privacy
Auto Added by WPeMatico
Auto Added by WPeMatico
Apple’s upcoming desktop and laptop operating system, macOS Big Sur, will be released on November 12, the company announced today.
MacOS Big Sur — which stays with the company’s California-themed naming scheme — will arrive with a new and refreshed user interface, new features and performance improvements.
Many of the features in iOS 14 are porting over — including improved Message threading and in-line replies and a redesigned Maps app. The new Apple software also comes with a new Control Center, with quick access to brightness, volume, Wi-Fi and Bluetooth.
Safari also gets a much-needed lick of paint. It comes with new privacy and security features, including an in-built intelligence tracking prevention that stops trackers following you across the web, and password monitoring to save you from using previously breached passwords.
If you’re wondering what macOS Big Sir is like to work on, TechCrunch’s Brian Heater took the new software for a spin in August.
MacOS Big Sur will be supported on Macs and MacBooks dating back to 2013.
Read more:
Powered by WPeMatico
Inrupt, the startup from World Wide Web founder Tim Berners-Lee, announced an enterprise version of the Solid privacy platform today, which allows large organizations and governments to build applications that put users in control of their data.
Berners-Lee has always believed that the web should be free and open, but large organizations have grown up over the last 20 years that make their money using our data. He wanted to put people back in charge of their data, and the Solid open source project, developed at MIT, was the first step in that process.
Three years ago he launched Inrupt, a startup built on top of the open source project, and hired John Bruce to run the company. The two shared the same vision of shifting data ownership without changing the way websites get developed. With Solid, developers use the same standards and methods of building sites, and these applications will work in any browser. What Solid aims to do is alter the balance of data power and redirect it to the user.
“Fast forward to today, and we’re releasing the first significant technology as the fruits of our labor, which is an enterprise version of Solid to be deployed at scale by large organizations,” Bruce explained.
The core idea behind this approach is that users control their data in online storage entities called Personal Online Data Stores or Pods for short. The enterprise version consists of Solid Server to manage the Pods, and developers can build applications using an SDK to take advantage of the Pods and access the data they need to do a particular job like pay taxes or interact with a healthcare provider. Bruce points out that the enterprise version is fully compatible with the open source Solid project specifications.
The company has been working with some major organizations prior to today’s release including the BBC and National Health Service in the UK and the Government of Flanders in Belgium as they have been working to bring this to market.
To give you a sense of how this works, the National Health Service has been building an application for patients interacting with them, who using Solid can control their health data. “Patients will be able to permit doctors, family or at-home caregivers to read certain data from their Solid Pods, and add caretaking notes or observations that doctors can then read in order to improve patient care,” the company explained.
The difference between this and more conventional web or phone apps is that it is up to the user who can access this information and the application owner has to ask the user for permission and the user has to explicitly grant it and under what conditions.
The startup launched in 2017 and has raised about $20 million so far. Bruce and Berners-Lee understand that for this to take root, it has to be easy to use, be standards-based and and have the capacity to handle massive scale. Anyone can download and use the open source version of Solid, but by having an enterprise version, it gives large organizations like the ones they have been working with the support, security and scale that these companies require.
Powered by WPeMatico
As you may already know, there’s a lot of data out there, and some of it could actually be pretty useful. But privacy and security considerations often put strict limitations on how it can be used or analyzed. DataFleets promises a new approach by which databases can be safely accessed and analyzed without the possibility of privacy breaches or abuse — and has raised a $4.5 million seed round to scale it up.
To work with data, you need to have access to it. If you’re a bank, that means transactions and accounts; if you’re a retailer, that means inventories and supply chains, and so on. There are lots of insights and actionable patterns buried in all that data, and it’s the job of data scientists and their ilk to draw them out.
But what if you can’t access the data? After all, there are many industries where it is not advised or even illegal to do so, such as in healthcare. You can’t exactly take a whole hospital’s medical records, give them to a data analysis firm, and say “sift through that and tell me if there’s anything good.” These, like many other data sets, are too private or sensitive to allow anyone unfettered access. The slightest mistake — let alone abuse — could have serious repercussions.
In recent years a few technologies have emerged that allow for something better, though: analyzing data without ever actually exposing it. It sounds impossible, but there are computational techniques for allowing data to be manipulated without the user ever actually having access to any of it. The most widely used one is called homomorphic encryption, which unfortunately produces an enormous, orders-of-magnitude reduction in efficiency — and big data is all about efficiency.
