privacy
Auto Added by WPeMatico
Auto Added by WPeMatico
Securiti.ai, a San Jose startup, is working to bring a modern twist to data governance and security. Today the company announced a $50 million Series B led by General Catalyst, with participation from Mayfield.
The company, which only launched in 2019, reports it has already raised $81 million. What is attracting all of this investment in such a short period of time is that the company is going after a problem that is an increasing pain point for companies all over the world because of a growing body of data privacy regulation like GDPR and CCPA.
These laws are forcing companies to understand the data they have, and find ways to be able to pull that data into a single view, and, if needed, respond to customer wishes to remove or redact some of it. It’s a hard problem to solve with customer data spread across multiple applications, and often shared with third parties and partners.
Company CEO and founder Rehan Jalil says the goal of his startup is to provide an operations platform for customer data, an area he has coined PrivacyOps, with the goal of helping companies give customers more control over their data, as laws increasingly require.
“In the end it’s all about giving individuals the rights on the data: the right to privacy, the right to deletion, the right to redaction, the right to stop the processing. That’s the charter and the mission of the company,” he told TechCrunch.
You begin by defining your data sources, then a bot goes out and gathers customer data across all of the data sources you have defined. The company has links to more than 250 common modern and legacy data sources out of the box. Once the bot grabs the data and creates a central record, humans come in to review the results and make any adjustments and final decisions on how to handle a data request.
It has a number of security templates for different kinds of privacy regulations, such as GDPR and CCPA, and the bot finds data that must meet these requirements and lets the governance team see how many records could be in violation or meet a set of criteria you define.
Securiti.ai data view. Screenshot: Securiti.ai (cropped)
There are a number of tools in the package, including ways to look at your privacy readiness, vendor assessments, data maps and data breaches to look at data privacy in broad way.
The company launched in 2019, and in just five months has already grown to 185 employees, a number that is expected to increase in the next year with the new funding.
Powered by WPeMatico
Mark Zuckerberg won’t be spending 2020 focused on wearing ties, learning Mandarin or just fixing Facebook. “Rather than having year-to-year challenges, I’ve tried to think about what I hope the world and my life will look in 2030,” he wrote today on Facebook. As you might have guessed, though, Zuckerberg’s vision for an improved planet involves a lot more of Facebook’s family of apps.
His biggest proclamations in today’s notes include that:

These are all reasonable predictions and suggestions. However, Zuckerberg’s post does little to address how the broadening of Facebook’s services in the 2010s also contributed to a lot of the problems he presents:
Noticeably absent from Zuckerberg’s post are explicit mentions of some of Facebook’s more controversial products and initiatives. He writes about “decentralizing opportunity” by giving small businesses commerce tools, but never mentions cryptocurrency, blockchain or Libra directly. Instead he seems to suggest that Instagram store fronts, Messenger customer support and WhatsApp remittance might be sufficient. He also largely leaves out Portal, Facebook’s smart screen that could help distant families stay closer, but that some see as a surveillance and data collection tool.
I’m glad Zuckerberg is taking his role as a public figure and the steward of one of humanity’s fundamental utilities more seriously. His willingness to even think about some of these long-term issues instead of just quarterly profits is important. Optimism is necessary to create what doesn’t exist.
Still, if Zuckerberg wants 2030 to look better for the world, and for the world to look more kindly on Facebook, he may need to hire more skeptics and cynics that see a dystopic future instead — people who understand human impulses toward greed and vanity. Their foresight on where societal problems could arise from Facebook’s products could help temper Zuckerberg’s team of idealists to create a company that balances the potential of the future with the risks to the present.
Every new year of the last decade I set a personal challenge. My goal was to grow in new ways outside my day-to-day work…
Posted by Mark Zuckerberg on Thursday, January 9, 2020
For more on why Facebook can’t succeed on idealism alone, read:
Powered by WPeMatico
Almost exactly 4 months to the day after BigID announced a $50 million Series C, the company was back today with another $50 million round. The Series C extension came entirely from Tiger Global Management. The company has raised a total of $144 million.
What warrants $100 million in interest from investors in just four months is BigID’s mission to understand the data a company has and manage that in the context of increasing privacy regulation including GDPR in Europe and CCPA in California, which went into effect this month.
BigID CEO and co-founder Dimitri Sirota admits that his company formed at the right moment when it launched in 2016, but says he and his co-founders had an inkling that there would be a shift in how governments view data privacy.
