Year: 2019

It’s another week, and another bevy of hits on Chinese tech by the U.S. government. Let’s get up to speed, plus a request for startup lawyer recommendations.

TechCrunch is experimenting with new content forms. This is a rough draft of something new — provide your feedback directly to the author (Danny at danny@techcrunch.com) if you like or hate something here.

Venture capital’s leading advocate NVCA pushes for narrower restrictions on foreign investment

Let’s start with the most exciting subject in the world: the federal rulemaking process.

Last year, Congress approved sweeping reforms of CFIUS, the Committee on Foreign Investment in the United States, providing it with new powers including the ability to review deals made by foreign investors for minority investments (aka the kinds of equity rounds typically received by startups). That reform has put a crimp on SoftBank’s Vision Fund, which has been trying to get around the rules, and has also led to a massive decline in the amount of Chinese venture capital flowing into the Valley.

As the implementation of that reform meanders its way through the federal rulemaking process, one huge challenge is defining what the term “emerging technologies” means. Since the purview of CFIUS will extend to any technology defined under that term, its definition is critically important, but there is just one problem: no one knows what the hell that phrase even is.

So yesterday, the National Venture Capital Association, the leading advocacy org for the asset class, submitted its stance on the debate. In a filing with the Bureau of Industry and Security, the NVCA argues for a relatively narrow interpretation of emerging technologies.

The organization is specifically concerned about controls on technologies like AI/ML and gene editing through CRISPR, because these “horizontal technologies” are very under-defined and thus restrictions on investment could lead to tough challenges for many startups. For instance, startups that fall under these categories could be prevented from taking foreign investment, or sharing information with other startups. In short, it could kill American leadership in these industries.

It’s an important point, but it is also part of a wider challenge — for startups and the government — that no one knows what “AI” means any more than they know what “emerging technologies” mean. Every startup might have (or claims to have!) AI, and that could mean that highly restrictive rules from the Bureau could apply pretty much to everyone, undermining the original intent of reform legislation.

This is a process not worth paying attention to, except that if it were to go stupidly wrong (and this is DC after all), we might suddenly find that the thousands of AI startups in the Valley suddenly become “definitely not AI” startups posthaste.

Don’t expect to ride Chinese subway cars in America anytime soon (except if you live in Boston)

America’s subway cars are widely dilapidated, as riders in systems in Boston, New York, DC, and SF can attest. Replacing those subway cars is a challenge, particularly since no American company manufactures them. Among the largest manufacturers is the China Railway Rolling Stock Corp., which has won deals to replace some of Boston’s aging subway cars.

Now, there is a renewed nationwide push to demand tougher cybersecurity standards on railcars as a way to prevent Chinese companies from receiving these contracts. As the Washington Post noted this week, DC’s Metro officials have rewritten its contract specifications, adding terms to require that all hardware and software go through cybersecurity verification from third-parties.

Further, Congress itself is getting involved in the matter. Per the article:

Both the U.S. Senate and House have sought to block further Chinese penetration of the transit vehicle market. Each chamber has inserted language in annual transportation appropriations bills to impose a one-year ban on new purchases of mass transit rail cars or buses from Chinese-owned companies if the procurement uses federal funding. The ban is not yet law, as final action has been put off until this year.

Cybersecurity is of course a legitimate concern, but so is lowering the cost of subway car replacements. By removing Chinese bidders from this market, Congress is effectively raising the price of subway car replacements for every city in the nation (and do you think they will pay for that increase?)

Huawei export license not renewed

Huawei has had a bullseye on its back for much of the last two years, and now it faces another restrictions.

The company hosts a research and development center in Silicon Valley quaintly called Futurewei, where it designs next-generation telecommunications tech. As reported in the Wall Street Journal, the unit has recently seen its export license for some of its technologies pulled by the Commerce Department. That move means that Futurewei won’t legally be allowed to transfer its know-how back to Huawei in China. What becomes of the lab, which the Journal reports has a budget of $16 million, is anyone’s guess.

These little policy actions are starting to add up though. While the administration at one point pulled the entire license for ZTE and nearly killed it, it seems to have now fallen into a pattern of just creating enough frictions in the market to make operating a Chinese company in the U.S. annoying and unprofitable. Which, with some deep irony, is exactly how the Chinese have blocked American companies for years.

