privacy

Auto Added by WPeMatico

Facebook’s new Study app pays adults for data after teen scandal

Facebook shut down its Research and Onavo programs after TechCrunch exposed how the company paid teenagers for root access to their phones to gain market data on competitors. Now Facebook is relaunching its paid market research program, but this time with principles — namely transparency, fair compensation and safety. The goal? To find out which other competing apps and features Facebook should buy, copy or ignore.

Today Facebook releases its “Study from Facebook” app for Android only. Some adults 18+ in the U.S. and India will be recruited by ads on and off Facebook to willingly sign up to let Facebook collect extra data from them in exchange for a monthly payment. They’ll be warned that Facebook will gather which apps are on their phone, how much time they spend using those apps, the app activity names of features they use in other apps, plus their country, device and network type.

Facebook promises it won’t snoop on user IDs, passwords or any of participants’ content, including photos, videos or messages. It won’t sell participants’ info to third parties, use it to target ads or add it to their account or the behavior profiles the company keeps on each user. Yet while Facebook writes that “transparency” is a major part of “Approaching market research in a responsible way,” it refuses to tell us how much participants will be paid.

“Study from Facebook” could give the company critical insights for shaping its product roadmap. If it learns everyone is using screensharing social network Squad, maybe it will add its own screensharing feature. If it finds group video chat app Houseparty is on the decline, it might not worry about cloning that functionality. Or if it finds Snapchat’s Discover mobile TV shows are retaining users for a ton of time, it might amp up teen marketing of Facebook Watch. But it also might rile up regulators and politicians who already see it as beating back competition through acquisitions and feature cloning.

An attempt to be less creepy

TechCrunch’s investigation from January revealed that Facebook had been quietly operating a research program codenamed Atlas that paid users ages 13 to 35 up to $20 per month in gift cards in exchange for root access to their phone so it could gather all their data for competitive analysis. That included everything the Study app grabs, but also their web browsing activity, and even encrypted information, as the app required users to install a VPN that routed all their data through Facebook. It even had the means to collect private messages and content shared — potentially including data owned by their friends.

Facebook’s Research app also abused Apple’s enterprise certificate program designed for distributing internal use-only apps to employees without the App Store or Apple’s approval. Facebook originally claimed it obeyed Apple’s rules, but Apple quickly disabled Facebook’s Research app and also shut down its enterprise certificate, temporarily breaking Facebook’s internal test builds of its public apps, as well as the shuttle times and lunch menu apps employees rely on.

In the aftermath of our investigation, Facebook shut down its Research program. It then also announced in February that it would shut down its Onavo Protect app on Android, which branded itself as a privacy app providing a free VPN instead of paying users while it collected tons of data on them. After giving users until May 9th to find a replacement VPN, the Onavo Protect was killed off.

This was an embarrassing string of events that stemmed from unprincipled user research. Now Facebook is trying to correct its course and revive its paid data collection program but with more scruples.

How Study from Facebook works

Unlike Onavo or Facebook Research, users can’t freely sign up for Study. They have to be recruited through ads Facebook will show on its own app and others to both 18+ Facebook users and non-users in the U.S. and India. That should keep out grifters and make sure the studies stay representative of Facebook’s user base. Eventually, Facebook plans to extend the program to other countries.

If users click through the ad, they’ll be brought to Facebook’s research operations partner Applause’s website, which clearly identifies Facebook’s involvement, unlike Facebook Research, which hid that fact until users were fully registered. There they’ll be informed how the Study app is opt-in, what data they’ll give up in exchange for what compensation and that they can opt out at any time. They’ll need to confirm their age, have a PayPal account (which are only supposed to be available to users 18 and over) and Facebook will cross-check the age to make sure it matches the person’s Facebook profile, if they have one. They won’t have to sign and NDA like with the Facebook Research program.

Anyone can download the Study from Facebook app from Google Play, but only those who’ve been approved through Applause will be able to log in and unlock the app. It will again explain what Facebook will collect, and ask for data permissions. The app will send periodic notifications to users reminding them they’re selling their data to Facebook and offering them an opt-out. Study from Facebook will use standard Google-approved APIs and won’t use a VPN, SSL bumping, root access, enterprise certificates or permission profiles you install on your device like the Research program that ruffled feathers.

