Government

Auto Added by WPeMatico

How Have I Been Pwned became the keeper of the internet’s biggest data breaches

When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?

Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is more clear.

“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”

What started out as Hunt’s pet project to learn the basics of Microsoft’s cloud, Have I Been Pwned quickly exploded in popularity, driven in part by its simplicity to use, but largely by individuals’ curiosity.

As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.

But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.

As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.

Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.

‘Mother of all breaches’

Even long before Have I Been Pwned, Hunt was no stranger to data breaches.

By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.

Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.

Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.

And Have I Been Pwned was born.

It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.

As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.

Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.

His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.

In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.

The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)

Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.

“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”

Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.

“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.

“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.

The Ashely Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.

“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.

“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”

But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, allowing users to search to see if any of their passwords have also landed in Have I Been Pwned.

Anyone — even tech companies — can access that trove of Pwned Passwords, he calls it. Browser makers and password managers, like Mozilla and 1Password, have baked-in access to Pwned Passwords to help prevent users from using a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, which Hunt also offers for free.

“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much,” he said.

“There have been similar services that have popped up. They’ve been for-profit — and they’ve been indicted.”
Troy Hunt

Hunt recognizes that Have I Been Pwned, as much as openness and transparency is core to its operation, lives in an online purgatory under which any other circumstances — especially in a commercial enterprise — he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.

“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.

Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.

“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.

LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.

“There is a very legitimate case to be made for a service to give people access to their data at a price.”

Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.

Project Svalbard

Five years into Have I Been Pwned, Hunt could feel the burnout coming.

“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”

He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.

The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norweigian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.

Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money

As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”

By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.

But chief above all, the buyer had to be the perfect fit.

Hunt met with dozens of potential buyers, and many in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whomever bought Have I Been Pwned upheld its reputation.

“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.

Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.

Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)

The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”

Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”

“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.

Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.

After a bruising year for his future and his personal life, Hunt took time to recoup, clambering for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.

Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.

In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.

“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.

Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.

“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”

He laughed. “It still surprises me the places that I turn up.”

Related stories:

Powered by WPeMatico

Police roll up crime networks in Europe after infiltrating popular encrypted chat app

Hundreds of alleged drug dealers and other criminals are in custody today after police in Europe infiltrated an encrypted chat system reportedly used by thousands to discuss illegal operations. The total failure of this ostensibly secure method of communication will likely have a chilling effect on the shadowy industry of crime-focused tech.

“Operation Venetic” was reported by various police agencies, major local news outlets, and by Motherboard in especially vibrant form, quoting extensively people apparently from within the groups affected.

The operation involved hundreds of officers working across numerous agencies in France, the Netherlands, the U.K., and other countries. It began in 2017, and culminated two months ago when a service called EncroChat was hacked and the messages of tens of thousands of users exposed to police scrutiny.

EncroChat is a step up in some ways from encrypted chat apps like Signal and WhatsApp. Rather like Blackberry once did, EncroChat provided customized hardware, a dedicated OS, and its own servers to users, providing an expensive service costing thousands per year rather than a one-time purchase or download.

Messages on the service were supposedly very secure and had deniability built in by letting conversations be edited later — so theoretically a user could claim after the fact they never said something. Motherboard’s Joseph Cox has been following the company for some time and has far more details on its claims and operations.

Image Credits: EncroChat /

Needless to say those claims were not entirely true, as at some point in early 2020 police managed to introduce malware into the EncroChat system that completely exposed the conversations and images of its users. Because of the trusted nature of the app, people would openly discuss drug deals, murders, and other crimes, making them sitting ducks for law enforcement.

Throughout the spring criminal operations were being cracked open with alarming (to them) regularity, but it wasn’t until May that users and EncroChat managed to put the pieces together. The company attempted to warn its users and issue an update, but the cat was out of the bag. Seeing that its operation was now exposed, the Operation Venetic teams struck.

