User blogs

The European Union’s lead data protection supervisor has recommended that a ban on targeted advertising based on tracking Internet users’ digital activity be included in a major reform of digital services rules which aims to increase operators’ accountability, among other key goals.

The European Data Protection Supervisor (EDPS), Wojciech Wiewiorówski, made the call for a ban on surveillance-based targeted ads in reference to the Commission’s Digital Services Act (DSA) — following a request for consultation from EU lawmakers.

The DSA legislative proposal was introduced in December, alongside the Digital Markets Act (DMA) — kicking off the EU’s (often lengthy) co-legislative process which involves debate and negotiations in the European Parliament and Council on amendments before any final text can be agreed for approval. This means battle lines are being drawn to try to influence the final shape of the biggest overhaul to pan-EU digital rules for decades — with everything to play for.

The intervention by Europe’s lead data protection supervisor calling for a ban on targeted ads is a powerful pre-emptive push against attempts to water down legislative protections for consumer interests.

The Commission had not gone so far in its proposal — but big tech lobbyists are certainly pushing in the opposite direction so the EDPS taking a strong line here looks important.

In his opinion on the DSA the EDPS writes that “additional safeguards” are needed to supplement risk mitigation measures proposed by the Commission — arguing that “certain activities in the context of online platforms present increasing risks not only for the rights of individuals, but for society as a whole”.

Online advertising, recommender systems and content moderation are the areas the EDPS is particularly concerned about.

“Given the multitude of risks associated with online targeted advertising, the EDPS urges the co-legislators to consider additional rules going beyond transparency,” he goes on. “Such measures should include a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking, as well as restrictions in relation to the categories of data that can be processed for targeting purposes and the categories of data that may be disclosed to advertisers or third parties to enable or facilitate targeted advertising.”

It’s the latest regional salvo aimed at mass-surveillance-based targeted ads after the European Parliament called for tighter rules back in October — when it suggested EU lawmakers should consider a phased in ban.

Again, though, the EDPS is going a bit further here in actually calling for one. (Facebook’s Nick Clegg will be clutching his pearls.)

More recently, the CEO of European publishing giant Axel Springer, a long time co-conspirator of adtech interests, went public with a (rather protectionist-flavored) rant about US-based data-mining tech platforms turning citizens into “the marionettes of capitalist monopolies” — calling for EU lawmakers to extend regional privacy rules by prohibiting platforms from storing personal data and using it for commercial gain at all.

Apple CEO, Tim Cook, also took to the virtual stage of a (usually) Brussels based conference last month to urge Europe to double down on enforcement of its flagship General Data Protection Regulation (GDPR).

In the speech Cook warned that the adtech ‘data complex’ is fuelling a social catastrophe by driving the spread of disinformation as it works to profit off of mass manipulation. He went on to urge lawmakers on both sides of the pond to “send a universal, humanistic response to those who claim a right to users’ private information about what should not and will not be tolerated”. So it’s not just European companies (and institutions) calling for pro-privacy reform of adtech.

The iPhone maker is preparing to introduce stricter limits on tracking on its smartphones by making apps ask users for permission to track, instead of just grabbing their data — a move that’s naturally raised the hackles of the adtech sector, which relies on mass surveillance to power ‘relevant’ ads.

Hence the adtech industry has resorted to crying ‘antitrust‘ as a tactic to push competition regulators to block platform-level moves against its consentless surveillance. And on that front it’s notable than the EDPS’ opinion on the DMA, which proposes extra rules for intermediating platforms with the most market power, reiterates the vital links between competition, consumer protection and data protection law — saying these three are “inextricably linked policy areas in the context of the online platform economy”; and that there “should be a relationship of complementarity, not a relationship where one area replaces or enters into friction with another”.

Wiewiorówski also takes aim at recommender systems in his DSA opinion — saying these should not be based on profiling by default to ensure compliance with regional data protection rules (where privacy by design and default is supposed to be the legal default).

Here too be calls for additional measures to beef up the Commission’s legislative proposal — with the aim of “further promot[ing] transparency and user control”.

This is necessary because such system have “significant impact”, the EDPS argues.