“Fortunately for us, some of the requirements that we said were going to be critical, like being able to understand what data you collect on each individual across your entire data landscape, have come to [pass],” Sirota told TechCrunch. While he understands that there are lots of competing companies going after this market, he believes that being early helped his startup establish a brand identity earlier than most.
Meanwhile, the privacy regulation landscape continues to evolve. Even as California privacy legislation is taking effect, many other states and countries are looking at similar regulations. Canada is looking at overhauling its existing privacy regulations.
Sirota says that he wasn’t actually looking to raise either the C or the D, and in fact still has B money in the bank, but when big investors want to give you money on decent terms, you take it while the money is there. These investors clearly see the data privacy landscape expanding and want to get involved. He recognizes that economic conditions can change quickly, and it can’t hurt to have money in the bank for when that happens.
That said, Sirota says you don’t raise money to keep it in the bank. At some point, you put it to work. The company has big plans to expand beyond its privacy roots and into other areas of security in the coming year. Although he wouldn’t go into too much detail about that, he said to expect some announcements soon.
For a company that is only four years old, it has been amazingly proficient at raising money with a $14 million Series A and a $30 million Series B in 2018, followed by the $50 million Series C last year, and the $50 million round today. And Sirota said, he didn’t have to even go looking for the latest funding. Investors came to him — no trips to Sand Hill Road, no pitch decks. Sirota wasn’t willing to discuss the company’s valuation, only saying the investment was minimally diluted.
BigID, which is based in New York City, already has some employees in Europe and Asia, but he expects additional international expansion in 2020. Overall the company has around 165 employees at the moment and he sees that going up to 200 by mid-year as they make a push into some new adjacencies.
Powered by WPeMatico
TikTok parent company ByteDance has built technology to let you insert your face into videos starring someone else. TechCrunch has learned that ByteDance has developed an unreleased feature using life-like deepfakes technology that the app’s code refers to as Face Swap. Code in both TikTok and its Chinese sister app Douyin asks users to take a multi-angle biometric scan of their face, then choose from a selection of videos they want to add their face to and share.
With ByteDance’s new Face Swap feature, users scan themselves, pick a video and have their face overlaid on the body of someone in the clip
The deepfakes feature, if launched in Douyin and TikTok, could create a more controlled environment where face swapping technology plus a limited selection of source videos can be used for fun instead of spreading misinformation. It might also raise awareness of the technology so more people are aware that they shouldn’t believe everything they see online. But it’s also likely to heighten fears about what ByteDance could do with such sensitive biometric data — similar to what’s used to set up Face ID on iPhones.
Several other tech companies have recently tried to consumerize watered-down versions of deepfakes. The app Morphin lets you overlay a computerized rendering of your face on actors in GIFs. Snapchat offered a FaceSwap option for years that would switch the visages of two people in frame, or replace one on camera with one from your camera roll, and there are standalone apps that do that too, like Face Swap Live. Then last month, TechCrunch spotted Snapchat’s new Cameos for inserting a real selfie into video clips it provides, though the results aren’t meant to look confusingly realistic.
Most problematic has been Chinese deepfakes app Zao, which uses artificial intelligence to blend one person’s face into another’s body as they move and synchronize their expressions. Zao went viral in September despite privacy and security concerns about how users’ facial scans might be abused. Zao was previously blocked by China’s WeChat for presenting “security risks.” [Correction: While “Zao” is mentioned in the discovered code, it refers to the general concept rather than a partnership between ByteDance and Zao.]
But ByteDance could bring convincingly life-like deepfakes to TikTok and Douyin, two of the world’s most popular apps with over 1.5 billion downloads.
Zao in the Chinese iOS App Store
TechCrunch received a tip about the news from Israeli in-app market research startup Watchful.ai. The company had discovered code for the deepfakes feature in the latest version of TikTok and Douyin’s Android apps. Watchful.ai was able to activate the code in Douyin to generate screenshots of the feature, though it’s not currently available to the public.
First, users scan their face into TikTok. This also serves as an identity check to make sure you’re only submitting your own face so you can’t make unconsented deepfakes of anyone else using an existing photo or a single shot of their face. By asking you to blink, nod and open and close your mouth while in focus and proper lighting, Douyin can ensure you’re a live human and create a manipulable scan of your face that it can stretch and move to express different emotions or fill different scenes.