Okay so what?

With the massive decline of Chinese investment in Silicon Valley and further export restrictions, it is clear that the Trump administration wants to sever any link between the two countries in the technology industry. While it is still early, it is clear that they have been pretty clearly successful, no doubt helped by the retrenchment of the Chinese economy as growth has slowed on the mainland .

For founders in the U.S., the complications and tough choices have actually declined substantially. A certain universe of LPs and VCs have left the market, and the Chinese market is pretty clearly marked off-limits and is probably best ignored for the time being. The toughest questions might be around partnership deals with the likes of Tencent, but those have not been as heavily targeted by authorities so far. So the China story may well disappear in the coming months as the two countries head in their own directions.

Share your feedback on your startup’s attorney

My colleague Eric Eldon and I are reaching out to startup founders and execs about their experiences with their attorneys. Our goal is to identify the leading lights of the industry and help spark discussions around best practices. If you have an attorney you thought did a fantastic job for your startup, let us know using this short Google Forms survey and also spread the word. We will share the results and more in the coming weeks.

What’s next & obsessions

I’m continuing to explore this theme/thesis of (societal) resilience tech that I discussed yesterday. Lots of you gave feedback on the idea and further avenues to explore.

I want to specifically thank a reader named Beau, who sent me multiple paragraphs, a dozen book recommendations, and a whole list of articles on the subject to get me up to speed. I super appreciate the thoughtfulness, and look forward to sharing more of that list in the coming days.

I love hearing from readers, so if you have thoughts, opinions, articles or books, share them with me: danny@techcrunch.com.

Reading docket

What I’m reading (or at least, trying to read)

• The Planet Remade by Oliver Morton and Networks of New York by Ingrid Burrington.

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here:

1. Microsoft Bing not only shows child pornography, it suggests it

A TechCrunch-commissioned report has found damning evidence on Microsoft’s search engine. Our findings show a massive failure on Microsoft’s part to adequately police its Bing search engine and to prevent its suggested searches and images from assisting pedophiles.

2. Unity pulls nuclear option on cloud gaming startup Improbable, terminating game engine license

Unity, the widely popular gaming engine, has pulled the rug out from underneath U.K.-based cloud gaming startup Improbable and revoked its license — effectively shutting them out from a top customer source. The conflict arose after Unity claimed Improbable broke the company’s Terms of Service and distributed Unity software on the cloud.

3. Improbable and Epic Games establish $25M fund to help devs move to ‘more open engines’ after Unity debacle

Just when you thought things were going south for Improbable the company inked a late-night deal with Unity competitor Epic Games to establish a fund geared toward open gaming engines. This begs the question of how Unity and Improbable’s relationship managed to sour so quickly after this public debacle.

4. The next phase of WeChat 

WeChat boasts more than 1 billion daily active users, but user growth is starting to hit a plateau. That’s been expected for some time, but it is forcing the Chinese juggernaut to build new features to generate more time spent on the app to maintain growth.

5. Bungie takes back its Destiny and departs from Activision 

The creator behind games like Halo and Destiny is splitting from its publisher Activision to go its own way. This is good news for gamers, as Bungie will no longer be under the strict deadlines of a big gaming studio that plagued the launch of Destiny and its sequel.

6. Another server security lapse at NASA exposed staff and project data

The leaking server was — ironically — a bug-reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password.

7. Is Samsung getting serious about robotics? 

This week Samsung made a surprise announcement during its CES press conference and unveiled three new consumer and retail robots and a wearable exoskeleton. It was a pretty massive reveal, but the company’s look-but-don’t-touch approach raised far more questions than it answered.

Tor, the open source initiative which provides a more secure way to access the internet, is continuing to diversify its funding away from its long-standing reliance on U.S. government grants.

The Tor Foundation — the organization behind the service which stands for ‘The Onion Router’ — announced this week that it brought in a record $460,000 from individual donors in 2018. In addition, recently released financial information shows it raised a record $4.13 million from all sources in 2017 thanks to a growth in non-U.S. government donors.

