Apple and Google are launching a joint COVID-19 tracing tool for iOS and Android

Apple and Google’s engineering teams have banded together to create a decentralized contact tracing tool that will help individuals determine whether they have been exposed to someone with COVID-19.

Contact tracing is a useful tool that helps public health authorities track the spread of the disease and inform the potentially exposed so that they can get tested. It does this by identifying and ‘following up with’ people who have come into contact with a COVID-19 affected person.

The first phase of the project is an API that public health agencies can integrate into their own apps. The next phase is a system level contact tracing system that will work across iOS and Android devices on an opt-in basis.

The system uses on-board radios on your device to transmit an anonymous ID over short ranges — using Bluetooth beaconing. Servers relay your last 14 days of rotating IDs to other devices which search for a match. A match is determined based on a threshold of time spent and distance maintained between two devices.

If a match is found with another user that has told the system that they have tested positive, you are notified and can take steps to be tested and to self quarantine.

Contact tracing is a well known and debated tool, but one that has been adopted by health authorities and universities who are working on multiple projects like this. One such example is MIT’s efforts to use Bluetooth to create a privacy-conscious contact tracing tool that was inspired by Apple’s Find My system. The companies say that those organizations identified technical hurdles that they were unable to overcome and asked for help.

The project was started two weeks ago by engineers from both companies. One of the reasons that the companies got involved is that there is poor interoperability between systems on various manufacturer’s devices. With contact tracing, every time you fragment a system like this between multiple apps, you limit its effectiveness greatly. You need a massive amount of adoption in one system for contact tracing to work well.

At the same time, you run into technical problems like Bluetooth power suck, privacy concerns about centralized data collection and the sheer effort it takes to get enough people to install the apps to be effective.

Two Phase Plan

To fix these issues, Google and Apple teamed up to create an interoperable API that should allow the largest number of users to adopt it, if they choose.

The first phase, a private proximity contact detection API, will be released in mid-May by both Apple and Google for use in apps on iOS and Android. In a briefing today, Apple and Google said that the API is a simple one and should be relatively easy for existing or planned apps to integrate. The API would allow apps to ask users to opt-in to contact tracing (the entire system is opt-in only), allowing their device to broadcast the anonymous, rotating identifier to devices that the person ‘meets’. This would allow tracing to be done to alert those who may come in contact with COVID-19 to take further steps.

The value of contact tracing should extend beyond the initial period of pandemic and into the time when self-isolation and quarantine restrictions are eased.

The second phase of the project is to bring even more efficiency and adoption to the tracing tool by bringing it to the operating system level. There would be no need to download an app, users would just opt-in to the tracing right on their device. The public health apps would continue to be supported, but this would address a much larger spread of users.

This phase, which is slated for the coming months, would give the contract tracing tool the ability to work at a deeper level, improving battery life, effectiveness and privacy. If its handled by the system, then every improvement in those areas — including cryptographic advances — would benefit the tool directly.

How it works

A quick example of how a system like this might work.

  1. Two people happen to be near each other for a period of time, let’s say 10 minutes. Their phones exchange the anonymous identifiers (which change every 15 minutes).
  2. Later on, one of those people is diagnosed with COVID-19 and enters it into the system via a Public Health Authority app that has integrated the API.
  3. With an additional consent, the diagnosed user allows his anonymous identifiers for the last 14 days to be transmitted to the system.
  4. The person they came into contact with has a Public Health app on their phone that downloads the broadcast keys of positive tests and alerts them to a match.
  5. The app gives them more information on how to proceed from there.

Privacy and Transparency

Both Apple and Google say that privacy and transparency are paramount in a public health effort like this one and say they are committed to shipping a system that does not compromise personal privacy in any way.

There is zero use of location data, which includes users who report positive. This tool is not about where affected people are but instead whether they have been around other people.

The system works by assigning a random, rotating identifier to a person’s phone and transmitting it via Bluetooth to nearby devices. That identifier, which rotates every 15 minutes and contains no personally identifiable information, will pass through a simple relay server that can be run by health organizations worldwide.

