1010Computers | Computer Repair & IT Support

Cosmic JS wants to simplify web development so you can focus on content

If you are a web developer, you know how complex many of the traditional web content management systems have been. One of the big problems has been managing the underlying infrastructure for the system. Cosmic JS, a member of the Winter 2019 Y Combinator class, wants to simplify that by taking care of the infrastructure part for you, while providing a flexible front end for content creators.

“Our customers benefit from using Cosmic because they can avoid the pain of building and maintaining their own CMS infrastructure. For a monthly service fee, we provide a seamless infrastructure for them, and it allows them to focus on what really matters, building great products and user experiences,” Cosmic JS CEO and co-founder Tony Spiro told TechCrunch.

As with so many YC companies, this one started with a pain point the founders were feeling in their jobs developing websites in an agency setting in 2014. Spiro was building the websites and CMO and co-founder Carson Gibbons was servicing accounts, and they saw a problem with the infrastructure piece.

“We found that there was a huge bottleneck just installing and maintaining our own backend infrastructure management. So around that time, I began building out Cosmic on the side. I thought it would be great if there was just a web dashboard and an API to deliver content as a service. And so that’s how it all got started,” Spiro explained. By removing infrastructure management from the equation, Cosmic was freeing developers to concentrate solely on the customer-facing bits.

Cosmic JS content edit view. Screenshot: Cosmic JS

Spiro and Gibbons left their jobs to concentrate on Cosmic full time after the release of the initial version in 2016. They aim the product at web development teams with between 5 and 100 members. The product has three main user types: developers, site managers and content producers. So far, it has attracted 250 customers in 100 countries.

While it’s not open source, it does rely on community members to build extensions and apps. “We have hundreds of apps (ready-made websites and applications) and extensions built by our community,” Spiro said. These tools enable Cosmic to connect to best of breed services and tools like photos, videos or search without having to create them from scratch.

Cosmic JS website templates and apps. Screenshot: Cosmic JS

Spiro says that they joined Y Combinator at the behest of their advisors and investors and it has been a formative experience. “We applied and got in, and and now we’re surrounded by just some of the most impressive and intelligent people in technology.” Spiro said.

So far Cosmic JS includes the two co-founders with some contractors and freelancers helping out along with the extended development community. The company has received some funding, but the founders weren’t ready to share the amount just yet.

Their goal is to continue building the paid user base, and increase community participation through outreach and events.

Powered by WPeMatico

India’s largest bank SBI leaked account data on millions of customers

India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.

The server, hosted in a regional Mumbai-based data center, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.

But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.

It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.

SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back the current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card and make inquiries about home or car loans.

It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.

A redacted example of some of the banking and credit information found in the database (Image: TechCrunch)

The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.

The bank sent out close to three million text messages on Monday alone.

The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.

We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message he received back.

“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ridesharing app.

Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one of the most common attack vectors in the country with regard to financial fraud,” he said.

SBI claims more than 500 million customers across the glob,e with 740 million accounts.

Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)

TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.

Despite several emails, SBI did not comment prior to publication.

Powered by WPeMatico

How business-to-business startups reduce inequality

Sibjeet Mahapatra
Contributor

Sib Mahapatra is a writer and co-founder of Bureau, an end-to-end office furniture startup in NYC.

When considering the structural impact of technology companies on our economy and society, we tend to focus on questions of scale and monopoly.

It’s true that the FAANG companies and more recent winners (Airbnb, Uber) have surfed a combination of network effects, preferential access to capital and classic efficiencies of scale to generate tremendous value for their shareholders — to the detriment of new entrants who attempt to unseat them.

At their high water mark in mid-2018, FAANG alone made up 11 percent of the total market cap of the S&P 500 and 38 percent of the index’s year-to-date gain, representing a doubling in their influence in only five years. The question of regulating technology companies — to the point of instituting anti-trust actions — has even become a rare point of relative concord between Democrats and Republicans in Congress.

But is the narrative of tech companies in the 2010s only a story of economic consolidation and growing inequality? Many of the most successful B2B startups of the last decade are aligned by a theme that paints a different picture. By transforming the nature of the costs required to start a business, these startups are reducing the influence of capital and leveling the playing field for new entrants to share in the surplus generated by the secular shift to a tech-mediated economy.

Source: Getty Images/MIKIEKWOODS

A path to equal opportunity: Turning fixed costs into variable costs

What do AWSWeWorkStordGusto and RocketLawyer have in common? They provide cloud computing services, office space, warehouse storage, payroll management and access to legal templates, respectively — at first glance, not a particularly congruent set of services.

