Thursday, January 31, 2019

We dismantle Facebook’s memo defending its “Research”

Facebook published an internal memo today trying to minimize the morale damage of TechCrunch’s investigation that revealed it’d been paying people to suck in all their phone data. Obtained by Business Insider’s Rob Price, the memo from Facebook’s VP of production engineering and security Pedro Canahuati gives us more detail about exactly what data Facebook was trying to collect from teens and adults in the US and India. But it also tries to claim the program wasn’t secret, wasn’t spying, and that Facebook doesn’t see it as a violation of Apple’s policy against using its Enterprise Certificate system to distribute apps to non-employees — despite Apple punishing it for the violation.

Here we lay out the memo with section by section responses to Facebook’s claims challenging TechCrunch’s reporting. Our responses are in bold and we’ve added images.

Memo from Facebook VP Pedro Canahuati

APPLE ENTERPRISE CERTS REINSTATED

Early this morning, we received agreement from Apple to issue a new enterprise certificate; this has allowed us to produce new builds of our public and enterprise apps for use by employees and contractors. Because we have a few dozen apps to rebuild, we’re initially focusing on the most critical ones, prioritized by usage and importance: Facebook, Messenger, Workplace, Work Chat, Instagram, and Mobile Home.

New builds of these apps will soon be available and we’ll email all iOS users for detailed instructions on how to reinstall. We’ll also post to iOS FYI with full details.

Meanwhile, we’re expecting a follow-up article from the New York Times later today, so I wanted to share a bit more information and background on the situation.

What happened?

On Tuesday TechCrunch reported on our Facebook Research program. This is a market research program that helps us understand consumer behavior and trends to build better mobile products.

TechCrunch implied we hid the fact that this is by Facebook – we don’t. Participants have to download an app called Facebook Research App to be involved in the study. They also characterized this as “spying,” which we don’t agree with. People participated in this program with full knowledge that Facebook was sponsoring this research, and were paid for it. They could opt-out at any time. As we built this program, we specifically wanted to make sure we were as transparent as possible about what we were doing, what information we were gathering, and what it was for — see the screenshots below.

We used an app that we built ourselves, which wasn’t distributed via the App Store, to do this work. Instead it was side-loaded via our enterprise certificate. Apple has indicated that this broke their Terms of Service so disabled our enterprise certificates which allow us to install our own apps on devices outside of the official app store for internal dogfooding.

Author’s response: To start, “build better products” is a vague way of saying determining what’s popular and buying or building it. Facebook has used competitive analysis gathered by its similar Onavo Protect app and Facebook Research app for years to figure out what apps were gaining momentum and either bring them in or box them out. Onavo’s data is how Facebook knew WhatsApp was sending twice as many messages as Messenger, and that it should invest $19 billion to acquire it.

Facebook claims it didn’t hide the program, but it was never formally announced like every other Facebook product. There were no Facebook Help pages, blog posts, or support info from the company. It used intermediaries Applause (which owns uTest) and CentreCode (which owns Betabound) to run the program under names like Project Atlas and Project Kodiak. Users only found out Facebook was involved once they started the sign-up process and signed a non-disclosure agreement prohibiting them from discussing it publicly.

TechCrunch has reviewed communications indicating Facebook would threaten legal action if a user spoke publicly about being part of the Research program. While the program had run since 2016, it had never been reported on. We believe that these facts combined justify characterizing the program as “secret”.

The Facebook Research program was called Project Atlas until you signed up

How does this program work?

We partner with a couple of market research companies (Applause and CentreCode) to source and onboard candidates based in India and USA for this research project. Once people are onboarded through a generic registration page, they are informed that this research will be for Facebook and can decline to participate or opt out at any point. We rely on a 3rd party vendor for a number of reasons, including their ability to target a diverse and representative pool of participants. They use a generic initial Registration Page to avoid bias in the people who choose to participate.

After generic onboarding people are asked to download an app called the ‘Facebook Research App,’ which takes them through a consent flow that requires people to check boxes to confirm they understand what information will be collected. As mentioned above, we worked hard to make this as explicit and clear as possible.

This is part of a broader set of research programs we conduct. Asking users to allow us to collect data on their device usage is a highly efficient way of getting industry data from closed ecosystems, such as iOS and Android. We believe this is a valid method of market research.

Author’s response: Facebook claims it wasn’t “spying”, yet it never fully laid out the specific kinds of information it would collect. In some cases, descriptions of the app’s data collection power were included in merely a footnote. The program did not specify the data types gathered, only saying it would scoop up “which apps are on your phone, how and when you use them” and “information about your internet browsing activity”.