This is where DataFleets steps in. It hasn’t reinvented homomorphic encryption, but has sort of sidestepped it. It uses an approach called federated learning, where instead of bringing the data to the model, they bring the model to the data.
DataFleets integrates with both sides of a secure gap between a private database and people who want to access that data, acting as a trusted agent to shuttle information between them without ever disclosing a single byte of actual raw data.
Here’s an example. Say a pharmaceutical company wants to develop a machine-learning model that looks at a patient’s history and predicts whether they’ll have side effects with a new drug. A medical research facility’s private database of patient data is the perfect thing to train it. But access is highly restricted.
The pharma company’s analyst creates a machine-learning training program and drops it into DataFleets, which contracts with both them and the facility. DataFleets translates the model to its own proprietary runtime and distributes it to the servers where the medical data resides; within that sandboxed environment, it grows into a strapping young ML agent, which when finished is translated back into the analyst’s preferred format or platform. The analyst never sees the actual data, but has all the benefits of it.
Screenshot of the DataFleets interface. Look, it’s the applications that are meant to be exciting. Image Credits: DataFleets
It’s simple enough, right? DataFleets acts as a sort of trusted messenger between the platforms, undertaking the analysis on behalf of others and never retaining or transferring any sensitive data.
Plenty of folks are looking into federated learning; the hard part is building out the infrastructure for a wide-ranging enterprise-level service. You need to cover a huge amount of use cases and accept an enormous variety of languages, platforms and techniques, and of course do it all totally securely.
“We pride ourselves on enterprise readiness, with policy management, identity-access management, and our pending SOC 2 certification,” said DataFleets COO and co-founder Nick Elledge. “You can build anything on top of DataFleets and plug in your own tools, which banks and hospitals will tell you was not true of prior privacy software.”
But once federated learning is set up, all of a sudden the benefits are enormous. For instance, one of the big issues today in combating COVID-19 is that hospitals, health authorities, and other organizations around the world are having difficulty, despite their willingness, in securely sharing data relating to the virus.
Everyone wants to share, but who sends whom what, where is it kept, and under whose authority and liability? With old methods, it’s a confusing mess. With homomorphic encryption it’s useful but slow. With federated learning, theoretically, it’s as easy as toggling someone’s access.
Because the data never leaves its “home,” this approach is essentially anonymous and thus highly compliant with regulations like HIPAA and GDPR, another big advantage. Elledge notes: “We’re being used by leading healthcare institutions who recognize that HIPAA doesn’t give them enough protection when they are making a data set available for third parties.”
Of course there are less noble, but no less viable, examples in other industries: Wireless carriers could make subscriber metadata available without selling out individuals; banks could sell consumer data without violating anyone in particular’s privacy; bulky datasets like video can sit where they are instead of being duplicated and maintained at great expense.
The company’s $4.5 million seed round is seemingly evidence of confidence from a variety of investors (as summarized by Elledge): AME Cloud Ventures (Jerry Yang of Yahoo) and Morado Ventures, Lightspeed Venture Partners, Peterson Ventures, Mark Cuban, LG, Marty Chavez (president of the board of overseers of Harvard), Stanford-StartX fund, and three unicorn founders (Rappi, Quora and Lucid).
With only 11 full-time employees DataFleets appears to be doing a lot with very little, and the seed round should enable rapid scaling and maturation of its flagship product. “We’ve had to turn away or postpone new customer demand to focus on our work with our lighthouse customers,” Elledge said. They’ll be hiring engineers in the U.S. and Europe to help launch the planned self-service product next year.
“We’re moving from a data ownership to a data access economy, where information can be useful without transferring ownership,” said Elledge. If his company’s bet is on target, federated learning is likely to be a big part of that going forward.
Powered by WPeMatico
Zoom will begin rolling out end-to-end encryption to users of its videoconferencing platform from next week, it said today.
The platform, whose fortunes have been supercharged by the pandemic-driven boom in remote working and socializing this year, has been working on rebooting its battered reputation in the areas of security and privacy since April — after it was called out on misleading marketing claims of having E2E encryption (when it did not). E2E is now finally on its way though.
“We’re excited to announce that starting next week, Zoom’s end-to-end encryption (E2EE) offering will be available as a technical preview, which means we’re proactively soliciting feedback from users for the first 30 days,” it writes in a blog post. “Zoom users — free and paid — around the world can host up to 200 participants in an E2EE meeting on Zoom, providing increased privacy and security for your Zoom sessions.”