But they are alike in the economic purpose they serve for their customers. Each of these services takes a fixed cost — a bank of servers, a lease, a legal retainer — and transforms it into a variable cost. As a refresher, a fixed cost stays constant regardless of output, and variable costs scale with the output of a business.

When my father started his software consulting business in the early 1990s, I remember the giant boxes of AIX servers that arrived at our apartment, and tagging along to office tours in central New Jersey before he decided to run the company out of our spare bedroom. Back then, starting almost any kind of business was hard because of high fixed costs. Without AWS or WeWork, you shelled out upfront for hardware and a lease.

Access to capital, whether in the form of a bank loan, savings or friends and family was a prerequisite for entrepreneurship.

Today, startups make it possible to start and scale almost any kind of business while incurring few fixed costs. Want to found an e-commerce store? Start with a free Shopify account and dropship your inventory. Want to become a freelance designer? Put a shingle up on Fiverr and meet clients at a Breather you rent by the hour.

Whether software or hardware or labor, building a business is way easier when overhead is transformed into a string of flexible microservices that you only pay for as you grow.

Image courtesy of Getty Images

Lower fixed costs means capital matters less

Taken together, startups that turn fixed costs into variable costs make it less capital-intensive to start a business. This decreases the influence of gatekeepers and aggregators of capital — an impact evident in the way entrepreneurs think about starting businesses today.

It’s no coincidence that the rise of B2B startups fitting this theme has coincided with the bootstrap movement, in which tech entrepreneurs with major ambitions demur from raising venture funding because — well, they don’t need the money anymore.

It has also coincided with a renaissance in freelance entrepreneurship: 56.7 million Americans freelanced in 2018. Beyond the economic benefits of working for yourself — the fastest growing segment of freelancers earns more than $75,000 a year — freelancers can access the lifestyle and health benefits of owning their destiny, which aren’t directly captured but play a role in the economic picture. Indeed, 51 percent of freelancers said no amount of money would lure them into a traditional job, and 64 percent reported feeling healthier and happier.

When capital plays a reduced role in new business formation, access to capital plays a smaller role in determining who will succeed. More companies are founded, and the economy becomes more likely to birth new Davids that will unseat the Goliaths. Economics 101: lower barriers to entry create markets that converge on perfect competition instead of oligarchic concentration.

Source: Getty Images/ERHUI1979

Variable costs don’t scale, but that’s OK

Variable costs have their downsides. A startup with a relatively higher proportion of fixed costs — the profile of the classic high-tech software business — can achieve higher profit margins as it scales. Compare Microsoft or Google, which pay high fixed costs in the form of salaries and servers but few costs in delivering their services and achieve operating margins of 25-30 percent, to Costco, which takes in more than $100 billion of annual revenue but earns an operating margin in the single digits.

That’s OK. Neither type of cost is “better” or “worse,” but having the option to decide how to structure costs through a company’s life cycle can meaningfully impact an entrepreneur’s ability to execute a business idea.
Founders investigating startup ideas — and politicians debating the impact of technology — would do well to pay attention to how B2B companies have democratized access to entrepreneurship.

Equality of outcome arrives from equality of opportunity — and a future where millions of people can start businesses, differentiate and succeed on the basis of their ability and value proposition, rather than their access to capital, sounds like a promising representation of the egalitarian ethos Silicon Valley wants to bring to pass.

Powered by WPeMatico

FabFitFun raises $80 million for its growing lifestyle brand

Nine years after launching its online magazine, and three years after diversifying into the subscription box business, FabFitFun has raised $80 million in a growth round of funding, led by Kleiner Perkins, with participation from its previous investors Upfront Ventures and NEA. 

The Los Angeles-based company has steadily expanded its retail and lifestyle empire through subscription boxes, video… and even an augmented reality app.

Last year the company crossed $200 million in revenue and managed to net more than 1 million subscribers for the service.

In a statement the company said the new financing would be used to expand FabFitFun membership offerings and consolidate its position as a marketing partner and platform for brands.

As a result of the investment, Kleiner Perkins general partners Mood Rowghani and Mary Meeker will join as board member and observer, respectively.

It’s been a long ride for co-founders Daniel and Michael Broukhim and Katie Rosen Kitchens. From a newsletter and blog to the subscription box to the launch of live programming last year.

For brands, the pitch is a new way to find customers and engage with them. The seasonally curated boxes and special exclusive co-branded box opportunities with Los Angeles’ pool of influencers results in hundreds of millions of targeted impressions, according to the company.

