Year: 2018

20 Dec 2018

Slack shuts down accounts belonging to Iranian expats and users who visited Iran

A number of Slack users report that they have suddenly lost access to their accounts with no warning in what appears to be an aggressive implementation of U.S. sanctions on Iran.

In some cases, users have reported seeing their access revoked to free, public Slack groups, while access to paid accounts remains. Administrators of the public accounts were not notified of the account terminations affecting their group’s members. Affected users include a University of British Columbia PhD student, a researcher studying at the Technical University of Munich, and many other Twitter users who reported personal travel to Iran in recent years. Affected users reported receiving the following letter:

When questioned about the recent action taken against some users, Slack provided TechCrunch the following statement:

“Slack complies with the U.S. regulations related to embargoed countries and regions, as does every U.S.-based company. We updated our system for applying geolocation information, which relies on IP addresses, and that led to the deactivations for accounts tied to embargoed countries. We only utilize IP addresses to take these actions. We do not possess information about nationality or the ethnicity of our users. If users think we’ve made a mistake in blocking their access, please reach out to feedback@slack.com and we’ll review as soon as possible.”

Right now, it looks like any travel to Iran (and the associated Iranian IP address) was sufficient to flag an account under Slack’s new geolocation update that triggered the bans. We’ve reached out to Slack with additional questions about when these accounts should expect to be reinstated, assuming that Slack doesn’t double down on its aggressive policy implementation.

20 Dec 2018

Cybersecurity and human rights

A cyberattack has the power to paralyze cellular communications; alter or erase information in computerized systems; prevent access to computer servers; and directly harm a country’s economy and security by attacking its electricity networks or banking system.

The necessity is clear for any country, but especially Israel with its unique security considerations, to maintain a cyber defense system. The creation of the unified Israel National Cyber Directorate (INCD), which includes the Israel Cyber Event Readiness Team (CERT-IL), side by side with other security agencies such as the Israeli NSA and Mossad within the Prime Minister’s Office, addresses this need. This is an important institution, and it therefore must have clearly defined legislative powers, goals and organizational structures.

What is interesting, though, is that although Israel is Startup Nation when it comes to innovation and development, it is sorely behind in legislation that deals with the growing dilemmas regarding the intersection between technology, human rights and democratic values. Most technological innovations in security and tracking systems used in social networks are developed out of the public eye. The unified INCD was established before legislation to regulate its activities was put in place.

To this end, the recent publishing of the first draft of a cyber law for Israel, designed to provide a legal framework for the activities of Israel’s cyber defense system, is welcomed. However, the content of the draft shows that the State is seeking to assume far wider powers than are needed to protect the public from cyberattacks. Part of the reason for this is that it is difficult at present to assess what cyberattacks could look like in the future, but another part is what seems to be a somewhat hidden policy of the government to use technology in order to increase their control over citizens’ activities.

According to the draft, the INCD, a division within the Prime Minister’s Office, will be able to routinely collect data from internet and cellular providers, government ministries, local authorities and government corporations in order to identify and thwart cyberattacks in real time. Yet the definition of “security relevant data” remains ambiguous, and is certainly much broader than the definitions laid out in IOC (Cyber Threat Indicator) in the American Cybersecurity Information Sharing Act (CISA) passed in 2015.

The question is whether there is truly a need for all of this information — a record of all online activities and personal details we’ve shared with governmental agencies — to be collected in this way, and whether this is information that could potentially be used to create behavioral profiles that could be used against citizens. What, in effect, is the difference between gathering this data and wide-scale, unrestricted wiretapping? For the State to have access to such far-reaching information constitutes a real threat to citizens’ privacy and human rights on a larger scale.

In addition, should the drafted bill pass, INCD will have access to computers and the authority to collect and process information, all in the name of identifying cybersecurity infiltrators. This could include almost any information held by any private citizen or business. While the law mentions the need to respect the right to privacy, it also permits activities that do not infringe upon this right “more than is necessary” — a frighteningly vague limitation. In addition, there do not seem to be sufficient limits on the use of the information collected. How long can it be stored? Can it be passed from INCD to the police, or to other agencies?

This bill endows the INCD with supreme regulatory powers that supersede those of the police, the Privacy Protection Authorities and others. The INCD even has the capacity to withdraw licenses awarded to commercial institutions. One obvious outcome of this is that it will lead to a lack of cooperation between the different authorities. The million-dollar question is, of course, when do these powers come into play? And the answer, again, is worrying: “Whenever necessary in order to defend a ‘vital interest.’”

This might mean protecting the country’s security or saving human life, but according to the draft, it also includes “the proper functioning of organizations that provide services on a significant scale.” Does this also mean a cyberattack on a large clothing chain? And if so, is this justified?