Even then, the list of identifiers you’ve been in contact with doesn’t leave your phone unless you choose to share it. Users that test positive will not be identified to other users, Apple or Google. Google and Apple can disable the broadcast system entirely when it is no longer needed.

All identification of matches is done on your device, allowing you to see — within a 14-day window — whether your device has been near the device of a person who has self-identified as having tested positive for COVID-19.

The entire system is opt-in. Users will know up front that they are participating, whether in app or at a system level. Public health authorities are involved in notifying users that they have been in contact with an affected person. Apple and Google say that they will openly publish information about the work that they have done for others to analyze in order to bring the most transparency possible to the privacy and security aspects of the project.

“All of us at Apple and Google believe there has never been a more important moment to work together to solve one of the world’s most pressing problems,” the companies said in a statement. “Through close cooperation and collaboration with developers, governments and public health providers, we hope to harness the power of technology to help countries around the world slow the spread of COVID-19 and accelerate the return of everyday life.”

You can find more information about the contact tracing API on Apple’s page here including specifications.

Report: Apple’s iOS 14 contains code that would let you sample apps before download

Apple has under development a feature that would allow iOS users to interact with a third-party app, even if the app wasn’t yet installed on your device, according to a report from 9to5Mac. The report is based on information discovered in the iOS 14 code, which is not necessarily an indication of launch plans on Apple’s part — but rather an insight into some of Apple’s work in progress.

The feature is referenced internally as the “Clips” API — not to be confused with Apple’s video editing app of the same name. Based on 9to5Mac’s analysis, the new API works in conjunction with the QR Code reader, allowing a user to scan a code linked to an app, then interact with that app from a card that appears on their screen.

Described like this, the feature sounds like a marketing tool for app publishers, as it would offer a way for users to try out new apps before they download them to get a better feel for the experience than a banner ad would allow. In addition to offering some interactivity with an app before it’s downloaded, the card could also be used to redirect users to the App Store if they choose to download the full version. The card could also be used to open the app directly to the content, in the case of apps the user already had installed.

Google’s Android, the report noted, offers a similar feature called “Slices,” launched in 2018. While Google had already introduced a way to interact with small pieces of an app in an experience called Instant Apps, the newer Slices feature was meant to drive usage of apps — like booking a ride or hotel room, for example, without having to first locate the app and launch it. On iOS, perhaps, these app “clips” could be pulled up by Siri or in Spotlight search — but that functionality wasn’t demonstrated by the code the report referenced today.

It’s unclear what Apple’s intentions are with the Clips API or how experimental its efforts are at this time.

However, the report found the feature was being tested with OpenTable, Yelp, DoorDash, Sony (the PS4 Second Screen app) and YouTube. This could indicate a plan to demo examples of the app’s functionality in a future reveal to developers.

Android gets a built-in Braille keyboard

Android has received a wealth of accessibility features over the last couple of years, but one that has been left to third-party developers is a way for blind users to type using braille. That changes today with Android’s new built-in braille keyboard, which should soon be available as an option on all phones running version 5 and up of the OS.

Braille is a complex topic in the accessibility community, as in many ways it has been supplanted by voice recognition, screen readers and other tools. But many people are already familiar with it and use it regularly — and after all, one can’t always chat out loud.

Third-party braille keyboards are available, but some cost money or are no longer in development. And because the keyboard essentially has access to everything you type, there are security considerations as well. So it’s best for the keyboard you use to be an official one from a reputable company. Google will have to do!

(Apple, it must be said, has had a braille keyboard like this one for years that plugs into its OS’s other accessibility tools. It can be activated using the instructions here.)

The new keyboard, the company writes in a blog post, was created as a collaboration with various users and developers of braille software, and should be familiar to anyone who’s used something like it in the past.

The user holds the phone in landscape mode, with the screen facing away from them, and taps the regions corresponding to each of the six dots that form letters in the braille alphabet. It works with Android’s TalkBack function, which reads off words the user types or selects, so like any other writing method errors can be quickly detected and corrected. There are also some built-in gestures for quickly deleting letters and words or sending the text to the recipient or selected field.

