privacy
Auto Added by WPeMatico
Auto Added by WPeMatico
Ransomware is getting sneakier and smarter.
The latest example comes from ExecuPharm, a little-known but major outsourced pharmaceutical company that confirmed it was hit by a new type of ransomware last month. The incursion not only encrypted the company’s network and files, hackers also exfiltrated vast amounts of data from the network. The company was handed a two-for-one threat: pay the ransom and get your files back or don’t pay and the hackers will post the files to the internet.
This new tactic is shifting how organizations think of ransomware attacks: it’s no longer just a data-recovery mission; it’s also now a data breach. Now companies are torn between taking the FBI’s advice of not paying the ransom or the fear their intellectual property (or other sensitive internal files) are published online.
Because millions are now working from home, the surface area for attackers to get in is far greater than it was, making the threat of ransomware higher than ever before.
That’s just one of the stories from the week. Here’s what else you need to know.
Education giant Chegg confirmed its third data breach in as many years. The latest break-in affected past and present staff after a hacker made off with 700 names and Social Security numbers. It’s a drop in the ocean when compared to the 40 million records stolen in 2018 and an undisclosed number of passwords taken in a breach at Thinkful, which Chegg had just acquired in 2019.
Those 700 names account for about half of its 1,400 full-time employees, per a filing with the Securities and Exchange Commission. But Chegg’s refusal to disclose further details about the breach — beyond a state-mandated notice to the California attorney general’s office — makes it tough to know exactly went wrong this time.
Powered by WPeMatico
The makers of the world’s most ethical smartphone, the Fairphone 3, have teamed up for a version of the device with even less big tech on board.
The Netherlands-based device maker has partnered with France’s /e/OS to offer a “de-Googled” version of its latest handset, running an Android AOSP fork out of the box that’s itself built atop a fork of CyanogenMod (remember them?) — called LineageOS (via Engadget).
“The deGoogled Fairphone 3 is most likely the first privacy conscious and sustainable phone,” runs the blurb on /e/OS’ website. “It combines a phone that cares for people and planet and an OS and apps that care for your privacy.”
A pithy explainer of its “privacy by design ecosystem” — and the point of “Android without Google” — further notes: “We have removed many pieces of code that send your personal data to remote servers without your consent. We don’t scan your data in your phone or in your cloud space, and we don’t track your location a hundred times a day or collect what you’re doing with your apps.”
When the Fairphone 3 launched last September it came with Android 9 preloaded. But the company touted a post-launch update that would make it easy for buyers to wipe Google services off their slate and install the Android Open Source Project, which it recommended for advanced users.
The new /e/OS flavor offers a third OS option.
Per Engadget, Fairphone said it polled members of its community asking which alternative OS to offer and /e/OS got more votes than a number of others. The company also highlighted /e/OS’ privacy by design as a factor in the choice, lauding how it shuts down “unwanted data flows,” meaning users have more control over what their phone is doing.
The e/OS flavor of the Fairphone 3 ships from May 6, priced at just under €480 — a €30 premium on the Googley flavor of Android you get on the standard Fairphone 3.
Existing owners of Fairphone’s third-gen handset can manually install /e/OS gratis via an installer on its website.
When the Fairphone 3 launched last year the company told us only around 5% of Fairphone users opt to go full open source — which suggests the /e/OS Fairphone 3 will be a niche choice for even these discerning buyers.
Powered by WPeMatico
Prompted by Jeff Bezos’s plans to test all Amazon employees for the virus that causes COVID-19, we wondered whether employers can mandate employee testing, regardless of symptoms. The issue pits public safety against personal privacy, but limited testing availability has rendered the question somewhat moot.
But as the World Health Organization and U.S. Centers for Disease Control and Prevention have noted, asymptomatic COVID-19 carriers can spread the virus without realizing they’re infected. To learn more about workers’ rights in this arena, we spoke to Tricia Bozyk Sherno, counsel at Debevoise & Plimpton, who focuses on employment and general commercial litigation.
The answer, for now, is not entirely straightforward, though updates from the U.S. Equal Employment Opportunity Commission could make the situation clearer going forward as more tests are made available and state governments begin pushing to reopen businesses.
Sherno offered a fair amount of insight into the EEOC’s updated guidance and made some predictions about how things may look for both employers and workers going forward.
TechCrunch: Prior to the COVID-19 pandemic, what sorts of laws governed an employer’s ability to test employees for infectious diseases?
Tricia Bozyk Sherno: Covered employers (employers with 15 or more employees) must comply with the requirements of the Americans with Disabilities Act (ADA), which limits an employer’s ability to make disability-related inquiries or require medical examinations. (Note that certain states may also have similar statutes in place.) Generally, disability-related inquiries and medical examinations are prohibited by the ADA except in limited circumstances. A “medical examination” is a procedure or test that seeks information about an individual’s physical or mental impairments or health — so infectious disease testing would fall into this category.
Powered by WPeMatico
For better or worse, digital identity management services — the process of identifying and authenticating users on networks to access services — has become a ubiquitous part of interacting on the internet, all the more so in the recent weeks as we have been asked to carry out increasingly more of our lives online.
Used correctly, they help ensure that it’s really you logging into your online banking service; used badly, you feel like you can’t innocently watch something silly on YouTube without being watched yourself. Altogether, they are a huge business: worth $16 billion today according to Gartner but growing at upwards of 30% and potentially as big as $30.5 billion by 2024, according to the latest forecasts.
Now, a company called ForgeRock, which has built a platform that is used to help make sure that those accessing services really are who they say are, and help organizations account for how their services are getting used, is announcing a big round of funding to continue expanding its business amid a huge boost in demand.
The company is today announcing that it has raised $93.5 million in funding, a Series E it will use to continue expanding its product and take it to its next step as a business, specifically investing in R&D, cloud services and its ForgeRock Identity Cloud, and general global business development.
