Year: 2019

Did you know that Russia’s security services, particularly those related to hacking / information security, have been in the throes of vicious high-stakes infighting for years? Did you know that the perceived Russian doctrine which informed much Western analysis of Russian strategies never actually existed? Did you know that the Kremlin’s secrecy has built an entire cottage industry of largely-unfounded rumors and conspiracy theories based on the few tantalizing details which do leak?

OK, you probably knew that last part. Everyone, or at least everyone who calls a social-media stranger with whom they disagree a “Russian bot,” is a Russian conspiracy theorist nowadays. And of course the evidence of widespread malevolent Russian activity, ranging from assassinations to hacking to social-media bombing, is copious.

But exactly which Russian organizations are doing what, and why — that’s a lot harder to establish. I’m reminded of old Cold War spy novels in which Kremlinologists analyzed the few public appearances of Politburo members, wrongfully reading great significance into who stood where and when, because they had little else to go on. Just like those bad old days, our instinct nowadays is to treat “Russia” as a single, well-oiled, tightly-orchestrated malignant machine.

Of course it’s nothing of the sort. Instead it is a complex, seething, tiered morass of many figures and institutions, often incentivized against one another, in a time of profound and rapid change. Today I attended a Black Hat talk by Kimberley Zenz, who opened with a plea for nuanced consideration of Russia and Russian activities. She’s right, of course, but sadly the Internet tends to be where nuance goes to die.

This nuance, though, is especially fascinating, the stuff of spy thrillers. In 2017 a slew of Russian intelligence officials and hackers — along with, inexplicably, Kaspersky Lab’s Head of Investigations — were suddenly arrested. One was “apparently forcibly removed from a meeting with fellow FSB officers — escorted out with a bag over his head” according to Stratfor. A case was eventually made against them for “high treason in favor of the United States.”

Four individuals were this year sentenced to up to 22 years in prison. (They are appealing.) Andrei Gerasimov, the longtime director of Russia’s Information Security Center, “a shadowy unit … thought to be Russia’s largest inspectorate when it comes to domestic and foreign cyber capabilities, including hacking,” resigned a week after this case emerged.

Stratfor again: ‘Because the charges are treason, the case is considered “classified” by the state, meaning no official explanation or evidence will be released.’ From this fog of secrecy, half a dozen different rumors and theories have emanated. Are the charges entirely trumped-up to eliminate rivals? Did someone leak to the US to attack their rivals, only to see this backfire spectacularly? Did the FSB turn a hacking group which then discovered something they really shouldn’t have about a powerful oligarch? Who can say?

Of course another conspiracy theory is the nuance-free “well-oiled malignant machine” one, in which this case is just an instance of said machine expelling a bit of grit from its innards. It’s remarkable how common this “monolithic Russian single-voiced hive-mind” analysis has become. Here’s Politico, for instance, after the above scandal broke: “Lately, Russia appears to be coming at the United States from all kinds of contradictory angles … Confused? Only if you don’t understand the Gerasimov Doctrine.”

That doctrine — named after General Valery Gerasimov, please note, not repeat not the now-disgraced former-FSB-director Andrei Gerasimov mentioned above — is used there to explain away all Russian activity, even that which appears self-contradictory, as a deliberately bewildering diversity of tactics used to “achieve an environment of permanent unrest and conflict within an enemy state.” It was cited yesterday in another Black Hat talk, which I was so unimpressed by I’ll diplomatically refrain from discussing further. It is consistently cited by Russian policy analysts to this day.