Classic cybersecurity, as we know it, deals mainly with potential damage to tangible infrastructure. However, the proposed bill allows the prime minister to add more cyberthreats to this list at his will. Which begs the question: What will happen when a prime minister adds something along the lines of “harming the public consciousness by presenting arguments on social networks” or “disseminating fake news”? Do we really want the INCD to be empowered to deal with such cases in addition to the Israeli NSA?

Moreover, the draft makes scant mention of oversight bodies to regulate the use of such broad powers, and grants the head of INCD the power to maintain a veil of secrecy when attacks are being discovered. It certainly makes sense not to publicize the existence of a cyberattack until it is under control — in order to prevent additional damage — but assume that you are a patient in a hospital in which a cyberattack has created confusion in the administration of medicines. How long would you want this to be kept secret? And what of bank account holders, or people who have registered for a dating site, whose details have been compromised?

The proposed bill endows the INCD with unchecked power, especially when compared with other democracies. The abuse of such power and Edward Snowden’s exposure of PRISM (the NSA’s intrusive surveillance program) should serve as a warning to us all, especially here in Israel. Today, the right to privacy can no longer be seen as the right to control one’s personal data as laid out in the General Data Protection Regulation (GDPR). Rather, the right to privacy is understood as a prerequisite condition for other human rights. While the bill is important, one cannot help but think that it may be the first stage in an unprecedented “big brother” scenario.

Legislators have to take the time to study cyber issues and the threats and opportunities that they pose. It is crucial that those who decide whether or not to pass the bill gain a deep understanding of the meaning of the right to privacy in a digital world. This knowledge will allow them to create a more balanced piece of legislation and in turn protect the rights of Israeli citizens.

The law states that one of its primary goals is to “advance Israel as a global leader in the field of cyber security.” Yet let us not forget that in a small country like Israel, driven by creativity, independence and thinking out-of-the-box, we would not be global leaders in cyber and technology without simultaneously protecting fundamental human rights.

20 Dec 2018

An inside look at Rivian’s EV ambitions from AI batteries to electric jet skis

For a CEO who insists his electric vehicle startup doesn’t want to be Tesla, Rivian founder RJ Scaringe can sound a lot like Elon Musk.

Just weeks before unveiling Rivian’s first vehicles — an all-electric pickup and a seven-seater SUV — at the LA Auto Show last month, Scaringe promised an impressive new battery technology and speculated about an electric jet-ski. He’s made other bold claims à la Musk, including that his company had developed an artificial intelligence charging system that “allows the battery to last … about three times longer than a traditional battery.”

There’s a method to, and a reason for, Scaringe’s promotional madness.

It’s a tough time to launch an EV startup. With a recession lurking around the corner and mainstream automakers promising to accelerate into the space, Rivian needs to show more than just a stylish brand and a half-empty bank account. TechCrunch has learned that Scaringe has a technology roadmap that includes regular reveals of new features, vehicles and partners, to lure in new business and keep pre-order customers happy while they wait for delivery in 2020.

For a start, Rivian’s AI will observe how new owners of its vehicles drive and charge their cars, and then adjust various parameters to maximize battery longevity. This might include not fully charging the battery for people who tend to drive only short distances in a day, although it would never reduce the total range available, Scaringe later told TechCrunch.

“We don’t make drastic adjustments over time,” he said. “We do this slowly as we learn more about you.”

Although Rivian could not provide evidence of a tripling of battery life, an EV battery expert contacted by TechCrunch confirmed that smart charging strategies could slow the deterioration of lithium-ion packs to some extent.

Rivian’s “AI batteries” could be integrated into other applications, such as electric jet-skis, snowmobiles and tractors built by partners, Scaringe said recently at an Economic Development Council meeting near the startup’s assembly plant in Normal, Ill.

“A significant part of our business is leveraging the technology we built around batteries and battery control systems to help electrify the things that move on our planet,” he said.

Scaringe told TechCrunch that Rivian is in the process of negotiating strategic partnerships with companies that might take a stake in the startup, as well as use its batteries and powertrain in their products.

Trademark applications filed by Rivian in October suggest the company is also planning to expand its own vehicle line-up. As well as the R1T pickup and R1S SUV announced in LA, Rivian has reserved the vehicle names R1A, R1C, R2A, R2C, R2R and R2S.

Scaringe admitted that Rivian has four additional “adventure” vehicles on its immediate roadmap, all using the same battery and powertrain system (dubbed a “skateboard”) as its pickup and SUV. The next two vehicles would be quite a bit smaller than the launch duo, and possibly include a rally car. Rivian is not working on a sedan to compete with Tesla’s Model 3, Scaringe said.

Rivian also trademarked the terms “tank turn” and “tank steer,” referring to independently moving wheels that can enable extremely tight turns. Scaringe confirmed that this feature would be available on the R1S, the R1T, and future quad-drive vehicles.

All of these plans — from the multiple models and AI batteries to the strategic partnerships and triple battery life — are ambitious for a company that has yet to demonstrate a moving vehicle, and is still about two years from producing its first vehicles.