The individual donation push represents an increase on the $400,000 it raised in 2017. A large part of that is down to Tor ally Mozilla, which once again pledged to match donations in the closing months of the year, while an anonymous individual matched all new backers who pledged up to $20,000.

Overall, the foundation said that it attracted donations from 115 countries worldwide in 2018 which reflects its importance outside of the U.S.

The record donation haul comes weeks after the Tor Foundation quietly revealed its latest financials — for 2017 — which show it has lessened its dependence on U.S. government sources. That’s been a key goal for some time, particularly after allegations that the FBI paid Carnegie Mellon researchers to help crack Tor, which served as a major motivation for the introduction of fundraising drives in 2015.

Back in 2015, U.S. government sources accounted for 80-90 percent of its financial backing, but that fell to just over 50 percent in 2017. The addition of a Swedish government agency, which provided $600,000, helped on that front as well as corporate donations from Mozilla ($520,000) and DuckDuckGo ($25,000), more than $400,000 from a range of private foundations, and, of course, those donations from individuals.

Tor is best known for being used by NSA whistleblower Edward Snowden but, with governments across the world cracking down on the internet, it is a resource that’s increasingly necessary if we are to guard the world’s right to a free internet.

Tor has certainly been busy making its technology more accessible over the last year.

It launched its first official mobile browser for Android in September and the same month it released TorBrowser 8.0, its most usable browser yet which is based on Firefox’s 2017 Quantum structure. It is also worked closely with Mozilla to bring Tor into Firefox itself as it has already done with Brave, a browser firm led by former Mozilla CEO Brendan Eich.

Beyond the browser and the Tor network itself, which is designed to minimize the potential for network surveillance, the organization also develops a range of other projects. More than two million people are estimated to use Tor, according to data from the organization.

In a government shutdown, everything deemed non-essential stops. As we found out, renewing the certificates on its websites is considered non-essential.

Several government sites are currently inaccessible or blocked by most browsers after their HTTPS certificate expired. With nobody available to renew them during the government shutdown, these sites are kicking back warning errors.

According to Netcraft, a U.K.-based internet security services company, many government domains can’t be accessed until someone fixes the certificates. Some sites, like one Justice Department subdomain, are at the time of writing completely inaccessible because the domain is included in Chrome’s HSTS preload list, used by browsers to force browsers into using HTTPS only when accessing pages on the domain.

Others, like this NASA page and one U.S. Courts website, however, aren’t using HSTS and are still accessible via an interstitial warning.

So what’s happening?

Every time your browser lights up with “HTTPS” in green or flashes a padlock, it’s a TLS certificate encrypting the connection between your computer and the website, ensuring nobody can intercept and steal your data or modify the website. But TLS certificates are notoriously delicate things. When a certificate expires — a common mistake as people often forget to renew them. Depending on the security level, most websites will kick back browser errors while other sites won’t let you in at all until the expired certificate is renewed.

Except in this case, they can’t — because there’s nobody there to buy and install a new certificate.

As it stands, it’s the responsibility of each department and agency to renew the certificate for their own domain. Depending on how many workers have been furloughed and sent home in each agency, renewing a certificate might not be a top priority when they’re short staffed and overworked already.

There is some good news.

Most major government websites aren’t down or likely to go down any time soon. Most government certificates aren’t set to expire for many more months. Also, any government website hosted on cloud.gov, search.gov, or federalist.18f.gov won’t get certificate errors as these domains automatically renew their certificates every three months with Let’s Encrypt.

Until the government opens up again, don’t expect these websites until then. But depending on how long this shutdown lasts, you can certainly expect things to get a lot worse.

Xiaomi, the Chinese company best known for budget phones, is betting big on a future of connected homes. It plans to plough at least 100 billion yuan, or $1.48 billion, into the so-called “AIoT” sector over the next five years, founder and chief operating office Lei Jun announced on Friday.

AIoT, short for “AI + IoT,” is an upgrade from devices connected to the internet, known as the Internet of Things. AIoTs are intelligent, run on automated systems and can learn from users’ habits, like lights that automatically turn on when you get home.