Zoom acquired Keybase in May, saying then that it was aiming to develop “the most broadly used enterprise end-to-end encryption offering”.
However, initially, CEO Eric Yuan said this level of encryption would be reserved for fee-paying users only. But after facing a storm of criticism the company enacted a swift U-turn — saying in June that all users would be provided with the highest level of security, regardless of whether they are paying to use its service or not.
Zoom confirmed today that Free/Basics users who want to get access to E2EE will need to participate in a one-time verification process — in which it will ask them to provide additional pieces of information, such as verifying a phone number via text message — saying it’s implementing this to try to reduce “mass creation of abusive accounts”.
“We are confident that by implementing risk-based authentication, in combination with our current mix of tools — including our work with human rights and children’s safety organizations and our users’ ability to lock down a meeting, report abuse, and a myriad of other features made available as part of our security icon — we can continue to enhance the safety of our users,” it writes.
Next week’s roll out of a technical preview is phase 1 of a four-stage process to bring E2E encryption to the platform.
This means there are some limitations — including on the features that are available in E2EE Zoom meetings (you won’t have access to join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat, and meeting reactions); and on the clients that can be used to join meetings (for phase 1 all E2EE meeting participants must join from the Zoom desktop client, mobile app, or Zoom Rooms).
The next phase of the E2EE rollout — which will include “better identity management and E2EE SSO integration”, per Zoom’s blog — is “tentatively” slated for 2021.
From next week, customers wanting to check out the technical preview must enable E2EE meetings at the account level and opt-in to E2EE on a per-meeting basis.
All meeting participants must have the E2EE setting enabled in order to join an E2EE meeting. Hosts can enable the setting for E2EE at the account, group, and user level and can be locked at the account or group level, Zoom notes in an FAQ.
The AES 256-bit GCM encryption that’s being used is the same as Zoom currently uses but here combined with public key cryptography — which means the keys are generated locally, by the meeting host, before being distributed to participants, rather than Zoom’s cloud performing the key generating role.
“Zoom’s servers become oblivious relays and never see the encryption keys required to decrypt the meeting contents,” it explains of the E2EE implementation.
If you’re wondering how you can be sure you’ve joined an E2EE Zoom meeting a dark padlock will be displayed atop the green shield icon in the upper left corner of the meeting screen. (Zoom’s standard GCM encryption shows a checkmark here.)
Meeting participants will also see the meeting leader’s security code — which they can use to verify the connection is secure. “The host can read this code out loud, and all participants can check that their clients display the same code,” Zoom notes.
Powered by WPeMatico
Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.
Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.
Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.
A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:
Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.
Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.
Powered by WPeMatico
Data protection and data privacy have gone from niche concerns to mainstream issues in the last several years, thanks to new regulations and a cascade of costly breaches that have laid bare the problems that arise when information and data security are treated haphazardly.
Yet that swing has also thrown up a whole series of issues for organisations and business functions that depend on sharing and exchanging data in order to work. Today, a startup that has built a new way of exchanging data while still keeping privacy in mind — starting first by applying the concept to the “marketing industrial complex” — is announcing a round of funding as it continues to pick up momentum.
InfoSum, a London startup that has built a way for organizations to share their data with each other without passing it on to each other — by way of a federated, decentralized architecture that uses mathematical representations to organise, “read” and query the data — is today announcing that it has raised $15.1 million.
Data may be the new oil, but according to founder and CEO Nick Halstead, that just means “it’s sticky and gets all over the place.” That is to say, InfoSum is looking for a new way to use data that is less messy, and less prone to leakage, and ultimately devaluation.
The Series A is being co-led by Upfront Ventures and IA Ventures. A number of strategics using InfoSum — Ascential, Akamai, Experian, British broadcaster ITV and AT&T’s Xandr — are also participating in the round. The startup has raised $23 million to date.
Nicholas Halstead, the founder and CEO who previously had founded and led another big data company, DataSift (the startup that gained early fame as a middleman for Twitter’s firehose of data, until Twitter called time on that relationship to push its own business strategy), said in an interview that the plan is to use the funding to continue fueling its growth, with a specific focus on the U.S. market.
To that end, Brian Lesser — the founder and former CEO of Xandr (AT&T’s adtech business that is now a part of AT&T’s WarnerMedia), and previous to that the North American CEO of GroupM — is joining the company as executive chairman. Lesser had originally led Xandr’s investment into InfoSum and had previously been on the board of the startup.
