Year: 2019

The UK’s data protection watchdog has issued fines against a pro-Brexit campaign, Leave.EU, and an insurance company owned by the largest individual donor to the leave cause, Arron Banks’ Eldon Insurance.

The penalties have been handed down for what the Information Commissioner’s Office (ICO) dubs “serious breaches of electronic marketing laws” during the 2016 referendum on the UK’s European Union membership. 

The fines — served under the Privacy and Electronic Communications Regulations 2003, which governs electronic marketing — total £120,000 (~$157k); with Leave.EU fined a total of £60k (covering two incidents) and Eldon Insurance £60k.

The ICO’s investigation found the two entities were closely linked and it says systems for segregating the personal data of insurance customers’ from that of political subscribers’ were “ineffective”.

Leave.EU used Eldon Insurance customers’ details unlawfully to send almost 300,000 political marketing messages, according to the ICO’s probe.

Eldon Insurance was also found to have carried out two unlawful direct marketing campaigns which involved the sending of more than a million emails to Leave.EU subscribers without “sufficient consent”.

The ICO says it will now review how both entities are complying with data protection laws by carrying out audits — to observe how personal data is processed; what policies and procedures are in place; and look at the types of training made available for staff.

Key employees across both organisations will also be interviewed, including directors, staff and their data protection officers.

The ICO adds that it will publish its findings when it concludes the audits.

Commenting in a statement, information commissioner Elizabeth Denham, said: “It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened. We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information.”

The ICO issued a preliminary enforcement notice and three notices of intent to fine Leave.EU and Eldon Insurance trading as Go Skippy Insurance, last November, as part of a wide-ranging investigation into data analytics for political purposes.

“After considering the companies’ representations, the ICO has issued the fines, confirming a change to one amount, with the other two remaining unchanged,” it writes today. “The regulator has also issued two assessment notices to Leave.EU and Eldon Insurance to inform both organisations that they will be audited.”

Banks and associates connected to his unofficial leave campaign remain under investigation by the UK’s National Crime Agency. Last November the NCA announced an investigation into the source of £8M in funding Banks provided to the Leave.EU campaign — after an Electoral Commission investigation found there were reasonable grounds to suspect he was “not the true source” of the money.

The UK introduced legislation back in the year 2000 to outlaw foreign donations, with donors of even a few thousand pounds needing to be both British citizens and on the UK electoral roll for the donations to be legal.

However since then the rise of social media platforms has provided an unregulated workaround for election spending rules by offering a free-for-all conduit for political ads by the backdoor.

And it’s only since major scandals over election interference, such as Kremlin propaganda targeting the 2016 US presidential election, that tech giants have started to pay attention to the problem and introduce some checks on who can run political ads.

Facebook, for example, recently announced it will set up human-staffed operations centers to monitor political news.

In a few markets it’s also launched tools that offer a degree of transparency around who is buying certain types of political ads. But such measures clearly come far too late for Brexit.

A UK parliamentary committee which spend months investigating the issue of online political disinformation — and slammed Facebook for dodging its questions — came out with a laundry list of recommendations for changes to the law in a preliminary report last year, including calling for a levy on social media firms to defend democracy from disinformation.

Although the government rejected the levy, and most of the committee’s recommendations — preferring a ‘wait and see’ approach. (It has previously committed to legislate around social media and safety, though.)

Last year the UK’s election oversight body issued a series of fines for other leave-backed Brexit referendum campaigns — after finding the official Vote Leave campaign had breached election campaign spending limits by undeclared joint working with a youth-focused Brexit campaign, BeLeave.

Almost half a million pounds in illegal overspending was channeled via a Canadian data firm, AggregateIQ, to use for targeting political advertising pushing pro-Brexit ads on Facebook’s platform.

Facebook later released some of the ads that had been used by Brexit campaigns, which included fake claims and dogwhistle racism being used by leave campaigns to stir up fear among voters about foreigners coming to the UK.

