokespeople for the Saudi and UAE governments in New York did not respond to an email requesting comment.

The attacks not only put a renewed focus on the shadowy world of surveillance spyware, but also on the companies having to defend against it. Apple rests much of its public image on advocating privacy for its users and building secure devices, like iPhones, designed to be hardened against the bulk of attacks. But no technology is impervious to security bugs. In 2016, Reuters reported that UAE-based cybersecurity firm DarkMatter bought a zero-click exploit to target iMessage, which it referred to as “Karma.” The exploit worked even if the user did not actively use the messaging app.

Apple told TechCrunch that it had not independently verified Citizen Lab’s findings but that the vulnerabilities used to target the reporters were fixed in iOS 14, released in September.

“At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation-states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data,” said an Apple spokesperson.

NSO is currently embroiled in a legal battle with Facebook, which last year blamed the Israeli spyware maker for using a similar, previously undisclosed zero-click exploit in WhatsApp to infect some 1,400 devices with the Pegasus spyware.

Facebook discovered and patched the vulnerability, stopping the attack in its tracks, but said that more than 100 human rights defenders, journalists and “other members of civil society” had fallen victim.
