Thursday, 28 February 2019

Facebook admits 18% of Research spyware users were teens, not

Facebook has changed its story after initially trying to downplay how it targeted teens with its Research program that a TechCrunch investigation revealed was paying them gift cards to monitor all their mobile app usage and browser traffic. “Less than 5 percent of the people who chose to participate in this market research program were teens,” a Facebook spokesperson told TechCrunch and many other news outlets in a damage control effort 7 hours after we published our report on January 29th. At the time, Facebook claimed that it had removed its Research app from iOS. The next morning we learned that wasn’t true, as Apple had already forcibly blocked the Facebook Research app for violating its Enterprise Certificate program, which is supposed to be reserved for companies distributing internal apps to employees.

It turns out that wasn’t the only time Facebook deceived the public in its response regarding the Research VPN scandal. TechCrunch has obtained Facebook’s unpublished February 21st response to questions about the Research program in a letter from Senator Mark Warner, who wrote to CEO Mark Zuckerberg that “Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me.”

In the response from Facebook’s VP of US public policy Kevin Martin, the company admits that (emphasis ours) “At the time we ended the Facebook Research App on Apple’s iOS platform, less than 5 percent of the people sharing data with us through this program were teens. Analysis shows that number is about 18 percent when you look at the complete lifetime of the program, and also add people who had become inactive and uninstalled the app.” So 18 percent of Research testers were teens. It was only less than 5 percent when Facebook got caught. Given that users aged 13 to 35 were eligible for Facebook’s Research program, 13 to 18 year olds made up 22 percent of the age range. That means Facebook clearly wasn’t trying to minimize teen involvement, nor were teens just a tiny fraction of users.


Warner asked Facebook “Do you think any user reasonably understood Facebook was using this data for commercial purposes including to track competitors?” Facebook’s response indicates it never told Research users anything about tracking “competitors”, and instead dances around the question. Facebook says the registration process told users the data would help the company “understand how people use mobile apps,” “improve . . . services,” and “introduce new features for millions of people around the world.”

Facebook had also told reporters on January 29th regarding teens’ participation, “All of them with signed parental consent forms.” Yet in its response to Senator Warner, Facebook admitted that “Potential participants were required to confirm that they were over 18 or provide other evidence of parental consent, though the vendors did not require a signed parental consent form for teen users.” In some cases, underage users merely had to check a box to claim they had parental consent, and there was no verification of users’ ages or that their parents actually approved.

So to quickly recap:

Facebook targeted teens with ads on Instagram and Snapchat to join the Research program without revealing its involvement

The contradictions between Facebook’s initial response to reporters and what it told Warner, who has the power to pursue regulation of the tech giant, show Facebook’s willingness to move fast and play loose with the truth when it’s less accountable. It’s no wonder the company never shared the response with TechCrunch or posted a blog post or press release about it.

Facebook’s attempt to minimize the issue in the wake of backlash exemplifies the trend of the social network’s “reactionary” PR strategy that employees described to BuzzFeed’s Ryan Mac. The company often views its scandals as communications errors rather than actual product screwups or as signals of deep-seated problems with Facebook’s respect for privacy. Facebook needs to learn to take its lumps, change course, and do better rather than constantly trying to challenge details of negative press about it, especially before it has all the necessary information. Until then, the never-ending news cycle of Facebook’s self-made disasters will continue.

Here is Facebook’s full response to Senator Warner’s inquiry [PDF], and below is Warner’s original letter to Mark Zuckerberg.

Additional reporting by Krystal Hu



from Apple – TechCrunch https://ift.tt/2UkSpgg

Privacy complaints received by tech giants’ favorite EU watchdog up more than 2x since GDPR

A report by the lead data watchdog for a large number of tech giants operating in Europe shows a significant increase in privacy complaints and data breach notifications since the region’s updated privacy framework came into force last May.

The Irish Data Protection Commission (DPC)’s annual report, published today, covers the period from May 25, aka the day the EU’s General Data Protection Regulation (GDPR) came into force, to December 31 2018 and shows the DPC received more than double the number of complaints post-GDPR vs the first portion of 2018 prior to the new regime coming in: 2,864 and 1,249 complaints received, respectively.

That makes a total of 4,113 complaints for full year 2018 (vs just 2,642 for 2017), which is a year-on-year increase of 36 per cent.

But the increase pre- and post-GDPR is even greater — 56 per cent — suggesting the regulation is working as intended by building momentum and support for individuals to exercise their fundamental rights.

“The phenomenon that is the [GDPR] has demonstrated one thing above all else: people’s interest in and appetite for understanding and controlling use of their personal data is anything but a reflection of apathy and fatalism,” writes Helen Dixon, Ireland’s commissioner for data protection.

She adds that the rise in the number of complaints and queries to DPAs across the EU since May 25 demonstrates “a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data”.

While Europe has had online privacy rules since 1995, a weak regime of enforcement essentially allowed them to be ignored for decades — and Internet companies to grab and exploit web users’ data without full regard and respect for Europeans’ privacy rights.

But regulators hit the reset button last year. And Ireland’s data watchdog is an especially interesting agency to watch if you’re interested in assessing how GDPR is working, given how many tech giants have chosen to place their international data flows under the Irish DPC’s supervision.

More cross-border complaints

“The role places an important duty on the DPC to safeguard the data protection rights of hundreds of millions of individuals across the EU, a duty that the GDPR requires the DPC to fulfil in cooperation with other supervisory authorities,” the DPC writes in the report, discussing its role of supervisory authority for multiple tech multinationals and acknowledging both a “greatly expanded role under the GDPR” and a “significantly increased workload”.