The role of content recommendation engines in driving Internet users towards hateful and extremist points of view has long been a subject of public scrutiny. Back in 2017, for example, UK parliamentarians grilled a number of tech companies on the topic — raising concerns that AI-driven tools, engineered to maximize platform profit by increasing user engagement, risked automating radicalization, causing damage not just to the individuals who become hooked on hateful views the algorithms feeds them but cascading knock-on harms for all of us as societal cohesion is eaten away in the name of keeping the eyeballs busy.

Yet years on little information is available on how such algorithmic recommender systems work because the private companies that operate and profit off these AIs shield the workings as proprietary business secrets.

The Commission’s DSA proposal takes aim at this sort of secrecy as a bar to accountability — with its push for transparency obligations. The proposed obligations (in the initial draft) include requirements for platforms to provide “meaningful” criteria used to target ads; and explain the “main parameters” of their recommender algorithms; as well as requirements to foreground user controls (including at least one “nonprofiling” option).

However the EDPS wants regional lawmakers to go further in the service of protecting individuals from exploitation (and society as a whole from the toxic byproducts that flow from an industry based on harvesting personal data to manipulate people).

On content moderation, Wiewiorówski’s opinion stresses that this should “take place in accordance with the rule of law”. Though the Commission draft has favored leaving it with platforms to interpret the law.

“Given the already endemic monitoring of individuals’ behaviour, particularly in the context of online platforms, the DSA should delineate when efforts to combat ‘illegal content’ legitimise the use of automated means to detect, identify and address illegal content,” he writes, in what looks like a tacit recognition of recent CJEU jurisprudence in this area.

“Profiling for purposes of content moderation should be prohibited unless the provider can demonstrate that such measures are strictly necessary to address the systemic risks explicitly identified by the DSA,” he adds.

The EDPS has also suggested minimum interoperability requirements for very large platforms, and for those designated as ‘gatekeepers’ (under the DMA), and urges lawmakers to work to promote the development of technical standards to help with this at the European level.

On the DMA, he also urges amendments to ensure the proposal “complements the GDPR effectively”, as he puts it, calling for “increasing protection for the fundamental rights and freedoms of the persons concerned, and avoiding frictions with current data protection rules”.

Among the EDPS’ specific recommendations are: That the DMA makes it clear that gatekeeper platforms must provide users with easier and more accessible consent management; clarification to the scope of data portability envisaged in the draft; and rewording of a provision that requires gatekeepers to provide other businesses with access to aggregated user data — again with an eye on ensuring “full consistency with the GDPR”.

The opinion also raises the issue of the need for “effective anonymisation” — with the EDPS calling for “re-identification tests when sharing query, click and view data in relation to free and paid search generated by end users on online search engines of the gatekeeper”.

ePrivacy reform emerges from stasis

Wiewiorówski’s contributions to shaping incoming platform regulations come on the same day that the European Council has finally reached agreement on its negotiating position for a long-delayed EU reform effort around existing ePrivacy rules.

In a press release announcing the development, the Commission writes that Member States agreed on a negotiating mandate for revised rules on the protection of privacy and confidentiality in the use of electronic communications services.

“These updated ‘ePrivacy’ rules will define cases in which service providers are allowed to process electronic communications data or have access to data stored on end-users’ devices,” it writes, adding: “Today’s agreement allows the Portuguese presidency to start talks with the European Parliament on the final text.”

Reform of the ePrivacy directive has been stalled for years as conflicting interests locked horns — putting paid to the (prior) Commission’s hopes that the whole effort could be done and dusted in 2018. (The original ePrivacy reform proposal came out in January 2017; four years later the Council has finally settled on its arguing mandate.)

The fact that the GDPR was passed first appears to have upped the stakes for data-hungry ePrivacy lobbyists — in both the adtech and telco space (the latter having a keen interest in removing existing regulatory barriers on comms data in order that it can exploit the vast troves of user data which Internet giants running rival messaging and VoIP services have long been able to).

There’s a concerted effort to try to use ePrivacy to undo consumer protections baked into GDPR — including attempts to water down protections provided for sensitive personal data. So the stage is set for an ugly rights battle as negotiations kick off with the European Parliament.