But the problem with the Gerasimov Doctrine as a cornerstone of modern Kremlinology is that — according to the very person who coined the term! — it never actually existed. (Ironically it stems from a conspiracy theory on General Gerasimov’s part: that the CIA instigated the Arab Spring.) Instead, rather than a campaign informed by a unifying doctrine, Russian activity is

largely opportunistic, fragmented, even sometimes contradictory. Some major operations are coordinated, largely through the presidential administration, but most are not. Rather, operations are conceived and generally carried out by a bewildering array of “political entrepreneurs” hoping that their success will win them the Kremlin’s favor

That sounds like an awfully important distinction to make, and it leads to the most interesting thing (to me) about Ms. Zenz’s talk; her mention that “the Russian government considers Russian cybercriminals to be a strategic asset,” and that one side effect of this treason case is that it has greatly chilled information sharing and cooperation between Russia and the West regarding online threats.

Does this strategic status in turn mean that Russian hackers are likely to be government operatives, and/or Russian infosec companies in bed with their government? I am no Kremlinologist, but it seems to me more that the very question is wrong and should be unasked. Rather, the relatively sharp differences between “private sector,” “government,” and “criminal,” defined in nations with a strong rule of law, don’t really exist in a nation like modern Russia where those distinctions can, and often do, blur together.

Facebook is facing exposure to billions of dollars in potential damages as a federal appeals court on Thursday rejected Facebook’s arguments to halt a class action lawsuit claiming it illegally collected and stored the biometric data of millions of users.

The class action lawsuit has been working its way through the courts since 2015, when Illinois Facebook users sued the company for alleged violations of the state’s Biometric Information Privacy Act by automatically collecting and identifying people in photographs posted to the service.

Now, thanks to an unanimous decision from the 9th U.S. Circuit Court of Appeals in San Francisco, the lawsuit can proceed.

The most significant language from the decision from the circuit court seems to be this:

 We conclude that the development of face template using facial-recognition technology without consent (as alleged here) invades an individual’s private affairs and concrete interests. Similar conduct is actionable at common law.

The American Civil Liberties Union came out in favor of the court’s ruling.

“This decision is a strong recognition of the dangers of unfettered use of face surveillance technology,” said Nathan Freed Wessler, staff attorney with the ACLU Speech, Privacy, and Technology Project, in a statement. “The capability to instantaneously identify and track people based on their faces raises chilling potential for privacy violations at an unprecedented scale. Both corporations and the government are now on notice that this technology poses unique risks to people’s privacy and safety.”

As April Glaser noted in “Slate”, Facebook already may have the world’s largest database of faces, and that’s something that should concern regulators and privacy advocates.

“Facebook wants to be able to certify identity in a variety of areas of life just as it has been trying to corner the market on identify verification on the web,” Siva Vaidhyanathan told Slate in an interview. “The payoff for Facebook is to have a bigger and broader sense of everybody’s preferences, both individually and collectively. That helps it not only target ads but target and develop services, too.”

That could apply to facial recognition technologies as well. Facebook, thankfully, doesn’t sell its facial recognition data to other people, but it does allow companies to use its data to target certain populations. It also allows people to use its information for research and to develop new services that could target Facebooks billion-strong population of users.

As our own Josh Constine noted in an article about the company’s planned cryptocurrency wallet, the developer community poses as much of a risk to how Facebook’s products and services are used and abused as Facebook itself.

Facebook has said that it plans to appeal the decision. “We have always disclosed our use of face recognition technology and that people can turn it on or off at any time,” a spokesman said in an email to “Reuters”.

Now, the lawsuit will go back to the court of U.S. District Judge James Donato in San Francisco who approved the class action lawsuit last April for a possible trial.

Under the privacy law in Illinois, negligent violations could be subject to damages of up to $1,000 and intentional violations of privacy are subject to up to $5,000 in penalties. For the potential 7 million Facebook users that could be included in the lawsuit those figures could amount to real money.

“BIPA’s innovative protections for biometric information are now enforceable in federal court,” added Rebecca Glenberg, senior staff attorney at the ACLU of Illinois. “If a corporation violates a statute by taking your personal information without your consent, you do not have to wait until your data is stolen or misused to go to court. As our General Assembly understood when it enacted BIPA, a strong enforcement mechanism is crucial to hold companies accountable when they violate our privacy laws. Corporations that misuse Illinoisans sensitive biometric data now do so at their own peril.”