The round is being led by Riverwood Capital, and Accenture Ventures, as well as previous investors Accel, Meritech Capital, Foundation Capital and KKR Growth, also participated.
Fran Rosch, the startup’s CEO, said in an interview that this will likely be its final round of funding ahead of an IPO, although given the current static of affairs with a lot of M&A, there is no timing set for when that might happen. (Notably, the company had said its last round of funding — $88 million in 2017 — would be its final ahead of an IPO, although that was under a different CEO.)
This Series E brings the total raised by the company to $230 million. Rosch confirmed it was raised as a material upround, although he declined to give a valuation. For some context, the company’s last post-money valuation was $646.50 million per PitchBook, and so this round values the company at more than $730 million.
ForgeRock has annual recurring revenues of more than $100 million, with annual revenues also at over $100 million, Rosch said. It operates in an industry heavy with competition, with some of the others vying for pole position in the various aspects of identity management including Okta, LastPass, Duo Serurity and Ping Identity.
But within that list it has amassed some impressive traction. In total it has 1,100 enterprise customers, who in turn collectively manage 2 billion identities through ForgeRock’s platform, with considerably more devices also authenticated and managed on top of that.
Customers include the likes of the BBC — which uses ForgeRock to authenticate and log not just 45 million users but also the devices they use to access its iPlayer on-demand video streaming service — Comcast, a number of major banks, the European Union and several other government organizations. ForgeRock was originally founded in Norway about a decade ago, and while it now has its headquarters in San Francisco, it still has about half its employees and half its customers on the other side of the Atlantic.
Currently ForgeRock provides services to businesses related to identity management including password and username creation, identity governance, directory services, privacy and consent gates, which they in turn provide both to their human customers as well as to devices accessing their services, but we’re in a period of change right now when it comes to identity management. It stays away from direct-to-consumer password management services and Rosch said there are no plans to move into that area.
These days, we’ve become more aware of privacy and data protection. Sometimes, it’s been because of the wrong reasons, such as giant security breaches that have leaked some aspect of our personal information into a giant database, or because of a news story that has uncovered how our information has unwittingly been used in ‘legit’ commercial schemes, or other ways we never imagined it would.
Those developments, combined with advances in technology, are very likely to lead us to a place over time where identity management will become significantly more shielded from misuse. These could include more ubiquitous use of federated identities, “lockers” that store our authentication credentials that can be used to log into services but remain separate from their control, and potentially even applications of blockchain technology.
All of this means that while a company like ForgeRock will continue to provide its current services, it’s also investing big in what it believes will be the next steps that we’ll take as an industry, and society, when it comes to digital identity management — something that has had a boost of late.
“There are a lot of interesting things going on, and we are working closely behind the scenes to flesh them out,” Rosch said. “For example, we’re looking at how best to break up data links where we control identities to get access for a temporary period of time but then pull back. It’s a powerful trend that is still about four to five years out. But we are preparing for this, a time when our platform can consume decentralised identity, on par with logins from Google or Facebook today. That is an interesting area.”
He notes that the current market, where there has been an overall surge for all online services as people are staying home to slow the speed of the coronavirus pandemic, has seen big boosts in specific verticals.
Its largest financial services and banking customers have seen traffic up by 50%, and digital streaming has been up by 300% — with customers like the BBC seeing spikes in usage at 5pm every day (at the time of the government COVID-19 briefing) that are as high as its most popular primetime shows or sporting events — and use of government services has also been surging, in part because many services that hadn’t been online are now developing online presences or seeing much more traffic from digital channels than before. Unsurprisingly, its customers in hotel and travel, as well as retail, have seen drops, he added.
“ForgeRock’s comprehensive platform is very well-positioned to capitalize on the enormous opportunity in the Identity & Access Management market,” said Jeff Parks, co-founder and managing partner of Riverwood Capital, in a statement. “ForgeRock is the leader in solving a wide range of workforce and consumer identity use cases for the Global 2000 and is trusted by some of the largest companies to manage millions of user identities. We have seen the growth acceleration and are thrilled to partner with this leadership team.” Parks is joining the board with this round.
Powered by WPeMatico
A coalition of EU scientists and technologists that’s developing what’s billed as a “privacy-preserving” standard for Bluetooth-based proximity tracking, as a proxy for COVID-19 infection risk, wants Apple and Google to make changes to an API they’re developing for the same overarching purpose.
The Pan-European Privacy-Preserving Proximity Tracing (PEPP-PT) uncloaked on April 1, calling for developers of contact tracing apps to get behind a standardized approach to processing smartphone users’ data to coordinate digital interventions across borders and shrink the risk of overly intrusive location-tracking tools gaining momentum as a result of the pandemic.
PEPP-PT said today it has seven governments signed up to apply its approach to national apps, with a claimed pipeline of a further 40 in discussions about joining.
“We now have a lot of governments interacting,” said PEPP-PT’s Hans-Christian Boos, speaking during a webinar for journalists. “Some governments are publicly declaring that their local applications will be built on top of the principles of PEPP-PT and also the various protocols supplied inside this initiative.
“We know of seven countries that have already committed to do this — and we’re currently in conversation with 40 countries that are in various states of onboarding.”
Boos said a list of the governments would be shared with journalists, though at the time of writing we haven’t seen it. But we’ve asked PEPP-PT’s PR firm for the info and will update this report when we get it.
“The pan-European approach has worked,” he added. “Governments have decided at a speed previously unknown. But with 40 more countries in the queue of onboarding we definitely have outgrown just the European focus — and to us this shows that privacy as a model and as a discussion point… is a statement and it is something that we can export because we’re credible on it.”
Paolo de Rosa, the CTO at the Ministry of Innovation Technology and Digital Transformation for the Italian government, was also on the webinar — and confirmed its national app will be built on top of PEPP-PT.
“We will have an app soon and obviously it will be based on this model,” he said, offering no further details.