The Facebook Cambridge Analytica data misuse scandal which snowballed into a major global scandal last year, also triggered a major ICO investigation into the use of personal data for political campaigning, parts of which remain ongoing.

The watchdog issued a £500,000 fine on Facebook last year, as part of that probe — saying the company had “failed to sufficiently protect the privacy of its users before, during and after the unlawful processing” by Cambridge Analytica.

Though Facebook has filed an appeal, arguing the ICO did not find evidence that any UK users’ data was processed by CA.

Last year information commissioner Elizabeth Denham also called for an “ethical pause” around the use of microtargeting ad tools for political campaigning — saying there was “a risk of developing a system of voter surveillance by default”.

In the case of Facebook, the platform has generally preferred to continue accepting money for political ads, while it works on expanding self-styled “election security” measures.

Although it did temporarily suspend foreign-funded ads during a referendum in Ireland last year on whether to repeal or retain a constitutional ban on abortion — acting after concerns had been raised. It also fast tracked the launch of an ad transparency tool in the market ahead of the vote.

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast, where we unpack the numbers behind the headlines.

This week we recorded as a trio: Connie Loizos holding down the studio with our guest, the ever-present Jeff Clavier of Uncork Capital. I dialed in from the what was the East Coast, back before it froze over.

But while the temperature is low over here, the world’s tech news was anything but slow. Indeed, we had to cram a lot into a little bit of time, so here’s the quick overview to follow as you listen:

• Acorns raised a $105 million Series E. The company, best known for its savings product, does a bit more than just that. With its new capital, the service should have more than enough dosh to work to its own betterment, building a wealthfront for its investors and founders alike. A real square deal, if you will. 
• Stripe also raised another $100 million, but at its $22.5 billion valuation how much money is that really? Not much!
• Moving along, it being 2019, we couldn’t avoid chatting about the IPO market. First up was news that Pinterest has bankers. That Big Pint is going public is not a surprise. That this may finally be the year somewhat is; Pinterest has been a perennial IPO possible. We’re excited to see its margins so that we can better grok what it’s worth.
• And on the IPO front, Zoom is said to be making progress as well. Connie pointed out that 2018 was the year of the enterprise IPO, and that 2019 is looking more consumer-oriented. But that won’t stop Zoom if its S-1 comes in as healthy as we expect it.
• We ran a bit long (woo!) hitting on the SEC, Barrett Daniels, Uber, and more, but we did wrap talking about the Dropbox-HelloSign deal. More of those please, they’re fun to write about.

A big thanks to Jeff for joining us. Today we had two people on the show who are part of the first name club on Twitter. That was fun.

Hang tight, we’re back in a week!

Amazon has been forced to pull an estimated 400,000 products in India after new regulation limiting e-commerce businesses went into force in the country today.

First announced at the end of 2018, the new regulation imposes a ban on exclusive sales, prevents retailers from selling products on platforms they count as investors, and it applies restrictions on discounts and cashback promotions.

That’s hugely problematic for Amazon and Flipkart, its rival that’s owned by Walmart following a $16 billion investment last year. After a 2016 ruling prevented it from owning inventory, Amazon restricted its system so that its own products were offered by entities that it jointly owned with local partners. However, the newest regulation forbids it from working with organizations that it has ownership of, hence it is estimated to have pulled as many as 400,000 products from sale in India, according to a New York Times report.

The same report suggests that Flipkart could pull as many as one-quarter of its products in order to comply with the rule, according to analysis from consulting firm Technopak.

Flipkart and Amazon have been unsuccessful with efforts to get a three-month extension to the rules, Bloomberg reported, hence their respective catalogs look very much more sparse today.

Online commerce in the country is tipped to surpass $100 billion per year by 2022, up from $35 billion today, as increasing numbers of Indian citizens come online, according to a report co-authored by PwC. But it looks like 2019 could deliver a major curveball.