“FabFitFun has emerged into an exciting and entirely new distribution channel that brings retail to the platforms where consumers are most engaged,” said Mood Rowghani, a general partner at Kleiner Perkins, in a statement. “The company’s personalized connection with its community allows brands to better understand and interact with consumers – establishing a long-term relationship rather than simply a transaction.”

Powered by WPeMatico

Amex blocks Curve as the fintech startup vows to fight ‘anti-competitive’ decision

Well, that was short-lived: Just 36 hours after Curve, the London fintech that lets you consolidate all of your bank cards into a single Curve card, re-instated support for Amex, the feature has once again been unceremoniously blocked by American Express. This time, however, the context feels very different from 2016, when the startup was barely off the ground, with Curve telling customers in an email this morning that it intends to “fight Amex’s decision with our full might.”

Going up against the deep pockets and dominant market position of American Express will undoubtedly be a “David and Goliath” battle, although, unlike two years ago, Curve is now backed by an array of investors that includes Connect Ventures and Santander. Arguably, the startup will have U.K. and EU payments and competition regulations on its side, too, although it is hard to predict with certainty if the U.K. regulators will use their full teeth in a situation like this and how they will interpret those existing U.K. and EU regulations.

Curve’s position, however, is clear: In the same email to customers, the company has called the move “anti-competitive” and says it is “entirely disproportionate and discriminatory” to Curve. “U.K. payment regulations clearly state that Curve should be allowed to access the Amex payment network on a level-playing field with every other fee-paying and legitimate merchant,” writes the startup.

However, American Express disputes this, telling TechCrunch it doesn’t have regulatory obligations to work “with Curve or any individual merchants.”

Meanwhile, the credit card giant has been busy briefing journalists that it ended its merchant contract with Curve for business reasons, following what looked like a successful beta test with a small number of joint customers. Perhaps the trial was too successful, with American Express telling me Curve customers were using Amex added to Curve in ways that were different to its regular customers, which, one could argue, is the whole point. To truly innovate, you have to offer something new. Something truly new, has to be different.

With that said, the method with which Curve was accessing the Amex network is a well-established one. Technically, Curve had signed a “merchant” contract with American Express, just like any other merchant and many existing e-wallet products, such as PayPal or YoYo Wallet, which, notably, haven’t been blocked. As part of the trial period, the fintech also made changes to its own product to accommodate Amex, requiring customers to top up their Curve card in advance if they wanted to spend from their Curve-Amex wallet.

In other words, this was definitely not a “don’t ask for permission, ask for forgiveness” situation on Curve’s part. The two companies had been working together for months, and in talks for even longer, to get Curve back on the Amex network. A merchant contract had been signed. What changed at the 11th hour is unclear, although we can be sure this one has a long way to play out just yet.

American Express provided TechCrunch with the following statement:

We participated in a limited Curve beta test in which we explored enabling Card Members to load funds onto an e-wallet using their Amex Card in the Curve app. A very small number of Amex Card Members participated in the test. Based on the results, we communicated to Curve that we would not participate in the further roll out of Curve because of concerns related to the overall American Express Card Member experience. Subsequently we terminated our contract with them.

And here’s the full email sent out by Curve to customers, myself included:

Dear Steve,

We are extremely sorry that the top-up functionality of your Amex wallet is currently disabled.

Like thousands of other UK merchants, Curve has a valid merchant agreement to accept Amex payments into its e-wallet. However, on Tuesday evening, Amex decided to terminate this agreement and block all Amex transactions to Curve with immediate effect.

Amex has given no good or fair reason for their decision and we believe it is entirely disproportionate and discriminatory to Curve and all our (joint) customers. UK payment regulations clearly state that Curve should be allowed to access the Amex payment network on a level-playing field with every other fee-paying and legitimate merchant.

Rest assured that you can still spend the funds that you have already topped up to your existing Amex Wallets. If you have contacted us for support, we apologise for the delay in response and will endeavour to do so as soon as possible. We will update you as soon as we have any further information.

With your interests in mind, and our mission to deliver a truly innovative product, we intend to fight Amex’s decision with our full might. We believe financial freedom is the future and we are prepared to fight for yours.

Team Curve

Powered by WPeMatico

Wanna Kicks, a new AR app from Wannaby, lets you virtually ‘try on’ your next pair of kicks

Wannaby, a startup out of Belarus that is building “AR commerce” experiences, has launched a beta of its latest app, which aims to make it easier to find the perfect sneakers.

Dubbed “Wanna Kicks,” the iOS app uses augmented reality to let you “try on” various pairs of sneakers. You simply choose a pair of kicks from the list of 3D models, point your camera at your feet and — bingo — you’re now virtually wearing your chosen footwear.