Different users will be paid the same amount to their PayPal account, but Facebook wouldn’t say how much it’s dealing out, or even whether it was in the ball park of cents, dollars or hundreds of dollars per month. That seems like a stern departure from its stated principle of transparency. This matters, because Facebook earns billions in profit per quarter. It has the cash to potentially offer so much to Study participants that it effectively coerces them to give up their data; $10 to $20 per month like it was paying Research participants seems reasonable in the U.S., but that’s enough money in India to make people act against their better judgement.

The launch shows Facebook’s boldness despite the threat of antitrust regulation focusing on how it has suppressed competition through its acquisitions and copying. Democrat presidential candidates could use Study from Facebook as a talking point, noting how the company’s huge profits earned from its social network domination afford it a way to buy private user data to entrench its lead.

At 15 years old, Facebook is at risk of losing touch with what the next generation wants out of their phones. Rather than trying to guess based on their activity on its own app, it’s putting its huge wallet to work so it can pay for an edge on the competition.

Powered by WPeMatico

Apple is making corporate ‘BYOD’ programs less invasive to user privacy

When people bring their own devices to work or school, they don’t want IT administrators to manage the entire device. But until now, Apple only offered two ways for IT to manage its iOS devices: either device enrollments, which offered device-wide management capabilities to admins or those same device management capabilities combined with an automated setup process. At Apple’s Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollments.

This new MDM (mobile device management) enrollment option is meant to better balance the needs of IT to protect sensitive corporate data and manage the software and settings available to users, while at the same time allowing users’ private personal data to remain separate from IT oversight.

According to Apple, when both users’ and IT’s needs are in balance, users are more likely to accept a corporate “bring your own device” (BYOD) program — something that can ultimately save the business money that doesn’t have to be invested in hardware purchases.

The new user enrollments option for MDM has three components: a managed Apple ID that sits alongside the personal ID; cryptographic separation of personal and work data; and a limited set of device-wide management capabilities for IT.

The managed Apple ID will be the user’s work identity on the device, and is created by the admin in either Apple School Manager or Apple Business Manager — depending on whether this is for a school or a business. The user signs into the managed Apple ID during the enrollment process.

From that point forward until the enrollment ends, the company’s managed apps and accounts will use the managed Apple ID’s iCloud account.

Meanwhile, the user’s personal apps and accounts will use the personal Apple ID’s iCloud account, if one is signed into the device.

Third-party apps are then either used in managed or unmanaged modes.

That means users won’t be able to change modes or run the apps in both modes at the same time. However, some of the built-in apps like Notes will be account-based, meaning the app will use the appropriate Apple ID — either the managed one or personal — depending on which account they’re operating on at the time.

To separate work data from personal, iOS will create a managed APFS volume at the time of the enrollment. The volume uses separate cryptographic keys which are destroyed along with the volume itself when the enrollment period ends. (iOS had always removed the managed data when the enrollment ends, but this is a cryptographic backstop just in case anything were to go wrong during unenrollment, the company explained.)

The managed volume will host the local data stored by any managed third-party apps along with the managed data from the Notes app. It also will house a managed keychain that stores secure items like passwords and certificates; the authentication credentials for managed accounts; and mail attachments and full email bodies.

The system volume does host a central database for mail, including some metadata and five line previews, but this is removed as well when the enrollment ends.

Users’ personal apps and their data can’t be managed by the IT admin, so they’re never at risk of having their data read or erased.

And unlike device enrollments, user enrollments don’t provide a UDID or any other persistent identifier to the admin. Instead, it creates a new identifier called the “enrollment ID.” This identifier is used in communication with the MDM server for all communications and is destroyed when enrollment ends.

Apple also noted that one of the big reasons users fear corporate BYOD programs is because they think the IT admin will erase their entire device when the enrollment ends — including their personal apps and data.

To address this concern, the MDM queries can only return the managed results.

In practice, that means IT can’t even find out what personal apps are installed on the device — something that can feel like an invasion of privacy to end users. (This feature will be offered for device enrollments, too.) And because IT doesn’t know which personal apps are installed, it also can’t restrict certain apps’ use.