You’ll then be able to pick from videos ByteDance claims to have the rights to use, and it will replace with your own the face of whomever is in the clip. You can then share or download the deepfake video, though it will include an overlayed watermark the company claims will help distinguish the content as not being real. I received confidential access to videos made by Watchful using the feature, and the face swapping is quite seamless. The motion tracking, expressions and color blending all look very convincing.
Watchful also discovered unpublished updates to TikTok and Douyin’s terms of service that cover privacy and usage of the deepfakes feature. Inside the U.S. version of TikTok’s Android app, English text in the code explains the feature and some of its terms of use:
Your facial pattern will be used for this feature. Read the Drama Face Terms of Use and Privacy Policy for more details. Make sure you’ve read and agree to the Terms of Use and Privacy Policy before continuing. 1. To make this feature secure for everyone, real identity verification is required to make sure users themselves are using this feature with their own faces. For this reason, uploaded photos can’t be used; 2. Your facial pattern will only be used to generate face-change videos that are only visible to you before you post it. To better protect your personal information, identity verification is required if you use this feature later. 3. This feature complies with Internet Personal Information Protection Regulations for Minors. Underage users won’t be able to access this feature. 4. All video elements related to this feature provided by Douyin have acquired copyright authorization.
ZHEJIANG, CHINA – OCTOBER 18 2019 Two U.S. senators have sent a letter to the U.S. national intelligence agency saying TikTok could pose a threat to U.S. national security and should be investigated. Visitors visit the booth of Douyin (Tiktok) at the 2019 Smart Expo in Hangzhou, east China’s Zhejiang province, Oct. 18, 2019.- PHOTOGRAPH BY Costfoto / Barcroft Media via Getty Images.
A longer terms of use and privacy policy was also found in Chinese within Douyin. Translated into English, some highlights from the text include:
“The ‘face-changing’ effect presented by this function is a fictional image generated by the superimposition of our photos based on your photos. In order to show that the original work has been modified and the video generated using this function is not a real video, we will mark the video generated using this function. Do not erase the mark in any way.”
“The information collected during the aforementioned detection process and using your photos to generate face-changing videos is only used for live detection and matching during face-changing. It will not be used for other purposes . . . And matches are deleted immediately and your facial features are not stored.”
“When you use this function, you can only use the materials provided by us, you cannot upload the materials yourself. The materials we provide have been authorized by the copyright owner”.
“According to the ‘Children’s Internet Personal Information Protection Regulations’ and the relevant provisions of laws and regulations, in order to protect the personal information of children / youths, this function restricts the use of minors”.
We reached out to TikTok and Douyin for comment regarding the deepfakes feature, when it might launch, how the privacy of biometric scans are protected and the age limit. However, TikTok declined to answer those questions. Instead, a spokesperson insisted that “after checking with the teams I can confirm this is definitely not a function in TikTok, nor do we have any intention of introducing it. I think what you may be looking at is something slated for Douyin – your email includes screenshots that would be from Douyin, and a privacy policy that mentions Douyin. That said, we don’t work on Douyin here at TikTok.” They later told TechCrunch that “The inactive code fragments are being removed to eliminate any confusion,” which implicitly confirms that Face Swap code was found in TikTok.
A Douyin spokesperson tells TechCrunch “Douyin follows the laws and regulations of the jurisdictions in which it operates, which is China.” They denied that the Face Swap terms of service appear in TikTok despite TechCrunch reviewing code from the app showing those terms of service and the feature’s functionality.

This is suspicious, and doesn’t explain why code for the deepfakes feature and special terms of service in English for the feature appear in TikTok, and not just Douyin, where the app can already be activated and a longer terms of service was spotted. TikTok’s U.S. entity has previously denied complying with censorship requests from the Chinese government in contradiction to sources who told The Washington Post that TikTok did censor some political and sexual content at China’s behest.
It’s possible that the deepfakes Face Swap feature never officially launches in China or the U.S. But it’s fully functional, even if unreleased, and demonstrates ByteDance’s willingness to embrace the controversial technology despite its reputation for misinformation and non-consensual pornography. At least it’s restricting the use of the feature by minors, only letting you face-swap yourself, and preventing users from uploading their own source videos. That avoids it being used to create dangerous misinformational videos like the slowed down one making House Speaker Nancy Pelosi seem drunk, or clips of people saying things as if they were President Trump.
“It’s very rare to see a major social networking app restrict a new, advanced feature to their users 18 and over only,” Watchful.ai co-founder and CEO Itay Kahana tells TechCrunch. “These deepfake apps might seem like fun on the surface, but they should not be allowed to become trojan horses, compromising IP rights and personal data, especially personal data from minors who are overwhelmingly the heaviest users of TikTok to date.”
