Year: 2018

01 Aug 2018

Reddit breach exposes non-critical user data

Reddit announced today that it suffered a security breach in June that exposed some of its internal systems to the attackers, although what was accessed was not particularly sensitive. Notably the hack was accomplished by circumventing the two-factor authentication Reddit had in place via SMS interception — which should be a wake-up call to any who haven’t moved on from that method.

A post by Reddit CTO Chris Slowe (as KeyserSosa, naturally) explained that they discovered the hack on June 19, and estimated it to have taken place between June 14 and 18. The attack “compromised a few of our employees’ accounts with our cloud and source code hosting providers,” he wrote, gaining “read-only access to some systems that contained backup data, source code and other logs.”

Said access was gated behind two-factor authentication systems, but unfortunately they were of the type that occasionally or optionally allow SMS to be used instead of an authenticator app or token. SMS has some major inherent security flaws, and this method was declared unacceptable by NIST back in 2016. But it is far from eliminated, and many services still use it as a main or backup 2FA method.

Reddit itself, it is worth noting, only provides 2FA via token. But at least one of its providers didn’t, it turns out, and the attackers took advantage of that. (Slowe said they know no phones were hacked, which suggests the SMS authentication codes were intercepted some other way, possibly via spoofing a phone or scamming the carrier.)

Although a complete inventory of what was accessed by the hackers hasn’t been made available, Slowe said that there were two main areas of concern as far as users were concerned:

  • A complete copy of Reddit data from 2007, comprising the first two years of the site’s operations. This includes usernames, salted/hashed passwords, emails, public posts and private messages.
  • June’s email digests, with usernames and associated emails.

Reddit is a different and much, much bigger place today than it was in 2007; anyone who remembers the big migration from Digg in those days will also remember how small and limited it was.

Still, taken together this data could be useful to malicious actors looking to scam people on this list — if I were them, I’d be sending fake email digests asking them to log in, or building a list of username-email pairs and matching those to other sites. And of course you might want to, as Slowe put it, “think about whether there’s anything on your Reddit account that you wouldn’t want associated back to that address.”

If you’re one of the people affected, you should be receiving an email or PM that should inform you of your risk — for example, if your password hasn’t been changed since 2007, which would be its own security risk. I joined in July 2007 and haven’t received either, as a data point.

Slowe also noted that the company has alerted the appropriate authorities as required and has improved security since the event.

01 Aug 2018

Boeing’s new R&D center focuses on autonomous flight

Flying cars are BS. But there is actually a chance that we’re on the cusp of a revolution in general aviation as startups and major players like Airbus are looking to modern technology to allow more people to take flight without having to first learn how to steer a Cessna 152 down a short runway (though that’s a good skill to have, too). Boeing, which is not currently a player in general aviation, clearly doesn’t want to be left behind. The company today announced that it is opening a new R&D office in Boston that will focus on designing, building and flying autonomous aircraft.


The new office will be staffed by Boeing engineers and employees of its Aurora Flight Sciences subsidiary, which it acquired last year. Unsurprisingly, the company also plans to work with the boffins at MIT, which is the landlord of the company’s new offices in Kendall Square.

“Boeing is leading the development of new autonomous vehicles and future transportation systems that will bring flight closer to home,” said Greg Hyslop, Boeing’s chief technology officer, in today’s announcement. “By investing in this new research facility, we are creating a hub where our engineers can collaborate with other Boeing engineers and research partners around the world and leverage the Cambridge innovation ecosystem.”

There’s obviously plenty left to be figured out with regards to autonomous flights — or even just giving people access to semi-autonomous aircraft that would fall under the FAA’s ultralight designation so that the pilot wouldn’t need a pilot’s license.

Right now, the rules are pretty clear about what’s possible and what isn’t — and most ideas around “urban air transportation” (at least in the U.S.) aren’t feasible under today’s rules. But those rules were written for an aviation system that handles fewer than 250,000 small general-aviation aircraft, most of which feature very little in terms of automation. The FAA has shown some ability to act relatively fast when new technology comes along (see: drone regulations), so maybe that’ll be the case here, too. By 2020, the average Cessna you see puttering about in the sky above you will be close to 50 years old — but who knows, maybe we’ll see sleek electrified personal Boeing drones zooming 500 feet above our heads instead.