These civil damages could come on top of fines that Facebook has already paid to the U.S. government for violating its agreement with the Federal Trade Commission over its handling of private user data. That resulted in one of the single largest penalties levied against a U.S. technology company. Facebook is potentially on the hook for a $5 billion payout to the U.S. government. That penalty is still subject to approval by the Justice Department.

Glow is a new startup that says it wants to help podcasters build media business.

That’s something co-founder and CEO Amira Valliani said she tried to do herself. After a career that included working in the Obama White House and getting an MBA from Wharton, she launched a podcast covering local elections in Cambridge, Mass., and she said that after the initial six episodes, she struggled to find a sustainable business model.

Valliani (pictured above with her co-founder and chief product officer Brian Elieson) recalled thinking, “Well, I got this one grant and I’d love to do more, but I need to figure out a way to pay for it.” She realized that advertising didn’t make sense, but when a listener expressed interest in paying her directly, none of the existing platforms made it easy.

“I just couldn’t figure it out,” she said. “I felt an acute need, and I thought, ‘Are there other people out there there who haven’t been able to figure out how to do it, because the lift is just too high?'”

That’s the need Glow tries to address with its first product — allowing podcasters to create paid subscriptions . To do that, podcasters create a subscription page on the Glow site, where they can accept payments and then allow listeners to access paywalled content from the podcast app of their choice.

Glow started testing the product with the startup-focused podcast Acquired, which is now bringing in $35,000 in subscription fees through Glow. More recently, it’s signed up the Techmeme Ride Home, Twenty Thousand Hertz, The Newsworthy and others.

When asked about the broader landscape of podcast startups (including several that support paid subscriptions), Valliani said there are three main problems that podcasters face: Hosting, monetization and distribution.

Hosting, she said, is “largely a solved problem,” so Glow is starting out by trying to “solve for monetization through the direct relationship with listener.” Eventually, it could move into distribution, though that doesn’t mean launching a Glow podcast app: “For us, we think distribution means helping podcasts grow their audience.”

The startup announced today that it has raised $2.3 million in seed funding. The round was led by Greycroft, with participation from Norwest Venture Partners, PSL Ventures, WndrCo and Revolution’s Rise of the Rest Seed Fund, as well as individuals investors including Nas and Electronic Arts CTO Ken Moss.

“Our first hire after this funding round will be someone focused on podcast success,” Valliani said. “Of course, we’re going to build the product [but we’re] doubling down on this market; we better make sure that [podcasters] are prepared to launch programs that are as successful as possible.”

The Hyundai Nexo, a hydrogen fuel cell SUV first unveiled at CES 2018, has earned a top safety award from the Insurance Institute for Highway Safety.

The award, announced Thursday, marks two firsts. The Nexo is the first fuel cell vehicle to earn IIHS’s top safety award. Then again, it’s also the first fuel cell vehicle IIHS has ever tested.

The top safety pick+ award is for 2019 Hyundai Nexo vehicles built after June 2019, when the automaker adjusted the headlights to provide better visibility through curves. Any Nexo vehicles produced prior to June still get high marks, but fall short of the top award. Instead, they qualify for IIHS’ second-tier top safety award. The Nexo joins other 2019 Hyundai and Kia vehicles to earn top safety pick+ awards, including the Hyundai Elantra, Kia Niro hybrid and Kia Soul.

The market for the Nexo is small right now. Within the U.S., the new vehicle, which has a base price of $58,300, is only sold in California. Deliveries of the vehicle to California residents began in December 2018. The vehicle has been available to customers in Korea since early 2018.

Normally, such a limited vehicle wouldn’t be included in IIHS’s routine test schedule, the organization said. Hyundai nominated the vehicle for testing. IIHS says it ended up benefitting too because it gave the organization an early opportunity to evaluate a hydrogen fuel cell vehicle.