PEPP-PT’s core “privacy-preserving” claim rests on the use of system architectures that do not require location data to be collected. Rather devices that come near each other would share pseudonymized IDs — which could later be used to send notifications to an individual if the system calculates an infection risk has occurred. An infected individual’s contacts would be uploaded at the point of diagnosis — allowing notifications to be sent to other devices with which had come into contact.
Boos, a spokesman for and coordinator of PEPP-PT, told TechCrunch earlier this month the project will support both centralized and decentralized approaches. The former meaning IDs are uploaded to a trusted server, such as one controlled by a health authority; the latter meaning IDs are held locally on devices, where the infection risk is also calculated — a backend server is only in the loop to relay info to devices.
It’s just such a decentralized contacts tracing system that Apple and Google are collaborating on supporting — fast-following PEPP-PT last week by announcing a plan for cross-platform COVID-19 contacts tracing via a forthcoming API and then a system-wide (opt-in) for Bluetooth-based proximity tracking.
That intervention, by the only two smartphone platforms that matter when the ambition is mainstream adoption, is a major development — putting momentum behind decentralized contacts tracing for responding digitally to the coronavirus crisis in the Western world, certainly at the platform level.
In a resolution passed today the European parliament also called for a decentralized approach to COVID-19 proximity tracking.
MEPs are pushing for the Commission and Member States to be “fully transparent on the functioning of contact tracing apps, so that people can verify both the underlying protocol for security and privacy and check the code itself to see whether the application functions as the authorities are claiming.” (The Commission has previously signaled a preference for decentralization too.)
However, backers of PEPP-PT, which include at least seven governments (and the claim of many more), aren’t giving up on the option of a “privacy-preserving” centralized option — which some in their camp are dubbing “pseudo-decentralized” — with Boos claiming today that discussions are ongoing with Apple and Google about making changes to their approach.
As it stands, contacts tracing apps that don’t use a decentralized infrastructure won’t be able to carry out Bluetooth tracking in the background on Android or iOS — as the platforms limit how general apps can access Bluetooth. This means users of such apps would have to have the app open and active all the time for proximity tracking to function, with associated (negative) impacts on battery life and device usability.
There are also (intentional) restrictions on how contacts tracing data could be centralized, as a result of the relay server model being deployed in the joint Apple-Google model.
“We very much appreciate that Google and Apple are stepping up to making the operating system layer available — or putting what should be the OS actually there, which is the Bluetooth measurement and the handling of crypto and the background running of such tasks which have to keep running resiliently all the time — if you look at their protocols and if you look at whom they are provided by, the two dominant players in the mobile ecosystem, then I think that from a government perspective especially, or from lots of government perspectives, there are many open points to discuss,” said Boos today.
“From a PEPP-PT perspective there are a few points to discuss because we want choice and implementing choice in terms of model — decentralized or centralized on top of their protocol creates actually the worst of both worlds — so there are many points to discuss. But contrary to the behavior that many of us who work with tech companies are used to Google and Apple are very open in these discussions and there’s no point in getting up in arms yet because these discussions are ongoing and it looks like agreement can be reached with them.”
It wasn’t clear what specific changes PEPP-PT wants from Apple and Google — we asked for more detail during the webinar but didn’t get a response. But the group and its government backers may be hoping to dilute the tech giants’ stance to make it easier to create centralized graphs of Bluetooth contacts to feed national coronavirus responses.
As it stands, Apple and Google’s API is designed to block contact matching on a server — though there might still be ways for governments (and others) to partially work around the restrictions and centralize some data.
We reached out to Apple and Google with questions about the claimed discussions with PEPP-PT. At the time of writing, neither had responded.
As well as Italy, the German and French governments are among those that have indicated they’re backing PEPP-PT for national apps — which suggests powerful EU Member States could be squaring up for a fight with the tech giants, along the lines of Apple versus the FBI, if pressure to tweak the API fails.
Another key strand to this story is that PEPP-PT continues to face strident criticism from privacy and security experts in its own backyard — including after it removed a reference to a decentralized protocol for COVID-19 contacts tracing that’s being developed by another European coalition, comprised of privacy and security experts, called DP-3T.
Coindesk reported on the silent edit to PEPP-PT’s website yesterday.
Backers of DP-3T have also repeatedly queried why PEPP-PT hasn’t published code or protocols for review to-date — and even gone so far as to dub the effort a “trojan horse.”
#DP3T entered as a candidate to so-called PEPP-PT in good faith, but it is now clear that powerful actors pushing centralised databases of Bluetooth contact tracing do not, and will not, act in good faith.
PEPP-PT is a Trojan horse.
— Michael Veale (@mikarv) April 16, 2020
ETH Zürich’s Dr. Kenneth Paterson, who is both a part of the PEPP-PT effort and a designer of DP-3T, couldn’t shed any light on the exact changes the coalition is hoping to extract from “Gapple” when we asked.
“They’ve still not said exactly how their system would work, so I can’t say what they would need [in terms of changes to Apple and Google’s system],” he told us in an email exchange.
Today Boos couched the removal of the reference to DP-3T on PEPP-PT’s website as a mistake — which he blamed on “bad communication.” He also claimed the coalition is still interested in including the former’s decentralized protocol within its bundle of standardized technologies. So the already sometimes fuzzy lines between the camps continue to be redrawn. (It’s also interesting to note that press emails to Boos are now being triaged by Hering Schuppener, a communications firm that sells publicity services, including crisis PR.)
“We’re really sorry for that,” Boos said of the DP-3T excision. “Actually we just wanted to put the various options on the same level that are out there. There are still all these options and we very much appreciate the work that colleagues and others are doing.
“You know there is a hot discussion in the crypto community about this and we actually encourage this discussion because it’s always good to improve on protocols. What we must not lose sight of is… that we’re not talking about crypto here, we’re talking about pandemic management and as long as an underlying transport layer can ensure privacy that’s good enough because governments can choose whatever they want.”
