privacy
Auto Added by WPeMatico
Auto Added by WPeMatico
Facebook shut down its Research and Onavo programs after TechCrunch exposed how the company paid teenagers for root access to their phones to gain market data on competitors. Now Facebook is relaunching its paid market research program, but this time with principles — namely transparency, fair compensation and safety. The goal? To find out which other competing apps and features Facebook should buy, copy or ignore.
Today Facebook releases its “Study from Facebook” app for Android only. Some adults 18+ in the U.S. and India will be recruited by ads on and off Facebook to willingly sign up to let Facebook collect extra data from them in exchange for a monthly payment. They’ll be warned that Facebook will gather which apps are on their phone, how much time they spend using those apps, the app activity names of features they use in other apps, plus their country, device and network type.

Facebook promises it won’t snoop on user IDs, passwords or any of participants’ content, including photos, videos or messages. It won’t sell participants’ info to third parties, use it to target ads or add it to their account or the behavior profiles the company keeps on each user. Yet while Facebook writes that “transparency” is a major part of “Approaching market research in a responsible way,” it refuses to tell us how much participants will be paid.
“Study from Facebook” could give the company critical insights for shaping its product roadmap. If it learns everyone is using screensharing social network Squad, maybe it will add its own screensharing feature. If it finds group video chat app Houseparty is on the decline, it might not worry about cloning that functionality. Or if it finds Snapchat’s Discover mobile TV shows are retaining users for a ton of time, it might amp up teen marketing of Facebook Watch. But it also might rile up regulators and politicians who already see it as beating back competition through acquisitions and feature cloning.
TechCrunch’s investigation from January revealed that Facebook had been quietly operating a research program codenamed Atlas that paid users ages 13 to 35 up to $20 per month in gift cards in exchange for root access to their phone so it could gather all their data for competitive analysis. That included everything the Study app grabs, but also their web browsing activity, and even encrypted information, as the app required users to install a VPN that routed all their data through Facebook. It even had the means to collect private messages and content shared — potentially including data owned by their friends.
Facebook’s Research app also abused Apple’s enterprise certificate program designed for distributing internal use-only apps to employees without the App Store or Apple’s approval. Facebook originally claimed it obeyed Apple’s rules, but Apple quickly disabled Facebook’s Research app and also shut down its enterprise certificate, temporarily breaking Facebook’s internal test builds of its public apps, as well as the shuttle times and lunch menu apps employees rely on.
In the aftermath of our investigation, Facebook shut down its Research program. It then also announced in February that it would shut down its Onavo Protect app on Android, which branded itself as a privacy app providing a free VPN instead of paying users while it collected tons of data on them. After giving users until May 9th to find a replacement VPN, the Onavo Protect was killed off.

This was an embarrassing string of events that stemmed from unprincipled user research. Now Facebook is trying to correct its course and revive its paid data collection program but with more scruples.
Unlike Onavo or Facebook Research, users can’t freely sign up for Study. They have to be recruited through ads Facebook will show on its own app and others to both 18+ Facebook users and non-users in the U.S. and India. That should keep out grifters and make sure the studies stay representative of Facebook’s user base. Eventually, Facebook plans to extend the program to other countries.
If users click through the ad, they’ll be brought to Facebook’s research operations partner Applause’s website, which clearly identifies Facebook’s involvement, unlike Facebook Research, which hid that fact until users were fully registered. There they’ll be informed how the Study app is opt-in, what data they’ll give up in exchange for what compensation and that they can opt out at any time. They’ll need to confirm their age, have a PayPal account (which are only supposed to be available to users 18 and over) and Facebook will cross-check the age to make sure it matches the person’s Facebook profile, if they have one. They won’t have to sign and NDA like with the Facebook Research program.

Anyone can download the Study from Facebook app from Google Play, but only those who’ve been approved through Applause will be able to log in and unlock the app. It will again explain what Facebook will collect, and ask for data permissions. The app will send periodic notifications to users reminding them they’re selling their data to Facebook and offering them an opt-out. Study from Facebook will use standard Google-approved APIs and won’t use a VPN, SSL bumping, root access, enterprise certificates or permission profiles you install on your device like the Research program that ruffled feathers.
Different users will be paid the same amount to their PayPal account, but Facebook wouldn’t say how much it’s dealing out, or even whether it was in the ball park of cents, dollars or hundreds of dollars per month. That seems like a stern departure from its stated principle of transparency. This matters, because Facebook earns billions in profit per quarter. It has the cash to potentially offer so much to Study participants that it effectively coerces them to give up their data; $10 to $20 per month like it was paying Research participants seems reasonable in the U.S., but that’s enough money in India to make people act against their better judgement.