Earning this top safety pick+ award isn’t easy. A vehicle has to earn good ratings in the driver-side small overlap front, passenger-side small overlap front, moderate overlap front, side, roof strength and head restraint tests. It also needs an advanced or superior rating for front crash prevention and a good headlight rating.

The Nexo, a midsize luxury SUV, has good ratings in all six crashworthiness tests, IIHS said. The Nexo’s standard front crash prevention system earned a superior rating. The vehicle avoided collisions in 12 mph and 25 mph track tests and has a forward collision warning system that meets National Highway Traffic Safety Administration criteria, according to IIHS.

The Nexo could someday become more common, and even used in fleets. Self-driving vehicle startup Aurora has been working with Hyundai and Kia for the last year to integrate its “Driver” into Hyundai’s Nexo.

Uber disclosed earnings for the second time since becoming a public company, reporting revenues of $3.16 billion on losses of $5.2 billion for the second quarter of 2019.

Uber (NYSE: UBER) closed up more than 9% Thursday at $42.98 per share, just below its $45 IPO price, but took a nose dive more than 11% on the news.

$5.2 billion in net losses represents the company’s largest-ever quarterly loss. Revenue, for its part, is up only 14% year-over-year. The company says a majority of 2Q losses are a result of stock-based compensation expenses for employees following its May IPO.

“While we will continue to invest aggressively in growth, we also want it to be healthy growth, and this quarter we made good progress in that direction,” Uber chief financial officer Nelson Chai said in the earnings document.

Uber’s had a rough few months since making the leaps to the public markets. The stock has tumbled as the business finds it footing. Recently, Uber announced it was laying off one-third of its 1,200-person strong marketing department in an effort to slash costs and make operations more efficient.News of Uber’s piling losses comes one day after its key U.S. competitor, Lyft, beat on revenue with $867 million for the quarter on net losses of $644 million. That’s up from $505 million in revenue in Q2 2018 on losses of $179 million. Lyft closed up 3% Thursday at $62 per share. The company’s stock sunk in after-hours trading Wednesday after it announced the IPO lockup period would end more than a month early.

Uber Eats “monthly active platform consumers,” or MAPCs, grey 140% YoY, Uber said. The company now works with 320,000 restaurants.

This story is updating.

Apple is finally giving security researchers something they’ve wanted for years: a macOS bug bounty.

The technology giant said Thursday it will roll out the bug bounty program to include Macs and MacBooks, as well as Apple TV and Apple Watch, almost exactly three years after it debuted its bug bounty program for iOS.

The idea is simple: you find a vulnerability, you disclose it to Apple, they fix it — and in return you get a cash payout. These programs are wildly popular in the tech industry as it helps to fund security researchers in exchange for serious security flaws that could otherwise be used by malicious actors, and also helps fill the void of bug finders selling their vulnerabilities to exploit brokers, and on the black market, who might abuse the flaws to conduct surveillance.

But Apple had dragged its feet on rolling out a bug bounty to its range of computers. Some security researchers had flat-out refused to report security flaws to Apple in absence of a bug bounty.

At the Black Hat conference in Las Vegas, head of security engineering and architecture Ivan Krstić announced the program to run alongside its existing iOS bug bounty.

Patrick Wardle, a security expert and principle security researcher at Jamf, said the move was a “no brainer.”

Wardle has found several major security vulnerabilities and dropped zero-days — details of flaws published without allowing the companies a chance to fix — citing the lack of a macOS bug bounty. He has long criticized Apple for not having a bug bounty, accusing the company of leaving a void open for security researchers to sell their flaws to exploit brokers who often use the vulnerabilities for nefarious reasons.

“Granted, they hired many incredible talented researchers and security professionals — but still never really had a transparent mutually beneficial relationship with external independent researchers,” said Wardle.

“Sure this is a win for Apple, but ultimately this a huge win for Apple’s end users,” he added.