The effect is pretty instant and tracks reasonably well as you move and rotate your feet or change camera angle. You can even try walking and the AR app will follow your footsteps. It doesn’t work quite as well standing in front of a mirror, which would be more useful, but that is something Wanna Kicks’ makers say they are working on.

Ultimately, however, Wannaby believes its technology can help both customers and retailers. The premise is simple: The better idea you have of how a pair of sneakers will look when you’re actually wearing them, the more likely you are to make the right purchase and the less likely you are to return an item. Online retailers spend a lot of their margins trying to get customers to convert, and arguably even more servicing returns.

“Our mission is to break online shopping barriers,” Wannaby CEO and ex-Googler Sergey Arkhangelskiy tells me. “We believe that AR try-on can help customers to shop online and will wash away the difference between online and offline shopping. We see two major problems in the shoe market. Online conversions are quite low, and returns are quite high, in comparison to traditional ‘brick-and-mortar’ shopping. The ability to try sneakers with your phone before buying online should shift conversions, engagement and returns.”

Arkhangelskiy argues that AR is also a great marketing tool. Unsurprisingly, Wanna Kicks lets you save a photo of your feed clad in new virtual sneakers, which you can then share on social media. Video sharing is in the pipeline, too.

“Many shoe brands are presenting their new releases both online and offline,” he says. “Lots of customers are eager to know more about new sneaker releases, and AR is a great new way for people to experience sneakers that are new to the market or are about to get to the market. Essentially, this is the main idea behind Wanna Kicks: allowing users to choose and decide whether they like a shoe or not without visiting a physical store.”

Under the hood, Wannaby says it uses sophisticated “3D geometry algorithms” together with neural networks to identify the position of the shoe in space. It’s these algorithms that the startup says are its secret sauce and the company’s main innovation. To onboard sneakers into the app, Wannaby utilises its own studio to create bespoke 3D models.

“We’ve built Wanna Kicks for Gen Z and millennials who are interested in buying sneakers and eager to know whether they will fit their style or not,” adds Arkhangelskiy. “The AR and AI community will love our launch as well — we’ve accomplished a really difficult task in computer vision and rendering.”

Meanwhile, Wannaby is backed by Bulba Ventures and Haxus. The startup has raised $2 million in seed funding to date.

Powered by WPeMatico

Altice to acquire majority stake in OTT startup Molotov

Telecom company Altice is about to close a significant investment in French startup Molotov — the two companies have entered into exclusive negotiations. While terms of the deal are undisclosed, Altice is investing a large sum of money and should end up with a majority stake in Molotov — it’s more like a fundraising round than a traditional acquisition.

“We’re doing a 60/40 deal,” Molotov co-founder and CEO Jean-David Blanc told me. “Altice is taking 60 percent of Molotov. Existing investors remain shareholders and are even putting more money for some.”

Molotov had raised around $35 million from Idinvest (Benoist Grossmann), Sky, TDF, Cherry Tree Invest and others. This is an interesting move as it greatly increases the reach of Molotov and opens up some new opportunities when it comes to internationalization, content and more.

“Altice is also bringing access to cash, content, marketing and countries,” Blanc said.

Molotov is an over-the-top streaming platform in France. You can find all major TV channels, stream live content and watch replays for free. There are optional subscriptions to unlock more features, such as cloud recordings and premium channels.

The service is available on all major platforms — desktop, mobile, tablet, Apple TV, Android TV, Amazon Fire TV, smart TVs from Samsung, LG, Panasonic, etc. It is one of the most popular apps on tvOS and Android TV, always at the top of the stores with Netflix and myCanal.

When I last covered Molotov, the company told me that it has 7 million users in France. Every day, 1.2 million users watch something on Molotov. They stream a total of 1.1 million hours of content. As you can see, those Molotov sessions can be quite long.

Altice currently operates in France under the name SFR, Israel, Portugal and Dominican Republic. Like many telecom companies, Altice and its founder Patrick Drahi also has invested in content and media.

The company owns NextRadioTV (BFM TV, BFM Business, BFM Paris, RMC Story and RMC Découverte). It operates premium sports channels, as the company currently has the distribution rights of the Premier League in France. It owns different newspapers and magazines, such as Libération and L’Express.

Interestingly, Altice has also acquired video adtech company Teads. You could already imagine new monetization opportunities for Molotov and Teads.

As Altice has already negotiated distribution rights with every TV network in France for its own set-top boxes, you can imagine a better offering on Molotov in the coming months. For instance, you could imagine being able to subscribe to Canal+ or BeIN Sports from Molotov. Restrictions on some channels, such as TF1 and M6, will likely disappear, as well.

