privacy
Auto Added by WPeMatico
Auto Added by WPeMatico
Apple has disabled the Apple Watch Walkie Talkie app due to an unspecified vulnerability that could allow a person to listen to another customer’s iPhone without consent, the company told TechCrunch this evening.
Apple has apologized for the bug and for the inconvenience of being unable to use the feature while a fix is made.
The Walkie Talkie app on Apple Watch allows two users who have accepted an invite from each other to receive audio chats via a “push to talk” interface reminiscent of the PTT buttons on older cell phones.
A statement from Apple reads:
We were just made aware of a vulnerability related to the Walkie-Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue. We apologize to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously. We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologize again for this issue and the inconvenience.
Apple was alerted to the bug via its report a vulnerability portal directly and says there is no current evidence that it was exploited in the wild.
The company is temporarily disabling the feature entirely until a fix can be made and rolled out to devices. The Walkie Talkie App will remain installed on devices, but will not function until it has been updated with the fix.
Earlier this year a bug was discovered in the group calling feature of FaceTime that allowed people to listen in before a call was accepted. It turned out that the teen who discovered the bug, Grant Thompson, had attempted to contact Apple about the issue but was unable to get a response. Apple fixed the bug and eventually rewarded Thompson a bug bounty. This time around, Apple appears to be listening more closely to the reports that come in via its vulnerability tips line and has disabled the feature.
Earlier today, Apple quietly pushed a Mac update to remove a feature of the Zoom conference app that allowed it to work around Mac restrictions to provide a smoother call initiation experience — but that also allowed emails and websites to add a user to an active video call without their permission.
Powered by WPeMatico
In 2017 — for the first time in over a decade — a computer worm ran rampage across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.
The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage to a bitcoin payment.
Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.
Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.
British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.
As long as the kill switch remains online, no computer infected with WannaCry would have its files encrypted.
But the attack was far from over.
In the days following, the researchers were attacked from an angry botnet operator pummeling the domain with junk traffic to try to knock it offline and two of their servers were seized by police in France thinking they were contributing to the spread of the ransomware.
Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.
Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.
Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.
CISOs and CSOs take note: here’s what you need to know.
Powered by WPeMatico
The UK government has announced the next phase of a review of the law around the making and sharing of non-consensual intimate images, with ministers saying they want to ensure it keeps pace with evolving digital tech trends.
The review is being initiated in response to concerns that abusive and offensive communications are on the rise, as a result of it becoming easier to create and distribute sexual images of people online without their permission.
Among the issues the Law Commission will consider are so-called ‘revenge porn’, where intimate images of a person are shared without their consent; deepfaked porn, which refers to superimposing a real photograph of a person’s face onto a pornographic image or video without their consent; and cyber flashing, the unpleasant practice of sending unsolicited sexual images to a person’s phone by exploiting technologies such as Bluetooth that allow for proximity-based file sharing.
On the latter practice, the screengrab below is of one of two unsolicited messages I received as pop-ups on my phone in the space of a few seconds while waiting at a UK airport gate — and before I’d had a chance to locate the iOS master setting that actually nixes Bluetooth.
On iOS, even without accepting the AirDrop the cyberflasher is still able to send an unsolicited placeholder image with their request.
Safe to say, this example is at the tamer end of what tends to be involved. More often it’s actual dick pics fired at people’s phones, not a parrot-friendly silicone substitute…

A patchwork of UK laws already covers at least some of the offensive and abusive communications in question, such as the offence of voyeurism under the Sexual Offences Act 2003, which criminalises certain non-consensual photography taken for sexual gratification — and carries a two-year maximum prison sentence (with the possibility that a perpetrator may be required to be listed on the sexual offender register); while revenge porn was made a criminal offence under section 33 of the Criminal Justice and Courts Act 2015.
But the government says that while it feels the law in this area is “robust”, it is keen not to be seen as complacent — hence continuing to keep it under review.
It will also hold a public consultation to help assess whether changes in the law are required.
The Law Commission published Phase 1 of their review of Abusive and Offensive Online Communications on November 1 last year — a scoping report setting out the current criminal law which applies.
The second phase, announced today, will consider the non-consensual taking and sharing of intimate images specifically — and look at possible recommendations for reform. Though it will not report for two years so any changes to the law are likely to take several years to make it onto the statute books.
Among specific issues the Law Commission will consider is whether anonymity should automatically be granted to victims of revenge porn.
Commenting in a statement, justice minister Paul Maynard said: “No one should have to suffer the immense distress of having intimate images taken or shared without consent. We are acting to make sure our laws keep pace with emerging technology and trends in these disturbing and humiliating crimes.”
Maynard added that the review builds on recent changes to toughen UK laws around revenge porn and to outlaw ‘upskirting’ in English law; aka the degrading practice of taking intimate photographs of others without consent.
“Too many young people are falling victim to co-ordinated abuse online or the trauma of having their private sexual images shared. That’s not the online world I want our children to grow up in,” added the secretary of state for digital issues, Jeremy Wright, in another supporting statement.
“We’ve already set out world-leading plans to put a new duty of care on online platforms towards their users, overseen by an independent regulator with teeth. This Review will ensure that the current law is fit for purpose as we deliver our commitment to make the UK the safest place to be online.”
The Law Commission review will begin on July 1, 2019 and report back to the government in summer 2021.
Terms of Reference will be published on the Law Commission’s website in due course.