The launch shows Facebook’s boldness despite the threat of antitrust regulation focusing on how it has suppressed competition through its acquisitions and copying. Democrat presidential candidates could use Study from Facebook as a talking point, noting how the company’s huge profits earned from its social network domination afford it a way to buy private user data to entrench its lead.
At 15 years old, Facebook is at risk of losing touch with what the next generation wants out of their phones. Rather than trying to guess based on their activity on its own app, it’s putting its huge wallet to work so it can pay for an edge on the competition.
Powered by WPeMatico
When people bring their own devices to work or school, they don’t want IT administrators to manage the entire device. But until now, Apple only offered two ways for IT to manage its iOS devices: either device enrollments, which offered device-wide management capabilities to admins or those same device management capabilities combined with an automated setup process. At Apple’s Worldwide Developer Conference last week, the company announced plans to introduce a third method: user enrollments.
This new MDM (mobile device management) enrollment option is meant to better balance the needs of IT to protect sensitive corporate data and manage the software and settings available to users, while at the same time allowing users’ private personal data to remain separate from IT oversight.
According to Apple, when both users’ and IT’s needs are in balance, users are more likely to accept a corporate “bring your own device” (BYOD) program — something that can ultimately save the business money that doesn’t have to be invested in hardware purchases.
The new user enrollments option for MDM has three components: a managed Apple ID that sits alongside the personal ID; cryptographic separation of personal and work data; and a limited set of device-wide management capabilities for IT.
The managed Apple ID will be the user’s work identity on the device, and is created by the admin in either Apple School Manager or Apple Business Manager — depending on whether this is for a school or a business. The user signs into the managed Apple ID during the enrollment process.
From that point forward until the enrollment ends, the company’s managed apps and accounts will use the managed Apple ID’s iCloud account.
Meanwhile, the user’s personal apps and accounts will use the personal Apple ID’s iCloud account, if one is signed into the device.
Third-party apps are then either used in managed or unmanaged modes.
That means users won’t be able to change modes or run the apps in both modes at the same time. However, some of the built-in apps like Notes will be account-based, meaning the app will use the appropriate Apple ID — either the managed one or personal — depending on which account they’re operating on at the time.
To separate work data from personal, iOS will create a managed APFS volume at the time of the enrollment. The volume uses separate cryptographic keys which are destroyed along with the volume itself when the enrollment period ends. (iOS had always removed the managed data when the enrollment ends, but this is a cryptographic backstop just in case anything were to go wrong during unenrollment, the company explained.)
The managed volume will host the local data stored by any managed third-party apps along with the managed data from the Notes app. It also will house a managed keychain that stores secure items like passwords and certificates; the authentication credentials for managed accounts; and mail attachments and full email bodies.
The system volume does host a central database for mail, including some metadata and five line previews, but this is removed as well when the enrollment ends.
Users’ personal apps and their data can’t be managed by the IT admin, so they’re never at risk of having their data read or erased.
And unlike device enrollments, user enrollments don’t provide a UDID or any other persistent identifier to the admin. Instead, it creates a new identifier called the “enrollment ID.” This identifier is used in communication with the MDM server for all communications and is destroyed when enrollment ends.
Apple also noted that one of the big reasons users fear corporate BYOD programs is because they think the IT admin will erase their entire device when the enrollment ends — including their personal apps and data.
To address this concern, the MDM queries can only return the managed results.
In practice, that means IT can’t even find out what personal apps are installed on the device — something that can feel like an invasion of privacy to end users. (This feature will be offered for device enrollments, too.) And because IT doesn’t know which personal apps are installed, it also can’t restrict certain apps’ use.
User enrollments will also not support the “erase device” command — and they don’t have to, because IT will know the sensitive data and emails are gone. There’s no need for a full device wipe.
Similarly, the Exchange Server can’t send its remote wipe command — just the account-only remote wipe to remove the managed data.