The parental consent form from Facebook and Applause lists none of the specific types of data collected or the extent of Facebook’s access. Under “Risks/Benefits”, the form states “There are no known risks associated with this project however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of Apps. You will be compensated by Applause for your child’s participation.” It gives parents no information about what data their kids are giving up.

Facebook claims it uses third-parties to target a diverse pool of participants. Yet Facebook conducts other user feedback and research programs on its own without the need for intermediaries that obscure its identity, and only ran the program in two countries. It claims to use a generic signup page to avoid biasing who will choose to participate, yet the cash incentive and technical process of installing the root certificate also bias who will participate, and the intermediaries conveniently prevent Facebook from being publicly associated with the program at first glance. Meanwhile, other clients of the Betabound testing platform like Amazon, Norton, and SanDisk reveal their names immediately before users sign up.

Facebook’s ads recruiting teens for the program didn’t disclose its involvement

Did we intentionally hide our identity as Facebook?

No — The Facebook brand is very prominent throughout the download and installation process, before any data is collected. Also, the app name of the device appears as “Facebook Research” — see attached screenshots. We use third parties to source participants in the research study, to avoid bias in the people who choose to participate. But as soon as they register, they become aware this is research for Facebook.

Author’s response: Facebook here admits that users did not know Facebook was involved before they registered.

What data do we collect? Do we read people’s private messages?

No, we don’t read private messages. We collect data to understand how people use apps, but this market research was not designed to look at what they share or see. We’re interested in information such as watch time, video duration, and message length, not the actual content of videos, messages, stories or photos. The app specifically ignores information shared via financial or health apps.

Author’s response: We never reported that Facebook was reading people’s private messages, but that it had the ability to collect them. Facebook here admits that the program was “not designed to look at what they share or see”, but stops far short of saying that data wasn’t collected. Fascinatingly, Facebook reveals that it was closely monitoring how much time people spent on different media types.

Facebook Research abused the Enterprise Certificate system meant for employee-only apps

Did we break Apple’s terms of service?

Apple’s view is that we violated their terms by sideloading this app, and they decide the rules for their platform. We’ve worked with Apple to address any issues; as a result, our internal apps are back up and running. Our relationship with Apple is really important — many of us use Apple products at work every day, and we rely on iOS for many of our employee apps, so we wouldn’t put that relationship at any risk intentionally. Mark and others will be available to talk about this further at Q&A later today.

Author’s response: TechCrunch reported that Apple’s policy plainly states that the Enterprise Certificate program requires companies to “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing” and that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers”. Apple took a firm stance in its statement that Facebook did violate the program’s policies, stating “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”

Given Facebook distributed the Research apps to teenagers that never signed tax forms or formal employment agreements, they were obviously not employees or contractors, and most likely use some Facebook-owned service that qualifies them as customers. Also, I’m pretty sure you can’t pay employees in gift cards.



Source: TechCrunch http://j.mp/2MHaceE

Nintendo is making Dr. Mario for iOS and Android

Nintendo held off on building smartphone games for years, but now they just can’t stop. They started with a little stumble with the short-lived Miitomo, but then found an audience with Super Mario Run. Then came Fire Emblem Heroes. Then Animal Crossing: Pocket Camp, and Dragalia Lost.

Next up? Dr. Mario.

Nintendo announced this afternoon that it’s working on a title called Dr. Mario World, built in collaboration with LINE (the company that makes the LINE chat app and Disney’s mobile Tsum Tsum games) and NHN.

For the many folks out there who might be too young to remember Super Mario’s stint as an M.D., Dr. Mario was a falling-tile style game which had the player quickly trying to arrange… pills. To kill viruses.

This was the box art. Nintendo was just like “Mario is a doctor now” and everyone was like “Oh okay cool.” It was the 90s, okay?

Nintendo doesn’t say much about what the game will be like, besides referring to it as an “action puzzle game”. They say it should ship by “early summer” of 2019, and will be free to download (with in-app purchases) on iOS and Android.



Source: TechCrunch http://j.mp/2Bcimaq

Apple reactivates Facebook’s employee apps after punishment for Research spying

After TechCrunch caught Facebook violating Apple’s employee-only app distribution policy to pay people for all their phone data, Apple invalidated the social network’s Enterprise Certificate as punishment. That deactivated not only this Facebook Research app VPN, but also all of Facebook’s internal iOS apps for workplace collaboration, beta testing, and even getting the company lunch or bus schedule. That threw Facebook’s offices into chaos yesterday morning. Now after nearly two work days, Apple has ended Facebook’s time-out and restored its Enterprise Certification. That means employees can once again access all their office tools, pre-launch test versions of Facebook and Instagram…and the lunch menu.