Besides binge-watching TikTok videos and battling enemies in the magical land of mobile games, many Chinese people may also pass time during the upcoming Lunar New Year on Xuexi Qiangguo, a news and chat app developed by the country’s top ideology officials.

The app managed to top the Chinese App Store between January 22 and 25 before two ByteDance apps pushed it down to the third place this week, download statistics from App Annie shows. At a glance, the news section is almost exclusively about the Communist Party and president Xi Jinping.

It doubles as an instant messenger, with development support provided by Alibaba’s Dingtalk enterprise communications tool. That means users can log in via their Dingtalk account and chat with their Dingtalk contacts directly over Xuexi Qiangguo.

Directly translated as “studying strengthens the nation,” Xuexi Qiangguo is the product of a research center under China’s Publicity Department, an important organ in charge of how information disseminates in the country. The digital weapon underscores the Communist Party’s growing efforts in recent years to appeal to phone-savvy generations, though the app seems to have peaked.

As of February 1, the iOS version of Xuexi Qiangguo is rated 2.4 out of 5 from 6,810 reviews. Its impressive download number, as it turns out, is in part a result of top-down order. Many early users are Party members or work in China’s giant state apparatus, who were told to install the app. Several users TechCrunch spoke to, including a public school principal, a director of a district party committee and a municipal government official, confirmed that everyone in their organizations must download the app and every now and then, users may get quizzed on relevant content.

Newspapers and social media posts also suggest local governments have mandated downloads among Party members and encouraged the general public to give it a try. Some take a step further to organize offline study sessions for the app. For some context, China had nearly 90 million Communist Party members by the end of 2017.

“I believe that most of the downloads were incentivized, probably only a very small portion was initiated by a real interest,” says Kristin Shi-Kupfer, director at MERICS, a German think tank specializing in China. “This app will probably drop out of the rankings of any app store soon.”

To engage the younger crowd, the app takes cues from new media forms in China’s flourishing online world. The news section, for instance, appears to be modelled on ByteDance’s popular news app Jinri Toutiao . While Toutiao uses algorithms to understand user preferences and delivers content from a wide array of third-party publications, Xuexi Qiangguo curates from an army of 18 state-controlled outlets.

The app also has a gamified loyalty program, which rewards users virtual points when they complete a task, such as daily sign-in. Since registrations are on a real-name basis, supervisors can check who in their organizations haven’t installed the app, ushering in a new kind of digital monitoring.

“The timing of the publishing of this app might be linked to the upcoming Chinese New Year Festival, which the Chinese Communist Party sees as an opportunity and a necessity to spread their ideology,” notes Shi-Kupfer.” [It] may be hoping that people would use the holiday season to take a closer look, but probably also knowing that most people would rather choose other sources to relax, consume and travel.”

Asia’s venture capital-backed startups are gunning for Starbucks .

In China, the U.S. coffee giant is being pushed by Luckin Coffee, a $2.2 billion challenger surfing China’s on-demand wave, and on the real estate side, where WeWork China has just unveiled an on-demand product that could tempt people who go to Starbucks to kill time or work.

That trend is picking up in Indonesia, the world’s fourth largest country and Southeast Asia’s largest economy, where an on-demand challenger named Fore Coffee has fuelled up for a fight after it raised $8.5 million.

Fore was started in August 2018 when associates at East Ventures, a prolific early-stage investor in Indonesia, decided to test how robust the country’s new digital infrastructure can be. That means it taps into unicorn companies like Grab, Go-Jek and Traveloka and their army of scooter-based delivery people to get a hot brew out to customers. Incidentally, the name ‘Fore’ comes from ‘forest’ — “we aim to grow fast, strong, tall and bring life to our surrounding” — rather than in front of… or a shout heard on the golf course.