Another new feature related to user enrollments is how traffic for managed accounts is guided through the corporate VPN. Using the per-app VPN feature, traffic from the Mail, Contacts and Calendars built-in apps will only go through the VPN if the domains match that of the business. For example, mail.acme.com can pass through the VPN, but not mail.aol.com. In other words, the user’s personal mail remains private.
This addresses what has been an ongoing concern about how some MDM solutions operate — routing traffic through a corporate proxy meant the business could see the employees’ personal emails, social networking accounts and other private information.
User enrollments also only enforces a six-digit non-simple passcode, as the MDM server can’t help users by clearing the past code if the user forgets it.
Some today advise users to not accept BYOD MDM policies because of the impact to personal privacy. While a business has every right to manage and wipe its own apps and data, IT has overstepped with some of its remote management capabilities — including its ability to erase entire devices, access personal data, track a phone’s location, restrict personal use of apps and more.
Apple’s MDM policies haven’t included GPS tracking, however, nor does this new option.
Apple’s new policy is a step toward a better balance of concerns, but will require that users understand the nuances of these more technical details — which they may not.
That user education will come down to the businesses that insist on these MDM policies to begin with — they will need to establish their own documentation, explainers, and establish new privacy policies with their employees that detail what sort of data they can and cannot access, as well as what sort of control they have over corporate devices.
Powered by WPeMatico
It takes a lot of trust to allow a company to come in and install a mystery box on their network to monitor for threats. It’s like inviting in a security guard to sit in your living room to make sure nobody breaks in.
Yet that’s exactly what Darktrace does. (The box, not the security guard.)
The Cambridge U.K.-founded company, now with a second headquarters in San Francisco, assumes that any network can be breached. Instead of looking at the perimeter of a network, Darktrace uses artificial intelligence (AI) and machine learning to scan and identify security weaknesses and malicious traffic inside a company’s network.
Traditional network monitoring typically uses signature-based threat detection of matching against known malicious files, but can be easily modified to evade detection. Instead, Darktrace builds up a profile of the network to understand what the baseline “normal” looks like so it can spot and identify potential issues, like large amounts of data exfiltration or suspect devices.
But how do you win over those who see a sea of meaningless buzzwords? How can you differentiate between the smoke and mirrors and the real deal?
“No one wants the black box making decisions without them knowing what it’s doing,” said Nicole Eagan, Darktrace’s co-founder and chief executive, in a call with TechCrunch.
“So, let them have visibility,” she said.
Darktrace’s founders have roots in the U.K. and U.S. intelligence, where they took what they knew of the cybersecurity threats to the private sector to where the new battleground opened up. In the past half-decade of its existence, the company has gained major clients on its roster — from telcos to banks, tech giants and car makers — supported by 900 staff in over 40 offices around the world.
About a quarter of its customers are in financial services, said Eagan. But it takes a lot for the heavily regulated companies to trust a mystery device on a company’s network where the data and security, like financial services, is highly regulated.
Powered by WPeMatico
One of the bigger security announcements from Apple’s Worldwide Developer Conference this week is Apple’s new requirement that app developers must implement the company’s new single sign-on solution, Sign In with Apple, wherever they already offer another third-party sign-on system.
Apple’s decision to require its button in those scenarios is considered risky — especially at a time when the company is in the crosshairs of the U.S. Department of Justice over antitrust concerns. Apple’s position on the matter is that it wants to give its customers a more private choice.
From a security perspective, Apple offers a better option for both users and developers alike compared with other social login systems which, in the past, have been afflicted by massive security and privacy breaches.
Apple’s system also ships with features that benefit iOS app developers — like built-in two-factor authentication support, anti-fraud detection and the ability to offer a one-touch, frictionless means of entry into their app, among other things.
For consumers, they get the same fast sign-up and login as with other services, but with the knowledge that the apps aren’t sharing their information with an entity they don’t trust.
Consumers can also choose whether or not to share their email with the app developer.