01 Aug 2018

Pico nabs $24.7M to create VR hardware that challenges Facebook, Google

While there aren’t many VR hardware startups raising cash out there these days, there are far fewer that are securing investments to actually build the VR headsets themselves.

Even as established tech giants are having a rough go of it in the headset market, Beijing-based Pico Interactive is looking to give it a go with a focus on standalone VR headset hardware that can keep up with the innovations of larger firms.

Pico has closed a $24.7 million Series A led by GF Qianhe and GF Xinde Investment, with participation from Jufeng S&T Venture Investment and others, the company said in an announcement. This is the startup’s first bout of outside funding since its founding in 2015.

VR hardware had plenty of entrants around Pico’s founding, but as Oculus competitors were forced to slash prices to keep up with aggressive pricing, margins disappeared, leaving relatively scant space for startups. Pico has made its bet on moving past PC or console-based systems and focusing strongly on self-contained standalone headset options.

Coinciding with the funding announcement, Pico also offered details on a new standalone headset being released in China. Called the Pico G2, it’s an updated version of the Pico Goblin that is built on Qualcomm’s 835 chipset. The company’s hardware runs on HTC’s Vive Wave VR platform.

The company also says that it is planning to release its own augmented reality hardware in 2019.

01 Aug 2018

CBS launches local news streaming services

CBS is today debuting a new portfolio of streaming services designed to deliver local news to cord cutters and other digital media consumers. The services, branded CBSN Local, will live under the CBSN brand – the 24/7 news channel first launched in November 2014 that made its way to the CBS All Access streaming service last August. And like CBSN, CBSN Local’s coverage will also become a part of CBS All Access in the future, the company says.

CBSN Local is essentially a way to bring local news from CBS stations to the streaming TV audience. The content offered will include anchored news broadcasts airing in the morning, daytime and evening, plus breaking live news events from CBS-owned TV stations in major U.S. markets.

Each of the CBSN Local services will also offer additional daily newscasts that are produced exclusively for CBSN Local, as well as content that’s available for on-demand viewing. All content will be led by anchors and reporters at CBS TV stations.

Not all CBS-owned stations are coming online with their local news coverage at launch. Instead, the company will be gradually adding stations in key markets throughout 2018 and beyond. The first station to join CBSN Local is New York City’s WCBS, the flagship station of the CBS TV Network. This will be followed by independent sister station WLNY in Q4 2018, then L.A.’s KCBS and KCAL, and others.

CBSN Local’s news coverage will then be delivered to consumers across CBS digital platforms, including CBSN on CBSNews.com, the CBS News app for mobile and connected TVs, and through CBS TV stations’ own websites and apps.

The service joins CBS’s growing streaming lineup which includes not only CBSN, but also CBS’s more recently launched streaming sports news service, CBS Sports HQ, and its direct-to-consumer offering, CBS All Access.

And while no specific timeframe was offered, CBS says the suite of local streams will “ultimately” be included as live channels in CBS All Access in their respective markets.

Making local news available to CBS All Access could be another draw for cord cutters, who often find it difficult to watch their hometown news after they cut the cord with traditional pay TV. Not everyone wants to fuss with a digital antenna, after all. And not everyone lives in an area where there’s good reception for over-the-air signals, either.

CBS All Access and Showtime combined have around 5.2 to 5.3 million subscribers, CBS said during its earnings. The company has been doubling down on what it believes is working – namely, its investment in original programming, including the new “Star Trek” franchise. The company said in June it would be expanding that universe with new shows, miniseries, and animation over the next few years.


01 Aug 2018

Duolingo hires its first chief marketing officer as active user numbers stagnate but revenue grows

Duolingo, the popular language learning service, today announced that it has now hit more than 300 million users worldwide. A year ago, Duolingo reported 200 million total users.