Arrests across the several countries involved (there were numerous sub-operations but France and the Netherlands were the primary investigators) total near a thousand, but exact numbers are not clear. Dozens of guns, tons (metric, naturally) of drugs and the equivalent of tens of millions of dollars in cash were seized. More importantly, the chat logs seem to have provided access to people higher up the food chain than ordinary busts would have.

That the reportedly most popular of encrypted chat companies focused on illegal activities could be so completely subverted by international authorities will likely put a damper on its competition. But like other, more domestic challenges to encryption, such as the perennial complaints by the FBI, this event is more likely to strengthen the tools in the long run.

Powered by WPeMatico

Dear Sophie: Is immigration happening? Who can I hire?

Sophie Alcorn
Contributor

Sophie Alcorn is the founder of Alcorn Immigration Law in Silicon Valley and 2019 Global Law Experts Awards’ “Law Firm of the Year in California for Entrepreneur Immigration Services.” She connects people with the businesses and opportunities that expand their lives.

Here’s another edition of “Dear Sophie,” the advice column that answers immigration-related questions about working at technology companies.

“Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,” says Sophie Alcorn, a Silicon Valley immigration attorney. “Whether you’re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.”

“Dear Sophie” columns are accessible for Extra Crunch subscribers; use promo code ALCORN to purchase a one- or two-year subscription for 50% off.


Dear Sophie:

What is going on with recent USCIS furloughs and Trump’s H-1B ban?

I handle recruitment for several tech companies. Is immigration happening? Who can I hire?

—Frustrated in Fremont

Dear Fremont:

Immigration is still possible and I will explain how below. The administration continues to miss the mark with immigration policy. Trump’s U.S. unemployment “solution” of cutting off the stream of global talent to the U.S. is short-sighted. The administration is shooting America in the foot by walling off the promise of post-COVID economic revitalization and job-creation for Americans through the talent of immigrant entrepreneurs, investors and talent.

USCIS just provided a 30-day furlough notice to more than 70% of its employees. Reporters have been reaching out to me every day requesting stories of affected immigrants and HR professionals; please sign up to share your immigration story with journalists.

Powered by WPeMatico

Four views: How will the work visa ban affect tech and which changes will last?

The Trump administration’s decision to extend its ban on issuing work visas to the end of this year “would be a blow to very early-stage tech companies trying to get off the ground,” Silicon Valley immigration lawyer Sophie Alcorn told TechCrunch this week.

In 2019, the federal government issued more than 188,000 H-1B visas — thousands of workers who live in the San Francisco Bay Area and other startup hubs hold H-1B and H-2B visas or J and L visas, which are explicitly prohibited under the president’s ban. Normally, the government would process tens of thousands of visa applications and renewals in October at the start of its fiscal year, but the executive order all but guarantees new visas won’t be granted until 2021.

Four TechCrunch staffers analyzed the president’s move in an attempt to see what it portends for the tech industry, the U.S. economy and our national image:

Danny Crichton: Trump’s ban is a “self-inflicted” blow to our precarious economy

America’s economic supremacy is increasingly precarious.

Outsourcing and offshoring led to a generational loss of manufacturing skills, management incompetence killed off many of the country’s leading businesses and the nation now competes directly with China and other countries in critical emerging industries like 5G, artificial intelligence and the other alphabet soup of technological acronyms.

We have one thing going for us that no other country can rival: our ability to attract top talent. No other country hosts more immigrants, nor does any other country capture the imagination of a greater portion of the world’s top minds. America — whether Silicon Valley, Wall Street, Hollywood, Harvard Square or anywhere in between — is where smart people congregate.

Or at least, it was.

The coronavirus was the first major blow, partially self-inflicted. Remote work pushed employers toward keeping workers where they are (both domestically and overseas) rather than centralizing them in a handful of corporate HQs. Meanwhile, students — the first step for many talented workers to enter the United States — are taking a pause, fearing renewed outbreaks of COVID-19 in America while much of the rest of the developed world reopens with few cases.