Powered by WPeMatico
Federal authorities have announced its latest crackdown on illegal robocallers — taking close to a hundred actions against several companies and individuals blamed for the recent barrage of spam calls.
In the so-called “Operation Call It Quits,” the Federal Trade Commission brought four cases — two filed on its behalf by the Justice Department — and three settlements in cases said to be responsible for making more than a billion illegal robocalls.
Several state and local authorities also brought actions as part of the operation, officials said.
Each year, billions of automatically dialed or spoofed phone calls trick millions into picking up the phone. An annoyance at least, at worse it tricks unsuspecting victims into turning over cash or buying fake or misleading products. So far, the FTC has fined companies more than $200 million but only collected less than 0.01% of the fines because of the agency’s limited enforcement powers.
In this new wave of action, the FTC said it will send a strong signal to the robocalling industry.
Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said Americans are “fed up” with the billions of robocalls received every year. “Today’s joint effort shows that combatting this scourge remains a top priority for law enforcement agencies around the nation,” he said.
It’s the second time the FTC has acted in as many months. In May, the agency also took action against four companies accused of making “billions” of robocalls.
The FTC said its latest action brings the number of robocall violators up to 145.
Several of the cases involved shuttering operations that offer consumers “bogus” credit card interest rate reduction services, which the FTC said specifically targeted seniors. Other cases involved the use of illegal robocalls to promote money-making schemes.
Another cases included actions against Lifewatch, a company pitching medical alert systems, which the FTC contended uses spoofed caller ID information to trick victims into picking up the phone. The company settled for $25.3 million. Meanwhile, Redwood Scientific settled for $18.2 million, suspended due to the inability for defendant Danielle Cadiz to pay, for “deceptively” marketing dentistry products, according to the FTC’s complaint.
The robocalling epidemic has caught the attention of the Federal Communications Commission, which regulates the telecoms and internet industries. Last month, its commissioners proposed a new rule that would make it easier for carriers to block robocalls.
Powered by WPeMatico
From the venue and the flashy event website, Waterloo, Ontario’s True North conference (in its second year) doesn’t seem all that distinct from a laundry list of other major tech events that take place each year across North America. But from the moment its main stage programming kicked off on the first day, it was clear this wasn’t your typical gathering place for the tech industry faithful.
The main stage track kicked off with Communitech CEO Iain Klugman. The event is produced by Communitech, an entrepreneurial support and resource organization founded in 1997 to foster the Waterloo region’s technology industry. Communitech sprung out of BlackBerry and the University of Waterloo and the world-class innovation community that surrounds both.
Klugman, a former communications executive and current board member at a number of Communitech-fostered startups and academic institutions, sounded a cautionary and urgent note that continued throughout the day.
Tech conferences, in general, tend to dwell on optimism and enthusiasm, with brief forays into dark alleys of negative consequences. Not this one.
Communitech CEO Iain Klugman speaking at True North 2019 in Waterloo.
Klugman’s talk touched on opportunity, but it was the opportunity to discuss among a group of peers with influence in the technology industry how they should undertake together “to set things right.” Last year’s event had a similar outcome, resulting in the “Tech for Good Declaration,” which True North describes as “the Canadian tech industry’s living document,” and includes a number of principles designed to help guide technology development with community good in mind.
Rather than changing focus for year two, True North’s organizers seem to have doubled down: Klugman’s opening talk included references to surveillance capitalism and breaches of trust, and included this cheerful analogy: “Technology is like fuel. It can warm our homes or it can burn them to the ground, so we decide which one it will do.”
As a whole, the event is about the “tough choices” faced by the collective “we” of the tech industry, according to Klugman.
True North’s official keynote perfectly took the baton from the intro, as New York Times columnist and longtime political commentator Thomas Friedman took the stage. Friedman, a somewhat controversial figure owing to some of his past political stances, launched into a talk informed by his most recent book, “Thank You for Being Late,” and talked about what we’re seeing now in human history as a moment of intersection of three different forces accelerating in a “nonlinear manner” all at once, including technological development outpacing humanity’s ability to adapt to those changes.
NYT columnist and author Thomas Friedman at True North 2019 in Waterloo.
Friedman’s talk ended with him positing that humans spend most of their time today in the essentially “god-less” realm of “cyberspace,” a realm “where we’re all connected but no one’s in charge,” while at the same time we’ve achieved better than ever ability to act with god-like power to control and manipulate our environment. He chided the essential disconnect of powerful forces that act with supreme mastery over technology but with no grounding in sociopolitical understanding (specifically naming Mark Zuckerberg) and those who have the inverse problem (the U.S. Congress, in Friedman’s view).
Overall, Friedman’s views are grounded in what he describes as a place of optimism. But the takeaway is more that humanity is currently at a state where it’s overwhelmed on a number of fronts and out of its depth in terms of having a capacity to cope.
In the afternoon, Robert Mazur (longtime undercover agent and the subject of biopic “The Infiltrator”) discussed his experience tracking down and prosecuting money launderers operating more or less with the blessing of large financial institutions, precisely because their systems were designed around incentive systems that encouraged them but didn’t have protections in place to prevent bad actors from taking advantage. Mazur further elaborated that current telecom industry structure actually makes it even easier than ever to launder large sums relatively unchecked. In essence, it was a warning to be mindful of how the products you build can be exploited by the most malicious actors.
Former Information and Privacy Commissioner for Ontario and creator of the concept of “Privacy by Design” Ann Cavoukian came next, decrying the current state of data “centralized in huge honeypots of information,” including Google (her example).