“We see a future where all home devices will be connected to the internet and controlled by voice. A wave of home appliances will be replaced by smart devices. There will be an AIoT network that infiltrates every second and scenario of people’s lives, collecting mountains of users, traffic and data,” said Lei in his annual address to employees.

The plan is to get all sorts of gadgets, not just handsets, onto Xiaomi’s operating system so the company can hawk services through these devices. The move comes as Xiaomi, the world’s fourth-largest smartphone vendor, copes a weakening market. Smartphone shipments in China were down more than 15 percent year-over-year in 2018, according to a government-backed research institute.

Phones remain strategically important to Xiaomi as it looks to lower-end phones for growth. On Thursday, the company announced it has split up (not spin out) its budget phone brand, Redmi, in hope of launching “red rice” — what Redmi means in Chinese — to Xiaomi’s “little rice” stardom. The strategy is similar to how Huawei operates sub-brand Honor for its line of cheaper phones.

Xiaomi’s new billion-dollar pledge is a continuation of a plan in 2013 to back 100 startups over the course of five years. These portfolio companies, in turn, helped make Xiaomi products, which now count 132 million total devices among which 20 million are active daily. Meanwhile, Xiaomi’s voice assistant Xiao Ai has hit 100 million installs.

These gadgets, along with an assortment of lifestyle products like suitcases and umbrellas, became the largest revenue driver for Xiaomi in the second quarter of last year, the company’s earnings report shows.

Xiaomi is in a land grab with other Chinese tech giants like Baidu to enter people’s homes. It’s becoming something akin to a department store, but it can’t make everything itself. Recently, the giant made a big push in TVs through a partnership with a veteran Chinese home appliance manufacturer. It’s also teamed up with IKEA on a 100 million yuan ($14.8 million) fund for third-party developers, which will enrich Xiaomi’s inventory as consumers in China may soon be able to buy many Xiaomi-powered furniture from the Swedish retailer.

Two months ago, NASA quietly fixed a buggy internal server that was leaking sensitive information about the agency’s staff and their work.

The leaking server was — ironically — a bug reporting server, running the popular Jira bug triaging and tracking software. In NASA’s case, the software wasn’t properly configured, allowing anyone to access the server without a password, Avinash Jain, an India-based security researcher who found the exposed server, told TechCrunch.

According to Jain’s writeup, some Jira instances can be misconfigured to allow “everyone” access without a password — including anyone on the internet — and not “everyone” within an organization, as some believe.

This was the case for NASA’s leaking server.

Jain found the leaking server in October exposing NASA staff usernames and email addresses and the projects they were working on. Because Jira contains information about bugs and issues within an organization, including works in progress, the server was also gave up what agency staff are working on and their upcoming milestones.

It’s not known if any classified information was on the Jira server, such as names or details of sensitive projects. Jain also said it’s not clear how how many NASA staff users were in the database as Jira limits searches to 1,000 queries at a time.

After he contacted NASA and CERT/CC, the vulnerability disclosure center at Carnegie Mellon University, the exposed server was fixed some three weeks later, he said.

NASA never responded to his private disclosure.

Although NASA has a page on HackerOne, a vulnerability reporting program, allowing researchers to email NASA of security issues, the agency doesn’t have a dedicated bug bounty program.

“I dropped [NASA] around five emails before it was fixed, and I was never informed that it was fixed,” he told TechCrunch.

CERT/CC latest expressed its “appreciation” for Jain privately reporting the bug.

This latest server lapse is yet another bruise for the U.S. space agency’s security posture — the fourth known incident this decade, after over a dozen hacks in 2011 alone and another sensitive data breach in 2016.

The latest breach was just before Christmas, in which the agency reported a data compromise affecting current and former NASA employees between July 2006 to October 2018. But CERT/CC told Jain in an email that there was “no evidence” his finding was related to NASA’s latest breach disclosure.

NASA was unable to comment during the government shutdown, according to an automated message on the agency’s press line.

The Fortnite community may be polite, but that doesn’t mean they’re getting the customer service they deserve. The Better Business Bureau gave Fortnite maker Epic Games an “F,” the lowest possible grade.