That’s great, but the number of monthly active users on the service remains stagnant. Duolingo reported 25 million active users a year ago — and that’s still the same today, a company spokesperson confirmed. The company argues this is due to its focus on revenue growth instead of user growth in the last year, but it did grow by 100 million total users. Update: After this post went live, Duolingo called to provide us with revenue numbers to put its user numbers into context, something it hasn’t disclosed before. Its revenue in 2016 was $1 million. It grew that to $13 million in 2017 and a spokesperson tells us that it’s on track for $40 million in 2018. The company also says that its daily active user numbers are up.

Maybe that’s why the company is putting a bit more effort behind its marketing efforts now. As the company also today announced, it has hired Cammie Dunaway as its first chief marketing officer (CMO) to help it reach those next 300 million users.

Before joining Duolingo, Dunaway was the CMO of Yahoo for four years in the early 2000s before joining Nintendo in 2007. In recent years, she took on the role of president and CMO of KidZania.

“This is an opportunity to have mission alignment and work with great people,” Dunaway told me when I asked her what attracted her to the job. “And also to be able to really make an impact and an important point in the company’s history. But on the mission alignment: I am at the point of my career where I want to spend my talents and my energy really helping companies grow who I think make a difference in the world.”

But why did Duolingo decide to hire a CMO now and start to more actively go after new users? Dunaway argues that the company is now at an inflection point where it has paid services and a subscription product. “That gives us the opportunity to put a little bit more focus behind marketing because we want to ensure that we continue to grow so that we’re able to make the service free and accessible to people who need us,” she explained.

So going forward, you’re going to see a lot more brand marketing from Duolingo and see the company tell a lot more stories (and it’s already doing some of that), but it’ll also do some traditional performance marketing to acquire new users that it thinks will likely convert into paying subscribers. As Duolingo co-founder Luis von Ahn noted last year, the company is looking at its subscription product, which provides an ad-free experience, offline access and a few other perks, as a way to subsidize the product for those who can’t afford a subscription.

While it’s ramping up its marketing efforts, though, Dunaway promises that Duolingo won’t lose its focus on building the best product for its users. And sometimes those go hand-in-hand. Duolingo is about to launch a Hawaiian course, for example, to help tourists learn more about the islands they visit. But I’m sure that’s also going to generate quite a bit of buzz for the service.

What Duolingo really has to figure out now, though, is how to turn that huge install base into a growing base of active users. That, after all, is the group of people who will also buy subscriptions and support the service in other ways.

01 Aug 2018

Vizio launches its own streaming service powered by Pluto TV

Think there are too many streaming services? How about one more? Today, Vizio says it’s launching its own streaming service called WatchFree that will be available on nearly all its Vizio SmartCast TVs via a separate input. The service itself will be powered by streaming TV provider Pluto TV, and will include access to over 100 live and linear channels featuring news, entertainment, sports, movies, and more.

Pluto TV is a differentiated player in the busy streaming video market. Instead of trying to get cord cutters to pay for a skinny bundle of channels, its over-the-top service delivers content from a number of networks and other sources for free. The service primarily generates revenue through advertising.

For example, the company has content deals with dozens of partners like Warner Bros., Lionsgate, MGM, Bloomberg Media, Al Jazeera English, CNN, Hearst, Tastemade, Machinima, FreemantleMedia, CNBC, Cheddar, Gravitas Ventures, Asylum, Viz Media, Electronic Music Awards, Big Sky Conference, Stadium, Jukin Media, and many others.

It then assembles this hodgepodge into an interface that looks a lot like your traditional cable TV guide, where you can tune into what’s airing now and see what’s coming up next.

On WatchFree, Pluto TV is bringing channels like Pluto TV Movies, Action Movies, Black Cinema, News 24/7, NBC News/MSNBC, Fox Sports, Frontdoor, Cats 24/7, Crime Network, MST3K, and The Surf Channel. In addition, Pluto TV will launch two new channels on the Vizio service – one dedicated to Gordon Ramsay’s “Kitchen Nightmares,” and another called “Unsolved Mysteries.”

The service is meant to serve as a selling point for Vizio’s TVs, by offering buyers an easy way to watch free programming. To some extent, the move makes sense, as many TV buyers today are planning to only use the set for streaming content – not cable TV.