Former Ontario Information and Privacy Commissioner Ann Cavoukian.
This centralization, she noted is a huge risk in terms of presenting opportunities for tracking, misuse, leaks and more. It’s “taking away our agency as individuals,” she said, and the solution is moving to true decentralization of data.
“Privacy […] is freedom, and is about you making decisions relating to your personal information; not the state, not corporations — you,” she said. “It’s not about secrecy, it’s about control [and] privacy is a necessary condition for societal well-being.”
Cavoukian wrapped her talk by noting the sheer volume of privacy breaches that have leaked consumer information to date, and about the importance of encryption in keeping this safe. Overall, her talk was a blueprint for tech companies looking to incorporate data privacy and good stewardship into the DNA of their products from day one.
Kelsey Leonard, Tribal Co-Lead on the Mid-Atlantic Regional Planning Body of the U.S. National Ocean Council, provided a talk on the implications of digital rights and the continued digital divide as it pertains to Indigenous communities globally. Leonard pointed out that Indigenous nations in North America are the least connected in the world, something she noted continues the ongoing colonialism, and even can potentially contribute to “ongoing genocide of Indigenous peoples.”
Kelsey Leonard, advocate for Indigenous Data Governance and Sovereignty, speaks at True North 2019 in Waterloo.
Indigenous people are also systematically disenfranchised from data ownership and data control, by virtue of their being left out of advanced STEM education and formalized degrees, she said. Leonard also noted that platforms contain reinforcement of what she calls “digital colonialism,” in that Indigenous names are often flagged as fake by algorithms designed to enforce real-name policies, and Indigenous languages are often mistranslated (specifically as Estonian, she said).
This worsens existing Indigenous language and culture erasure. Leonard said a language is lost every two weeks on average, according to recent research. What’s required then is to add protection measures specific to digital platforms to help counter this institutional digital colonization and enforce Indigenous Sovereign Data.
To close day one, Recode founder and legendary Silicon Valley reporter Kara Swisher summarized a lot of her recent work as a New York Times columnist. Basically, that means she called on the industry to stop messing around and start fixing stuff.
Kara Swisher speaks at the True North 2019 conference in Waterloo, Ontario.
Swisher said we’re coming to a “reckoning” for tech in terms of media coverage, and the overwhelmingly positive coverage it’s received over the past many years. She emphasized that we’re only at the beginning of the impact technology will have on society, and laid out a number of current areas of innovation and investment that will continue to upset societal norms, including autonomous driving, artificial intelligence and more.
Regarding media specifically, Swisher noted that she marked a significant shift when BuzzFeed started A/B testing to amplify and extend the attention-capture possible around specific “news” items, citing the famous Katy Perry Left Shark incident of 2015. This, combined with our “continuous partial attention,” which is tied to our inability to totally disengage from our smartphones, is combining to have effects on how we think and work in the world, Swisher said.
She added that, today, many of her new big concerns are around AI, and that “everything that can be digitized will be digitized.” Not only that, she continued, but “almost everything can be,” which will be massively disruptive to peoples’ lives, with effects including a future where most people will have a very high number of different jobs over the course of their lives, requiring continuous education and retraining. “We have to think really hard about what good AI is and what problematic AI is,” she said.
Thompson Reuters Foundation CEO Antonio Zappulla at True North 2019 in Waterloo discussed using technology to help fight human trafficking.
Across other stages, too, the themes of technology’s dangers and how to avert it prevailed across programming. Take Some Risk founder Duane Brown gave a talk on opting out of the always-connected lifestyle and becoming “digitally exhausted.” MedStack founder and CEO Balaji Gopalan talked about the risks inherent in dealing with private patient data in healthcare. Other topics included sustainable energy for Africa, using big data to counter human trafficking and ensuring we steer away from encouraging consumerization in this generation of connected kids.
The event’s central theme was the deceptively simple (and frankly over-uttered) phrase “tech for good,” but the programming and content revealed a level of sophistication and sincerity on the topic that exceeds the low bar often found in tech industry marketing materials and staged events. Overall, it felt introspective, contrite and contemplative — a self-reflection from a community genuine about shoring up its ethical shortcomings. In other words, refreshing.
Powered by WPeMatico
Text IQ, a machine learning system that parses and understands sensitive corporate data, has raised $12.6 million in Series A funding led by FirstMark Capital, with participation from Sierra Ventures.
Text IQ started as co-founder Apoorv Agarwal’s Columbia thesis project titled “Social Network Extraction From Text.” The algorithm he built was able to read a novel, like Jane Austen’s “Emma,” for example, and understand the social hierarchy and interactions between characters.
This people-centric approach to parsing unstructured data eventually became the kernel of Text IQ, which helps corporations find what they’re looking for in a sea of unstructured, and highly sensitive, data.
The platform started as a tool used by corporate legal teams. Lawyers often have to manually look through troves of documents and conversations (text messages, emails, Slack, etc.) to find specific evidence or information. Even using search, these teams spend loads of time and resources looking through the search results, which usually aren’t as accurate as they should be.
“The status quo for this is to use search terms and hire hundreds of humans, if not thousands, to look for things that match their search terms,” said Agarwal. “It’s super expensive, and it can take months to go through millions of documents. And it’s still risky, because they could be missing sensitive information. Compared to the status quo, Text IQ is not only cheaper and faster but, most interestingly, it’s much more accurate.”