A breakdown of GDPR vs Data Protection Act 1998 complaint types over the report period suggests complaints targeted at multinational entities have leapt up under the new DP regime.

For some complaint types the old rules resulted in just 2 per cent of complaints being targeted at multinationals vs close to a quarter (22 per cent) in the same categories under GDPR.

It’s the most marked difference between the old rules and the new — underlining the DPC’s expanded workload in acting as a hub (and often lead supervisory agency) for cross-border complaints under GDPR’s one-stop shop mechanism.

The category with the largest proportions of complaints under GDPR over the report period was access rights (30%) — with the DPC receiving a full 582 complaints related to people feeling they’re not getting their due data. Access rights was also most complained about under the prior data rules over this period.

Other prominent complaint types continue to be unfair processing of data (285 GDPR complaints vs 178 under the DPA); disclosure (217 vs 138); and electronic direct marketing (111 vs 36).

EU policymakers’ intent with GDPR is to redress the imbalance of weakly enforced rights — including by creating new opportunities for enforcement via a regime of supersized fines. (GDPR allows for penalties as high as up to 4 per cent of annual turnover, and in January the French data watchdog slapped Google with a $57M GDPR penalty related to transparency and consent — albeit still far off that theoretical maximum.)

Importantly, the regulation also introduced a collective redress option which has been adopted by some EU Member States.

This allows for third party organizations such as consumer rights groups to lodge data protection complaints on individuals’ behalf. The provision has led to a number of strategic complaints being filed by organized experts since last May (including in the case of the aforementioned Google fine) — spinning up momentum for collective consumer action to counter rights erosion. Again that’s important in a complex area that remains difficult for consumers to navigate without expert help.

For upheld complaints the GDPR ‘nuclear option’ is not fines though; it’s the ability for data protection agencies to order data controllers to stop processing data.

That remains the most significant tool in the regulatory toolbox. And depending on the outcome of various ongoing strategic GDPR complaints it could prove hugely significant in reshaping what data experts believe are systematic privacy incursions by adtech platform giants.

And while well-resourced tech giants may be able to factor in even very meaty financial penalties, as just a cost of doing a very lucrative business, data-focused business models could be far more precarious if processors can suddenly be slapped with an order to limit or even cease processing data. (As indeed Facebook’s business just has in Germany, where antitrust regulators have been liaising with privacy watchdogs.)

Data breach notifications also up

GDPR also shines a major spotlight on security — requiring privacy by design and default and introducing a universal requirement for swiftly reporting data breaches across the bloc, again with very stiff penalties for non-compliance.

On the data breach front, the Irish DPC says it received a total of 3,687 data breach notifications between May 25 and December 31 last year — finding just four per cent (145 cases) did not meet the definition of a personal-data breach set out in GDPR. That means it recorded a total of 3,542 valid data protection breaches over the report period — which it says represents an increase of 27 per cent on 2017 breach report figures.

“As in other years, the highest category of data breaches notified under the GDPR were classified as Unauthorised Disclosures and accounted for just under 85% of the total data-breach notifications received between 25 May and 31 December 2018,” it notes, adding: “The majority occurred in the private sector (2,070).”

More than 4,000 data breach notifications were recorded by the watchdog for full year 2018, the report also states.

The DPC further reveals that it was notified of 38 personal data breaches involving 11 multinational technology companies during the post-GDPR period of 2018 — in other words, breaches involving tech giants.

“A substantial number of these notifications involved the unauthorised disclosure of, and unauthorised access to, personal data as a result of bugs in software supplied by data processors engaged by the organisations,” it writes, saying it opened several investigations as a result (such as following the Facebook Token breach in September 2018).

Open probes of tech giants

As of 31 December 2018, the DPC says it had 15 investigations open in relation to multinational tech companies’ compliance with GDPR.

Below is the full list of the DPC’s currently open investigations of multinationals — including the tech giant under scrutiny; the origin of the inquiry; and the issues being examined:

  • Facebook Ireland Limited — Complaint-based inquiry: “Right of Access and Data Portability. Examining whether Facebook has discharged its GDPR obligations in respect of the right of access to personal data in the Facebook ‘Hive’ database and portability of “observed” personal data”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to Facebook’s Terms of Service and Data Policy. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Facebook platform.”
  • Facebook Ireland Limited — Complaint-based inquiry: “Lawful basis for processing. Examining whether Facebook has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Ireland has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Facebook September 2018 token breach. Examining Facebook’s compliance with the GDPR’s breach notification obligations.”
  • Facebook Inc. — Own-volition inquiry: “Facebook September 2018 token breach. Examining whether Facebook Inc. has discharged its GDPR obligations to implement organizational and technical measures to secure and safeguard the personal data of its users.”
  • Facebook Ireland Limited — Own-volition inquiry: “Commenced in response to large number of breaches notified to the DPC during the period since 25 May 2018 (separate to the token breach). Examining whether Facebook has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • Instagram (Facebook Ireland Limited) — Complaint-based inquiry: “Lawful basis for processing in relation to Instagram’s Terms of Use and Data Policy. Examining whether Instagram has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the Instagram platform.”
  • WhatsApp Ireland Limited — Complaint-based inquiry: “Lawful basis for processing in relation to WhatsApp’s Terms of Service and Privacy Policy. Examining whether WhatsApp has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data of individuals using the WhatsApp platform.”
  • WhatsApp Ireland Limited — Own-volition inquiry: “Transparency. Examining whether WhatsApp has discharged its GDPR transparency obligations with regard to the provision of information and the transparency of that information to both users and non-users of WhatsApp’s services, including information provided to data subjects about the processing of information between WhatsApp and other Facebook companies.”
  • Twitter International Company — Complaint-based inquiry: “Right of Access. Examining whether Twitter has discharged its obligations in respect of the right of access to links accessed on Twitter.”
  • Twitter International Company — Own-volition inquiry: “Commenced in response to the large number of breaches notified to the DPC during the period since 25 May 2018. Examining whether Twitter has discharged its GDPR obligations to implement organisational and technical measures to secure and safeguard the personal data of its users.”
  • LinkedIn Ireland Unlimited Company — Complaint-based inquiry: “Lawful basis for processing. Examining whether LinkedIn has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Lawful basis for processing. Examining whether Apple has discharged its GDPR obligations in respect of the lawful basis on which it relies to process personal data in the context of behavioural analysis and targeted advertising on its platform.”
  • Apple Distribution International — Complaint-based inquiry: “Transparency. Examining whether Apple has discharged its GDPR transparency obligations in respect of the information contained in its privacy policy and online documents regarding the processing of personal data of users of its services.”