Boos also said PEPP-PT would finally be publishing some technical documents this afternoon — opting to release information some three weeks after its public unveiling and on a Friday evening (a seven-page ‘high level overview’ has since been put on their GitHub here [this link has since been deleted – Ed.] — but still a far cry from code for review) — while making a simultaneous plea for journalists to focus on the “bigger picture” of fighting the coronavirus rather than keep obsessing over technical details.
During today’s webinar some of the scientists backing PEPP-PT talked about how they’re testing the efficacy of Bluetooth as a proxy for tracking infection risk.
“The algorithm that we’ve been working on looks at the cumulative amount of time that individuals spend in proximity with each other,” said Christophe Fraser, professor at the Nuffield Department of Medicine and Senior Group Leader in Pathogen Dynamics at the Big Data Institute, University of Oxford, offering a general primer on using Bluetooth proximity data for tracking viral transmission.
“The aim is to predict the probability of transmission from the phone proximity data. So the ideal system reduces the requested quarantine to those who are the most at risk of being infected and doesn’t give the notification — even though some proximity event was recorded — to those people who’re not at risk of being infected.”
“Obviously that’s going to be an imperfect process,” he went on. “But the key point is that in this innovative approach that we should be able to audit the extent to which that information and those notifications are correct — so we need to actually be seeing, of the people who have been sent the notification how many of them actually were infected. And of those people who were identified as contacts, how many weren’t.
“Auditing can be done in many different ways for each system but that step is crucial.”
Evaluating the effectiveness of the digital interventions will be vital, per Fraser — whose presentation could have been interpreted as making a case for public health authorities to have fuller access to contacts graphs. But it’s important to note that DP-3T’s decentralized protocol makes clear provision for app users to opt-in to voluntarily share data with epidemiologists and research groups to enable them to reconstruct the interaction graph among infected and at risk users (aka to get access to a proximity graph).
“It’s really important that if you’re going to do an intervention that is going to affect millions of people — in terms of these requests to [quarantine] — that that information be the best possible science or the best possible representation of the evidence at the point at which you give the notification,” added Fraser. “And therefore as we progress forwards that evidence — our understanding of the transmission of the virus — is going to improve. And in fact auditing of the app can allow that to improve, and therefore it seems essential that that information be fed back.”
None of the PEPP-PT-aligned apps that are currently being used for testing or reference are interfacing with national health authority systems, per Boos — though he cited a test in Italy that’s been plugged into a company’s health system to run tests.
“We have supplied the application builders with the backend, we have supplied them with sample code, we have supplied them with protocols, we have supplied them with the science of measurement, and so on and so forth. We have a working application that simply has no integration into a country’s health system — on Android and on iOS,” he noted.
On its website PEPP-PT lists a number of corporate “members” as backing the effort — including the likes of Vodafone — alongside several research institutions including Germany’s Fraunhofer Heinrich Hertz Institute for telecoms (HHI) which has been reported as leading the effort.
The HHI’s executive director, Thomas Wiegand, was also on today’s call. Notably, his name initially appeared on the authorship list for the DP-3T’s white paper. However, on April 10 he was removed from the README and authorship list, per its GitHub document history. No explanation for the change was given.
During today’s press conference Wiegand made an intervention that seems unlikely to endear him to the wider crypto and digital rights community — describing the debate around which cryptography system to use for COVID-19 contacts tracing as a ‘side show’ and expressing concern that what he called Europe’s “open public discussion” might “destroy our ability to get ourselves as Europeans out of this.”
“I just wanted to make everyone aware of the difficulty of this problem,” he also said. “Cryptography is only one of 12 building blocks in the system. So I really would like to have everybody go back and reconsider what problem we are in here. We have to win against this virus… or we have another lockdown or we have a lot of big problems. I would like to have everybody to consider that and to think about it because we have a chance if we get our act together and really win against the virus.”
The press conference had an even more inauspicious start after the Zoom call was disrupted by racist spam in the chat field. Right before that Boos had kicked off the call saying he had heard from “some more technically savvy people that we should not be using Zoom because it’s insecure — and for an initiative that wants security and privacy it’s the wrong tool.”
“Unfortunately we found out that many of our international colleagues only had this on their corporate PCs so over time either Zoom has to improve — or we need to get better installations out there. It’s certainly not our intention to leak the data on this Zoom,” he added.
Powered by WPeMatico
Google is today announcing a series of policy changes aimed at eliminating untrustworthy apps from its Android app marketplace, the Google Play store. The changes are meant to give users more control over how their data is used, tighten subscription policies and help prevent deceptive apps and media — including those involving deepfakes — from becoming available on the Google Play Store.
Background Location
The first of these new policies is focused on the location tracking permissions requested by some apps.
Overuse of location tracking has been an area Google has struggled to rein in. In Android 10, users were able to restrict apps’ access to location while the app was in use, similar to what’s been available on iOS. With the debut of Android 11, Google decided to give users even more control with the new ability to grant a temporary “one-time” permission to sensitive data, like location.
In February, Google said it would also soon require developers to get user permission before accessing background location data, after noting that many apps were asking for unnecessary user data. The company found that a number of these apps would have been able to provide the same experience to users if they only accessed location while the app was in use — there was no advantage to running the app in the background.
Of course, there’s an advantage for developers who are collecting location data. This sort of data can be sold to third-party through trackers that supply advertisers with detailed information about the app’s users, earning the developer additional income.
The new change to Google Play policies now requires that developers get approval to access background location in their apps.
But Google is giving developers time to comply. It says no action will be taken for new apps until August 2020 or on existing apps until November 2020.
“Fleeceware”
A second policy is focused on subscription-based apps. Subscriptions have become a booming business industry-wide. They’re often a better way for apps to generate revenue as opposed to other monetization methods — like paid downloads, ads or in-app purchases.
However, many subscription apps are duping users into paying by not making it easy or obvious how to dismiss a subscription offer in order to use the free parts of an app, or not being clear about subscription terms or the length of free trials, among other things.