The second blow was entirely self-inflicted. Earlier this week, President Donald Trump announced that his administration would halt processing critical worker visas like the H-1B due to the current state of the American economy.

Powered by WPeMatico

Volcker Rule reforms expand options for raising VC funds

It’s time to put on our thinking caps so we can discuss an esoteric but important policy change and how it is going to impact the VC world.

The 2008 financial crisis devastated the global economy. One of the reforms that came from the detritus of that situation was a policy known as the Volcker Rule.

The rule, proposed by former Fed chairman Paul Volcker and passed into law with the Dodd-Frank Act, was designed to limit the ways that banks could invest their balance sheets to avoid the kind of cataclysmic systemic risks that the world witnessed during the crisis. Many banks faced a liquidity crunch after investing in mortgage-backed securities (MBSs), collateralized debt obligations (CDOs), and other even more arcane speculative financial instruments (like POGs, or Piles Of Garbage) in seeking profits.

A number of reforms are underway to the Volcker Rule, which has been a domestic regulatory priority for the Trump administration since Inauguration Day.

One of the unintended consequences of the rule is that it limited banks from investing in certain “covered funds,” which was written broadly enough that it, well, covered VC firms as well as hedge funds and other private equity vehicles. Reforms to that policy (and to the rule in general) have been proposed for a decade with little traction until recently.

Now, a number of reforms are underway to the Volcker Rule, which has been a domestic regulatory priority for the Trump administration since Inauguration Day.

First, a simplification to some of the rule’s regulations was passed late last year and went into effect in January. Now, a final rule to reform the Volcker Rule’s applications to VC firms, among other issues, was agreed to by a group of U.S. regulatory agencies, and will go into effect later this year.

Powered by WPeMatico

China’s GPS competitor is now fully launched

For decades, the United States has had a monopoly on positioning, navigation and timing technology with its Global Positioning System (GPS), a constellation of satellites operated by the military that today provides the backbone for location on billions of devices worldwide.

As those technologies have become not just key to military maneuvers but the very foundation of modern economies, more and more governments around the world have sought ways to decouple from usage of the U.S.-centric system. Russia, Japan, India, the United Kingdom and the European Union have all made forays to build out alternatives to GPS, or at least, to augment the system with additional satellites for better coverage.

Few countries, though, have made the investment that China has made into its Beidou (北斗) GPS alternative. Over 20 years, the country has spent billions of dollars and launched nearly three dozen satellites to create a completely separate system for positioning. According to Chinese state media, nearly 70% of all Chinese handsets are capable of processing signals from Beidou satellites.

Now, the final puzzle piece is in place, as the last satellite in the Beidou constellation was launched Tuesday morning into orbit, according to the People’s Daily.

It’s just another note in the continuing decoupling of the United States and China, where relations have deteriorated over differences of market access and human rights. Trade talks between the two countries have reached a standstill, with one senior Trump administration advisor calling them off entirely. The announcement of a pause in new issuances of H-1B visas is also telling, as China is the source of the second largest number of petitions, according to USCIS, the country’s immigration agency.

While the completion of the current plan for Beidou offers Beijing new flexibility and resiliency for this critical technology, ultimately, positioning technologies are mostly not adversarial — additional satellites can offer more redundancy to all users, and many of these technologies have the potential to coordinate with each other, offering more flexibility to handset manufacturers.

Nonetheless, GPS spoofing and general hacking of positioning technologies remains a serious threat. Earlier this year, the Trump administration published a new executive order that would force government agencies to develop more robust tools to ensure that GPS signals are protected from hacking.

Given how much of global logistics and our daily lives are controlled by these technologies, further international cooperation around protecting these vital assets seems necessary. Now that China has its own fully working system, they have an incentive to protect their own infrastructure as much as the United States does to continue to provide GPS and positioning more broadly to the highest standards of reliability.

Powered by WPeMatico

How will EC plans to reboot rules for digital services impact startups?