A history of grand plans

But ambition has never been a problem for Scaringe. In 2010, he persuaded the state of Florida and Space Florida, the state’s aerospace economic development agency, to hand over $3.5 million to develop and produce a 60 miles per gallon sports car using advanced manufacturing techniques. Rivian even signed an agreement with NASA to test the high-speed car on the Shuttle Landing Facility at Kennedy Space Center.

Scaringe promised a factory in Florida that would employ 1,200 people by 2015, with a new automotive engineering course at the Florida Institute of Technology to produce the skilled workers required. Rivian did complete an initial technology demonstrator vehicle but neither the factory nor the jobs materialized.

“Although we did not get the manufacturing, we’re still very excited about the technology,” Dale Ketchum, VP of Space Florida, told TechCrunch. “We remain optimistic that some of their operations and technology and job generation will eventually occur in Florida.”

Space Florida continues to hold stock warrants in Rivian, issued as part of its grant.

By 2013, Rivian had pivoted to developing electric vehicles in Michigan, California, the UK, and, following the purchase of an ex-Mitsubishi plant in Normal in 2017, Illinois. Rivian has sought public funds there, too. It negotiated nearly $50 million in state tax credits by promising to create 1000 new full-time jobs in Illinois in 2024, and a package of around $4m in local credits.

These include the city of Normal handing over $1 million in cash after Rivian invests $20 million of its own money to refurbish the factory. The town will also provide security and landscaping services for the plant, and even remove snow from its driveways and parking lots for two years.

A bet on job growth

But while the economic benefits of Rivian’s promised jobs lie in the future, Normal is having to tighten its belt today. In February, the town noted that property tax abatements granted to Rivian would reduce its 2018-2019 operating fund by $74,900 and its library fund by $32,200. In March, Normal postponed plans for a new library indefinitely. Scaringe says Rivian currently has just 65 employees at the Normal facility.

The company says that it has also raised $450 million in capital and debt financing from investors, including Sumitomo Corporation of Americas. Its largest shareholder is Saudi conglomerate Abdul Latif Jameel, whose initial investment Scaringe secured while working on a Master’s degree at MIT.

Following a generally positive reception of its electric pickup and SUV at the LA Auto Show, and a subsequent flurry of $1,000 pre-orders, Rivian now faces the trickier task of bringing them into production in just two years.

Scaringe has promised that both vehicles will be capable of Level 3 autonomous highway driving – something that Tesla also has promised, but has yet to deliver. Although Rivian’s self-driving team is based in Silicon Valley, the company has yet to apply for an autonomous vehicle testing permit from the California DMV.

Scaringe said the company is testing on public roads in California, but in a way that does not require a permit. “We took the decision to be very quiet in stealth and stay below the radar,” he said. “But we will probably have to file for a permit, possibly in the next year.”

Developing and integrating such advanced technology so quickly will put even more pressure on Rivian’s aggressive development cycle. The first big adventure for Rivian’s innovative vehicles won’t be muddy tracks or forest roads, but in factories that are still worryingly empty.

20 Dec 2018

WhatsApp has an encrypted child porn problem

WhatsApp chat groups are being used to spread illegal child pornography, cloaked by the app’s end-to-end encryption. Without the necessary number of human moderators, the disturbing content is slipping by WhatsApp’s automated systems. A report reviewed by TechCrunch from two Israeli NGOs details how third-party apps for discovering WhatsApp groups include “Adult” sections that offer invite links to join rings of users trading images of child exploitation. TechCrunch has reviewed materials showing many of these groups are currently active.

TechCrunch’s investigation shows that Facebook could do more to police WhatsApp and remove this kind of content. Even without technical solutions that would require a weakening of encryption, WhatsApp’s moderators should have been able to find these groups and put a stop to them. Groups with names like “child porn only no adv” and “child porn xvideos” found on the group discovery app “Group Links For Whats” by Lisa Studio don’t even attempt to hide their nature. And a screenshot provided by anti-exploitation startup AntiToxin reveals active WhatsApp groups with names like “Children ???” or “videos cp” — a known abbreviation for ‘child pornography’.

A screenshot from today of active child exploitation groups on WhatsApp. Phone numbers and photos redacted. Provided by AntiToxin.

Better manual investigation of these group discovery apps and WhatsApp itself should have immediately led these groups to be deleted and their members banned. While Facebook doubled its moderation staff from 10,000 to 20,000 in 2018 to crack down on election interference, bullying, and other policy violations, that staff does not moderate WhatsApp content. With just 300 employees, WhatsApp runs semi-independently, and the company confirms it handles its own moderation efforts. That’s proving inadequate for policing a 1.5 billion-user community.