If customers decide not to share their real email, Apple will generate a random — but real and verified — email address for the app in question to use, then will route the emails the app wants to send to that address. The user can choose to disable this app email address at any time like — like if they begin to get spam, for example.
The ability to create disposable emails is not new — you can add pluses (+) or dots (.) in your Gmail address, for example, to set up filters to delete emails from addresses that become compromised. Other email providers offer similar features.
However, this is the first time a major technology company has allowed customers to not only create these private email addresses for sign-ins to apps, but to also disable those addresses at any time if they want to stop receiving emails at them.
Despite the advantages to the system, the news left many wondering how the new Sign In with Apple button would work, in practice, at a more detailed level. We’ve tried to answer some of the more burning and common questions. There are likely many more questions that won’t be answered until the system goes live for developers and Apple updates its App Review Guidelines, which are its hard-and-fast rules for apps that decide entry into the App Store.

1) What information does the app developer receive when a user chooses Sign In with Apple?
The developer only receives the user’s name associated with their Apple ID, the user’s verified email address — or the random email address that routes email to their inbox, while protecting their privacy — and a unique stable identifier that allows them to set up the user’s account in their system.
Unlike Facebook, which has a treasure trove of personal information to share with apps, there are no other permissions settings or dialog boxes with Apple’s sign in that will confront the user with having to choose what information the app can access. (Apple would have nothing more to share, anyway, as it doesn’t collect user data like birthday, hometown, Facebook Likes or a friend list, among other things.)
2) Do I have to sign up again with the app when I get a new iPhone or switch over to use the app on my iPad?
No. For the end user, the Sign In with Apple option is as fast as using the Facebook or Google alternative. It’s just a tap to get into the app, even when moving between Apple devices.
3) Does Sign In with Apple work on my Apple Watch? Apple TV? Mac?
Sign In with Apple works across all Apple devices — iOS/iPadOS devices (iPhone, iPad and iPod touch), Mac, Apple TV and Apple Watch.
4) But what about Android? What about web apps? I use my apps everywhere!
There’s a solution, but it’s not quite as seamless.
If a user signs up for an app on their Apple device — like, say, their iPad — then wants to use the app on a non-Apple device, like their Android phone, they’re sent over to a web view.
Here, they’ll see a Sign In with Apple login screen where they’ll enter their Apple ID and password to complete the sign in. This would also be the case for web apps that need to offer the Sign In with Apple login option.
This option is called Sign In with Apple JS as it’s JavaScript-based.
(Apple does not offer a native SDK for Android developers, and honestly, it’s not likely to do so any time soon.)
5) What happens if you tap Sign In with Apple, but you forgot you already signed up for that app with your email address?
Sign In with Apple integrates with iCloud Keychain so if you already have an account with the app, the app will alert you to this and ask if you want to log in with your existing email instead. The app will check for this by domain (e.g. Uber), not by trying to match the email address associated with your Apple ID — which could be different from the email used to sign up for the account.
6) If I let Apple make up a random email address for me, does Apple now have the ability to read my email?
No. For those who want a randomized email address, Apple offers a private email relay service. That means it’s only routing emails to your personal inbox. It’s not hosting them.
Developers must register with Apple which email domains they’ll use to contact their customers and can only register up to 10 domains and communication emails.
7) How does Sign In with Apple offer two-factor authentication?
On Apple devices, users authenticate with either Touch ID or Face ID for a second layer of protection beyond the username/password combination.
On non-Apple devices, Apple sends a six-digit code to a trusted device or phone number.
8) How does Sign In with Apple prove I’m not a bot?
App developers get access to Apple’s robust anti-fraud technology to identify which users are real and which may not be real. This is tech it has built up over the years for its own services, like iTunes.
The system uses on-device machine learning and other information to generate a signal for developers when a user is verified as being “real.” This is a simple bit that’s either set to yes or no, so to speak.
But a “no” doesn’t mean the user is a definitely a bot — they could just be a new user on a new device. However, the developer can take this signal into consideration when providing access to features in their apps or when running their own additional anti-fraud detection measures, for example.

9) When does an app have to offer Sign In with Apple?
Apple is requiring that its button is offered whenever another third-party sign-in option is offered, like Facebook’s login or Google. Note that Apple is not saying “social” login though. It’s saying “third-party,” which is more encompassing.
This requirement is what’s shocking people as it seems heavy-handed.
But Apple believes customers deserve a private choice, which is why it’s making its sign-in required when other third-party options are provided.
But developers don’t have to use Sign In with Apple. They can opt to just use their own direct login instead. (Or they can offer a direct login and Sign In with Apple, if they want.)
10) Do the apps only have to offer Sign In with Apple if they offer Google and/or Facebook login options, or does a Twitter, Instagram or Snapchat sign-in button count, too?
Apple hasn’t specified this is only for apps with Facebook or Google logins, or even “social” logins. Just any third-party sign-in system. Although Facebook and Google are obviously the biggest providers of third-party sign-in services to apps, other companies, including Twitter, Instagram and Snapchat, have been developing their own sign-in options, as well.
As third-party providers, they too would fall under this new developer requirement.