A framework for ensuring fairness in digital marketplaces and tackling abusive behavior online is brewing in Europe, fed by a smorgasbord of issues and ideas, from online safety and the spread of disinformation, to platform accountability, data portability and the fair functioning of digital markets.

European Commission lawmakers are even turning their eye to labor rights, spurred by regional concern over unfair conditions for platform workers.

On the content side, the core question is how to balance individual freedom of expression online against threats to public discourse, safety and democracy from illegal or junk content that can be deployed cheaply, anonymously and at massive scale to pollute genuine public debate.

The age-old conviction that the cure for bad speech is more speech can stumble in the face of such scale. While illegal or harmful content can be a money spinner, outrage-driven engagement is an economic incentive that often gets overlooked or edited out of this policy debate.

Certainly the platform giants — whose business models depend on background data-mining of internet users in order to program their content-sorting and behavioral ad-targeting (activity that, notably, remains under regulatory scrutiny in relation to EU data protection law) — prefer to frame what’s at stake as a matter of free speech, rather than bad business models.

But with EU lawmakers opening a wide-ranging consultation about the future of digital regulation, there’s a chance for broader perspectives on platform power to shape the next decades online, and much more besides.

In search of cutting-edge standards

For the past two decades, the EU’s legal framework for regulating digital services has been the e-commerce Directive — a cornerstone law that harmonizes basic principles and bakes in liabilities exemptions, greasing the groove of cross-border e-commerce.

In recent years, the Commission has supplemented this by applying pressure on big platforms to self-regulate certain types of content, via a voluntary Code of Conduct on illegal hate speech takedowns — and another on disinformation. However, the codes lack legal bite and lawmakers continue to chastise platforms for not doing enough nor being transparent enough about what they are doing.

Powered by WPeMatico

5 resources Black entrepreneurs can leverage to build and grow

Delali Dzirasa
Contributor

Delali Dzirasa is CEO and founder of Fearless, a full-stack digital services firm in Baltimore, MD with a mission to create software with a soul — tools that empower communities and make a difference.

Building a business is hard; about 50% of businesses fail in the first five years. The early years of an entrepreneur’s journey can be difficult and lonely. When starting my digital services firm Fearless, I convinced my wife to rent out our home and move in with my mother so we could have an extra income while I built Fearless in my mother’s basement.

That was 10 years ago — Fearless now has over 115 employees.

That story of struggling to build a tech company and working out of a basement or garage until you “make it” is pretty common, but the barriers facing Black entrepreneurs make it harder to find success and support.

Research by the University of California, Santa Cruz states that minority-owned startups have access to less capital than their white counterparts. The right investors can offer more than just funding to early-stage companies; the connections those in the venture capitalist world have can bring an entrepreneur the new business, mentorship and employees needed to grow.

Venture capital firms like Harlem Capital and Black Angel Tech Fund are focused on changing the faces of entrepreneurship by diversifying their portfolio, but traditional venture capitalist funding is not the only way to grow your business.

There are other avenues and opportunities to get the support, financial and otherwise, to help build a successful company:

Equity crowdfunding: Similar to crowdfunding campaigns like GoFundMe or Kickstarter, equity crowdfunding allows nontraditional investors to support businesses and receive equity. Enabled through Title III of the 2012 JOBS Act’s Regulation CF, equity crowdfunding allows all companies to sell securities, whether in the form of equity in the company, debt, revenue shares, convertible notes and more. Equity crowdfunding platforms include WeFunder and LocalStake.

Mentor programs: Fearless was lucky enough to be accepted into the DoD Mentor-Protégé program early in our growth. As the oldest continuously operating federal mentor-protégé program in existence, the DoD program helped us establish and expand our footprint in the federal government contracting space. NewMe and Black Girl Ventures are two programs that specialize in mentorship for early-stage companies.

Become 8(a) certified: The federal government has a goal of awarding at least 5% of all federal contracting dollars to small, disadvantaged businesses each year. These businesses fall under the 8(a) classification. To qualify for the program, you must be a small business with 51% of ownership and control from U.S. citizens who are economically and socially disadvantaged and the owner’s adjusted gross income for three years is $250,000 or less.

