Twitter Super Follows has generated only around $6K+ in its first two weeks

Twitter’s creator platform Super Follows is off to an inauspicious start, having contributed to somewhere around $6,000 in U.S. iOS revenue in the first two weeks the feature has been live, according to app intelligence data provided by Sensor Tower. And it’s made only around $600 or so in Canada. A small portion of that revenue may be attributed to Ticketed Spaces, Twitter’s other in-app purchase offered in the U.S. — but there’s no way for this portion to be calculated by an outside firm.

Twitter first announced its plans to launch Super Follows during its Analyst Day event in February, where the company detailed many of its upcoming initiatives to generate new revenue streams.

Today, Twitter’s business is highly dependent on advertising, and Super Follows is one of the few ways it’s aiming to diversify. The company is also now offering a way for creators to charge for access to their live events with Ticketed Spaces and, outside the U.S., Twitter has begun testing a premium product for power users called Twitter Blue.

Image Credits: Twitter

But Super Follows, which targets creators, is the effort with the most potential appeal to mainstream users.

It’s also one that is working to capitalize on the growing creator economy, where content creators build a following, then generate revenue directly through subscriptions — decreasing their own dependence on ads or brand deals, as a result. The platforms they use for this business skim a little off the top to help them fund the development of the creator tools. (In Twitter’s case, it’s taking only a 3% cut.)

The feature would seem to make sense for Twitter, a platform that already allows high-profile figures and regular folks to hobnob in the same timeline and have conversations. Super Follows ups that access by letting fans get even closer to their favorite creators, whether those are musicians, artists, comedians, influencers, writers, gamers, or other experts. These creators can set a monthly subscription price of $2.99, $4.99, or $9.99 to provide fans with access to bonus, “behind-the-scenes” content of their choosing. This generally comes in the form of extra tweets, Q&As, and other interactions with subscribers.

Image Credits: Twitter

At launch, Twitter opened up Super Follows to a handful of creators, including the beauty and skincare-focused account @MakeupforWOC; astrology account @TarotByBronx; sports-focused @KingJosiah54; writer @myeshachou; internet personality and podcaster @MichaelaOkla; spiritual healer @kemimarie; music charts tweeter @chartdata; Twitch streamers @FaZeMew, @VelvetIsCake, @MackWood1, @GabeJRuiz, and @Saulsrevenge; YouTubers @DoubleH_YT, @LxckTV, and @PowerGotNow; and crypto traders @itsALLrisky and @moon_shine15; among others. Twitter says there are fewer than 100 creators in total who have access to Super Follows.

While access on the creation side is limited, the ability to subscribe to creators is not. Any Twitter iOS user in the U.S. or Canada can “Super Follow” any number of the supported creator accounts. In the U.S., Twitter has 169 million average monetizable daily active users as of Q2 2021. Of course, only some subset of those will be iOS users.

Still, Twitter could easily count millions upon millions of “potential” customers for its Super Follow platform at launch. Its current revenue indicates that, possibly, only thousands of consumers have done so, given many of the top in-app purchases are for creators offering content at lower price points.

Image Credits: Sensor Tower

Sensor Tower notes the $6,000 in U.S. consumer spending on iOS was calculated during the first two weeks of September (Sept. 1-14). Before this period, U.S. iOS users spent only $100 from August 25 through 31, a figure that would reflect user spending on Ticketed Spaces during that time. In other words, the contribution of Ticketed Spaces revenue to this total of $6,000 in iOS consumer spending is likely quite small.

In Canada, the other market where Super Follows is now available to subscribers, Twitter’s iOS in-app purchase revenue from September 1 through September 14 was a negligible $600. (This would also include Twitter Blue subscription revenue, which is being tested in Canada and Australia.)

Worldwide, Twitter users on iOS spent $9,000 during that same time, which would include other Ticketed Spaces revenues and tests of its premium service, Twitter Blue. (Twitter’s Tip Jar, a way to pay creators directly, does not work through in-app purchases).

Unlike other Twitter products that were developed by watching what users were already doing anyway, like using hashtags or retweeting content, many of Twitter’s newer features are attempts at redefining the use cases for its platform. In a massive rush of product pushes, Twitter has recently launched tools not just for creators, but also for e-commerce, organizing reading materials, subscribing to newsletters, socializing in communities, chatting through audio, fact-checking content, keeping up with trends, conversing more privately, and more.

Twitter’s position on the slower start to Super Follows is that it’s still too early to make any determinations. While that’s fair, it’s also worth tracking adoption to see whether the new product has seen any rapid, out-of-the-gate traction.

“This is just the start for Super Follows,” a Twitter spokesperson said, reached for comment about Sensor Tower’s figures. “Our main goal is focused on ensuring creators are set up for success and so we’re working closely with a small group of creators in this first iteration to ensure they have the best experience using Super Follows before we roll out more widely.”

The spokesperson also noted Twitter Super Follows had been set up to help creators make more money as it scales.

“With Super Follows, people are eligible to earn up to 97% of revenue after in-app purchase fees until they make $50,000 in lifetime earnings. After $50,000 in lifetime earnings, they can earn up to 80% of revenue after in-app purchase fees,” they said.

#analyst, #canada, #computing, #day, #e-commerce, #operating-systems, #real-time-web, #sensor-tower, #software, #spokesperson, #tc, #text-messaging, #tweetdeck, #twitter, #twitter-blue, #united-states, #video-hosting, #vine, #writer, #youtube

Ireland probes TikTok’s handling of kids’ data and transfers to China

Ireland’s Data Protection Commission (DPC) has yet another ‘Big Tech’ GDPR probe to add to its pile: The regulator said yesterday it has opened two investigations into video sharing platform TikTok.

The first covers how TikTok handles children’s data, and whether it complies with Europe’s General Data Protection Regulation.

The DPC also said it will examine TikTok’s transfers of personal data to China, where its parent entity is based — looking to see if the company meets requirements set out in the regulation covering personal data transfers to third countries.

TikTok was contacted for comment on the DPC’s investigation.

A spokesperson told us:

“The privacy and safety of the TikTok community, particularly our youngest members, is a top priority. We’ve implemented extensive policies and controls to safeguard user data and rely on approved methods for data being transferred from Europe, such as standard contractual clauses. We intend to fully cooperate with the DPC.”

The Irish regulator’s announcement of two “own volition” enquiries follows pressure from other EU data protection authorities and consumer protection groups, which have raised concerns about how TikTok handles user data generally and children’s information specifically.

In Italy this January, TikTok was ordered to recheck the age of every user in the country after the data protection watchdog instigated an emergency procedure, using GDPR powers, following child safety concerns.

TikTok went on to comply with the order — removing more than half a million accounts where it could not verify the users were not children.

This year European consumer protection groups have also raised a number of child safety and privacy concerns about the platform. And, in May, EU lawmakers said they would review the company’s terms of service.

On children’s data, the GDPR sets limits on how kids’ information can be processed, putting an age threshold on the ability of children to consent to their data being used. The default age of consent under the regulation is 16, and while EU Member States may set a lower age, they cannot go below a hard floor of 13 years old.

In response to the announcement of the DPC’s enquiry, TikTok pointed to its use of age gating technology and other strategies it said it uses to detect and remove underage users from its platform.

It also flagged a number of recent changes it’s made around children’s accounts and data, such as flipping the default settings to make their accounts private by default and limiting younger users’ exposure to certain features that intentionally encourage interaction with other TikTok users, unless those users are over 16.

On international data transfers, TikTok says it uses “approved methods”. However, the picture is rather more complicated than TikTok’s statement implies. Transfers of Europeans’ data to China are complicated by there being no EU data adequacy agreement in place with China.

In TikTok’s case, that means, for any personal data transfers to China to be lawful, it needs to have additional “appropriate safeguards” in place to protect the information to the required EU standard.

When there is no adequacy arrangement in place, data controllers can, potentially, rely on mechanisms like Standard Contractual Clauses (SCCs) or binding corporate rules (BCRs) — and TikTok’s statement notes it uses SCCs.

But — crucially — personal data transfers out of the EU to third countries have faced significant legal uncertainty and added scrutiny since a landmark ruling by the CJEU last year which invalidated a flagship data transfer arrangement between the US and the EU and made it clear that DPAs (such as Ireland’s DPC) have a duty to step in and suspend transfers if they suspect people’s data is flowing to a third country where it might be at risk.

So while the CJEU did not invalidate mechanisms like SCCs entirely, it essentially said all international transfers to third countries must be assessed on a case-by-case basis and, where a DPA has concerns, it must step in and suspend those non-secure data flows.

The CJEU ruling means just the fact of using a mechanism like SCCs doesn’t mean anything on its own re: the legality of a particular data transfer. It also amps up the pressure on EU agencies like Ireland’s DPC to be pro-active about assessing risky data flows.

Final guidance put out by the European Data Protection Board, earlier this year, provides details on the so-called ‘supplementary measures’ that a data controller may be able to apply in order to increase the level of protection around their specific transfer so the information can be legally taken to a third country.

These steps can include technical measures like strong encryption, where the data is encrypted before export and the keys stay outside the importer’s reach. It’s not clear how a social media company like TikTok would be able to apply such a fix, given that its platform and algorithms continuously mine users’ data, in the clear, to customize the content they see and to keep them engaged with TikTok’s ad platform.

In another recent development, China has just passed its first data protection law.

But, again, this is unlikely to change much for EU transfers. The Communist Party regime’s ongoing appropriation of personal data, through the application of sweeping digital surveillance laws, means it would be all but impossible for China to meet the EU’s stringent requirements for data adequacy. (And if the US can’t get EU adequacy it would be ‘interesting’ geopolitical optics, to put it politely, were the coveted status to be granted to China…)

One factor TikTok can take heart from is that it likely has time on its side when it comes to EU enforcement of its data protection rules.

The Irish DPC has a huge backlog of cross-border GDPR investigations into a number of tech giants.

It was only earlier this month that the Irish regulator finally issued its first decision against a Facebook-owned company, announcing a $267M fine against WhatsApp for breaching GDPR transparency rules (but only doing so years after the first complaints had been lodged).

The DPC’s first decision in a cross-border GDPR case pertaining to Big Tech came at the end of last year, when it fined Twitter $550k over a data breach dating back to 2018, the year GDPR technically began applying.

The Irish regulator still has scores of undecided cases on its desk — against tech giants including Apple and Facebook. That means that the new TikTok probes join the back of a much criticized bottleneck. And a decision on these probes isn’t likely for years.

On children’s data, TikTok may face swifter scrutiny elsewhere in Europe: The UK added some ‘gold-plating’ to its version of the EU GDPR in the area of children’s data and, from this month, has said it expects platforms to meet its recommended standards.

It has warned that platforms that don’t fully engage with its Age Appropriate Design Code could face penalties under the UK’s GDPR. The UK’s code has been credited with encouraging a number of recent changes by social media platforms over how they handle kids’ data and accounts.

#apps, #articles, #china, #communist-party, #data-controller, #data-protection, #data-protection-commission, #data-protection-law, #data-security, #encryption, #europe, #european-data-protection-board, #european-union, #general-data-protection-regulation, #ireland, #italy, #max-schrems, #noyb, #personal-data, #privacy, #social, #social-media, #spokesperson, #tiktok, #united-kingdom, #united-states

Instagram is building a ‘Favorites’ feature so you don’t miss important posts

Instagram confirmed it’s developing a new feature called “Favorites,” which would allow users to select certain accounts whose posts they would like to see higher in their feed. A similar feature already exists on Facebook where it gives users a bit more control over the News Feed algorithm. On Facebook, users can select up to 30 friends or Facebook Pages whose posts get shown higher in the News Feed. It’s unclear what limit an Instagram Favorites feature would have, however.

The Instagram Favorites feature was recently spotted in development by reverse engineer Alessandro Paluzzi, who found a new pushpin icon for Favorites in the Instagram Settings menu, and other details about how the feature may work.

According to screenshots Paluzzi posted on Twitter, users will be able to search across the Instagram accounts they are currently following to create a list of Favorites. This list can be edited at any time, and Instagram notes that users would not be notified when they’re added to someone’s Favorites.

This is a similar level of privacy as offered by Instagram’s several years-old “Close Friends” feature, which instead focuses on allowing users to create a separate list of followers so they can share their more private and personal Instagram Stories with a select group of their own choosing.

Paluzzi tells us he was able to add contacts to the Favorites list, but didn’t yet notice any changes to the Instagram feed after doing so. That implies the feature is still being built and a launch is not imminent.

“This feature is an internal prototype that’s still in development, and not testing externally,” an Instagram spokesperson told TechCrunch. They declined to share any other specifics about the feature.

A Favorites feature could play into Instagram’s larger plans to better establish itself as a home for creator content. In other leaks, Paluzzi had also found the company was building out “Fan Subscriptions,” which would allow users to pay for elevated access to creator content — like exclusive live videos or Stories, for example. Paid subscribers may also be given a special badge that would highlight their name when they commented, DM’ed, or viewed the creator’s Stories.

Given that users who were paying for content would not want to miss a moment, it would make sense to give them tools to designate those creators as “Favorites” whose posts were also more highly ranked in their Feed.

A Favorites feature could also be useful to those who had taken a break from Instagram and would rather see the important photos and videos they missed from favorite accounts upon their return, rather than just the most recent or interesting updates from across all of the accounts they follow.

And while not likely the main goal, the new feature could help to address users’ complaints about the algorithmic feed in general.

Today, there are still a number of people who want to be able to see Instagram posts in chronological order, preferring to not have posts re-ordered by an algorithm they can’t control. Favorites wouldn’t give in to this demand (though Instagram has tested a chronological feed in the past). But it would at least give users the ability to ensure they weren’t missing the posts from those whose updates they wanted to see the most.

Though Instagram did say it’s working on the development of Favorites, it doesn’t necessarily mean such a feature will launch to the public. Companies of Instagram’s size often prototype new ideas, but only some of those tests make it to a general release.

#apps, #computing, #facebook, #instagram, #like-button, #news-feed, #operating-systems, #social, #social-media, #social-software, #software, #spokesperson

Technology giant Olympus hit by BlackMatter ransomware

Olympus said in a brief statement Sunday that it is “currently investigating a potential cybersecurity incident” affecting its European, Middle East and Africa computer network.

“Upon detection of suspicious activity, we immediately mobilized a specialized response team including forensics experts, and we are currently working with the highest priority to resolve this issue. As part of the investigation, we have suspended data transfers in the affected systems and have informed the relevant external partners,” the statement said.

But according to a person with knowledge of the incident, Olympus is recovering from a ransomware attack that began in the early morning of September 8. The person shared details of the incident prior to Olympus acknowledging the incident on Sunday.

A ransom note left behind on infected computers claimed to be from the BlackMatter ransomware group. “Your network is encrypted, and not currently operational,” it reads. “If you pay, we will provide you the programs for decryption.” The ransom note also included a web address to a site accessible only through the Tor Browser that’s known to be used by BlackMatter to communicate with its victims.


Brett Callow, a ransomware expert and threat analyst at Emsisoft, told TechCrunch that the site in the ransom note is associated with the BlackMatter group.

BlackMatter is a ransomware-as-a-service group that was founded as a successor to several ransomware groups, including DarkSide, which recently exited the criminal scene after the high-profile ransomware attack on Colonial Pipeline, and REvil, which went silent for months after the Kaseya attack flooded hundreds of companies with ransomware. Both attacks caught the attention of the U.S. government, which promised to take action if critical infrastructure was hit again.

Groups like BlackMatter rent access to their infrastructure, which affiliates use to launch attacks, while BlackMatter takes a cut of whatever ransoms are paid. Emsisoft has also found technical links and code overlaps between Darkside and BlackMatter.

Since the group emerged in June, Emsisoft has recorded more than 40 ransomware attacks attributed to BlackMatter, but says the total number of victims is likely to be significantly higher.

Ransomware groups like BlackMatter typically steal data from a company’s network before encrypting it, and later threaten to publish the files online if the ransom to decrypt the files is not paid. Another site associated with BlackMatter, which the group uses to publicize its victims and tout stolen data, did not have an entry for Olympus at the time of publication.

Japan-headquartered Olympus manufactures optical and digital reprography technology for the medical and life sciences industries. The company also built digital cameras and other electronics until it sold its struggling camera division in January.

Olympus said it was “currently working to determine the extent of the issue and will continue to provide updates as new information becomes available.”

Christian Pott, a spokesperson for Olympus, did not respond to emails and text messages requesting comment.

#africa, #colonial-pipeline, #crime, #crimes, #cyberattacks, #cybercrime, #digital-cameras, #electronics, #kaseya, #middle-east, #olympus, #ransomware, #security, #spokesperson, #u-s-government, #united-states

Texas Right to Life website exposed job applicants’ resumes

Anti-abortion group Texas Right to Life exposed the personal information of hundreds of job applicants after a website bug allowed anyone to access their resumes, which were stored in an unprotected directory on its website.

A security researcher told TechCrunch that the group’s main website, built largely in WordPress, was not properly protecting the file storage on its website, which it used to store resumes of more than 300 job applicants, as well as other files uploaded to the website. The resumes contained names, phone numbers, addresses, and details of a person’s employment history.
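The lapse described above is a directory-listing (auto-index) exposure: files uploaded to the site were stored under the web root in a directory the server was willing to enumerate. The following Python is an added example, not code from the article or from the researcher, showing how to recognise such a listing and pull out the document links it exposes. The HTTP responses are constructed samples, and the path /wp-content/uploads/ is WordPress’s default upload location, assumed here because the article does not name the directory that was actually exposed.

```python
"""Added example (not from the article): detect an exposed, auto-indexed
upload directory of the kind described above and list the documents it leaks.
Everything below is constructed and runs offline."""
import re
from html.parser import HTMLParser

# Constructed sample: what an Apache/nginx auto-index page for an
# assumed WordPress upload path looks like when listing is enabled.
LISTING_BODY = """<html><head><title>Index of /wp-content/uploads/resumes</title></head>
<body><h1>Index of /wp-content/uploads/resumes</h1>
<a href="../">Parent Directory</a>
<a href="jane-doe-resume.pdf">jane-doe-resume.pdf</a>
<a href="john-smith-cv.docx">john-smith-cv.docx</a>
<a href="logo.png">logo.png</a>
</body></html>"""

# Constructed sample: the same path on a server that refuses to list it.
FORBIDDEN_BODY = "<html><body><h1>403 Forbidden</h1></body></html>"

# Document types that, in an upload directory, usually mean personal data.
SENSITIVE_EXT = (".pdf", ".doc", ".docx", ".rtf", ".txt", ".csv", ".xlsx")


class _LinkCollector(HTMLParser):
    """Collect href values from every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def is_directory_listing(status, body):
    """Heuristic: a 200 whose title or heading reads 'Index of /...'."""
    return status == 200 and re.search(r"Index of /", body) is not None


def exposed_documents(status, body):
    """Return document hrefs from an auto-index page; [] if it is not one."""
    if not is_directory_listing(status, body):
        return []
    collector = _LinkCollector()
    collector.feed(body)
    return [
        h for h in collector.links
        if h.lower().endswith(SENSITIVE_EXT) and not h.startswith("..")
    ]


def assess(path, status, body):
    """Summarise one probed path as a finding dict."""
    docs = exposed_documents(status, body)
    return {"path": path, "listing": is_directory_listing(status, body), "documents": docs}


if __name__ == "__main__":
    for path, status, body in [
        ("/wp-content/uploads/resumes/", 200, LISTING_BODY),  # assumed path
        ("/wp-content/uploads/resumes/", 403, FORBIDDEN_BODY),
    ]:
        print(assess(path, status, body))
```

Two caveats a practitioner would add. Turning listing off (`Options -Indexes` in an Apache `.htaccess`, `autoindex off;` in nginx) stops enumeration but not retrieval: a resume with a guessable or previously indexed filename stays downloadable. Applicant documents belong outside the web root, or behind an authenticated download handler, rather than in a world-readable uploads directory.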

The website bug was fixed over the weekend, a short time after details of the leak were posted on Twitter. The group’s website no longer lists any of the exposed files.

“We are taking action to protect the concerned individuals,” Kimberlyn Schwartz, a spokesperson for Texas Right to Life, told TechCrunch, referring to those who “sought and circulated the information.”

When asked, Schwartz would not say if the organization planned on informing those whose personal information was exposed by its security lapse.

Texas Right to Life sparked anger when last week it publicized a “whistleblower” website that encouraged Texas residents to report when someone might be seeking an abortion in violation of the state’s restrictive new abortion law. The law allows anyone to sue someone seeking an abortion, or anyone “aiding and abetting” an abortion after six weeks. That provision has been widely interpreted as targeting doctors who perform these procedures, but also potentially anyone who gets involved, such as contributing money or driving a friend to a clinic.

It didn’t take long for the “whistleblower” website to be flooded with fake tips, memes, and Shrek porn in protest. The site briefly fell offline Thursday, which coincided with an activist releasing an iOS shortcut to help anyone pre-fill the website’s form with fake information.

But by the weekend, GoDaddy, the company hosting the website, told Texas Right to Life that the site violated its terms of service and gave the group 24 hours to find another host. It did, briefly, by way of Epik, a web host that has helped other controversial sites, like the far-right social network Gab, get back online. But that didn’t last long either.

As of Monday, the “whistleblower” website pointed to Texas Right to Life’s main website.


#abortion, #godaddy, #government, #health, #human-rights, #humans, #privacy, #security, #spokesperson, #texas, #womens-rights

How a Vungle-owned mobile marketer sent Fontmaker to the top of the App Store

Does this sound familiar? An app goes viral on social media, often including TikTok, then immediately climbs to the top of the App Store where it gains even more new installs thanks to the heightened exposure. That’s what happened with the recent No. 1 on the U.S. App Store, Fontmaker, a subscription-based fonts app which appeared to benefit from word-of-mouth growth thanks to TikTok videos and other social posts. But what we’re actually seeing here is a new form of App Store marketing — and one which now involves one of the oldest players in the space: Vungle.

Fontmaker, at first glance, seems to be just another indie app that hit it big.

The app, published by an entity called Mango Labs, promises users a way to create fonts using their own handwriting, which they can then access from a custom keyboard, for a fairly steep price of $4.99 per week. The app first launched on July 26. Nearly a month later, it was the No. 2 app on the U.S. App Store, according to Sensor Tower data. By August 26, it climbed up one more position to reach No. 1, before slowly dropping down in the top overall free app rankings in the days that followed.

By Aug. 27, it was No. 15, before briefly surging again to No. 4 the following day, then declining once more. Today, the app is No. 54 overall and No. 4 in the competitive Photo & Video category — still, a solid position for a brand-new and somewhat niche product targeting mainly younger users. To date, it’s generated $68,000 in revenue, Sensor Tower reports.

But Fontmaker may not be a true organic success story, despite its Top Charts success being driven by a boost in downloads coming from real users, not bots. Instead, it’s an example of how mobile marketers have figured out how to tap into the influencer community to drive app installs. It’s also an example of how hard it is to differentiate between apps driven by influencer marketing and those that hit the top of the App Store because of true demand, like walkie-talkie app Zello, whose recent trip to No. 1 can be attributed to Hurricane Ida.

As it turns out, Fontmaker is not your typical “indie app.” In fact, it’s unclear who’s really behind it. Its publisher, Mango Labs, LLC, is actually an iTunes developer account owned by the mobile growth company JetFuel, which was recently acquired by the mobile ad and monetization firm Vungle — a longtime and sometimes controversial player in this space, itself acquired by Blackstone in 2019.

Vungle was primarily interested in JetFuel’s main product, an app called The Plug, aimed at influencers.

Through The Plug, mobile app developers and advertisers can connect to JetFuel’s network of over 15,000 verified influencers who have a combined 4 billion Instagram followers, 1.5 billion TikTok followers, and 100 million daily Snapchat views.

While marketers could use the built-in advertising tools on each of these networks to try to reach their target audience, JetFuel’s technology allows marketers to quickly scale their campaigns to reach high-value users in the Gen Z demographic, the company claims. This system can be less labor-intensive than traditional influencer marketing, in some cases. Advertisers pay on a cost-per-action (CPA) basis for app installs. Meanwhile, all influencers have to do is scroll through The Plug to find an app to promote, then post it to their social accounts to start making money.

Image Credits: The Plug’s website, showing influencers how the platform works

So while yes, a lot of influencers may have made TikTok videos about Fontmaker, which prompted consumers to download the app, the influencers were paid to do so. (And often, from what we saw browsing the Fontmaker hashtag, without disclosing that financial relationship in any way — an increasingly common problem on TikTok, and area of concern for the FTC.)

Where things get tricky is in trying to sort out Mango Labs’ relationship with JetFuel/Vungle. As a consumer browsing the App Store, it looks like Mango Labs makes a lot of fun consumer apps of which Fontmaker is simply the latest.

JetFuel’s website helps to promote this image, too.

It had showcased its influencer marketing system using a case study from an “indie developer” called Mango Labs and one of its earlier apps, Caption Pro. Caption Pro launched in Jan. 2018. (App Annie data indicates it was removed from the App Store on Aug. 31, 2021…yes, yesterday).

Image Credits: App Annie

Vungle, however, told TechCrunch “The Caption Pro app no longer exists and has not been live on the App Store or Google Play for a long time.” (We can’t find an App Annie record of the app on Google Play).

They also told us that “Caption Pro was developed by Mango Labs before the entity became JetFuel,” and that the case study was used to highlight JetFuel’s advertising capabilities. (But without clearly disclosing their connection.)

“Prior to JetFuel becoming the influencer marketing platform that it is today, the company developed apps for the App Store. After the company pivoted to become a marketing platform, in February 2018, it stopped creating apps but continued to use the Mango Labs account on occasion to publish apps that it had third-party monetization partnerships with,” the Vungle spokesperson explained.

In other words, the claim being made here is that while Mango Labs was originally the same team that later pivoted to become JetFuel (and that built Caption Pro), the newer apps published under “Mango Labs, LLC” were not created by JetFuel’s team itself.

“Any apps that appear under the Mango Labs LLC name on the App Store or Google Play were in fact developed by other companies, and Mango Labs has only acted as a publisher,” the spokesperson said.

Image Credits: JetFuel’s website describing Mango Labs as an “indie developer”

There are reasons why this statement doesn’t quite sit right — and not only because JetFuel’s partners seem happy to hide themselves behind Mango Labs’ name, nor because Mango Labs was a project from the JetFuel team in the past. It’s also odd that Mango Labs and another entity, Takeoff Labs, claim the same set of apps. And like Mango Labs, Takeoff Labs is associated with JetFuel too.

Breaking this down, as of the time of writing, Mango Labs has published several consumer apps on both the App Store and Google Play.

On iOS, this includes the recent No. 1 app Fontmaker, as well as FontKey, Color Meme, Litstick, Vibe, Celebs, FITme Fitness, CopyPaste, and Part 2. On Google Play, it has two more: Stickered and Mango.

Image Credits: Mango Labs

Most of Mango Labs’ App Store listings point to JetFuel’s website as the app’s “developer website,” which would be in line with what Vungle says about JetFuel acting as the apps’ publisher.

What’s odd, however, is that the Mango Labs app Part 2 links to Takeoff Labs’ website from its App Store listing.

The Vungle spokesperson initially told us that Takeoff Labs is “an independent app developer.”

And yet, the Takeoff Labs’ website shows a team which consists of JetFuel’s leadership, including JetFuel co-founder and CEO Tim Lenardo and JetFuel co-founder and CRO JJ Maxwell. Takeoff Labs’ LLC application was also signed by Lenardo.

Meanwhile, Takeoff Labs’ co-founder and CEO Rhai Goburdhun, per his LinkedIn and the Takeoff Labs website, still works there. Asked about this connection, Vungle told us it did not realize the website had not been updated, and that neither JetFuel nor Vungle has an ownership stake in Takeoff Labs with this acquisition.

Image Credits: Takeoff Labs’ website showing its team, including JetFuel’s co-founders.

Takeoff Labs’ website also shows off its “portfolio” of apps, which includes Celeb, Litstick, and FontKey — three apps that are published by Mango Labs on the App Store.

On Google Play, Takeoff Labs is the developer credited with Celebs, as well as two other apps, Vibe and Teal, a neobank. But on the App Store, Vibe is published by Mango Labs.

Image Credits: Takeoff Labs’ website, showing its app portfolio.

(Not to complicate things further, but there’s also an entity called RealLabs which hosts JetFuel, The Plug and other consumer apps, including Mango — the app published by Mango Labs on Google Play. Someone sure likes naming things “Labs!”)

Vungle claims the confusion here has to do with how it now uses the Mango Labs iTunes account to publish apps for its partners, which is a “common practice” on the App Store. It says it intends to transfer the apps published under Mango Labs to the developers’ accounts, because it agrees this is confusing.

Vungle also claims that JetFuel “does not make nor own any consumer apps that are currently live on the app stores. Any of the apps made by the entity when it was known as Mango Labs have long since been taken down from the app stores.”

JetFuel’s system is messy and confusing, but so far successful in its goals. Fontmaker did make it to No. 1, essentially growth hacked to the top by influencer marketing.

But as a consumer, what this all means is that you’ll never know who actually built the app you’re downloading or whether you were “influenced” to try it through what were, essentially, undisclosed ads.

Fontmaker isn’t the first to growth hack its way to the top through influencer promotions. Summertime hit Poparazzi also hyped itself to the top of the App Store in a similar way, as have many others. But Poparazzi has since sunk to No. 89 in Photo & Video, which shows influence can only take you so far.

As for Fontmaker, paid influence got it to No. 1, but its Top Chart moment was brief.


Netflix begins testing mobile games in its Android app in Poland

Netflix today announced it will begin testing mobile games inside its Android app for its members in Poland. At launch, paying subscribers will be able to try out two games, “Stranger Things: 1984” and “Stranger Things 3” — titles that have been previously available on the Apple App Store, Google Play and, in the case of the newer release, on other platforms including desktop and consoles. While the games are offered to subscribers from within the Netflix mobile app’s center tab, users will still be directed to the Google Play Store to install the game on their devices.

To then play, members will need to confirm their Netflix credentials.

Members can later return to the game at any time by clicking “Play” on the game’s page from inside the Netflix app or by launching it directly from their mobile device.

“It’s still very, very early days and we will be working hard to deliver the best possible experience in the months ahead with our no ads, no in-app purchases approach to gaming,” a Netflix spokesperson said about the launch.

The company has been expanding its investment in gaming for years, seeing the potential for a broader entertainment universe that ties in to its most popular shows. At the E3 gaming conference back in 2019, Netflix detailed a series of gaming integrations across popular platforms like Roblox and Fortnite and its plans to bring new “Stranger Things” games to the market.

On mobile, Netflix has been working with the Allen, Texas-based game studio BonusXP, whose first game for Netflix, “Stranger Things: The Game,” has now been renamed “Stranger Things: 1984” to better differentiate it from others. While that game takes place after season 1 and before season 2, in the “Stranger Things” timeline, the follow-up title, “Stranger Things 3,” is a playable version of the third season of the Netflix series. (So watch out for spoilers!)

Netflix declined to share how popular the games had been in terms of users or installs, while they were publicly available on the app stores.

With the launch of the test in Poland, Netflix says users will need to have a membership to download the titles as they’re now exclusively available to subscribers. However, existing users who already downloaded the game from Google Play in the past will not be impacted. They will be able to play the game as usual or even re-download it from their account library if they used to have it installed. But new players will only be able to get the game from the Netflix app.

The test aims to better understand how mobile gaming will resonate with Netflix members and determine what other improvements Netflix may need to make to the overall functionality, the company said. It chose Poland as the initial test market because it has an active mobile gaming audience, which made it seem like a good fit for this early feedback.

Netflix couldn’t say when it would broaden this test to other countries, beyond “the coming months.”

The streamer recently announced during its second-quarter earnings that it would add mobile games to its offerings, noting that it views gaming as “another new content category” for its business, similar to its “expansion into original films, animation and unscripted TV.”

The news followed what had been a sharp slowdown in new customers after the pandemic-fueled boost to streaming. In North America, Netflix in Q2 lost a sizable 430,000 subscribers — its third-ever quarterly decline in a decade. It also issued weaker guidance for the upcoming quarter, forecasting the addition of 3.5 million subscribers when analysts had been looking for 5.9 million. But Netflix downplayed the threat of competition on its slowing growth, instead blaming a lighter content slate, in part due to Covid-related production delays.



Social platforms wrestle with what to do about the Taliban

With the hasty U.S. military withdrawal from Afghanistan underway after two decades occupying the country, social media platforms have a complex new set of policy decisions to make.

The Taliban has been social media-savvy for years, but those companies will face new questions as the notoriously brutal, repressive group seeks to present itself as Afghanistan’s legitimate governing body to the rest of the world. Given its ubiquity among political leaders and governments, social media will likely play an even more central role for the Taliban as it seeks to cement control and move toward governing.

Facebook has taken some early precautions to protect its users from potential reprisals as the Taliban seizes power. Through Twitter, Facebook’s Nathaniel Gleicher announced a set of new measures the platform rolled out over the last week. The company added a “one-click” way for people in Afghanistan to instantly lock their accounts, hiding posts on their timeline and preventing anyone they aren’t friends with from downloading or sharing their profile picture.

Facebook also removed the ability for users to view and search anyone’s friends list for people located in Afghanistan. On Instagram, pop-up alerts will provide Afghanistan-based users with information on how to quickly lock down their accounts.

The Taliban has long been banned on Facebook under the company’s rules against dangerous organizations. “The Taliban is sanctioned as a terrorist organization under US law… This means we remove accounts maintained by or on behalf of the Taliban and prohibit praise, support, and representation of them,” a Facebook spokesperson told the BBC.

The Afghan Taliban is actually not designated as a foreign terrorist organization by the U.S. State Department, but the Taliban operating out of Pakistan has held that designation since 2010. While it doesn’t appear on the list of foreign terrorist organizations, the Afghanistan-based Taliban is defined as a terror group according to economic sanctions that the U.S. put in place after 9/11.

While the Taliban is also banned from Facebook-owned WhatsApp, the platform’s end-to-end encryption makes enforcing those rules on WhatsApp more complex. WhatsApp is ubiquitous in Afghanistan, and both the Afghan military and the Taliban have relied on the chat app to communicate in recent years. Though Facebook doesn’t allow the Taliban on its platforms, the group turned to WhatsApp to communicate its plans to seize control to the Afghan people and discourage resistance in what was a shockingly swift and frictionless sprint to power. The Taliban even set up a WhatsApp number as a sort of help line for Afghans to report violence or crime, but Facebook quickly shut down the account.

Earlier this week, Facebook’s VP of content policy Monika Bickert noted that even if the U.S. does ultimately remove the Taliban from its lists of sanctioned terror groups, the platform would reevaluate and make its own decision. “… We would have to do a policy analysis on whether or not they nevertheless violate our dangerous organizations policy,” Bickert said.

Like Facebook, YouTube maintains that the Taliban is banned from its platform. YouTube’s own decision also appears to align with sanctions and could be subject to change if the U.S. approach to the Taliban shifts.

“YouTube complies with all applicable sanctions and trade compliance laws, including relevant U.S. sanctions,” a YouTube spokesperson told TechCrunch. “As such, if we find an account believed to be owned and operated by the Afghan Taliban, we terminate it. Further, our policies prohibit content that incites violence.”

On Twitter, Taliban spokesperson Zabihullah Mujahid has continued to share regular updates about the group’s activities in Kabul. Another Taliban representative, Qari Yousaf Ahmadi, also freely posts on the platform. Unlike Facebook and YouTube, Twitter doesn’t have a blanket ban on the group but will enforce its policies on a post-by-post basis.

If the Taliban expands its social media footprint, other platforms might be facing the same set of decisions. TikTok did not respond to TechCrunch’s request for comment, but previously told NBC that it considers the Taliban a terrorist organization and does not allow content that promotes the group.

The Taliban doesn’t appear to have a foothold beyond the most mainstream social networks, but it’s not hard to imagine the former insurgency turning to alternative platforms to remake its image as the world looks on.

While Twitch declined to comment on what it might do if the group were to use the platform, it does have a relevant policy that takes “off-service conduct” into account when banning users. That policy was designed to address reports of abusive behavior and sexual harassment among Twitch streamers.

The new rules also apply to accounts linked to violent extremism, terrorism, or other serious threats, whether those actions take place on or off Twitch. That definition would likely preclude the Taliban from establishing a presence on the platform, even if the U.S. lifts sanctions or changes its terrorist designations in the future.


Google says geofence warrants make up one-quarter of all US demands

For the first time, Google has published the number of geofence warrants it’s historically received from U.S. authorities, providing a rare glimpse into how frequently these controversial warrants are issued.

The figures, published Thursday, reveal that Google has received thousands of geofence warrants each quarter since 2018, and at times accounted for about one-quarter of all U.S. warrants that Google receives. The data shows that the vast majority of geofence warrants are obtained by local and state authorities, with federal law enforcement accounting for just 4% of all geofence warrants served on the technology giant.

According to the data, Google received 982 geofence warrants in 2018, 8,396 in 2019, and 11,554 in 2020. But the figures only provide a small glimpse into the volume of warrants received, and Google did not break down how often it pushes back on overly broad requests. A spokesperson for Google would not comment on the record.

Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project (STOP), which led efforts by dozens of civil rights groups to lobby for the release of these numbers, commended Google for releasing the numbers.

“Geofence warrants are unconstitutionally broad and invasive, and we look forward to the day they are outlawed completely,” said Cahn.

Geofence warrants are also known as “reverse-location” warrants, since they seek to identify people of interest who were in the near-vicinity at the time a crime was committed. Police do this by asking a court to order Google, which stores vast amounts of location data to drive its advertising business, to turn over details of who was in a geographic area, such as a radius of a few hundred feet at a certain point in time, to help identify potential suspects.

Google has long shied away from providing these figures, in part because geofence warrants are largely thought to be unique to Google. Law enforcement has long known that Google stores vast troves of location data on its users in a database called Sensorvault, first revealed by The New York Times in 2019.

Sensorvault is said to have detailed location data on “at least hundreds of millions of devices worldwide,” collected from users’ phones when they use an Android device with location data switched on, or Google services like Google Maps and Google Photos, and even Google search results. In 2018, the Associated Press reported that Google could still collect users’ locations even when their location history is “paused.”

But critics have argued that geofence warrants are unconstitutional because the authorities compel Google to turn over data on everyone else who was in the same geographic area.

Worse, these warrants have been known to ensnare entirely innocent people.

TechCrunch reported earlier this year that Minneapolis police used a geofence warrant to identify individuals accused of sparking violence in the wake of the police killing of George Floyd last year. One person on the ground who was filming and documenting the protests had his location data requested by police for being close to the violence. NBC News reported last year on a Gainesville, Fla. resident whose information was given by Google to police investigating a burglary; he was able to prove his innocence thanks to an app on his phone that tracked his fitness activity.

Although the courts have yet to deliberate widely on the legality of geofence warrants, some states are drafting laws to push back against them. New York lawmakers proposed a bill last year that would ban geofence warrants in the state, amid fears that police could use these warrants to target protesters — as happened in Minneapolis.

Cahn, who helped introduce the New York bill last year, said the newly released data will “help spur lawmakers to outlaw the technology.”

“Let’s be clear, the number of geofence warrants should be zero,” he said.


Apple’s CSAM detection tech is under fire — again

Apple has encountered monumental backlash to a new child sexual abuse imagery (CSAM) detection technology it announced earlier this month. The system, which Apple calls NeuralHash, has yet to be activated for its billion-plus users, but the technology is already facing heat from security researchers who say the algorithm is producing flawed results.

NeuralHash is designed to identify known CSAM on a user’s device without having to possess the image or know its contents. Because a user’s photos stored in iCloud are end-to-end encrypted so that even Apple can’t access the data, NeuralHash instead scans for known CSAM on a user’s device, which Apple claims is more privacy friendly, as it limits the scanning to just photos rather than scanning all of a user’s files, as other companies do.

Apple does this by looking for images on a user’s device whose hash — a string of letters and numbers that can uniquely identify an image — matches one of the hashes provided by child protection organizations like NCMEC. If NeuralHash finds 30 or more matching hashes, the images are flagged to Apple for a manual review before the account owner is reported to law enforcement. Apple says the chance of a false positive is about one in one trillion accounts.

But security experts and privacy advocates have expressed concern that the system could be abused by highly-resourced actors, like governments, to implicate innocent victims or to manipulate the system to detect other materials that authoritarian nation states find objectionable. NCMEC called critics the “screeching voices of the minority,” according to a leaked memo distributed internally to Apple staff.

Last night, Asuhariet Ygvar reverse-engineered Apple’s NeuralHash into a Python script and published code to GitHub, allowing anyone to test the technology regardless of whether they have an Apple device. In a Reddit post, Ygvar said NeuralHash “already exists” in iOS 14.3 as obfuscated code, and that he was able to reconstruct the technology to help other security researchers understand the algorithm better before it’s rolled out to iOS and macOS devices later this year.

It didn’t take long before others tinkered with the published code and soon came the first reported case of a “hash collision,” which in NeuralHash’s case is where two entirely different images produce the same hash. Cory Cornelius, a well-known research scientist at Intel Labs, discovered the hash collision. Ygvar confirmed the collision a short time later.

Hash collisions can be a death knell to systems that rely on cryptography to keep them secure, such as encryption. Over the years several well-known password hashing algorithms, like MD5 and SHA-1, were retired after collision attacks rendered them ineffective.

Kenneth White, a cryptography expert and founder of the Open Crypto Audit Project, said in a tweet: “I think some people aren’t grasping that the time between the iOS NeuralHash code being found and [the] first collision was not months or days, but a couple of hours.”

When reached, an Apple spokesperson declined to comment on the record. But in a background call where reporters were not allowed to quote executives directly or by name, Apple downplayed the hash collision and argued that the protections it puts in place — such as a manual review of photos before they are reported to law enforcement — are designed to prevent abuses. Apple also said that the version of NeuralHash that was reverse-engineered is a generic version, and not the complete version that will roll out later this year.

It’s not just civil liberties groups and security experts that are expressing concern about the technology. A senior lawmaker in the German parliament sent a letter to Apple chief executive Tim Cook this week saying that the company is walking down a “dangerous path” and urged Apple not to implement the system.


Google to introduce increased protections for minors on its platform, including Search, YouTube and more

Weeks after Instagram rolled out increased protections for minors using its app, Google is now doing the same for its suite of services, including Google search, YouTube, YouTube Kids, Google Assistant, and others. The company this morning announced a series of product and policy changes that will allow younger people to stay more private and protected online and others that will limit ad targeting.

The changes in Google’s case are even more expansive than those Instagram announced, as they span across an array of Google’s products, instead of being limited to a single app.

Though Congress has been pressing Google and other tech companies on the negative impacts their services may have on children, not all changes being made are being required by law, Google says.

“While some of these updates directly address upcoming regulations, we’ve gone beyond what’s required by law to protect teens on Google and YouTube,” a Google spokesperson told TechCrunch. “Many of these changes also extend beyond any single current or upcoming regulation. We’re looking at ways to develop consistent product experiences and user controls for kids and teens globally,” they added.

In other words, Google is building in some changes based on where it believes the industry is going, rather than where it is right now.

On YouTube, Google says it will “gradually” start adjusting the default upload setting to the most private option for users ages 13 to 17 in the weeks ahead, which will limit the visibility of videos to the users themselves and those they directly share with, not the wider public. These younger teen users won’t necessarily be prevented from changing the setting back to “public,” but they will now have to make an explicit and intentional choice when doing so. YouTube will then provide reminders indicating who can see their video, the company notes.

YouTube will also turn on its “take a break” and bedtime reminders by default for all users ages 13 to 17 and will turn off autoplay. Again, these changes are related to the default settings — users can disable the digital well-being features if they choose.

On YouTube’s platform for younger children, YouTube Kids, the company will also add an autoplay option, which is turned off by default so parents will have to decide whether or not they want to use autoplay with their children. The change puts the choice directly in parents’ hands, after complaints from child safety advocates and some members of Congress suggested such an algorithmic feature was problematic. Later, parents will also be able to “lock” their default selection.

YouTube will also remove “overly commercial content” from YouTube Kids, in a move that also follows increased pressure from consumer advocacy groups and childhood experts, who have long argued that YouTube encourages kids to spend money (or rather, to beg their parents to do so). How YouTube will draw the line between acceptable and “overly commercial” content is less clear, but the company says it will, for example, remove videos that focus on product packaging — like the popular “unboxing” videos. This could impact some of YouTube’s larger creators of videos for kids, like multi-millionaire Ryan’s Toy Review.


Image Credits: YouTube

Elsewhere on Google, other changes impacting minors will also begin rolling out.

In the weeks ahead, Google will introduce a new policy that will allow anyone under the age of 18, or a parent or guardian, to request the removal of their images from Google Image search results. This expands upon the existing “right to be forgotten” privacy policies already live in the E.U., but will introduce new products and controls for both kids and teenagers globally.

The company will make a number of adjustments to user accounts for people under the age of 18, as well.

In addition to the changes to YouTube, Google will restrict access to adult content by enabling its SafeSearch filtering technology by default to all users under 13 managed by its Google Family Link service. It will also enable SafeSearch for all users under 18 and make this the new default for teens who set up new accounts. Google Assistant will enable SafeSearch protections by default on shared devices, like smart screens and their web browsers. In school settings where Google Workspace for Education is used, SafeSearch will be the default and switching to Guest Mode and Incognito Mode web browsing will be turned off by default, too, as was recently announced.

Meanwhile, location history is already off by default on all Google accounts, but children with supervised accounts now won’t be able to enable it. This change will be extended to all users under 18 globally, meaning location history can’t be enabled at all until the user is a legal adult.

On Google Play, the company will launch a new section that will inform parents about which apps follow its Families policies, and app developers will have to disclose how their apps collect and use data. These features — which were partially inspired by Apple’s App Store Privacy Labels — had already been detailed for Android developers before today.

Google’s parental control tools are also being expanded. Parents and guardians who are Family Link users will gain new abilities to filter and block news, podcasts, and access to webpages on Assistant-enabled smart devices.

For advertisers, there are significant changes in store, too.

Google says it will expand safeguards to prevent age-sensitive ad categories from being shown to teens and it will block ad targeting based on factors like age, gender, or interests for users under 18. While somewhat similar to the advertising changes Instagram introduced, as ads will no longer leverage “interests” data for targeting young teens and kids, Instagram was still allowing targeting by age and gender. Google will not. The advertising changes will roll out globally in the “coming months,” the company says.

All the changes across Google and YouTube will roll out globally in the coming weeks and months.



Cent, the platform that Jack Dorsey used to sell his first tweet as an NFT, raises $3M

Cent was founded in 2017 as an ad-free creator network that allows users to offer each other crypto rewards for good posts and comments — it’s like gifting awards on Reddit, but with Ethereum. But in late 2020, Cent’s small, San Francisco-based team created Valuables, an NFT market for tweets, and by March, the small blockchain startup was thrown a serendipitous curveball.

“We just wrapped up for the day, and I was about to go eat dinner, and all these people started texting me,” remembers CEO Cameron Hejazi. Then, he realized that Twitter CEO Jack Dorsey had minted Twitter’s first ever Tweet through Cent’s Valuables application. “I was basically like, mildly shivering for the rest of the night. The whole team, we were like, ‘Okay, battle stations, prepare to get hacked!’”

Dorsey ended up selling his NFT for $2.9 million, and he donated the proceeds to Give Directly’s Africa Response fund for COVID-19 relief. But for Cent, it was as if the small company had just been handed a free marketing campaign. Now, about five months later, Cent is announcing a $3 million round of seed funding with investors like Galaxy Interactive, former Disney chairman Jeffrey Katzenberg, Will.I.Am, and Zynga founder Mark Pincus.

On Valuables, anyone on the internet can place an offer on any tweet, which then makes it possible for someone else to make a counter-offer. If the author of the tweet accepts an offer (logging into Valuables requires you to validate your Twitter account), then Cent will mint the tweet on the blockchain and create a 1-of-1 NFT.

The NFT itself contains the text of the tweet, the username of the creator, the time it was minted, and the creator’s digital signature. The NFT also includes a link to the tweet, though the linked content lives outside the blockchain.

There’s nothing proprietary about minting tweets as NFTs — another company could do the same thing that Cent is doing. Even Twitter itself has recently dabbled in giving away free NFT art, though it hasn’t tried to sell actual tweets as NFTs like Cent. Still, Hejazi sees Dorsey’s use of Cent like an endorsement — he thinks it would be difficult for Twitter to shut them down, since Dorsey made $2.9 million on the platform himself. After all, Dorsey chose Cent instead of taking a screenshot of his first tweet, minting the .JPG as an NFT, and posting it on a larger NFT platform, like OpenSea.

“We’ve spoken with people at Twitter. I’m positive that we have a healthy relationship going,” Hejazi said (Twitter declined to comment on or confirm whether that’s true). “We thought about applying this approach to other social platforms, like Instagram and TikTok, but we hypothesized that this is particularly suited for Twitter, because it’s a conversation platform, and it’s where all of the crypto people are actually living.”

With Cent’s seed funding, Hejazi hopes to continue building the platform. The company’s goal is to enable anyone creative to make an income through the use of NFTs — that means developing tools to make it simpler for its users to mint NFTs, but also building out its existing creator-focused social network. The content people post on Cent is usually creative work, like art and writing, rather than short posts — it’s closer to DeviantArt than it is to Reddit. These are lofty goals for a $3 million seed funding round, but there are aspects of Cent’s Beta platform that make it promising.

“There’s already value in what we post on social media. It’s just being proxied through ad dollars, and it doesn’t have to be the case that there’s so much wealth concentration in a single entity. We can work toward a system that decentralizes that wealth,” said Hejazi. “These networks as they exist have monopolies on distribution — you can’t take your Twitter audience, download it as a .CSV, and send them all an email.”

A screenshot of Cent’s social platform.

In addition to independent distribution lists, Hejazi wants to move away from the ad-supported internet. He references Substack as an example of a company where the creator has control of their list, and at the same time, the platform can remain ad-free, since the money that propels it comes from the users who pay to subscribe to newsletters (and also, venture capital helps).

But Cent does something different by allowing users to essentially invest in creators who they think have the potential to take off on their platform.

Users can “seed” a post, which is how you subscribe to a creator participating on the creatives side of Cent’s platform. As the seeder, you pay a set fee of at least one dollar per month. There’s an incentive to support up-and-coming creators on the platform, because seeders get a portion of the creators’ future profit — it’s like making a bet on them that they will continue to make great content in the future. Five percent of profits go toward Cent, but the remaining 95% is split 50/50 between the creator and all of their past seeders. Participating on this platform would allow creators to network and show support for one another, but doesn’t prevent them from more directly monetizing their work on other creator platforms, like Patreon.

In addition to seeding posts, users can also “spot” other people’s posts — Cent’s version of a “like” button. Each “spot” is the equivalent of one cent from the user’s crypto wallet. Cent’s argument is that getting 1,000 likes on a post on other platforms yields nothing but a vague sensation of social clout. But on Cent, if a user gets 1,000 “spots,” that’s $10. Still, a project like this can only work if enough people use the platform.

“When we started Cent, we chose cryptocurrencies because we loved the idea of someone being able to earn money with nothing more than their creativity and a crypto address,” Hejazi said. “Over time, we’ve found it to be limiting as a payment type — very few people actually own it and have it ready to spend. We’re working on ways to make payments to creators using Cent easier, and are exploring both crypto-native and non-crypto options.”

This mindset echoes other NFT startups like Yat, which allows payments via credit card as part of its “progressive decentralization” model. So much of these companies’ success depends on public buy-in toward an eventual decentralized, blockchain-based internet. But until then, companies like Cent will continue to experiment in reimagining how creatives can get paid online.

#apps, #author, #blockchain, #ceo, #chairman, #computing, #cryptocurrencies, #deviantart, #disney, #ethereum, #funding, #jack-dorsey, #jeffrey-katzenberg, #mark-pincus, #operating-systems, #penny, #social-media, #software, #spokesperson, #twitter, #venture-capital, #zynga

A Silicon Valley VC firm with $1.8B in assets was hit by ransomware

Advanced Technology Ventures, a Silicon Valley venture capital firm with more than $1.8 billion in assets under its management, was hit by a ransomware attack in July that saw cybercriminals steal personal information on the company’s private investors, or limited partners (LPs).

In a letter to the Maine attorney general’s office, ATV said it became aware of the attack on July 9 after its servers storing financial information had been encrypted by ransomware. By July 26, ATV learned that data had been stolen from the servers before the files were encrypted, a common “double extortion” tactic in which the ransomware group also threatens to publish the stolen files online if the ransom to decrypt the files is not paid.

The letter said ATV believes the names, email addresses, phone numbers and Social Security numbers of the individual investors in ATV’s funds were stolen in the attack. Some 300 individuals were affected by the incident, including one person in Maine, according to a listing on the Maine attorney general’s data breach notification portal.

Venture capital firms often do not disclose all of their LPs — the investors who have thrown millions into an investment vehicle — to the public. A number of pre-approved names may be included in an announcement, but overall, a company’s private investors try to stay that way: private. The reasons vary, but it comes down to secrecy and a degree of competitive advantage: The firm may not want competitors to know who is backing them, and an investor may not want others to know where their money is going. This particular attack likely stole key information on a hush-hush part of how venture money works.

ATV said it notified the FBI about the attack. A spokesperson for the FBI did not immediately comment when reached by TechCrunch. ATV’s managing director Mike Carusi did not respond to questions sent by TechCrunch on Monday.

The venture capital firm, based in Menlo Park, California, with offices in Boston, was founded in 1979 and invests largely in technology, communications, software and services, and healthcare technology. The company was an early investor in many of the startups from the last decade, like movie-ticketing company Fandango, Host Analytics (now Planful) and Apptegic (now Evergage). Its more recent investments include security company Tripwire, which was later sold to Belden for $710 million; Cedexis, a network traffic monitoring startup acquired by Cisco in 2018; and Actifio, a data management company sold to Google in 2020.


Natasha Mascarenhas contributed reporting. Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send TechCrunch files or documents using our SecureDrop.

#attorney-general, #atv, #boston, #california, #cedexis, #cisco, #cybercrime, #encryption, #fandango, #federal-bureau-of-investigation, #google, #healthcare-technology, #maine, #private-equity, #ransomware, #securedrop, #security, #signal, #software, #spokesperson, #venture-capital

EU hits Amazon with record-breaking $887M GDPR fine over data misuse

Luxembourg’s National Commission for Data Protection (CNPD) has hit Amazon with a record-breaking €746 million ($887m) GDPR fine over the way it uses customer data for targeted advertising purposes.

Amazon disclosed the ruling in an SEC filing on Friday in which it slammed the decision as baseless and added that it intended to defend itself “vigorously in this matter.”

“Maintaining the security of our customers’ information and their trust are top priorities,” an Amazon spokesperson said in a statement. “There has been no data breach, and no customer data has been exposed to any third party. These facts are undisputed.

“We strongly disagree with the CNPD’s ruling, and we intend to appeal. The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The penalty is the result of a 2018 complaint by French privacy rights group La Quadrature du Net, a group that claims to represent the interests of thousands of Europeans to ensure their data isn’t used by big tech companies to manipulate their behavior for political or commercial purposes. The complaint, which also targets Apple, Facebook, Google and LinkedIn and was filed on behalf of more than 10,000 customers, alleges that Amazon manipulates customers for commercial means by choosing what advertising and information they receive.

La Quadrature du Net welcomed the fine issued by the CNPD, which “comes after three years of silence that made us fear the worst.”

“The model of economic domination based on the exploitation of our privacy and free will is profoundly illegitimate and contrary to all the values that our democratic societies claim to defend,” the group added in a blog post published on Friday.

The CNPD has also ordered Amazon to change its business practices. However, the regulator has not publicly commented on its decision, and Amazon did not specify what revised business practices it is proposing.

The record penalty, which trumps the €50 million GDPR penalty levied against Google in 2019, comes amid heightened scrutiny of Amazon’s business in Europe. In November last year, the European Commission announced formal antitrust charges against the company, saying the retailer has misused its position to compete against third-party businesses using its platform. At the same time, the Commission opened a second investigation into its alleged preferential treatment of its own products on its site and those of its partners.

#amazon, #apple, #big-tech, #companies, #computing, #data-protection, #data-security, #europe, #european-commission, #facebook, #general-data-protection-regulation, #google, #policy, #privacy, #spokesperson, #tc, #u-s-securities-and-exchange-commission

Calgary’s parking authority exposed drivers’ personal data and tickets

If you parked your car in one of the thousands of parking spots across Calgary, there’s a good chance you paid the Calgary Parking Authority for the privilege. But soon you might be hearing from the authority after a recent security lapse exposed the personal information of vehicle owners.

The parking authority oversees about 14% of the paid parking spots in the Calgary region, and lets drivers pay to park their cars by a parking kiosk, online, or through the phone app by entering their vehicle’s license plate and their payment details.

But a logging server used to monitor the authority’s parking system for bugs and errors was left on the internet without a password. The server contained machine-readable technical logs, but also records of real-world events like payments and parking tickets, and those records contained drivers’ personal information.

A review of the logs by TechCrunch found contact information, like drivers’ full names, dates of birth, phone numbers, email addresses and postal addresses, as well as details of parking tickets and parking offenses — which included license plates and vehicle descriptions — and in some cases the location data of where the alleged parking offense took place. The logs also contained some partial card payment numbers and expiry dates.

None of the data was encrypted.

Because the server’s data was entangled with logs and other computer-readable data, it’s not known exactly how many people had their information exposed by the security lapse. (In 2019, the Calgary Parking Authority issued more than 450,000 parking tickets, up by 69% in five years.)
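The lapse above has two layers: the logging server was reachable without authentication, and the application had written customer records into its logs in the first place. Authentication fixes the first; the second is fixed by scrubbing personal data before events leave the application. The following is an added example, not the Calgary Parking Authority’s code (its log format is not public): a redaction filter that drops the value of fields known to carry personal data, replaces emails and phone numbers wherever they appear, and masks card numbers while leaving other long digit strings alone by running a Luhn check. The sample events, field names and values are all constructed for illustration.

```python
"""Scrub personal data from application log lines before shipping them to a
central logging server. Added example; field names and events are constructed
and do not describe any real system's log format."""
import re

# Constructed events modelled on the categories the article lists
# (payments, tickets, contact details). Every value is made up.
SAMPLE_LOGS = [
    "2021-07-12T14:03:11Z INFO payment ok plate=ABC1234 email=jane.doe@example.com "
    "phone=403-555-0142 card=4111111111111111 exp=09/23 amount=4.50",
    "2021-07-12T14:05:40Z INFO ticket issued plate=XYZ9876 name=\"John Smith\" "
    "dob=1985-04-17 addr=\"12 Main St NW\" loc=51.0447,-114.0719",
    "2021-07-12T14:06:02Z DEBUG kiosk k-17 heartbeat ok serial=1234567890123456",
]

# Keys whose whole value is personal data (assumed names): drop the value but
# keep the key, so the event stays parseable and dashboards keep working.
SENSITIVE_KEYS = ("name", "dob", "addr", "plate", "loc", "exp")
KEYED_RE = re.compile(r'\b(%s)=("[^"]*"|\S+)' % "|".join(SENSITIVE_KEYS))

# Identifiers that can turn up anywhere, including in free-text messages.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHONE_RE = re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; distinguishes card numbers from other long digit runs
    such as device serials, which would otherwise be masked as well."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match: "re.Match[str]") -> str:
    """Keep the BIN and last four (enough for support), mask the middle."""
    digits = match.group(0)
    if not luhn_ok(digits):
        return digits                       # not a card number; leave intact
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Apply field-level redaction first, then the free-text patterns.
    Card numbers are masked before the phone pattern runs so a 16-digit
    PAN can never be partially consumed as a phone number."""
    line = KEYED_RE.sub(r"\1=<redacted>", line)
    line = EMAIL_RE.sub("<email>", line)
    line = PAN_RE.sub(mask_pan, line)
    line = PHONE_RE.sub("<phone>", line)
    return line


def redact_all(lines):
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for original, scrubbed in zip(SAMPLE_LOGS, redact_all(SAMPLE_LOGS)):
        print("-", original)
        print("+", scrubbed)
```

The filter belongs in the application’s logging handler, so that the raw record never reaches the log shipper; a scrubber running on the logging server itself would not have helped here, because that server was the thing exposed. Pattern matching is a backstop, not a guarantee (a name in a free-text message, or a card number split by spaces, slips through), so the stronger control is to not log those fields at all and to treat the logging server as holding customer data regardless: authentication, no public listener, and retention limits.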

Security researcher Anurag Sen found the exposed server and asked TechCrunch for help in reporting it to its owner. The server was secured on Tuesday, a day after TechCrunch contacted the authority.

A spokesperson for the authority confirmed that the server had been exposed since May 13, though data seen by TechCrunch shows records dating back to at least the start of the year. The authority also told TechCrunch that the exposure was due to human error and that it was investigating its logs to determine if anyone else had accessed the server.

“We at the CPA take this very seriously,” Moe Houssaini, the acting general manager for the Calgary Parking Authority, told TechCrunch in a statement. “Any public access has been disabled and we are actively investigating to determine what exact data was impacted and what unauthorized access may have occurred. We apologize to our customers and will be reaching out to all individuals who may have been impacted. Protecting the security of our systems and privacy of our customers is a top priority of the CPA. It was an isolated error, and the database has now been secured. We are reviewing our procedures to ensure that this does not happen again.”

The Calgary Parking Authority recently made headlines after it canceled more than a thousand parking tickets for drivers who were attending a COVID-19 vaccination center in the city.

Earlier this year, New York-based cashless parking startup ParkMobile reported a data breach that saw personal account information and license plates on some 21 million customers taken by hackers. The company blamed the breach on a vulnerability in an unspecified piece of third-party software.


#automotive, #calgary, #computer-security, #data-breach, #driver, #geico, #new-york, #parking, #parkmobile, #privacy, #securedrop, #security, #spokesperson, #transport

Trouble in fandom paradise: Tumblr users lash out against its beta subscription feature

The Tumblr community often refers to itself as the Wild West of the internet, and they’re not wrong. A text post with over 70,000 notes puts it best: “Tumblr is my favorite social media site because this place is literally uninhabitable for celebrities. No verification system, no algorithm that boosts their posts, it’s a completely lawless wasteland for them.”

But like any social media company, Tumblr needs to keep itself afloat in order for its users to continue sharing esoteric fan art, incomprehensible shitposts, and overly personal diary entries hidden beneath a “Read More” button. Yesterday, Tumblr announced the limited beta test of its Post+ subscription feature, which — if all goes as planned — will eventually let Tumblr users post paywalled content to subscribers that pay them $3.99, $5.99 or $9.99 per month.

Image Credits: Tumblr

Tumblr is far from the first social media platform to seek revenue this way — Twitter is rolling out Super Follows and a Tip Jar feature, and this week, YouTube announced a tipping feature too. Even Instagram is working on its own version of Twitter’s Super Follows that would let users create “exclusive stories.” But on a website with a community that prides itself as being a “completely lawless wasteland” for anyone with a platform (save for Wil Wheaton and Neil Gaiman, who are simply just vibing), the move toward paywalled content was not welcomed with open arms.

Monetization is a double-edged sword. It’s not considered uncool for a Tumblr artist to link to a third-party Patreon or Ko-fi site on their blog, where their most enthusiastic followers can access paywalled content or send them tips. So Post+ seems like an obvious way for Tumblr to generate revenue — instead of directing followers to other websites, they could build a way for fans to support creators on their own platform while taking a 5% cut. This isn’t unreasonable, considering that Twitter will take 3% revenue from its new monetization tools, while video-centric platforms like YouTube and Twitch take 30% and 50%, respectively. But Tumblr isn’t Twitter, or YouTube, or Twitch. Unlike other platforms, Tumblr doesn’t allow you to see other people’s follower counts, and no accounts are verified. It’s not as easy to tell whether the person behind a popular post has 100 followers or 100,000 followers, and the users prefer it that way. But Post+ changes that, giving bloggers an icon next to their username that resembles a Twitter blue check.

A Tumblr Post+ creator profile

Tumblr rolled out Post+ this week to a select group of hand-picked creators, including Kaijuno, a writer and astrophysicist. The platform announced Post+ on a new blog specific to this product, rather than its established staff blog, which users know to check for big announcements. So, as the most public user who was granted access, the 24-year-old blogger was the target of violent backlash from angry Tumblrites who didn’t want to see their favorite social media site turn into a hypercapitalist hellscape. When Kaijuno received death threats for beta testing Post+, Tumblr’s staff intervened and condemned harassment against Post+ users.

“We want to hear about what you like, what you love, and what concerns you. Even if it’s not very nice. Tell us. We can take it,” Tumblr wrote on its staff blog. “What we won’t ever accept is the targeted harassment and threats these creators have endured since this afternoon. […] all they’re doing is testing out a feature.”

Before making their post, a representative from Tumblr’s staff reached out to Kaijuno directly to check in on them regarding the backlash, but there’s only so much that Tumblr can do after a user has already been threatened for using their product.

“I felt like the sacrificial lamb, because they didn’t announce Post+ beforehand and only gave it to a few people, which landed me in the crosshairs of a very pissed off user base when I’m just trying to pay off medical bills by giving people the option to pay for content,” Kaijuno told TechCrunch. “I knew there’d be some backlash because users hate any sort of change to Tumblr, but I thought that the brunt of the backlash would be at the staff, and that the beta testers would be spared from most of it.”

Why do Tumblr users perceive monetization as such a threat? It’s not a question of whether or not it’s valuable to support creators, but rather, whether Tumblr is capable of hosting such a service. Multiple long-time, avid Tumblr users that spoke to TechCrunch referenced an incident in late 2020 when people’s blogs were being hacked by spam bots that posted incessant advertisements for a Ray-Ban Summer Sale.

“Tumblr is not the most well-coded website. It’s easy to break features,” Kaijuno added. “I think anything involving trusting Tumblr with your financial information would have gotten backlash.”

Tumblr users also worried about the implications Post+ could have on privacy — in the limited beta, Post+ users only have the ability to block people who are subscribed to their blog if they contact Tumblr support. In cases of harassment by a subscriber, this could leave a blogger vulnerable in a potentially dangerous situation.

“Ahead of our launch to all U.S.-based creators this fall, Post+ will allow creators to block subscribers directly,” a Tumblr spokesperson told TechCrunch.

Still, the Extremely Online Gen Z-ers who now make up 48% of Tumblr know that they can’t expect the platform to continue existing if it doesn’t pull in enough money to pay for its staff and server fees. In 2018, Tumblr lost almost one-third of its monthly page views after all NSFW content was banned — since then, the platform’s monthly traffic has remained relatively stagnant.

Image Credits: SimilarWeb

A former Tumblr employee told TechCrunch that the feature that became Post+ started out as a Tip Jar. But higher-ups at Tumblr — who do not work directly with the community — redirected the project to create a paywalled subscription product.

“I think a Tip Jar would be a massive improvement,” said the creator behind the Tumblr blog normal-horoscopes. Through the core audience they developed on Tumblr, they make a living via Patreon, but they don’t find Post+ compelling for their business. “External services [like Patreon] have more options, more benefits, better price points, and as a creator I get to choose how I present them to my audience.”

But a paywalled subscription service is different in the collective eyes of Tumblr. For a site that thrives on fandom, creators that make fan art and fanfiction worry that placing this derivative work behind a paywall — which Post+ encourages them to do — will land them in legal trouble. Even Archive of Our Own, a major fanfiction site, prohibits its users from linking to sites like Patreon or Ko-Fi.

“Built-in monetization attracts businesses, corporate accounts, people who are generally there to make money first and provide content second,” said normal-horoscopes. “It changes the culture of a platform.”

Across Tumblr, upset users are rallying for their followers to take Post+’s feedback survey to express their frustrations. The staff welcomes this.

“As with any new product launch, we expect our users to have a healthy discussion about how the feature will change the dynamics of how people use Tumblr,” a Tumblr spokesperson told TechCrunch. “Not all of this feedback will be positive, and that’s ok. Constructive criticism fuels how we create products and ultimately makes Tumblr a better place.”

Tumblr’s vocal community has been empowered over the years to question whether it’s possible for a platform to establish new revenue streams in a way that feels organic. The protectiveness that Tumblr’s user base feels for the site — despite their lack of faith in staff — sets it apart from social media juggernauts like Facebook, which can put ecommerce front and center without much scrutiny. But even three years after the catastrophic porn ban, it seems hard for Tumblr to grow without alienating the people that make the social network unique.

Platforms like Reddit and Discord have remained afloat by selling digital goods, like coins to reward top posters, or special emojis. Each company’s financial needs are different, but Tumblr’s choice to monetize with Post+ highlights the company’s lack of insight into its own community’s wishes.

#apps, #artist, #automattic, #facebook, #instagram, #neil-gaiman, #operating-systems, #post, #select, #social, #social-media, #social-network, #software, #spokesperson, #tumblr, #twitch, #twitter, #video-hosting, #wordpress, #world-wide-web, #writer, #youtube

A DNS outage just took down a large chunk of the internet

A large chunk of the internet dropped offline on Thursday. Some of the most popular sites, apps and services on the internet were down, including UPS and FedEx (which have since come back online), Airbnb and Fidelity, and users were reporting that Steam, LastPass and the PlayStation Network were all experiencing downtime.

Many other websites around the world are also affected, including media outlets in Europe.

What appears to be the cause is an outage at Akamai, an internet security giant that provides networking and content delivery services to companies. At around 11am ET, Akamai reported an issue with Edge DNS, its authoritative DNS service, which customers use to keep their websites, apps and services reachable and to absorb attacks against their domains.

DNS is the system that turns a hostname into the addresses clients connect to, so a site whose authoritative nameservers stop answering becomes unreachable even though its own servers are healthy. DNS also has a long history of bugs and abuse, from cache poisoning to denial-of-service attacks on nameservers, and companies like Akamai run their own hardened, globally distributed DNS services to take those problems off their customers’ hands. But that concentrates risk: when such a provider has an outage, every customer website and service whose records it serves goes down with it, as soon as resolvers’ cached answers expire.
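The knock-on effect is easy to reason about from the delegation data alone: a zone survives a provider outage only if at least one of its delegated nameservers is run by someone else. The following is an added example, not code from Akamai or any of the affected companies, that computes that dependency for a set of zones and the blast radius of a single provider failing. The zone table, nameserver hostnames and provider names are all constructed; the assumption that the last two labels of a nameserver hostname identify its operator holds for this data but a real audit should map hostnames to operators with the public suffix list or an explicit inventory.

```python
"""Which zones go dark when one authoritative DNS provider stops answering?
Added example; the delegation table below is constructed and does not
describe any real domain or provider."""
from collections import defaultdict

# Constructed: zone -> the NS hostnames delegated for it in the parent zone.
# "self.example" hosts its own nameservers in-bailiwick; it still counts as
# depending on a single operator (itself).
ZONES = {
    "shop.example": ["a1-42.edge-dns.example", "a2-66.edge-dns.example"],
    "bank.example": ["ns1.edge-dns.example", "ns1.other-dns.example"],
    "news.example": ["ns1.other-dns.example", "ns2.other-dns.example"],
    "self.example": ["ns1.self.example", "ns2.self.example"],
}


def provider_of(ns_host: str) -> str:
    """Approximate the operator of a nameserver by its registrable domain.
    Assumption: the last two labels identify the operator (true for the
    constructed data above; use the public suffix list for real zones)."""
    labels = ns_host.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def providers_per_zone(zones: dict) -> dict:
    """zone -> set of distinct operators among its delegated nameservers."""
    return {zone: {provider_of(h) for h in hosts} for zone, hosts in zones.items()}


def single_provider_zones(zones: dict) -> list:
    """Zones whose every nameserver belongs to one operator: the dependency
    that turns that operator's outage into the zone's outage."""
    return sorted(z for z, p in providers_per_zone(zones).items() if len(p) == 1)


def blast_radius(zones: dict, failed_provider: str) -> list:
    """Zones left with no answering nameserver if failed_provider goes down.
    Zones with at least one surviving NS degrade (resolver retries, slower
    lookups) but remain resolvable, so they are not listed."""
    dark = []
    for zone, hosts in zones.items():
        surviving = [h for h in hosts if provider_of(h) != failed_provider]
        if not surviving:
            dark.append(zone)
    return sorted(dark)


def zones_by_provider(zones: dict) -> dict:
    """Inverse index: operator -> zones that delegate at least one NS to it."""
    index = defaultdict(set)
    for zone, hosts in zones.items():
        for h in hosts:
            index[provider_of(h)].add(zone)
    return dict(index)


if __name__ == "__main__":
    print("single-provider zones:", single_provider_zones(ZONES))
    for provider in sorted(zones_by_provider(ZONES)):
        print(f"if {provider} fails, dark:", blast_radius(ZONES, provider))
```

Two caveats when reading the output. Resolvers keep serving a record until its TTL expires, so a zone in the blast radius does not vanish the instant the provider fails; it fades out over the TTL, which is also why recoveries look gradual. And a second provider only helps if it actually holds a current copy of the zone (via AXFR/IXFR or a deployment pipeline that pushes to both), otherwise the surviving nameserver answers with stale or missing records rather than keeping the site up.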

Akamai said it was “actively investigating the issue,” but when reached a spokesperson would not say if its outage was the cause of the disruption to other sites and services that are currently offline. Akamai would not say what caused the issue but that it was already in recovery.

“We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations. We will continue to monitor to ensure that the impact has been fully mitigated,” Akamai told TechCrunch.

It’s not the first time we’ve seen an outage this big. Last year Cloudflare, which also provides networking services to companies around the world, had a similar outage following a bug that caused major sites to stop loading, including Shopify, Discord and Politico. In November, Amazon’s cloud service also stumbled, which prevented it from updating its own status page during the incident. Online workspace startup Notion also had a high-profile outage this year, forcing the company to turn to Twitter to ask for help.

#airbnb, #akamai, #cloudflare, #computing, #dns, #downtime, #europe, #fedex, #internet, #lastpass, #notion, #security, #shopify, #spokesperson, #technology, #twitter

GSA blocks senator from reviewing documents used to approve Zoom for government use

The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.

The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.

Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”

Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization. FedRAMP, a program operated by the GSA, ensures that cloud services comply with a standardized set of security requirements designed to harden the service against some of the most common threats; federal agencies cannot use cloud products that have not been cleared through it.

Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene with a silent update of its own, because the Mac app had installed a local web server that left users exposed even after they uninstalled Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company had long claimed.

Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.

The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.

But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.

“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”

In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.

“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”

The people we spoke with who have first-hand knowledge of the FedRAMP process, either as government employees or at companies going through the certification, described FedRAMP as a comprehensive but by no means exhaustive list of checks that companies must pass to satisfy the federal government’s security requirements.

Others said that the process had its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process was not a complete audit of a product’s source code but akin to a checklist of best practices and meeting compliance requirements. Much of it relies on trusting the vendor, said the person, describing it as “an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by executive action taken by President Biden this week aimed at modernizing and improving the FedRAMP process.

Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.

The people said that companies going through the certification process have to provide highly technical details about the security of their product, which if exposed would almost certainly be damaging to the company. Knowing where security weaknesses might be could tip off cyber-criminals, one of the people said. Companies often spend millions on improving their security ahead of a FedRAMP audit but companies wouldn’t risk going through the certification if they thought their trade secrets would get leaked, they added.

When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.

GSA puts strict controls on who can access a FedRAMP security package. You need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached a GSA spokesperson would not explain how a member of Congress would obtain a company’s FedRAMP security package.

“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:

“GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.”

GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.

Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”

Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.

Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.

#apps, #biden, #biden-administration, #chair, #cloud-computing, #cloud-services, #computing, #congress, #department-of-defense, #executive, #federal-government, #fedramp, #government, #head, #internet, #internet-security, #official, #president, #ron-wyden, #security, #senator, #software, #spokesperson, #technology, #u-s-government, #united-states, #web-conferencing, #zoom

Evernote quietly disappeared from an anti-surveillance lobbying group’s website

In 2013, eight tech companies were accused of funneling their users’ data to the U.S. National Security Agency under the so-called PRISM program, according to highly classified government documents leaked by NSA whistleblower Edward Snowden. Six months later, the tech companies formed a coalition under the name Reform Government Surveillance, which as the name would suggest was to lobby lawmakers for reforms to government surveillance laws.

The idea was simple enough: to call on lawmakers to limit surveillance to targeted threats rather than conduct a dragnet collection of Americans’ private data, provide greater oversight and allow companies to be more transparent about the kinds of secret orders for user data that they receive.

Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, Yahoo and AOL (to later become Verizon Media, which owns TechCrunch — for now) were the founding members of Reform Government Surveillance, or RGS, and over the years added Amazon, Dropbox, Evernote, Snap and Zoom as members.

But then sometime in June 2019, Evernote quietly disappeared from the RGS website without warning. What’s even more strange is that nobody noticed for two years, not even Evernote.

“We hadn’t realized our logo had been removed from the Reform Government Surveillance website,” said an Evernote spokesperson, when reached for comment by TechCrunch. “We are still members.”

Evernote joined the coalition in October 2014, a year and a half after PRISM first came to public light, even though the company was never named in the leaked Snowden documents. Still, Evernote was a powerful ally to have onboard, and showed RGS that its support for reforming government surveillance laws was gaining traction outside of the companies named in the leaked NSA files. Evernote cites its membership of RGS in its most recent transparency report and that it supports efforts to “reform practices and laws regulating government surveillance of individuals and access to their information” — which makes its disappearance from the RGS website all the more bizarre.

TechCrunch also asked the other companies in the RGS coalition if they knew why Evernote was removed and all either didn’t respond, wouldn’t comment or had no idea. A spokesperson for one of the RGS companies said they weren’t all that surprised since companies “drop in and out of trade associations.”

The website of the Reform Government Surveillance coalition, which features Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Snap, Twitter, Verizon Media and Zoom, but not Evernote, which is also a member. Image Credits: TechCrunch

While that may be true (companies often sign on to lobbying efforts that ultimately help their businesses), government surveillance is one of those rare thorny issues that got some of the biggest names in Silicon Valley rallying behind the cause. After all, few tech companies have openly and actively advocated for an increase in government surveillance of their users, since it’s the users themselves who are asking for more privacy baked into the services they use.

In the end, the reason for Evernote’s removal seems remarkably benign.

“Evernote has been a longtime member — but they were less active over the last couple of years, so we removed them from the website,” said an email from Monument Advocacy, a Washington, D.C. lobbying firm that represents RGS. “Your inquiry has helped to prompt new conversations between our organizations and we’re looking forward to working together more in the future.”

Monument has been involved with RGS since near the beginning after it was hired by the RGS coalition of companies to lobby for changes to surveillance laws in Congress. Monument has spent $2.2 million in lobbying to date since it began work with RGS in 2014, according to OpenSecrets, specifically on lobbying lawmakers to push for changes to bills under congressional consideration, such as changes to the Patriot Act and the Foreign Intelligence Surveillance Act, or FISA, albeit with mixed success. RGS supported the USA Freedom Act, a bill designed to curtail some of the NSA’s collection under the Patriot Act, but was unsuccessful in its opposition to the reauthorization of Section 702 of FISA, the powers that allow the NSA to collect intelligence on foreigners living outside the United States, which was reauthorized for six years in 2018.

RGS has been largely quiet for the past year — issuing just one statement on the importance of transatlantic data flows, the most recent hot-button issue to concern tech companies, fearing that anything other than the legal status quo could see vast swaths of their users in Europe cut off from their services.

“RGS companies are committed to protecting the privacy of those who use our services, and to safeguard personal data,” said the statement, which included the logos of Amazon, Apple, Dropbox, Facebook, Google, Microsoft, Snap, Twitter, Verizon Media and Zoom, but not Evernote.

In a coalition that’s only as strong as its members, the decision to remove Evernote from the website while it’s still a member hardly sends a resounding message of collective corporate unity — which these days isn’t something Big Tech can find much of.


The Accellion data breach continues to get messier

Morgan Stanley has joined the growing list of Accellion hack victims — more than six months after attackers first breached the vendor’s 20-year-old file-sharing product. 

The investment banking firm — which is no stranger to data breaches — confirmed in a letter this week that attackers stole personal information belonging to its customers by hacking into the Accellion FTA server of its third-party vendor, Guidehouse. In a letter sent to those affected, first reported by Bleeping Computer, Morgan Stanley admitted that threat actors stole an unknown number of documents containing customers’ addresses and Social Security numbers.

The documents were encrypted, but the letter said that the hackers also obtained the decryption key, though Morgan Stanley said the files did not contain passwords that could be used to access customers’ financial accounts.

“The protection of client data is of the utmost importance and is something we take very seriously,” a Morgan Stanley spokesperson told TechCrunch. “We are in close contact with Guidehouse and are taking steps to mitigate potential risks to clients.”

Just days before news of the Morgan Stanley data breach came to light, an Arkansas-based healthcare provider confirmed it had also suffered a data breach as a result of the Accellion attack. Just weeks before that, so did UC Berkeley. While data breaches tend to grow past initially reported figures, the fact that organizations are still coming out as Accellion victims more than six months later shows that the business software provider still hasn’t managed to get a handle on it.

The cyberattack was first uncovered on December 23, and Accellion initially claimed the FTA vulnerability was patched within 72 hours before it was later forced to explain that new vulnerabilities were discovered. Accellion’s next (and final) update came in March, when the company claimed that all known FTA vulnerabilities — which authorities say were exploited by the FIN11 and the Clop ransomware gang — have been remediated.

But incident responders said Accellion’s response to the incident wasn’t as smooth as the company let on, claiming the company was slow to raise the alarm in regards to the potential danger to FTA customers.

The Reserve Bank of New Zealand, for example, raised concerns about the timeliness of alerts it received from Accellion. In a statement, the bank said it was reliant on Accellion to alert it to any vulnerabilities in the system — but never received any warnings in December or January.

“In this instance, their notifications to us did not leave their system and hence did not reach the Reserve Bank in advance of the breach. We received no advance warning,” said RBNZ governor Adrian Orr.

This, according to a discovery made by KPMG International, was due to the fact that the email tool used by Accellion failed to work: “Software updates to address the issue were released by the vendor in December 2020 soon after it discovered the vulnerability. The email tool used by the vendor, however, failed to send the email notifications and consequently the Bank was not notified until 6 January 2021,” KPMG’s assessment said.

“We have not sighted evidence that the vendor informed the Bank that the System vulnerability was being actively exploited at other customers. This information, if provided in a timely manner is highly likely to have significantly influenced key decisions that were being made by the Bank at the time.”

In March, back when it was releasing updates about the ongoing breach, Accellion was keen to emphasize that it was planning to retire the 20-year-old FTA product in April and that it had been working for three years to transition clients onto its new platform, Kiteworks. A press release from the company in May says 75% of Accellion customers have already migrated to Kiteworks, a figure that also highlights the fact that 25% are still clinging to its now-retired FTA product. 

This, along with Accellion now taking a more hands-off approach to the incident, means that the list of victims could keep growing. It’s currently unclear how many the attack has claimed so far, though recent tallies put the list at around 300. This list includes Qualys, Bombardier, Shell, Singtel, the University of Colorado, the University of California, Transport for New South Wales, Office of the Washington State Auditor, grocery giant Kroger and law firm Jones Day.

“When a patch is issued for software that has been actively exploited, simply patching the software and moving on isn’t the best path,” Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, told TechCrunch. “Since the goal of patch management is protecting systems from compromise, patch management strategies should include reviews for indications of previous compromise.”

Accellion declined to comment.


Indian tech startup exposed Byju’s student data

India-based technology startup Salesken.ai has secured an exposed server that was spilling private and sensitive data on one of its customers, Byju’s, an education technology giant and India’s most valuable startup.

The server was left unprotected since at least June 14, according to historical data provided by Shodan, a search engine for exposed devices and databases. Because the server was without a password, anyone could access the data inside. Security researcher Anurag Sen found the exposed server, and asked TechCrunch for help in reporting it to the company.

The server was pulled offline a short time after we contacted Salesken.ai on Tuesday.

Salesken.ai provides customer relationship technology to companies like Byju’s to engage better with customers. The Bengaluru-based startup raised $8 million in Series A funding from Sequoia Capital India in 2020, two years after the company was founded.

Much of the data contained on the exposed server pertained to WhiteHat Jr., an online coding school for students in India and the U.S., which Byju’s bought for $300 million in 2020. Byju’s is currently valued at more than $16 billion after raising $1.5 billion earlier this year.

The server contained the names and classes taken by students and email addresses and phone numbers of parents and teachers. The server also contained other data related to students, such as chat logs between parents — identified by their phone number — and WhiteHat Jr. staff, as well as comments recorded by teachers about their students.

The server also contained copies of emails containing codes to reset user accounts and other internal Salesken.ai data.

Surga Thilakan, co-founder and chief executive at Salesken.ai, told TechCrunch the startup was “evaluating” the security incident but did not dispute what kind of data was found on the exposed server.

“Our assessment suggests the exposed device appears to be a non-production, staging instance of one of our integration services having access to less than 1% of India based end-of-life sales logs for a fortnight,” said Thilakan. “Salesken.ai follows stringent data security norms and is certified under the highest standards of global security and safety. We have, in an abundance of caution, immediately severed access to the cloud device.”

Thilakan did not respond to a follow-up email from TechCrunch asking why real user data was stored in what the company claims is a “non-production, staging” server. The company also would not say if it has logs or any evidence to determine if data was accessed or downloaded as a result of the security lapse.

WhiteHat Jr. spokesperson Sameer Bajaj said the company is “currently communicating with Salesken.ai about the incident and will take appropriate action in accordance with our rigorous security policies.”


On TikTok, Black creators’ dance strike calls out creative exploitation

There’s a new Megan Thee Stallion music video out in time for triple digit temperatures. But instead of launching a fresh viral TikTok dance for summer, the single inspired an informal protest among Black creators tired of thanklessly launching trends into the social media stratosphere.

With the release of the video for “Thot Shit,” some Black TikTok creators began calling attention to that exploitation this week, inspiring others to refuse to choreograph a dance to the hit song. The idea behind the movement is that Black artists on the platform create a disproportionate amount of content and culture — much of which is re-packaged and monetized by popular white creators and culture at large.

The song choice probably isn’t a coincidence. The Megan Thee Stallion video is both a playful but important paean to essential workers — twerking grocery, food service and sanitation workers, in this case — and a biting commentary on the wealthy white establishment that exploits their labor without thinking twice.

The “strike” doesn’t have creators leaving the platform or even staying off of the app. Instead, Black creators who might normally contribute dances for the hot new song are sitting back and pointing to what happens when they’re not around. (Predictably: not a lot.)

On the sound’s page, some videos tease choreography but pivot into a statement about how Black creators don’t get their due on the app. In other videos, Black creators watch on in horror at awkward dance attempts failing to fill the void or laugh about how the song’s lyrics are instructional but non-Black TikTok still can’t figure it out. The eminently danceable “Thot shit” could build into Megan Thee Stallion’s biggest hit yet, but just looking on TikTok you wouldn’t know it.

When reached for comment on the phenomenon, TikTok praised Black creators as a “critical and vibrant” part of the community. “We care deeply about the experience of Black creators on our platform and we continue to work every day to create a supportive environment for our community while also instilling a culture where honoring and crediting creators for their creative contributions is the norm,” a TikTok spokesperson said.

Many TikTok accounts participating in the strike cite a recent explosion of white TikTokkers lip-syncing obliviously to a clip of Nicki Minaj’s 2016 song “Black Barbies” that specifically praises Black bodies (“I’m a fucking Black Barbie/Pretty face, perfect body…”). White TikTok inexplicably flocked to the sound, boosting its popularity and crowding out Black creators.

The episode is the latest beat in the ongoing conversation over who gets to cash in on the wellspring of creativity that pours out of a platform like TikTok. More broadly, some creators believe that TikTok’s economics are stacked against them, even compared to other major platforms like YouTube.

Black dancers on TikTok have long been left in the cold when their original moves explode and are picked up by non-Black creators, who also pick up the credit along the way. For Black creators tired of seeing their work appropriated, collectively refusing to gift the world a hot new TikTok dance is certainly one way to show just how vital they are to the online ecosystem — something even a quick glance at the desolate “Thot Shit” sound makes abundantly clear.