The findings from the NGOs Screen Savers and Netivei Reshe were written about today by The Financial Times, but TechCrunch is publishing the full report, their translated letter to Facebook, translated emails with Facebook, their police report, plus the names of child pornography groups on WhatsApp and group discovery apps that lead to them listed above. A startup called AntiToxin Technologies that researches the topic has backed up the report, providing the screenshot above and saying it’s identified more than 1300 videos and photographs of minors involved in sexual acts on WhatsApp groups. Given that Tumblr’s app was recently temporarily removed from the Apple App Store for allegedly harboring child pornography, we’ve asked Apple if it will temporarily suspend WhatsApp but have not heard back.

Uncovering A Nightmare

In July 2018, the NGOs became aware of the issue after a man reported to one of their hotlines that he’d seen hardcore pornography on WhatsApp. In October, they spent 20 days cataloging over 10 of the child pornography groups, their content, and the apps that allow people to find them.

The NGOs began contacting Facebook’s head of policy Jordana Cutler starting September 4th. They requested a meeting four times to discuss their findings. Cutler asked for email evidence but did not agree to a meeting, instead following Israeli law enforcement’s guidance to instruct researchers to contact the authorities. The NGO reported their findings to Israeli police but declined to provide Facebook with their research. WhatsApp only received their report and the screenshot of active child pornography groups today from TechCrunch.

Listings from a group discovery app of child exploitation groups on WhatsApp. URLs and photos have been redacted.

WhatsApp tells me it’s now investigating the groups visible from the research we provided. A Facebook spokesperson tells TechCrunch “Keeping people safe on Facebook is fundamental to the work of our teams around the world. We offered to work together with police in Israel to launch an investigation to stop this abuse.” A statement from the Israeli Police’s Head of the Child Online Protection Bureau Meir Hayoun notes that: “In past meetings with Jordana, I instructed her to always tell anyone who wanted to report any pedophile content to contact the Israeli police to report a complaint.”

A WhatsApp spokesperson tells me that while legal adult pornography is allowed on WhatsApp, it banned 130,000 accounts in a recent 10-day period for violating its policies against child exploitation. In a statement, WhatsApp wrote that:

“WhatsApp has a zero-tolerance policy around child sexual abuse. We deploy our most advanced technology, including artificial intelligence, to scan profile photos and images in reported content, and actively ban accounts suspected of sharing this vile content. We also respond to law enforcement requests around the world and immediately report abuse to the National Center for Missing and Exploited Children. Sadly, because both app stores and communications services are being misused to spread abusive content, technology companies must work together to stop it.”

But it’s that over-reliance on technology and subsequent under-staffing that seems to have allowed the problem to fester. AntiToxin’s CEO Zohar Levkovitz tells me “Can it be argued that Facebook has unwittingly growth-hacked pedophilia? Yes. As parents and tech executives we cannot remain complacent to that.”

Automated Moderation Doesn’t Cut It

WhatsApp introduced an invite link feature for groups in late 2016, making it much easier to discover and join groups without knowing any members. Competitors like Telegram had benefited as engagement in their public group chats rose. WhatsApp likely saw group invite links as an opportunity for growth, but didn’t allocate enough resources to monitor groups of strangers assembling around different topics. Apps sprang up to allow people to browse different groups by category. Some usage of these apps is legitimate, as people seek communities to discuss sports or entertainment. But many of these apps now feature “Adult” sections that can include invite links to both legal pornography sharing groups as well as illegal child exploitation content.

A WhatsApp spokesperson tells me that it scans all unencrypted information on its network — basically anything outside of chat threads themselves — including user profile photos, group profile photos, and group information. It seeks to match content against the PhotoDNA banks of indexed child pornography that many tech companies use to identify previously reported inappropriate imagery. If it finds a match, that account, or that group and all of its members, receive a lifetime ban from WhatsApp.

A WhatsApp group discovery app’s listings of child exploitation groups on WhatsApp

If imagery doesn’t match the database but is suspected of showing child exploitation, it’s manually reviewed. If found to be illegal, WhatsApp bans the accounts and/or groups, prevents the imagery from being uploaded in the future, and reports the content and accounts to the National Center For Missing And Exploited Children. The one example group reported to WhatsApp by the Financial Times was already flagged for human review by its automated system, and was then banned along with all 256 members.

To discourage abuse, WhatsApp says it limits groups to 256 members and purposefully does not provide a search function for people or groups within its app. It does not encourage the publication of group invite links and the vast majority of groups have six or fewer members. It’s already working with Google and Apple to enforce its terms of service against apps like the child exploitation group discovery apps that abuse WhatsApp. Those kinds of groups already can’t be found in Apple’s App Store, but remain available on Google Play. We’ve contacted Google Play to ask how it addresses illegal content discovery apps and whether Group Links For Whats by Lisa Studio will remain available, and will update if we hear back.

