Axios’ Dan Primack on ‘the most polarizing startup that exists’

Hello and welcome back to Equity, TechCrunch’s venture capital-focused podcast, where we unpack the numbers behind the headlines.

This week was a bit special. Instead of meeting up at the TechCrunch HQ to record the episode, Kate and Alex met up in muggy Boston at Drift’s office, where we linked up with Axios’s Dan Primack. And since we were feeling chatty, we went a bit long.

After checking in with Primack (he has a newsletter and a podcast), we first dealt with the latest from Tumblr. In short, Verizon Media is selling Tumblr to Automattic for a few dollars. How did Verizon wind up owning Tumblr? Ah. Well, Yahoo bought it. Later, after Verizon bought AOL, it bought Yahoo. Then it smushed them together and called it Oath. Then Verizon decided that it didn’t like that much and renamed the group Verizon Media. But Verizon doesn’t want to own media (besides TechCrunch, of course), so it sold Tumblr to Automattic, a venture-backed company best known for operating WordPress.

That’s a lot, I know. What matters is that Yahoo bought Tumblr for more than $1 billion. Verizon sold it for around $3 million. Now, Automattic has a few hundred new employees and a shot at juicing its userbase before it goes public.

After that, we lamented that the WeWork S-1 had yet to appear. This was a tragedy, frankly. We had expected to spend half the show riffing on WeWork’s financials, alas…

So we turned to some normal material, like Ramp’s recent $7 million raise to take on Brex, and SmartNews’s recent round, which gave it an eye-popping $1.1 billion valuation.

We ran a bit long because we were having fun, fitting in some conversation surrounding the notes from the SEC regarding the now-dead and then-fraudulent Rothenberg Ventures. More on that here if you want to get angry.

And finally, Vision Fund 2. It’s been a big source of interest for everyone on the show, and we expect whatever the second-act Vision Fund winds up becoming to be a big damn deal. The fund will invest in more than just consumer marketplaces; in fact, it’s eyeing more AI businesses and even biotech. That should be interesting.

All that and we have a lot more good stuff coming. Thanks for listening to the show, and we’ll be right back.

Equity drops every Friday at 6:00 am PT, so subscribe to us on Apple Podcasts, Overcast, Pocket Casts, Downcast and all the casts.

Where are all the biotech startups raising?

Where are all the biotechnology companies raising these days? We crunched some numbers to arrive at an answer.

Using funding rounds data from Crunchbase, we plotted the count of venture capital funding rounds raised by companies in the fairly expansive biotechnology category in Crunchbase. Click the chart below and you can hover over individual data points to see the number of venture rounds raised in a given metro area between the start of 2018 and late May 2019 (as of publication). Although there are biotechnology companies located throughout the world, we focused here on just the U.S.

[Chart: U.S. biotech venture rounds by metro area, 2018 to May 2019]

Unlike in the software-funding business, where New York City (and its surrounding area) ranks second in overall deal volume, the greater Boston metro area outranks the Big Apple in biotech venture deal volume. The SF Bay Area (which includes both San Francisco and the towns in Silicon Valley north and west of San Jose) outranks Boston in biotech deal volume, but, then again, it’s also a much larger geographic area with a higher density of startups overall.

The bio business model breeds big deals

Crunchbase News recently covered a $120 million round raised by immunotherapy upstart AlloVir. In the software business, a raise that large would be notable; however, in the business of biology, not so much.

Just for reference, the average Series B round raised by U.S. enterprise software startups between 2018 and May 2019 was about $22.7 million. The average Series B for biotech companies from that same time period: just about $40 million on the dot.

Spinning up a cluster of cells at a lab bench is costlier, harder to do and the outcomes of experiments are less certain than the results of implementing a new software framework. Add to that the tremendous cost of performing clinical trials and clearing regulatory hurdles — all before costly sales and marketing campaigns to get treatments in front of doctors and end users — and it’s easy to understand why many biotechnology companies need to raise so much money in the early stages of the startup cycle.

Backed by LG, AmazeVR is hoping to resurrect virtual reality’s consumer dreams

For over 100 years entrepreneurs have come to Hollywood to try their luck in the dream factory and build an empire in the business of storytelling.

Propelled by new technologies, new businessmen have been landing in Los Angeles since the invention of the nickelodeon to create a studio that would dominate popular entertainment. Over the past five years, virtual reality was the latest new thing to make or break fortunes, and the founding team behind the Korean company AmazeVR are the latest would-be dream-makers to take their turn spinning the wheel for Hollywood fortunes.

Despite billions of dollars in investment, and a sustained marketing push from some of the biggest names in the technology industry, virtual reality still doesn’t register with most regular consumers.

But technology companies keep pushing it, driven in part by a belief that maybe this time the next advancement in hardware and services will convince consumers to strap a headset onto their face and stay for a while in a virtual world.

There are significant economic reasons for companies to persist. Sales of headsets in the fourth quarter of 2018 topped 1 million for the first time and new, low cost all-in-one models may further move the needle on adoption. Hardware makers have invested billions to improve the technology, and they’d like that money to not go to waste. At the same time, networking companies are spending billions to roll out new, high speed data networks and they need new data-hungry features (like virtual reality) to make a compelling case for consumers to upgrade to the newer, more expensive networking plans.

Sitting at the intersection of these two market forces are companies like AmazeVR, which is hoping to beat the odds.

Founded by a team of ace Korean technologists who won fame and fortune as early executives of the multi-billion dollar messaging service Kakao (it’s the Korean equivalent of WhatsApp or WeChat), AmazeVR is hoping it can succeed in a marketplace littered with production studios like Baobab Studios, Here Be Dragons, The Virtual Reality Company, and others.

The company was formed and financed with $6.3 million from its founding team of Kakao co-founder and co-chief executive, JB Lee, who serves as Amaze’s chief product officer; its head of strategy, Steve Lee, AmazeVR’s chief executive; Jeremy Nam, the chief technology officer at AmazeVR and the former senior software engineer of Kakao; and finally, Steve Koo, who led KakaoTalk’s messaging team and is now head of engineering at AmazeVR.

“What we saw as the problem is the content creation itself,” says Lee.

Encouraged by the potential uptake of the Oculus Go and spurred on by $7 million in funding led by Mirae Asset Group with participation from strategic investors including LG Technology Ventures, Timewise Investment, and Smilegate Investment, AmazeVR is looking to plant a flag in Hollywood to encourage producers and content creators to use its platform and get a significant library of content up and running. 

For LG, it’s strategically important to get some applications up on its newly launched 5G subscription network back in Korea, and AmazeVR is already rolling up new content for its VR platform.

In fact, AmazeVR has already partnered with LG U+, the telecommunications network arm of LG, to produce virtual reality content. LG U+ will host AmazeVR content on its service and use the company’s proprietary content generation tools to make VR production easier as it looks to roll out 1500 new pieces of virtual reality “experiences”.

AmazeVR sells its content as a $7 per-month subscription, with 3 month bundles for $18 and 6 month bundles for $24. So far, they’ve got more than 1,000 subscribers and expect to add more as consumers start opening their wallets to pick up more devices. The company already has 20 different interactive virtual reality experiences available and is in Los Angeles to connect with top talent for additional productions, the company said.

“We believe cloud-based VR is the future, and AmazeVR has developed elegant technology that enables users to create and share interactive content very easily,” said Dong-Su Kim, CEO of LG Technology Ventures, in a statement. “We are incredibly excited about how the AmazeVR platform will enable innovative, quality content to be generated at unprecedented scale and speed.”

AmazeVR uses a proprietary backend to stitch 360-degree video and provide editing and production tools for content creators in addition to building its own cameras for video capture, the company said.

As it builds out its library, AmazeVR is giving video creators a cut of the sales from the company’s subscriptions and individual downloads of their virtual reality experiences.

“We see no reason that VR content shouldn’t be compelling enough to support a Netflix model. To get there, we must devise mechanisms to inspire, assist, and reward content creators,” said Steve Lee, CEO of AmazeVR. “Our approach, commitment to quality, industry-leading technology, and strategic investors provide a path forward to make VR/AR the next great frontier for entertainment and personal displays.”

Cathay Capital and AfricInvest to raise $168M Africa VC fund

Tunisia based private equity firm Africinvest has teamed up with Cathay Capital — a global private equity firm based in Paris — to launch a new Africa tech fund with a target raise of $168 million.

Details are still forthcoming, but the Cathay Africinvest Innovation Fund will focus primarily on series A to C stage investments in African technology companies, says fund co-founder Denis Barrier.

“We’ll look at investments across several countries in Africa. We’ll focus on areas such as fintech, logistics, AI, agtech, and edutech,” Barrier says.

Barrier could not say when the fund would be closed, but did confirm investments could come as early as summer 2019. He expects to see strong local showing for startups from across Africinvest’s 10 country offices in Abidjan, Algiers, Cairo, Casablanca, Dubai, Lagos, Nairobi, Paris, Port Louis and Tunis. The firm will open an office in Johannesburg in the near future, according to a company release.

In the private equity space, both founding companies of the new Cathay Africinvest Innovation Fund carry considerable capital and scope. Co-founded by Denis Barrier and Mingpo Cai, Cathay Capital has $2.5 billion in assets under management and offices in the U.S., Europe, Asia, and the Middle-East.

Per Crunchbase, Africinvest’s 46 venture and debt investments span the brick and mortar side of many of the sectors the new tech fund looks to target, including education and banking.

With the line between banks and fintech also starting to blur in Africa, that could lead to an advantage for the Cathay Africinvest Innovation Fund in sourcing deal flow.

The new investment group enters during a period when investment rounds and the number of funds focused on African startups continue to grow rapidly. By Shenzhen or Silicon Valley standards, the value of VC to African startups—which surpassed $1 billion for the first time in 2018 according to Partech—is minuscule. But by one estimate, that represents more than a one-hundred percent increase in VC to Africa over a four-year period.

The number of Africa focused VC firms globally has also grown, topping 51 in 2018 per TechCrunch and Crunchbase research.

The Cathay Africinvest Innovation Fund takes the number to 52.

Yahoo spinout Altaba is selling its entire Alibaba stake and closing down

Bye bye, Altaba. The Yahoo spinout created to house Yahoo’s lucrative stake in Alibaba and Yahoo Japan, announced today that it will sell its lucrative stake in Alibaba and shut up shop.

The entity has long existed as a proxy to Alibaba — some might argue Yahoo was the same in its final years — and the sale is expected to net shareholders around $40 billion.

Altaba was formed following AOL’s 2017 acquisition of Yahoo to create Oath — disclaimer: that’s TechCrunch’s parent, and it is now called Verizon Media Group — to keep hold of the 15 percent stake in Alibaba and a 35.5 percent stake in Yahoo Japan that Yahoo owned.

Those Yahoo Japan shares were unloaded in September for over $4 billion, and now Altaba will shift its remaining Alibaba holdings — that’s around 11 percent of the company following a partial sale last year; Altaba is Alibaba’s second-largest stakeholder — and disappear from the world by Q4.

The sale is expected to generate a net return of around $40 billion for Altaba stockholders — the provided range is between $39.8 billion and $41.1 billion based on share prices and associated expenditure — and it’ll happen in two parts. The first will see up to 50 percent of the stake sold, the rest will be traded if Altaba receives approval from its stockholders.

With that, Altaba’s (and Yahoo’s) long association with Alibaba will be over. The reality is that this essentially happened following the Oath deal; Altaba was merely created to hold the asset and at some point that would mean liquidating it. That day is now confirmed and on its way.

“Since June of 2017 we have taken a series of aggressive actions designed to drive shareholder value and these have yielded measurable results as our trading discount has narrowed and our stock has meaningfully outperformed a composite of its underlying assets. The right next action for shareholders is the plan we are announcing today as it represents the most definitive step, generally within our control, that we could take to reduce the discount to net asset value at which our Shares trade,” said Altaba CEO Thomas J. McInerney in a statement.

“Stocks are for trading. Any shareholder has the right to deal stock anytime on the market, for any purpose. We’re happy to have had Yahoo invest in Alibaba in the past and to see it now collecting a strong return on its investment,” an Alibaba spokesperson told TechCrunch.

The story of Yahoo’s involvement with Alibaba is a legendary one.

Yahoo invested $1 billion for 30 percent of Alibaba back in 2005 through a (now famous) story between Yahoo CEO Jerry Yang and Alibaba president Jack Ma. Ma, a former English teacher who was then a government employee, was assigned to accompany Yang on a planned trip to see the Great Wall of China and their relationship went from there.

Yahoo infamously sold half of its stake back to Alibaba in 2012 through a deal that valued the shares at $13. Just two years later, Alibaba went public in a record-breaking U.S. IPO. Shares were $68 at the bell, and today they are worth around $181 so Yahoo missed out on an even greater fortune.

Former Oath CEO Tim Armstrong is exiting Verizon with a payout worth more than $60 million

Tim Armstrong will leave Verizon Communications with an awards and benefits package worth more than $60 million. The Wall Street Journal calculated the total amount based on a securities filing from last Monday by combining Armstrong’s compensation in 2018, severance and a special incentive package he was given by Verizon when it acquired AOL in 2015. Armstrong was head of Oath (now called Verizon Media), which took a write down of $4.5 billion last year and laid off seven percent of its workforce as it struggled to compete with other digital media companies.

Oath, the company’s digital media unit, was created in 2017 by merging AOL and Yahoo, two companies acquired by Verizon Communications. (Disclosure: TechCrunch was part of AOL, then Oath and now Verizon Media).

Verizon Communications announced Oath’s $4.5 billion after-tax write down at the end of last year. It said the sum, which basically cancelled out the benefits of the merger, was due to increased competition in digital advertising and other market pressures that had resulted in lower-than-expected 2018 results, and that it expected those issues to continue.

The business unit also announced in late January that it would lay off seven percent of its workforce, or about 800 employees.

After months of rumors, Verizon Communications announced that Armstrong would be succeeded as CEO of Oath by Guru Gowrappan last September. Armstrong formally left the company at the end of 2018.

TechCrunch has contacted Verizon for comment.

EU gov’t and public health sites lousy with adtech, study finds

A study of tracking cookies running on government and public sector health websites in the European Union has found commercial adtech to be operating pervasively even in what should be core not-for-profit corners of the Internet.

The researchers used searches including queries related to HIV, mental health, pregnancy, alcoholism and cancer to examine how frequently European Internet users are tracked when accessing national health service webpages to look for publicly funded information about sensitive concerns.

The study also found that most EU government websites have commercial trackers embedded on them, with 89 per cent of official government websites found to contain third party ad tracking technology.

The research was carried out by Cookiebot using its own cookie scanning technology to examine trackers on public sector websites, scanning 184,683 pages on all 28 EU main government websites.

Only the Spanish, German and the Dutch websites were found not to contain any commercial trackers.

The highest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments.

The researchers also ran a sub-set of 15 health-related queries across six EU countries (UK, Ireland, Spain, France, Italy and Germany) to identify relevant landing pages hosted on the websites of the corresponding national health service — going on to count and identify tracking domains operating on the landing pages.

Overall, they found a majority (52 per cent) of landing pages on the national health services of the six EU countries contained third party trackers.

Broken down by market, the Irish health service ranked worst — with 73 per cent of landing pages containing trackers.

While the UK, Spain, France and Italy had trackers on 60 per cent, 53 per cent, 47 per cent and 47 per cent of landing pages, respectively.

Germany ranked lowest of the six, yet they still found a third of the health service landing pages contained trackers.

Searches on publicly funded health service sites being compromised by the presence of adtech suggests highly sensitive inferences could be being made about web users by the commercial companies behind the trackers.

Cookiebot found a very long list of companies involved — flagging for example how 63 companies were monitoring a single German webpage about maternity leave; and 21 different companies were monitoring a single French webpage about abortion.

“Vulnerable citizens who seek official health advice are shown to be suffering sensitive personal data leakage,” it writes in the report. “Their behaviour on these sites can be used to infer sensitive facts about their health condition and life situation. This data will be processed and often resold by the ad tech industry, and is likely to be used to target ads, and potentially affect economic outcomes, such as insurance risk scores.”

“These citizens have no clear way to prevent this leakage, understand where their data is sent, or to correct or delete the data,” it warns. 

It’s worth noting that Cookiebot and its parent company Cybot’s core business is related to selling EU data protection compliance services. So it’s not without its own commercial interests here. Though there’s no doubting the underlying adtech sprawl the report flags.

Where there’s some fuzziness is around exactly what these trackers are doing, as some could be used for benign site functions like website analytics.

Albeit, if/when the owner of the freebie analytics services in question is also adtech giant Google that still may not feel reassuring, from a privacy point of view.

100+ firms tracking EU public sector site users

Across both government and health service websites, Cookiebot says it identified a total of 112 companies using trackers that send data to a total of 131 third party tracking domains.

It also found 10 companies which actively masked their identity — with no website hosted at their tracking domains, and domain ownership (WHOIS) records hidden by domain privacy services, meaning they could not be identified. That’s obviously of concern. 

Here’s the table of identified tracking companies — which, disclosure alert, includes AOL and Yahoo which are owned by TechCrunch’s parent company, Verizon.

Adtech giants Google and Facebook are also among adtech companies tracking users across government and health service websites, along with a few other well known tech names — such as Oracle, Microsoft and Twitter.

Cookiebot’s study names Google “the kingpin of tracking” — finding the company performed more than twice as much tracking as any other, seemingly as a result of Google owning several of the most dominant ad tracking domains.

Google-owned YouTube.com, DoubleClick.net and Google.com were the top three tracking domains IDed by the study. 

“Through the combination of these domains, Google tracks website visits to 82% of the EU’s main government websites,” Cookiebot writes. “On each of the 22 main government websites on which YouTube videos have been installed, YouTube has automatically loaded a tracker from DoubleClick.net (Google’s primary ad serving domain). Using DoubleClick.net and Google.com, Google tracks visits to 43% of the scanned health service landing pages.”

“Given its control of many of the Internet’s top platforms (Google Analytics, Maps, YouTube, etc.), it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else,” it continues. “It is of special concern that Google is capable of cross-referencing its trackers with its 1st party account details from popular consumer-oriented services such as Google Mail, Search, and Android apps (to name a few) to easily associate web activity with the identities of real people.”

Under European data protection law “subjective” information that’s associated with an individual — such as opinions or assessments — is absolutely considered personal data.

So tracker-fuelled inferences being made about site visitors are subject to EU data protection law — which has even more strict rules around the processing of sensitive categories of information like health data.

That in turn suggests that any adtech companies doing third-party-tracking of Internet users and linking sensitive health queries to individual identities would need explicit user consent to do so.

The presence of adtech trackers on sensitive health data pages certainly raises plenty of questions.

We asked Google for a response to the Cookiebot report, and a spokesperson sent us the following statement regarding sensitive category data specifically — in which it claims: “We do not permit publishers to use our technology to collect or build targeting lists based on users’ sensitive information, including health conditions like pregnancy or HIV.”

Google also claims it does not itself infer sensitive user interest categories.

Furthermore it said its policies for personalized ads prohibit its advertisers from collecting or using sensitive interest categories to target users. (Though saying you’re telling someone not to do something is not the same as that thing not being done. That would depend on the enforcement.)

Google’s spokesperson was also keen to point to its EU user consent policy — where it says it requires site owners that use its services to ensure they have correct disclosures and consents for personalised ads and cookies from European end users.

The company warns it may suspend or terminate a site’s use of its services if they have not obtained the right disclosures and consents. It adds there’s no exception for government sites.

On tags and disclosure generally, the Google spokesperson provided the following comment: “Our policies are clear: If website publishers choose to use Google web or advertising products, they must obtain consent for cookies associated with those products.”

Where Google Analytics cookies are concerned, Google said traffic data is only collected and processed per instructions it receives from site owners and publishers — further emphasizing that such data would not be used for ads or Google purposes without authorization from the website owner or publisher.

Albeit sloppy implementations of freebie Google tools by resource-strapped public sector site administrators might make such authorizations all too easy to unintentionally enable.

So, tl;dr — as Google tells it — the onus for privacy compliance is on the public sector websites themselves.

Though given the complex and opaque mesh of technology that’s grown up sheltering under the modern ‘adtech’ umbrella, opting out of this network’s clutches entirely may be rather easier said than done.

Cookiebot’s founder, Daniel Johannsen, makes a similar point to Google’s in the report intro, writing: “Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains — in violation of the laws that they have themselves put in place.”

“More than nine months into the GDPR [General Data Protection Regulation], a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” he adds, calling for public sector bodies to “lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites”.

“The fact that so many public sector websites have failed to protect themselves and their visitors against the inventive methods of the tracking industry clearly demonstrates the educational challenge that the wider web faces: How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?”

Trackers creeping in by the backdoor

On the “inventive methods” front, the report flags how third party javascript technologies — used by websites for functions like video players, social sharing widgets, web analytics, galleries and comments sections — can offer a particularly sneaky route for trackers to be smuggled into sites and apps by the ‘backdoor’.

Cookiebot gives the example of social sharing tool, ShareThis, which automatically adds buttons to each webpage to make it easy for visitors to share information across social media platforms.

The ShareThis social plugin is used by Ireland’s public health service, the Health Service Executive (HSE). And there Cookiebot found it releases trackers from more than 20 ad tech companies into every webpage it is installed on.

“By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission,” it writes. “This result was confirmed on pages linked from search queries for “mortality rates of cancer patients” and “symptoms of postpartum depression”.”

“Although website operators like the HSE do control which 3rd parties (like ShareThis) they add to their websites, they have no direct control over what additional “4th parties” those 3rd parties might smuggle in,” it warns.

We’ve reached out to ShareThis for a response.

Another example flagged by the report is what Cookiebot dubs “YouTube’s Tracking Cover-Up”.

Here it says it found that even when a website has enabled YouTube’s so-called “Privacy-enhanced Mode”, in a bid to limit its ability to track site users, the mode “currently stores an identifier named “yt-remote-device-id” in the web browser’s “Local Storage”” which Cookiebot found “allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims”.

“Rather than disabling tracking, “privacy-enhanced mode” seems to cover it up,” they claim. 

Google did not provide an on the record comment regarding that portion of the report.

Instead the company sent some background information about “privacy-enhanced mode” — though its points did not engage at all with Cookiebot’s claim that tracking continues regardless of whether a user watches or interacts with a video in any way.

Overall, Google’s main point of rebuttal vis-a-vis the report’s conclusion — i.e. that even on public sector sites surveillance capitalism is carrying on business as usual — is that not all cookies and pixels are ad trackers. So its claim is a cookie ‘signal’ might just be harmless background ‘noise’.

(In additional background comments Google suggested that if a website is running an advertising campaign using its services — which presumably might be possible in a public sector scenario if an embedded YouTube video contains an ad (for example) — then an advertising cookie could be a conversion pixel used (only) to measure the effectiveness of the ad, rather than to track a user for ad targeting.

For DoubleClick cookies on websites in general, Google told us this type of cookie would only appear if the website specifically signed up with its ad services or another vendor which uses its ad services.

It further claimed it does not embed tracking pixels on random pages or via Google Analytics with Doubleclick cookies.)

The problem here is the lack of transparency in the adtech industry which requires users to take ad targeters at their word — and trust that an adtech giant like Google, which makes pots of money off of tracking web users to target them with ads, has nonetheless built perfectly privacy-respecting, non-leaky infrastructure that operates 100% as separately and cleanly as claimed, even as the entire adtech industry’s business incentives are pushing in the opposite direction.

Also a problem: Certain adtech giants having a long and storied history of bundling purposes for user data and manipulating consent in privacy-hostile ways.

And with trust in adtech at such a historic low — plus regulation having been rebooted in Europe to put the focus on enforcement (which is encouraging a cottage industry of GDPR ‘compliance’ services to wade in) — the industry’s preferred cloak of complex opacity is under attack on multiple fronts (including from policymakers) and does look to be on borrowed time.

And as more light shines in and risk steps up, sensitive public sector websites could just decide to nix using any of these freebie plugins.

In another “inventive” case study highlighted by the report, Cookiebot writes that it documented instances of Facebook using a first party cookie workaround for Safari’s intelligent tracker blocking system to harvest user data on two Irish and UK health landing pages.

So even though Apple’s browser natively purges third party cookies to enhance user privacy by default, Facebook’s engineers appear to have managed to create a workaround.

Cookiebot says this works by Facebook’s new first party cookie — “_fbp” — storing a unique user ID that’s then forwarded as a URL parameter in the pixel tracker “tr” to Facebook.com — “thus allowing Facebook to track users after all”, i.e. despite Safari’s best efforts to prevent pervasive third party tracking.

“In our study, this combined tracking practice was documented on 2 Irish and UK landing pages featuring health information about HIV and mental illness,” it writes. “These types of workarounds of browser tracking prevention are highly intrusive as they undermine users’ attempts to protect their personal data – even when using browsers and extensions with the most advanced protection settings.”
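A site operator can check captured traffic for the pattern Cookiebot describes by comparing a page's first-party `_fbp` cookie with the query string of requests to the `tr` endpoint. The JavaScript below is an added illustration, not code from Cookiebot or Facebook; the `fbp` query parameter name, the cookie value format and the sample page loads are assumptions constructed for the example.

```javascript
// Parse a Cookie header ("a=1; b=2") into a Map of name -> value.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    jar.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return jar;
}

// True only for facebook.com itself or one of its subdomains.
function isFacebookHost(host) {
  const h = host.toLowerCase();
  return h === "facebook.com" || h.endsWith(".facebook.com");
}

// Inspect one page load: the page URL, the first-party Cookie header the
// browser holds for that page, and the URLs the page requested.
// Returns one finding per request that forwards the first-party ID.
function findFbpForwarding(pageLoad) {
  const findings = [];
  const firstPartyId = parseCookieHeader(pageLoad.firstPartyCookies).get("_fbp");
  if (!firstPartyId) return findings; // no first-party ID set on this page
  for (const raw of pageLoad.requests) {
    let url;
    try { url = new URL(raw); } catch { continue; } // skip malformed URLs
    if (!isFacebookHost(url.hostname)) continue;
    if (!/^\/tr\/?$/.test(url.pathname)) continue;   // pixel endpoint only
    const forwarded = url.searchParams.get("fbp");   // assumed parameter name
    if (forwarded !== null && forwarded === firstPartyId) {
      findings.push({
        page: pageLoad.pageUrl,
        endpoint: url.origin + url.pathname,
        id: forwarded,
      });
    }
  }
  return findings;
}

// Run the check over every captured page load.
function auditLoads(loads) {
  return loads.flatMap((load) => findFbpForwarding(load));
}

// Constructed sample data: hostnames, pixel ID and cookie values are made up.
const SAMPLE_LOADS = [
  {
    pageUrl: "https://health.example/hiv-information",
    firstPartyCookies: "session=abc; _fbp=fb.1.1550000000000.1234567890",
    requests: [
      "https://health.example/static/app.js",
      "https://www.facebook.com/tr/?id=000000000000000&ev=PageView&fbp=fb.1.1550000000000.1234567890",
    ],
  },
  {
    pageUrl: "https://council.example/bins",
    firstPartyCookies: "session=def",
    requests: ["https://www.facebook.com/tr/?id=000000000000000&ev=PageView"],
  },
];

for (const f of auditLoads(SAMPLE_LOADS)) {
  console.log(`${f.page} forwards first-party ID ${f.id} to ${f.endpoint}`);
}
```

Only the first sample page is reported: the second loads the pixel but has no `_fbp` cookie to forward.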

Reached for a response to the Cookiebot report, Facebook also did not engage with the case study of its Safari third party cookie workaround.

Instead, a spokesman sent us the following line: “[Cookiebot’s] investigation highlights websites that have chosen to use Facebook’s Business Tools — for example, the Like and Share buttons, or the Facebook pixel. Our Business Tools help websites and apps grow their communities or better understand how people use their services. For example, we could tell them that their site is most popular among people aged 20-25.”

In further information provided to us on background the company confirmed that data it receives from websites can be used for enhancing ad targeting on Facebook. (It said Facebook users can switch off ad personalization based on such signals — via the “Ads Based on Data from Partners” setting in Ad Preferences.)

It also said organizations that make use of its tools are subject to its Business Tools terms — which Facebook said require them to provide users with notice and obtain any required legal consent, including being clear with users about any information they share with it. 

Facebook further claimed it prohibits apps and websites from sending it sensitive data — saying it takes steps to detect and remove data that should not be shared with it.

ePrivacy Regulation needed to raise the bar

Commenting on the report in a statement, Diego Naranjo, senior policy advisor at digital rights group EDRi, called for European regulators to step up to defend citizens’ privacy.

“For the last 20 years, Europe has fought to regulate the sprawling chaos of data tracking. The GDPR is a historical attempt to bring the information economy in line with our core civil liberties, securing the same level of democratic control and trust online as we take for granted in our offline world. Yet, as this study has provided evidence of, nine months into the new regulation, online tracking remains as hidden, uncontrollable, and plentiful as ever,” he writes in the report. “We stress that it is the duty of regulators to ensure their citizens’ privacy.”

Naranjo also warned that another EU privacy regulation, the ePrivacy Regulation — which is intended to deal directly with tracking technologies — risks being watered down.

In the wake of GDPR it’s become the focus of major lobbying efforts, as we’ve reported before.

“One of the great added values of the ePrivacy Regulation is that it is meant to raise the bar for companies and other actors who want to track citizens’ behaviour on the Internet. Regrettably, now we are seeing signs of the ePrivacy Regulation becoming watered out, specifically in areas concerning “legitimate interest” and “consent”,” he warns.

“A watering down of the ePrivacy Regulation will open a Pandora’s box of more and more sharing, merging and reselling of personal data in huge online commercial surveillance networks, in which citizens are being unwittingly tracked and micro-targeted with commercial and political manipulation. Instead, the ePrivacy Regulation must set the bar high in line with the wishes of the European Parliament, securing that the privacy of our fellow citizens does not succumb to the dominion of the ad tech industry.”

Fifty years of the internet

When my team of graduate students and I sent the first message over the internet on a warm Los Angeles evening in October, 1969, little did we suspect that we were at the start of a worldwide revolution. After we typed the first two letters from our computer room at UCLA, namely, “Lo” for “Login,” the network crashed.

Hence, the first Internet message was “Lo” as in “Lo and behold” – inadvertently, we had delivered a message that was succinct, powerful, and prophetic.

The ARPANET, as it was called back then, was designed by government, industry and academia so scientists and academics could access each other’s computing resources and trade large research files, saving time, money and travel costs. ARPA, the Advanced Research Projects Agency, (now called “DARPA”) awarded a contract to scientists at the private firm Bolt Beranek and Newman to implement a router, or Interface Message Processor; UCLA was chosen to be the first node in this fledgling network.

By December, 1969, there were only four nodes – UCLA, Stanford Research Institute, the University of California-Santa Barbara and the University of Utah. The network grew exponentially from its earliest days, with the number of connected host computers reaching 100 by 1977, 100,000 by 1989, a million by the early 1990’s, and a billion by 2012; it now serves more than half the planet’s population.

Along the way, we found ourselves constantly surprised by unanticipated applications that suddenly appeared and gained huge adoption across the Internet; this was the case with email, the World Wide Web, peer-to-peer file sharing, user generated content, Napster, YouTube, Instagram, social networking, etc.

It sounds utopian, but in those early days, we enjoyed a wonderful culture of openness, collaboration, sharing, trust and ethics. That’s how the Internet was conceived and nurtured.  I knew everyone on the ARPANET in those early days, and we were all well-behaved. In fact, that adherence to “netiquette” persisted for the first two decades of the Internet.

Today, almost no one would say that the internet was unequivocally wonderful, open, collaborative, trustworthy or ethical. How did a medium created for sharing data and information turn into such a mixed blessing of questionable information? How did we go from collaboration to competition, from consensus to dissension, from a reliable digital resource to an amplifier of questionable information?

The decline began in the early 1990s when spam first appeared at the same time there was an intensifying drive to monetize the Internet as it reached deeply into the world of the consumer. This enabled many aspects of the dark side to emerge (fraud, invasion of privacy, fake news, denial of service, etc.).

It also changed the nature of internet technical progress and innovations as risk aversion began to stifle the earlier culture of “moon shots”. We are currently still suffering from those shifts. The internet was designed to promote decentralized information, democracy and consensus based upon shared values and factual information. In this it has failed to fully achieve the aspirations of its founding fathers.

As the private sector gained more influence, their policies and goals began to dominate the nature of the Internet.  Commercial policies gained influence, companies could charge for domain registration, and credit card encryption opened the door for e-commerce. Private firms like AOL, CompuServe and Earthlink would soon charge monthly fees for access, turning the service from a public good into a private enterprise.

This monetization of the internet has changed its flavor. On the one hand, it has led to services of great value. Here one can list pervasive search engines, access to extensive information repositories, consumer aids, entertainment, education, connectivity among humans, etc. On the other hand, it has led to excess and control in a number of domains.

Among these one can identify restricted access by corporations and governments, limited progress in technology deployment when the economic incentives are not aligned with (possibly short term) corporate interests, excessive use of social media for many forms of influence, etc.

If we ask what we could have done to mitigate some of these problems, one can easily name two. First, we should have provided strong file authentication – the ability to guarantee that the file that I receive is an unaltered copy of the file I requested. Second, we should have provided strong user authentication – the ability for a user to prove that he/she is who they claim to be.

Had we done so, we should have turned off these capabilities in the early days (when false files were not being dispatched and when users were not falsifying their identities). However, as the dark side began to emerge, we could have then gradually turned on these protections to counteract the abuses at a level to match the extent of the abuse. Since we did not provide an easy way to provide these capabilities from the start, we suffer from the fact that it is problematic to do so for today’s vast legacy system we call the Internet.


Having come these 50 years since its birth, how is the Internet likely to evolve over the next 50? What will it look like?

That’s a foggy crystal ball. But we can foresee that it is fast on its way to becoming “invisible” (as I predicted 50 years ago) in the sense that it will and should disappear into the infrastructure.

It should be as simple and convenient to use as is electricity; electricity is straightforwardly available via a trivially simple interface by plugging it into the wall; you don’t know or care how it gets there or where it comes from, but it delivers its services on demand.

Sadly, the internet is far more complicated to access than that. When I walk into a room, the room should know I’m there and it should provide to me the services and applications that match my profile, privileges and preferences.  I should be able to interact with the system using the usual human communication methods of speech, gestures, haptics, etc.

We are rapidly moving into such a future as the Internet of Things pervades our environmental infrastructure with logic, memory, processors, cameras, microphones, speakers, displays, holograms, sensors. Such an invisible infrastructure coupled with intelligent software agents embedded in the internet will seamlessly deliver such services. In a word, the internet will essentially be a pervasive global nervous system.

That is what I judge will be the likely essence of the future infrastructure. However, as I said above, the applications and services are extremely hard to predict as they come out of the blue as sudden, unanticipated, explosive surprises!  Indeed, we have created a global system for frequently shocking us with surprises – what an interesting world that could be!

Even the IAB warned adtech risks EU privacy rules

A privacy complaint targeting the behavioral advertising industry has a new piece of evidence that shows the Internet Advertising Bureau (IAB) casting doubt on whether it’s possible to obtain informed consent from web users for the programmatic ad industry’s real-time bidding (RTB) system to broadcast their personal data.

The adtech industry functions by harvesting web users’ data, packaging individual identifiers and browsing data in bid requests that are systematically shared with third parties in order to solicit and scale advertiser bids for the user’s attention.

However a series of RTB complaints — filed last fall by Jim Killock, director of the Open Rights Group; Dr Johnny Ryan of private browser Brave; and Michael Veale, a data and policy researcher at University College London — allege this causes “wide-scale and systemic breaches” of European Union data protection rules.

So far complaints have been filed with data protection agencies in Ireland, the UK and Poland, though the intent is for the action to expand across the EU given that behavioral advertising isn’t region specific.

Google and the IAB set the RTB specifications used by the online ad industry and are thus the main targets here, with complainants advocating for amendments to the specification to bring the system into compliance with the bloc’s data protection regime.

We’ve covered the complaint before, including an earlier submission showing the highly sensitive inferences that can be included in bid requests. But documents obtained by the complainants via freedom of information request and newly published this week show the IAB itself warned in 2017 that the RTB system risks falling foul of the bloc’s privacy rules, and specifically the rules around consent under the EU’s General Data Protection Regulation (GDPR), which came into force last May.

The complainants have published the latest evidence on a new campaign website.

At the very least the admission looks awkward for the online ad industry body.

“incompatible with consent under GDPR”

In an email sent to senior personnel at the European Commission in June 2017 by Townsend Feehan, the CEO of IAB Europe — and now being used as evidence in the complaints — she writes that she wants to expand on concerns voiced at a roundtable session about the Commission’s ePrivacy proposals that she claims could “mean the end of the online advertising business model”.

Feehan attached an 18-page document to the email in which the IAB can be seen lobbying against the Commission’s ePrivacy proposal — claiming it will have “serious negative impacts on the digital advertising industry, on European media, and ultimately on European citizens’ access to information and other online content and services”.

The IAB goes on to push for specific amendments to the proposed text of the regulation. (As we’ve written before, a major lobbying effort has blown up since GDPR was agreed to try to block updating the ePrivacy rules which operate alongside, covering marketing and electronic communications and cookies and other online tracking technologies.)

As it lobbies to water down ePrivacy rules, the IAB suggests it’s “technically impossible” for informed consent to function in a real-time bidding scenario — writing the following, in a segment entitled ‘Prior information requirement will “break” programmatic trading’:

As it is technically impossible for the user to have prior information about every data controller involved in a real-time bidding (RTB) scenario, programmatic trading, the area of fastest growth in digital advertising spend, would seem, at least prima facie, to be incompatible with consent under GDPR – and, as noted above, if a future ePrivacy Regulation makes virtually all interactions with the Internet subject solely to the consent legal basis, and consent is unavailable, then there will be no legal basis for such processing to take place or for media to monetise their content in this way.

The notion that it’s impossible to obtain informed consent from web users for processing their personal data prior to doing so is important because the behavioral ad industry, as it currently functions, includes personal data in bid requests that it systematically broadcasts to what can be thousands of third party companies.

Indeed, the crux of the RTB complaints is that personal data should be stripped out of these requests — and only contextual information broadcast for targeting ads, exactly because the current system is systematically breaching the rights of European web users by failing to obtain their consent for personal data to be sucked out and handed over to scores of unknown entities.

In its lobbying efforts to knock the teeth out of the ePrivacy Regulation the IAB can here be seen making a similar point — when it writes that programmatic trading “would seem, at least prima facie, to be incompatible with consent under GDPR”. (Albeit, injecting some of its own qualifiers into the sentence.)

The IAB is certainly seeking to deploy pro-privacy arguments to try to dilute Europeans’ privacy rights.

Despite its own claimed reservations about there being no technical fix to get consent for programmatic trading under GDPR, the IAB nonetheless went on to launch a technical mechanism for managing — and, it claimed, complying with — GDPR consent requirements in April 2018, when it urged the industry to use its GDPR “Consent & Transparency Framework”.

But in another piece of evidence obtained by the group of individuals behind the RTB complaints — an IAB document, dated May 2018, intended for publishers making use of this framework — the IAB also acknowledges that: “Publishers recognize there is no technical way to limit the way data is used after the data is received by a vendor for decisioning/bidding on/after delivery of an ad”.

In a section on liability, the IAB document lays out other publisher concerns that each bid request assumes “indiscriminate rights for vendors” — and that “surfacing thousands of vendors with broad rights to use data without tailoring those rights may be too many vendors/permissions”.

So again, er, awkward.

Another piece of evidence now attached to the RTB complaints shows a set of sample bid requests from the IAB and Google’s documentation for users of their systems — with annotations by the complainants showing exactly how much personal data gets packaged up and systematically shared.

This can include a person’s latitude and longitude GPS coordinates; IP address; device specific identifiers; various ID codes; inferred interests (which could include highly sensitive personal data); and the current webpage they’re looking at.

“The fourteen sample bid requests further prove that very personal data are contained in bid requests,” the complainants argue.
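The data types listed above map onto named fields in a bid request, which makes them straightforward to inventory and remove. The JavaScript below is an added example, not taken from the complaints or from IAB or Google documentation; the field paths follow OpenRTB 2.x naming as an assumption, the bid request is constructed, and the choice of what to keep as "contextual" is this example's own reading.

```javascript
// Assumed OpenRTB 2.x paths for the data types the article lists.
const PERSONAL_PATHS = [
  ["device.geo.lat", "GPS latitude"],
  ["device.geo.lon", "GPS longitude"],
  ["device.ip", "IP address"],
  ["device.ifa", "device advertising identifier"],
  ["user.id", "exchange user ID"],
  ["user.buyeruid", "buyer-specific user ID"],
  ["user.data", "inferred interest segments"],
];

// Walk a dotted path; returns undefined if any step is missing.
function getPath(obj, path) {
  return path.split(".").reduce(
    (o, k) => (o != null && typeof o === "object" ? o[k] : undefined), obj);
}

// Delete the leaf named by a dotted path, if its parent exists.
function deletePath(obj, path) {
  const keys = path.split(".");
  const last = keys.pop();
  const parent = getPath(obj, keys.join("."));
  if (parent != null && typeof parent === "object") delete parent[last];
}

// List which personal-data fields are present in a bid request.
function inventoryPersonalData(bidRequest) {
  return PERSONAL_PATHS
    .filter(([path]) => getPath(bidRequest, path) !== undefined)
    .map(([path, label]) => ({ path, label }));
}

// Return a deep copy with the listed fields removed. Page, ad slot and
// country-level data are kept (this example's assumption of "contextual").
function toContextualOnly(bidRequest) {
  const copy = JSON.parse(JSON.stringify(bidRequest));
  for (const [path] of PERSONAL_PATHS) deletePath(copy, path);
  // Drop containers that the deletions left empty.
  if (copy.device && copy.device.geo && Object.keys(copy.device.geo).length === 0) {
    delete copy.device.geo;
  }
  if (copy.user && Object.keys(copy.user).length === 0) delete copy.user;
  return copy;
}

// Constructed bid request: every value is a placeholder.
const SAMPLE_BID_REQUEST = {
  id: "constructed-request-1",
  imp: [{ id: "1", banner: { w: 300, h: 250 } }],
  site: {
    domain: "news.example",
    page: "https://news.example/health/article",
    cat: ["IAB7"],
  },
  device: {
    ua: "Mozilla/5.0 (constructed)",
    ip: "192.0.2.10",
    ifa: "00000000-0000-4000-8000-000000000000",
    geo: { lat: 53.3498, lon: -6.2603, country: "IRL" },
  },
  user: {
    id: "constructed-user-id",
    buyeruid: "constructed-buyer-uid",
    data: [{ name: "constructed-dmp", segment: [{ id: "seg-1", name: "health-interest" }] }],
  },
};

for (const { path, label } of inventoryPersonalData(SAMPLE_BID_REQUEST)) {
  console.log(`${path}: ${label}`);
}
console.log(JSON.stringify(toContextualOnly(SAMPLE_BID_REQUEST), null, 2));
```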

They have also included an estimated breakdown of seven major ad exchanges’ daily bid requests — Index Exchange, OpenX, Rubicon Project, Oath/AOL*, AppNexus, Smaato, Google DoubleClick — showing they collectively broadcast “hundreds of billions of bid requests per day”, to illustrate the scale of data being systematically broadcast by the ad industry.

“This suggests that the New Economics Foundation’s estimate in December that bid requests broadcast data about the average UK internet user 164 times a day was a conservative estimate,” they add.

The IAB has responded to the new evidence by couching the complainants’ claims as “false” and “intentionally damaging to the digital advertising industry and to European digital media”.

Regarding its 2017 document, in which it wrote that it was “technically impossible” for an Internet user to have prior information about every data controller involved in an RTB “scenario”, the IAB responds that “that was true at the time, but has changed since” — pointing to its Transparency & Consent framework (TCF) as the claimed fix for that, and further claiming it “demonstrates that real-time bidding is certainly not ‘incompatible with consent under GDPR'”.

Here are the relevant paragraphs of the IAB’s rebuttal on that:

The TCF provides a way to provide transparency to users about how, and by whom, their personal data is processed. It also enables users to express choices. Moreover, the TCF enables vendors engaged in programmatic advertising to know ahead of time whether their own and/or their partners’ transparency and consent status allows them to lawfully process personal data for online advertising and related purposes. IAB Europe’s submission to the European Commission in April 2017 showed that the industry needed to adapt to meet higher standards for transparency and consent under the GDPR. The TCF demonstrates how complex challenges can be overcome when industry players come together. But most importantly, the TCF demonstrates that real-time bidding is certainly not “incompatible with consent under GDPR”.

The OpenRTB protocol is a tool that can be used to determine which advertisement should be served on a given web page at a given time. Data can inform that determination. Like all technology, OpenRTB must be used in a way that complies with the law. Doing so is entirely possible and greatly facilitated by the IAB Europe Transparency & Consent Framework, whose whole raison d’être is to help ensure that the collection and processing of user data is done in full compliance with EU privacy and data protection rules.

The IAB goes on to couch the complaints as stemming from a “hypothetical possibility for personal data to be processed unlawfully in the course of programmatic advertising processes”.

“This hypothetical possibility arises because neither OpenRTB nor the TCF are capable of physically preventing companies using the protocol to unlawfully process personal data. But the law does not require them to,” the IAB claims.

However, the crux of the RTB complaint is that programmatic advertising’s processing of personal data is not adequately secure — and the complainants have GDPR Article 5, paragraph 1, point f to point to, which requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss”.

So it will be down to data protection authorities to determine what “appropriate security of personal data” means in this context. And whether behavioral advertising is inherently hostile to data protection law (not forgetting that other forms of non-personal-data-based advertising remain available, e.g. contextual advertising).

Discussing the complaint with TechCrunch late last year, Brave’s Ryan likened the programmatic ad system to dumping truck-loads of briefcases in the middle of a busy railway station in “the full knowledge that… business partners will all scramble around and try and grab them” — arguing that such a dysfunctional and systematic breaching of people’s data is lurking at the core of the online ad industry.

The solution Ryan and the other complainants are advocating for is not pulling the plug on the online ad industry entirely — but rather an update to the RTB spec to strip out personal data so that it respects Internet users’ rights. Ads can still be targeted contextually and successfully without Internet users having to be surveilled 24/7 online, is the claim.

They also argue that this would lead to a much better situation for quality online publishers because it would make it harder for their high value audiences to be arbitraged and commodified by privacy-hostile tracking technologies which — as it stands — trail Internet users everywhere they go. Albeit they freely concede that purveyors of low quality clickbait might fare less well.

*Disclosure: TechCrunch is owned by Verizon Media Group, aka Oath/AOL. We also don’t consider ourselves to be purveyors of low quality clickbait.

Reserve your demo table today for the TechCrunch Winter Party at Galvanize

There are just three short weeks until Silicon Valley’s startup community takes a night off to relax, connect and get down at the 2nd Annual TechCrunch Winter Party at Galvanize. It’s not just an opportunity to have a great time — although you will. It’s also the chance for promising early-stage startups to strut their stuff. We have a handful of demo tables available, but they won’t last long. Why not book a demo table today? You never know who might attend the party and facilitate your big break.

Here’s one legendary example. TechCrunch founder Michael Arrington used to hold these parties in his back yard. And that’s where Box founders Aaron Levie and Dylan Smith met one of their first investors, DFJ. Demo your early-stage startup at our Winter Party, and you just might start your own legend.

What can you expect at our Winter fete? Great food, delicious libations and outstanding company for starters. Last year, nearly 1,000 of the early-stage startup community — movers, shakers and star-makers — attended. Join us for a great night of community, networking and fun.

Here’s the lowdown on the particulars:

  • When: Friday, February 8, 6:00 p.m. – 9:00 p.m.
  • Where: Galvanize, 44 Tehama St., San Francisco, CA 94105
  • Tickets: $85
  • Demo table: $1,500 (includes three attendee tickets)

Demo tables are open to early-stage startups with $3 million or less in funding.

Along with conversation and networking, every TechCrunch bash includes plenty of games, activities, photo ops, swag and giveaways. Who wants free tickets to Disrupt 2019? You do! So, book your demo table now, before they’re gone. Come party with your people on February 8 and show us your stuff!