Vizio’s SmartCast TVs cater to this audience of cord cutters already by offering easy access to local broadcasts via a connected over-the-air antenna. It also offers Chromecast support built-in, allowing viewers access to a number of paid streaming apps including DirecTV Now, YouTube TV, Netflix, Amazon Prime Video, and others. And it (again) supports apps accessed directly, without casting.

To access the new WatchFree service, SmartCast TV owners will press the “Input” button on their remote then select “WatchFree” to be taken to the live TV experience. This makes it feel more like the traditional cable TV experience some cord cutters may be missing.

“Powering VIZIO’s WatchFree service is a pivotal next step in our goal to deliver free, premium entertainment to as many consumers as possible,” states Tom Ryan, Pluto TV co-founder and CEO, in a statement. “From hit TV shows to blockbuster movies, news, sports, lifestyle and more, WatchFree is a gamechanger for cord-cutting enthusiasts.”

The launch of the partnership with Vizio follows Pluto TV’s recent hiring of its first Chief Revenue Officer, Rich Calacci, previously senior VP of sales at Turner Sports and CRO of Bleacher Report, as well as the earlier top-level additions of ex-Disney exec Mike Drath as COO and CFO, and former CBS exec Jeff Shultz as Chief Business Officer.

Pluto TV is backed by $51.8 million in outside funding, according to Crunchbase, from investors including Samsung Ventures, Scripps Networks, Sky, Third Wave Digital, ProSieben, USVP, United Talent Agency, Luminari Capital, Chicago Ventures, Pritzker Group and others.

01 Aug 2018

What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”.

Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid-June, saying it had discovered the unauthorized access to its systems during a security review.

However, this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which put the onus on data controllers to disclose breaches rapidly. Rather than — as has all-too-often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, yet leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk.

In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force); or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force.

A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this means not just personal data that’s been actually confirmed as lost or stolen but also when a security incident entails the risk of unauthorized access to customer data.

The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. Which, while it’s clear that not every breach will require disclosure (say for example if personal data was robustly encrypted a company may deem it unnecessary to disclose a breach), is a caveat that still sets a pretty low disclosure bar. At least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty. (GDPR has supersized fines for data violations — and therefore also something that the bloc’s DP law has sorely lacked for years: Teeth to encourage compliance.)

If a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also urges data controllers to communicate the incident to the people affected — and do so without “undue delay”.

Dixons said in June that it was contacting “those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take”. But at that time it only thought 1.2M people had been affected.

More than a month later it now puts the number of records swiped at ~10M — and yet is only now contacting the millions more customers whose data was also compromised last year.

Clearly, this is not a good look. Customers who got faux reassurance in June, when the company did not write to them to warn them their data was at risk, will feel rightly angry about any delay in communicating with them.

It will be up to the UK’s data protection watchdog to decide whether Dixons’ security practices and response to the breach of its systems meet the standards it expects from data controllers. And a lot will depend upon whether the incident falls under the DPA98, which encourages disclosure of serious breaches but does not legally require it within any deadline, vs. GDPR, which absolutely does.

The maximum possible penalties under the two regimes are also very different: the ICO can issue a maximum fine of just £500k under the DPA98 (it recently announced it would be issuing a fine of this size to Facebook, for instance, for data misuse related to the Cambridge Analytica incident — which took place in 2014); under GDPR the cap is €20M (or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher).

For a sense of what a GDPR level fine would mean for Dixons Carphone, the company’s 2017/18 revenue is around £10.5BN so — if GDPR were indeed to apply — it would be facing a maximum possible penalty of £420M. Which would surely get the shareholders talking.

But Iannopollo argues it’s not even the risk of major financial penalties that companies are most worried about when it comes to GDPR compliance — rather it’s damage to their reputation and to customer trust that’s really making them sweat.

In a recent Forrester survey, asking companies about their biggest concerns vis-a-vis the consequences of failure to comply with the regulation, Iannopollo says the main worries reported to it were loss of customer trust and reputational damage, followed by regulatory enforcement — with fines coming lower down the list.