Instructions for activating the braille keyboard are here. Right now it’s only available in English, but more languages will likely be added in the near future.

 

MIT develops privacy-preserving COVID-19 contact tracing inspired by Apple’s ‘Find My’ feature

One of the efforts that’s been proposed to contain the spread of COVID-19 is a contact trace and track program, that would allow health officials to keep better tabs on individuals who have been infected, and alert them to potential spread. Contract tracing has already seemingly proven effective in some parts of the world that have managed to curb the coronavirus spread, but privacy advocates have big reservations about any such system’s implementation in the U.S.

There are a number of proposals of how to implement a contact tracing system that preserves privacy, including a decentralization proposal for a group of European experts. In the U.S., MIT researchers have devised a new method to would provide automated contact tracing that taps into the Bluetooth signals sent out by everyone’s mobile devices, tying contacts to random numbers that aren’t linked to an individual’s identity in any way.

The system works by having each mobile device constantly be sending out random strings of numbers that the the researchers liken to “chirps” (though not actually audible). These are sent via Bluetooth, which is key for a couple of reasons, including that most people have Bluetooth enabled on their device all the time, and that it’s a short-range radio communication protocol that ensures any reception of a “chirp” came from someone you were in relatively close contact to.

If any person tests positive for COVID-19, they can then upload a full list of the chirps that their phone has broadcast over the past 14 days (which at the outside, should represent the full time they’ve been contagious). Those go into a database of chirps associated with confirmed positive cases, which others can scan against to see if their phone has received one of those chirps during that time. A positive match with one of those indicates that an individual could be at risk, since they were at least within 40 feet or so of a person who has the virus, and it’s a good indicator that they should seek a test if available, or at least self-quarantine for the recommended two-week period.

MIT’s system sidesteps entirely many of the thorniest privacy-related issues around contact tracing, which have been discussed in detail by the ACLU and other privacy protection organizations: It doesn’t use any geolocation information at all, nor does it connect any diagnosis or other information to a particular individual. It’s still not entirely left to individual discretion, which would be a risk from the perspective of ensuring compliance, because MIT envisions a health official providing a QR code along with delivering any positive diagnosis that would trigger the upload of a person’s chirp history to the database.

The system would work through an app they install on their phone, and its design was inspired by Apple’s “Find My” system for locating lost Mac and IOS hardware, as well as keeping track of the location of devices owned by loved ones. Find My also uses chirps to broadcast locations to passing Apple hardware.

“Find My inspired this system,” ays Marc Zissman, the associate head of MIT Lincoln Laboratory’s Cyber Security and Information Science Division and co-principal investigator of the project in a blog post describing the research. “If my phone is lost, it can start broadcasting a Bluetooth signal that’s just a random number; it’s like being in the middle of the ocean and waving a light. If someone walks by with Bluetooth enabled, their phone doesn’t know anything about me; it will just tell Apple, ‘Hey, I saw this light.’”

The system could be adapted to automate check-ins against the positive chirp database, and provide alerts to individuals who should get tested or self-isolate. Researchers worked closely with public health officials to ensure that this will suit their needs and goals as well as preserving privacy.

MIT’s team says that a critical next step to making this actually work broadly is to get Apple, Google and Microsoft on board with the plan. This requires close collaboration with mobile device platform operators to work effectively, they note. Extrapolating a step further, were iOS and Android to offer these as built-in features, that would go a long way towards encouraging widespread adoption.

Jack Dorsey creates $1B COVID-19 relief fund using Square equity

Jack Dorsey announced in a series of tweets today that he is shifting $1 billion in his Square equity to create a fund dedicated to COVID-19 relief. The Twitter and Square CEO is calling the fund Start Small and posting a tally of disbursements and recipients in a public spreadsheet.