Following success with legal teams, Text IQ expanded into HR/compliance, giving companies the ability to retrieve sensitive information about internal compliance issues without a manual search. Because Text IQ understands who a person is relative to the rest of the organization, and learns that organization’s “language,” it can more thoroughly extract what’s relevant to the inquiry from all that unstructured data in Slack, email, etc.
More recently, in the wake of GDPR, Text IQ has expanded its product suite to work in the privacy realm. When a company is asked by a customer to get access to all their data, or to be forgotten, the process can take an enormous amount of resources. Even then, bits of data might fall through the cracks.
For example, if a customer emailed Customer Service years ago, that might not come up in the company’s manual search efforts to find all of that customer’s data. But because Text IQ understands this unstructured data with a person-centric approach, that email wouldn’t slip by its system, according to Agarwal.
Given the sensitivity of the data, Text IQ functions behind a corporation’s firewall, meaning that Text IQ simply provides the software to parse the data rather than taking on any liability for the data itself. In other words, the technology comes to the data, and not the other way around.
Text IQ operates on a tiered subscription model, and offers the product for a fraction of the value they provide in savings when clients switch over from a manual search. The company declined to share any further details on pricing.
Former Apple and Oracle General Counsel Dan Cooperman, former Verizon General Counsel Randal Milch, former Baxter International Global General Counsel Marla Persky and former Nationwide Insurance Chief Legal and Governance Officer Patricia Hatler are on the advisory board for Text IQ.
The company has plans to go on a hiring spree following the new funding, looking to fill positions in R&D, engineering, product development, finance and sales. Co-founder and COO Omar Haroun added that the company achieved profitability in its first quarter entering the market and has been profitable for eight consecutive quarters.
Powered by WPeMatico
IOActive may not be a household name but you almost certainly know its work.
The Seattle-headquartered company has been behind some of the most breathtaking hacks in the past decade. Its researchers have broken into in-flight airplanes from the ground and reverse engineered an ATM to spit out gobs of cash. One of the company’s most revered hackers discovered a way to remotely shock a pacemaker out of rhythm. And remember that now-infamous hack that remotely killed the engine of a Jeep? That was IOActive, too.
If it’s connected, they will bet that they can hack it.
IOActive has made a name for itself with its publicly reported findings, but its bread and butter is helping its corporate customers better understand how they approach security.
Since its founding more than two decades ago, the penetration testing and ethical hacking company now serves customers mostly in the Global 1000 largest companies to help assess and test their security posture.
“You can have the absolute most sophisticated alarm in the entire world, and I guarantee our team can break in,” said Jennifer Steffens, IOActive’s chief executive, in a call with TechCrunch. “But if you left your front door unlocked lock, hackers are going to walk right through”
“Don’t pay us to show you how to break into the alarm before someone learns how to lock the door,” she said.
Powered by WPeMatico
When a company hires talent away from a competitor, onboarding the new employee can pose significant legal risks for both the company and the new employee. A fundamental aspect of Silicon Valley is that employees are generally free to move between competitors.
This unrestricted movement of talent facilitates the robust competition that helps drive the Silicon Valley economy. While this is no doubt positive, unfettered employment mobility also creates unique challenges when it comes to protecting a company’s trade secrets, which are the lifeblood of many Silicon Valley companies.
Because of California’s policies regarding free employment mobility, unlike in most other states, California companies cannot protect their trade secrets with non-compete contracts. So, they instead rely heavily on trade secret laws for protection.
And, of course, when trade secret theft occurs, it is often when an employee transitions from one company to another. Thus, when a key employee gives notice that he or she is leaving for a competitor, it sets off alarm bells for the soon-to-be former company.
Unfortunately, because of the hypersensitivity to protecting trade secrets, many departing employees who have no interest in actually taking their former company’s trade secrets get accused of theft. This allegation can trigger a long, stressful, expensive legal process for both the employee and the new company, and sometimes cost the employee his or her reputation and new job.
This article explains how this situation arises and provides some practical considerations for how the employee transitioning jobs, and the onboarding company, can avoid an unnecessary legal fight.
Powered by WPeMatico
Facebook has finally revealed the details of its cryptocurrency, Libra, which will let you buy things or send money to people with nearly zero fees. You’ll pseudonymously buy or cash out your Libra online or at local exchange points like grocery stores, and spend it using interoperable third-party wallet apps or Facebook’s own Calibra wallet that will be built into WhatsApp, Messenger and its own app. Today Facebook released its white paper explaining Libra and its testnet for working out the kinks of its blockchain system before a public launch in the first half of 2020.
Facebook won’t fully control Libra, but instead get just a single vote in its governance like other founding members of the Libra Association, including Visa, Uber and Andreessen Horowitz, which have invested at least $10 million each into the project’s operations. The association will promote the open-sourced Libra Blockchain and developer platform with its own Move programming language, plus sign up businesses to accept Libra for payment and even give customers discounts or rewards.
Facebook is launching a subsidiary company also called Calibra that handles its crypto dealings and protects users’ privacy by never mingling your Libra payments with your Facebook data so it can’t be used for ad targeting. Your real identity won’t be tied to your publicly visible transactions. But Facebook/Calibra and other founding members of the Libra Association will earn interest on the money users cash in that is held in reserve to keep the value of Libra stable.

