Year: 2018

08 Oct 2018

Here’s how Google is revamping Gmail and Android security

Eager to change the conversation from their years-long exposure of user data via Google+ to the bright, shining future the company is providing, Google has announced some changes to the way permissions are approved for Android apps. The new process will be slower, more deliberate and hopefully secure.

The changes are part of “Project Strobe,” a “root-and-branch review of third-party developer access to Google account and Android device data and our philosophy around apps’ data access.” Essentially they decided it was time to update the complex and likely not entirely cohesive set of rules and practices around those third-party developers and API access.

One of those roots (or perhaps branches) was the bug discovered inside Google+, which theoretically (the company can’t tell if it was abused or not) exposed non-public profile data to apps that should have received only a user’s public profile. This, combined with the fact that Google+ never really justified its own existence in the first place, led to the service essentially being shut down. “The consumer version of Google+ currently has low usage and engagement,” Google admitted. “90 percent of Google+ user sessions are less than five seconds.”

But the team doing the review has plenty of other suggestions to improve the process of informed consent to sharing data with third parties.

The first change is the most user-facing. When an application wants to access your Google account data — say your Gmail, Calendar and Drive contents for a third-party productivity app — you’ll have to approve each one of those separately. You’ll also have the opportunity to deny access to one or more of those requests, so if you never plan on using the Drive functionality, you can just nix it and the app will never get that permission.

These permissions can also be delayed and gated behind the actions that require them. For instance, if this theoretical app wanted to give you the opportunity to take a picture to add to an email, it wouldn’t have to ask up front when you download it. Instead, when you tap the option to attach a picture, it would ask permission to access the camera then and there. Google went into a little more detail on this in a post on its developer blog.

Notably there is only the option to “deny” or “allow,” but no “deny this time” or “allow this time,” which I find to be useful when you’re not totally on board with the permission in question. You can always revert the setting manually, but it’s nice to have the option to say “okay, just this once, strange app.”

The changes will start rolling out this month, so don’t be surprised if things look a little different next time you download a game or update an app.

The second and third changes have to do with limiting which data from your Gmail and messaging can be accessed by apps, and which apps can be granted access in the first place.

Specifically, Google is restricting access to these sensitive data troves to apps “directly enhancing email functionality” for Gmail and your default calling and messaging apps for call logs and SMS data.

There are some edge cases where this might be annoying to power users; some have more than one messaging app that falls back to SMS or integrates SMS replies, and this might require those apps to take a new approach. And apps that want access to these things may have trouble convincing Google’s review authorities that they qualify.

Developers also will need to review and agree to a new set of rules governing what Gmail data can be used, how they can use it and the measures they must have in place to protect it. For example, apps are not allowed to “transfer or sell the data for other purposes such as targeting ads, market research, email campaign tracking, and other unrelated purposes.” That probably puts a few business models out of the running.

Apps looking to handle Gmail data will also have to submit a report detailing “application penetration testing, external network penetration testing, account deletion verification, reviews of incident response plans, vulnerability disclosure programs, and information security policies.” No fly-by-night operations permitted, clearly.

There also will be additional scrutiny on what permissions developers ask for to make sure it matches up with what their app requires. If you ask for Contacts access but don’t actually use it for anything, you’ll be asked to remove that, as it only increases risk.

These various new requirements will go into effect next year, with application review (a multi-week process) starting on January 9; tardy developers will see their apps stop working at the end of March if they don’t comply.

The relatively short timeline here suggests that some apps may in fact shut down temporarily or permanently due to the rigors of the review process. Don’t be surprised if early next year you get an update saying service may be interrupted due to Google review policies or the like.

These changes are just the first handful issuing from the recommendations of Project Strobe; we can expect more to appear over the next few months, though perhaps not such striking ones. To say Gmail and Android apps are widely used is something of an understatement, so it’s understandable that they would be focused on first, but there are many other policies and services the company will no doubt find reason to improve.

08 Oct 2018

Machinify raises $10 million to help businesses use AI to monetize data

Data is valuable — if you know how to access it and reap the insights from it. That’s where Machinify comes in. The artificial intelligence company just raised a $10 million Series A round led by Battery Ventures with participation from GV and Matrix Partners.