11) Does the app have to put the Sign In with Apple button on top of the other options or else get rejected from the App Store?
Apple is suggesting its button be prominent.
The company so far has only provided design guidelines to app developers. The App Store guidelines, which dictate the rules around App Store rejections, won’t be updated until this fall.
And it’s the design guidelines that say the Apple button should be on the top of a stack of other third-party sign-in buttons, as recently reported.
The design guidelines also say that the button must be the same size or larger than competitors’ buttons, and users shouldn’t have to scroll to see the Apple button.
But to be clear, these are Apple’s suggested design patterns, not requirements. The company doesn’t make its design suggestions law because it knows that developers do need a degree of flexibility when it comes to their own apps and how to provide their own users with the best experience.
12) If the app only has users signing up with their phone number or just their email, does it also have to offer the Apple button?
Not at this time, but developers can add the option if they want.
13) After you sign in using Apple, will the app still make you confirm your email address by clicking a link they send you?
Nope. Apple is verifying you, so you don’t have to do that anymore.
14) What if the app developer needs you to sign in with Google, because they’re providing some sort of app that works with Google’s services, like Google Drive or Docs, for example?
This user experience would not be great. If you signed in with Apple’s login, you’d then have to do a second authentication with Google once in the app.
It’s unclear at this time how Apple will handle these situations, as the company hasn’t offered any sort of exception list to its requirement, nor any way for app developers to request exceptions. The company didn’t give us an answer when we asked directly.
It may be one of those cases where this is handled privately with specific developers, without announcing anything publicly. Or it may not make any exceptions at all, ever. And if regulators took issue with Apple’s requirement, things could change as well. Time will tell.
15) What if I currently sign in with Facebook, but want to switch to Sign In with Apple?
Apple isn’t providing a direct way for customers to switch for themselves from Facebook or another sign-in option to Apple ID. It instead leaves migration up to developers. The company’s stance is that developers can and should always offer a way for users to stop using their social login, if they choose.
In the past, developers could offer users a way to sign in only with their email instead of the third-party login. This is helpful particularly in those cases where users are deleting their Facebook accounts, for example, or removing apps’ ability to access their Facebook information.
Once Apple ID launches, developers will be able to offer customers a way to switch from a third-party login to Sign In with Apple ID in a similar way.
Do you have more questions you wish Apple would answer? Email me at sarahp@techcrunch.com
Powered by WPeMatico
If you ask Eugenio Pace to describe himself, “engineer” would be fairly high on the list.
“Being a CEO is pretty busy,” he told TechCrunch in a call last week. “But I’m an engineer in my heart — I am a problem solver,” he said.
Pace, an Argentinan immigrant to the U.S., founded identity management company Auth0 in 2013 after more than a decade at Microsoft. Auth0, pronounced “auth-zero,” has been described as like Stripe for payments or Twilio for messaging. App developers can add a few lines of code and it immediately gives their users access to the company’s identity management service.
That means the user can securely log in to the app without building a homebrew username and password system that’s invariably going to break. Any enterprise paying for Auth0 can also use its service to securely logon to the company’s internal network.
“Nobody cares about authentication, but everybody needs it,” he said.
Pace said Auth0 works to answer two simple questions. “Who are you, and what can you do?” he said.
“Those two questions are the same regardless of the device, the app, or whether if I’m an employee of somebody or if I am an individual using an app, or if I am using a device where there’s no human attached to it,” he said.
Whoever the users are, the app needs to know if the person using the app or service is allowed to, and what level of access or functionality they can get. “Can you transfer these funds?,” he said. “Can you approve these expense reports? Can you open the door of my house?” he explained.
Pace left Microsoft in 2012 and founded Auth0 during the emergence of Azure, which transformed Microsoft from a software giant into a cloud company. It was at Microsoft where he found identity management was one of the biggest headaches for developers moving their apps to the cloud. He wrote book after book, and edition after edition. “I felt like I could keep writing books about the problem — or I can just solve the problem,” he said.
So he did.
Instead of teaching developers how to become experts in identity management, he wanted to give them the tools to employ a sign-on solution without ever having to read a book.
Powered by WPeMatico
Sharing with everyone is passé and more than a little bit scary these days. We want to send photos to friends without posting them publicly. We want to reminisce without being permanently defined by our timelines. And we want the utility of apps without giving away our contact info to developers.
The problem is that this philosophy is hard to monetize for a social network that needs to maximize broadcasted content and engagement to score ad views. But it’s easy to monetize if you sell the phone and then let people be as private as they want on it. That’s why today at WWDC, Apple showed off changes that turn iOS into the asocial network — software that mimics the tools of Facebook but without the pressure to overshare.
Most stunningly, Apple will require apps that offer third-party login options like those from Facebook and Google to integrate its new Sign In With Apple feature that lets users hide their email addresses from developers. It’s a power move that makes Facebook look wreckless with your contact info by comparison.
Privacy has been a core Apple talking point for years, from the iPhone’s secure enclave and FaceID to message encryption to protection against tracking. But those safeguards have been focused on getting out of the way to let Apple’s products to ‘just work’. Increasingly, Apple is moving privacy further forward in the user experience to highlight how you can get more out of sharing less. That’s a wise strategy since the company has proven its inability to build full scale social networks out of Ping, Apple Music Connect, and iMessage.
“At Apple, we believe privacy is a fundamental human right and we engineer it into every single thing we do” said Apple SVP Craig Federighi . Mark Zuckerberg declared “The future is private” at Facebook’s F8 conference a month ago, but proved it wasn’t his company’s past or present by failing to launch products that protect users. Now like Google did at I/O a few weeks ago with a slew of privacy tech launches, Apple is actually living up to its talking points with today’s beta release of iOS 13.
Photo Message Recommendations – When you bring up the Share Sheet for a photo or video in iOS 13, Apple will recommend people to send it to over iMessage or Mail based on who you frequently share with and if friends appear in the content. With a few taps you can privately deliver your imagery to a slew of your closest friends and favorite group chats, which could eliminate the need to post it more widely on Facebook or Instagram.

