Year: 2019

18 Feb 2019

Stop saying, “We take your privacy and security seriously”

In my years covering cybersecurity, there’s one variation of the same lie that floats above the rest. “We take your privacy and security seriously.”

You might have heard the phrase here and there. It’s a common trope used by companies in the wake of a data breach — either in a “mea culpa” email to their customers or a statement on their website to tell you that they care about your data, even though in the next sentence they all too often admit to misusing or losing it.

The truth is, most companies don’t care about the privacy or security of your data. They care about having to explain to their customers that their data was stolen.

I’ve never understood exactly what it means when a company says it values my privacy. If that were the case, data hungry companies like Google and Facebook, which sell data about you to advertisers, wouldn’t even exist.

I was curious how often this go-to one-liner was used. I scraped every reported notification to the California attorney general, a requirement under state law in the event of a breach or security lapse, stitched them together, and converted them into machine-readable text.

About one-third of all 285 data breach notifications had some variation of the line.
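As an added illustration of that counting step (this is not the author's own scraping script), here is one way to flag variations of the phrase in notification text once it has been converted to plain text. The sample notifications are constructed, not real filings, and the `max_gap_words` tolerance is an assumed heuristic.

```python
import re

# Constructed sample notifications (not real filings). Number 7 simulates the
# hyphenated line breaks that PDF-to-text conversion tends to leave behind.
SAMPLE_NOTIFICATIONS = [
    "We take your privacy and security seriously. On March 3, 2019, we learned "
    "that an unauthorized party accessed a server.",
    "ACME takes the security of your personal information very seriously and "
    "regrets that this incident occurred.",
    "Protecting the privacy of our customers is something we take seriously. "
    "A vendor's laptop was stolen.",
    "We discovered unauthorized access to a database on January 12. Affected "
    "users were notified and passwords were reset.",
    "Your privacy is important to us. We are offering 12 months of credit "
    "monitoring at no cost.",
    "We take seriously our obligation to notify you. The breach involved a "
    "marketing database.",
    "Our company takes the secu-\nrity and privacy of your data seri-\nously.",
]

TAKE_RE = re.compile(r"\b(?:take|takes|taking|took|taken)\b", re.I)
TOPIC_RE = re.compile(r"\b(?:privacy|security)\b", re.I)
SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")


def normalize(text):
    """Fold curly apostrophes, non-breaking spaces and hyphenated line breaks
    so that word matching behaves the same across differently extracted PDFs."""
    text = text.replace("\u2019", "'").replace("\u00a0", " ")
    text = re.sub(r"-\s*\n\s*", "", text)  # re-join words split at a line end
    return re.sub(r"\s+", " ", text).strip()


def has_seriously_phrase(text, max_gap_words=10):
    """True if some sentence names privacy or security AND pairs a form of
    'take' with 'seriously' within max_gap_words of each other.

    Checking per sentence avoids matching 'we take this seriously' in one
    paragraph against a mention of 'security' somewhere else in the letter."""
    for sentence in SENTENCE_SPLIT.split(normalize(text)):
        if not TOPIC_RE.search(sentence):
            continue
        words = re.findall(r"[A-Za-z']+", sentence.lower())
        take_idx = [i for i, w in enumerate(words) if TAKE_RE.fullmatch(w)]
        serious_idx = [i for i, w in enumerate(words) if w == "seriously"]
        if any(abs(t - s) <= max_gap_words for t in take_idx for s in serious_idx):
            return True
    return False


def boilerplate_share(notifications):
    """Return (number flagged, total) for a collection of notification texts."""
    hits = sum(1 for n in notifications if has_seriously_phrase(n))
    return hits, len(notifications)


if __name__ == "__main__":
    flagged, total = boilerplate_share(SAMPLE_NOTIFICATIONS)
    print(f"{flagged} of {total} constructed notifications use the phrase")
```

The heuristic deliberately requires the privacy/security wording in the same sentence, so a generic "we take this seriously" elsewhere in the letter does not count.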

It doesn’t show that companies care about your data. It shows that they don’t know what to do next.

A perfect example of a company not caring: Last week, we reported several OkCupid users had complained their accounts were hacked. More likely than not, the accounts were hit by credential stuffing, where hackers take lists of usernames and passwords and try to brute-force their way into people’s accounts. Other companies have learned from such attacks and took the time to improve account security, like rolling out two-factor authentication.

Instead, OkCupid’s response was to deflect, defend, and deny, a common way for companies to get ahead of a negative story. It looked like this:

  • Deflect: “All websites constantly experience account takeover attempts,” the company said.
  • Defend: “There’s no story here,” the company later told another publication.
  • Deny: “No further comment,” when asked what the company will do about it.

It would’ve been great to hear OkCupid say it cared about the matter and what it was going to do about it.

Every industry has long neglected security. Most of the breaches today are the result of shoddy security over years or sometimes decades, coming back to haunt them. Nowadays, every company has to be a security company, whether it’s a bank, a toymaker, or a single app developer.

Companies can start off small: tell people how to contact them about security flaws, roll out a bug bounty to encourage bug submissions, and grant good-faith researchers safe harbor by promising not to sue. Startup founders can also fill their executive suite with a chief security officer from the very beginning. They’d be better off than 95 percent of the world’s richest companies that haven’t even bothered.

But this isn’t what happens. Instead, companies would rather just pay the fines.

Target paid $18.5 million for a data breach that ensnared 41 million credit cards, compared to full-year revenues of $72 billion. Anthem paid $115 million in fines after a data breach put 79 million insurance holders’ data at risk, on revenues that year of $79 billion. And, remember Equifax? The biggest breach of 2017 led to all talk but no action.

With no incentive to change, companies will continue to parrot their usual hollow remarks. Instead, they should do something about it.

18 Feb 2019

UK parliament calls for antitrust, data abuse probe of Facebook

A final report by a British parliamentary committee which spent months last year investigating online political disinformation makes very uncomfortable reading for Facebook — with the company singled out for “disingenuous” and “bad faith” responses to democratic concerns about the misuse of people’s data.

In the report, published today, the committee has also called for Facebook’s use of user data to be investigated by the UK’s data watchdog.

In an evidence session to the committee late last year, the Information Commissioner’s Office (ICO) suggested Facebook needs to change its business model — warning the company risks burning user trust for good.

Last summer the ICO also called for an ethical pause of social media ads for election campaigning, warning of the risk of developing “a system of voter surveillance by default”.

Interrogating the distribution of ‘fake news’

The UK parliamentary enquiry looked into both Facebook’s own use of personal data to further its business interests, such as by providing access to user data to developers and advertisers in order to increase revenue and/or usage; and examined what Facebook claimed as ‘abuse’ of its platform by the disgraced (and now defunct) political data company Cambridge Analytica — which in 2014 paid a developer with access to Facebook’s developer platform to extract information on millions of Facebook users to build voter profiles to try to influence elections.

The committee’s conclusion about Facebook’s business is a damning one with the company accused of operating a business model that’s predicated on selling abusive access to people’s data.

“Far from Facebook acting against ‘sketchy’ or ‘abusive’ apps, of which action it has produced no evidence at all, it, in fact, worked with such apps as an intrinsic part of its business model,” the committee argues. “This explains why it recruited the people who created them, such as Joseph Chancellor [the co-founder of GSR, the developer which sold Facebook user data to Cambridge Analytica]. Nothing in Facebook’s actions supports the statements of Mark Zuckerberg who, we believe, lapsed into ‘PR crisis mode’, when its real business model was exposed.”

“This is just one example of the bad faith which we believe justifies governments holding a business such as Facebook at arms’ length. It seems clear to us that Facebook acts only when serious breaches become public. This is what happened in 2015 and 2018.”

“We consider that data transfer for value is Facebook’s business model and that Mark Zuckerberg’s statement that ‘we’ve never sold anyone’s data’ is simply untrue,” the committee also concludes.

We’ve reached out to Facebook for comment on the committee’s report.

Last fall the company was issued the maximum possible fine under relevant UK data protection law for failing to safeguard user data in the Cambridge Analytica saga. Facebook is appealing the ICO’s penalty, however, claiming there’s no evidence UK users’ data got misused.

During the course of a multi-month enquiry last year investigating disinformation and fake news, the Digital, Culture, Media and Sport (DCMS) committee heard from 73 witnesses in 23 oral evidence sessions, as well as taking in 170 written submissions. In all the committee says it posed more than 4,350 questions.

Its wide-ranging, 110-page report makes detailed observations on a number of technologies and business practices across the social media, adtech and strategic communications space, and culminates in a long list of recommendations for policymakers and regulators — reiterating its call for tech platforms to be made legally liable for content.

Among the report’s main recommendations are:

  • clear legal liabilities for tech companies to act against “harmful or illegal content”, with the committee calling for a compulsory Code of Ethics overseen by an independent regulator with statutory powers to obtain information from companies; instigate legal proceedings and issue (“large”) fines for non-compliance
  • privacy law protections to cover inferred data so that models used to make inferences about individuals are clearly regulated under UK data protection rules
  • a levy on tech companies operating in the UK to support enhanced regulation of such platforms
  • a call for the ICO to investigate Facebook’s platform practices and use of user data
  • a call for the Competition and Markets Authority to comprehensively “audit” the online advertising ecosystem, and also to investigate whether Facebook specifically has engaged in anti-competitive practices
  • changes to UK election law to take account of digital campaigning, including “absolute transparency of online political campaigning” — including “full disclosure of the targeting used” — and more powers for the Electoral Commission
  • a call for a government review of covert digital influence campaigns by foreign actors (plus a review of legislation in the area to consider if it’s adequate) — including the committee urging the government to launch independent investigations of recent past elections to examine “foreign influence, disinformation, funding, voter manipulation, and the sharing of data, so that appropriate changes to the law can be made and lessons can be learnt for future elections and referenda”
  • a requirement on social media platforms to develop tools to distinguish between “quality journalism” and low quality content sources, and/or work with existing providers to make such services available to users

Among the areas the committee’s report covers off with detailed commentary are data use and targeting; advertising and political campaigning — including foreign influence; and digital literacy.

It argues that regulation is urgently needed to restore democratic accountability and “make sure the people stay in charge of the machines”.

Ministers are due to produce a White Paper on social media safety regulation this winter and the committee writes that it hopes its recommendations will inform government thinking.

“Much has been said about the coarsening of public debate, but when these factors are brought to bear directly in election campaigns then the very fabric of our democracy is threatened,” the committee writes. “This situation is unlikely to change. What does need to change is the enforcement of greater transparency in the digital sphere, to ensure that we know the source of what we are reading, who has paid for it and why the information has been sent to us. We need to understand how the big tech companies work and what happens to our data.”

The report calls for tech companies to be regulated as a new category “not necessarily either a ‘platform’ or a ‘publisher’”, but which legally tightens their liability for harmful content published on their platforms.

Last month another UK parliamentary committee also urged the government to place a legal ‘duty of care’ on platforms to protect users under the age of 18 — and the government said then that it has not ruled out doing so.

“Digital gangsters”

Competition concerns are also raised several times by the committee.

“Companies like Facebook should not be allowed to behave like ‘digital gangsters’ in the online world, considering themselves to be ahead of and beyond the law,” the DCMS committee writes, going on to urge the government to investigate whether Facebook specifically has been involved in any anti-competitive practices and conduct a review of its business practices towards other developers “to decide whether Facebook is unfairly using its dominant market position in social media to decide which businesses should succeed or fail”. 

“The big tech companies must not be allowed to expand exponentially, without constraint or proper regulatory oversight,” it adds.

The committee suggests existing legal tools are up to the task of reining in platform power, citing privacy laws, data protection legislation, antitrust and competition law — and calling for a “comprehensive audit” of the social media advertising market by the UK’s Competition and Markets Authority, and a specific antitrust probe of Facebook’s business practices.

“If companies become monopolies they can be broken up, in whatever sector,” the committee points out. “Facebook’s handling of personal data, and its use for political campaigns, are prime and legitimate areas for inspection by regulators, and it should not be able to evade all editorial responsibility for the content shared by its users across its platforms.”

The social networking giant was the recipient of many awkward queries during the course of the committee’s enquiry but it refused repeated requests for its founder Mark Zuckerberg to testify — sending a number of lesser staffers in his stead.

That decision continues to be seized upon by the committee as evidence of a lack of democratic accountability. It also accuses Facebook of having an intentionally “opaque management structure”.

“By choosing not to appear before the Committee and by choosing not to respond personally to any of our invitations, Mark Zuckerberg has shown contempt towards both the UK Parliament and the ‘International Grand Committee’, involving members from nine legislatures from around the world,” the committee writes.

“The management structure of Facebook is opaque to those outside the business and this seemed to be designed to conceal knowledge of and responsibility for specific decisions. Facebook used the strategy of sending witnesses who they said were the most appropriate representatives, yet had not been properly briefed on crucial issues, and could not or chose not to answer many of our questions. They then promised to follow up with letters, which—unsurprisingly—failed to address all of our questions. We are left in no doubt that this strategy was deliberate.”

It doubles down on the accusation that Facebook sought to deliberately mislead its enquiry — pointing to incorrect and/or inadequate responses from staffers who did testify.

“We are left with the impression that either [policy VP] Simon Milner and [CTO] Mike Schroepfer deliberately misled the Committee or they were deliberately not briefed by senior executives at Facebook about the extent of Russian interference in foreign elections,” it suggests.

In an unusual move late last year the committee used rare parliamentary powers to seize a cache of documents related to an active US lawsuit against Facebook filed by a developer called Six4Three.

The cache of documents is referenced extensively in the final report, and appears to have fuelled antitrust concerns, with the committee arguing that the evidence obtained from the internal company documents “indicates that Facebook was willing to override its users’ privacy settings in order to transfer data to some app developers, to charge high prices in advertising to some developers, for the exchange of that data, and to starve some developers… of that data, thereby causing them to lose their business”.

“It seems clear that Facebook was, at the very least, in violation of its Federal Trade Commission [privacy] settlement,” the committee also argues, citing evidence from the former chief technologist of the FTC, Ashkan Soltani.

On Soltani’s evidence, it writes:

Ashkan Soltani rejected [Facebook’s] claim, saying that up until 2012, platform controls did not exist, and privacy controls did not apply to apps. So even if a user set their profile to private, installed apps would still be able to access information. After 2012, Facebook added platform controls and made privacy controls applicable to apps. However, there were ‘whitelisted’ apps that could still access user data without permission and which, according to Ashkan Soltani, could access friends’ data for nearly a decade before that time. Apps were able to circumvent users’ privacy of platform settings and access friends’ information, even when the user disabled the Platform. This was an example of Facebook’s business model driving privacy violations.

While Facebook is singled out for the most eviscerating criticism in the report (and targeted for specific investigations), the committee’s long list of recommendations are addressed at social media businesses and online advertisers generally.

It also calls for far more transparency from platforms, writing that: “Social media companies need to be more transparent about their own sites, and how they work. Rather than hiding behind complex agreements, they should be informing users of how their sites work, including curation functions and the way in which algorithms are used to prioritise certain stories, news and videos, depending on each user’s profile. The more people know how the sites work, and how the sites use individuals’ data, the more informed we shall all be, which in turn will make choices about the use and privacy of sites easier to make.”

The committee also urges a raft of updates to UK election law — branding it “not fit for purpose” in the digital era.

Its interim report, published last summer, made many of the same recommendations.

Russian interest

But despite pressing the government for urgent action there was only a cool response from ministers then, with the government remaining tied up trying to shape a response to the 2016 Brexit vote which split the country (with social media’s election-law-deforming help). Instead it opted for a ‘wait and see’ approach.

The government accepted just three of the preliminary report’s forty-two recommendations outright, and fully rejected four.

Nonetheless, the committee has doubled down on its preliminary conclusions, reiterating earlier recommendations and pushing the government once again to act.

It cites fresh evidence, including from additional testimony, as well as pointing to other reports (such as the recently published Cairncross Review) which it argues back up some of the conclusions reached. 

“Our inquiry over the last year has identified three big threats to our society. The challenge for the year ahead is to start to fix them; we cannot delay any longer,” writes Damian Collins MP, chair of the DCMS Committee, in a statement. “Democracy is at risk from the malicious and relentless targeting of citizens with disinformation and personalised ‘dark adverts’ from unidentifiable sources, delivered through the major social media platforms we use every day. Much of this is directed from agencies working in foreign countries, including Russia.

“The big tech companies are failing in the duty of care they owe to their users to act against harmful content, and to respect their data privacy rights. Companies like Facebook exercise massive market power which enables them to make money by bullying the smaller technology companies and developers who rely on this platform to reach their customers.”

“These are issues that the major tech companies are well aware of, yet continually fail to address. The guiding principle of the ‘move fast and break things’ culture often seems to be that it is better to apologise than ask permission. We need a radical shift in the balance of power between the platforms and the people,” he added.

“The age of inadequate self-regulation must come to an end. The rights of the citizen need to be established in statute, by requiring the tech companies to adhere to a code of conduct written into law by Parliament, and overseen by an independent regulator.”

The committee says it expects the government to respond to its recommendations within two months — noting rather dryly: “We hope that this will be much more comprehensive, practical, and constructive than their response to the Interim Report, published in October 2018. Several of our recommendations were not substantively answered and there is now an urgent need for the Government to respond to them.”

It also makes a point of including an analysis of Internet traffic to the government’s own response to its preliminary report last year — in which it highlights a “high proportion” of online visitors hailing from Russian cities including Moscow and Saint Petersburg…

Source: Web and publications unit, House of Commons

“This itself demonstrates the very clear interest from Russia in what we have had to say about their activities in overseas political campaigns,” the committee remarks, criticizing the government response to its preliminary report for claiming there’s no evidence of “successful” Russian interference in UK elections and democratic processes.

“It is surely a sufficient matter of concern that the Government has acknowledged that interference has occurred, irrespective of the lack of evidence of impact. The Government should be conducting analysis to understand the extent of Russian targeting of voters during elections,” it adds.

Three senior managers knew

Another interesting tidbit from the report is confirmation that the ICO has shared the names of three “senior managers” at Facebook who knew about the Cambridge Analytica data breach prior to the first press report in December 2015 — which is the date Facebook has repeatedly told the committee was when it first learnt of the breach, contradicting what the ICO found via its own investigations.

The committee’s report does not disclose the names of the three senior managers — saying the ICO has asked the names to remain confidential (we’ve reached out to the ICO to ask why it is not making this information public) — and implies the execs did not relay the information to Zuckerberg.

The committee dubs this an example of “a profound failure” of internal governance, and also brands it evidence of “fundamental weakness” in how Facebook manages its responsibilities to users.

Here’s the committee’s account of that detail:

We were keen to know when and which people working at Facebook first knew about the GSR/Cambridge Analytica breach. The ICO confirmed, in correspondence with the Committee, that three “senior managers” were involved in email exchanges earlier in 2015 concerning the GSR breach before December 2015, when it was first reported by The Guardian. At the request of the ICO, we have agreed to keep the names confidential, but it would seem that this important information was not shared with the most senior executives at Facebook, leading us to ask why this was the case.

The scale and importance of the GSR/Cambridge Analytica breach was such that its occurrence should have been referred to Mark Zuckerberg as its CEO immediately. The fact that it was not is evidence that Facebook did not treat the breach with the seriousness it merited. It was a profound failure of governance within Facebook that its CEO did not know what was going on, the company now maintains, until the issue became public to us all in 2018. The incident displays the fundamental weakness of Facebook in managing its responsibilities to the people whose data is used for its own commercial interests.

17 Feb 2019

What business leaders can learn from Jeff Bezos’ leaked texts

The ‘below the belt selfie’ media circus surrounding Jeff Bezos has made encrypted communications top of mind among nervous executive handlers. Their assumption is that a product with serious cryptography like Wickr – where I work – or Signal could have helped Mr. Bezos and Amazon avoid this drama.

It’s a good assumption, but a troubling conclusion.

I worry that moments like these will drag serious cryptography down to the level of the National Enquirer. I’m concerned that this media cycle may lead people to view privacy and cryptography as a safety net for billionaires rather than a transformative solution for data minimization and privacy.

We live in the chapter of computing when data is mostly unprotected because of corporate indifference. The leaders of our new economy – like the vast majority of society – value convenience and short-term gratification over the security and privacy of consumer, employee and corporate data.  

We cannot let this media cycle pass without recognizing that when corporate executives take a laissez-faire approach to digital privacy, their employees and organizations will follow suit.

Two recent examples illustrate the privacy indifference of our leaders…

  • The most powerful executive in the world is either indifferent to, or unaware that, unencrypted online flirtations would be accessed by nation states and competitors.
  • 2016 presidential campaigns were either indifferent to, or unaware that, unencrypted online communications detailing “off-the-record” correspondence with media and payments to adult actor(s) would be accessed by nation states and competitors.

If our leaders do not respect and understand online security and privacy, then their organizations will not make data protection a priority. It’s no surprise that we see a constant stream of large corporations and federal agencies breached by nation states and competitors. Who then can we look to for leadership?

GDPR is an early attempt by regulators to lead. The European Union enacted GDPR to ensure individuals own their data and to enforce penalties on companies that do not protect personal data. It applies to all data processors, but the EU is clearly focused on sending a message to the large US-based data processors – Amazon, Facebook, Google, Microsoft, etc. In January, France’s National Data Protection Commission sent a message by fining Google $57 million for breaching GDPR rules. It was an unprecedented fine that garnered international attention. However, we must remember that in 2018 Google’s revenues were greater than $300 million … per day! GDPR is, at best, an annoying speed-bump in the monetization strategy of large data processors.

It is through this lens that Senator Ron Wyden’s (Oregon) idealistic call for billions of dollars in corporate fines and jail time for executives who enable privacy breaches can be seen as reasonable. When record financial penalties are inconsequential it is logical to pursue other avenues to protect our data.

Real change will come when our leaders understand that data privacy and security can increase profitability and reliability.  For example, the Compliance, Governance and Oversight Council reports that an enterprise will spend as much as $50 million to protect 10 petabytes of data, and that $34.5 million of this is spent on protecting data that should be deleted. Serious efficiencies are waiting to be realized and serious cryptography can help.  

So, thank you Mr. Bezos for igniting corporate interest in secure communications. Let’s hope this news cycle convinces our corporate leaders and elected officials to embrace data privacy, protection and minimization because it is responsible, profitable and efficient. We need leaders and elected officials to set an example and respect their own data and privacy if we have any hope of their organizations protecting ours.

17 Feb 2019

SeaBubbles shows off its ‘flying’ all-electric boat in Miami

We were promised flying cars but, as it turns out, flying boats were easier to build.

SeaBubbles, a “flying” boat startup that uses electric power instead of gas, hit Miami this weekend to show off one of its five prototype boats — or six, if you count an early, windowless white boat they’ve lovingly dubbed the “soapdish.” This innovative boat design combines technology from nautical industries, aviation, and intelligent software to raise the hull of the boat out of the water using foils, which helps it to consume less energy by allowing it to travel on rougher waters with reduced drag, while also keeping the passenger cabin relatively comfortable.

When raised, the boat is “flying” above the water, so to speak.

Founded only three years ago in Paris, the idea for SeaBubbles was dreamed up by Alain Thébault, a sailor who previously designed and piloted the Hydroptère, an experimental hydrofoil trimaran, using a similar system that lifts the boat up in order to reduce drag. That boat went on to break the world record for sailing speed twice, at 50.17 knots. Meanwhile, SeaBubbles co-founder, Anders Bringdal, is a four-time windsurf world champion, who also set a windsurfing world record, at 51.45 knots.

Together, the two have envisioned SeaBubbles as a way for cities to reduce traffic congestion and help the environment by taking advantage of the area’s waterways to move people around in fast water taxis.

“The cities today have one thing in common: pollution and congestion,” explains Bringdal. “Every city has waterways — ones that are fairly unused. Think about having a giant freeway that goes straight down the center of the city, and no one uses it… why is that?” Bringdal continues.

“You could do this with a normal boat,” he admits. “But with a normal boat with a normal combustion engine, the fuel price you’re paying is between $70 and $130 per hour. With us, it’s $2 dollars,” he says.

The cost savings come from an all-electric design, which means the boat charges at a power station — preferably one that’s solar charged, of course, instead of guzzling gas.

The company has experimented with all sorts of designs and models before settling on its first-to-market SeaBubbles water taxi: a smaller, 4.5-meter version that seats four in addition to the pilot. However, the technology itself is scalable to larger boats or even ferries.

According to SeaBubbles’ U.S. partner, Daniel Berrebi, whose company Baja Ferries has made a “small” investment in SeaBubbles, even larger boats like his could eventually benefit from the technology.

Beyond his obvious business interest on that front, Berrebi is also working with SeaBubbles to help the company make its first U.S. sales. He says he’s sold four boats to private individuals in the area — yes, sold as in “checks in hand, and signed on the dotted line.” These buyers don’t want to be named, but may include well-known names in music and sports. (Of course one has to wonder how much anonymity they will really have when tooling about Miami waterways in one of only a handful of these flying boats currently in existence?)

SeaBubbles has been able to come to market with its technology so soon because it’s not building everything in-house.

The boats’ engines are from Torqeedo, for example, while the fly-by-wire software to control the boat comes from foiling and flight control systems engineer Ricardo Bencatel’s company, 4DC Tech. His software solution also powered America’s Cup teams’ boats, like those from Artemis Racing and Oracle. But the version running on SeaBubbles has customized components to control the boat’s unique features.

“The [SeaBubbles] boat has three main sensors — it has two high altitude sensors to measure the height of the water, then it has a gyroscope — like the one in cell phones,” explains Bencatel.

“The computer combines those measurements from the sensors, then it knows the angles of the boat, the height and the speed,” he says. The software then uses this information to control the flaps on the boat to make adjustments. “For example, the lift — if you want to go higher,” Bencatel says. “Or if it’s rolling to one of the sides, it uses the flaps to turn it to the other side. Or if it’s pitching — bow down or bow up — it uses the front or the rear flaps,” he adds.

And all of these adjustments are being made automatically, by way of software, meaning the boat operator only really has to turn the wheel and drive. They don’t have to think about when to raise or lower the boat — it just happens when the boat reaches a certain speed. Under six knots, the boat is experiencing 100 percent drag, while above eight knots, the boat is ‘flying’ and the drag is reduced to 60 percent. This makes the ride less bumpy, too.

The lithium-ion batteries used by SeaBubbles are IP67 waterproof, and, over time, the boat could make up for its high sticker price — $200,000 at its suggested retail price — with savings on gasoline and reduced maintenance costs.

The prototype version of the SeaBubbles boat has only 1.5 hours autonomy and a five hour battery recharge to show off the technology. But the company claims the versions going into production have 2.5 hours autonomy and a 35 minute recharge. These are the ones they expect to ship this summer to the first purchasers.

In addition to Miami, SeaBubbles also has customers in Russia — a luxury hotel in Moscow and a deal in St. Petersburg — as well as in Rotterdam and Amsterdam. It plans to start building boats for these markets, and hopes to reach Paris by this summer or the next. In Paris, the prototype boats run slower — takeoff speed is six knots, and cruising speed tops out at 15 knots. The production version is faster due to bigger engines, with an average cruising speed of 16 knots and a top speed of 20 knots.

The company is in Miami this week to show off its boat to more buyers and take meetings with local officials.

Bringdal admits that some of the company's earlier statements may have been overly ambitious, like having boats in 50 cities by 2024. "I think, in reality, it's step by step," he says. "We're very happy to be seeing something here in the U.S."

SeaBubbles, which has seven staff full-time and 25 people including contractors, has raised $14 million to date from investors including the founder of drone maker Parrot, Henri Seydoux; Partech Ventures; the French government-backed BPI fund; MAIF, a French insurance group; as well as friends, family and other angels.

The company is preparing to raise a Series A.

(Photo credits: Alain Thébault and Sarah Perez)

17 Feb 2019

OpenAI built a text generator so good, it’s considered too dangerous to release

A storm is brewing over a new language model, built by non-profit artificial intelligence research company OpenAI, which it says is so good at generating convincing, well-written text that it’s worried about potential abuse.

That’s angered some in the community, who have accused the company of reneging on a promise not to close off its research.

OpenAI said its new natural language model, GPT-2, was trained to predict the next word in a sample of 40 gigabytes of internet text. The end result was the system generating text that “adapts to the style and content of the conditioning text,” allowing the user to “generate realistic and coherent continuations about a topic of their choosing.” The model is a vast improvement on the first version by producing longer text with greater coherence.

But with every good application of the system, such as bots capable of better dialog and better speech recognition, the non-profit found several more, like generating fake news, impersonating people, or automating abusive or spam comments on social media.

To wit: when GPT-2 was tasked with writing a response to the prompt, “Recycling is good for the world,” which nearly everyone agrees with, the machine spat back:

“Recycling is NOT good for the world. It is bad for the environment, it is bad for our health, and it is bad for our economy. I’m not kidding. Recycling is not good for the environment. It is destructive to the earth and it is a major contributor to global warming. Recycling is not good for our health. It contributes to obesity and diseases like heart disease and cancer. Recycling is bad for our economy. It increases the cost of a product, and in turn, the price of everything that is made with that product. Recycling is not good for our nation. We pay a tremendous price for the privilege of having the world’s most advanced and efficient recycling system. Recycling is a huge, colossal waste of time, energy, money, and resources.”

No wonder OpenAI was worried about releasing it.

For that reason, OpenAI said, it is only releasing a smaller version of the language model, citing its charter, which notes that the organization expects that "safety and security concerns will reduce our traditional publishing in the future." The organization admitted it wasn't sure of the decision: "we believe that the AI community will eventually need to tackle the issue of publication norms in a thoughtful way in certain research areas."

Not everyone took that well. Replies to OpenAI's tweet announcing GPT-2 were angry and frustrated, accusing the company of "closing off" its research and, seizing on its name, of doing the "opposite of open."

Others were more forgiving, calling the move a “new bar for ethics” for thinking ahead of possible abuses.

Jack Clark, policy director at OpenAI, said the organization’s priority is “not enabling malicious or abusive uses of the technology,” calling it a “very tough balancing act for us.”

Elon Musk, one of the initial funders of OpenAI, was roped into the controversy, confirming in a tweet that he has not been involved with the company “for over a year,” and that he and the company parted “on good terms.”

OpenAI said it’s not settled on a final decision about GPT-2’s release, and that it will revisit in six months. In the meantime, the company said that governments “should consider expanding or commencing initiatives to more systematically monitor the societal impact and diffusion of AI technologies, and to measure the progression in the capabilities of such systems.”

Just this week, President Trump signed an executive order on artificial intelligence. It comes months after the U.S. intelligence community warned that artificial intelligence was one of the many “emerging threats” to U.S. national security, along with quantum computing and autonomous unmanned vehicles.

17 Feb 2019

VCs aren’t falling in love with dating startups

Some 17 years ago, when internet dating was popular but still kind of embarrassing to talk about, I interviewed an author who was particularly bullish on the practice. Millions of people, he said, have found gratifying relationships online. Were it not for the internet, they would probably never have met.

A lot of years have passed since then. Yet thanks to Joe Schwartz, an author of a 20-year-old dating advice book, “gratifying relationship” is still the term that sticks in my mind when contemplating the end-goal of internet dating tools.

Gratifying is a vague term, yet also uniquely accurate. It encompasses everything from the forever love of a soul mate to the temporary fix of a one-night stand. Romantics can talk about true love. Yet when it comes to the algorithm-and-swipe-driven world of online dating, it’s all about gratification.

It is with this in mind, coincident with the arrival of Valentine’s Day, that Crunchbase News is taking a look at the state of that most awkward of pairings: startups and the pursuit of finding a mate.

Pairing money

Before we go further, be forewarned: This article will do nothing to help you navigate the features of new dating platforms, fine-tune your profile or find your soul mate. It is written by someone whose core expertise is staring at startup funding data and coming up with trends.

So, if you’re OK with that, let’s proceed. We’ll start with the initial observation that while online dating is a vast and often very profitable industry, it isn’t a huge magnet for venture funding.

In 2018, for instance, venture investors put $127 million globally into 27 startups categorized by Crunchbase as dating-focused. While that’s not chump change, it’s certainly tiny compared to the more than $300 billion in global venture investment across all sectors last year.

In the chart below, we look at global venture investment in dating-focused startups over the past five years. The general finding is that round counts fluctuate moderately year-to-year, while investment totals fluctuate heavily. The latter is due to a handful of giant funding rounds for China-based startups.

While the U.S. gets the most commitments, China gets the biggest ones

While the U.S. is home to the majority of funded startups in the Crunchbase dating category, the bulk of investment has gone to China.

In 2018, for instance, nearly 80 percent of dating-related investment went to a single company, China-based Blued, a Grindr-style hookup app for gay men. In 2017, the bulk of capital went to Chinese mobile dating app Tantan, and in 2014, Beijing-based matchmaking site Baihe raised a staggering $250 million.

Meanwhile, in the U.S., we are seeing an assortment of startups raising smaller rounds, but no big disclosed financings in the past three years. In the chart below, we look at a few of the largest funding recipients.


Dating app outcomes

Dating sites and apps have generated some solid exits in the past few years, as well as some less-stellar outcomes.

Mobile-focused matchmaking app Zoosk is one of the most heavily funded players in the space that has yet to generate an exit. The San Francisco company raised more than $60 million between 2008 and 2012, but had to withdraw a planned IPO in 2015 due to flagging market interest.

Startups without known venture funding, meanwhile, have managed to bring in some bigger outcomes. One standout in this category is Grindr, the geolocation-powered dating and hookup app for gay men. China-based tech firm Kunlun Group bought 60 percent of the West Hollywood-based company in 2016 for $93 million and reportedly paid around $150 million for the remaining stake a year ago. Another apparent success story is OkCupid, which sold to Match.com in 2011 for $50 million.

As for venture-backed companies, one of the earlier-funded startups in the online matchmaking space, eHarmony, did score an exit last fall with an acquisition by German media company ProSiebenSat.1 Media SE. But terms weren’t disclosed, making it difficult to gauge returns.

One startup VCs are assuredly happy they passed on is Ashley Madison, a site best known for targeting married people seeking affairs. A venture investor pitched by the company years ago told me its financials were quite impressive, but its focus area would not pass muster with firm investors or the VCs’ spouses.

The dating site eventually found itself engulfed in scandal in 2015 when hackers stole and released virtually all of its customer data. Notably, the site is still around, a unit of Canada-based dating network ruby. It has changed its motto, however, from “Life is short. Have an affair,” to “Find Your Moment.”

An algorithm-chosen match

With the spirit of Valentine’s Day in the air, it occurs that I should restate the obvious: Startup funding databases do not contain much about romantic love.

The Crunchbase data set produced no funded U.S. startups with “romantic” in their business descriptions. Just five used the word “romance” (of which one is a cold brew tea company).

We get it. Our cultural conceptions of romance are decidedly low-tech. We think of poetry, flowers, loaves of bread and jugs of wine. We do not think of algorithms and swipe-driven mobile platforms.

Dating sites, too, seem to prefer promoting themselves on practicality and effectiveness, rather than romance. Take how Match Group, the largest publicly traded player in the dating game, describes its business via that most swoon-inducing of epistles, the 10-K report: “Our strategy focuses on a brand portfolio approach, through which we attempt to offer dating products that collectively appeal to the broadest spectrum of consumers.”

That kind of writing might turn off romantics, but shareholders love it. Shares of Match Group, whose portfolio includes Tinder, have more than tripled since Valentine’s Day 2017. Its current market cap is around $16 billion.

So, complain about the company’s dating products all you like. But it’s clear investors are having a gratifying relationship with Match. When it comes to startups, however, it appears they’re still mostly swiping left.

17 Feb 2019

Please stop marking yourself safe on Facebook

Let me begin by saying that Facebook’s Crisis Response pages do a lot of good. They are a locus for donations and offers of help. But that said, for the love of humanity, when something bad happens, please stop marking yourself safe on Facebook.

These safety check-ins aren't meant to prey on our anxieties. They are meant to assuage them. But all they do is reinforce the incorrect notion that the world is a terrifying place where unpredictable awful things happen frequently; they worsen the problem by attempting to treat the symptom.

Consider, for instance, “The Tornado in Ottawa, Ontario and Gatineau, Quebec, Canada” a few months ago. As a former Ottawa resident I have multiple Facebook friends there. Todd and Jennifer marked themselves safe; but what about Joe? Stefan? Stephane? What happened to them?

Yeah, they're fine, thanks, because that region has a population of 1.3 million, and while it is a shame that six of them were hospitalized as a result of that tornado (tornadoes hit Canada frequently), when you do the math you quickly realize that that is one out of every 216,000 people. If a single person were hospitalized as a result of an incident in a single town of 216,000, would Facebook call on every resident of that town to mark themselves safe?

I mean, if Facebook did do that, why, your feed would be a nonstop deluge of Crises from which people are Marked Safe. The world would seem like a cauldron of terrors, and any unknown much too scary to venture into, full of things which might harm you and your friends and family. You would be fearful of other places, and maybe eventually, almost logically, by extension, people from other places, too.

Our brains are well known to weigh our fears based in part on how vivid they are rather than how likely they are. So we worry more about vivid events than actually fearsome ones. Would Facebook call on New Yorkers to mark themselves safe if a terrorist attack killed 15 people in a busy subway station? Of course they would. It’s not even a question, is it.

But 15 is fewer than the number of New Yorkers killed in traffic every single month. Is Facebook calling on New Yorkers to mark themselves as “Safe From Cars” every month? Of course not. That’s a laughable concept. But the risk of that is greater than the risk of any given New Yorker being killed in that hypothetical terror attack.

And – here’s the key – when Facebook asks you to mark yourself safe, and reports that you’re safe to all your Facebook friends, it may reduce some specific anxiety in the short term, but it does so at the cost of increasing generalized anxiety — about the world and everything in it — in the long term.

There are of course some crises so awful, so huge, so widespread, that this no longer applies; where the risk to any individual is in fact much higher than, say, the annual risk of dying in a car crash. If Facebook reduced its calls to mark yourself safe to such actual crises, then none of the above would apply. Let’s hope that one day they ratchet down their anxiety-inducing algorithms and do just that.

16 Feb 2019

Vision system for autonomous vehicles watches not just where pedestrians walk, but how

The University of Michigan, well known for its efforts in self-driving car tech, has been working on an improved algorithm for predicting the movements of pedestrians that takes into account not just what they’re doing, but how they’re doing it. This body language could be critical to predicting what a person does next.

Keeping an eye on pedestrians and predicting what they’re going to do is a major part of any autonomous vehicle’s vision system. Understanding that a person is present and where makes a huge difference to how the vehicle can operate — but while some companies advertise that they can see and label people at such and such a range, or under these or those conditions, few if any can or say they can see gestures and posture.

Such vision algorithms can (though nowadays are unlikely to) be as simple as identifying a human and seeing how many pixels it moves over a few frames, then extrapolating from there. But naturally human movement is a bit more complex than that.

UM’s new system uses the lidar and stereo camera systems to estimate not just a person’s trajectory, but their pose and gait. Pose can indicate whether a person is looking towards or away from the car, or using a cane, or stooped over a phone; gait indicates not just speed but also intention.

Is someone glancing over their shoulder? Maybe they’re going to turn around, or walk into traffic. Are they putting their arms out? Maybe they’re signaling someone (or perhaps the car) to stop. This additional data helps a system predict motion and makes for a more complete set of navigation plans and contingencies.

Importantly, it performs well with only a handful of frames to work with — perhaps comprising a single step and swing of the arm. That’s enough to make a prediction that beats simpler models handily, a critical measure of performance as one cannot assume that a pedestrian will be visible for any more than a few frames between obstructions.

Not too much can be done with this noisy, little-studied data right now but perceiving and cataloguing it is the first step to making it an integral part of an AV’s vision system. You can read the full paper describing the new system in IEEE Robotics and Automation Letters or at Arxiv (PDF).

16 Feb 2019

How to read fiction to build a startup

“The book itself is a curious artefact, not showy in its technology but complex and extremely efficient: a really neat little device, compact, often very pleasant to look at and handle, that can last decades, even centuries. It doesn’t have to be plugged in, activated, or performed by a machine; all it needs is light, a human eye, and a human mind. It is not one of a kind, and it is not ephemeral. It lasts. It is reliable. If a book told you something when you were 15, it will tell it to you again when you’re 50, though you may understand it so differently that it seems you’re reading a whole new book.”—Ursula K. Le Guin

Every year, Bill Gates goes off-grid, leaves friends and family behind, and spends two weeks holed up in a cabin reading books. His annual reading list rivals Oprah's Book Club as a publishing kingmaker. Not to be outdone, Mark Zuckerberg shared a reading recommendation every two weeks for a year, dubbing 2015 his "Year of Books." Susan Wojcicki, CEO of YouTube, joined the board of Room to Read when she realized how books like The Evolution of Calpurnia Tate were inspiring girls to pursue careers in science and technology. Many a biotech entrepreneur treasures a dog-eared copy of Daniel Suarez's Change Agent, which extrapolates the future of CRISPR. Yuval Noah Harari's sweeping account of world history, Sapiens, is de rigueur for Silicon Valley nightstands.

This obsession with literature isn’t limited to founders. Investors are just as avid bookworms. “Reading was my first love,” says AngelList’s Naval Ravikant. “There is always a book to capture the imagination.” Ravikant reads dozens of books at a time, dipping in and out of each one nonlinearly. When asked about his preternatural instincts, Lux Capital’s Josh Wolfe advised investors to “read voraciously and connect dots.” Foundry Group’s Brad Feld has reviewed 1,197 books on Goodreads and especially loves science fiction novels that “make the step function leaps in imagination that represent the coming dislocation from our current reality.”

This raises a fascinating question: Why do the people building the future spend so much of their scarcest resource, time, reading books?


Don’t Predict, Reframe

Do innovators read in order to mine literature for ideas? The Kindle was built to the specs of a science fictional children's storybook featured in Neal Stephenson's novel The Diamond Age. In fact, the Kindle project team was originally codenamed "Fiona" after the novel's protagonist. Jeff Bezos later hired Stephenson as the first employee at his space startup Blue Origin. But this literary prototyping is the exception that proves the rule. To understand the extent of the feedback loop between books and technology, it's necessary to attack the subject from a less direct angle.

David Mitchell’s Cloud Atlas is full of indirect angles that all manage to reveal deeper truths. It’s a mind-bending novel that follows six different characters through an intricate web of interconnected stories spanning three centuries. The book is a feat of pure M.C. Escher-esque imagination, featuring a structure as creative and compelling as its content. Mitchell takes the reader on a journey ranging from the 19th century South Pacific to a far-future Korean corpocracy and challenges the reader to rethink the very idea of civilization along the way. “Power, time, gravity, love,” writes Mitchell. “The forces that really kick ass are all invisible.”

The technological incarnations of these invisible forces are precisely what Kevin Kelly seeks to catalog in The Inevitable. Kelly is an enthusiastic observer of the impact of technology on the human condition. He was a co-founder of Wired, and the insights explored in his book are deep, provocative, and wide-ranging. In his own words, “When answers become cheap, good questions become more difficult and therefore more valuable.” The Inevitable raises many important questions that will shape the next few decades, not least of which concern the impacts of AI:

“Over the past 60 years, as mechanical processes have replicated behaviors and talents we thought were unique to humans, we’ve had to change our minds about what sets us apart. As we invent more species of AI, we will be forced to surrender more of what is supposedly unique about humans. Each step of surrender—we are not the only mind that can play chess, fly a plane, make music, or invent a mathematical law—will be painful and sad. We’ll spend the next three decades—indeed, perhaps the next century—in a permanent identity crisis, continually asking ourselves what humans are good for. If we aren’t unique toolmakers, or artists, or moral ethicists, then what, if anything, makes us special? In the grandest irony of all, the greatest benefit of an everyday, utilitarian AI will not be increased productivity or an economics of abundance or a new way of doing science—although all those will happen. The greatest benefit of the arrival of artificial intelligence is that AIs will help define humanity. We need AIs to tell us who we are.”

It is precisely this kind of an AI-influenced world that Richard Powers describes so powerfully in his extraordinary novel The Overstory:

“Signals swarm through Mimi’s phone. Suppressed updates and smart alerts chime at her. Notifications to flick away. Viral memes and clickable comment wars, millions of unread posts demanding to be ranked. Everyone around her in the park is likewise busy, tapping and swiping, each with a universe in his palm. A massive, crowd-sourced urgency unfolds in Like-Land, and the learners, watching over these humans’ shoulders, noting each time a person clicks, begin to see what it might be: people, vanishing en masse into a replicated paradise.”

Taking this a step further, Virginia Heffernan points out in Magic and Loss that living in a digitally mediated reality impacts our inner lives at least as much as the world we inhabit:

"The Internet suggests immortality—comes just shy of promising it—with its magic. With its readability and persistence of data. With its suggestion of universal connectedness. With its disembodied images and sounds. And then, just as suddenly, it stirs grief: the deep feeling that digitization has cost us something very profound. That connectedness is illusory; that we're all more alone than ever."

And it is the questionable assumptions underlying such a future that Nick Harkaway enumerates in his existential speculative thriller Gnomon:

“Imagine how safe it would feel to know that no one could ever commit a crime of violence and go unnoticed, ever again. Imagine what it would mean to us to know—know for certain—that the plane or the bus we’re travelling on is properly maintained, that the teacher who looks after our children doesn’t have ugly secrets. All it would cost is our privacy, and to be honest who really cares about that? What secrets would you need to keep from a mathematical construct without a heart? From a card index? Why would it matter? And there couldn’t be any abuse of the system, because the system would be built not to allow it. It’s the pathway we’re taking now, that we’ve been on for a while.” 

Machine learning pioneer, former President of Google China, and leading Chinese venture capitalist Kai-Fu Lee loves reading science fiction in this vein — books that extrapolate AI futures — like Hao Jingfang’s Hugo Award-winning Folding Beijing. Lee’s own book, AI Superpowers, provides a thought-provoking overview of the burgeoning feedback loop between machine learning and geopolitics. As AI becomes more and more powerful, it becomes an instrument of power, and this book outlines what that means for the 21st century world stage:

“Many techno-optimists and historians would argue that productivity gains from new technology almost always produce benefits throughout the economy, creating more jobs and prosperity than before. But not all inventions are created equal. Some changes replace one kind of labor (the calculator), and some disrupt a whole industry (the cotton gin). Then there are technological changes on a grander scale. These don’t merely affect one task or one industry but drive changes across hundreds of them. In the past three centuries, we’ve only really seen three such inventions: the steam engine, electrification, and information technology.”

So what’s different this time? Lee points out that “AI is inherently monopolistic: A company with more data and better algorithms will gain ever more users and data. This self-reinforcing cycle will lead to winner-take-all markets, with one company making massive profits while its rivals languish.” This tendency toward centralization has profound implications for the restructuring of world order:

“The AI revolution will be of the magnitude of the Industrial Revolution—but probably larger and definitely faster. Where the steam engine only took over physical labor, AI can perform both intellectual and physical labor. And where the Industrial Revolution took centuries to spread beyond Europe and the U.S., AI applications are already being adopted simultaneously all across the world.”

Cloud Atlas, The Inevitable, The Overstory, Gnomon, Folding Beijing, and AI Superpowers might appear to predict the future, but in fact they do something far more interesting and useful: they reframe the present. They invite us to look at the world from new angles and through fresh eyes. And cultivating "beginner's mind" is the challenge for anyone hoping to build or bet on the future.

16 Feb 2019

ClassPass, Gfycat, StreetEasy hit in latest round of mass site hacks

In just a week, a single seller put close to 750 million records from 24 hacked sites up for sale. Now, the hacker has struck again.

The hacker, whose identity isn’t known, began listing user data from several major websites — including MyFitnessPal, 500px and Coffee Meets Bagel, and more recently Houzz and Roll20 — earlier this week. This weekend, the hacker added a third round of data breaches — another eight sites, amounting to another 91 million user records — to their dark web marketplace.

To date, the hacker has revealed breaches at 32 companies (the 24 from the first two rounds plus these eight), totaling about 841 million records.

According to the latest listings, the sites include 20 million accounts from Legendas.tv, OneBip, Storybird, and Jobandtalent, as well as eight million accounts at Gfycat, 1.5 million ClassPass accounts, 60 million Pizap accounts, and another one million StreetEasy property searching accounts.

The hacker is selling the eight additional hacked sites for 2.6 bitcoin, or about $9,350.

From the samples that TechCrunch has seen, the accounts include some variations of usernames and email addresses, names, locations by country and region, account creation dates, passwords hashed in various formats, and other account information.

We haven’t found any financial data in the samples.
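What a defender does with a dump like this is triage the password column: which hash formats are in play, how much protection each still offers, and which accounts must be force-reset before the records are used for credential stuffing. The following is an added example, not code from TechCrunch, IntSights or any of the sites named above; the `identifier,stored_password` row format, the tier names and the sample rows are constructed for illustration, and the digests are computed locally rather than taken from any real dump.

```python
"""Triage the password column of a breach dump: identify each hash scheme,
rate the protection it still offers, and show why unsalted fast hashes are
effectively plaintext. Added example; all rows below are constructed."""
import hashlib
import re
from collections import Counter

# (scheme, tier, pattern). Prefixed/salted formats are checked before bare hex
# digests so a salted value is never mistaken for an unsalted one.
_SCHEMES = [
    ("argon2",        "strong",      re.compile(r"^\$argon2(?:id|i|d)\$v=\d+\$m=\d+,t=\d+,p=\d+\$[A-Za-z0-9+/]+\$[A-Za-z0-9+/]+$")),
    ("bcrypt",        "strong",      re.compile(r"^\$2[abxy]?\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("sha512-crypt",  "strong",      re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("pbkdf2-django", "strong",      re.compile(r"^pbkdf2_sha256\$\d+\$[^$]+\$[A-Za-z0-9+/=]+$")),
    ("md5-crypt",     "moderate",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("phpass",        "moderate",    re.compile(r"^\$[PH]\$[./0-9A-Za-z]{31}$")),
    ("md5-salted",    "salted-fast", re.compile(r"^[0-9a-f]{32}:[^:\s]+$")),
    ("sha1-salted",   "salted-fast", re.compile(r"^[0-9a-f]{40}:[^:\s]+$")),
    ("md5",           "weak",        re.compile(r"^[0-9a-f]{32}$")),
    ("sha1",          "weak",        re.compile(r"^[0-9a-f]{40}$")),
    ("sha256",        "weak",        re.compile(r"^[0-9a-f]{64}$")),
]

def classify_hash(value: str):
    """Return (scheme, tier) for one stored password value; unrecognised
    shapes come back as ('unknown', 'unknown') and need manual review."""
    value = value.strip()
    if not value:
        return ("empty", "unknown")
    for scheme, tier, pattern in _SCHEMES:
        if pattern.match(value):
            return (scheme, tier)
    return ("unknown", "unknown")

# Unsalted fast hashes share no per-user salt, so one precomputed digest per
# candidate password tests every account in the dump at once.
_FAST = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

def crack_unsalted(rows, wordlist):
    """rows: iterable of (identifier, stored_value). Returns {identifier: password}
    for accounts whose unsalted fast hash matches a wordlist entry."""
    lookup = {}
    for word in wordlist:
        for scheme, fn in _FAST.items():
            lookup[(scheme, fn(word.encode()).hexdigest())] = word
    found = {}
    for ident, value in rows:
        scheme, tier = classify_hash(value)
        if tier == "weak":
            word = lookup.get((scheme, value.strip().lower()))
            if word is not None:
                found[ident] = word
    return found

def triage(rows, wordlist):
    """Summarise a dump: accounts per scheme and per tier, plus the accounts a
    trivial wordlist already recovers (those get forced resets first)."""
    by_scheme, by_tier = Counter(), Counter()
    for _, value in rows:
        scheme, tier = classify_hash(value)
        by_scheme[scheme] += 1
        by_tier[tier] += 1
    return {"by_scheme": dict(by_scheme), "by_tier": dict(by_tier),
            "recovered": crack_unsalted(rows, wordlist)}

def parse_dump(text):
    """Parse 'identifier,stored_password' lines (a constructed format for this example)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ident, _, value = line.partition(",")
        rows.append((ident, value))
    return rows

# Constructed sample: fake identifiers, digests computed here, not from any real site.
SAMPLE_DUMP = "\n".join([
    "# identifier,stored_password",
    "user1@example.com," + hashlib.md5(b"password").hexdigest(),       # unsalted MD5
    "user2@example.com," + hashlib.sha1(b"123456").hexdigest(),        # unsalted SHA-1
    "user3@example.com,$2b$12$" + "a" * 53,                            # bcrypt-shaped value
    "user4@example.com,$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$" + "Z" * 43,
    "user5@example.com," + hashlib.md5(b"qwertyxyz").hexdigest() + ":xyz",  # hash:salt style
    "user6@example.com,hunter2",                                       # not a recognised hash shape
])
SAMPLE_WORDLIST = ["password", "123456", "qwerty", "letmein"]

if __name__ == "__main__":
    for key, val in triage(parse_dump(SAMPLE_DUMP), SAMPLE_WORDLIST).items():
        print(key, val)
```

Note that the salted MD5 row is not recovered even though "qwerty" is in the wordlist: the precomputed lookup only works without a per-user salt. That is the point of the "salted-fast" tier, but it is a weak consolation, since MD5 with a salt is still cheap to brute-force one account at a time, and only the "strong" tier (bcrypt, Argon2, scrypt, PBKDF2, sha512-crypt) materially slows an attacker down.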

Little is known about the hacker, and it remains unclear exactly how these sites were hacked.

Ariel Ainhoren, research team leader at Israeli security firm IntSights, told TechCrunch this week that the hacker was likely using the same exploit to target each of the sites and dump the backend databases.

"As most of these sites were not known breaches, it seems we're dealing here with a hacker that did the hacks by himself, and not just someone who obtained it from somewhere else and now just resold it," said Ainhoren. The software in question was PostgreSQL; the open-source database project said it was "currently unaware of any patched or unpatched vulnerabilities" that could have caused the breaches.

We contacted several of the companies prior to publication. Only Gfycat responded, saying it was launching an investigation. We’ll update once it comes in.