Molotov is already thinking about new products. For instance, hotel chains have been asking for a special version of Molotov so that they can get rid of their complicated TV setup. Now, Molotov can collaborate with Altice’s B2B division to sell a software-as-a-service version of Molotov.

While the service will remain available to everyone even, if you’re an Orange subscriber for instance, SFR customers will get an extended version of Molotov for free. Altice will keep the name Molotov.

Blanc will remain at the helm of Molotov and the company will remain more or less the same for now. “We won’t have employees moving from one company to the other. Obviously there will be interactions between the companies, but they’ll remain autonomous,” Blanc said.

With this open approach, Altice doesn’t just want to integrate the service into its offering. Molotov will remain an independent service and grow independently from Altice’s telecom operations.

Powered by WPeMatico

Pinterest puts an IPO on its pinboard, hiring Goldman Sachs and JPMorgan to lead an offering this year

Pinterest, the 11-year-old, San Francisco-based site known for the photos its users post about everything from wedding to beauty trends, has hired Goldman Sachs and JPMorgan Chase as lead underwriters for an IPO that it’s planning to stage later this year.

Reuters first reported the news. TechCrunch sources have since confirmed the development. A Pinterest spokesperson declined to “comment on rumors and speculation” when asked this afternoon for more information.

Pinterest has raised roughly $1.5 billion over the years and was valued at $12 billion by its private investors during its last fundraising round in 2017. Notably, its backers include Goldman Sachs Investment Partners, among many other investment firms, both early and later-stage, like Valiant Capital Partners, Wellington Management, Andreessen Horowitz and Bessemer Venture Partners.

The company’s revenue last year was $700 million, more than double what the company generated in revenue in 2017.

It has 250 million monthly active users, compared with the 200 million monthly active users who were on the platform as of mid 2017.

Whether Pinterest has ever been profitable, we couldn’t learn this afternoon. But the company employs 1,600 people across 13 cities globally, including Chicago, London, Paris, São Paulo, Berlin, and Tokyo, and half its users now live outside the U.S., with the international market its fastest-growing segment.

Perhaps unsurprisingly, more than 80 percent of people access the service via its mobile app.

Assessing how Pinterest’s shares might be received by public market shareholders has become a favorite parlor game for Silicon Valley denizens. In a recent report, the outlet The Information posited that Pinterest’s offering could suffer because it’s a social media company that’s frequently lumped together with companies like Facebook and Twitter that have repeatedly raised concerns about users’ privacy and have faced a nearly year-long backlash as a result.

Yet Pinterest is far afield from what most users think of as social media and more akin to a visual search and discovery platform, with people looking for ideas and inspiration rather than to reach other people. So thinks venture capitalist Venky Ganesan of Menlo Ventures, who noted on a recent  TechCrunch podcast that “there are no Russian trolls” on Pinterest. More, he’d said, “I haven’t seen Pinterest sell [users’] data. They’re using data to [figure out] advertising on Pinterest; they aren’t brokering [that information] to others.”

Another potential concern for Pinterest is its reliance advertising, which is often the easiest expense for companies to slash when an economy begins to cool, as may be happening here in the U.S. Ads make up 100 percent of the company’s revenue. Here, too, however, Pinterest could prove more durable than some of its competitors. While brand-image driven advertising often gets cut when budgets tighten, direct response advertising often does even better in down markets, as companies seek out clearer returns on their investment, and much of Pinterest’s revenue is driven by direct response advertising. Users see, they click, and they buy. As Ganesan offered during that same podcast visit, “I’ve got three daughters at home, and they spend a lot of time on Pinterest, and they buy stuff.” (Ganesan isn’t an investor in the company; neither is the broader Menlo Ventures team.)

Pinterest could reportedly seek to raise up to $1.5 billion in an offering, according to past media reports. Whether it targets more or less, we’re likely to learn soon, but an IPO has been expected for some time, in part because the company is now getting up there in years as startups go, in part because of its continued growth, and in part because of some new hires that seemed to suggest the company has been gearing up to become publicly traded.

In November, for example, Pinterest brought aboard its first-ever chief marketing officer in Andréa Mallard, who joined the company from Athleta, Gap’s activewear brand, and who now oversees its global marketing and creative teams.

Roughly a year ago, Pinterest also recruited its first COO, hiring  Francoise Brougher, who was previously a  business lead at Square and a VP of SMB global sales and operations at Google before that.