“It’s interesting the point about regulatory enforcement — I remember working with a number of banks and actually they were very worried about enforcement action,” she adds. “You don’t want a regulator to impose on you a specific process to handle data. You don’t want a regulator to impose on you a limitation on some processing activities. And they understand that the effect of such an enforcement action can probably be even more detrimental than a fine in some ways.”

Whatever the particular driver, security must now be front of mind for any (well run) organization routinely handling the personal data of EU people. Because the risks for screwing up are getting real.

It’s also clear that consumers are waking up to the fact their personal information is at risk — doubtless in large part because of how poorly their data has been protected before now — and also waking up to the fact they have enhanced data rights they can exercise to help manage and shrink their personal risk.

“Probably the biggest push to GDPR enforcement is coming from customers themselves, both end users and business customers,” says Iannopollo.

Discussing Dixons’ breach response, she is very critical of the company’s lack of customer focus in its public comments. “I saw a lot of emphasis around whether the breach happened before GDPR — so hoping that there was not this standard. And also there was something else that was said about ‘there is no evidence that our customers suffered any financial loss’ as a result of the breach. And again it’s interesting because until a few days ago they didn’t even know the breadth of the breach and now they are saying there wasn’t a financial loss so we’re not prepared to provide compensation. This is not exactly what we see as a constructive way to tackle the breach and help your customers figure out how they can be safe even if you lost their data,” she says.

“In the UK customers can ask for compensation even if they have emotional distress as a result of a breach — there is a potential to develop class action for the mishandling of customer data,” she adds. “And also they said well we are now finally sending some letters to our customers to try and explain what happened — well it’s way too late. Your customers are already very worried. There is no way this company can now show in any way the customers that they have competency over what happened because clearly we all doubt that actually there is some competency there. And actually I don’t think that they are showing there is a remediation strategy in place for their customers.

“All they did was to say that we don’t have any evidence of financial losses so we are not ready to compensate. Are you really taking care of your customers in this instance? Are you really showing that there is a commitment to make sure that they still feel that you are responsible for their data, doing your best to protect this data? I don’t think so. The executive team were involved but I don’t think they were doing really a good job from their customer sentiment and customer trust point of view.”

In its statement yesterday, the company’s CEO Alex Baldock said he was “disappointed in having fallen short” — and apologized “for any distress we’ve caused our customers”, adding that the company is “fully committed” to safeguarding customers’ personal data.

A month earlier, when the company disclosed a much smaller sized breach, he had said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

Does Iannopollo believe GDPR’s breach disclosure requirements could lead to more disclosures that similarly inflate in size after the fact — i.e. because an initial disclosure put out to hit the GDPR 72-hour disclosure window gets revised upwards later — at least in the short term, as companies that perhaps have not yet doubled down on their security investments, let alone rearchitected any data processes, are caught on the hop?

“It remains a technical challenge to understand what happened, quantify the number of records that were lost — so all that forensics work and the classic incident response immediately after you discover the breach cannot necessarily provide a full answer, a full picture immediately after — so definitely there is a part of that [that] is a genuine delay. And the regulation accounts for this,” she replies on that.

“Regulators do expect organizations to do a first disclosure, but also they give an opportunity to organizations to come back and provide additional details as they become available. Again it’s very genuine, the idea here — it’s not a strategy to avoid a potential fine; the regulator understands companies might need more time.”

We asked the ICO how it’s likely to respond to breach reports that are revised upwards a considerable time after the initial disclosure (such as one month+ in Dixons’ case).

A spokeswoman for the watchdog told us the regulation does allow for phased breach reporting, as more information is uncovered during an investigation. However she also emphasized that it expects the investigation to be prioritized — so, again, that there be no additional “undue” delays in any follow-on disclosures.

“In general terms the GDPR’s rules around personal data breach reporting recognize that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows organizations to provide the required information in phases, as long as this is done without undue further delay,” the ICO told us.

“However, we expect controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. They must still notify us of the breach when they become aware of it, and submit further information as soon as possible. If they know they won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when to expect more information.”

The watchdog has more guidance on how data controllers should handle breach disclosures here.