Apple said it will open its bug bounty program to all researchers and increase the size of the bounty from the current maximum of $200,000 per exploit to $1 million for a zero-click, full chain kernel code execution attack with persistence — in other words, if an attacker can gain complete control of a phone without any user interaction and simply by knowing a target’s phone number.

Apple also said that any researcher who finds a vulnerability in pre-release builds that’s reported before general release will qualify for up to 50% bonus on top of the category of vulnerability they discover.

The bug bounty programs will be available to all security researchers beginning later this year.

The company also confirmed a Forbes report, published earlier this week, saying it will give a number of “dev” iPhones to vetted and trusted security researchers and hackers under the new iOS Security Research Device Program. These devices are special devices that give the hackers greater access to the underlying software and operating system to help them find vulnerabilities typically locked away from other security researchers — such as secure shell.

Apple said that it hopes expanding its bug bounty program will encourage more researchers to privately disclose security flaws, which will help to increase the protection of its customers.

Read more:
Apple restricts ads and third-party trackers in iPhone apps for kids
New book looks inside Apple’s legal fight with the FBI
Apple has pushed a silent Mac update to remove hidden Zoom web server
Many popular iPhone apps secretly record your screen without asking
Apple rebukes Australia’s ‘dangerously ambiguous’ anti-encryption bill
Apple Card will make credit card fraud a lot more difficult

I’m a big instant camera fan, but the film is expensive and the digital printers just aren’t very good. So I was delighted to see this alternative seeking funds on Kickstarter: the Alulu camera, which prints photos in black and white on receipt paper. Why did no one do this before?

The idea is so simple that you’ve already gotten it — no explanation necessary, but since explaining things is my job I am going to do so anyway.

The Alulu is an idea incubated by three friends as they left college, each heading their separate directions but looking to take a shot at making this cool gadget a reality before doing so. Right now it only exists in prototype form (they only thought it up in May), but it works more or less as intended, and it’s as silly and fun as I wanted it to be; I got to test one out, as it happened that one of the team members happened to live in my neighborhood.

The camera is a little box about the size of a fat point-and-shoot, with charming little dials on the top to select exposure mode or a 10-second timer if you want it, and a shutter button that’s hard to miss. On the side is the charge port and a button to advance the paper. And the back has a little frame that flips out and helps you set up your shot — very loosely, I hardly need add.

Inside the 3D-printed, acrylic-plated exterior, the guts of the camera are simple. An off-the-shelf camera stack that does all the hard work of actually taking a picture — but don’t worry about the megapixels, because they don’t matter here. The camera sends its signal to a custom board that prepares and optimizes the image for black-and-white printing.

To be clear, we’re talking black and white, not shades of grey. The printer inside the camera is a standard receipt printer, which uses heat-activated ink that’s either transparent or black and nothing in between. You feed paper in via a little chamber on the bottom.

Thankfully creating the appearance of shading in 1-bit imagery is old hat for computer graphics, and an algorithm dithers and tweaks the picture so that more or fewer dots in various patterns create the illusion of a wider palette.

The results are… well, photos printed on receipt paper. Let’s keep our expectations in line. But they’re instantly printed (with a little stutter like a dot matrix printer) and charming little artifacts indeed. You can even use receipts you’re given at stores or restaurants, if they fit, and you can always fold it over a bit if it’s too large.

(By the way, if you’re worried about being poisoned by receipt paper, don’t be. The stuff with high BPA content was generally phased out a while back, and you can order non-poisonous rolls of paper easily and cheaply.)

I think this thing is great, though I’m afraid that the projected $99 retail price might be too high for what amounts to a novelty. The idea, I was told, was to drive the price down with mass manufacturing, but until they do so they want to be honest about the cost of the parts (the printer itself is the most expensive piece, but like everything else the price goes down when you order a thousand or more).