“Our core notion is that today, enterprises are collecting a ton of data,” Machinify founder and CEO Prasanna Ganesan told TechCrunch. “But if you look at how many of them are successful in turning it into smarter decision-making to drive efficiency, very few companies are succeeding.”

With Machinify, enterprise customers feed the system raw data, specify what they’re trying to optimize for — whether that be revenue or some other goal — and then the machine figures out what to do from there. Based on past decisions, the machine can figure out the right thing to do, Ganesan said.

A good example of how companies use Machinify is in the healthcare space, where businesses are using the tool to increase the accuracy and speed with which they process claims. By doing so, these companies have been able to increase revenue and reduce costs.

“Machinify is laser-focused on the critical operational issues created by the deployment of what we often call Software 2.0 within enterprises,” GV general partner Adam Ghoborah said in a statement. “Software 2.0 is software that is not written by humans like traditional software but is dynamically driven by AI models and large enterprise datasets. Software 2.0 requires a completely different approach, and we believe that the Machinify platform holds the key to unlocking its value.”

08 Oct 2018

Google+ to shut down after coverup of data breach

Google is about to have its Cambridge Analytica moment. A security bug allowed third-party developers to access Google+ user profile data from 2015 until Google discovered and patched it in March, but the company decided not to inform the world. When a user gave permission to an app to access their public profile data, the bug also let those developers pull their and their friends’ non-public profile fields. 496,951 users’ full names, email addresses, birth dates, gender, profile photos, places lived, occupation and relationship status were potentially exposed, though Google says it has no evidence the data was misused by the 438 apps that could have had access.

The company decided against informing the public because it would lead to “us coming into the spotlight alongside or even instead of Facebook despite having stayed under the radar throughout the Cambridge Analytica scandal” according to an internal memo. Now Google+, which was already a ghost town largely abandoned or never inhabited by users, has become a massive liability for the company.

The news comes from a damning Wall Street Journal report that said Google is expected to announce a slew of privacy reforms today in response to the breach. Google made that announcement about the findings of its Project Strobe security audit minutes after the WSJ report was published. The changes include stopping most third-party developers from accessing Android phone SMS data, call logs, and some contact info. Gmail will restrict building add-ons to a small number of developers. Google+ will cease all its consumer services while winding down over the next 10 months, with an opportunity for users to export their data while Google refocuses on making G+ an enterprise product.

Google will also change its Account Permissions system for giving third-party apps access to your data such that you have to confirm each type of access individually rather than all at once. Gmail Add-Ons will be limited to those “directly enhancing email functionality”, including email clients, backup, CRM, mail merge, and productivity tools.

90 percent of Google+ sessions were less than 5 seconds

Embarrassingly, Google admits that “This review crystallized what we’ve known for a while: that while our engineering teams have put a lot of effort and dedication into building Google+ over the years, it has not achieved broad consumer or developer adoption, and has seen limited user interaction with apps. The consumer version of Google+ currently has low usage and engagement: 90 percent of Google+ user sessions are less than five seconds.” For more on G+’s demise, read our 2014 take on the beginning of the end.

Since the bug and subsequent security hole started in 2015 and was discovered in March before Europe’s GDPR went into effect in May, Google will likely be spared a 2 percent of global annual revenue fine for failing to disclose the issue within 72 hours. The company could still face class-action lawsuits and public backlash. On the bright side, G+ posts and messages, Google account data and phone numbers, and G Suite enterprise content weren’t exposed.

The fiasco could thrust Google into the same churning sea of scrutiny currently drowning Facebook, just as the company feared. Google has managed to float above much of the criticism leveled at Facebook and Twitter, in part by claiming it’s not really a social network. But now its failed Facebook knock-off from seven years ago could drag down the search giant and see it endure increasing calls for testimony before Congress and regulation.

08 Oct 2018

In letter to Congress, Apple sends strongest denial over ‘spy chip’ story

Apple has doubled down on its repudiation of Bloomberg’s report last week that claimed its systems had been compromised by Chinese spies.