The Better Business Bureau, which is not a government agency but rather a national network of nonprofits that measures how well businesses handle dispute resolution and relays that information to customers, says that 247 of 271 BBB complaints filed in the last year have gone unanswered by Epic.

An Epic spokesperson told Kotaku that “Epic Games is not affiliated with the Better Business Bureau and has redirected all player submitted complaints from the BBB to our Player Support staff.”

Kotaku points out that the BBB isn’t necessarily above reproach. TIME reported in 2013 that the one branch of the BBB based in Los Angeles had been involved in a pay-to-play scheme:

While the BBB offers consumers many services—lists of popular scams to watch out for and such—the organization’s mission isn’t to have your back. From top to bottom, the BBB is funded by the annual dues paid by businesses it anoints with “accreditation,” which allows the companies to put those iconic BBB stamps of approval on their storefronts and websites. This fact raises obvious questions about an inherent conflict of interest: The organization’s customers are businesses, not taxpayers or consumers. How can the BBB serve as an honest broker between businesses and consumers when it is fully funded by one of these parties? Many argue that it cannot — that there’s a natural incentive to paint its paying clients in the best possible light.

Epic Games is not accredited with the Better Business Bureau.

Here’s what the BBB had to say about its rating for Epic Games:

Epic Games is the creator of a number of well-known games that have a global following; in addition to Fortnite and Infinity Blade, they make Unreal, Gears of War, and Shadow Complex. The company has grown significantly in the past twelve months, and their most popular game, Fortnite, currently boasts more than 6 million followers on Twitter. A majority of complaints submitted to BBB against Epic Games deal with customer service and refund or exchange issues. One complainant wrote, “Epic Games failed to protect customer security, resulting in several unsanctioned charges over mine and my partner’s account.” Another complainant added that, “There is no phone number or proper email response time to return my unauthorized charge of $160. Nobody will answer, and I feel cheated.”

Epic has also had issues with account hacking on Fortnite, which has led the company to incentivize two-factor authentication on accounts by offering a special emote.

Though we are moving to an increasingly digital age, with email, Twitter and live-chat customer service growing more prevalent, there are certain instances where customers may feel they need to speak to another human being about their issue. Account hacking and unauthorized charges are two such situations, and the Epic Games support page doesn’t list a phone number, but rather asks customers to look up their question within a support FAQ or email.

We reached out to Epic Games but haven’t heard back.

Amazon’s Dash buttons have been found to breach consumer ecommerce rules in Germany.

The push-to-order gizmos were debuted by Amazon in 2015, in an attempt by the ecommerce giant to shave friction off of the online shopping process by encouraging consumers to fill their homes with stick-on, account-linked buttons that trigger product-specific staple purchases when pressed — from washing powder to toilet roll to cat food.

Germany was among the first international markets where Amazon launched Dash, in 2016, along with the UK and Austria. But yesterday a higher state court in Munich ruled the system does not provide consumers with sufficient information about a purchase.

The judgement follows a legal challenge by a regional consumer watchdog, Verbraucherzentrale NRW, which objects to the terms Amazon operates with Dash.

It complains that Amazon’s terms allow the company to substitute a product of a higher price or even a different product in place of what the consumer original selected for a Dash push purchase.

It argues consumers are also not provided with enough information on the purchase triggered when the button is pressed — which might be months after an original selection was made.

Dash buttons should carry a label stating that a paid purchase is triggered by a press, it believes.

The Munich court has now sided with the group’s view that Amazon does not provide sufficient information to Dash consumers, per Reuters.

In a press release following the ruling, Verbraucherzentrale NRW said the judges agreed Amazon should inform consumers about price and product before taking the order, rather than after the purchase as is currently the case.

It also expressed confidence the judgement leaves no room for Amazon to appeal — though the company has said it intends to do so.

Commenting on the ruling in a statement, Verbraucherzentrale NRW consumer bureau chief, Wolfgang Schuldzinski, said: “We are always open to innovation. But if innovation is to put consumers at a disadvantage and to make price comparisons more difficult, then we use all means against them, as in this case.”

Amazon did not reply to questions about how it intends to respond to the court ruling in the short term, such as whether it will withdraw the devices or change how Dash works in Germany.