Asocial Media Tools – Instagram offers no way to download a photo or video you edit without first posting it to the feed first. That greedy growth hack leaves room for Apple to usurp more of the creative process. iOS 13 will let you edit videos for lighting, color, contrast, and more plus rotate clips you accidentally shot sideways — all which Instagram and Facebook can’t do. Forgoing the social network side lets Apple focus on tools that you’re free to use however you want.
And with the new Photo Day feature, Apple automatically hides and emphasizes different photos from each day to create magazine-style layouts. These ignite nostalgia and create a visual diary without the embarassment of all that content being on social media to power those TimeHop and Facebook On This Day features.

Memoji – To date, Apple’s interest in animated avatar masks that look like you has centered around FaceTime and video messages. But now it’s realizing how these virtual mini-me’s can enhance privacy while connecting more deeply. iOS 13 will let you opt to share your name and Memoji (or a real photo) as your message thread thumbnail in iMessage so new conversation partners like group chat friends-of-friends can better identify you without showing strangers your actual face. And Memoji can now be used as pre-generated stickers in chat, making it a direct competitor to Snapchat’s Bitmoji and Facebook’s Avatars that just launched today.

AirPods Audio Sharing – What if instead of trumpeting what you’re listening to on social media or fumbling to text a song link to a friend, they could just instantly pipe the sound into their headphones too so you’re rocking out in sync? That’s how the upcoming AirPods Audio Sharing works to let you exchange music privately over Bluetooth without exposing your guilty pleasure jams.

Apple’s most brazen attack saw it call out the social network by name on screen at WWDC. Flashing logos for “Sign In With Facebook” and “Sign In With Google” that are popular for joining new apps without setting up an account, Federighi noted that “This can be convenient, but it also can come at the cost of your privacy. Your personal information sometimes gets shared behind the scenes. These logins can be used to track you.”

As an alternative, Apple is launching “Sign In With Apple”. It uses FaceID in lieu of asking you to create a new username and password to register for a third-party app. Federighi told users they can opt to hide their email addresses from app developers and instead have Apple provide a randomized proxy address that forwards to their real one. That means users can permanently block spam messages from the app, prevent the developer from sharing or selling their contact info, and avoid being targeted with marketing via their email address as with Facebook Custom Audience ads.
The announcement drew the loudest cheers of any at WWDC. And it seems Apple is determined to wring as much competitive advantage out of its Sign In feature as possible. You might imagine that adoption by developers would be outside of Apple’s control, and it’d have to prove it drove more lifetime value than login options that always provide a user’s real email.
But while Apple failed to mention this on stage, the fine print of its developer news brief notes that “Sign In with Apple will be available for beta testing this summer. It will be required as an option for users in apps that support third-party sign-in when it is commercially available later this year.”

Sure, developers want to maximize signups by minimizing onboarding friction, which is why Sign In With features that don’t make you remember more passwords have grown popular. Adding the Apple sign-in option should theoretically help. But developers also rely on sucking in email addresses to wake up lapsed users with message blasts, target them and people similar to them with reengagement or install ads, and exclude existing users to save money when buying ads to recruit new users.
If developers fear Sign In With Apple’s proxy email address feature will hurt them by cannibalizing registrations made with Facebook or Google that don’t offer users a way to hide their real contact info more than the convenience of a third sign-in option will help, they may try their best to bury or minimize the mandatory feature. Apple might have to incentivize growth for developers in other ways, such as heavily promoting them in the App Store if they prioritize its login option to offset the lifetime value per user decline from the loss of contact info. Unless compelled by some moral imperative, developers aren’t likely to risk their business any more than they have to in the name of privacy.