“The DPC’s role in supervising the data-processing operations of the numerous large data-rich multinational companies — including technology internet and social media companies — with EU headquarters located in Ireland changed immeasurably on 25 May 2018,” the watchdog acknowledges.

“For many, including Apple, Facebook, Microsoft, Twitter, Dropbox, Airbnb, LinkedIn, Oath [disclosure: TechCrunch is owned by Verizon Media Group; aka Oath/AOL], WhatsApp, MTCH Technology and Yelp, the DPC acts as lead supervisory authority under the GDPR OSS [one-stop shop] facility.”

The DPC notes in the report that between May 25 and December 31 2018 it received 136 cross-border processing complaints through the regulation’s OSS mechanism (i.e. which had been lodged by individuals with other EU data protection authorities).

A breakdown of these (likely) tech giant focused GDPR complaints shows a strong focus on consent, right of erasure, right of access and the lawfulness of data processing:

[Chart: Breakdown of cross-border complaint types received by the DPC under GDPR’s OSS mechanism]

While the Irish DPC acts as the lead supervisor for many high profile GDPR complaints which relate to how tech giants are handling people’s data, it’s worth emphasizing that the OSS mechanism does not mean Ireland is sitting in sole judgement on Silicon Valley’s giants’ rights incursions in Europe.

The mechanism allows for other DPAs to be involved in these cross-border complaints.

And the European Data Protection Board, the body that works with all the EU Member States’ DPAs to help ensure consistent application of the regulation, can trigger a dispute resolution process if a lead agency considers it cannot implement a concerned agency objection. The aim is to work against forum shopping.

In a section on “EU cooperation”, the DPC further writes:

Our fellow EU regulators, alongside whom we sit on the European Data Protection Board (EDPB), follow the activities and results of the Irish DPC closely, given that a significant number of people in every EU member state are potentially impacted by processing activities of the internet companies located in Ireland. EDPB activity is intense, with monthly plenary meetings and a new system of online data sharing in relation to cross-border processing cases rolled out between the authorities. The DPC has led on the development of EDPB guidance on arrangements for Codes of Conduct under the GDPR and these should be approved and published by the EDPB in Q1 of 2019. The DPC looks forward to industry embracing Codes of Conduct and raising the bar in individual sectors in terms of standards of data protection and transparency. Codes of Conduct are important because they will more comprehensively reflect the context and reality of data-processing activities in a given sector and provide clarity to those who sign up to the standards that need to be attained in addition to external monitoring by an independent body. It is clarity of standards that will drive real results.

Over the reported period the watchdog also reveals that it issued 23 formal requests seeking detailed information on compliance with various aspects of the GDPR from tech giants, noting too that since May 25 it has engaged with platforms on “a broad range of issues” — citing the following examples to give a flavor of these concerns:

  • Google on the processing of location data
  • Facebook on issues such as the transfer of personal data from third-party apps to Facebook and Facebook’s collaboration with external researchers
  • Microsoft on the processing of telemetry data collected by its Office product
  • WhatsApp on matters relating to the sharing of personal data with other Facebook companies

“Supervision engagement with these companies on the matters outlined is ongoing,” the DPC adds of these issues.

Adtech sector “must comply” with GDPR

Talking of ongoing action, a GDPR complaint related to the security of personal data that’s systematically processed to power behavioral advertising is another open complaint on the DPC’s desk.

The strategic complaint was filed by a number of individuals in multiple EU countries (including Ireland) last fall. Since then the individuals behind the complaints have continued to submit and publish evidence they argue bolsters their case against the behavioral ad targeting industry (principally Google and the IAB, which sets the spec involved in the real-time bidding (RTB) system).

The Irish DPC makes reference to this RTB complaint in the annual report, giving the adtech industry what amounts to a written warning that while the advertising ecosystem is “complex”, with multiple parties involved in “high-speed, voluminous transactions” related to bidding for ad space and serving ad content “the protection of personal data is a prerequisite to the processing of any personal data within this ecosystem and ultimately the sector must comply with the standards set down by the GDPR”.

The watchdog also reports that it has engaged with “several stakeholders, including publishers and data brokers on one side, and privacy advocates and affected individuals on the other”, vis-a-vis the RTB complaint, and says it will continue prioritizing its scrutiny of the sector in 2019 — “in cooperation with its counterparts at EU level so as to ensure a consistent approach across all EU member states”.

It goes on to say that some of its 15 open investigations into tech giants will both conclude this year and “contribute to answering some of the questions relating to this complex area”. So, tl;dr, watch this space.