TikTok has already been banned by the U.S. Navy and ByteDance’s acquisition and merger of Musical.ly into TikTok is under investigation by the Committee on Foreign Investment in The United States. Deepfake fears could further heighten scrutiny.
With the proper safeguards, though, face-changing technology could usher in a new era of user-generated content where the creator is always at the center of the action. It’s all part of a new trend of personalized media that could be big in 2020. Social media has evolved from selfies to Bitmoji to Animoji to Cameos, and now consumerized deepfakes. When there are infinite apps and videos and notifications to distract us, making us the star could be the best way to hold our attention.
Powered by WPeMatico
Instagram dodges child safety laws. By not asking users their age upon signup, it can feign ignorance about how old they are. That way, it can’t be held liable for $40,000 per violation of the Child Online Privacy Protection Act. The law bans online services from collecting personally identifiable information about kids under 13 without parental consent. Yet Instagram is surely stockpiling that sensitive info about underage users, shrouded by the excuse that it doesn’t know who’s who.
But here, ignorance isn’t bliss. It’s dangerous. User growth at all costs is no longer acceptable.
It’s time for Instagram to step up and assume responsibility for protecting children, even if that means excluding them. Instagram needs to ask users’ age at sign up, work to verify they volunteer their accurate birthdate by all practical means, and enforce COPPA by removing users it knows are under 13. If it wants to allow tweens on its app, it needs to build a safe, dedicated experience where the app doesn’t suck in COPPA-restricted personal info.

Instagram is woefully behind its peers. Both Snapchat and TikTok require you to enter your age as soon as you start the sign up process. This should really be the minimum regulatory standard, and lawmakers should close the loophole allowing services to skirt compliance by not asking. If users register for an account, they should be required to enter an age of 13 or older.
Instagram’s parent company Facebook has been asking for birthdate during account registration since its earliest days. Sure, it adds one extra step to sign up, and impedes its growth numbers by discouraging kids to get hooked early on the social network. But it also benefits Facebook’s business by letting it accurately age-target ads.

Most importantly, at least Facebook is making a baseline effort to keep out underage users. Of course, as kids do when they want something, some are going to lie about their age and say they’re old enough. Ideally, Facebook would go further and try to verify the accuracy of a user’s age using other available data, and Instagram should too.
Both Facebook and Instagram currently have moderators lock the accounts of any users they stumble across that they suspect are under 13. Users must upload government-issued proof of age to regain control. That policy only went into effect last year after UK’s Channel 4 reported a Facebook moderator was told to ignore seemingly underage users unless they explicitly declared they were too young or were reported for being under 13. An extreme approach would be to require this for all signups, though that might be expensive, slow, significantly hurt signup rates, and annoy of-age users.

Instagram is currently on the other end of the spectrum. Doing nothing around age-gating seems recklessly negligent. When asked for comment about how why it doesn’t ask users’ ages, how it stops underage users from joining, and if it’s in violation of COPPA, Instagram declined to comment. The fact that Instagram claims to not know users’ ages seems to be in direct contradiction to it offering marketers custom ad targeting by age such as reaching just those that are 13.
Luckily, this could all change soon.
Mobile researcher and frequent TechCrunch tipster Jane Manchun Wong has spotted Instagram code inside its Android app that shows it’s prototyping an age-gating feature that rejects users under 13. It’s also tinkering with requiring your Instagram and Facebook birthdates to match. Instagram gave me a “no comment” when I asked about if these features would officially roll out to everyone.

Code in the app explains that “Providing your birthday helps us make sure you get the right Instagram experience. Only you will be able to see your birthday.” Beyond just deciding who to let in, Instagram could use this info to make sure users under 18 aren’t messaging with adult strangers, that users under 21 aren’t seeing ads for alcohol brands, and that potentially explicit content isn’t shown to minors.
Instagram’s inability to do any of this clashes with it and Facebook’s big talk this year about its commitment to safety. Instagram has worked to improve its approach to bullying, drug sales, self-harm, and election interference, yet there’s been not a word about age gating.

Meanwhile, underage users promote themselves on pages for hashtags like #12YearOld where it’s easy to find users who declare they’re that age right in their profile bio. It took me about 5 minutes to find creepy “You’re cute” comments from older men on seemingly underage girls’ photos. Clearly Instagram hasn’t been trying very hard to stop them from playing with the app.