The new Google Play policy says developers will need to be explicit about their subscription terms, trials and offers, by telling users the following:
That means the “fine print” has to be included on the offer’s page, and developers shouldn’t use sneaky tricks like lighter font to hide the important bits, either.
For example:

This change aims to address the rampant problem with “fleeceware” across the Google Play store. Multiple studies have shown subscription apps have gotten out of control. In fact, one study from January stated that over 600 million Android users had installed “fleeceware” apps from the Play Store. To be fair, the problem is not limited to Android. The iOS App Store was recently found to have an issue, too, with more than 3.5 million users having installed “fleeceware.”
Developers have until June 16, 2020 to come into compliance with this policy, Google says.
Deepfakes
The final update has to do with the Play Store’s “Deceptive Behavior” policy.
This wasn’t detailed in Google’s official announcements about the new policies, but Google tells us it’s also rolling out updated rules around deceptive content and apps.
Before, Google’s policy was used to restrict apps that tried to deceive users — like apps claiming a functionally impossible task, those that lied in their listing about their content or features or those that mimicked the Android OS, among others.
The updated policy is meant to better ensure all apps are clear about their behavior once they’re downloaded. In particular, it’s meant to prevent any manipulated content (aka “deepfakes”) from being available on the Play Store.
Google tells us this policy change won’t impact apps that allow users to make deepfakes that are “for fun” — like those that allow users to swap their face onto GIFs, for example. These will fall under an exception to the rule, which allows deepfakes that are “obvious satire or parody.”
However, it will take aim at apps that manipulate and alter media in a way that isn’t conventionally obvious or acceptable.
For example:
In particular, the policy will focus on apps that promote misleading imagery that could cause harm related to politics, social issues or sensitive events. The apps must also disclose or watermark the altered media if it isn’t clear the media has been altered.
Similar bans on manipulated media have been enacted across social media platforms, including Facebook, Twitter and WeChat. Apple’s App Store Developer Guidelines don’t specifically reference “deepfakes” by name, however, though it bans apps with false or defamatory information, outside of satire and humor.
Google says the apps currently available on Google Play have 30 days to comply with this change.
In Google’s announcement, the company said it understood these were difficult times for people, which is why it’s taken steps to minimize the short-term impact of these changes. In other words, it doesn’t sound like the policy changes will soon result in any mass banning or big Play Store clean-out — rather, they’re meant to set the stage for better policing of the store in the future.
Powered by WPeMatico
The European Commission has set out a plan for coordinating the lifting of regional coronavirus restrictions that includes a role for digital tools in what the EU executive couches as “a robust system of reporting and contact tracing.” However it has reiterated that such tools must “fully respect data privacy.”
Last week, the Commission made a similar call for a common approach to data and apps for fighting the coronavirus, emphasizing the need for technical measures to be taken to ensure that citizens’ rights and freedoms aren’t torched in the scramble for a tech fix.
Today’s toolbox of measures and principles is the next step in its push to coordinate a pan-EU response.
“Responsible planning on the ground, wisely balancing the interests of protection of public health with those of the functioning of our societies, needs a solid foundation. That’s why the Commission has drawn up a catalogue of guidelines, criteria and measures that provide a basis for thoughtful action,” said EC president Ursula von der Leyen, commenting on the full roadmap in a statement.
“The strength of Europe lies in its social and economic balance. Together we learn from each other and help our European Union out of this crisis,” she added.
Harmonized data gathering and sharing by public health authorities — “on the spread of the virus, the characteristics of infected and recovered persons and their potential direct contacts” — is another key plank of the plan for lifting coronavirus restrictions on citizens within the 27 Member State bloc.
While ‘anonymized and aggregated’ data from commercial sources — such as telcos and social media platforms — is seen as a potential aid to pandemic modelling and forecasting efforts, per the plan.
“Social media and mobile network operators can offer a wealth of data on mobility, social interactions, as well as voluntary reports of mild disease cases (e.g. via participatory surveillance) and/or indirect early signals of disease spread (e.g. searches/posts on unusual symptoms),” it writes. “Such data, if pooled and used in anonymised, aggregated format in compliance with EU data protection and privacy rules, could contribute to improve the quality of modelling and forecasting for the pandemic at EU level.”
The Commission has been leaning on telcos to hand over fuzzy metadata for coronavirus modelling which it wants done by the EU’s Joint Research Centre. It wrote to 19 mobile operators last week to formalize its request, per Euractiv, which reported yesterday that its aim is to have the data exchange system operational ‘as soon as possible’ — with the hope being it will cover all the EU’s member states.
Other measures included in the wider roadmap are the need for states to expand their coronavirus testing capacity and harmonize tesing methodologies — with the Commission today issuing guidelines to support the development of “safe and reliable testing”.
Steps to support the reopening of internal and external EU borders is another area of focus, with the executive generally urging a gradual and phased lifting of coronavirus restrictions.
On contacts tracing apps specifically, the Commission writes:
“Mobile applications that warn citizens of an increased risk due to contact with a person tested positive for COVID-19 are particularly relevant in the phase of lifting containment measures, when the infection risk grows as more and more people get in contact with each other. As experienced by other countries dealing with the COVID-19 pandemic, these applications can help interrupt infection chains and reduce the risk of further virus transmission. They should thus be an important element in the strategies put in place by Member States, complementing other measures like increased testing capacities.
“The use of such mobile applications should be voluntary for individuals, based on users’ consent and fully respecting European privacy and personal data protection rules. When using tracing apps, users should remain in control of their data. National health authorities should be involved in the design of the system. Tracing close proximity between mobile devices should be allowed only on an anonymous and aggregated basis, without any tracking of citizens, and names of possibly infected persons should not be disclosed to other users. Mobile tracing and warning applications should be subject to demanding transparency requirements, be deactivated as soon as the COVID-19 crisis is over and any remaining data erased.”