In fact, unlike many of today’s buzziest companies, Pinterest seems to have retained almost all of the executives who work at the company with one notable exception, In late 2017, it parted ways with its then president, Tim Kendall, who’d been with Pinterest for more than five years at the time and who left to start his own health wellness company.

Powered by WPeMatico

Facebook pays teens to install VPN that spies on them

Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke it permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple and it’s aware of the issue, but the company did not provide a statement before press time.

“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”

Facebook’s surveillance app

Facebook first got into the data-sniffing business when it acquired Onavo for around $120 million in 2014. The VPN app helped users track and minimize their mobile data plan usage, but also gave Facebook deep analytics about what other apps they were using. Internal documents acquired by Charlie Warzel and Ryan Mac of BuzzFeed News reveal that Facebook was able to leverage Onavo to learn that WhatsApp was sending more than twice as many messages per day as Facebook Messenger. Onavo allowed Facebook to spot WhatsApp’s meteoric rise and justify paying $19 billion to buy the chat startup in 2014. WhatsApp has since tripled its user base, demonstrating the power of Onavo’s foresight.

Over the years since, Onavo clued Facebook in to what apps to copy, features to build and flops to avoid. By 2018, Facebook was promoting the Onavo app in a Protect bookmark of the main Facebook app in hopes of scoring more users to snoop on. Facebook also launched the Onavo Bolt app that let you lock apps behind a passcode or fingerprint while it surveils you, but Facebook shut down the app the day it was discovered following privacy criticism. Onavo’s main app remains available on Google Play and has been installed more than 10 million times.

The backlash heated up after security expert Strafach detailed in March how Onavo Protect was reporting to Facebook when a user’s screen was on or off, and its Wi-Fi and cellular data usage in bytes even when the VPN was turned off. In June, Apple updated its developer policies to ban collecting data about usage of other apps or data that’s not necessary for an app to function. Apple proceeded to inform Facebook in August that Onavo Protect violated those data collection policies and that the social network needed to remove it from the App Store, which it did, Deepa Seetharaman of the WSJ reported.

But that didn’t stop Facebook’s data collection.

Project Atlas

TechCrunch recently received a tip that despite Onavo Protect being banished by Apple, Facebook was paying users to sideload a similar VPN app under the Facebook Research moniker from outside of the App Store. We investigated, and learned Facebook was working with three app beta testing services to distribute the Facebook Research app: BetaBound, uTest and Applause. Facebook began distributing the Research VPN app in 2016. It has been referred to as Project Atlas since at least mid-2018, around when backlash to Onavo Protect magnified and Apple instituted its new rules that prohibited Onavo. Facebook didn’t want to stop collecting data on people’s phone usage and so the Research program continued, in disregard for Apple banning Onavo Protect.

Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a “paid social media research study.” The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).” If minors try to sign-up, they’re asked to get their parents’ permission with a form that reveal’s Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook.

The Applause site explains what data could be collected by the Facebook Research app (emphasis mine):

“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed . . . This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.”

Meanwhile, the BetaBound sign-up page with a URL ending in “Atlas” explains that “For $20 per month (via e-gift cards), you will install an app on your phone and let it run in the background.” It also offers $20 per friend you refer. That site also doesn’t initially mention Facebook, but the instruction manual for installing Facebook Research reveals the company’s involvement.

 

Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to their phone plus much of the data it transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.

Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.

TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “vpn-sjc1.v.facebook-program.com” that is associated with Onavo’s IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.

“It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach explains. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves . . . which is a startling level of carelessness in itself if that is the case.”

“Flagrant defiance of Apple’s rules”

In response to TechCrunch’s inquiry, a Facebook spokesperson confirmed it’s running the program to learn how people use their phones and other services. The spokesperson told us “Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”

Facebook’s spokesperson claimed that the Facebook Research app was in line with Apple’s Enterprise Certificate program, but didn’t explain how in the face of evidence to the contrary. They said Facebook first launched its Research app program in 2016. They tried to liken the program to a focus group and said Nielsen and comScore run similar programs, yet neither of those ask people to install a VPN or provide root access. The spokesperson confirmed the Facebook Research program does recruit teens but also other age groups from around the world. They claimed that Onavo and Facebook Research are separate programs, but admitted the same team supports both as an explanation for why their code was so similar.

However, Facebook claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under direct supervision of employees or on company premises. Given Facebook’s customers are using the Enterprise Certificate-powered app without supervision, it appears Facebook is in violation.

Facebook disobeying Apple so directly could hurt their relationship. “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want,” Strafach tells us. ONV prefixes and mentions of graph.onavo.com, “onavoApp://” and “onavoProtect://” custom URL schemes litter the app. “This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable.”