The company has adopted a similar hybrid approach to Luckin, and Starbucks thanks to its alliance with Alibaba. Fore operates 15 outlets in Jakarta, which range from ‘grab and go’ kiosks for workers in a hurry, to shops with space to sit and delivery-only locations, Fore co-founder Elisa Suteja told TechCrunch. On the digital side, it offers its own app (delivery is handled via Go-Jek’s Go-Send service) and is available via Go-Jek and Grab’s apps.

So far, Fore has jumped to 100,000 deliveries per month and its app is top of the F&B category for iOS and Android in Indonesia — ahead of Starbucks, McDonald’s and Pizza Hut .

It’s early times for the venture — which is not a touch on Starbuck’s $85 billion business; it does break out figures for Indonesia — but it is a sign of where consumption is moving to Indonesia, which has become a coveted beachhead for global companies, and especially Chinese, moving into Southeast Asia. Chinese trio Tencent, Alibaba and JD.com and Singapore’s Grab are among the outsiders who have each spent hundreds of millions to build or invest in services that tap growing internet access among Indonesia’s population of over 260 million.

There’s a lot at stake. A recent Google-Temasek report forecast that Indonesia alone will account for over 40 percent of Southeast Asia’s digital economy by 2025, which is predicted to triple to reach $240 billion.

As one founder recently told TechCrunch anonymously: “There is no such thing as winning Southeast Asia but losing Indonesia. The number one priority for any Southeast Asian business must be to win Indonesia.”

This new money comes from East Ventures — which incubated the project — SMDV, Pavilion Capital, Agaeti Venture Capital and Insignia Ventures Partners with participation from undisclosed angel backers. The plan is to continue to invest in growing the business.

“Fore is our model for ‘super-SME’ — SME done right in leveraging technology and digital ecosystem,” Willson Cuaca, a managing partner at East Ventures, said in a statement.

There’s clearly a long way to go before Fore reaches the size of Luckin, which has said it lost 850 million yuan, or $124 million, inside the first nine months in 2018.

The Chinese coffee challenger recently declared that money is no object for its strategy to dethrone Starbucks. The U.S. firm is currently the largest player in China’s coffee market, with 3,300 stores as of last May and a goal of topping 6,000 outlets by 2022, but Luckin said it will more than double its locations to more than 4,500 by the end of this year.

By comparison, Indonesia’s coffee battle is only just getting started.

Fourteen years after unveiling its first location in New York, Nintendo is finally opening an official store in Japan, too. Nintendo Tokyo will be located in Shibuya Parco, the new flagship of the Parco department store chain. Nintendo Tokyo is scheduled to open at the same time as the shopping center in fall.

In an announcement, Nintendo said “we are preparing to make this store, which will be a new base for communicating Nintendo information in Japan, an enjoyable place for a wide range of consumers.” In addition to games, consoles, accessories like amiibo, and branded merchandise, Nintendo Tokyo will also host gaming kiosks and events (if the New York store, in Rockefeller Center, is anything to go by, these might include tournaments, demos, and launches).

Nintendo recently posted strong third-quarter revenue growth, but also cut its Switch forecast for the year. Sales may pick up again, however, if Nintendo releases a smaller and less expensive version of the console, as Japanese financial publication Nikkei reported it plans to do.

Fourteen years after unveiling its first location in New York, Nintendo is finally opening an official store in Japan, too. Nintendo Tokyo will be located in Shibuya Parco, the new flagship of the Parco department store chain. Nintendo Tokyo is scheduled to open at the same time as the shopping center in fall.

In an announcement, Nintendo said “we are preparing to make this store, which will be a new base for communicating Nintendo information in Japan, an enjoyable place for a wide range of consumers.” In addition to games, consoles, accessories like amiibo, and branded merchandise, Nintendo Tokyo will also host gaming kiosks and events (if the New York store, in Rockefeller Center, is anything to go by, these might include tournaments, demos, and launches).

Nintendo recently posted strong third-quarter revenue growth, but also cut its Switch forecast for the year. Sales may pick up again, however, if Nintendo releases a smaller and less expensive version of the console, as Japanese financial publication Nikkei reported it plans to do.