But the larger question is: if WhatsApp was already aware of these group discovery apps, why wasn’t it using them to track down and ban groups that violate its policies? A spokesperson claimed that group names with “CP” or other indicators of child exploitation are some of the signals it uses to hunt these groups, and that names in group discovery apps don’t necessarily correlate to the group names on WhatsApp. But TechCrunch then provided a screenshot showing active groups within WhatsApp as of this morning with names like “Children ???” or “videos cp”. That shows that WhatsApp’s automated systems and lean staff are not enough to prevent the spread of illegal imagery.

The situation also raises questions about the tradeoffs of encryption as some governments like Australia seek to prevent its usage by messaging apps. The technology can protect free speech, improve the safety of political dissidents, and prevent censorship by both governments and tech platforms. However, it can also make detecting crime more difficult, exacerbating the harm caused to victims.

WhatsApp’s spokesperson tells me that it stands behind strong end-to-end encryption that protects conversations with loved ones, doctors, and more. They said there are plenty of good reasons for end-to-end encryption and it will continue to support it. Changing that in any way, even to aid catching those that exploit children, would require a significant change to the privacy guarantees it’s given users. They suggested that on-device scanning for illegal content would have to be implemented by phone makers to prevent its spread without hampering encryption.

But for now, WhatsApp needs more human moderators willing to use proactive and unscalable manual investigation to address its child pornography problem. With Facebook earning billions in profit per quarter and staffing up its own moderation ranks, there’s no reason WhatsApp’s supposed autonomy should prevent it from applying adequate resources to the issue. WhatsApp sought to grow through big public groups, but failed to implement the necessary precautions to ensure they didn’t become havens for child exploitation. Tech companies like WhatsApp need to stop assuming cheap and efficient technological solutions are sufficient. If they want to make money off of huge user bases, they must be willing to pay to protect and police them.

20 Dec 2018

App downloads across iOS & Google Play up 10% to 113B in 2018, consumer spend tops $76B

The app economy is continuing to grow, both in terms of app downloads and consumer spending. According to preliminary year-end data shared by App Annie, the number of global app downloads in 2018 will surpass 113 billion, up 10 percent from last year. Consumer spending in apps has grown even quicker – it’s up 20 percent year-over-year to surpass $76 billion worldwide.

The app intelligence firm came to these figures by analyzing data across both Apple’s iOS App Store and Google Play, up until December 15, 2018. It doesn’t include the third-party Chinese app stores, which would make the figures even higher.

The rest of this month may see the numbers increase a bit – especially as people unwrap new smartphones over the holidays, then download and buy apps. However, the numbers should still be in the general ballpark. App Annie will release a full “State of Mobile” report in January, after the holidays conclude and the final numbers are crunched.

The firm attributed the continued increase in consumer spending to mobile games, which are the most popular and profitable gaming format, it says.

In 2018, the mobile gaming market matured with hits like Fortnite, PUBG, and Roblox taking advantage of more capable specs on smartphones, as well as the trend towards cross-platform gaming. App Annie analysts predict we’ll see more of the same in 2019, as smartphones continue to be capable of supporting more complex, console-quality multiplayer games than in years past.

On the flip side, hyper-casual games did well this year, too – even hitting the year-end top charts both in terms of downloads and consumer spend.

Subscriptions also helped to drive up consumer spend in 2018, with App Annie having already forecast the app stores (including third-party stores in China) will pass $122 billion in 2019, thanks to a combination of gaming and subscriptions driving the growth.

App Annie noted that mobile was sucking up more of people’s time in 2018, as well.

In 2018, the average smartphone user in the U.S. spent nearly 3 hours each day in apps, up 10 percent from 2017 and up 20 percent from 2016.

The firm released the Top Charts across both app stores for 2018, with Messenger receiving the most downloads out of all apps, excluding games, and Helix Jump being the most downloaded game. Fate/Grand Order generated the most revenue out of all games, while Netflix generated the most out of non-games.

20 Dec 2018

FBI kicks some of the worst ‘DDoS for hire’ sites off the internet

The FBI has seized the domains of 15 high-profile distributed denial-of-service (DDoS) websites, after a co-ordinated effort by law enforcement and several tech companies.

Several seizure warrants granted by a California federal judge went into effect Thursday, removing several of these “booter” or “stresser” sites from the internet “as part of coordinated law enforcement action taken against illegal DDoS-for-hire services.” The orders were granted under federal seizure laws, and the domains were replaced with a federal notice.

Prosecutors have charged three men, Matthew Gatrel and Juan Martinez in California and David Bukoski in Alaska, with operating the sites, according to affidavits filed in three U.S. federal courts, which were unsealed Thursday.

The FBI had assistance from the U.K.’s National Crime Agency and the Dutch national police.

Several companies, including Cloudflare, Flashpoint, and Google, were named by the Justice Department for providing authorities with additional assistance.

“DDoS for hire services such as these pose a significant national threat,” U.S. Attorney Bryan Schroder said in a statement. “Coordinated investigations and prosecutions such as these demonstrate the importance of cross-District collaboration and coordination with public sector partners.”