“Confidence in these applications and their respect of privacy and data protection are paramount to their success and effectiveness,” it adds.
Earlier this week Apple and Google announced a collaboration around coronavirus contracts tracing — throwing their weight behind a privacy-sensitive decentralized approach to proximity tracking that would see ephemeral IDs processed locally on devices, rather than being continually uploaded and held on a central server.
A similar decentralized infrastructure for Bluetooth-based COVID-19 contacts tracing had already been suggested by a European coalition of privacy and security experts, as we reported last week.
While a separate coalition of European technologists and researchers has been pushing a standardization effort for COVID-19 contacts tracing that they’ve said will support either centralized or decentralized approaches — in the hopes of garnering the broadest possible international backing.
For its part the Commission has urged the use of technologies such as decentralization for COVID-19 contacts tracing to ensure tools align with core EU principles for handling personal data and safeguarding individual privacy, such as data minimization.
However governments in the region are working on a variety of apps and approaches for coronavirus contacts tracing that don’t all look as if they will check a ‘rights respecting’ box…
Poland advertised a new product to enforce #coronavirus #COVID19 quarantaine? Electronic bracelet equipped with geolocation sensor (and a microphone, apparently), for “constant monitoring instead of random checks”. https://t.co/WipDJDnLK8 pic.twitter.com/ormYjM1EyJ
— Lukasz Olejnik (@lukOlejnik) April 14, 2020
In a video address last week, Europe’s lead privacy regulator, the EDPS, intervened to call for a “panEuropean model ‘COVID-19 mobile application’, coordinated at EU level” — in light of varied tech efforts by Member States which involve the processing of personal data for a claimed public health purpose.
“The use of temporary broadcast identifiers and bluetooth technology for contact tracing seems to be a useful path to achieve privacy and personal data protection effectively,” said Wojciech Wiewiórowski on Monday week. “Given these divergences, the European Data Protection Supervisor calls for a panEuropean model “COVID-19 mobile application”, coordinated at EU level. Ideally, coordination with the World Health Organisation should also take place, to ensure data protection by design globally from the start.”
The Commission has not gone so far in today’s plan — calling instead for Member States to ensure their own efforts align with the EU’s existing data protection framework.
Though its roadmap is also heavy on talk of the need for “coordination between Member States, to avoid negative effects” — dubbing it “a matter of common European interest”. But, for now, the Commission has issued a list of recommendations; it’s up to Member States to choose to fall in behind them or not.
With the caveat that EU regulators are watching very carefully how states’ handle citizens’ data.
“Legality, transparency and proportionality are essential for me,” warned Wiewiórowski, ending last week’s intervention on the EU digital response to the coronavirus with a call for “digital solidarity, which should make data working for all people in Europe and especially for the most vulnerable” — and a cry against “the now tarnished and discredited business models of constant surveillance and targeting that have so damaged trust in the digital society”.
Powered by WPeMatico
Zoom is making some drastic changes to prevent rampant abuse as trolls attack publicly-shared video calls. Starting April 5th, it will require passwords to enter calls via Meeting ID, since these may be guessed or reused. Meanwhile, it will change virtual waiting rooms to be on by default so hosts have to manually admit attendees.
The changes could prevent “Zoombombing”, a term I coined two weeks ago to describe malicious actors entering Zoom calls and disrupting them by screensharing offensive imagery. New Zoombombing tactics have since emerged, like spamming the chat thread with terrible GIFs, using virtual backgrounds to spread hateful messages, or just screaming profanities and slurs. Anonymous forums have now become breeding grounds for organized trolling efforts to raid calls.
Just imagine the most frightened look on all these people’s faces. That’s what happened when Zoombombers attacked the call.
The FBI has issued a warning about the Zoombombing problem after children’s online classes, alcoholics anonymous meetings, and private business calls were invaded by trolls. Security researchers have revealed many ways that attackers can infiltrate a call.
The problems stem from Zoom being designed for trusted enterprise use cases rather than cocktail hours, yoga classes, roundtable discussions, and classes. But with Zoom struggling to scale its infrastructure as its daily user count has shot up from 10 million to 200 million over the past month due to coronavirus shelter-in-place orders, it’s found itself caught off guard.

Zoom CEO Eric Yuan apologized for the security failures this week and vowed changes. But at the time, the company merely said it would default to making screensharing host-only and keeping waiting rooms on for its K-12 education users. Clearly it determined that wasn’t sufficient, so now waiting rooms are on by default for everyone.
Zoom communicated the changes to users via an email sent this afternoon that explains “we’ve chosen to enable passwords on your meetings and turn on Waiting Rooms by default as additional security enhancements to protect your privacy.”
The company also explained that “For meetings scheduled moving forward, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.” Some other precautions users can take include disabling file transfer, screensharing, or rejoining by removed attendees.
NEW YORK, NY – APRIL 18: Zoom founder Eric Yuan reacts at the Nasdaq opening bell ceremony on April 18, 2019 in New York City. The video-conferencing software company announced it’s IPO priced at $36 per share, at an estimated value of $9.2 billion. (Photo by Kena Betancur/Getty Images)
The shift could cause some hassle for users. Hosts will be distracted by having to approve attendees out of the waiting room while they’re trying to lead calls. Zoom recommends users resend invites with passwords attached for Meeting ID-based calls scheduled for after April 5th. Scrambling to find passwords could make people late to calls.
But that’s a reasonable price to pay to keep people from being scarred by Zoombombing attacks. The rash of trolling threatened to sour many people’s early experiences with the video chat platform just as it’s been having its breakout moment. A single call marred by disturbing pornography can leave a stronger impression than 100 peaceful ones with friends and colleagues. The old settings made sense when it was merely an enterprise product, but it needed to embrace its own change of identity as it becomes a fundamental utility for everyone.