I brought up the same unsettling situations on Musically, now known as TikTok, to its CEO Alex Zhu on stage at TechCrunch Disrupt in 2016. I grilled Zhu about letting 10-year-olds flaunt their bodies on his app. He tried to claim parents run all of these kids’ accounts, and got frustrated as we dug deeper into Musically’s failures here.
Thankfully, TikTok was eventually fined $5.7 million this year for violating COPPA and forced to change its ways. As part of its response, TikTok started showing an age gate to both new and existing users, removed all videos of users under 13, and restricted those users to a special TikTok Kids experience where they can’t post videos, comment, or provide any COPPA-restricted personal info.
If even a Chinese app social media app that Facebook CEO has warned threatens free speech with censorship is doing a better job protecting kids than Instagram, something’s gotta give. Instagram could follow suit, building a special section of its apps just for kids where they’re quarantined from conversing with older users that might prey on them.
Perhaps Facebook and Instagram’s hands-off approach stems from the fact that CEO Mark Zuckerberg doesn’t think the ban on under-13-year-olds should exist. Back in 2011, he said “That will be a fight we take on at some point . . . My philosophy is that for education you need to start at a really, really young age.” He’s put that into practice with Messenger Kids which lets 6 to 12-year-olds chat with their friends if parents approve.
The Facebook family of apps’ ad-driven business model and earnings depend on constant user growth that could be inhibited by stringent age gating. It surely doesn’t want to admit to parents it’s let kids slide into Instagram, that advertisers were paying to reach children too young to buy anything, and to Wall Street that it might not have 2.8 billion legal users across its apps as it claims.

But given Facebook and Instagram’s privacy scandals, addictive qualities, and impact on democracy, it seems like proper age-gating should be a priority as well as the subject of more regulatory scrutiny and public concern. Society has woken up to the harms of social media, yet Instagram erects no guards to keep kids from experiencing those ills for themselves. Until it makes an honest effort to stop kids from joining, the rest of Instagram’s safety initiatives ring hollow.
Powered by WPeMatico
Instagram is hiding Like counts to make people feel better. But what if you’re curious, competitive or just petty? Now you can re-embrace the popularity contest by installing the Socialinsider Chrome extension that reveals Instagram Like and comment counts. “The Return of the Likes” extension overlays the numbers of Likes and comments on the top-right corner of posts on Instagram’s website. If you don’t want Instagram’s overprotective helicopter parenting, now you can download the extension here to put an end to it.

Obviously, it’s not as useful as showing Like counts right in the Instagram mobile app. You probably aren’t going to switch to browsing Insta just on the web, but if you see a post you want to know the Like count of, you can easily send yourself the permalink and open it on a computer.
Instagram is currently testing hiding Like counts with a percentage of users in every country worldwide. It started the experiment in Canada in April before adding six more countries in July and then the U.S. last month. Facebook launched a similar hidden likes experiment in Australia in September.
TechCrunch tested Return of the Likes and verified that it works. It comes from social media analytics company Socialinsider, which offers software for measuring engagement and benchmarking performance against competitors. The company insists that “No data is sent to Socialinsider servers.” We asked Instagram if the Chrome extension was in compliance with the app’s rules, and will update if we hear back.

As social media evolves, the emerging trend is for platforms to step in to protect users. In many cases, it’s warranted. Like counts can hurt people’s well-being by leading them into envy spirals comparing themselves against peers, or coercing them to self-censor to avoid an embarrassingly low Like count. Still, the question remains whether users deserve control over their own experience. Should we be able to opt back in to seeing Like counts, the way we have controls over block lists of offensive words?
After the platforms step up to ensure safety, we’ll have to decide when we want to step in and demand to see what’s been covered up.
Additional reporting by Lucas Matney
Powered by WPeMatico
The customer data platform (CDP) is the newest tool in the customer experience arsenal as big companies try to help customers deal with data coming from multiple channels. Today, Adobe announced the general availability of its CDP.
The CDP is like a central data warehouse for all the information you have on a single customer. This crosses channels like web, email, text, chat and brick and mortar in-person visits, as well as systems like CRM, e-commerce and point of sale. The idea is to pull all of this data together into a single record to help companies have a deep understanding of the customer at an extremely detailed level. They then hope to leverage that information to deliver highly customized cross-channel experiences.
The idea is to take all of this information and give marketers the tools they need to take advantage of it. “We want to make sure we create an offering that marketers can leverage and makes use of all of that goodness that’s living within Adobe Experience platform,” Nina Caruso, product marketing manager for Adobe Audience Manager, explained.