Responding to the DPC’s comments on the RTB complaint, Dr Johnny Ryan, chief policy and industrial relations officer of private browser Brave — and also one of the complainants — told us they expect the DPC to act “urgently”.

“We have brought our complaint before the DPC and other European regulators because there is a dire need to fix adtech so that it works safely,” he told TechCrunch. “The DPC itself recognizes that online advertising is a priority. The IAB and Google online ‘ad auction’ system enables companies to broadcast what every single person online reads, watches, and listens to online to countless parties. There is no control over what happens to these data. The evidence that we have submitted to the DPC shows that this occurs hundreds of billions of times a day.”

“In view of the upcoming European elections, it is particularly troubling that the IAB and Google’s systems permit voters to be profiled in this way,” he added. “Clearly, this infringes the security and integrity principles of the GDPR, and we expect the DPC to act urgently.”

The IAB has previously rejected the complaints as “false”, arguing any security risk is “theoretical”; while Google has said it has policies in place to prohibit advertisers from targeting sensitive categories of data. But the RTB complaint itself pivots on GDPR’s security requirements which demand that personal data be processed in a manner that “ensures appropriate security”, including “protection against unauthorised or unlawful processing and against accidental loss”.

So the security of the RTB system is the core issue which the Irish DPC, along with agencies in the UK and Poland, will have to grapple with as a priority this year.

The complainants have also said they intend to file additional complaints in more markets across Europe, so more DPAs are likely to join the scrutiny of RTB, as concerned supervisory agencies, which could increase pressure on the Irish DPC to act.

Schrems II vs Facebook

The watchdog’s report also includes an update on long-running litigation filed by European privacy campaigner Max Schrems concerning a data transfer mechanism known as standard contractual clauses (SCCs) — and originally only targeted at Facebook’s use of the mechanism.

The DPC decided to refer Schrems’ original challenge to the Irish courts — which have since widened the action by referring a series of legal questions up to the EU’s top court with (now) potential implications for the legality of the EU’s ‘flagship’ Privacy Shield data transfer mechanism.

That was negotiated following the demise of its predecessor Safe Harbor, in 2015, also via a Schrems legal challenge, going on to launch in August 2016 — despite ongoing concerns from data experts. Privacy Shield is now used by close to 4,500 companies to authorize transfers of EU users’ personal data to the US.

So while Schrems’ complaint about SCCs (sometimes also called “model contract clauses”) was targeted at Facebook’s use of them, the litigation could end up having major implications for very many more companies if Privacy Shield itself comes unstuck.

More recently Facebook has sought to block the Irish judges’ referral of legal questions to the Court of Justice of the EU (CJEU) — winning leave to appeal last summer (though judges did not stay the referral in the meanwhile).

In its report the DPC notes that the substantive hearing of Facebook’s appeal took place over January 21, 22 and 23 before a five-judge Supreme Court panel.

“Oral arguments were made on behalf of Facebook, the DPC, the U.S. Government and Mr Schrems,” it writes. “Some of the central questions arising from the appeal include the following: can the Supreme Court revisit the facts found by the High Court relating to US law? (This arises from allegations by Facebook and the US Government that the High Court judgment, which underpins the reference made to the CJEU, contains various factual errors concerning US law).

“If the Supreme Court considers that it may do so, further questions will then arise for the Court as to whether there are in fact errors in the judgment and if so, whether and how these should be addressed.”

“At the time of going to print there is no indication as to when the Supreme Court judgment will be delivered,” it adds. “In the meantime, the High Court’s reference to the CJEU remains valid and is pending before the CJEU.”



from Apple – TechCrunch https://ift.tt/2H3XYMy

Report: Disney in talks with AT&T to buy WarnerMedia’s 10% Hulu stake

Disney is in discussions to buy AT&T’s 10 percent stake in Hulu, which it comes into by way of its WarnerMedia acquisition, according to a report from Variety this morning. The news is not surprising – AT&T had already said it was exploring a sale. And Disney has been looking to increase its stake in Hulu following its deal for 20th Century Fox which, when closed, will see Disney picking up Fox’s 30 percent share in Hulu.

Currently, Disney owns a 30 percent stake in Hulu’s streaming service. That means the Fox deal will give it a 60 percent stake in Hulu. Snagging AT&T’s Hulu share would bring Disney’s ownership to 70 percent.

Comcast/NBCU is Hulu’s other major owner, but isn’t currently prepared to sell, Variety said.

AT&T had detailed its streaming plans to investors in November, noting at the time it was thinking of selling its Hulu stake as part of its larger goal to “monetize assets” that were not essential to its current strategies and to help pay down its debt. Its Hulu share is valued at $930 million.

AT&T has little interest in Hulu because it’s building out its own internet-based streaming services, including live TV service DirecTV Now; the more lightweight WatchTV; and a new service that leverages its WarnerMedia properties. WarnerMedia also today operates streaming services for its brands, like HBO NOW, Boomerang, DC Universe, and others.

Disney, meanwhile, is preparing to launch its family-friendly Netflix competitor, Disney+, but sees Hulu as a place to house its more adult-oriented programming and general entertainment properties.

Hulu today has 25 million subscribers, but is still a smaller player compared with Netflix because it’s not yet available worldwide. It also hasn’t invested into original programming at Netflix’s scale. Disney’s increased ownership will change these things and could help Hulu compete on the market against larger rivals like Netflix, AT&T/WarnerMedia, and soon Apple, as well.



from Apple – TechCrunch https://ift.tt/2EnDN9p

Thailand passes controversial cybersecurity law that could enable government surveillance

Thailand’s government passed a controversial cybersecurity bill today that has been criticized for vagueness and the potential to enable sweeping access to internet user data.