Facebook is particularly interested in what teens do on their phones as the demographic has increasingly abandoned the social network in favor of Snapchat, YouTube and Facebook’s acquisition Instagram. Insights into how popular with teens is Chinese video music app TikTok and meme sharing led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL, TechCrunch first reported. But Facebook’s desire for data about teens riles critics at a time when the company has been battered in the press. Analysts on tomorrow’s Facebook earnings call should inquire about what other ways the company has to collect competitive intelligence.

Last year when Tim Cook was asked what he’d do in Mark Zuckerberg’s position in the wake of the Cambridge Analytica scandal, he said “I wouldn’t be in this situation . . . The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” Zuckerberg told Ezra Klein that he felt Cook’s comment was “extremely glib.”

Now it’s clear that even after Apple’s warnings and the removal of Onavo Protect, Facebook is still aggressively collecting data on its competitors via Apple’s iOS platform. “I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” Strafach concluded. If Apple shuts the Research program down, Facebook will either have to invent new ways to surveil our behavior amidst a climate of privacy scrutiny, or be left in the dark.

Additional reporting by Zack Whittaker.

Powered by WPeMatico

It’s time to pay serious attention to TikTok

If you haven’t been paying attention to TikTok, you haven’t been paying attention. The short-form video app hailing from Beijing’s ByteDance just had its biggest month ever with the addition of 75 million new users in December — a 275 percent increase from the 20 million it added in December 2017, according a recent report from Sensor Tower.

Despite its rapid rise, there are still plenty of people — often, older people — who aren’t quite sure what TikTok is.

TikTok is often referred to as a “lip-syncing” app, which makes it sound like it’s some online karaoke experience. But a closer comparison would be Vine, Twitter’s still sorely missed short-form video app whose content lives on as YouTube compilations.

While it’s true that TikTok is home to some standard lip-syncing, it’s actually better known for its act-out memes backed by music and other sound clips, which get endlessly reproduced and remixed among its young users.

Its tunes are varied — pop, rap, R&B, electro and DJ tracks serve as backing for its 15-second video clips. But the sounds may also be snagged from YouTube music videos (see: I Baked You A Pie above), SoundCloud or from pop culture — like weird soundbites from Peppa Pig or Riverdale — or just original creations.

These memes-as-videos reference things familiar to Gen Z, like gaming culture (see below). They come in the form of standalone videos, reactions, duets, mirrors/clones and more.

The app has been growing steadily since it acquired its U.S.-based rival Musical.ly in November 2017 for north of $800 million, then merged the two apps’ user bases last August.

This gave TikTok the means to grow in Western markets, where it has attracted the interest of U.S. celebrities like Jimmy Fallon and Tony Hawk, for example, along with YouTubers on the hunt for the next new thing.

But unlike Vine (RIP), YouTube or Instagram, TikTok doesn’t yet feel dominated by micro-celebs, though they certainly exist.

Instead, its main feed often surfaces everyday users — aka, amateurs — doing something cute, funny or clever, with a tacit acknowledgement that “yes, this is an internet joke” underlying much of the content.

Okay, okay.

Sometimes these videos are described as “cringey.” 

But that’s because those of us trying to talk about TikTok are old(er) people who grew up on the big ol’ mean internet.

Cringey, frankly, is an unfair label, as it dismisses TikTok’s success in setting a tone for its community. Here, users will often post and share unapologetically wholesome content, and receive less mocking than elsewhere on the web — largely because everyone else on TikTok posts similar “cringey” content, too.

You might not know this, however, if your only exposure to TikTok comes from YouTube’s TikTok Cringe Compilations. But spend a day in the (oddly addictive) TikTok feed, and you’ll find a whole world of video that doesn’t exist anywhere else on the web — including on YouTube. Videos that are weird, sure — but also fun to watch.

It’s a stark comparison to the existing social media platforms.

Users today are engaged in the culture wars on Twitter (ban the Nazis! protect free speech!), while YouTubers are gaming the algorithm with hateful, exploitive, dangerous and otherwise questionable content that freaks out advertisers. And Facebook is, well, contributing to war crimes and the toppling of democracy.

Meanwhile, TikTok presents an alternative version of online sharing. Simple, goofy, irreverent — and frankly, it’s a much needed reset.

For example, some of the popular TikTok memes have included videos of kids proclaiming what a great mom they have, as they drag her into frame, or they remind people to pick up litter and conserve water. They might give themselves silly, but self-affirming makeovers where, afterwards, they cite themselves not as “cute” but rather “drop. dead. gorgeous.”