Instead it emailed us the following statement, attributed to a spokesperson: “The decision is not only against innovation, it also prevents customers from making an informed choice for themselves about whether a service like Dash Button is a convenient way for them to shop. We are convinced the Dash Button and the corresponding app are in line with German legislation. Therefore, we’re going to appeal.”

Lisbon, characterized occasionally by some tech scene observers as ‘the warm Berlin’, has been threatening to generate more startups in the last few years, not least because it will now have the enormous Web Summit conference there for the next 10 years, and because it’s a cheap and great place to live. But the startups appearing have not quite been as numerous as many would like.

It’s therefore fantastic to see a new VC fund appearing in the city, set up by three experienced stalwarts of the scene.

Indico Capital Partners VC has now completed its first closing of €41M out of the €46M of commitments from investors from eight different countries. The fund will be aimed at Iberian early stage startups (that means Spain and Portugal), but of course those in particularly those based out of Portugal.

The fund says it will invest typically between €150,000 and €5M per portfolio company over their lifetime – pre-seed to series A, plus follow-on rounds. They say the first Indico investments have already been concluded and will be announced soon.

It’s far and away the first sizable, independent and private early-stage, tech-focused fund to be based in Lisbon and will focus on investments in B2B SaaS, Artificial Intelligence, Fintech and Cybersecurity to Marketplaces and B2C Platforms.

The fund comprises of three partners: Managing General Partner, Stephan Morais (former head of the leading corporate VC Caixa Capital), General Partner Ricardo Torgal (also former Caixa Capital senior investor) and Venture Partner Cristina Fonseca (co-founder and shareholder of Talkdesk).

Collectively the team has in the past invested in Farfetch, Unbabel, Codacy and many other success stories originating from Portugal over the past 6 years, in addition to Talkdesk itself.

The EIF (European Investment Fund), is the cornerstone investor of Indico, and has been joined by 20 other institutional and individual investors such as the IFD (Instituição Financeira de Desenvolvimento) through the Portugal Tech facility, Draper Esprit (a major global quoted VC fund based in the UK), pension funds, education and research institutions, wealth managers, high net worth individuals and many local and international tech entrepreneurs.

The fund is supported by InnovFin Equity, with the financial backing of the European Union under Horizon 2020 Financial Instruments and the European Funds for Strategic Investments (EFSI) set up under the Investment Plan for Europe.

Stephan Morais, Managing General Partner, said: “This is a milestone for the Portuguese ecosystem, we will keep on supporting the most promising Portuguese, and increasingly Iberian, early-stage tech startups, but now with an independent stable investment platform backed by a diversified global LP base.”

Ricardo Torgal, General Partner added that “VC is not hype, it’s about building a balanced portfolio and being there for the companies to help them grow to the next stage”.

Cristina Fonseca, Venture Partner, commented that “I have been backing many companies over the past few years as an angel investor and mentor, so it was an obvious decision to join the best investment team in the market with a solid track record. Early stage tech is where my heart is and this is a local nurturing activity before it becomes globally investable and scalable.”

VLC, the hugely popular media playing service, is filing one of its gaps with the addition of AirPlay support as its just crossed an incredible three billion users.

The new feature was revealed by Jean-Baptiste Kempf, one of the service’s lead developers, in an interview with Variety at CES and it will give users a chance to beam content from their Android or iOS device to an Apple TV. The addition, which is due in the upcoming version 4 of VLC, is the biggest new feature since the service added Chromecast support last summer.

But that’s not all that the dozen or so people on the VLC development team are working on.

In addition, Variety reports that VLC is preparing to add enable native support for VR content. Instead of SDKs, the team has reversed engineered popular hardware to offer features that will include the option to watch 2D content in a cinema-style environment. There are also plans to bring the service to more platforms, with VentureBeat reporting that the VLC team is eying PlayStation 4, Nintendo Switch and Roku devices.

VLC, which is managed by non-profit parent VideonLAN, racked up its 3 millionth download at CES, where it celebrated with the live ticker pictured above. The service reached one billion downloads back in May 2012, which represents incredible growth for a venture that began life as a project from Ecole Centrale Paris students in 1996.