InfoSum got its start several years ago as CognitiveLogic, founded at a time when Halstead was first starting to get his head around the problems that were becoming increasingly urgent in how data was being used by companies, and how newer information architecture models using data warehousing and cloud computing could help solve that.
“I saw the opportunity for data collaboration in a more private way, helping enable companies to work together when it came to customer data,” he said. This eventually led to the company releasing its first product two years ago.
In the interim, and since then, that trend, he noted, has only gained momentum, spurred by the rise of companies like Snowflake that have disrupted the world of data warehousing, cookies have started to increasingly go out of style (and some believe will disappear altogether over time) and the concept of federated architecture has become much more ubiquitous, applied to identity management and other areas.
All of this means that InfoSum’s solution today may be aimed at martech, but it is something that affects a number of industries. Indeed, the decision to focus on marketing technology, he said, was partly because that is the industry that Halstead worked most closely with at DataSift, although the plan is to expand to other verticals as well.
“We’ve done a lot of work to change the marketing industrial complex,” said Lesser, “but its bigger use cases are in areas like finance and healthcare.”
Powered by WPeMatico
With the launch of Android 11 getting closer, Google today launched the third and final beta of its mobile operating system ahead of its general availability. Google had previously delayed the beta program by about a month because of the coronavirus pandemic.
Since Android 11 had already reached platform stability with Beta 2, most of the changes here are fixes and optimizations. As a Google spokesperson noted, “this beta is focused on helping developers put the finishing touches on their apps as they prepare for Android 11, including the official API 30 SDK and build tools for Android Studio.”
The one exception is some updates to the Exposure Notification System contact-tracing API, which users can now use without turning on device location settings. Exposure Notification is an exception here, as all other Android apps need to have location settings on (and user permission to access it) to perform the kind of Bluetooth scanning Google is using for this API.
Otherwise, there are no surprises here, given that this has already been a pretty lengthy preview cycle. Mostly, Google really wants developers to make sure their apps are ready for the new version, which includes quite a few changes.
If you are brave enough, you can get the latest beta over the air as part of the Android Beta program. It’s available for Pixel 2, 3, 3a, 4 and (soon) 4a users.
Powered by WPeMatico
One little-known home and retail automation startup might seem like an unlikely candidate to help combat the ongoing pandemic. But its founder says its technology can do just that, even if it wasn’t the company’s original plan.
Butlr, a spin-out of the MIT Media Lab, uses a mix of wireless, battery-powered hardware and artificial intelligence to track people’s movements indoors without violating their privacy. The startup uses ceiling-mounted sensors to detect individuals’ body heat to track where a person walks and where they might go next. The use cases are near-endless. The sensors can turn on mood-lighting or air conditioning when it detects movement, help businesses understand how shoppers navigate their stores, determine the wait-time in the queues at the checkout and even sound the alarm if it detects a person after-hours.
By using passive infrared sensors to detect only body heat, the sensors don’t know who you are — only where you are and where you’re heading. The tracking stops as soon as you leave the sensor’s range, like when you leave a store.
The technology is in high demand. Butlr says some 200,000 retail stores use its technology, not least because it’s far cheaper than the more privacy-invading — and expensive — alternatives, like surveillance cameras and facial recognition.
But when the pandemic hit, most of those stores closed — as effectively did entire cities and nations — to counter the ongoing threat from of COVID-19. But those stores would have to open again, and so Butlr got back to work.
Butlr’s privacy-friendly body heat sensors don’t know who you are — only where you are. Now the company is retooling its technology to help combat coronavirus. (Image: Butlr)
Butlr’s co-founder Honghao Deng told TechCrunch that it began retooling its technology to help support stores opening again.
The company quickly rolled out new software features — like maximum occupancy and queue management — to help stores with sensors already installed cope with the new but ever-changing laws and guidance that businesses had to comply with.
Deng said that the sensors can make sure no more than the allowed number of people can be in a store at once, and make sure that staff are protected from customers by helping to enforce social distancing rules. Customers can also see live queue data to help them pick a less-crowded time to shop, said Deng.
All these things before a pandemic might have sounded, frankly, a little dull. Fast-forward to the middle of a pandemic and you’re probably thankful for all the help — and the technology — you can get.
Butlr tested its new features in China at the height of the pandemic’s rise in February, and later rolled out to its global customers, including in the United States. Deng said Butlr’s technology is already helping customers at furniture store Steelcase, supermarket chain 99 Ranch Market and the Louvre Museum in Abu Dhabi to help them reopen while minimizing the risk to others.