It’s here that Apple will learn that taking the high road can have its speed bumps. It might monetize selling hardware, but its developer partners often still rely on constantly grabbing our attention.
Privacy is often an abstract concept to the mainstream consumer, that doesn’t dictate their decisions, judging by Facebook’s continued user growth. That’s why promotional campaigns around the philosophy of privacy can seem to have little impact. But by building products and platforms that are objectively more useful yet more privacy-friendly than those of competitors, Apple can allow natural market forces to sweep users in the right direction — which just happens to lead into its shiny retail stores.
Powered by WPeMatico
Marcin Kleczynski is a shining example of the American dream.
A Polish-born immigrant turned naturalized citizen, Kleczynski grew up in the Chicago suburbs spending much of his time on computers and the early days of the world wide web. He couldn’t afford to buy computer games; instead, he downloaded them from the internet — and usually malware along with it. Frustrated that his computer’s anti-malware didn’t prevent the infection, he took to seeking help from security message boards to troubleshoot and remove the malware by hand.
That’s where Kleczynski thought he could do better, and so he founded Malwarebytes .
In early 2008, his company’s first anti-malware product was released. To no surprise, the very people on the message boards who helped Kleczynski recover his computer were the same championing his debut software. So much so that Kleczynski hired one of the people from the message board who helped him rid the malware from his computer as one of his first employees. Within months, Malwarebytes was turning over a couple of hundred thousand dollars, Kleczynski told TechCrunch.
By August came the question of whether he would run his company or go to university.
“After about a 15-second conversation with my mother, she quickly informed me that I would be attending university,” he said.
And so he did both.
Fast-forward to today, the company is a multi-million dollar anti-malware giant serving 150 million consumer customers and 50,000 paying small to medium-sized business and enterprise customers from its five offices — two in the U.S., as well as Estonia, Ireland and Singapore.
Powered by WPeMatico
For a cybersecurity company, Bugcrowd relies much more on people than it does on technology.
For as long as humans are writing software, developers and programmers are going to make mistakes, said Casey Ellis, the company’s founder and chief technology officer in an interview TechCrunch from his San Francisco headquarters.
“Cybersecurity is fundamentally a people problem,” he said. “Humans are actually the root of the problem,” he said. And when humans made coding mistakes that turn into bugs or vulnerabilities that be exploited, that’s where Bugcrowd comes in — by trying to mitigate the fallout before they can be maliciously exploited.
Founded in 2011, Bugcrowd is one of the largest bug bounty and vulnerability disclosure companies on the internet today. The company relies on bug finders, hackers, and security researchers to find and privately report security flaws that could damage systems or putting user data at risk.
Bugcrowd acts as an intermediary by passing the bug to the companies to get fixed — potentially helping them to dodge a future security headache like a leak or a breach — in return for payout to the finder.
The greater the vulnerability, the higher the payout.
“The space we’re in is brokering conversations between different groups of people that don’t necessarily have a good history of getting along but desperately need to talk to each other,” said Ellis.
Powered by WPeMatico
2019 is the year Facebook announced a “pivot to privacy.” At the same time, Google is trying to claim that privacy means letting it exclusively store and data-mine everything you do online. So what better time to sit down with DuckDuckGo founder and CEO Gabriel Weinberg for a chat about what privacy really means.
We’re delighted to announce that Weinberg is joining us at Disrupt SF (October 2-4).
The pro-privacy search engine he founded has been on a mission to shrink the shoulder-surfing creepiness of internet searching for more than a decade, serving contextual keyword-based ads, rather than pervasively tracking users to maintain privacy-hostile profiles. (If you can’t quite believe the decade bit; here’s DDG’s startup elevator pitch — which we featured on TC all the way back in 2008.)
It’s a position that looks increasingly smart as big tech comes under sharper political and regulatory scrutiny on account of the volume of information it’s amassing. (Not to mention what it’s doing with people’s data.)
Despite competing as a self-funded underdog against the biggest tech giants around, DuckDuckGo has been profitable and gaining users at a steady clip for years. It also recently took in a chunk of VC to capitalize on what its investors see as a growing international opportunity to help internet users go about their business without being intrusively snooped on. Which makes a compelling counter narrative to the tech giants.
In more recent developments it has added a tracker blocker to its product mix — and been dabbling in policy advocacy — calling for a revival of a Do Not Track browser standard, after earlier attempts floundered with the industry, failing to reach accord.