The blockbuster story cited more than a dozen sources claiming that China installed tiny chips on motherboards built by Supermicro, which companies across the U.S. tech industry — including Amazon and Apple — have used to power servers in their datacenters. Bloomberg’s report also claimed that the chip can reportedly compromise data on the server, allowing China to spy on some of the world’s most powerful tech companies.

Now, in a letter to Congress, Apple’s vice president of information security George Stathakopoulos sent the company’s strongest denial to date.

“Apple has never found malicious chips, ‘hardware manipulations’ or vulnerabilities purposely planted in any server,” he said. “We never alerted the FBI to any security concerns like those described in the article, nor has the FBI ever contacted us about such an investigation.”

It follows a statement by both the U.K. National Cyber Security Center and U.S. Homeland Security stating that they had “no reason to doubt” statements by Apple, Amazon and Supermicro denying the claims.

Stathakopoulos added that Apple “repeatedly asked them to share specific details about the alleged malicious chips that they seemed certain existed, they were unwilling or unable to provide anything more than vague secondhand accounts.”

Apple’s statement is far stronger than its earlier remarks. A key detail missing in the Bloomberg story is that its many sources, albeit anonymous, provided the reporters with a firsthand account of the alleged spy chips.

Without any evidence that the chips exist beyond eyewitness accounts and sources, Bloomberg’s story remains on shaky grounds.

08 Oct 2018

Humbition is a new fund led by Indiegogo’s Slava Rubin

Zocdoc founder Cyrus Massoumi and Indiegogo founder Slava Rubin have created a new $30 million fund called Humbition aimed at early stage, founder-led companies in New York.

“The fund is focused on connecting startups with investors and advisors experienced in building and growing successful businesses,” said Rubin.

“We are seeking to fill a void in NYC, where the vast majority of early stage investors have no significant experience building and scaling businesses,” he said. “The fund’s main areas of investment include marketplaces, consumer and health tech. But the primary criteria for investments is high quality founders. The fund is also seeking out mission-driven businesses because the companies that are socially responsible will be the most successful in the coming decades.”

The fund has brought on ClassPass founder Payal Kadakia, Warby Parker founder Neil Blumenthal, Charity: Water CEO and founder Scott Harrison, and Casper founder and CEO Philip Krim as advisors. They have already invested some of the $30 million raise in Burrow, a couch-on-demand service.

“New York City is home to a tremendous number of mission-driven startups that are simply not receiving the same level of support as their peers in the Bay Area. This void presents a unique opportunity for humbition to reach the incredible local talent who need the funding and guidance to build and grow their businesses in New York City,” said Rubin.

08 Oct 2018

Shopify rolls out fraud protection to U.S. merchants

Large e-commerce businesses have systems in place to fight online fraud, but smaller sellers with their own storefronts don’t always have the same advantages. Today, e-commerce platform Shopify is aiming to change that with its rollout of Fraud Protect for Shopify Payments. The service is initially available in the U.S.

The company had announced its plans to introduce fraud protection earlier this year at its Unite conference in Toronto, where it also debuted marketing app Shopify Ping and support for sellers managing inventory across multiple stores, among other things.

The company’s goal with anti-fraud systems is to protect online sellers against fraudulent chargebacks.

Shopify says its experience in processing millions of orders across its platform has allowed it to develop fraud detection technology that has the ability to accurately determine which orders are considered fraudulent. Its algorithms will now analyze incoming orders and decide if an order should be set as “protected.” If a fraudulent chargeback on a protected order then occurs, Shopify says it will automatically reimburse the merchant.

Before, merchants would have to manually review orders for fraud, which could be difficult – especially for smaller sellers who don’t know what to look for.

However, Shopify says the system isn’t just for the mom-and-pop merchants – it can aid bigger businesses, too, as it means lower operating costs.

Often, if merchants can’t handle fraud detection in-house, they’ll work with a partner who specializes in this technology. For example, Shopify competitor Bigcommerce integrates with Signifyd, an automated fraud detection service which merchants can opt to use.