In all, several sites were knocked offline — including downthem.org, netstress.org, quantumstress.net, vbooter.org, defcon.pro and more — which allowed would-be attackers to sign up and rent time and servers to launch large-scale bandwidth attacks against systems and servers.

DDoS attacks have long plagued the internet as a by-product of faster connection speeds and easy-to-exploit vulnerabilities in the underlying protocols that power the internet.

Through its Internet Crime Complaint Center (IC3), the bureau warned over a year ago of the risks from booter and stresser sites. While many use them for legitimate services — to test the resilience of a corporate network from DDoS attacks — many have used them to launch large-scale attacks that can knock networks offline. When those networks support apps and services, those too can face downtime — in some cases affecting millions of users.

Specifically, in the complaint, the Justice Department alleged that Downthem had more than 2,000 customer subscriptions and had been used to carry out over 200,000 attacks.

Some of the sites named in the indictments reported attacks exceeding 40 gigabits per second, large enough to knock some websites offline for a period of time. Booter sites have largely fallen by the wayside in favor of larger attacks, such as the botnet-powered attack that knocked Dyn, a major internet powerhouse relied on by many tech companies, offline.

Thursday’s seizures mark the latest in a string of law enforcement actions aimed at booter services. Earlier this year, U.S. and European authorities took down webstresser.org, which prosecutors claimed helped launch more than six million attacks.

When reached, the FBI did not comment beyond the Justice Department’s statement.

20 Dec 2018

Firefox Focus adds support for enhanced tracking protection and Google’s Safe Browsing service

Firefox Focus for Android and iOS is Mozilla’s privacy-centric mobile browser. Today, the organization stepped up its promise of keeping its users’ data private by adding a new privacy feature to the browser, as well as a few other new tools.

The main new addition here is support for Enhanced Tracking Protection. This feature first launched in Firefox for the desktop. It allows you to block cookies and trackers with a bit more granularity than was previously possible. Until now, Focus blocked all cookies by default. Now, however, you can choose to either continue doing that — but with the risk of sites breaking every now and then — or opt to allow third-party cookies or only third-party tracking cookies. Mozilla uses Disconnect’s Tracking Protection list to power this feature.

“This enables you to allow cookies if they contribute to the user experience for a website while still preventing trackers from being able to track you across multiple sites, offering you the same products over and over again and recording your online behavior,” Mozilla explains.

Mozilla also today announced that Firefox Focus now checks all URLs against Google’s Safe Browsing service to ensure that users don’t click on known phishing links or open other fraudulent sites. While using a Google tool may seem a bit odd, given that Firefox and Chrome are competitors, it’s worth noting virtually every browser makes use of Safe Browsing (and that Mozilla pulls in a lot of revenue from its search engine deal with Google).

In addition, iOS users who opt for Firefox Focus will now be able to get search suggestions, too, just like their friends on Android. There’s a privacy trade-off here, though, as everything you’re typing is sent directly to the likes of Google for offering you those suggestions. Since the focus of this browser is privacy, the feature is turned off by default, though.

20 Dec 2018

Apple’s AI boss has been bumped up to the company’s executive team

Apple has just confirmed that John Giannandrea, the ex-Googler machine learning veteran who joined the company back in April, has joined the likes of Tim Cook, Jony Ive, Eddy Cue and Angela Ahrendts on the executive team.

His role on the executive team will be “Senior Vice President of Machine Learning and Artificial Intelligence Strategy,” signaling just how key AI and machine learning will be to Apple moving forward.

Giannandrea has been leading Apple’s Siri and Core ML team for months, bringing the two previously distinct teams together under one leader.

Prior to Apple, Giannandrea spent eight years leading the AI push at Google; as of 2016, he was leading the search team, as well.

We spoke to Giannandrea at TechCrunch Disrupt shortly before he parted ways with Google.

20 Dec 2018

Gift Guide: 12 really useful gifts for the friends who just had a baby

Welcome to TechCrunch’s 2018 Holiday Gift Guide! Need more gift ideas? Check out our Gift Guide Hub.

Buying the right stuff as a new parent is tough. Buying the right things for a new parent? Even harder.

There’s just way, way too much junk out there marketed at new parents. A lot of it seems useful until you realize it’s just taking up space.

As it turns out, Team TechCrunch had a lot of babies this year. Really — backstage at TechCrunch Disrupt SF was like a lil’ temporary nursery. I chatted with the new moms and dads of TechCrunch (past and present) to figure out the things that helped them the most in the early months.

We won’t get into things like carriers and car seats and strollers; those are pretty personal, and there’s no one-size-fits-all recommendation. Instead we focused on the things that surprised us with their usefulness. Some of them aren’t necessarily marketed toward parents, but make their lives easier. Some are things they didn’t think they’d need, but ended up using on the daily.