A Facebook spokesperson issued this statement to TechCrunch: “We have had our Enterprise Certification, which enables our internal employee applications, restored. We are in the process of getting our internal apps up and running. To be clear, this didn’t have an impact on our consumer-facing services.”

Meanwhile, TechCrunch’s follow-up report found that Google was also violating the Enterprise Certificate program with its own “market research” VPN app called Screenwise Meter that paid people to snoop on their phone activity. After we informed Google and Apple yesterday, Google quickly apologized and took down the app. But apparently in service of consistency, this morning Apple invalidated Google’s Enterprise Certificate too, breaking its employee-only iOS apps.

Google’s internal apps are still broken. Unlike Facebook, which has tons of employees on iOS, Google at least employs plenty of users of its own Android platform, so the disruption may have caused fewer problems in Mountain View than Menlo Park. “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” said a Google spokesperson. A spokesperson for Apple said: “We are working together with Google to help them reinstate their enterprise certificates very quickly.”

TechCrunch’s investigation found that the Facebook Research app not only installed an Enterprise Certificate on users’ phones and a VPN that could collect their data, but also demanded root network access that allows Facebook to man-in-the-middle their traffic and even decrypt secure transmissions. It paid users aged 13 to 35 $10 to $20 per month to run the app so it could collect competitive intelligence on who to buy or copy. The Facebook Research app contained numerous code references to Onavo Protect, the app Apple banned and pushed Facebook to remove last August, yet Facebook kept on operating the data collection program.

When we first contacted Facebook, it claimed the Research app and its Enterprise Certificate distribution that sidestepped Apple’s oversight was in line with Apple’s policy. Seven hours later, Facebook announced it would shut down the Research app on iOS (though it’s still running on Android, which has fewer rules). Facebook also claimed that “there was nothing ‘secret’ about this” as we had reported. However, TechCrunch has since reviewed communications proving that the Facebook Research program threatened legal action if its users spoke publicly about the app. That sounds pretty “secret” to us.

Then we learned yesterday morning that Facebook hadn’t voluntarily pulled the app, as Apple had actually already invalidated Facebook’s Enterprise Certificate, thereby breaking the Research app and the social network’s employee tools. Apple provided this brutally frank statement, which it in turn applied to Google today.

“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”

Some are likening Apple to a privacy regulator overseeing Facebook and Google, perhaps with too much power given they’re all competitors. But in this case, both Facebook and Google blatantly violated Apple’s policies to collect the maximum amount of data about iOS users, including teenagers. That means Apple was fully within its right to shut down their market research apps. Breaking their employee apps too could be seen as just collateral damage since they all use the same Enterprise Certification, or as additional punishment for violating the rules. This only becomes a real problem if Apple steps beyond the boundaries of its policies. But now, all eyes are on how it enforces its rules, whether to benefit its users or beat up on its rivals.



Source: TechCrunch http://j.mp/2MIPPOn

After bans from Apple and Google, Sarahah debuts Enoff, an iOS app for anonymous feedback at work

Sarahah, the anonymous messaging app founded in Saudi Arabia that became an unexpected viral sensation with teens, clocking up over 300 million registered users before getting banned by Apple and Google over bullying, is making a return to the App Store — but not as you might think.

The startup has launched a new, free iOS app called Enoff (pronounced “enough”) aimed at organizations, tapping into the wave of employee activism and speaking out about unfair practices to provide a way for people in a team to give anonymous, one-way feedback to bosses and human resources reps.

Available also on the web, the aim is to provide a way to give feedback in cases of harassment, corruption and other tricky workplace situations where employees might fear repercussions for speaking out.

Enoff is going head to head with a number of alternatives already in the market for giving “anonymous” feedback in the workplace, including other apps like Blind as well as incumbent solutions that businesses might already have in place for getting feedback. But it’s also a return to the startup’s roots: Sarahah was originally built to let employees provide honest feedback anonymously to bosses, before it inadvertently got hijacked and turned into a hit with consumers.