The full definition of what counts as being economically and socially disadvantaged can be found in Title 13 Part 124 of the Code of Federal Regulations. Fearless has been classified as an 8(a) company for several years and we have been able to secure several contracts through the certification.

Tap into Small Business Administration resources: More than a million users visit SBA.gov to utilize tools like the SBA Business Guide and Lender Match site. By using the SBA website and reaching out to your local SBA office, you can make full use of the programs available and connect with business owners who can offer advice and mentorship.

Identify supportive bankers: Your business is your top priority and the people you engage with should view your company as a priority too. You need someone vested in your success who will advocate for you when you need them. If you meet with a banker and get a sense that you would be an account number instead of a person, then find another one. If you don’t have your banker’s personal cell phone number, and they aren’t willing to visit you at your business, then take a pass and find a true partner who supports you.

A call to action for business owners

I am putting the call out to business owners and entrepreneurs who are further along in their journey to mentor and invest in Black-owned businesses. Think back on the support you received, and be that model for someone else. Or be the mentor that you wished you had when you were starting out. Take time to invest in other Black-owned tech companies or fund the programs that do. Share your knowledge and experience with Black tech leaders.

If there isn’t a resource hub for Black entrepreneurs in your city, create one. Fearless is a small company and we have still managed to help 13 new companies get off the ground through our accelerator program, Hutch.

Hutch is an intensive 12-month program that gives entrepreneurs a blueprint for building successful digital service firms, by empowering them with the tools, mentorship and peer support they need to have a lasting impact. We think of this program kind of like a home base for our entrepreneurs, providing them with a foundation of support so they can grow without getting lost amongst bigger companies in the industry.

Help create the spaces in your community that will foster innovation and business growth.

Powered by WPeMatico

Marietje Schaake is ‘very concerned about the future of democracy’

Scott Bade
Contributor

Scott Bade is a former speechwriter for Mike Bloomberg and co-author of “More Human: Designing a World Where People Come First.”

In the ten years she spent as a member of the European Parliament, Marietje Schaake became one of Brussels’ leading voices on technology policy issues.

A Dutch politician from the centrist-liberal Democrats 66 party, Schaake has been called “Europe’s most wired” politician. Since stepping down at the last European Parliament elections in 2019, she has doubled down with her work on cyber policy, becoming president of the CyberPeace Institute in Geneva and moving to the heart of Silicon Valley, where she has joined Stanford University as both the International Director of Policy at Stanford’s Cyber Policy Center, as well as an International Policy Fellow at its Institute for Human-Centered Artificial Intelligence.

I spoke with her about her top cyber policy concerns, the prospects of greater U.S.-EU cooperation on technology and much more.

Can you tell me about your journey from MEP in Brussels to think tank in academia?

There were a variety of reasons why I thought a third term was not the best thing for me to do. I started thinking about what would be a good way to continue, focusing on the fight for justice, for universal human rights and increasingly for the rule of law. A number of academic institutions, especially in the U.S. reached out, and we started a conversation about what the options might be, what I thought would be worthwhile. [My goal] was to understand where tech is going and what does it mean for society, for democracy, for human rights and the rule of law? But also how do the politics of Silicon Valley work?

I feel like there’s a huge opportunity, if not to say gap, on the West Coast when it comes to a policy shop — both to scrutinize policy that the companies are making and to look at what government is doing because Sacramento is super interesting. 

So from a policy perspective, what areas of tech are you thinking about most?

I’m very concerned about the future of democracy in the broadest sense of the word. I feel like we need to understand better how the architecture of information flows and how it impacts our offline democratic world. The more people get steered in a certain direction, the more the foundations of actual liberalism and liberal democracy are challenged. And I feel like we just don’t look at that enough.