Here are some of the things that came up most:

Headrest mirror

Age range: until the baby is moved to a forward facing car seat

For the first stretch of a baby’s life, their carseat is supposed to face the rear of the car. That means, of course, that you can’t see your baby in the rearview. That’s no fun.

These plastic (so no glass shards if it somehow breaks) headrest mirrors bring the baby back into view. I thought it was just comforting to us, until we were traveling and using a rental car. Our baby, who always seems to love car rides, was suddenly upset any time we placed him in the rental. We eventually realized it’s because his friend — the baby in the mirror — was nowhere to be found. As soon as the mirror was back, he was happy again.

We use the Go by Goldbug ($12). It’s easy to install, adjust, and move from car to car, and it feels super secure once it’s in place.

Philips Hue Bulbs

Age range: All ages.

We’ve had Philips Hue bulbs in our house for a few years, but I honestly can’t believe how useful they’ve been since our baby arrived. Being able to turn on the light from your phone when the baby cries without going across the room to the switch? Magic. Being able to dim the light a bit with your voice (with the help of something like Google Home or an Amazon Echo) when your arms are occupied by an upset newborn? Sorcery.

A 2-bulb starter kit (including the required hub) goes for $70 on Amazon.

(There are lots of alternatives to Hue at this point, many of them cheaper. I like Hue because of the flexibility provided by the Hue line’s extensive options/accessories, because it works with Apple’s HomeKit and Google’s Home, and because the app is nice and stable.)

Portable/Moveable Philips Hue Switch

Age range: All ages.

If you get the bulbs above, grab one of these Philips Hue Tap switches ($44 on Amazon) too.

I’ve probably poked this goofy little hockey puck a thousand times in the past four months.

That example I used earlier with the light switch being on the other side of the room? That’s my life. This thing, however, lets me bring a light switch anywhere; in our case, my wife and I each have one stuck on our nightstand. It has four buttons, each of which can set a Hue light to a different preset (like bright/dim/even dimmer/off). It lets me turn the light to just the right level of brightness without waking anyone up, without looking for my phone, and without wandering across the room in the dark.

Oh, and the neatest part: it doesn’t need batteries. The action of pressing a button charges it up just enough to send the command to the Hue bulb.

Portable white noise machine

Age range: First year, at least.

White noise (think the sound of radio static) helps some babies fall asleep, and sleep more soundly.

There’s about a thousand options for bringing white noise on the go, but the Cloud b Sleep Sheep ($32) has become my go-to.

It turns off automatically after 45 minutes, has an adjustable volume level, has velcro tabs to hook it onto a stroller, and multiple melodies/sound options like ocean sounds and lullabies in case the white noise gets tiring. And when it’s not in use? It just looks like a cute stuffed animal, rather than a whacky techno doodad. It requires two AA batteries, so consider also buying them some rechargeables.

Google Home/Amazon Echo

Like the Hue Bulbs, usage of my Google Home ($100) has skyrocketed since our baby came along.

Got a baby on the edge of falling asleep? Hey Google, play rain noises.

Want to watch your shows but the baby is already nursing in your arms? Hey Google, play The Good Place on the upstairs TV.

Hey Google, add “freezable teethers” to my shopping list. Hey Google, play lullabies from Spotify. Hey Google, dim the lights.

(Amazon Echos are a totally solid alternative. I like Google Home because it plays friendly with Chromecast, but if the recipient is more a Fire TV fan, go with the Echo)

A (more secure!) baby monitor

Age range: Any age, but extra useful in the first year or two.

Baby monitors are great! Sometimes it feels like baby’s naps are the only times in which you can get anything done, but you still want to keep an eye on them.

Unfortunately, a lot of baby monitors are insecure junk (see Rapid7’s report on baby monitor security here) requiring anyone who might want to eavesdrop into your house to use only the most basic of tools (like, say, another baby monitor.)

One option is to use a Nest camera ($199) as a baby monitor — especially if the house already has Nest cams set up elsewhere. Built by Google and battle tested by countless security researchers, it’s pretty dang secure. It’s not built specifically to work as a baby monitor, but it’s nice that it can just be used as a security camera once it completes its baby monitor duties.

Want something a bit more baby-focused? A few TechCrunchers use Nanit. The base model ($229) does HD Audio/Video, IR-based night vision, plus some neat bonus tricks like sleep tracking and temperature/humidity sensing. A slightly more expensive Plus model ($279) brings in two-way audio, if that’s a thing you want.

And, as a huge plus, the company is pretty open about their security practices and self-auditing efforts.

Instant Pot

Age range: Any

When baby comes, free time becomes a precious commodity. It becomes way easy to fall back to microwaveable meals or DoorDash every night. And hey, no judgement! If you’re finding time to eat most meals, you’re doing just fine.

But when you feel like making something for yourself but want it to be tasty and fast and relatively easy to clean up, pressure cooking is a great option. InstantPot ($80 – $100, depending on the size) makes pressure cooking less daunting — prep ingredients, pop them in, close the lid, press a button.