In Shopify’s case, it’s offering the technology directly to its merchant partners – meaning it’s managing the risk itself, and eating the loss involved with fraudulent transactions, as needed. That could be a big selling point in its favor when merchants are looking for a home to set up their online storefront.

“We talk to merchants every day and one of the recurring themes we often encounter is the amount of time and effort they put into preventing fraud, and the anxiety and turmoil they put up with when dealing with a chargeback on an order they’ve already shipped,” said Andre Lyver, Head of Financial Solutions at Shopify, in a statement. “With Fraud Protect, merchants will never have to think about fraud and chargebacks. They can fulfill all of their orders with peace of mind, knowing that Shopify has them covered if the order is fraudulent,” Lyver added.

The pricing for the service will vary, Shopify tells us, but will be a small percentage of the order amount that’s protected.

The company says it’s rolling out Fraud Protect to a select group of U.S. merchants to start, who will be notified via email as well as with a notification within Shopify. It plans to expand the service to more merchants in the near future.

08 Oct 2018

Fortnite maker buys anti-cheat software company

Epic’s gotta do something with the money it’s printing through Fortnite purchases. Acquisitions appear to be at the top of that list, starting with Kamu, the Finnish startup behind Easy Anti-Cheat.

Epic has already deployed the anti-cheat software for its wildly popular sandbox survival game — it’s been a central piece of the gaming company’s strong anti-cheating stance. It is, as CEO Tim Sweeney puts it in the press release announcing the acquisition, “key to building a vibrant Fortnite multiplayer experience that’s fair for all players.”

Fortnite isn’t the only title currently leveraging Kamu’s best-known offering. The startup says Easy Anti-Cheat is currently used by north of 80 games, installed on 100 million PCs globally. Chances are pretty decent that if you’ve played a big name title in the past year, it’s already on your computer.

Kamu will continue to provide its service to non-Epic titles for the time being. Here’s Kamu CEO Simon Allaeys from the same release, “Joining the Epic family is not only a childhood dream come true, but a huge boost for our mission to help developers create beautiful gaming experiences. Battling cheating in games was just the start; today our products also help developers stay competitive by identifying player needs as quickly as they emerge.”

The acquisition also affords Epic the opportunity to set up shop in Kamu’s native Helsinki. Terms of the deal were not disclosed.

08 Oct 2018

Google Slides gets real-time automated captions

Google is adding an interesting new feature to its Slides presentation tool today that allows you to add real-time automated captions to your live presentations. That’s a great feature for those who are hard of hearing or deaf, as well as those who understand better when they can read instead of listen.

The new feature comes from the same accessibility team that previously introduced improved screen readers, Braille and screen magnifier support to Google Docs, Sheets and Slides. The automated captioning project started at an internal hackathon and is now rolling out to all Slides users who use U.S. English as their default language and Chrome as their browser. Over time, Google plans to enable this feature for other languages, too.

To turn on this feature you simply press the new “CC” button on the Slides navigation box and then use your computer’s microphone like always.

While this is mostly an accessibility feature, it’s also a nice way of creating a written transcript of a presentation that can then be used for other purposes after the presentation is over.

It’s worth noting that Microsoft recently introduced similar caption/transcription support for live meetings in its Teams product. Google, AWS and Microsoft all offer their speech-to-text technology as APIs for developers, too, and a number of developers are now starting to build similar features into their applications based on these services.

08 Oct 2018

Microsoft announces an Xbox game streaming service

A week after Google launched a game streaming service Project Stream in beta, Microsoft’s touting its own take on the category. Project xCloud is, naturally, an Xbox game streaming service, designed to bring the console’s titles to a slew of different platforms.

Outlined via blog post, the service is the latest to offer gamers the promise of cross-platform autonomy, bringing CPU-heavy titles to the PC and mobile devices. Public trials of the service will kick off next year. For now, the company is busily recruiting developers to bring content to the service and testing in private beta.

Those tests involve running titles on smartphones and tablets, played with Bluetooth Xbox controllers or via touch. The latter, naturally, presents its own sorts of challenges. Games developed for complex consoles don’t necessarily translate to touch.