Facebook’s audacious bid to create a global digital currency that promotes financial inclusion for the unbanked actually has more privacy and decentralization built in than many expected. Instead of trying to dominate Libra’s future or squeeze tons of cash out of it immediately, Facebook is instead playing the long-game by pulling payments into its online domain. Facebook’s VP of blockchain, David Marcus, explained the company’s motive and the tie-in with its core revenue source during a briefing at San Francisco’s historic Mint building. “If more commerce happens, then more small businesses will sell more on and off platform, and they’ll want to buy more ads on the platform so it will be good for our ads business.”
In cryptocurrencies, Facebook saw both a threat and an opportunity. They held the promise of disrupting how things are bought and sold by eliminating transaction fees common with credit cards. That comes dangerously close to Facebook’s ad business that influences what is bought and sold. If a competitor like Google or an upstart built a popular coin and could monitor the transactions, they’d learn what people buy and could muscle in on the billions spent on Facebook marketing. Meanwhile, the 1.7 billion people who lack a bank account might choose whoever offers them a financial services alternative as their online identity provider too. That’s another thing Facebook wants to be.

Yet existing cryptocurrencies like Bitcoin and Ethereum weren’t properly engineered to scale to be a medium of exchange. Their unanchored price was susceptible to huge and unpredictable swings, making it tough for merchants to accept as payment. And cryptocurrencies miss out on much of their potential beyond speculation unless there are enough places that will take them instead of dollars, and the experience of buying and spending them is easy enough for a mainstream audience. But with Facebook’s relationship with 7 million advertisers and 90 million small businesses plus its user experience prowess, it was well-poised to tackle this juggernaut of a problem.
Now Facebook wants to make Libra the evolution of PayPal . It’s hoping Libra will become simpler to set up, more ubiquitous as a payment method, more efficient with fewer fees, more accessible to the unbanked, more flexible thanks to developers and more long-lasting through decentralization.

“Success will mean that a person working abroad has a fast and simple way to send money to family back home, and a college student can pay their rent as easily as they can buy a coffee,” Facebook writes in its Libra documentation. That would be a big improvement on today, when you’re stuck paying rent in insecure checks while exploitative remittance services charge an average of 7% to send money abroad, taking $50 billion from users annually. Libra could also power tiny microtransactions worth just a few cents that are infeasible with credit card fees attached, or replace your pre-paid transit pass.
…Or it could be globally ignored by consumers who see it as too much hassle for too little reward, or too unfamiliar and limited in use to pull them into the modern financial landscape. Facebook has built a reputation for over-engineered, underused products. It will need all the help it can get if wants to replace what’s already in our pockets.
By now you know the basics of Libra. Cash in a local currency, get Libra, spend them like dollars without big transaction fees or your real name attached, cash them out whenever you want. Feel free to stop reading and share this article if that’s all you care about. But the underlying technology, the association that governs it, the wallets you’ll use and the way payments work all have a huge amount of fascinating detail to them. Facebook has released more than 100 pages of documentation on Libra and Calibra, and we’ve pulled out the most important facts. Let’s dive in.
Facebook knew people wouldn’t trust it to wholly steer the cryptocurrency they use, and it also wanted help to spur adoption. So the social network recruited the founding members of the Libra Association, a not-for-profit which oversees the development of the token, the reserve of real-world assets that gives it value and the governance rules of the blockchain. “If we were controlling it, very few people would want to jump on and make it theirs,” says Marcus.
Each founding member paid a minimum of $10 million to join and optionally become a validator node operator (more on that later), gain one vote in the Libra Association council and be entitled to a share (proportionate to their investment) of the dividends from interest earned on the Libra reserve into which users pay fiat currency to receive Libra.
The 28 soon-to-be founding members of the association and their industries, previously reported by The Block’s Frank Chaparro, include:

Facebook says it hopes to reach 100 founding members before the official Libra launch and it’s open to anyone that meets the requirements, including direct competitors like Google or Twitter. The Libra Association is based in Geneva, Switzerland and will meet biannually. The country was chosen for its neutral status and strong support for financial innovation including blockchain technology.
To join the association, members must have a half rack of server space, a 100Mbps or above dedicated internet connection, a full-time site reliability engineer and enterprise-grade security. Businesses must hit two of three thresholds of a $1 billion USD market value or $500 million in customer balances, reach 20 million people a year and/or be recognized as a top 100 industry leader by a group like Interbrand Global or the S&P.
Crypto-focused investors must have more than $1 billion in assets under management, while Blockchain businesses must have been in business for a year, have enterprise-grade security and privacy and custody or staking greater than $100 million in assets. And only up to one-third of founding members can by crypto-related businesses or individually invited exceptions. Facebook also accepts research organizations like universities, and nonprofits fulfilling three of four qualities, including working on financial inclusion for more than five years, multi-national reach to lots of users, a top 100 designation by Charity Navigator or something like it and/or $50 million in budget.

The Libra Association will be responsible for recruiting more founding members to act as validator nodes for the blockchain, fundraising to jump-start the ecosystem, designing incentive programs to reward early adopters and doling out social impact grants. A council with a representative from each member will help choose the association’s managing director, who will appoint an executive team and elect a board of five to 19 top representatives.