Technologists will need to grow better at anticipating worst-case scenarios as their products go mainstream and are adapted to new use cases. Assuming everyone will have the best intentions ignores the reality of human nature. There’s always someone looking to generate a profit, score power, or cause chaos from even the smallest opportunity. Building development teams that include skeptics and realists, rather than just visionary idealists, could keep ensure products get safeguarded from abuse before rather than after a scandal occurs.
Powered by WPeMatico
Google is giving the world a clearer glimpse of exactly how much it knows about people everywhere — using the coronavirus crisis as an opportunity to repackage its persistent tracking of where users go and what they do as a public good in the midst of a pandemic.
In a blog post today, the tech giant announced the publication of what it’s branding COVID-19 Community Mobility Reports, an in-house analysis of the much more granular location data it maps and tracks to fuel its ad-targeting, product development and wider commercial strategy to showcase aggregated changes in population movements around the world.
The coronavirus pandemic has generated a worldwide scramble for tools and data to inform government responses. In the EU, for example, the European Commission has been leaning on telcos to hand over anonymized and aggregated location data to model the spread of COVID-19.
Google’s data dump looks intended to dangle a similar idea of public policy utility while providing an eyeball-grabbing public snapshot of mobility shifts via data pulled off of its global user-base.
In terms of actual utility for policymakers, Google’s suggestions are pretty vague. The reports could help government and public health officials “understand changes in essential trips that can shape recommendations on business hours or inform delivery service offerings,” it writes.
“Similarly, persistent visits to transportation hubs might indicate the need to add additional buses or trains in order to allow people who need to travel room to spread out for social distancing,” it goes on. “Ultimately, understanding not only whether people are traveling, but also trends in destinations, can help officials design guidance to protect public health and essential needs of communities.”
The location data Google is making public is similarly fuzzy — to avoid inviting a privacy storm — with the company writing it’s using “the same world-class anonymization technology that we use in our products every day,” as it puts it.
“For these reports, we use differential privacy, which adds artificial noise to our datasets enabling high quality results without identifying any individual person,” Google writes. “The insights are created with aggregated, anonymized sets of data from users who have turned on the Location History setting, which is off by default.”
“In Google Maps, we use aggregated, anonymized data showing how busy certain types of places are—helping identify when a local business tends to be the most crowded. We have heard from public health officials that this same type of aggregated, anonymized data could be helpful as they make critical decisions to combat COVID-19,” it adds, tacitly linking an existing offering in Google Maps to a coronavirus-busting cause.
The reports consist of per country, or per state, downloads (with 131 countries covered initially), further broken down into regions/counties — with Google offering an analysis of how community mobility has changed vs a baseline average before COVID-19 arrived to change everything.
So, for example, a March 29 report for the whole of the U.S. shows a 47 percent drop in retail and recreation activity vs the pre-CV period; a 22% drop in grocery & pharmacy; and a 19% drop in visits to parks and beaches, per Google’s data.
While the same date report for California shows a considerably greater drop in the latter (down 38% compared to the regional baseline); and slightly bigger decreases in both retail and recreation activity (down 50%) and grocery & pharmacy (-24%).
Google says it’s using “aggregated, anonymized data to chart movement trends over time by geography, across different high-level categories of places such as retail and recreation, groceries and pharmacies, parks, transit stations, workplaces, and residential.” The trends are displayed over several weeks, with the most recent information representing 48-to-72 hours prior, it adds.
The company says it’s not publishing the “absolute number of visits” as a privacy step, adding: “To protect people’s privacy, no personally identifiable information, like an individual’s location, contacts or movement, is made available at any point.”
Google’s location mobility report for Italy, which remains the European country hardest hit by the virus, illustrates the extent of the change from lockdown measures applied to the population — with retail & recreation dropping 94% vs Google’s baseline; grocery & pharmacy down 85%; and a 90% drop in trips to parks and beaches.
The same report shows an 87% drop in activity at transit stations; a 63% drop in activity at workplaces; and an increase of almost a quarter (24%) of activity in residential locations — as many Italians stay at home instead of commuting to work.
It’s a similar story in Spain — another country hard-hit by COVID-19. Though Google’s data for France suggests instructions to stay-at-home may not be being quite as keenly observed by its users there, with only an 18% increase in activity at residential locations and a 56% drop in activity at workplaces. (Perhaps because the pandemic has so far had a less severe impact on France, although numbers of confirmed cases and deaths continue to rise across the region.)
While policymakers have been scrambling for data and tools to inform their responses to COVID-19, privacy experts and civil liberties campaigners have rushed to voice concerns about the impacts of such data-fueled efforts on individual rights, while also querying the wider utility of some of this tracking.
And yes, the disclaimer is very broad. I’d say, this is largely a PR move.
Apart from this, Google must be held accountable for its many other secondary data uses. And Google/Alphabet is far too powerful, which must be addressed at several levels, soon. https://t.co/oksJgQAPAY
— Wolfie Christl (@WolfieChristl) April 3, 2020
Contacts tracing is another area where apps are fast being touted as a potential solution to get the West out of economically crushing population lockdowns — opening up the possibility of people’s mobile devices becoming a tool to enforce lockdowns, as has happened in China.
“Large-scale collection of personal data can quickly lead to mass surveillance,” is the succinct warning of a trio of academics from London’s Imperial College’s Computational Privacy Group, who have compiled their privacy concerns vis-a-vis COVID-19 contacts tracing apps into a set of eight questions app developers should be asking.
Discussing Google’s release of mobile location data for a COVID-19 cause, the head of the group, Yves-Alexandre de Montjoye, gave a general thumbs up to the steps it’s taken to shrink privacy risks. Although he also called for Google to provide more detail about the technical processes it’s using in order that external researchers can better assess the robustness of the claimed privacy protections. Such scrutiny is of pressing importance with so much coronavirus-related data grabbing going on right now, he argues.
“It is all aggregated; they normalize to a specific set of dates; they threshold when there are too few people and on top of this they add noise to make — according to them — the data differentially private. So from a pure anonymization perspective it’s good work,” de Montjoye told TechCrunch, discussing the technical side of Google’s release of location data. “Those are three of the big ‘levers’ that you can use to limit risk. And I think it’s well done.”