It’s a pivot that’s paid off. Last month Butlr raised $1.2 million in seed funding, just as the pandemic was reaching its peak in the United States.
Nobody knew a pandemic was coming, not least Deng. And as the pandemic spread, businesses have suffered. If it wasn’t for quick thinking, Butlr might’ve been another startup that succumbed to the pandemic.
Instead, the startup is probably going to help save lives — and without compromising anyone’s privacy.
Powered by WPeMatico
Swiss keyboard startup Typewise has bagged a $1 million seed round to build out a typo-busting, ‘privacy-safe’ next word prediction engine designed to run entirely offline. No cloud connectivity, no data mining risk is the basic idea.
They also intend the tech to work on text inputs made on any device, be it a smartphone or desktop, a wearable, VR — or something weirder that Elon Musk might want to plug into your brain in future.
For now they’ve got a smartphone keyboard app that’s had around 250,000 downloads — with some 65,000 active users at this point.
The seed funding breaks down into $700K from more than a dozen local business angels; and $340K via the Swiss government through a mechanism (called “Innosuisse projects“), akin to a research grant, which is paying for the startup to employ machine learning experts at Zurich’s ETH research university to build out the core AI.
The team soft launched a smartphone keyboard app late last year, which includes some additional tweaks (such as an optional honeycomb layout they tout as more efficient; and the ability to edit next word predictions so the keyboard quickly groks your slang) to get users to start feeding in data to build out their AI.
Their main focus is on developing an offline next word prediction engine which could be licensed for use anywhere users are texting, not just on a mobile device.
“The goal is to develop a world-leading text prediction engine that runs completely on-device,” says co-founder David Eberle. “The smartphone keyboard really is a first use case. It’s great to test and develop our algorithms in a real-life setting with tens of thousands of users. The larger play is to bring word/sentence completion to any application that involves text entry, on mobiles or desktop (or in future also wearables/VR/Brain-Computer Interfaces).
“Currently it’s pretty much only Google working on this (see Gmail’s auto completion feature). Applications such as Microsoft Teams, Slack, Telegram, or even SAP, Oracle, Salesforce would want such productivity increase – and at that level privacy/data security matters a lot. Ultimately we envision that every “human-machine interface” is, at least on the text-input level, powered by Typewise.”
You’d be forgiven for thinking all this sounds a bit retro, given the earlier boom in smartphone AI keyboards — such as SwiftKey (now owned by Microsoft).
The founders have also pushed specific elements of their current keyboard app — such as the distinctive honeycomb layout — before, going down a crowdfunding route back in 2015, when they were calling the concept Wrio. But they reckon it’s now time to go all in — hence relaunching the business as Typewise and shooting to build a licensing business for offline next word prediction.
“We’ll use the funds to develop advanced text predictions… first launching it in the keyboard app and then bringing it to the desktop to start building partnerships with relevant software vendors,” says Eberle, noting they’re working on various enhancements to the keyboard app and also plan to spend on marketing to try to hit 1M active users next year.
“We have more ‘innovative stuff’ [incoming] on the UX side as well, e.g. interacting with auto correction (so the user can easily intervene when it does something wrong — in many countries users just turn it off on all keyboards because it gets annoying), gamifying the general typing experience (big opportunity for kids/teenagers, also making them more aware of what and how they type), etc.”
The competitive landscape around smartphone keyboard tech, largely dominated by tech giants, has left room for indie plays, is the thinking. Nor is Typewise the only startup thinking that way (Fleksy has similar ambitions, for one). However gaining traction vs such giants — and over long established typing methods — is the tricky bit.
Android maker Google has ploughed resource into its Gboard AI keyboard — larding it with features. While, on iOS, Apple’s interface for switching to a third party keyboard is infamously frustrating and finicky; the opposite of a seamless experience. Plus the native keyboard offers next word prediction baked in — and Apple has plenty of privacy credit. So why would a user bother switching is the problem there.
Competing for smartphone users’ fingers as an indie certainly isn’t easy. Alternative keyboard layouts and input mechanism are always a very tough sell as they disrupt people’s muscle memory and hit mobile users hard in their comfort and productivity zone. Unless the user is patient and/or stubborn enough to stick with a frustratingly different experience they’ll soon ditch for the keyboard devil they know. (‘Qwerty’ is an ancient typewriter layout turned typing habit we English speakers just can’t kick.)
Given all that, Typewise’s retooled focus on offline next word prediction to do white label b2b licensing makes more sense — assuming they can pull off the core tech.