Get’em a good pressure cooking recipe book too, while you’re at it.

Meal delivery Kits

Age range: Extra useful in the first few months, but ask ahead

See above. If finding time to cook is hard, finding time to shop might feel impossible.

Meal delivery kits like Blue Apron and Sunbasket (both of which I used, the latter of which I ended up preferring) bring the ingredients to you, taking the least fun step out of the cooking process. They’ve boiled the instructions down to just a page or so, with most of the meals taking about an hour to do right. One month of meal deliveries will cost around $200-$250, depending on which service you go with.

As for which service to go with: this is the kind of gift that you want to consult the gift recipient about before. There are all kinds of different options now, with services that tailor to everything from veggie to keto to gluten-free. Don’t go sending them three months of meat if they’re herbivores, you know?

A really good protective phone case

Age range: Literally any time before or after the baby arrives

I’ve asked a bunch of friends about this, and it seems wildly common: when the baby comes along, suddenly your phone gets dropped 10x as much. When the baby starts crying, it’s easy to forget that your phone was sitting on your lap before you stood up. And when the baby gets older, they will grab your phone and throw it off the table.

A good phone case — something that beefs up the phone without adding a ton of bulk, like an Otterbox Defender ($50) or a LifeProof Slam ($50) — will save your friends hundreds of dollars in screen replacements.

Snoo

Age range: Newborn to “about 6 months” says the company (our son grew out of it at around 4.5 months)

Let’s just get this out of the way: $1,200 for a bassinet is a little bananas. That’s one helluva expensive gift.

With that said, the Snoo is… just wonderful. Invented by pediatrician Harvey Karp (author of The Happiest Baby on the Block) and designed by Yves Béhar, it detects when a sleeping baby is starting to fuss, and plays a bit of white noise to try to shush’em back to sleep. If the baby continues to cry, it’ll gently rock them for a few minutes, gradually increasing the rocking through two additional stages. Baby still crying? It turns off and buzzes your phone in the off chance you’re somehow still asleep. It’s by no means a substitute for loving arms providing snuggles and warmth in the middle of the night — but when a baby is still in the early days of figuring out how to transition between sleep stages and is accidentally waking themselves up in the middle of the night, the Snoo might help everyone get a bit more sleep. Plus, the built-in swaddling system keeps the baby on their back while sleeping (as recommended by the American Academy of Pediatrics)

We went 50/50 on ours with some close friends who were having a baby a few months before us, and it worked out just perfect — our son came along just as their son was growing out of it. Our son is just about to grow out of it and into a bigger crib… and, well, we’re gonna miss the Snoo.

Fisher-Price Rock ‘n Play

Age range: Until a baby is 25lbs or can pull up or sit up unassisted, says the manual.

This is one of the few things we bought, fell in love with, then bought another. When the crib is in another room and you just need a place for the baby to lay back and hang out for a few, the Rock ‘n Play (~$60) is fantastic. It can gently rock the baby and play white noise (but, unlike the Snoo, it’s constant — not just when the baby is fussing). It’s great for smaller homes/apartments, with a relatively small footprint and a super lightweight design that can fold right up when it’s not in use.

Keekaroo Peanut Changing Pad

Age range: Newborn to around 3 years

Before our baby arrived, I didn’t quite understand why I needed a $100+ cushion for our changing table. Any flat surface will do, right?

Turns out, babies are wiggle worms. They don’t understand why you’re pulling them out of their nice cozy crib just to set them on a cold table. Nor do they understand that falling from a few feet up would be bad news for everyone. They’ll roll right off, given the chance.

The Keekaroo Peanut helps make the changing table a bit more comfy, but also gives you a buckling strap and raised edges to help keep your lil’ acrobat from tumbling off (You still need to stay close to the table, of course.) It’s also SUPER easy to clean, thanks to the water-resistant surface.



20 Dec 2018

Lyft is getting more serious about autonomous vehicle safety with new hire

Lyft today announced the hiring of John Maddox, founder of the American Center for Mobility and previous associate administrator of vehicle safety research at the US Department of Transportation, to lead its autonomous vehicle safety and compliance efforts. At Lyft, Maddox will be the company’s first senior director of autonomous safety and compliance.

“I’ve dedicated my career to advancing safe mobility technologies. Joining Lyft is a continuation of that effort, and I’m excited to be part of such a talented and energized team that’s leading the way in redefining the automotive industry and future of transportation,” Maddox said in a statement.

In Lyft’s recently-launched office of autonomous safety and compliance, Maddox will oversee the company’s safety efforts in bringing self-driving cars to the masses.

Lyft first launched its self-driving car division in July 2017. Since then, Lyft has partnered with Drive.ai as well as with tier-one automotive industry supplier Magna on autonomous vehicle technology. Magna also invested $200 million in Lyft in exchange for an equity stake.