Dorsey said in his announcement that the new initiative will shift the focus to other causes at some point, naming health and education for girls and universal basic income

The first Start Small contribution listed is $100,000 to America’s Food Fund — an effort led by Leonardo DiCaprio and Laurene Powell Jobs dedicated to providing meals to vulnerable populations disrupted by the COVID-19 pandemic.

Other top backers of America’s Food Fund include Oprah Winfrey ($1 million) and Apple ($5 million), according to the organization’s GoFundMe page.

That’s what we know so far from a tweet posted Tuesday afternoon by the American tech entrepreneur who co-founded and leads not one, but two publicly listed companies.

On why he sourced the equity for Start Small from his payments company Square, vs. Twitter, “I own a lot more Square. And I’ll need to pace the sales over some time,” Jack said in a subsequent tweet.

There’s still a lot to learn about Dorsey’s new initiative, including how it will be managed, whether it will make investments (along with donations) and exactly how those interested can seek funding. TechCrunch has asked Square for additional details and will update this post when we hear back.

Cookie consent still a compliance trash-fire in latest watchdog peek

The latest confirmation of the online tracking industry’s continued flouting of EU privacy laws which — at least on paper — are supposed to protect citizens from consent-less digital surveillance comes by via Ireland’s Data Protection Commission (DPC).

The watchdog did a sweep survey of around 40 popular websites last year — covering sectors including media and publishing; retail; restaurants and food ordering services; insurance; sport and leisure; and the public sector — and in a new report, published yesterday, it found almost all failing on a number of cookie and tracking compliance issues, with breaches ranging from minor to serious.

Twenty were graded ‘amber’ by the regulator, which signals a good response and approach to compliance but with at least one serious concern identified; twelve were graded ‘red’, based on very poor quality responses and a plethora of bad practices around cookie banners, setting multiple cookies without consent, badly designed cookies policies or privacy policies, and a lack of clarity about whether they understood the purposes of the ePrivacy legislation; while a further three got a borderline ‘amber to red’ grade.

Just two of the 38 controllers got a ‘green’ rating (substantially compliance with any concerns straightforward and easily remedied); and one more got a borderline ‘green to amber’ grade.

EU law means that if a data controller is relying on consent as the legal basis for tracking a user the consent must be specific, informed and freely given. Additional court rulings last year have further finessed guidance around online tracking — clarifying pre-checked consent boxes aren’t valid, for example.

Yet the DPC still found examples of cookie banners that offer no actual choice at all. Such as those which serve a dummy banner with a cookie notice that users can only meaningless click ‘Got it!’. (‘Gotcha data’ more like.. )

In fact the watchdog writes that it found ‘implied’ consent being relied upon by around two-thirds of the controllers, based on the wording of their cookie banners (e.g. notices such as: “by continuing to browse this site you consent to the use of cookies”) — despite this no longer meeting the required legal standard.

“Some appeared to be drawing on older, but no longer extant, guidance published by the DPC that indicated consent could be obtained ‘by implication’, where such informational notices were put in place,” it writes, noting that current guidance on its website “does not make any reference to implied consent, but it also focuses more on user controls for cookies rather than on controller obligations”.

Another finding was that all but one website set cookies immediately on landing — with “many” of these found to have no legal justification for not asking first, as the DPC determined they fall outside available consent exemptions in the relevant regulations.

It also identified widespread abuse of the concept of ‘strictly necessary’ where the use of trackers are concerned. “Many controllers categorised the cookies deployed on their websites as having a ‘necessary’ or ‘strictly necessary’ function, where the stated function of the cookie appeared to meet neither of the two consent exemption criteria set down in the ePrivacy Regulations/ePrivacy Directive,” it writes in the report. “These included cookies used to establish chatbot sessions that were set prior to any request by the user to initiate a chatbot function. In some cases, it was noted that the chatbot function on the websites concerned did not work at all.

“It was clear that some controllers may either misunderstand the ‘strictly necessary’ criteria, or that their definitions of what is strictly necessary are rather more expansive than the definitions provided in Regulation 5(5),” it adds.