The bill (available in Thai) was amended late last year following criticism over potential data access, but it passed the country’s parliament with 133 votes in favor and no rejections, although there were 16 absentees.

There are concerns around a number of clauses, chiefly the potential for the government — which came to power via a military coup in 2014 — to search and seize data and equipment in cases that are deemed issues of national emergency. That could enable internet traffic monitoring and access to private data, including communications, without a court order.

The balance of power beyond enforcement has also been questioned. Critics have highlighted the role of the National Cybersecurity Committee, which is headed by the Prime Minister and holds considerable weight in carrying out the law. The Committee has been called upon to include representation from the industry and civic groups to give it greater oversight and balance.

Added together, there’s a fear that the law could be weaponized by the government to silence critics. Thailand already has powerful lese majeste laws, which make it illegal to criticize the monarchy and have been used to jail citizens for comments left on social media and websites. The country has also censored websites in the past, including the Daily Mail and, for a nearly six-month period in 2007, YouTube.

“The Asia Internet Coalition is deeply disappointed that Thailand’s National Assembly has voted in favor of a Cybersecurity Law that overemphasizes a loosely-defined national security agenda, instead of its intended objective of guarding against cyber risks,” read a statement from Jeff Paine, managing director of Asia Internet Coalition — an alliance of international tech firms that include Facebook, Google and Apple.

“Protecting online security is a top priority, however the Law’s ambiguously defined scope, vague language and lack of safeguards raises serious privacy concerns for both individuals and businesses, especially provisions that allow overreaching authority to search and seize data and electronic equipment without proper legal oversight. This would give the regime sweeping powers to monitor online traffic in the name of an emergency or as a preventive measure, potentially compromising private and corporate data,” Paine added.

Reaction to the law has seen a hashtag (#พรบไซเบอร์) trend on Twitter in Thailand, while other groups have spoken out on the potential implications.

Thailand isn’t alone in introducing controversial internet laws. New regulations, passed last summer, came into force in near-neighbor Vietnam on January 1 and sparked similar concerns around free speech online.

That Vietnamese law broadly forbids internet users from organizing with, or training, others for anti-state purposes, spreading false information, and undermining the nation state’s achievements or solidarity. It also requires foreign internet companies to operate a local office and store user information on Vietnamese soil. That’s something neither Google nor Facebook has complied with, despite the Vietnamese government’s recent claim that the former is investigating a local office launch.



from Apple – TechCrunch https://ift.tt/2VqZ9cY

Wednesday, 27 February 2019

Polestar unveils its all-electric response to the Tesla Model 3

Volvo’s standalone electric performance brand Polestar introduced Wednesday its first all-electric vehicle — a five-door fastback that is gunning for the Tesla Model 3.

In the past few years, every time an electric vehicle — concept, prototype, or production version — has been unveiled, the term “Tesla killer” has been tossed about regardless of whether that car will ever even come to market.

In the case of Polestar 2, it’s unclear if it will be the “Tesla killer.” It’s possible that an entirely new group of customers will be attracted to the vehicle. What is clear: the Polestar 2 was designed to compete with the Tesla Model 3 in the U.S., Europe and China. 

You can watch the reveal on Polestar’s YouTube channel.

The specs

The Polestar 2 is meant to be a performance electric vehicle. It’s equipped with two electric motors and a 78 kilowatt-hour battery pack that has an estimated EPA range of about 275 miles.

The Polestar 2’s all-wheel drive electric powertrain produces 300 kW (the equivalent of 408 horsepower) and 487 lb-ft of torque. This is above the rear-wheel (and currently cheapest) version of the Model 3. It’s just a skoosh under the dual-motor performance version of the Model 3, which has an output of 450 horsepower and 471 lb-ft of torque.

The Polestar 2 accelerates from 0 to 100 km/h (about 62 mph) in less than 5 seconds — again a stat that puts it right above the mid-range Model 3 and below the performance version.


Android inside

In 2017, Volvo announced plans to incorporate a version of its Android operating system into its car infotainment systems. A year later, the company said it would embed voice-controlled Google Assistant, Google Play Store, Google Maps, and other Google services into its next-generation Sensus infotainment system.

Polestar has followed Volvo. The Polestar 2’s infotainment system will be powered by Android OS and as a result, bring embedded Google services such as Google Assistant, Google Maps, and the Google Play Store into the car.

This shouldn’t be confused with Android Auto, which is a secondary interface that sits on top of an operating system. Android OS is modeled after Google’s open-source mobile operating system that runs on Linux. But instead of running smartphones and tablets, Google modified it so it could be used in cars.

The Polestar 2 will also have so-called “Phone-As-Key technology,” which basically means customers will have the ability to unlock their car remotely using their smartphones. This capability opens the door — literally and figuratively — for owners to rent their vehicle out via car sharing or use a delivery service to drop off items in the vehicle.

The feature also allows Polestar 2 to sense the driver upon approach. 


Market plans

The base price of the Polestar 2 is 39,900 euros ($45,389), the company says. However, for the first year of production only the pricier “launch edition” will be available, at 59,900 euros, or about $68,000. (The prices are listed before any federal or state incentives might be applied.)

Production of the Polestar 2 will begin in early 2020 at its Chengdu, China factory. The company is initially targeting sales in China, the U.S., Canada and a handful of European countries that include Belgium, Germany, the Netherlands, Norway, Sweden and the UK.