This does not signal an end to Sarahah itself. Despite its origins in Saudi Arabia and all the potential controversy that might come along with that, the eponymous app now has 320 million registered users with concentrations especially in the US, UK, India, Egypt and Japan, according to CEO and founder Zain al-Alabdin Tawfiq. And it has been getting rebuilt to provide better safeguards and blocks against bullying, harassment and other negative uses that raised the ire of parents and many others.

Specifically, Sarahah is now tapping into APIs from bigger tech companies like Google to develop better filters that go beyond keywords to flag content based on sentiment and inference. (Tawfiq said that the company is also building its own technology, although with only 10 employees currently working for the startup, it’s slow work to create anything new in-house on top of running the app that already exists.)

The plan is to launch Enoff while resubmitting Sarahah to Apple’s App Store and the Google Play Android store in coming months to hopefully get it listed again. These days, people are using the app primarily via the web, where they can get to a user’s profile by following links on other platforms, Tawfiq said. Sarahah currently sees “millions” of active users each month.

“We are working on improving the platform and protection measures,” Tawfiq said. He described the bullying that eventually brought the original app down as “a very limited use case, but we’re working on fixing it.”

To coincide with the launch of Enoff and the work on rebuilding Sarahah, Tawfiq said the startup is working on raising a Series A round of funding to hire more staff, as well as pay for the infrastructure to provide the bigger app and build more of a business around it. He would not comment on how much Sarahah is raising, nor how much it has raised from private backers to date.

Enoff works like this: a company or organization initially registers its domain, which includes on-boarding where a person has to upload identification to get verified to become the company representative on the site. Once an organization has been added, a code to communicate with the representative can be shared with employees, clients, or partners. These individuals then register and can start to provide feedback.

That feedback, in turn, never gets shared with anyone except for whoever is the administrator of that organization, essentially running it like an open-ended tips line going to a single mailbox.

Tawfiq confirmed that Enoff will be free to use with no plans to add any paid tiers to the app, but Sarahah itself is quietly building other kinds of monetization into the wider platform. He notes that select advertising is now running in Sarahah and over time the plan will be to introduce wider data analytics services tapping into the platform’s wider trove of anonymous information, an area he refers to as “corporate solutions” that will draw on the fact that many organizations — Netflix is one — are already using Sarahah to run feedback campaigns, by providing more targeted analytics and sentiment analysis.

“The service we provide right now is generic, so individuals and companies get the same experience, but we have a great opportunity to provide added value services for companies to give them more benefits from the feedback they receive,” Tawfiq said. “We believe that the billions of messages that are available in Sarahah can be extracted, to find a lot of useful information to help companies improve their processes.”

In all, Sarahah’s continuing popularity points not only to how — despite its issues — we still seem to be craving, as an internet culture, more forums for revealing our thoughts; but that sometimes the simplest solutions, even if flawed, continue to have sticky attraction.

“I think that Sarahah was born with a clear objective. It’s different from other platforms because it was created to break down barriers around giving candid feedback,” Tawfiq said. “Focusing on this objective will help us grow our business even when other services like us have failed.”



Source: TechCrunch http://j.mp/2sVTm2J

Step targets teens and parents with a no-fees mobile bank account and Visa card

A new mobile banking startup called Step wants to help bring teenagers and other young adults into the cashless era. Today, cash is used less often, as more consumers shop online and send money to one another through payment apps like Venmo. But teenagers in particular are still heavily burdened with cash — even though they, too, want to spend their money on things that require a payment card, like Amazon.com purchases or mobile gaming, for example.

That’s where Step comes in.

The company aims to address the needs of what it believes is an underserved market in mobile banking — the 75 million children and young adults under the age of 21 in the U.S., who are still being forced to use cash.

This market isn’t the “unbanked,” it’s the “pre-banked,” explains Step CEO CJ MacDonald, whose previous startup, mobile gift card platform Gyft, sold to First Data several years ago.

Above: Step CEO, CJ MacDonald

“We’re building an all-in-one banking solution that primarily focuses on teens and parents,” he says. “We want it to be a teen’s first bank account. We want to be a teen’s first spending card. And we want to teach financial literacy and responsibility firsthand.”

MacDonald, along with CTO Alexey Kalinichenko, previously of Square and financial services startup Token, founded Step in May 2018. The 10-person team also includes several prior Gyft employees.

Last summer, Step closed on $3.8 million in seed funding from Sesame Ventures, Crosslink Capital and Collaborative Fund. Crosslink general partner Eric Chin sits on the board.