They might spend hours setting up gummy bears as Adele concert-goers, learning how to do a shuffle dance up a set of stairs or in a dance battle their dad. Or they may showcase some special talent — drawing, painting, gymnastics, dance or skateboarding, perhaps. They do science experiments, make jokes or use special effects for a little video magic.

They shout out “hit or miss!” in public places and wait to see who answers. (Look it up.)

Sometimes it’s dumb, Sometimes it’s clever. But it’s addictive.

Of course, it is still the internet. And TikTok isn’t perfect.

The app has also been the subject of troubling reports about its “dark” side, which is reportedly filled with child predators and teens bullying and harassing one another. It’s not clear, however, that TikTok’s affliction with these matters is any worse than any other large, social, public-by-default app of its size.

And unlike some apps, concerned parents — or the users themselves — can set a TikTok account to private, turn off commenting, hide the account from search, disable downloads, disallow reactions and duets and restrict an account from receiving messages.

It is concerning, however, that under-13 kids are setting up social media accounts without parental consent. (But, uh, have you seen Fortnite and Roblox? This is what kids do. At least the TikTok main feed isn’t worrisome, we’ve found.)

The bigger issue, though — and one that could ultimately prove damaging to TikTok — is whether it will be able to keep up with content filtering and takedown requests, or handle its security and privacy protection issues as it scales up.

Content and community aren’t the only things contributing to TikTok’s growth.

While Vine may have introduced the concept of short-form video, TikTok made video editing incredibly simple. You don’t need to be a video expert to put together clips with a range of effects. It’s the Instagram for the mobile video age — in a way that Instagram itself won’t be able to reproduce, having already aligned its community with influencers and advertisers.

TikTok’s sizable user base, meanwhile, is due not only to its growth in Western markets, but because of its traction in emerging markets like China and India.

This allowed TikTok to rank No. 4 worldwide across iOS and Android, combined, according to App Annie’s data on the most-downloaded apps of 2018. On iOS, TikTok was the No. 1 most-downloaded app of the year, mainly thanks to China.

At times last year, TikTok even ranked higher than Facebook, Instagram, Snapchat and YouTube.

Both App Annie and Sensor Tower agree that TikTok scored the No. 3 position for most installs among all apps worldwide in 2018.

Now, TikTok is growing in India, says Sensor Tower.

The country accounted for 27 percent of new installs between December 2017 and December 2018, and last month was the source for 32.3 million of TikTok’s 75 million total new downloads — a 25x increase from last year.

Some of this growth comes from ad spend, according to a report from Apptopia, which examined the app’s widened use of ad networks. (It’s also driving people bonkers with its YouTube ads).

The revenue is starting to arrive, as well.

Worldwide, users spent $6 million tipping their favorite live streamers, a 253 percent year-over-year jump from December 2017’s total of $1.7 million, Sensor Tower estimates. But live streaming is not the default activity on TikTok — it added the feature after shutting down Musical.ly’s live streaming app, Live.ly.

Above: full-screen ad in TikTok when app is first launched; spotted today

Think this is the first real ad campaign I’ve seen on @tiktok_us. @kerrymflynn pic.twitter.com/zt3JcSYCz0

— chris harihar (@chrisharihar) January 26, 2019

Above: an ad appearing earlier this month

TikTok is also starting to test in-app advertising, and is being eyed by agencies as a result. When you launch TikTok, you may see a full-page splash screen ad of some kind — though the company has not officially launched ad products.

But the brands are starting to take notice. This week, for example, TikTok collaborated with SportsManias, an officially licensed NFL Players Association partner, for the introduction of NFL-themed AR animated stickers in time for the Super Bowl. The move feels like a test for how well branded content will perform within the TikTok universe, but the company says it’s “not an ad deal.”

The company also declined to say how many are today using TikTok.

However, parent company ByteDance had publicly stated last year that it had 500 million monthly active users when it announced the app’s rebranding post-merger. It has yet to release new numbers for its global user base.

That said, ByteDance just shared updated stats for China only, on all versions of the TikTok app (including the non-Google Play Android version). It says that TikTok now has 500 million monthly active users in China alone.

Sensor Tower today estimates TikTok has grown to nearly 800 million lifetime installs, not counting Android in China.

Factoring in those Android in China installs, it’s fair to say this app has topped 1 billion downloads.

Here comes the new new internet, folks. It’s big, dominated by emerging markets, mobile, video, meme-ified, and goes viral both online and off.

So if you haven’t been paying attention to TikTok, you may want to get started.

Powered by WPeMatico