User enrollments will also not support the “erase device” command — and they don’t have to, because IT will know the sensitive data and emails are gone. There’s no need for a full device wipe.

Similarly, the Exchange Server can’t send its remote wipe command — just the account-only remote wipe to remove the managed data.

Another new feature related to user enrollments is how traffic for managed accounts is guided through the corporate VPN. Using the per-app VPN feature, traffic from the Mail, Contacts and Calendars built-in apps will only go through the VPN if the domains match that of the business. For example, mail.acme.com can pass through the VPN, but not mail.aol.com. In other words, the user’s personal mail remains private.

This addresses what has been an ongoing concern about how some MDM solutions operate — routing traffic through a corporate proxy meant the business could see the employees’ personal emails, social networking accounts and other private information.

User enrollments also only enforces a six-digit non-simple passcode, as the MDM server can’t help users by clearing the past code if the user forgets it.

Some today advise users to not accept BYOD MDM policies because of the impact to personal privacy. While a business has every right to manage and wipe its own apps and data, IT has overstepped with some of its remote management capabilities — including its ability to erase entire devices, access personal data, track a phone’s location, restrict personal use of apps and more.

Apple’s MDM policies haven’t included GPS tracking, however, nor does this new option.

Apple’s new policy is a step toward a better balance of concerns, but will require that users understand the nuances of these more technical details — which they may not.

That user education will come down to the businesses that insist on these MDM policies to begin with — they will need to establish their own documentation, explainers, and establish new privacy policies with their employees that detail what sort of data they can and cannot access, as well as what sort of control they have over corporate devices.

Powered by WPeMatico

AI security startup Darktrace’s CEO defeats buzzword bingo with trust and transparency

It takes a lot of trust to allow a company to come in and install a mystery box on their network to monitor for threats. It’s like inviting in a security guard to sit in your living room to make sure nobody breaks in.

Yet that’s exactly what Darktrace does. (The box, not the security guard.)

The Cambridge U.K.-founded company, now with a second headquarters in San Francisco, assumes that any network can be breached. Instead of looking at the perimeter of a network, Darktrace uses artificial intelligence (AI) and machine learning to scan and identify security weaknesses and malicious traffic inside a company’s network.

Traditional network monitoring typically uses signature-based threat detection of matching against known malicious files, but can be easily modified to evade detection. Instead, Darktrace builds up a profile of the network to understand what the baseline “normal” looks like so it can spot and identify potential issues, like large amounts of data exfiltration or suspect devices.

But how do you win over those who see a sea of meaningless buzzwords? How can you differentiate between the smoke and mirrors and the real deal?

“No one wants the black box making decisions without them knowing what it’s doing,” said Nicole Eagan, Darktrace’s co-founder and chief executive, in a call with TechCrunch.

“So, let them have visibility,” she said.

Darktrace’s founders have roots in the U.K. and U.S. intelligence, where they took what they knew of the cybersecurity threats to the private sector to where the new battleground opened up. In the past half-decade of its existence, the company has gained major clients on its roster — from telcos to banks, tech giants and car makers — supported by 900 staff in over 40 offices around the world.

About a quarter of its customers are in financial services, said Eagan. But it takes a lot for the heavily regulated companies to trust a mystery device on a company’s network where the data and security, like financial services, is highly regulated.

Powered by WPeMatico

Why identity startup Auth0’s founder still codes: It makes him a better boss

If you ask Eugenio Pace to describe himself, “engineer” would be fairly high on the list.

“Being a CEO is pretty busy,” he told TechCrunch in a call last week. “But I’m an engineer in my heart — I am a problem solver,” he said.

Pace, an Argentinan immigrant to the U.S., founded identity management company Auth0 in 2013 after more than a decade at Microsoft. Auth0, pronounced “auth-zero,” has been described as like Stripe for payments or Twilio for messaging. App developers can add a few lines of code and it immediately gives their users access to the company’s identity management service.

That means the user can securely log in to the app without building a homebrew username and password system that’s invariably going to break. Any enterprise paying for Auth0 can also use its service to securely logon to the company’s internal network.

“Nobody cares about authentication, but everybody needs it,” he said.