She said that would involve packaging and presenting the data in such a way to make it easier for marketers to consume, such as dashboards to deliver the data they want to see, while taking advantage of artificial intelligence and machine learning under the hood to help them find the data to populate the dashboards without having to do the heavy lifting.
Beyond that, having access to real-time streaming data in one place under the umbrella of the Adobe Experience Platform should enable marketers to create much more precise market segments. “Part of real-time CDP will be building productized primo maintained integrations for marketers to be able to leverage, so that they can take segmentations and audiences that they’ve built into campaigns and use those across different channels to provide a consistent customer experience across that journey life cycle,” Caruso said.
As you can imagine, bringing all of this information together, while providing a platform for customization for the customer, raises all kinds of security and privacy red flags at the same time. This is especially true in light of GDPR and the upcoming California privacy law. Companies need to be able to enforce data usage rules across the platform.
To that end, the company also announced the availability of Adobe Experience Platform Data Governance, which helps companies define a set of rules around the data usage. This involves “frameworks that help [customers] enforce data usage policies and facilitate the proper use of their data to comply with regulations, obligations and restrictions associated with various data sets,” according to the company.
“We want to make sure that we offer our customers the controls in place to make sure that they have the ability to appropriately govern their data, especially within the evolving landscape that we’re all living in when it comes to privacy and different policies,” Caruso said.
These tools are now available to Adobe customers.
Powered by WPeMatico
Big changes are afoot for Wire, an enterprise-focused end-to-end encrypted messaging app and service that advertises itself as “the most secure collaboration platform”. In February, Wire quietly raised $8.2 million from Morpheus Ventures and others, we’ve confirmed — the first funding amount it has ever disclosed — and alongside that external financing, it moved its holding company in the same month to the US from Luxembourg, a switch that Wire’s CEO Morten Brogger described in an interview as “simple and pragmatic.”
He also said that Wire is planning to introduce a freemium tier to its existing consumer service — which itself has half a million users — while working on a larger round of funding to fuel more growth of its enterprise business — a key reason for moving to the US, he added: There is more money to be raised there.
“We knew we needed this funding and additional to support continued growth. We made the decision that at some point in time it will be easier to get funding in North America, where there’s six times the amount of venture capital,” he said.
While Wire has moved its holding company to the US, it is keeping the rest of its operations as is. Customers are licensed and serviced from Wire Switzerland; the software development team is in Berlin, Germany; and hosting remains in Europe.
The news of Wire’s US move and the basics of its February funding — sans value, date or backers — came out this week via a blog post that raises questions about whether a company that trades on the idea of data privacy should itself be more transparent about its activities.
The changes to Wire’s financing and legal structure had not been communicated to users until news started to leak out, which brings up questions not just about transparency, but about how secure Wire’s privacy policy will play out, given the company’s ownership now being on US soil.
So turns out @wire changed ownership, didn’t really notify anyone as per their own privacy policy, and worst of all it’s to a US entity. It’s been proven time after time we shouldn’t place our data (or trust) into US entities. I used wire because it was different. Cc @Snowden https://t.co/i2cwAhMaTQ
— Peter Sunde Kolmisoppi (@brokep) November 12, 2019
It was an issue picked up and amplified by NSA whistleblower Edward Snowden . Via Twitter, he described the move to the US as “not appropriate for a company claiming to provide a secure messenger — claims a large number of human rights defenders relied on.”
If you’re a tech journalist, you should be digging into the story behind what’s going on behind the curtain here. This is not appropriate for a company claiming to provide a secure messenger — claims a large number of human rights defenders relied on — and we need facts. https://t.co/iV4tRZwgDR
— Edward Snowden (@Snowden) November 12, 2019
The key question is whether Wire’s shift to the US puts users’ data at risk — a question that Brogger claims is straightforward to answer: “We are in Switzerland, which has the best privacy laws in the world” — it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws — “and Wire now belongs to a new group holding, but there no change in control.”
In its blog post published in the wake of blowback from privacy advocates, Wire also claims it “stands by its mission to best protect communication data with state-of-the-art technology and practice” — listing several items in its defence:
But where data privacy and US law are concerned, it’s complicated. Snowden famously leaked scores of classified documents disclosing the extent of US government mass surveillance programs in 2013, including how data-harvesting was embedded in US-based messaging and technology platforms.