And, again, they’re competing at a data disadvantage on that front vs more established tech giant keyboard players, even as they argue that’s also a market opportunity.
“Google and Microsoft (thanks to the acquisition of SwiftKey) have a solid technology in place and have started to offer text predictions outside of the keyboard; many of their competitors, however, will want to embed a proprietary (difficult to build) or independent technology, especially if their value proposition is focused on privacy/confidentiality,” Eberle argues.
“Would Telegram want to use Google’s text predictions? Would SAP want that their clients’ data goes through Microsoft’s prediction algorithms? That’s where we see our right to win: world-class text predictions that run on-device (privacy) and are made in Switzerland (independent environment, no security back doors, etc).”
Early impressions of Typewise’s next word prediction smarts (gleaned by via checking out its iOS app) are pretty low key (ha!). But it’s v1 of the AI — and Eberle talks bullishly of having “world class” developers working on it.
“The collaboration with ETH just started a few weeks ago and thus there are no significant improvements yet visible in the live app,” he tells TechCrunch. “As the collaboration runs until the end of 2021 (with the opportunity of extension) the vast majority of innovation is still to come.”
He also tells us Typewise is working with ETH’s Prof. Thomas Hofmann (chair of the Data Analytic Lab, formerly at Google), as well as having has two PhDs in NLP/ML and one MSc in ML contributing to the effort.
“We get exclusive rights to the [ETH] technology; they don’t hold equity but they get paid by the Swiss government on our behalf,” Eberle also notes.
Typewise says its smartphone app supports more than 35 languages. But its next word prediction AI can only handle English, German, French, Italian and Spanish at this point. The startup says more are being added.
Powered by WPeMatico
When Troy Hunt launched Have I Been Pwned in late 2013, he wanted it to answer a simple question: Have you fallen victim to a data breach?
Seven years later, the data-breach notification service processes thousands of requests each day from users who check to see if their data was compromised — or pwned with a hard ‘p’ — by the hundreds of data breaches in its database, including some of the largest breaches in history. As it’s grown, now sitting just below the 10 billion breached-records mark, the answer to Hunt’s original question is more clear.
“Empirically, it’s very likely,” Hunt told me from his home on Australia’s Gold Coast. “For those of us that have been on the internet for a while it’s almost a certainty.”
What started out as Hunt’s pet project to learn the basics of Microsoft’s cloud, Have I Been Pwned quickly exploded in popularity, driven in part by its simplicity to use, but largely by individuals’ curiosity.
As the service grew, Have I Been Pwned took on a more proactive security role by allowing browsers and password managers to bake in a backchannel to Have I Been Pwned to warn against using previously breached passwords in its database. It was a move that also served as a critical revenue stream to keep down the site’s running costs.
But Have I Been Pwned’s success should be attributed almost entirely to Hunt, both as its founder and its only employee, a one-man band running an unconventional startup, which, despite its size and limited resources, turns a profit.
As the workload needed to support Have I Been Pwned ballooned, Hunt said the strain of running the service without outside help began to take its toll. There was an escape plan: Hunt put the site up for sale. But, after a tumultuous year, he is back where he started.
Ahead of its next big 10-billion milestone mark, Have I Been Pwned shows no signs of slowing down.
Even long before Have I Been Pwned, Hunt was no stranger to data breaches.
By 2011, he had cultivated a reputation for collecting and dissecting small — for the time — data breaches and blogging about his findings. His detailed and methodical analyses showed time and again that internet users were using the same passwords from one site to another. So when one site was breached, hackers already had the same password to a user’s other online accounts.
Then came the Adobe breach, the “mother of all breaches” as Hunt described it at the time: Over 150 million user accounts had been stolen and were floating around the web.
Hunt obtained a copy of the data and, with a handful of other breaches he had already collected, loaded them into a database searchable by a person’s email address, which Hunt saw as the most common denominator across all the sets of breached data.
And Have I Been Pwned was born.
It didn’t take long for its database to swell. Breached data from Sony, Snapchat and Yahoo soon followed, racking up millions more records in its database. Have I Been Pwned soon became the go-to site to check if you had been breached. Morning news shows would blast out its web address, resulting in a huge spike in users — enough at times to briefly knock the site offline. Hunt has since added some of the biggest breaches in the internet’s history: MySpace, Zynga, Adult Friend Finder, and several huge spam lists.
As Have I Been Pwned grew in size and recognition, Hunt remained its sole proprietor, responsible for everything from organizing and loading the data into the database to deciding how the site should operate, including its ethics.