Whether it makes it to the factory or not, I think the Alulu is a great idea. We need more weird, one-off devices in this world of ours where every function seems to devolve to the smartphone — and I’m tired of my phone! Plus, it can’t print on receipt paper.

The Alulu is currently looking for backers on Kickstarter. Go give it a pledge.

One of the more interesting news tidbits from yesterday’s Unpacked event got a bit drowned out in all of the noise. Understandably so — Samsung jammed a lot into an event that ran just over an hour, virtually sprinting through a handful of gaming announcements.

The below video is the best demonstration we have of PlayGalaxy Link, a new feature that makes it possible to stream games directly from a PC to the Galaxy Note 10. Why the company didn’t make a bigger deal of the feature is beyond me, but in an area when Apple and Google are really starting to get involved in gaming in earnest, Samsung really ought to have shone a bigger like light on the new offering.

From the sound of it, the feature will offer similarly to one that Microsoft has been working on for the Xbox, letting users stream games from their PC onto the mobile device, whether or not they’re on a shared WiFi.

The video showcases the connection, as a user links a Samsung Odyssey gaming laptop to a Note nestled inside a gamepad controller. Things are initiated by signing in on the desktop, opening the PlayGalaxy Link app on the Note and clicking “Start.” In the video, at least, game play happens simultaneously on both machines.

PlayGalaxy is Samsung’s latest shot at getting more heavily involved in mobile gaming, arriving on the heels of the Apple Arcade and Google Stadia announcements. And while the new Note offers a number of hardware features optimized for gaming, it does appear that, as with Microsoft and Google’s offering, the PC is doing the heavy lifting here.

The offering seems to be linked to Samsung’s recently announced partnership with Microsoft — itself a clear shot across the bow against Apple’s ecosystem offering. There are still a lot of questions here, including how bad that lag is going to be. More coming soon, no doubt. 

Following many months of pressure, DoorDash, one of the most frequently used food delivery apps in the U.S., said late last month that it was finally changing its tipping policy to pass 100% of tips along to workers, rather than employ some of that money toward defraying its own costs.

The move was a step in the right direction, but as a New York Times piece recently underscored, there are many remaining challenges for food delivery couriers, including not knowing where a delivery is going until a worker picks it up (Uber Eats), having just seconds to decide whether or not to accept an order (Postmates), and not being guaranteed a minimum wage (Deliveroo), not to mention the threat of delivery robots taking their jobs.

It’s a big enough problem that a young, nine-person startup called Dumpling has decided to tackle it directly. Its big idea: turn today’s delivery workers into “solopreneurs” who build their own book of clients and keep much more of the money changing hands. It newly has $3 million in backing from two venture firms that know the gig economy well, too: Floodgate, an early investor in Lyft (firm cofounder Ann Miura-Ko is on Lyft’s board), and Fuel Capital, where TaskRabbit founder Leah Busque is now a general partner.

We talked with Dumpling’s cofounders and co-CEOs earlier this week to learn more about the company and how viable it might be. Nate D’Anna spent eight years as a director of corporate development at Cisco; Joel Shapiro spent more than 13 years with National Instruments, where he held a variety of roles, including as a marketing director focused on emerging markets.

National Instruments, based in Austin, is also where Shapiro and D’Anna first met back in 2002. Our chat, edited lightly for length, follows:

TC: You started working together out of college. What prompted you to come together to start Dumpling?

JS: We’d stayed good friends as we’d done different things with our careers, but we were both seeing rising inequality happening at companies and within their workforces, and we were both interested in using our [respective] background and experiences to try and make a difference.

ND: When we were first started, Dumpling wasn’t a platform for people to start their own business. It was a place for people to voice opinions — kind of like a Glassdoor for workers with hourly jobs, including in retail. What jumped out at us was how many gig workers began using the platform to talk about the horrible ways they were being treated, not having a traditional boss and not being protected by traditional policies.

TC: At what point did you think you were onto a separate opportunity?