Facebook said today it has removed hundreds of Facebook and Instagram counts with links to an organization that peddled fake news.

The world’s fourth largest country with a population of over 260 million, Indonesia is in election year alongside Southeast Asia neighbors Thailand and the Philippines. Facebook said this week it has set up an ‘election integrity’ team in Singapore, its APAC HQ, as it tries to prevent its social network being misused in the lead-up to voting as happened in the U.S.

This Indonesia bust is the first move announced since that task force was put in place, and it sees 207 Facebook Pages, 800 Facebook accounts, 546 Facebook Groups, and 208 Instagram accounts removed for “engaging in coordinated inauthentic behavior.”

“About 170,000 people followed at least one of these Facebook Pages, and more than 65,000 followed at least one of these Instagram accounts,” Facebook said of the reach of the removed accounts.

The groups and accounts are linked to Saracen Group, a digital media group that saw three of its members arrested by police in 2016 for spreading “incendiary material,’ as Reuters reports.

Facebook isn’t saying too much about the removals other than: “we don’t want our services to be used to manipulate people.”

In January, the social network banned a fake news group in the Philippines in similar circumstances.

Despite the recent action, the U.S. company has struggled to manage the flow of false information that flows across its services in Asia. The most extreme examples come from Myanmar, where the UN has concluded that Facebook played a key role in escalating religious hatred and fueling violence. Facebook has also been criticized for allowing manipulation in Sri Lanka and the Philippines among other places.

Facebook said today it has removed hundreds of Facebook and Instagram counts with links to an organization that peddled fake news.

The world’s fourth largest country with a population of over 260 million, Indonesia is in election year alongside Southeast Asia neighbors Thailand and the Philippines. Facebook said this week it has set up an ‘election integrity’ team in Singapore, its APAC HQ, as it tries to prevent its social network being misused in the lead-up to voting as happened in the U.S.

This Indonesia bust is the first move announced since that task force was put in place, and it sees 207 Facebook Pages, 800 Facebook accounts, 546 Facebook Groups, and 208 Instagram accounts removed for “engaging in coordinated inauthentic behavior.”

“About 170,000 people followed at least one of these Facebook Pages, and more than 65,000 followed at least one of these Instagram accounts,” Facebook said of the reach of the removed accounts.

The groups and accounts are linked to Saracen Group, a digital media group that saw three of its members arrested by police in 2016 for spreading “incendiary material,’ as Reuters reports.

Facebook isn’t saying too much about the removals other than: “we don’t want our services to be used to manipulate people.”

In January, the social network banned a fake news group in the Philippines in similar circumstances.

Despite the recent action, the U.S. company has struggled to manage the flow of false information that flows across its services in Asia. The most extreme examples come from Myanmar, where the UN has concluded that Facebook played a key role in escalating religious hatred and fueling violence. Facebook has also been criticized for allowing manipulation in Sri Lanka and the Philippines among other places.

A lapse in security has led to the leaking of over a hundred thousand Aadhaar numbers, TechCrunch can reveal.

One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.

But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.

The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.

Aadhaar numbers aren’t strictly secret but are treated similarly to Social Security numbers. Anyone of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon, or rent an Airbnb.

But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.

It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, but for long enough that it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages that still contain Aadhaar numbers in each worker’s photo.

TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.

TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.). Each record came back as a positive match.

After confirming our findings, we reached out to both the Jharkhand government and UIDAI.

At the time of publication, neither had responded, but the website had been pulled offline.

The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI instead has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” by claiming to refute evidence without presenting any of its own.

The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it’s raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.

Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.

But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.

In recent years, several security lapses involving data relating to Aadhaar have reignited fresh concerns about the centralized database — including several issues found by Robert. Last year, security researcher Karan Saini, a New Delhi-based security researcher, found a poorly-secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.

Despite the security concerns, India’s Supreme Court ruled the database constitutional in September after a long-running court battle.