Hunt takes a “what do I think makes sense” approach to handling other people’s breached personal data. With nothing to compare Have I Been Pwned to, Hunt had to write the rules for how he handles and processes so much breach data, much of it highly sensitive. He does not claim to have all of the answers, but relies on transparency to explain his rationale, detailing his decisions in lengthy blog posts.
His decision to only let users search for their email address makes logical sense, driven by the site’s only mission, at the time, to tell a user if they had been breached. But it was also a decision centered around user privacy that helped to future-proof the service against some of the most sensitive and damaging data he would go on to receive.
In 2015, Hunt obtained the Ashley Madison breach. Millions of people had accounts on the site, which encourages users to have an affair. The breach made headlines, first for the breach, and again when several users died by suicide in its wake.
The hack of Ashley Madison was one of the most sensitive entered into Have I Been Pwned, and ultimately changed how Hunt approached data breaches that involved people’s sexual preferences and other personal data. (AP Photo/Lee Jin-man, File)
Hunt diverged from his usual approach, acutely aware of its sensitivities. The breach was undeniably different. He recounted a story of one person who told him how their local church posted a list of the names of everyone in the town who was in the data breach.
“It’s clearly casting a moral judgment,” he said, referring to the breach. “I don’t want Have I Been Pwned to enable that.”
Unlike earlier, less sensitive breaches, Hunt decided that he would not allow anyone to search for the data. Instead, he purpose-built a new feature allowing users who had verified their email addresses to see if they were in more sensitive breaches.
“The purposes for people being in that data breach were so much more nuanced than what anyone ever thought,” Hunt said. One user told him he was in there after a painful break-up and had since remarried but was labeled later as an adulterer. Another said she created an account to catch her husband, suspected of cheating, in the act.
“There is a point at which being publicly searchable poses an unreasonable risk to people, and I make a judgment call on that,” he explained.
The Ashely Madison breach reinforced his view on keeping as little data as possible. Hunt frequently fields emails from data breach victims asking for their data, but he declines every time.
“It really would not have served my purpose to load all of the personal data into Have I Been Pwned and let people look up their phone numbers, their sexualities, or whatever was exposed in various data breaches,” said Hunt.
“If Have I Been Pwned gets pwned, it’s just email addresses,” he said. “I don’t want that to happen, but it’s a very different situation if, say, there were passwords.”
But those remaining passwords haven’t gone to waste. Hunt also lets users search more than half a billion standalone passwords, allowing users to search to see if any of their passwords have also landed in Have I Been Pwned.
Anyone — even tech companies — can access that trove of Pwned Passwords, he calls it. Browser makers and password managers, like Mozilla and 1Password, have baked-in access to Pwned Passwords to help prevent users from using a previously breached and vulnerable password. Western governments, including the U.K. and Australia, also rely on Have I Been Pwned to monitor for breached government credentials, which Hunt also offers for free.
“It’s enormously validating,” he said. “Governments, for the most part, are trying to do things to keep countries and individuals safe — working under extreme duress and they don’t get paid much,” he said.
“There have been similar services that have popped up. They’ve been for-profit — and they’ve been indicted.”
Troy Hunt
Hunt recognizes that Have I Been Pwned, as much as openness and transparency is core to its operation, lives in an online purgatory under which any other circumstances — especially in a commercial enterprise — he would be drowning in regulatory hurdles and red tape. And while the companies whose data Hunt loads into his database would probably prefer otherwise, Hunt told me he has never received a legal threat for running the service.
“I’d like to think that Have I Been Pwned is at the far-legitimate side of things,” he said.
Others who have tried to replicate the success of Have I Been Pwned haven’t been as lucky.
“There have been similar services that have popped up,” said Hunt. “They’ve been for-profit — and they’ve been indicted,” he said.
LeakedSource was, for a time, one of the largest sellers of breach data on the web. I know, because my reporting broke some of their biggest gets: music streaming service Last.fm, adult dating site AdultFriendFinder, and Russian internet giant Rambler.ru to name a few. But what caught the attention of federal authorities was that LeakedSource, whose operator later pleaded guilty to charges related to trafficking identity theft information, indiscriminately sold access to anyone else’s breach data.
“There is a very legitimate case to be made for a service to give people access to their data at a price.”
Hunt said he would “sleep perfectly fine” charging users a fee to access their data. “I just wouldn’t want to be accountable for it if it goes wrong,” he said.
Five years into Have I Been Pwned, Hunt could feel the burnout coming.