“But — especially in times like this when there’s a lot of people using data — I think what we would have liked is more details. There’s a lot of assumptions on thresholding, on how do you apply differential privacy, right?… What kind of assumptions are you making?” he added, querying how much noise Google is adding to the data, for example. “It would be good to have a bit more detail on how they applied [differential privacy]… Especially in times like this it is good to be… overly transparent.”
While Google’s mobility data release might appear to overlap in purpose with the Commission’s call for EU telco metadata for COVID-19 tracking, de Montjoye points out there are likely to be key differences based on the different data sources.
“It’s always a trade off between the two,” he says. “It’s basically telco data would probably be less fine-grained, because GPS is much more precise spatially and you might have more data points per person per day with GPS than what you get with mobile phone but on the other hand the carrier/telco data is much more representative — it’s not only smartphone, and it’s not only people who have latitude on, it’s everyone in the country, including non smartphone.”
There may be country specific questions that could be better addressed by working with a local carrier, he also suggested. (The Commission has said it’s intending to have one carrier per EU Member State providing anonymized and aggregated metadata.)
On the topical question of whether location data can ever be truly anonymized, de Montjoye — an expert in data reidentification — gave a “yes and no” response, arguing that original location data is “probably really, really hard to anonymize”.
“Can you process this data and make the aggregate results anonymous? Probably, probably, probably yes — it always depends. But then it also means that the original data exists… Then it’s mostly a question of the controls you have in place to ensure the process that leads to generating those aggregates does not contain privacy risks,” he added.
Perhaps a bigger question related to Google’s location data dump is around the issue of legal consent to be tracking people in the first place.
While the tech giant claims the data is based on opt-ins to location tracking the company was fined $57M by France’s data watchdog last year for a lack of transparency over how it uses people’s data.
Then, earlier this year, the Irish Data Protection Commission (DPC) — now the lead privacy regulator for Google in Europe — confirmed a formal probe of the company’s location tracking activity, following a 2018 complaint by EU consumers groups which accuses Google of using manipulative tactics in order to keep tracking web users’ locations for ad-targeting purposes.
“The issues raised within the concerns relate to the legality of Google’s processing of location data and the transparency surrounding that processing,” said the DPC in a statement in February, announcing the investigation.
The legal questions hanging over Google’s consent to track people likely explains the repeat references in its blog post to people choosing to opt in and having the ability to clear their Location History via settings. (“Users who have Location History turned on can choose to turn the setting off at any time from their Google Account, and can always delete Location History data directly from their Timeline,” it writes in one example.)
In addition to offering up coronavirus mobility porn reports — which Google specifies it will continue to do throughout the crisis — the company says it’s collaborating with “select epidemiologists working on COVID-19 with updates to an existing aggregate, anonymized dataset that can be used to better understand and forecast the pandemic.”
“Data of this type has helped researchers look into predicting epidemics, plan urban and transit infrastructure, and understand people’s mobility and responses to conflict and natural disasters,” it adds.
Powered by WPeMatico
GDPR and other data protection and privacy regulations — as well as a significant (and growing) number of data breaches and exposées of companies’ privacy policies — have put a spotlight on not just the vast troves of data that businesses and other organizations hold on us, but also how they handle it. Today, one of the companies helping them cope with that data in a better and legal way is announcing a huge round of funding to continue that work. Collibra, which provides tools to manage, warehouse, store and analyse data troves, is today announcing that it has raised $112.5 million in funding, at a post-money valuation of $2.3 billion.
The funding — a Series F, from the looks of it — represents a big bump for the startup, which last year raised $100 million at a valuation of just over $1 billion. This latest round was co-led by ICONIQ Capital, Index Ventures, and Durable Capital Partners LP, with previous investors CapitalG (Google’s growth fund), Battery Ventures, and Dawn Capital also participating.
Collibra was originally a spin-out from Vrije Universiteit in Brussels, Belgium and today it works with some 450 enterprises and other large organizations. Customers include Adobe, Verizon (which owns TechCrunch), insurers AXA and a number of healthcare providers. Its products cover a range of services focused around company data, including tools to help customers comply with local data protection policies and store it securely, and tools (and plug-ins) to run analytics and more.
These are all features and products that have long had a place in enterprise big data IT, but they have become increasingly more used and in-demand both as data policies have expanded, as security has become more of an issue, and as the prospects of what can be discovered through big data analytics have become more advanced.
With that growth, many companies have realised that they are not in a position to use and store their data in the best possible way, and that is where companies like Collibra step in.
“Most large organizations are in data chaos,” Felix Van de Maele, co-founder and CEO, previously told us. “We help them understand what data they have, where they store it and [understand] whether they are allowed to use it.”
As you would expect with a big IT trend, Collibra is not the only company chasing this opportunity. Competitors include Informatica, IBM, Talend, and Egnyte, among a number of others, but the market position of Collibra, and its advanced technology, is what has continued to impress investors.
“Durable Capital Partners invests in innovative companies that have significant potential to shape growing industries and build larger companies,” said Henry Ellenbogen, founder and chief investment officer for Durable Capital Partners LP, in a statement (Ellenbogen is formerly an investment manager a T. Rowe Price, and this is his first investment in Collibra under Durable). “We believe Collibra is a leader in the Data Intelligence category, a space that could have a tremendous impact on global business operations and a space that we expect will continue to grow as data becomes an increasingly critical asset.”
“We have a high degree of conviction in Collibra and the importance of the company’s mission to help organizations benefit from their data,” added Matt Jacobson, general partner at ICONIQ Capital and Collibra board member, in his own statement. “There is an increasing urgency for enterprises to harness their data for strategic business decisions. Collibra empowers organizations to use their data to make critical business decisions, especially in uncertain business environments.”
Powered by WPeMatico