The political climate around privacy and data protection does look to be pivoting in such a way that Do Not Track could possibly swing back into play. But if — and, yes it’s a big one — privacy ends up being a baked-in internet norm, how might a pioneer like DuckDuckGo maintain its differentiating edge?
While, on the flip side, what if tech giants end up moving in on its territory by redefining privacy in their own self-serving image? We have questions and will be searching Weinberg for answers.
There’s also the fact that many a founder would have cut and run just half a decade into pushing against the prevailing industry grain. So we’re also keen to mine his views on entrepreneurial patience, and get a better handle on what makes him tick as a person — to learn how he’s turned a passion for building people-centric, principled products into a profitable business.
Disrupt SF runs October 2 – October 4 at the Moscone Center in San Francisco. Tickets are available here.
Powered by WPeMatico
Reports emerged a year ago that all the major cellular carriers in the U.S. were selling location data to third-party companies, which in turn sold them to pretty much anyone willing to pay. New letters published by the FCC show that despite a year of scrutiny and anger, the carriers have only recently put an end to this practice.
We already knew that the carriers, like many large companies, simply could not be trusted. In January it was clear that promises to immediately “shut down,” “terminate” or “take steps to stop” the location-selling side business were, shall we say, on the empty side. Kind of like their assurances that these services were closely monitored — no one seems to have bothered actually checking whether the third-party resellers were obtaining the required consent before sharing location data.
Similarly, the carriers took their time shutting down the arrangements they had in place, and communication on the process has been infrequent and inadequate.
FCC Commissioner Jessica Rosenworcel has been particularly frustrated by the foot-dragging and lack of communication on this issue (by companies and the commission).
“The FCC has been totally silent about press reports that for a few hundred dollars shady middlemen can sell your location within a few hundred meters based on your wireless phone data. That’s unacceptable,” she wrote in a statement posted today.
To provide a bit of closure, she decided to publish letters (PDF) from the major carriers explaining their current positions. Fortunately it’s good news. Here’s the gist:
T-Mobile swiftly made promises last May, and in June of 2018, CEO John Legere said in a tweet that he “personally evaluated this issue,” and pledged that the company “will not sell customer location data to shady middlemen.”
That seems to have been before “T-Mobile undertook an evaluation last summer of whether to retain or restructure its location aggregator program… Ultimately, we decided to terminate it.” That phased termination took place over the next half a year, finishing only in March of 2019.
AT&T immediately suspended access to location data by the offending company, Securus, but continued providing it to others. One hopes they at least began auditing properly. Almost a year later, the company said in its letter to Commissioner Rosenworcel that “in light of the press report to which you refer… we decided in January 2019 to accelerate our phase-out of these services. As of March 29, 2019, AT&T stopped sharing any AT&T customer location data with location aggregators and LBS providers.”
Sprint said shortly after the initial reports that it was in the “process of terminating its current contracts with data aggregators to whom we provide location data.” That process sure seems to have been a long one:
As of May 31, 2019, Sprint will no longer contract with any location aggregators to provide LBS. Sprint anticipates that after May 31. 2019, it may provide LBS services directly to customers like those described above [i.e. roadside assistance], but there are no firm plans at this time.
Verizon (the parent company of TechCrunch) managed to kill its contracts with all-purpose aggregators LocationSmart and Zumigo in November of 2018… except for a specific use case through the former to provide roadside assistance services during the winter. That agreement ended in March.
It’s taken some time, but the carriers seem to have finally followed through on shutting down the programs through which they resold customer location data. All took care to mention at some point the practical and helpful use cases of such programs, but failed to detail the apparent lack of oversight with which they were conducted. The responsibility to properly vet customers and collect mobile user consent seems to have been fully ceded to the resellers, who as last year’s reports showed, did nothing of the kind.
Location data is obviously valuable to consumers and many services can and should be able to request it — from those consumers. No one is arguing otherwise. But this important data was clearly being irresponsibly handled by the carriers, and it is probably right that the location aggregation business gets a hard stop and not a band-aid. We’ll likely see new businesses and arrangements appearing soon — but you can be sure that these too will require close monitoring to make sure the carriers don’t allow them to get out of hand… again.
Powered by WPeMatico