Polestar, like its potential rival Tesla, is also ditching the dealership. Polestar will only sell its vehicles online and will offer customers subscriptions to the vehicle. Subscription pricing will be revealed at a later date, Polestar said.

The automaker is also opening “Polestar Spaces,” a showroom where customers can interact with the product and schedule test drives. These spaces will be standalone facilities and not within existing Volvo retailer showrooms.

Polestar was once a high-performance brand under Volvo Cars. In 2017, the company was recast as an electric performance brand aimed at producing exciting and fun-to-drive electric vehicles — a niche that Tesla was the first to fill and has dominated ever since. Polestar is jointly owned by Volvo Car Group and Zhejiang Geely Holding of China. Volvo was acquired by Geely in 2010.

The company’s first vehicle, the Polestar 1, was unveiled in September. The Polestar 1 is not a pure electric vehicle; it’s a plug-in hybrid with two electric motors powered by three 34 kilowatt-hour battery packs and a turbocharged and supercharged gas inline-4 up front.

Polestar said Wednesday that its next vehicle, the Polestar 3, will be an all-electric “performance SUV.” The company didn’t provide any additional details about the Polestar 3.



from Android – TechCrunch https://ift.tt/2H5zQsX
via IFTTT

Apple removes VoIP app clones from the App Store

Following my report from yesterday, Apple has removed many of the apps I pointed out. When you try to find them on the App Store, they are no longer available.

The App Store Review Guidelines are very clear when it comes to app duplicates. According to rule 4.3, you can’t release the same app multiple times on the App Store, as it is considered spamming.

But that rule has been poorly enforced and some companies have taken advantage of that. In my original report, I focused on one category in particular — VoIP apps that let you get a second phone number and send and receive calls and texts from that new number.

Developers release multiple versions of the same app so that they can use different names, different keywords and different categories. This way, they can cover a wide range of keywords when you’re searching for an app in the App Store.

So let’s look at the developers I called out yesterday. It’s still unclear if some of these apps will reappear after some changes.

TextMe, Inc.

BinaryPattern and Flexible Numbers LLC

Appverse Inc.

Dingtone Inc.

This case illustrates once again that Apple holds the keys to the App Store kingdom. The company acts as a judge and can make or break some companies.

Some of those companies have released clones of their apps and benefited from that strategy for many years. The main issue here is that App Store rules aren’t enforced consistently.

Plenty of clones in other categories

The clone plague is far from over. Many categories also use this App Store optimization strategy.

JPEG Labs has released four different apps that let you print photos in Walgreens or CVS stores around you. They all do the same thing but have different names and keywords. (They also tell you to leave a review right after opening the app.)

Photo Prints: 1 Hour Photos

Print Photos: 1 Hour Prints

Printmatic 1 Hour Photo Print

Same Day Canvas Photo Prints

When you can’t beat them, acquire them

Another good example is MailPix, Inc. You can find multiple copies of the same app. The company is also slowly expanding its App Store footprint by acquiring competitors and changing those apps into duplicated versions of the main app.

MailPix acquired Photobucket’s printing app to turn it into a clone.



from Apple – TechCrunch https://ift.tt/2EBKg1K

Tuesday, 26 February 2019

Virtual phone number apps are gaming the App Store with duplicates

If you’ve searched the App Store for an app to get a second phone number, chances are you found dozens of apps with very few differences. A handful of companies are spamming the App Store with duplicated apps. This strategy is against Apple’s rules.

The App Store Review Guidelines are detailed rules that define what you can and cannot do on the App Store. As soon as you sign up for a developer account and submit an app to the App Store review team, you agree to comply with those rules. It’s a long document, but the rule 4.3 titled “Spam” is straightforward:

Don’t create multiple Bundle IDs of the same app. If your app has different versions for specific locations, sports teams, universities, etc., consider submitting a single app and provide the variations using in-app purchase. Also avoid piling on to a category that is already saturated; the App Store has enough fart, burp, flashlight, and Kama Sutra apps already. Spamming the store may lead to your removal from the Developer Program.

A tipster looked at a specific category in the App Store — VoIP apps that let you get a second phone number, send and receive calls and texts from that new number. I looked at that category myself and here are the results of my investigation.

Companies don’t even try to hide the fact that they have submitted multiple versions of the same app with different names and icons. But the core features remain the same. Apple hasn’t enforced its own guideline properly, and developers have taken advantage of that grey area.

Example 1: TextMe

As you can see on the company’s website, TextMe currently operates three apps and is open about it — TextMe Up, TextMe and FreeTone. These three apps all have an average of 4.7 stars in the App Store with hundreds of thousands of reviews in total.

The wording is slightly different for each app. TextMe Up lets you “call & text anyone in the world from your mobile, tablet, and computer”, while TextMe lets you “get a new phone number and start texting and making calls for free” and FreeTone is all about “[enjoying] free calls & texts to the phone numbers in the US and Canada”.

But if you look at the App Store screenshots, the company doesn’t even bother changing the screenshots or marketing copy.

“Our apps have a different marketing target,” TextMe, Inc. co-founder and co-CEO Patrice Giami told me in a phone interview. “They share the same code base, but we can activate or deactivate some features in order to differentiate the apps. We manage that depending on the competitive environment and if we need to optimize distribution.”

Giami also believes that his company complies with the App Store guidelines. “Apple is doing a very systematic review — we’re constantly scrutinized because we release a lot of app updates. We’ve never been flagged or contacted by Apple — they’ve never said that we’re releasing complete clones of the same app,” he said.

TextMe uses the same developer account for its three apps, Text Me, Inc. Apple could easily compare those apps if it wanted to.