Each member, including Facebook/Calibra, will only get up to one vote or 1% of the total vote (whichever is larger) in the Libra Association council. This provides a level of decentralization that protects against Facebook or any other player hijacking Libra for its own gain. By avoiding sole ownership and dominion over Libra, Facebook could avoid extra scrutiny from regulators who are already investigating it for a sea of privacy abuses as well as potentially anti-competitive behavior. In an attempt to preempt criticism from lawmakers, the Libra Association writes, “We welcome public inquiry and accountability. We are committed to a dialogue with regulators and policymakers. We share policymakers’ interest in the ongoing stability of national currencies.”
A Libra is a unit of the Libra cryptocurrency that’s represented by a three wavy horizontal line unicode character ≋ like the dollar is represented by $. The value of a Libra is meant to stay largely stable, so it’s a good medium of exchange, as merchants can be confident they won’t be paid a Libra today that’s then worth less tomorrow. The Libra’s value is tied to a basket of bank deposits and short-term government securities for a slew of historically stable international currencies, including the dollar, pound, euro, Swiss franc and yen. The Libra Association maintains this basket of assets and can change the balance of its composition if necessary to offset major price fluctuations in any one foreign currency so that the value of a Libra stays consistent.
The name Libra comes from the word for a Roman unit of weight measure. It’s trying to invoke a sense of financial freedom by playing on the French stem “Lib,” meaning free.
The Libra Association is still hammering out the exact start value for the Libra, but it’s meant to be somewhere close to the value of a dollar, euro or pound so it’s easy to conceptualize. That way, a gallon of milk in the U.S. might cost 3 to 4 Libra, similar but not exactly the same as with dollars.
The idea is that you’ll cash in some money and keep a balance of Libra that you can spend at accepting merchants and online services. You’ll be able to trade in your local currency for Libra and vice versa through certain wallet apps, including Facebook’s Calibra, third-party wallet apps and local resellers like convenience or grocery stores where people already go to top-up their mobile data plan.
Each time someone cashes in a dollar or their respective local currency, that money goes into the Libra Reserve and an equivalent value of Libra is minted and doled out to that person. If someone cashes out from the Libra Association, the Libra they give back are destroyed/burned and they receive the equivalent value in their local currency back. That means there’s always 100% of the value of the Libra in circulation, collateralized with real-world assets in the Libra Reserve. It never runs fractional. And unliked “pegged” stable coins that are tied to a single currency like the USD, Libra maintains its own value — though that should cash out to roughly the same amount of a given currency over time.

When Libra Association members join and pay their $10 million minimum, they receive Libra Investment Tokens. Their share of the total tokens translates into the proportion of the dividend they earn off of interest on assets in the reserve. Those dividends are only paid out after Libra Association uses interest to pay for operating expenses, investments in the ecosystem, engineering research and grants to nonprofits and other organizations. This interest is part of what attracted the Libra Association’s members. If Libra becomes popular and many people carry a large balance of the currency, the reserve will grow huge and earn significant interest.
Every Libra payment is permanently written into the Libra Blockchain — a cryptographically authenticated database that acts as a public online ledger designed to handle 1,000 transactions per second. That would be much faster than Bitcoin’s 7 transactions per second or Ethereum’s 15. The blockchain is operated and constantly verified by founding members of the Libra Association, which each invested $10 million or more for a say in the cryptocurrency’s governance and the ability to operate a validator node.
When a transaction is submitted, each of the nodes runs a calculation based on the existing ledger of all transactions. Thanks to a Byzantine Fault Tolerance system, just two-thirds of the nodes must come to consensus that the transaction is legitimate for it to be executed and written to the blockchain. A structure of Merkle Trees in the code makes it simple to recognize changes made to the Libra Blockchain. With 5KB transactions, 1,000 verifications per second on commodity CPUs and up to 4 billion accounts, the Libra Blockchain should be able to operate at 1,000 transactions per second if nodes use at least 40Mbps connections and 16TB SSD hard drives.

Transactions on Libra cannot be reversed. If an attack compromises over one-third of the validator nodes causing a fork in the blockchain, the Libra Association says it will temporarily halt transactions, figure out the extent of the damage and recommend software updates to resolve the fork.
Transactions aren’t entirely free. They incur a tiny fraction of a cent fee to pay for “gas” that covers the cost of processing the transfer of funds similar to with Ethereum. This fee will be negligible to most consumers, but when they add up, the gas charges will deter bad actors from creating millions of transactions to power spam and denial-of-service attacks. “We’ve purposely tried not to innovate massively on the blockchain itself because we want it to be scalable and secure,” says Marcus of piggybacking on the best elements of existing cryptocurrencies.
Currently, the Libra Blockchain is what’s known as “permissioned,” where only entities that fulfill certain requirements are admitted to a special in-group that defines consensus and controls governance of the blockchain. The problem is this structure is more vulnerable to attacks and censorship because it’s not truly decentralized. But during Facebook’s research, it couldn’t find a reliable permissionless structure that could securely scale to the number of transactions Libra will need to handle. Adding more nodes slows things down, and no one has proven a way to avoid that without compromising security.
That’s why the Libra Association’s goal is to move to a permissionless system based on proof-of-stake that will protect against attacks by distributing control, encourage competition and lower the barrier to entry. It wants to have at least 20% of votes in the Libra Association council coming from node operators based on their total Libra holdings instead of their status as a founding member. That plan should help appease blockchain purists who won’t be satisfied until Libra is completely decentralized.