Six years on, the political and legal ramifications of that disclosure are still playing out — with a key judgement pending from Europe’s top court which could yet unseat the current data transfer arrangement between the EU and the US.
Wire launched at a time when interest in messaging apps was at a high watermark. The company made its debut in the middle of February 2014, and it was only one week later that Facebook acquired WhatsApp for the princely sum of $19 billion. We described Wire’s primary selling point at the time as a “reimagining of how a communications tool like Skype should operate had it been built today” rather than in in 2003.
That meant encryption and privacy protection, but also better audio tools and file compression and more. It was a pitch that seemed especially compelling considering the background of the company. Skype co-founder Janus Friis and funds connected to him were the startup’s first backers (and they remain the largest shareholders); Wire was co-founded in by Skype alums Jonathan Christensen and Alan Duric (no longer with the company); and even new investor Morpheus has Skype roots.
Even with the Skype pedigree, the strategy faced a big challenge.
“The consumer messaging market is lost to the Facebooks of the world, which dominate it,” Brogger said today. “However, we made a clear insight, which is the core strength of Wire: security and privacy.”
That, combined with trend around the consumerization of IT that’s brought new tools to business users, is what led Wire to the enterprise market in 2017.
But fast forward to today, and it seems that even as security and privacy are two sides of the same coin, it may not be so simple when deciding what to optimise in terms of features and future development, which is part of the question now and what critics are concerned with.
“Wire was always for profit and planned to follow the typical venture backed route of raising rounds to accelerate growth,” one source familiar with the company told us. “However, it took time to find its niche (B2B, enterprise secure comms).
“It needed money to keep the operations going and growing. [But] the new CEO, who joined late 2017, didn’t really care about the free users, and the way I read it now, the transformation is complete: ‘If Wire works for you, fine, but we don’t really care about what you think about our ownership or funding structure as our corporate clients care about security, not about privacy.’”
And that is the message you get from Brogger, too, who describes individual consumers as “not part of our strategy”, but also not entirely removed from it, either, as the focus shifts to enterprises and their security needs.
Brogger said there are still half a million individuals on the platform, and they will come up with ways to continue to serve them under the same privacy policies and with the same kind of service as the enterprise users. “We want to give them all the same features with no limits,” he added. “We are looking to switch it into a freemium model.”
On the other side, “We are having a lot of inbound requests on how Wire can replace Skype for Business,” he said. “We are the only one who can do that with our level of security. It’s become a very interesting journey and we are super excited.”
Part of the company’s push into enterprise has also seen it make a number of hires. This has included bringing in two former Huddle C-suite execs, Brogger as CEO and Rasmus Holst as chief revenue officer — a bench that Wire expanded this week with three new hires from three other B2B businesses: a VP of EMEA sales from New Relic, a VP of finance from Contentful; and a VP of Americas sales from Xeebi.
Such growth comes with a price-tag attached to it, clearly. Which is why Wire is opening itself to more funding and more exposure in the US, but also more scrutiny and questions from those who counted on its services before the change.
Brogger said inbound interest has been strong and he expects the startup’s next round to close in the next two to three months.
Powered by WPeMatico
Security researchers have found several popular Android phones can be tricked into snooping on their owners by exploiting a weakness that gives accessories access to the phone’s underlying baseband software.
Attackers can use that access to trick vulnerable phones into giving up their unique identifiers, such as their IMEI and IMSI numbers, downgrade a target’s connection in order to intercept phone calls, forward calls to another phone or block all phone calls and internet access altogether.
The research, shared exclusively with TechCrunch, affects at least 10 popular Android devices, including Google’s Pixel 2, Huawei’s Nexus 6P and Samsung’s Galaxy S8+.
The vulnerabilities are found in the interface used to communicate with the baseband firmware, the software that allows the phone’s modem to communicate with the cell network, such as making phone calls or connecting to the internet. Given its importance, the baseband is typically off-limits from the rest of the device, including its apps, and often come with command blacklisting to prevent non-critical commands from running. But the researchers found that many Android phones inadvertently allow Bluetooth and USB accessories — like headphones and headsets — access to the baseband. By exploiting a vulnerable accessory, an attacker can run commands on a connected Android phone.
“The impact of these attacks ranges from sensitive user information exposure to complete service disruption,” said Syed Rafiul Hussain and Imtiaz Karim, two co-authors of the research, in an email to TechCrunch.