Says Microsoft,

Cloud game-streaming is a multi-faceted, complex challenge. Unlike other forms of digital entertainment, games are interactive experiences that dynamically change based on player input. Delivering a high-quality experience across a variety of devices must account for different obstacles, such as low-latency video streamed remotely, and support a large, multi-user network. In addition to solving latency, other important considerations are supporting the graphical fidelity and framerates that preserve the artist’s original intentions, and the type of input a player has available.

For now, the service is far from public. Microsoft certainly has the hardware/gaming/enterprise expertise to pull it off, but execution is still a ways off, unlike Google’s recent Assassin’s Creed Odyssey demo, which is currently being offered in public beta. 

08 Oct 2018

UK Uber drivers to stage 24 hour strike over pay and conditions

A UK union that represents the interests of Uber drivers has called a 24 hour strike for tomorrow.

Ride-hailing giant Uber may not be comfortable thinking of the people who do the driving on its platform as workers but, in 2016, a UK employment tribunal ruled against its classification of a group of then current and former drivers as independent contractors after they brought a legal challenge; and again in 2017 when Uber lost its first appeal against the tribunal ruling.

Though Uber’s appeal continues.

Today one of the unions that campaigns on behalf of individuals providing labor on so-called ‘gig economy’ platforms, the Independent Workers Union of Great Britain (IWGB), announced the strike action by Uber drivers.

It said Uber drivers are demanding an end to unfair deactivations (described by the union as ‘de facto dismissals’); an increase in fares to £2 per mile (vs the current rate of £1.25p/m in London); a 10% reduction in commissions paid by drivers to Uber (currently 25% for UberX); and calling for Uber to immediately apply the tribunal judgement and implement “employment conditions that respect worker rights for drivers, including the payment of at least the minimum wage and paid holidays”.

The union argues Uber drivers should be classified as Limb (b) workers under UK law, rather than ‘independent contractors’ as the company claims.

It’s asking Uber users to respect the strike and not use the app tomorrow.

The chair of the IWGB’s United Private Hire Drivers branch is James Farrar, who was one of the former Uber drivers who brought the 2016 tribunal action against the company.

Commenting in a statement he said: “After years of watching take home pay plummet and with management bullying of workers on the rise, workers have been left with no choice but to take strike action. We ask the public to please support drivers by not crossing the digital picket line by not using the app during strike time.”

The 24 hour strike will take place on October 9, from 1pm, in London, Birmingham and Nottingham.

The IWGB said participating drivers will stage protests outside Uber’s offices in all three cities at the start of the strike.

In a response statement emailed to TechCrunch an Uber spokesperson told us:

“We are always looking to make improvements to ensure drivers have the best possible experience and can make the most of their time driving on the app. That’s why over the last few months we’ve introduced dozens of new features, including sickness, injury, maternity and paternity protections. An academic study last month found that drivers in London make an average of £11 an hour, after accounting for all of their costs and Uber’s service fee. We continue to look at ways to help drivers increase their earnings and our door is always open if anyone wants to speak to us about any issues they’re having.”

A company spokesman also flagged up a number of changes Uber has made in the UK since the tribunal ruling, including expanding a free insurance product it offers to drivers and couriers including sickness, injury and maternity & paternity payments across Europe.

The spokesman also pointed to a number of other changes it’s made, such as to paid waiting times, in-app tipping, and discounted access to savings products such as pensions and free skills courses.

He also flagged Uber’s recent launch of a new driver app with real-time earnings tracking and access to data insights intended to help drivers boost their earnings; and a 24/7 telephone support line for drivers and passengers (which was actually a requirement of London’s transport regulator).

The company also says it has formalized how it listens to and responds to driver feedback in every city it operates in — albeit, not well enough to stave off this latest strike.

All the changes it flags might well be positive steps in terms of improving Uber drivers’ lot but if UK judges continue to find these folks should in fact be classified as workers Uber will find itself having to shell out a whole lot more money to keep operating in Europe.

The company has previously said that if it had to provide all the ~50,000 ‘self-employed’ Uber drivers on its platform in the UK with workers’ rights it would cost its business “tens of millions” of pounds.

Uber’s next appeal against the tribunal judgement will be heard later this month, on 30 and 31 October.