Metadata and cookie consent rules are also bound up with ePrivacy so there’s all sorts of messy and contested issues on the table here.

Digital rights advocacy group Access Now summed up the ePrivacy development by slamming the Council for “hugely” missing the mark.

“The reform is supposed to strengthen privacy rights in the EU [but] States poked so many holes into the proposal that it now looks like French Gruyère,” said Estelle Massé, senior policy analyst at Access Now, in a statement. “The text adopted today is below par when compared to the Parliament’s text and previous versions of government positions. We lost forward-looking provisions for the protection of privacy while several surveillance measures have been added.”

The group said it will be pushing to restore requirements for service providers to protect online users’ privacy by default and for the establishment of clear rules against online tracking beyond cookies, among other policy preferences.

The Council, meanwhile, appears to be advocating for a highly dilute (and so probably useless) flavor of ‘do not track’ — by suggesting users should be able to give consent to the use of “certain types of cookies by whitelisting one or several providers in their browser settings”, per the Commission.

“Software providers will be encouraged to make it easy for users to set up and amend whitelists on their browsers and withdraw consent at any moment,” it adds in its press release.

Clearly the devil will be in the detail of the Council’s position there. (The European Parliament has, by contrast, previously clearly endorsed a “legally binding and enforceable” Do Not Track mechanism for ePrivacy so, again, the stage is set for clashes.)

Encryption is another likely bone of ePrivacy contention.

As security and privacy researcher, Dr Lukasz Olejnik, noted back in mid 2017, the parliament strongly backed end-to-end encryption as a means of protecting the confidentiality of comms data — saying then that Member States should not impose any obligations on service providers to weaken strong encryption.

So it’s notable that the Council does not have much to say about e2e encryption — at least in the PR version of its public position. (A line in this that runs: “As a main rule, electronic communications data will be confidential. Any interference, including listening to, monitoring and processing of data by anyone other than the end-user will be prohibited, except when permitted by the ePrivacy regulation” is hardly reassuring, either.)

It certainly looks like a worrying omission given recent efforts at the Council level to advocate for ‘lawful’ access to encrypted data. Digital and humans rights groups will be buckling up for a fight.

Source: https://techcrunch.com/2021/02/10/eus-top-privacy-regulator-urges-ban-on-surveillance-based-ad-targeting/

Last night, MetroMile and SPAC INSU Acquisition Corp. II completed their combination, putting the per-mile auto insurance startup up for regular trading today for the first time.

In the wake of last year’s debuts by neoinsurance companies Lemonade and Root, it’s not surprising to see others test the public markets. For example, Oscar Health recently announced its intention to go public via a traditional IPO.

How the new entrants will fare, however, is not clear.

The Exchange explores startups, markets and money. Read it every morning on Extra Crunch, or get The Exchange newsletter every Saturday.

There is something of a tale of two companies in Lemonade and Root, with the pair valued at divergent multiples and sporting very different post-IPO trajectories, at least concerning their value.

While Lemonade has appreciated greatly from its IPO price ($29) to its current value ($155.33), Root’s share price dropped from its debut ($27) to today ($21.75).

This morning, as MetroMile starts its life as a public company, Oscar Health preps its own run at an IPO and other neoinsurance players like Hippo wait in the wings, let’s quickly check the difference between how Root and Lemonade have fared, and then ask what we can learn their different valuation multiples and what they might mean for the next startup insurance players hoping to gov v public while the IPO window is wide open.

Root, Lemonade

Lemonade’s path to the public markets was one that started modestly with its first IPO pricing, improved, and then, after technically going public at a down-round valuation, took off like a rocket. Root’s IPO pricing run involved what we thought of as a strong IPO range and then an above-target pricing.

But since then, Lemonade shares have rallied to several times their original price, while Root has dropped around 20%. Lemonade, for reference, sells rental insurance with an eye on going up-market in time to other forms of home-focused insurance. Root is in the auto insurance market, where MetroMile also works.