Example 2: BinaryPattern and Flexible Numbers LLC

This case is a bit more sophisticated. The company behind those apps has two different developer accounts and has tried to differentiate its App Store listings a bit. Buttons and colors vary slightly from one app to another, but it’s the same feature set.

Here are a few screenshots I took:

Texting/Calling Phone Burner

Smiley Private Texting SMS

Texting Shield – Phone Number

Burner Phone Numbers SMS/Calls

Business Line Phone Number

I’ve reached out to BinaryPattern/Flexible Numbers and haven’t heard back.

Example 3: Appsverse Inc.

This time, Phoner, Second Line and Text Burner all share the same developer account. Even though these apps let you do the same thing, Appsverse has released its app in three different App Store categories — utilities, productivity and social networking.

By doing that, the company’s apps appear in multiple categories. Text Burner is #88 in social networking, Second Line is #74 in productivity and Phoner is #106 in utilities.

It seems a bit counterintuitive as Appsverse splits their downloads between multiple apps. But I believe the main reason the company is releasing multiple apps is for keyword optimization and App Store search results. It then picks a different category for each app, but it’s a side effect.

Appsverse has sent me the following statement:

“The guideline promotes a healthy App Store ecosystem that is good for both developers and users. It prevents proliferation of similar apps that does not have a differentiation in business model, features, use cases and demographic appeal.”

Example 4: Telos Mobile and Dingtone Inc.

On paper, Dingtone and Telos look like two different apps from two different companies. I downloaded the Dingtone app and signed up with my email address. I then downloaded the Telos app and signed up with the same email address. Here’s the message I got:

I’ve reached out to Telos/Dingtone and haven’t heard back.

A level playing field

Those companies haven’t done anything illegal. They took advantage of Apple’s lack of oversight on an App Store rule. Releasing multiple versions of the same app is a great App Store optimization strategy. This way, you can pick a different name, different keywords and different categories. Chances are potential customers are going to see your app in their App Store search results.

While Apple is usually quite strict when it comes to App Store guidelines, it hasn’t enforced some of them. And this is unfair for app developers who play by the rules. They can’t compete as effectively with companies that know that they can ignore some rules.



from Apple – TechCrunch https://ift.tt/2GMG41x

Cloudflare expands its government warrant canaries

When the government comes for your data, tech companies can’t always tell you. But thanks to a legal loophole, companies can say if they haven’t had a visit yet.

That’s opened up an interesting clause that allows companies to silently warn customers when the government turns up to secretly raid their stash of customer data, without violating a gag order. Under U.S. freedom of speech laws, companies can publicly say that “the government has not been here” when there has been no demand for data, and they are allowed to remove that statement when a warrant comes in, as a warning shot to anyone who pays attention.

These so-called “warrant canaries” — named for the poor canary down the mine, who dies when there’s gas that the human can’t see — are a key transparency tool that predominantly privacy-focused companies use to keep their customers aware of the goings-on behind the scenes.

Where companies have abandoned their canaries or caved to legal pressure, Cloudflare is bucking the trend.

The networking and content delivery network giant said in a blog post this week that it’s expanding the transparency reports to include more canaries.

To date, the company:

  • has never turned over our SSL keys or our customers SSL keys to anyone;
  • has never installed any law enforcement software or equipment anywhere on our network;
  • has never terminated a customer or taken down content due to political pressure;
  • has never provided any law enforcement organization a feed of our customers’ content transiting our network.

Those key points are critical to the company’s business. A government demand for SSL keys, or the installation of intercept equipment on its network, would allow investigators unprecedented access to a customer’s communications and data, and undermine the company’s security. A similar demand led to Ladar Levison shutting down his email service Lavabit when the government sought the keys to obtain information on whistleblower Edward Snowden, who used the service.

Now Cloudflare’s warrant canaries will include:

  • Cloudflare has never modified customer content at the request of law enforcement or another third party.
  • Cloudflare has never modified the intended destination of DNS responses at the request of law enforcement or another third party.
  • Cloudflare has never weakened, compromised, or subverted any of its encryption at the request of law enforcement or another third party.

It’s also expanded and replaced its first canary to confirm that the company “has never turned over our encryption or authentication keys or our customers’ encryption or authentication keys to anyone.”

Cloudflare said that if it were ever asked to do any of the above, the company would “exhaust all legal remedies” to protect customer data, and remove the statements from its site.

The networking and content delivery network is one of a handful of major companies that have used warrant canaries over the years. Following reports that the National Security Agency was vacuuming up the call records from the major telecom giants in bulk, Apple included a statement in its most recent transparency reports noting that the company has to date “not received any orders for bulk data.” Reddit removed its warrant canary in 2015, indicating that it had received a national security order it wasn’t permitted to disclose.

Cloudflare’s expanded canaries were included in the company’s latest transparency report, out this week.

According to its latest figures covering the second-half of 2018, Cloudflare responded to just seven subpoenas of the 19 requests, affecting 12 accounts and 309 domains. The company also responded to 44 court orders of the 55 requests, affecting 134 accounts and 19,265 domains.

The company received between 0 and 249 national security requests for the period, and said that it didn’t process any wiretap or foreign government requests during that time.



from Apple – TechCrunch https://ift.tt/2BNZAqj

Monday, 25 February 2019

Ford partners with geocoding startup what3words

Ford is partnering with what3words to give drivers access to the startup’s novel addressing system.