Hussain and his colleagues Imtiaz Karim, Fabrizio Cicala and Elisa Bertino at Purdue University and Omar Chowdhury at the University of Iowa are set to present their findings next month.
“The impact of these attacks ranges from sensitive user information exposure to complete service disruption.”
Syed Rafiul Hussain, Imtiaz Karim
Baseband firmware accepts special commands, known as AT commands, which control the device’s cellular functions. These commands can be used to tell the modem which phone number to call. But the researchers found that these commands can be manipulated. The researchers developed a tool, dubbed ATFuzzer, which tries to find potentially problematic AT commands.
In their testing, the researchers discovered 14 commands that could be used to trick the vulnerable Android phones into leaking sensitive device data, and manipulating phone calls.
But not all devices are vulnerable to the same commands or can be manipulated in the same way. The researchers found, for example, that certain commands could trick a Galaxy S8+ phone into leaking its IMEI number, redirect phone calls to another phone and downgrade their cellular connection — all of which can be used to snoop and listen in on phone calls, such as with specialist cellular snooping hardware known as “stingrays.” Other devices were not vulnerable to call manipulation but were susceptible to commands that could be used to block internet connectivity and phone calls.
The vulnerabilities are not difficult to exploit, but require all of the right conditions to be met.
“The attacks can be easily carried out by an adversary with cheap Bluetooth connectors or by setting up a malicious USB charging station,” said Hussain and Karim. In other words, it’s possible to manipulate a phone if an accessory is accessible over the internet — such as a computer. Or, if a phone is connected to a Bluetooth device, an attacker has to be in close proximity. (Bluetooth attacks are not difficult, given vulnerabilities in how some devices implement Bluetooth has left some devices more vulnerable to attacks than others.)
“If your smartphone is connected with a headphone or any other Bluetooth device, the attacker can first exploit the inherent vulnerabilities of the Bluetooth connection and then inject those malformed AT commands,” the researchers said..
Samsung recognized the vulnerabilities in some of its devices and is rolling out patches. Huawei did not comment at the time of writing. Google said: “The issues reported are either in compliance with the Bluetooth specification or do not reproduce on Pixel devices with up to date security patches.”
Hussain said that iPhones were not affected by the vulnerabilities.
This research becomes the latest to examine vulnerabilities in baseband firmware. Over the years there have been several papers examining various phones and devices with baseband vulnerabilities. Although these reports are rare, security researchers have long warned that intelligence agencies and hackers alike could be using these flaws to launch silent attacks.
Powered by WPeMatico
When Okta launched its $50 million Okta Ventures investment fund in April, one of its investments was in an early-stage privacy startup called DataGrail. Today, the companies announced a partnership that they hope will help boost DataGrail, while providing Okta customers with a privacy tool option.
DataGrail CEO and co-founder Daniel Barber says that with the increase in privacy legislation, from GDPR to the upcoming California Consumer Protection Act (and many other proposed bills in various states of progress), companies need tools to help them comply and protect user privacy. “We are a privacy platform focused on delivering continuous compliance for businesses,” Barber says.
They do this in a way that fits nicely with Okta’s approach to identity. Whereas Okta provides a place to access all of your cloud applications from a single place with one logon, DataGrail connects to your applications with connectors to provide a way to monitor privacy across the organization from a single view.
It currently has 180 connectors to common enterprise applications like Salesforce, HubSpot, Marketo and Oracle. It then collects this data and presents it to the company in a central interface to help ensure privacy. “Our key differentiator is that we’re able to deliver a live data map of the customer data that exists within an organization,” Barber explained.
The company just launched last year, but Barber sees similarities in their approaches. “We see clear alignment on our go-to-market approach. The product that we built aligns very similarly to the way Okta is deployed, and we’re a true partner with the industry leader in identity management,” he said.
Monty Gray, SVP and head of corporate development at Okta, says that the company is always looking for innovative companies that fit well with Okta. The company liked DataGrail enough to contribute to the startup’s $5.2 million Series A investment in July.
Gray says that while DataGrail isn’t the only privacy company it’s partnering with, he likes how DataGrail is helping with privacy compliance in large organizations. “We saw how DataGrail was thinking about [privacy] in a modern fashion. They enable these technology companies to become not only compliant, but do it in a way where they were not directly in the flow, that they would get out of the way,” Gray explained.
Barber says having the help of Okta could help drive sales, and for a company that’s just getting off the ground, having a public company in your corner as an investor, as well as a partner, could help push the company forward. That’s all that any early startup can hope for.
Powered by WPeMatico