“I could see a point where I would be if I didn’t change something,” he told me. “It really felt like for the sustainability of the project, something had to change.”
He said he went from spending a fraction of his time on the project to well over half. Aside from juggling the day-to-day — collecting, organizing, deduplicating and uploading vast troves of breached data — Hunt was responsible for the entirety of the site’s back office upkeep — its billing and taxes — on top of his own.
The plan to sell Have I Been Pwned was codenamed Project Svalbard, named after the Norweigian seed vault that Hunt likened Have I Been Pwned to, a massive stockpile of “something valuable for the betterment of humanity,” he wrote announcing the sale in June 2019. It would be no easy task.
Hunt said the sale was to secure the future of the service. It was also a decision that would have to secure his own. “They’re not buying Have I Been Pwned, they’re buying me,” said Hunt. “Without me, there’s just no deal.” In his blog post, Hunt spoke of his wish to build out the service and reach a larger audience. But, he told me, it was not about the money
As its sole custodian, Hunt said that as long as someone kept paying the bills, Have I Been Pwned would live on. “But there was no survivorship model to it,” he admitted. “I’m just one person doing this.”
By selling Have I Been Pwned, the goal was a more sustainable model that took the pressure off him, and, he joked, the site wouldn’t collapse if he got eaten by a shark, an occupational hazard for living in Australia.
But chief above all, the buyer had to be the perfect fit.
Hunt met with dozens of potential buyers, and many in Silicon Valley. He knew what the buyer would look like, but he didn’t yet have a name. Hunt wanted to ensure that whomever bought Have I Been Pwned upheld its reputation.
“Imagine a company that had no respect for personal data and was just going to abuse the crap out of it,” he said. “What does that do for me?” Some potential buyers were driven by profits. Hunt said any profits were “ancillary.” Buyers were only interested in a deal that would tie Hunt to their brand for years, buying the exclusivity to his own recognition and future work — that’s where the value in Have I Been Pwned is.
Hunt was looking for a buyer with whom he knew Have I Been Pwned would be safe if he were no longer involved. “It was always about a multiyear plan to try and transfer the confidence and trust people have in me to some other organizations,” he said.
Hunt testifies to the House Energy Subcommittee on Capitol Hill in Washington, Thursday, Nov. 30, 2017. (AP Photo/Carolyn Kaster)
The vetting process and due diligence was “insane,” said Hunt. “Things just drew out and drew out,” he said. The process went on for months. Hunt spoke candidly about the stress of the year. “I separated from my wife early last year around about the same time as the [sale process],” he said. They later divorced. “You can imagine going through this at the same time as the separation,” he said. “It was enormously stressful.”
Then, almost a year later, Hunt announced the sale was off. Barred from discussing specifics thanks to non-disclosure agreements, Hunt wrote in a blog post that the buyer, whom he was set on signing with, made an unexpected change to their business model that “made the deal infeasible.”
“It came as a surprise to everyone when it didn’t go through,” he told me. It was the end of the road.
Looking back, Hunt maintains it was “the right thing” to walk away. But the process left him back at square one without a buyer and personally down hundreds of thousands in legal fees.
After a bruising year for his future and his personal life, Hunt took time to recoup, clambering for a normal schedule after an exhausting year. Then the coronavirus hit. Australia fared lightly in the pandemic by international standards, lifting its lockdown after a brief quarantine.
Hunt said he will keep running Have I Been Pwned. It wasn’t the outcome he wanted or expected, but Hunt said he has no immediate plans for another sale. For now it’s “business as usual,” he said.
In June alone, Hunt loaded over 102 million records into Have I Been Pwned’s database. Relatively speaking, it was a quiet month.
“We’ve lost control of our data as individuals,” he said. But not even Hunt is immune. At close to 10 billion records, Hunt has been ‘pwned’ more than 20 times, he said.
Earlier this year Hunt loaded a massive trove of email addresses from a marketing database — dubbed ‘Lead Hunter’ — some 68 million records fed into Have I Been Pwned. Hunt said someone had scraped a ton of publicly available web domain record data and repurposed it as a massive spam database. But someone left that spam database on a public server, without a password, for anyone to find. Someone did, and passed the data to Hunt. Like any other breach, he took the data, loaded it in Have I Been Pwned, and sent out email notifications to the millions who have subscribed.
“Job done,” he said. “And then I got an email from Have I Been Pwned saying I’d been pwned.”
He laughed. “It still surprises me the places that I turn up.”
Related stories:
Powered by WPeMatico