Under the partnership, drivers will be able to connect the free what3words app — on an iOS or Android device — to their vehicle via the SYNC 3 infotainment platform. Drivers can find three-word addresses on website contact pages, guidebooks and business cards. They can enter the addresses via voice or text input and receive directions through the vehicle’s navigation system.

The startup, founded in 2013, has divided the entire world into 57 trillion 3-by-3 meter squares and assigned three words to each one. The what3words app, which is available in 26 languages, has been adopted by logistics, travel, automotive and humanitarian organizations because it provides exact locations anywhere in the world.

The system is used by Lonely Planet, which has rolled out three-word addresses for each of its listings, as well as Mercedes-Benz, ride-hailing app Cabify, the UN, Red Cross and TomTom.

The startup has also attracted an interesting mix of investors, most recently Sony’s venture capital arm. And last year, Daimler took a 10 percent stake in what3words, following an announcement in 2017 to integrate the addressing system into Mercedes’ new infotainment and navigation system — called the Mercedes-Benz User Experience, or MBUX. MBUX is now in the latest Mercedes A-Class and B-Class cars and Sprinter commercial vehicles.

“We are more mobile than ever before, but with that comes its challenges. The growing traction that what3words is gaining within the automobility industry is a testament to how we are improving journeys and customer experiences,” CEO and co-founder Chris Sheldrick said.

What3words will initially be available to Ford owners in the U.K. and Ireland, Germany, Spain, the U.S. and Mexico. More markets and languages will follow later in the year. The addressing system can be downloaded for free on iOS and Android.



from Android – TechCrunch https://ift.tt/2NuPLSH
via IFTTT

iOS developers will soon be able to offer discounts to their existing and lapsed subscribers

As subscriptions continue to grow into a sizable revenue stream for mobile app developers, Apple has had to make adjustments to its guidelines, rules, and even its tools for subscription management in recent weeks. It issued stricter guidelines around how subscriptions are to be presented to consumers, and it made the setting for canceling existing subscriptions more accessible. Now, Apple is rolling out new tools for developers that will help them retain their current customers and win back lapsed subscribers.

The company announced on Friday that apps with auto-renewable subscriptions will soon be able to offer their subscriptions at a discounted price for a specific period, as a means of growing and retaining their customer base. This will give the developers more control over their subscription pricing than was available before.

Until the change, developers could only make introductory offers to entice consumers to sign up for the first time. For example, developers could lure customers with a one-time introductory price, offer a free trial, or offer a discounted rate for a specific period of time before the subscription converted to the full price.

But these offers could only be made to first-time customers. The new promotional offers will allow developers to cut similar deals for existing subscribers or to win back the business from those who used to pay for the subscription, but had canceled.

While the new promotional offers allow for the same sort of discounts as introductory offers, they’re more flexible in terms of how they’re used.

With introductory offers, developers were allowed one offer per subscription, per territory. With promotional offers, developers can activate up to 10 offers per subscription. This allows them to test which ones work best for their customers, instead of having to pick just one.

And developers are in control of when an offer displays to a customer, in which territories, as well as how many offers a customer can redeem.

In addition, while introductory offers may display in the App Store when promoted, the promotional offers will not. That means developers can use business logic that targets winning back their most valuable customers with offers that may be better than those shown to others – and no one would be the wiser. It also means developers can offer different deals to lapsed customers – like maybe a discounted subscription – compared with promos meant to retain current subscribers.

Developers will also be able to use receipt validation tools to find subscribers who turned off auto-renewal, which allows them to target those customers with new offers before their subscription lapses. They may also decide to target those who cancel during the free trial with different offers than those who cancel after using a paid subscription for a time.

As an end-user looking to save money, these changes mean it may be worth toggling off your subscriptions from time to time to see if you’re offered a better deal to resubscribe.

Developers were alerted to the new features last week, but the offers themselves aren’t yet publicly available.

To create the offers, developers have to download the latest Xcode 10.2 beta and will need to implement the new StoreKit APIs. They can then test their offers on the latest beta version of iOS 12.2, macOS 10.14.4, and tvOS 12.2. Apple said the offers will be made available to the public “soon.”



from Apple – TechCrunch https://ift.tt/2SX9NeC

More passwordless logins are coming to Android

The FIDO Alliance and Google today announced that Android (from version 7.0 up), with the latest version of Google Play Services, is now FIDO2 certified. At first glance, that sounds rather boring, but it will enable developers to write apps that use a phone’s fingerprint scanner or a FIDO security key to authenticate users without making them type in a password. Since I’m not aware of too many people who like to type in complicated passwords that their IT department makes them change every few months, that’s a big deal.

Developers will be able to enable password-less logins in their web and native apps. Chrome, Microsoft Edge and Firefox already fully support this feature, as does Apple’s Safari (but only in preview). In addition to the convenience, FIDO2 also promises to offer phishing-resistant security, given that this technology won’t let you authenticate on a malicious site.

“Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks,” said Google product manager Christiaan Brand. “Today’s announcement of FIDO2 certification for Android helps move this initiative forward, giving our partners and developers a standardized way to access secure keystores across devices, both in market already as well as forthcoming models, in order to build convenient biometric controls for users.”

It’s worth noting that Android already supported password-less authentication for native apps, but now it’ll also support these for browser logins. Once you’ve set up this new authentication mechanism (and once web apps support it), your phone will store all of the cryptographic data on the device and none of the raw fingerprint data, for example, will be transferred to anybody else.

The FIDO Alliance says this new mechanism will soon enable a billion users on modern Android devices to experience password-less logins. Developers will have to implement support in their web and native applications, but that’s relatively easy.



from Android – TechCrunch https://ift.tt/2GNmUbM
via IFTTT