The Libra Blockchain is open source with an Apache 2.0 license, and any developer can build apps that work with it using the Move coding language. The blockchain’s prototype launches its testnet today, so it’s effectively in developer beta mode until it officially launches in the first half of 2020. The Libra Association is working with HackerOne to launch a bug bounty system later this year that will pay security researchers for safely identifying flaws and glitches. In the meantime, the Libra Association is implementing the Libra Core using the Rust programming language because it’s designed to prevent security vulnerabilities, and the Move language isn’t fully ready yet.
Move was created to make it easier to write blockchain code that follows an author’s intent without introducing bugs. It’s called Move because its primary function is to move Libra coins from one account to another, and never let those assets be accidentally duplicated. The core transaction code looks like: LibraAccount.pay_from_sender(recipient_address, amount) procedure.

Eventually, Move developers will be able to create smart contracts for programmatic interactions with the Libra Blockchain. Until Move is ready, developers can create modules and transaction scripts for Libra using Move IR, which is high-level enough to be human-readable but low-level enough to be translatable into real Move bytecode that’s written to the blockchain.
The Libra ecosystem and the Move language will be completely open to use and build, which presents a sizable risk. Crooked developers could prey on crypto novices, claiming their app works just the same as legitimate ones, and that it’s safe because it uses Libra. But if consumers get ripped off by these scammers, the anger will surely bubble up to Facebook. Yet still, Calibra’s head of product tells me, “There are no plans for the Libra Association to take a role in actively vetting [developers],” Calibra’s head of product Kevin Weil tells me.
Even though it’s tried to distance itself sufficiently via its subsidiary Libra and the association, many people will probably always think of Libra as Facebook’s cryptocurrency and blame it for their woes.
Read our full story on the dangers of Libra’s unvetted developer platform
The Libra Association wants to encourage more developers and merchants to work with its cryptocurrency. That’s why it plans to issue incentives, possibly Libra coins, to validator node operators who can get people signed up for and using Libra. Wallets that pull users through the Know Your Customer anti-fraud and money laundering process or that keep users sufficiently active for over a year will be rewarded. For each transaction they process, merchants will also receive a percentage of the transaction back.
Businesses that earn these incentives can keep them, or pass some or all of them along to users in the form of free Libra tokens or discounts on their purchases. This could create competition between wallets to see which can pass on the most rewards to their customers, and thereby attract the most users. You could imagine eBay or Spotify giving you a discount for paying in Libra, while wallet developers might offer you free tokens if you complete 100 transactions within a year.

“One challenge for Spotify and its users around the world has been the lack of easily accessible payment systems – especially for those in financially underserved markets,” Spotify’s Chief Premium Business Officer Alex Norström writes. “In joining the Libra Association, there is an opportunity to better reach Spotify’s total addressable market, eliminate friction and enable payments in mass scale.”
This savvy incentive system should massively help ratchet up Libra’s user count without dictating how businesses balance their margins versus growth. Facebook also has another plan to grow its developer ecosystem. By offering venture capital firms like Andreessen Horowitz and Union Square Ventures a portion of the reserve interest, they’re motivating to fund startups building Libra infrastructure.
So how do you actually own and spend Libra? Through Libra wallets like Facebook’s own Calibra and others that will be built by third-parties, potentially including Libra Association members like PayPal. The idea is to make sending money to a friend or paying for something as easy as sending a Facebook Message. You won’t be able to make or receive any real payments until the official launch next year, though, but you can sign up for early access when it’s ready here.
None of the Libra Association members agreed to provide details on what exactly they’ll build on the blockchain, but we can take Facebook’s Calibra wallet as an example of the basic experience. Calibra will launch alongside the Libra currency on iOS and Android within Facebook Messenger, WhatsApp and a standalone app. When users first sign up, they’ll be taken through a Know Your Customer anti-fraud process where they’ll have to provide a government-issued photo ID and other verification info. They’ll need to conduct due diligence on customers and report suspicious activity to the authorities.
From there you’ll be able to cash in to Libra, pick a friend or merchant, set an amount to send them and add a description and send them Libra. You’ll also be able to request Libra, and Calibra will offer an expedited way of paying merchants by scanning your or their QR code. Eventually it wants to offer in-store payments and integrations with point-of-sale systems like Square.

The Libra Association’s e-commerce members seem particularly excited about how the token could eliminate transaction fees and speed up checkout. “We believe blockchain will benefit the luxury industry by improving IP protection, transparency in the product life cycle and — as in the case of Libra — enable global frictionless e-commerce,” says FarFetch CEO Jose Neves.
Facebook CEO Mark Zuckerberg explained some of the philosophy behind Libra and Calibra in a post today. “It’s decentralized — meaning it’s run by many different organizations instead of just one, making the system fairer overall. It’s available to anyone with an internet connection and has low fees and costs. And it’s secured by cryptography which helps keep your money safe. This is an important part of our vision for a privacy-focused social platform — where you can interact in all the ways you’d want privately, from messaging to secure payments.”
By default, Facebook won’t import your contacts or any of your profile information, but may ask if you wish to do so. It also won’t share any of your transaction data back to Facebook, so it won’t be used to target you with ads, rank your News Feed, or otherwise earn Facebook money directly. Data will only be shared in specific instances in anonymized ways for research or adoption measurement, for hunting down fraudsters or due to a request from law enforcement. And you don’t even need a Facebook or WhatsApp account to sign up for Calibra or to use Libra.
“We realize people don’t want their social data and financial data commingled,” says Marcus, who’s now head of Calibra. “The reality is we’ll have plenty of wallets that will compete with us and many of them will not be in social, and if we want to successfully win people’s trust, we have to make sure the data will be separated.”