Iannopollo reckons organizations won’t (or shouldn’t) struggle to make a breach disclosure to their regulator within the GDPR timeframe — pointing to rising numbers of reports being made to DPAs in the wake of GDPR coming into force. (Late last month Ireland’s Data Protection Commission said it had received more than 1,100 reports of data breaches since May 25 vs an average of just 230 prior to GDPR, for instance.)

What she argues is more challenging for organizations to get right is not to lose sight of the impact of a breach on your users/customers — in the midst of needing to make (awkward) public pronouncements and communicate with those affected by the incident.

“You might feel that as an organization you want just to undermine the kind of breach that you have suffered, you may say that the less people were involved the less records were involved, but the point is that if you are the one communicating to the affected customers in the very first place, and you have an opportunity to explain to them what happened, and to explain in which way you are taking care of them and their data even after the breach, then you have an opportunity to manage their response in a way that doesn’t destroy the trust that your customers have in you,” she says.

“If you instead decide to go very small, and say ‘well nothing really happened’, and you do what [Dixons did] and say, well it’s about 1M and then we discover that actually it’s 10M records that they lost, at that point you have lost your opportunity to manage the breach with your customers because it means that they might realize that they were part of the data breach — they might be affected… without the business being in touch with them… So this is really the risk. So whatever they can do to have a full picture of what happened, as soon as possible, that will help them manage their response to the breach… with your customers so that — hopefully — it doesn’t become a breach of trust.”

“A breach of trust has consequences that are well beyond a fine,” she adds. “The challenge to me is really communicating to the public, communicating to customers — this is something that for European customers this is something new. We are not used to receiving these sorts of communication.

“And what I see from the data that we have is customers that are really becoming much more aware of these sorts of incidents, what it means for them, and they know that they have rights when it comes to privacy. And it’s not just compensation — it’s ‘I want to get control over my data and I expect a business to respect these sorts of rights that I have and to be able to give me that control over my data’.

“The incident response team cannot be just a technical team or a legal team, it has to be the marketing team, PR, it has to be the executive team. You need to have a plan about what we say to these customers, which is the remediation that we offer — is it going to be credit monitoring, identity protection… are we setting up a call center to be able to respond to questions if there are questions from customers.”

Of course GDPR also puts strong emphasis on practices that should — in theory — minimize the chances of risky data breaches happening in the first place, because the law now encourages good practices like data minimization, privacy by design, and indeed investment in strong security.

So, over the longer term, the theory is that data controllers’ priorities and processes will be re-worked in a way that makes data breaches — if not as rare as hens’ teeth then (hopefully) a whole lot less common than they’ve become in recent years, when another major breach has seemingly hit the headlines every few weeks.

But Iannopollo is under no illusions that that sort of transformational shift will happen overnight.

“Ideally we would see that. That would be the best outcome,” she says, discussing the possibility of GDPR leading to fewer data breaches in future, if it’s successful in transforming attitudes and approaches to data processing and security across multiple industries and sectors. “There is no question that GDPR has driven a lot of investment into specific security technologies… Many companies have made improvements… in terms of the controls that they are using.

“Hopefully also they’ve thought about the processes that underpin the deployment of these technologies. The changes around data minimization, the management around third parties, the ability to build data architectures that are really flexible and transparent in the same way — it will take some time.”

She also says there are companies now starting to offer managed services to help organizations respond effectively at the point of a breach disclosure — such as by supplying additional call center resource. So there are startup opportunities there.

GDPR triggering a comprehensive reorganization of organizations’ data processing is certainly “not the rule” yet though. “What we have seen is more organizations backing one or two requirements — heavily relying on technology, as much as they could, but not taking enough time to think about changes to their governance, and the processes and also people skills, as an element of compliance with GDPR,” she adds.

“So, again, ideally — and for those organizations that really have taken this comprehensive approach — we might see those results in the medium term: A decrease of these sorts of incidents, and better discipline around data handling practices. But the reality is that many organizations have just taken this very piecemeal approach to GDPR. So for that sort of overall outcome we will need to wait some time to see.”