Another problem the report highlights is a lack of tools for users to vary or withdraw their consent choices, despite some of the reviewed sites using so called ‘consent management platforms’ (CMPs) sold by third-party vendors.

This chimes with a recent independent study of CPMs — which earlier this year found illegal practices to be widespread, with “dark patterns and implied consent… ubiquitous”, as the researchers put it.

“Badly designed — or potentially even deliberately deceptive — cookie banners and consent-management tools were also a feature on some sites,” the DPC writes in its report, detailing some examples of Quantcast’s CPM which had been implemented in such a way as to make the interface “confusing and potentially deceptive” (such as unlabelled toggles and a ‘reject all’ button that had no effect).

Pre-checked boxes/sliders were also found to be common, with the DPC finding ten of the 38 controllers used them — despite ‘consent’ collected like that not actually being valid consent.

“In the case of most of the controllers, consent was also ‘bundled’ — in other words, it was not possible for users to control consent to the different purposes for which cookies were being used,” the DPC also writes. “This is not permitted, as has been clarified in the Planet49 judgment. Consent does not need to be given for each cookie, but rather for each purpose. Where a cookie has more than one purpose requiring consent, it must be obtained for all of those purposes separately.”

In another finding, the regulator came across instances of websites that had embedded tracking technologies, such as Facebook pixels, yet their operators did not list these in responses to the survey, listing only http browser cookies instead. The DPC suggests this indicates some controllers aren’t even aware of trackers baked into their own sites.

“It was not clear, therefore, whether some controllers were aware of some of the tracking elements deployed on their websites — this was particularly the case where small controllers had outsourced their website management and development to a third-part,” it writes.

The worst sector of its targeted sweep — in terms of “poor practices and, in particular, poor understanding of the ePrivacy Regulations and their purpose” — was the restaurants and food-ordering sector, per the report. (Though the finding is clearly based on a small sampling across multiple sectors.)

Despite encountering near blanket failure to actually comply with the law, the DPC, which also happens to be the lead regulator for much of big tech in Europe, has responded by issuing, er, further guidance.

This includes specifics such as pre-checked consent boxes must be removed; cookie banners can’t be designed to ‘nudge’ users to accept and a reject option must have equal prominence; and no non-necessary cookies be set on landing. It also stipulates there must always be a way for users to withdraw consent — and doing so should be as easy as consenting.

All stuff that’s been clear and increasingly so at least since the GDPR came into application in May 2018. Nonetheless the regulator is giving the website operators in question a further six months’ grace to get their houses in order — after which it has raised the prospect of actually enforcing the EU’s ePrivacy Directive and the General Data Protection Regulation.

“Where controllers fail to voluntarily make changes to their user interfaces and/or their processing, the DPC has enforcement options available under both the ePrivacy Regulations and the GDPR and will, where necessary, examine the most appropriate enforcement options in order to bring controllers into compliance with the law,” it warns.

The report is just the latest shot across the bows of the online tracking industry in Europe.

The UK’s Information Commission’s Office (ICO) has been issuing sternly worded blog posts for months. Its own report last summer found illegal profiling of Internet users by the programmatic ad industry to be rampant — also giving the industry six months to reform.

However the ICO still hasn’t done anything about the adtech industry’s legal blackhole — leading to privacy experts to denouncing the lack of any “substantive action to end the largest data breach ever recorded in the UK”, as one put it at the start of this year.

Ireland’s DPC, meanwhile, has yet to put the decision trigger on multiple cross-border investigations into the data-mining business practices of tech giants including Facebook and Google, following scores of GDPR complaints — including several targeting their legal base to process people’s data.

A two-year review of the pan-EU regulation, set for May 2020, provides one hard deadline that might concentrate minds.

This Week in Apps: Zoom has issues, Pinterest founder’s new COVID-19 research app, record Q1 spending

Welcome back to This Week in Apps, the Extra Crunch series that recaps the latest OS news, the applications they support and the money that flows through it all.