While there are a number of mobile banking apps out there today — like Chime, Monzo, Simple, Revolut and others — Step will specifically target teens, 13 and up, and other young adults with its marketing. Teens under 18 still need parents’ approval to sign up, of course. But the goal is to encourage the teens to bring the idea to their parents — not the other way around.

Step’s focus on this younger demographic puts it in a different space, where there are fewer competitors. Its more direct rivals are not the bigger mobile banks, but rather startups like teen debit card and bank app Current, or the parent-managed debit card for kids from Greenlight.

The mobile banking service Step provides will also aim to be more comprehensive than just a debit card. It will offer a combination of checking, savings and a Visa card that works as both credit and debit.

The card includes Visa’s Zero Liability Protection on all purchases from unauthorized use, and allows parents to set spending limits.

Parents will also be able to connect their own bank accounts to Step to instantly transfer in funds, which can then be distributed to kids’ accounts for things like allowances and chores, or other everyday spending needs. Step’s bank account itself is backed by Evolve Bank, so it’s FDIC-insured up to $250,000.

Unlike Current, which charges a subscription to use its service, Step aims to be a fee-free bank for consumers. Users don’t have to pay for their account, and there are no fees for things like overdrafts. Instead, Step’s plan is to generate revenue through traditional means — like interchange fees and by way of lending practices, once it has established a deposit base.

The company pays a 2.5 percent interest rate on deposits, offers a round-up savings feature and a range of budgeting tools and supports free instant transfers between Step accounts. It also provides access to a network of 35,000 ATMs with no fees.

Beyond simply facilitating mobile banking, Step’s bigger goal is to teach teens to become financially responsible.

“Schools do not teach kids about money. A lot of families don’t talk about money. And it’s a crucial life skill that’s not really addressed properly when people are growing up,” says MacDonald, who says he was lacking in life skills in this area, even as a young college grad.

“There were ‘Money 101’ skills that I had not learned — that no one had talked to me about. Things like building credit, how many credit cards you should have, debt to income ratio,” he continues. “A lot of people get released into the real world without experience [in those areas],” he says.

Long-term, after solving the needs associated with everyday banking transactions, Step wants to layer on other products and services — like tools that allow a family to save together for college, for example.

The company is launching the banking service under an invite-only system to scale up.

Today, it’s opening a waitlist and referral program. When you invite a friend, you each receive one dollar. Access will then be rolled out on a first-come, first-serve basis this spring. Users can join Step through the website, iOS or Android application.



Source: TechCrunch http://j.mp/2MJTWcM

Smartphone Mario Kart Delayed To This Summer In Japan

When Mario Kart Tour was first announced last year, it was slated for release on Android and iOS sometime before March 2019. Now, in Japan, the smartphone game has been pushed back to summer.



Source: Gizmodo http://j.mp/2HEJoNd

Tencent moves into automotive with $150M joint venture

China’s internet firms are getting pally with giant state-owned automakers as they look to deploy their artificial intelligence and cloud computing services across traditional industries. Ride-hailing startup Didi Chuxing, which owns Uber China, announced earlier this week a new joint venture with state-owned BAIC. Hot on the heels came another entity set up between Tencent and the GAC Group.

GAC, which is owned by the Guangzhou municipal government in southern China, announced Thursday in a filing that it will jointly establish a mobility company with social media and gaming behemoth Tencent and Guangzhou Public Transport Group, alongside other investors.

The announcement followed an agreement between Tencent and GAC in 2017 to team up on internet-connected cars and smart driving, a deal that saw the carmaker tapping into Tencent’s expertise in mobile payments, social networking, big data and cloud services. Tencent, which is most famous for its instant messenger WeChat, went through a major restructuring last October to place more focus on enterprise-facing services, and the GAC tie-up appears to fit nicely into that pivot.

The fresh venture will bank a capital infusion of 1 billion yuan ($149 million) with GAC owning a 35 percent stake. Tencent and Guangzhou Public Transport will take up 25 percent and 10 percent, respectively.

A flurry of Chinese internet service providers have made forays into the automotive industry, marketing their digital and machine learning capabilities at old-school automakers. Besides Tencent, GAC has also recruited telecommunications equipment maker Huawei and voice assistant startup iFlytek to upgrade its vehicles. Search titan Baidu, on the other hand, operates an open platform for autonomous driving cars and has chosen state-owned Hongqi to test out its autonomous driving solutions. Ecommerce behemoth Alibaba has also set foot in transportation with a smart sedan jointly developed with state-owned SAIC.



Source: TechCrunch http://j.mp/2GbgYs6