In case you are hacked, scammed or lose access to your account, Calibra will refund you for lost coins when possible through 24/7 chat support because it’s a custodial wallet. You also won’t have to remember any long, complex crypto passwords you could forget and get locked out from your money, as Calibra manages all your keys for you. Given Calibra will likely become the default wallet for many Libra users, this extra protection and smoother user experience is essential.
For now, Calibra won’t make money. But Calibra’s head of product Kevin Weil tells me that if it reaches scale, Facebook could launch other financial tools through Calibra that it could monetize, such as investing or lending. “In time, we hope to offer additional services for people and businesses, such as paying bills with the push of a button, buying a cup of coffee with the scan of a code or riding your local public transit without needing to carry cash or a metro pass,” the Calibra team writes. That makes it start to sound a lot like China’s everything app WeChat.
Facebook got one thing right for sure: Today’s money doesn’t work for everyone. Those of us living comfortably in developed nations likely don’t see the hardships that befall migrant workers or the unbanked abroad. Preyed on by greedy payday lenders and high-fee remittance services, targeted by muggers and left out of traditional financial services, the poor get poorer. Libra has the potential to get more money from working parents back to their families and help people retain credit even if they’re robbed of their physical possessions. That would do more to accomplish Facebook’s mission of making the world feel smaller than all the News Feed Likes combined.
If Facebook succeeds and legions of people cash in money for Libra, it and the other founding members of the Libra Association could earn big dividends on the interest. And if suddenly it becomes super quick to buy things through Facebook using Libra, businesses will boost their ad spend there. But if Libra gets hacked or proves unreliable, it could cost lots of people around the world money while souring them on cryptocurrencies. And by offering an open Libra platform, shady developers could build apps that snatch not just people’s personal info like Cambridge Analytica, but their hard-earned digital cash.
Facebook just tried to reinvent money. Next year, we’ll see if the Libra Association can pull it off. It took me 4,000 words to explain Libra, but at least now you can make up your own mind about whether to be scared of Facebook crypto.
Powered by WPeMatico
The growing presence of encrypted communications apps makes a lot of communities safer and stronger. But the possibility of physical device seizure and government coercion is growing as well, which is why every such app should have some kind of self-destruct mode to protect its user and their contacts.
End to end encryption like that you see in Signal and (if you opt into it) WhatsApp is great at preventing governments and other malicious actors from accessing your messages while they are in transit. But as with nearly all cybersecurity matters, physical access to either device or user or both changes things considerably.
For example, take this Hong Kong citizen who was forced to unlock their phone and reveal their followers and other messaging data to police. It’s one thing to do this with a court order to see if, say, a person was secretly cyberstalking someone in violation of a restraining order. It’s quite another to use as a dragnet for political dissidents.
@telegram @durov an HK citizen who runs a Telegram channel detained by the police was forced to unlock his phone and reveal his channel followers. Could you please add an option such that channel subscribers cannot be seen under extreme circumstances? Much appreciate. https://t.co/tj4UQztuZ2
— Lo Sinofobo (@tnzqo7f9) June 12, 2019
This particular protestor ran a Telegram channel that had a number of followers. But it could just as easily be a Slack room for organizing a protest, or a Facebook group, or anything else. For groups under threat from oppressive government regimes it could be a disaster if the contents or contacts from any of these were revealed to the police.
Just as you should be able to choose exactly what you say to police, you should be able to choose how much your phone can say as well. Secure messaging apps should be the vanguard of this capability.
There are already some dedicated “panic button” type apps, and Apple has thoughtfully developed an “emergency mode” (activated by hitting the power button five times quickly) that locks the phone to biometrics and will wipe it if it is not unlocked within a certain period of time. That’s effective against “Apple pickers” trying to steal a phone or during border or police stops where you don’t want to show ownership by unlocking the phone with your face.
Those are useful and we need more like them — but secure messaging apps are a special case. So what should they do?
The best-case scenario, where you have all the time in the world and internet access, isn’t really an important one. You can always delete your account and data voluntarily. What needs work is deleting your account under pressure.
The next best-case scenario is that you have perhaps a few seconds or at most a minute to delete or otherwise protect your account. Signal is very good about this: The deletion option is front and center in the options screen, and you don’t have to input any data. WhatsApp and Telegram require you to put in your phone number, which is not ideal — fail to do this correctly and your data is retained.
Signal, left, lets you get on with it. You’ll need to enter your number in WhatsApp (right) and Telegram.
Obviously it’s also important that these apps don’t let users accidentally and irreversibly delete their account. But perhaps there’s a middle road whereby you can temporarily lock it for a preset time period, after which it deletes itself if not unlocked manually. Telegram does have self-destructing accounts, but the shortest time you can delete after is a month.
What really needs improvement is emergency deletion when your phone is no longer in your control. This could be a case of device seizure by police, or perhaps being forced to unlock the phone after you have been arrested. Whatever the case, there need to be options for a user to delete their account outside the ordinary means.
Here are a couple options that could work:
Obviously these open new avenues for calamity and abuse as well, which is why they will need to be explained carefully and perhaps initially hidden in “advanced options” and the like. But overall I think we’ll be safer with them available.
Eventually these roles may be filled by dedicated apps or by the developers of the operating systems on which they run, but it makes sense for the most security-forward app class out there to be the first in the field.
Powered by WPeMatico