The app industry saw a record 204 billion downloads and $120 billion in consumer spending in 2019, according to App Annie’s “State of Mobile” annual report. People are now spending 3 hours and 40 minutes per day using apps, rivaling TV. Apps aren’t just a way to pass idle hours — they’re a big business. In 2019, mobile-first companies had a combined $544 billion valuation, 6.5x higher than those without a mobile focus.

In this Extra Crunch series, we help you keep up with the latest news from the world of apps, delivered on a weekly basis.

This week, we’re continuing our special coverage of how the COVID-19 outbreak is impacting apps and the wider mobile app industry — or rather, the boost many apps are receiving as a result. In fact, the first quarter saw consumer spending hit record levels in Q1 as everyone was staying indoors. But as some apps shoot up the charts, scrutiny over their practices increases. This week saw No. 1 app Zoom defending itself against a host of complaints over security issues, for example, while social video app Houseparty defended itself against a possible smear campaign. There’s also a new app from the Pinterest CEO for tracking the spread of COVID-19.

Also this week: more leaks about the new version of iOS, Apple bought Dark Sky, Niantic pivoted, TikTok moved up the charts and more.

Coronavirus/COVID-19 special coverage

Pinterest CEO, scientists team up on COVID-19 tracking app

Google research makes for an effortless robotic dog trot

As capable as robots are, the original animals after which they tend to be designed are always much, much better. That’s partly because it’s difficult to learn how to walk like a dog directly from a dog — but this research from Google’s AI labs make it considerably easier.

The goal of this research, a collaboration with UC Berkeley, was to find a way to efficiently and automatically transfer “agile behaviors” like a light-footed trot or spin from their source (a good dog) to a quadrupedal robot. This sort of thing has been done before, but as the researchers’ blog post points out, the established training process can often “require a great deal of expert insight, and often involves a lengthy reward tuning process for each desired skill.”

That doesn’t scale well, naturally, but that manual tuning is necessary to make sure the animal’s movements are approximated well by the robot. Even a very doglike robot isn’t actually a dog, and the way a dog moves may not be exactly the way the robot should, leading the latter to fall down, lock up or otherwise fail.

The Google AI project addresses this by adding a bit of controlled chaos to the normal order of things. Ordinarily, the dog’s motions would be captured and key points like feet and joints would be carefully tracked. These points would be approximated to the robot’s in a digital simulation, where a virtual version of the robot attempts to imitate the motions of the dog with its own, learning as it goes.

So far, so good, but the real problem comes when you try to use the results of that simulation to control an actual robot. The real world isn’t a 2D plane with idealized friction rules and all that. Unfortunately, that means that uncorrected simulation-based gaits tend to walk a robot right into the ground.

To prevent this, the researchers introduced an element of randomness to the physical parameters used in the simulation, making the virtual robot weigh more, or have weaker motors, or experience greater friction with the ground. This made the machine learning model describing how to walk have to account for all kinds of small variances and the complications they create down the line — and how to counteract them.

Learning to accommodate for that randomness made the learned walking method far more robust in the real world, leading to a passable imitation of the target dog walk, and even more complicated moves like turns and spins, without any manual intervention and only a little extra virtual training.

Naturally manual tweaking could still be added to the mix if desired, but as it stands this is a large improvement over what could previously be done totally automatically.

In another research project described in the same post, another set of researchers describe a robot teaching itself to walk on its own, but imbued with the intelligence to avoid walking outside its designated area and to pick itself up when it falls. With those basic skills baked in, the robot was able to amble around its training area continuously with no human intervention, learning quite respectable locomotion skills.

The paper on learning agile behaviors from animals can be read here, while the one on robots learning to walk on their own (a collaboration with Berkeley and the Georgia Institute of Technology) is here.

Want to survive the downturn? Better build a platform

When you look at the most successful companies in the world, they are almost never just one simple service. Instead, they offer a platform with a range of services and an ability to connect to it to allow external partners and developers to extend the base functionality that the company provides.