Powered by WPeMatico

Free money for startups? It’s possible with MainStreet’s platform for economic development incentives

Startups need money. State and local governments need startups and the employment growth they offer. It should be obvious that the two groups can work together and make each other happy. Unfortunately, nothing could be further from the truth.

Each year, governments spend tens of billions of dollars on economic development incentives designed to attract employers and jobs to their communities. There are a huge number of challenges, however, for startups and individual contributors trying to apply for these programs.

First, economic development leaders typically focus on massive, flagship projects that are splashy and will drive the news cycle and bring good media attention to their elected official bosses. So, for example, you get a massive, $10 billion Foxconn plant in Wisconsin tied to hundreds of millions of incentives, only to see the project sputter into the ground.

Then there is the paperwork. As you’d expect with any government application process, it can be arduous to find the right incentive programs, apply for credits at the right time and max out the opportunities available.

That’s where MainStreet comes in.

Its CEO and founder Doug Ludlow’s third company. He previously founded Hipster, which sold to AOL, and The Happy Home Company, which sold to Google. After that transaction, Ludlow went on to become chief of staff for SMB ads at the tech giant, where he saw firsthand the challenges that startups and all small companies face in growing outside of major urban hubs like San Francisco.

When he and his co-founders Dan Lindquist and Daniel Griffin first started, they were focused on what Ludlow described as “a network of remote work hubs.” As they were experimenting last November they tried paying people to leave the Bay Area, offering them $10,000 if they moved to other cities. The offer caused a sensation, with outlets like CNN covering the news.

While the interest from customers was great, what ignited Ludlow and his co-founders’ passions was that “literally dozens of cities, states and counties reached out, letting us know that they had an incentive program.” As the team explored further, they realized there was a huge untapped opportunity to connect startups to these preexisting programs.

MainStreet was born, and it’s an idea that has also attracted the attention of investors. The company announced today that it raised a $2.3 million round from Gradient Ventures, Weekend Fund and others.

Startups apply for economic incentives through MainStreet’s platform, and then MainStreet takes a 20% cut of any successful application. Notably, that cut is only taken when the incentive is actually disbursed (there’s no upfront cost), and there is also no on-going subscription fee to use the platform. “If you identify the credit that you’re able to use six months from now, we will charge you six months from now, when you’re actually getting that credit. It seems to be a business model that is aligned well with founders,” Ludlow said.

Right now, he says that the average MainStreet client saves $51,000, and that MainStreet has crossed the $1 million ARR run rate threshold.

Right now, the company’s core clientele are startups applying for payroll credits and research and development credits, but Ludlow says that MainStreet is working to expand beyond its tech roots to all small businesses such as restaurants. The company also wants to expand the number of economic development programs that startups can apply for. Given the myriad of governments and programs, there are hundreds if not thousands of more programs to onboard onto the platform.

MainStreet’s team. Image Credits: MainStreet

While MainStreet is helping startups and small businesses, it also wants to help governments improve their operations around economic development. With MainStreet, “we can report back to cities and states showing exactly what their tax dollars or tax credits are being utilized for,” Ludlow said. “So the accountability is orders of magnitude greater than they had before. So already, there’s this better system for tracking the success of incentives.”

The big question for MainStreet this year is navigating the crisis around the COVID-19 pandemic. While more small businesses than ever need help navigating credits, state and local governments have suffered huge shortfalls in revenues as taxes have dried up and Washington continues to debate over what, if any aid, to offer. There’s no money for economic development, yet, economic development has never been more important than right now.

Ultimately, MainStreet is pushing the vanguard of economic development thinking forward away from massive checks designed to underwrite industrial factories to a more flexible and dynamic model of incentivizing knowledge workers to move to areas outside the major global cities. It’s an interesting bet, and one that, at the very least, will help many startups get the economic incentives they rightly have access to.

Outside of Gradient and Weekend Fund, Shrug Capital, SV Angel, Remote First Capital, Basement Fund, Basecamp Ventures, Backend Capital and a host of angels participated in the round.

Powered by WPeMatico