The strength of the regulation’s impact will depend most on two things. First, how much push there is from below, i.e. from users and customers: how people feel, what they say, and which specific legal redress actions they choose to take, such as class action style actions seeking compensation.

And second, of course, on the regulatory enforcement — when that lands.

That all important piece of the compliance puzzle remains to be seen, given we’re only in the first months after GDPR came into force — when regulators are likely allowing organizations a bit of time to get their compliance ducks in order.

How DPAs ultimately respond to all the extra complaints they’re getting will be very important in setting the tone of the new regime because it will end up shaping data controllers’ perception of and response to GDPR.

Rules without enforcement quickly stop being worth the paper they’re written on. And a watchdog that barks but doesn’t bite will soon get treated like a pet.

However, given EU consumers are increasingly aware and even active when it comes to their data rights, it would be a major misstep if the region’s regulators fell short by failing to listen to rising concerns.

In the meanwhile, it’s likely there will be a period where information about data breaches gets a bit more dynamic — with news of a breach emerging with less delay than it might have, prior to GDPR, but perhaps also with a greater possibility that an initial disclosure does not paint the full picture because an investigation is still in train. So, in short, compliance, like security, is an ongoing process.

01 Aug 2018

DoorDash CEO Tony Xu to deliver startup lessons at Disrupt SF

On-demand delivery is painfully difficult. The margins are usually razor thin, each market is wildly different, and the business can be largely dependent on retailers’ willingness to jump into the digital age.

But DoorDash, which launched in 2013 out of Y Combinator, has been a dominant force in the space.

That’s why we’re absolutely thrilled to have DoorDash CEO Tony Xu join us at Disrupt SF in September.

In the five years since it launched, DoorDash has expanded to hundreds of markets in the U.S. The company, which offers delivery services for restaurants, liquor stores, and even gadget retailers like b8ta, has also penned partnerships with big retailers like Walmart for grocery delivery.

In fact, DoorDash has raised more than $700 million and has achieved unicorn status in its relatively short life.

Much of that success can be attributed to founder and CEO Tony Xu. The son of immigrants, Xu worked in his parents’ restaurant before heading off to Stanford. He then worked at McKinsey, eBay, and Square before bringing his knowledge and experience into the entrepreneurial realm.

This isn’t the first time we’ve hung out with Xu on the Disrupt stage. In 2016, Xu’s biggest focus was balance.

“Hardest part is keeping everything in balance,” he said. “There’s a couple dimensions to this: how do you invest the company’s capital effectively; how do you best serve the marketplace of three audiences, consumers/merchants/dashers; and how do you keep that in check. If you have too many of one, it’s a challenge, and we have the unique challenge where we have to solve product market fit across three audiences.”

While that challenge will always be a factor in DoorDash’s business, we’re particularly interested to hear about the company’s move into the evolving world of grocery delivery. There is plenty to discuss with Xu, and we hope you will join us at the conference, which runs September 5 to September 7.

The full agenda is here. Passes for the show are available here.

01 Aug 2018

Tesla’s alleged ‘saboteur’ strikes back with defamation suit

Martin Tripp, the former Tesla employee who was fired and then sued by the electric vehicle automaker, has filed a lawsuit, alleging statements made by CEO Elon Musk in recent weeks (many in tweet form) defamed him.

Tripp is asking for $1 million in damages from the electric automaker. Tripp, who has hired an Arizona-based law firm, has a GoFundMe page aiming to raise $500,000 to pay for his legal bill. Tripp has raised more than $15,000, according to the GoFundMe page.

The filing is the latest blow in a bout between Tesla, Musk and Tripp that kicked off about six weeks ago. The case, filed in the U.S. District Court in Nevada, is Tesla Inc. v. Tripp, 3:18-cv-00296.

Here’s a timeline, so saddle up and follow along.

June 20: Tesla files a lawsuit against Tripp for $1 million, alleging the man, who worked as a process technician at the massive battery factory near Reno, hacked the company’s confidential and trade secret information and transferred that information to third parties, according to court documents. The lawsuit also claims the employee leaked false information to the media.

24 hours later: A combative email exchange between Musk and Tripp unfolds.