ND: We knew that a mission-driven company that’s trying to do good by people who’ve been exploited by Silicon Valley companies has to be profitable. I was an investor at Cisco, and I was very clear that the money side has to work.  So we started talking with gig workers and we asked, ‘Why are you working for a terrible company where you’re getting injured, where you’re getting penalized for not taking the next job?’ And the response was money. It was, “I need to be able to buy these groceries and I don’t want to put them on my own credit card.” That was an epiphany for us. If the biggest paint point to running these businesses is working capital and we can solve that — if business owners will pay for access to capital and for tools that help them run their business — that clicked for us.

TC: A big part of your premise is that while gig economy companies have anonymized people as best they can, there’s a meaningful segment of services where a stranger or a robot isn’t going to work.

JS: Shoppers for gig companies often hear, ‘When you [specifically] come, it makes my day,” so our philosophy was to build a platform that supports the person. When you run a business and build a clientele that you get to know, you’re incentivized for that [client] to have a good experience. So we wondered, how do we provide tools for someone who has done personal shopping and is maybe a part of Facebook groups and mom groups and who not only needs fund to shop but also help with marketing and a website and training so they can promote their services to other people?

ND: We also realized that to be successful and to make business owners be successful that we needed to lower the transaction cost for them to find customers, so we created a marketplace where shoppers can look at reviews, understand different shoppers’ knowledge regarding when it comes to various specialties and stores, then help match them.

TC: How many shoppers are now running their own businesses on Dumpling and what do they get from you exactly?

JS: More than 500 across the country are operating in 37 states.  And we want to give then everything they need. A big part of that is capital, so we give [them] a credit card, then it’s effectively the operational support, including order management, customer relationship functionality, customer communication, a storefront, an app that they can use to run their business from their phone. . .

TC: What about insurance, tax help, that sort of stuff?

ND: A lot of VCs pushed us in that direction. The good news is a lot of companies are coming up to provide those ancillary services, and we’ll eventually partner with them if you want to export your data to Intuit or someone else. Right now, we’re really focused on [shoppers’] core business, helping then to operate it, to find customers, that’s our sweet spot for the immediate future.

TC: What are you charging? Who are you charging?

JS: A subscription model is an obvious way for us to go at some point, but right now, because we’re in the transaction flow, we’re taking a percentage of each transaction. The [solopreneuer] pays us $5 per transaction as a platform fee; the shopper pays us five percent atop the delivery fee set by the [person who is delivering their goods]. So if someone spends $100 on groceries, that customer pays us $5, and the shopper pays us $5 and the shopper gets that delivery fee, plus his or her tip.

The vast amount goes to the shopper, unlike with today’s model [wherein the vast majority goes to delivery companies]. Our average shopper is bringing home $32 in earnings per order, roughly three times as much as when they work for  other grocery delivery apps. I think that’s partly because we communicate to [shoppers] that they are supporting local businesses and local entrepreneurs and they are receiving an average tip of 17 percent on their orders. But also, when you know your shopper and that person gets to know your preferences, you’re much more comfortable ordering non-perishables, like produce picked the way you like. That leads to huge order sizes, which is another reason that average earnings are higher.

TC: You’re fronting the cost for groceries. Is that money coming from your venture funding? Do you have a debt facility?

ND: We don’t. The money moves so fast. The shoppers are using the card to shop, then getting the money back again, so the cycle time is quick. It’s two days, not six months.

TC: How does this whole thing scale? Are you collecting data that you hope will inform future products?

ND: We definitely want to use tech to empower [shoppers] instead of control them. But [our CTO and third cofounder Tom Schoellhammer] came from Google doing search there, and eventually we [expect to] recommend similar stores, or [extend into] beauty or pet other local services. Grocery delivery is one obvious place where the market is broken, but where you want a trusted person involved, and you’re in the flow when people are looking for something [the opportunity opens up]. Shoppers’ knowledge of their local operation zone can be leveraged much more.