Pace said Auth0 works to answer two simple questions. “Who are you, and what can you do?” he said.

“Those two questions are the same regardless of the device, the app, or whether if I’m an employee of somebody or if I am an individual using an app, or if I am using a device where there’s no human attached to it,” he said.

Whoever the users are, the app needs to know if the person using the app or service is allowed to, and what level of access or functionality they can get. “Can you transfer these funds?,” he said. “Can you approve these expense reports? Can you open the door of my house?” he explained.

Pace left Microsoft in 2012 and founded Auth0 during the emergence of Azure, which transformed Microsoft from a software giant into a cloud company. It was at Microsoft where he found identity management was one of the biggest headaches for developers moving their apps to the cloud. He wrote book after book, and edition after edition. “I felt like I could keep writing books about the problem — or I can just solve the problem,” he said.

So he did.

Instead of teaching developers how to become experts in identity management, he wanted to give them the tools to employ a sign-on solution without ever having to read a book.

Powered by WPeMatico

How Marcin Kleczynski went from message boards to founding anti-malware startup Malwarebytes

Marcin Kleczynski is a shining example of the American dream.

A Polish-born immigrant turned naturalized citizen, Kleczynski grew up in the Chicago suburbs spending much of his time on computers and the early days of the world wide web. He couldn’t afford to buy computer games; instead, he downloaded them from the internet — and usually malware along with it. Frustrated that his computer’s anti-malware didn’t prevent the infection, he took to seeking help from security message boards to troubleshoot and remove the malware by hand.

That’s where Kleczynski thought he could do better, and so he founded Malwarebytes .

In early 2008, his company’s first anti-malware product was released. To no surprise, the very people on the message boards who helped Kleczynski recover his computer were the same championing his debut software. So much so that Kleczynski hired one of the people from the message board who helped him rid the malware from his computer as one of his first employees. Within months, Malwarebytes was turning over a couple of hundred thousand dollars, Kleczynski told TechCrunch.

By August came the question of whether he would run his company or go to university.

“After about a 15-second conversation with my mother, she quickly informed me that I would be attending university,” he said.

And so he did both.

Fast-forward to today, the company is a multi-million dollar anti-malware giant serving 150 million consumer customers and 50,000 paying small to medium-sized business and enterprise customers from its five offices — two in the U.S., as well as Estonia, Ireland and Singapore.

Powered by WPeMatico

Security startup Bugcrowd on crowdsourcing bug bounties: ‘Cybersecurity is a people problem’

For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.

For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer in an interview TechCrunch from his San Francisco headquarters.

“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.

Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers, and security researchers to find and privately report security flaws that could damage systems or putting user data at risk.

Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for payout to the finder.

The greater the vulnerability, the higher the payout.

“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.

Powered by WPeMatico

DuckDuckGo founder Gabriel Weinberg is coming to Disrupt

2019 is the year Facebook announced a “pivot to privacy.” At the same time, Google is trying to claim that privacy means letting it exclusively store and data-mine everything you do online. So what better time to sit down with DuckDuckGo founder and CEO Gabriel Weinberg for a chat about what privacy really means.

We’re delighted to announce that Weinberg is joining us at Disrupt SF (October 2-4).

The pro-privacy search engine he founded has been on a mission to shrink the shoulder-surfing creepiness of internet searching for more than a decade, serving contextual keyword-based ads, rather than pervasively tracking users to maintain privacy-hostile profiles. (If you can’t quite believe the decade bit; here’s DDG’s startup elevator pitch — which we featured on TC all the way back in 2008.)

It’s a position that looks increasingly smart as big tech comes under sharper political and regulatory scrutiny on account of the volume of information it’s amassing. (Not to mention what it’s doing with people’s data.)

Despite competing as a self-funded underdog against the biggest tech giants around, DuckDuckGo has been profitable and gaining users at a steady clip for years. It also recently took in a chunk of VC to capitalize on what its investors see as a growing international opportunity to help internet users go about their business without being intrusively snooped on. Which makes a compelling counter narrative to the tech giants.

In more recent developments it has added a tracker blocker to its product mix — and been dabbling in policy advocacy — calling for a revival of a Do Not Track browser standard, after earlier attempts floundered with the industry, failing to reach accord.