Both Lemonade and Root have yet to announce Q4 2020 results, so we’ll look at their Q3 details instead. We want to get a handle for how divergently their insurance incomes are being treated. This should give us a better understanding of how Wall Street values each, then we’ll apply those learnings to our two new companies. What we learn today will hopefully bear on other insurtech startups that want liquidity during the current cycle.

Results via the company, comparisons are Q3 2019:

• Root Q3 2020 revenue: $50.5 million (impaired from $75.8 million)
• Root Q3 2020 gross profit: $0.7 million (improved from -$36 million)
• Root Q3 2020 net loss: $85.2 million (improved from -$100.1 million)
• Premiums in force: $600.1 million
• Valuation: $5.45 billion (Google Finance)

This gives us Root revenue run rate multiple of around 27x, and a premium in force multiple of just over 9x. Now let’s observe Lemonade’s data.

Results via the company, comparisons are Q3 2019:

• Lemonade Q3 2020 revenue: $10.5 million (impaired from $17.8 million)
• Lemonade Q3 2020 gross profit: $7.3 million (improved from $4.0 million)
• Lemonade Q3 2020 net loss: $30.9 million (improved from $31.1 million)
• Premiums in force: $188.9 million
• Valuation: $9.33 billion (Google Finance)

Looking at the same two metrics, Lemonade has a run rate multiple of 222x, and a premium in force multiple of more than 49x.

Source: https://techcrunch.com/2021/02/10/how-will-investors-value-metromile-and-oscar-health/

Alexa von Tobel has a unique vantage point on the world of startups. She debuted in the tech space with the launch of LearnVest in 2009. The company raised nearly $70 million and sold to Northwestern Mutual in 2015 for an estimated $250 million, according to reports.

Since, von Tobel has founded her own venture firm called Inspired Capital. Portfolio companies include Finix, Chief, Orum, Habi and more.

But before she was an entrepreneur, or the Chief Digital Officer of a major financial services company (and then Chief Innovation Officer, overseeing the Northwestern Mutual’s venture arm), or the founding partner of a venture capital firm, she was a Certified Financial Planner.

At TechCrunch Early Stage in April, von Tobel will lead a breakout on financial planning targeted specifically at early stage startups.

Take a look:

Finance for Founders

As a founder, you not only have to master your company’s finances, you also have to tackle your own personal finances. Managing your money as a founder comes with a unique set of questions. Leveraging her expertise from LearnVest and as a Certified Financial Planner, Alexa will share financial planning best practices so founders can remove this layer of stress from the pressure of building a business.

Early Stage is back in 2021 and better than ever. The event is centered around all the startup core competencies that founders will need in their tool chest to build successful businesses, from marketing to operations to fundraising.

von Tobel joins an all-star lineup, which includes experts in the fields of sales, seed and A fundraising, recruiting, and much much more. These experts will give presentations across a variety of topics, and then answer questions live from the audience.

The event is split across two days: On April 1 we’ll be hearing from experts in fundraising and operations, and on July 8 we’ll learn more from experts in fundraising and marketing. At both events, the TechCrunch pitch-off will be center stage, giving early stage companies the chance to pitch to and get feedback from seasoned investors. Early Stage is entirely virtual, so folks from anywhere in the world can pick up and ticket and show up from the comfort of their couch.

We sincerely hope you’ll join us!

Source: https://techcrunch.com/2021/02/10/alexa-von-tobel-brings-15-years-of-financial-savvy-to-early-stage-2021/

DNA profiling company Ancestry has confirmed it fought two U.S. law enforcement requests to access its DNA database in the past six months, but that neither request resulted in turning over customer or DNA data.

The Utah-based company disclosed the two requests in its latest transparency report covering the latter half of 2020. The report said Ancestry “challenged both of these requests, which were withdrawn,” and that the company “provided no data” at the time of the report, published Tuesday.

Ancestry did not say which agencies or police departments requested the DNA data or for what reason the company challenged the request. Ancestry spokesperson Gina Spatafore confirmed the search warrants were to obtain DNA data but declined to comment beyond what was in the report.

The company also said in its most recent report that it “refused numerous inquiries” from U.S. law enforcement for failing to obtain the proper legal process. The report also said the company received four valid law enforcement requests, but that it did not provide any data in response.