Aspiring to be a platform and actually succeeding at building one are not the same. While every startup probably sees themselves as becoming a platform play eventually, the fact is it’s hard to build one. But if you can succeed and your set of services become an integral part of a given business workflow, your company could become bigger and more successful than even the most optimistic founder ever imagined.

Look at the biggest tech companies in the world, from Microsoft to Oracle to Facebook to Google and Amazon. All of them offer a rich complex platform of services. All of them provide a way for third parties to plug in and take advantage of them in some way, even if it’s by using the company’s sheer popularity to advertise.

Michael A. Cusumano, David B. Yoffie and Annabelle Gawer, who wrote the book The Business of Platforms, wrote an article recently in MIT Sloan Review on The Future of Platforms, saying that simply becoming a platform doesn’t guarantee success for a startup.

“Because, like all companies, platforms must ultimately perform better than their competitors. In addition, to survive long-term, platforms must also be politically and socially viable, or they risk being crushed by government regulation or social opposition, as well as potentially massive debt obligations,” they wrote.

In other words, it’s not cheap or easy to build a successful platform, but the rewards are vast. As Cusumano, Yoffie and Gawer point out their studies have found, “…Platform companies achieved their sales with half the number of employees [of successful non-platform companies]. Moreover, platform companies were twice as profitable, were growing twice as fast, and were more than twice as valuable as their conventional counterparts.”

From an enterprise perspective, look at a company like Salesforce . The company learned long ago that it couldn’t possibly build every permutation of customer requirements with a relatively small team of engineers (especially early on), so it started to build hooks into the platform it had built to allow customers and consultants to customize it to meet the needs of individual organizations.

Eventually Salesforce built APIs, then it built a whole set of development tools, and built a marketplace to share these add-ons. Some startups like FinancialForce, Vlocity and Veeva have built whole companies on top of Salesforce.

Rory O’Driscoll, a partner at Scale Venture Partners, speaking at a venture capitalist panel at BoxWorks in 2014, said that many startups aspire to be platforms, but it’s harder than it looks. “You don’t make a platform. Third-party developers only engage when you achieve a critical mass of users. You have to do something else and then become a platform. You don’t come fully formed as a platform,” he said at the time.

If you’re thinking, how you could possibly start a company like that in the middle of a massive economic crisis, consider that Microsoft launched in 1975 in the middle of recession. Google and Salesforce both launched in the late 1990s, just ahead of the dot-com crash, and Facebook launched in 2004, four years before the massive downturn in 2008. All went on to become tremendously successful companies

That success often requires massive spending and sales and marketing burn, but when it works, the rewards are enormous. Just don’t expect that it’s an easy path to success.

Google rolls back SameSite cookie changes to keep essential online services from breaking

Google today announced that it will temporarily roll back the changes it recently made to how its Chrome browser handles cookies in order to ensure that sites that perform essential services like banking, online grocery, government services and healthcare won’t become inaccessible to Chrome users during the current COVID-19 pandemic.

The new SameSite rules, which the company started rolling out to a growing number of Chrome users in recent months, are meant to make it harder for sites to access cookies from third-party sites and hence track a user’s online activity. These new rules are also meant to prevent cross-site request forgery attacks.

Under Google’s new guidance, developers have to explicitly allow their cookies to be read by third-party sites, otherwise, the browser will prevent these third-party sites from accessing them.

Since this is a pretty major change, Google gave developers quite a bit of time to adapt their applications to it. Still, not every site is ready yet and so the Chrome team decided to halt the gradual rollout and stop enforcing these new rules for the time being.

“While most of the web ecosystem was prepared for this change, we want to ensure stability for websites providing essential services including banking, online groceries, government services and healthcare that facilitate our daily life during this time,” writes Google Chrome engineering director Justin Schuh. “As we roll back enforcement, organizations, users and sites should see no disruption.”

A Google spokesperson also told us that the team saw some breakage in sites “that would not normally be considered essential, but with COVID-19 having become more important, we made this decision in an effort to ensure stability during this time.”

The company says it plans to resume its SameSite enforcement over the summer, though the exact timing isn’t yet clear.