The political climate around privacy and data protection does look to be pivoting in such a way that Do Not Track could possibly swing back into play. But if — and, yes it’s a big one — privacy ends up being a baked-in internet norm, how might a pioneer like DuckDuckGo maintain its differentiating edge?

While, on the flip side, what if tech giants end up moving in on its territory by redefining privacy in their own self-serving image? We have questions and will be searching Weinberg for answers.

There’s also the fact that many a founder would have cut and run just half a decade into pushing against the prevailing industry grain. So we’re also keen to mine his views on entrepreneurial patience, and get a better handle on what makes him tick as a person — to learn how he’s turned a passion for building people-centric, principled products into a profitable business.

Disrupt SF runs October 2 – October 4 at the Moscone Center in San Francisco. Tickets are available here.

Powered by WPeMatico

A year after outcry, carriers are finally stopping sale of location data, letters to FCC show

Reports emerged a year ago that all the major cellular carriers in the U.S. were selling location data to third-party companies, which in turn sold them to pretty much anyone willing to pay. New letters published by the FCC show that despite a year of scrutiny and anger, the carriers have only recently put an end to this practice.

We already knew that the carriers, like many large companies, simply could not be trusted. In January it was clear that promises to immediately “shut down,” “terminate” or “take steps to stop” the location-selling side business were, shall we say, on the empty side. Kind of like their assurances that these services were closely monitored — no one seems to have bothered actually checking whether the third-party resellers were obtaining the required consent before sharing location data.

Similarly, the carriers took their time shutting down the arrangements they had in place, and communication on the process has been infrequent and inadequate.

FCC Commissioner Jessica Rosenworcel has been particularly frustrated by the foot-dragging and lack of communication on this issue (by companies and the commission).

“The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” she wrote in a statement posted today.

To provide a bit of closure, she decided to publish letters (PDF) from the major carriers explaining their current positions. Fortunately it’s good news. Here’s the gist:

T-Mobile swiftly made promises last May, and in June of 2018, CEO John Legere said in a tweet that he “personally evaluated this issue,” and pledged that the company “will not sell customer location data to shady middlemen.”

That seems to have been before “T-Mobile undertook an evaluation last summer of whether to retain or restructure its location aggregator program… Ultimately, we decided to terminate it.” That phased termination took place over the next half a year, finishing only in March of 2019.

AT&T immediately suspended access to location data by the offending company, Securus, but continued providing it to others. One hopes they at least began auditing properly. Almost a year later, the company said in its letter to Commissioner Rosenworcel that “in light of the press report to which you refer… we decided in January 2019 to accelerate our phase-out of these services. As of March 29, 2019, AT&T stopped sharing any AT&T customer location data with location aggregators and LBS providers.”

Sprint said shortly after the initial reports that it was in the “process of terminating its current contracts with data aggregators to whom we provide location data.” That process sure seems to have been a long one:

As of May 31, 2019, Sprint will no longer contract with any location aggregators to provide LBS. Sprint anticipates that after May 31. 2019, it may provide LBS services directly to customers like those described above [i.e. roadside assistance], but there are no firm plans at this time.

Verizon (the parent company of TechCrunch) managed to kill its contracts with all-purpose aggregators LocationSmart and Zumigo in November of 2018… except for a specific use case through the former to provide roadside assistance services during the winter. That agreement ended in March.

It’s taken some time, but the carriers seem to have finally followed through on shutting down the programs through which they resold customer location data. All took care to mention at some point the practical and helpful use cases of such programs, but failed to detail the apparent lack of oversight with which they were conducted. The responsibility to properly vet customers and collect mobile user consent seems to have been fully ceded to the resellers, who as last year’s reports showed, did nothing of the kind.

Location data is obviously valuable to consumers and many services can and should be able to request it — from those consumers. No one is arguing otherwise. But this important data was clearly being irresponsibly handled by the carriers, and it is probably right that the location aggregation business gets a hard stop and not a band-aid. We’ll likely see new businesses and arrangements appearing soon — but you can be sure that these too will require close monitoring to make sure the carriers don’t allow them to get out of hand… again.

Powered by WPeMatico