Ancestry has more than 3.6 million subscribers and has more than 18 million customer DNA profiles in its database, making it the largest in the world.

DNA profiling companies like Ancestry are increasingly popular with customers wanting to learn more about their family heritage, their genetic markers, and to understand their cultural and ethnic backgrounds. But as these DNA databases become larger, they are also attracting attention from law enforcement who want access to help solve crimes.

On its website, Ancestry says: “We believe that the nature of our members’ DNA data is particularly sensitive, so we insist on a court order or search warrant as the minimum level of due process before we will review our ability to comply with the request. We also seek to put our members’ privacy first, so we also will try to minimize the scope or even invalidate the warrant before complying.”

It’s not the first time Ancestry has pushed back against a legal demand. Last year the company said it rejected an out-of-state search warrant, ordered by a court in Pennsylvania, to “seek access” to its DNA database on the grounds that the warrant was “improperly served.”

Ancestry has only complied with one search warrant for DNA data from a database it acquired and later made public, not realizing that police would use the database to search for leads.

It’s not uncommon for companies with large amounts of customer data to frequently receive law enforcement demands for user data — or for companies to publish periodic transparency reports that detail the number of legal demands they receive.

To its credit, Ancestry is one of only two DNA profiling sites that publishes a transparency report. 23andMe also publishes the number of data demands it receives each quarter, but to date has not released any customer data to law enforcement. FamilyDNA said over a year ago that it was “working on publishing” a transparency report.

The move by Ancestry and 23andMe came shortly after police used DNA profiling site GEDmatch to identify the DNA of a suspected serial killer, a breakthrough which later led to the arrest of the so-called Golden State Killer in 2018. GEDmatch said it was “not approached by law enforcement” prior to the search. GEDmatch soon after allowed its users to opt-in for their DNA to be included in police searches.

Last year, GEDmatch confirmed it was hit by two data breaches that made user profiles visible to other users, including law enforcement.

Source: https://techcrunch.com/2021/02/10/ancestry-police-warrant-dna-database/

Apple Maps is inching into more Waze-like territory with an update that will give drivers the ability to report road hazards, accidents, or even speed traps. The new features are live now in the iOS 14.5 beta, which is now open to public beta testers as well as developers, but won’t roll out to the general public until later this spring, Apple says.

To use the new features, drivers will be able to report road issues and incidents by using Siri on their iPhone or through Apple’s CarPlay. For example, during navigation, they’ll be able to tell Siri things like “there’s a crash up head,” “there’s something on the road,” or “there’s a speed trap here.” They’ll also be able to correct stale accident or hazard alert information by saying things like “the hazard is gone” or the “incident is no longer here.”

While using Siri makes the reporting experience safer, the updated app will also allow users to swipe up on the map to tap a report button to alert others to accidents, hazards or speed traps, as well.

The update could present a challenge to Google-owned navigation app Waze, which has long been a popular tool for staying alerted to road conditions, hazards, accidents and police presence. In Waze, users can interact by touching the screen or issuing commands through Google Assistant, but voice support for iOS users, naturally, is more limited. Today, Waze supports the use of Siri Shortcuts, which have to be manually configured and added to Siri, for example.

The new Apple Maps features could also make Apple’s app more appealing to users who feel their user data is safer within Apple’s ecosystem, thanks to the work Apple has done to position itself as the company that cares more about consumer privacy.

Notable, too, is the addition of speed traps, which represents a shift in direction for Apple Maps. Historically, Apple has been opposed to including police warnings in its product. But that lack of support has contributed to Google’s ability to dominate the navigation and mapping market on mobile devices.

Apple’s decision here also follows an expansion of Waze-like features to Google Maps, blurring the distinctions between Google’s two navigation products even further. And as Google continued to roll out the ability to report accidents, traffic, speed traps and more to Google Maps users on iOS, it made it even harder for anyone who would have otherwise considered switching to Apple Maps to make the jump.

Apple, belatedly, has seemed to realize this as well.

Source: https://techcrunch.com/2021/02/10/apple-maps-to-gain-waze-like-features-for-reporting-accidents-hazards-and-speed-traps/