Tesla also notifies police based on a tip to its customer service line that Tripp had allegedly told a friend he was going to attack the company’s Gigafactory in Sparks, Nev. Tripp has denied this and the Storey County Sheriff’s department, which investigated, told TechCrunch they found no credible threat.

July 6: Tripp, who has retained Meissner Associates, a whistleblower, securities, investment fraud and employment law firm, files a formal whistleblower tip to the U.S. Securities and Exchange Commission alleging the company has misled investors and put its customers at risk.

Tripp’s whistleblower tip alleges that Tesla knowingly manufactured batteries with punctured holes, possibly impacting hundreds of cars on the road; misled the investing public as to the number of Model 3s actually being produced each week by as much as 44 percent; and lowered vehicle specifications and systemically used scrap and waste material in vehicles, all so as to meet production quotas.

July 31: Tripp’s counterclaim is filed.

01 Aug 2018

WhatsApp finally earns money by charging businesses for slow replies

Today WhatsApp launches its first revenue-generating enterprise product and the only way it currently makes money directly from its app. The WhatsApp Business API is launching to let businesses respond to messages from users for free for up to 24 hours, but will charge them a fixed rate by country per message sent after that.

Businesses will still only be able to message people who contacted them first, but the API will help them programmatically send “shipping confirmations, appointment reminders or event tickets.” Clients can also use it to manually respond to customer service inquiries through their own tool or apps like Zendesk, MessageBird, or Twilio. And small businesses that are among the 3 million users of the WhatsApp For Business app can still use it to send late replies one-by-one for free.

After getting acquired by Facebook for $19 billion in 2014, it’s finally time for the 1.5 billion-user WhatsApp to pull its weight and contribute some revenue. If Facebook can pitch the WhatsApp Business API as a cheaper alternative to customer service call centers, the convenience of asynchronous chat could compel users to message companies instead of phoning.

Only charging for slow replies after 24 hours since a user’s last message is a genius way to create a growth feedback loop. If users get quick answers via WhatsApp, they’ll prefer it to other channels. Once businesses and their customers get addicted to it, WhatsApp could eventually charge for all replies or any that exceed a volume threshold, or cut down the free window. Meanwhile, businesses might be too optimistic about their response times and end up paying more often than they expect, especially when messages come in on weekends or holidays.

WhatsApp first announced it would eventually charge for enterprise service last September when it launched its free WhatsApp For Business app that now has 3 million users and remains free for all replies, even late ones.

Importantly, WhatsApp stresses that all messaging between users and businesses, even through the API, will be end-to-end encrypted. That contrasts with the Washington Post’s report that Facebook pushing to weaken encryption for WhatsApp For Business messages is partly what drove former CEO Jan Koum to quit WhatsApp and Facebook’s board in April. His co-founder Brian Acton had ditched Facebook back in September and donated $50 million to the foundation of encrypted messaging app Signal.

Today WhatsApp is also formally launching its new display ads product worldwide. But don’t worry, they won’t be crammed into your chat inbox like with Facebook Messenger. Instead, businesses will be able to buy ads on Facebook’s News Feed that launch WhatsApp conversations with them…thereby allowing them to use the new Business API to reply. TechCrunch scooped that this was coming last September, when code in Facebook’s ad manager revealed the click-to-WhatsApp ads option, and the company confirmed the ads were in testing. Facebook launched similar click-to-Messenger ads back in 2015.

Finally, WhatsApp also tells TechCrunch it’s planning to run ads in its 450 million daily user Snapchat Stories clone called Status. “WhatsApp does not currently run ads in Status though this represents a future goal for us, starting in 2019. We will move slowly and carefully and provide more details before we place any Ads in Status,” a spokesperson told us. Given WhatsApp Status is over twice the size of Snapchat, it could earn a ton on ads between Stories, especially if it’s willing to make some unskippable.

Together, the ads and API will replace the $1 per year subscription fee WhatsApp used to charge in some countries but dropped in 2016. With Facebook’s own revenue decelerating, triggering a 20 percent, $120 billion market cap drop in its share price, it needs to show it has new ways to make money now more than ever.