Mozilla adds website breach notifications to Firefox

Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.

When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised.

“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”

Here’s an example of what the site breach notifications look like and the kind of detail they will provide:

Mozilla’s website breach notification feature in Firefox

Mozilla is tying the site breach notification feature to an email account breach notification service it launched earlier this year, called Firefox Monitor, which it also said today is now available in an additional 26 languages.

Firefox users can click through to Monitor when they get a pop up about a site breach to check whether their own email was involved.

As with Firefox Monitor, Mozilla is relying on a list of breached websites provided by its partner, Troy Hunt’s pioneering breach notification service, Have I Been Pwned.

There can of course be a fine line between feeling informed and feeling spammed with too much information when you’re just trying to get on with browsing the web. But Mozilla looks to sensitive to that because it’s limiting breach notifications to one per breached site. It will also only raise a flag if the breach itself occurred in the past 12 months.

Data breaches are an unfortunate staple of digital life, stepping up in recent years in frequency and size along with big data services. That in turn has cranked up awareness of the problem. And in Europe tighter laws were introduced this May to bring in a universal breach disclosure requirement and raise penalties for data protection failures.

The GDPR framework also generally encourages data controllers and processors to improve their security systems given the risk of much heftier fines.

Although it will likely take some time for any increases in security investments triggered by the regulation to filter down and translate into fewer breaches — if indeed the law ends up having that hoped for impact.

But one early win for GDPR is it has greased the pipe for companies to promptly disclose breaches. This means it’s helping to generate more up-to-date security information which consumers can in turn use to inform the digital choices they make. So the regulation looks to be generating positive incentives.

Pirate Studios raises $20M from Talis Capital for its ‘self-service’ tech-enabled music studios

Pirate Studios, the music technology company that operates fully automated and self-service 24 hour music studios, has secured $20 million. The investment was led by Talis Capital, the London-based VC family office.

Talis was already an existing backer of Pirate Studios, with Talis’ Matus Maar also named as a co-founder of the startup. Other investors include Eric Archambeau (Spotify investor and ex-partner at Benchmark and Wellington Partners), Bart Swanson of Horizons Ventures, and partners of Gaw Capital, the $20 billion Hong Kong-headquartered proptech fund.

The new funding will enable Pirate Studios to continue to expand across the U.K., Germany and the U.S., where it has been building what the startup describes as a community of musicians, DJs, producers and podcasters who need access to professional rehearsal, production and recording studios at affordable rates. The company charges as little as £4 per hour, depending on what kind of music studio space and facilities you book.

However, what really sets Pirate Studios apart from a lot of existing rehearsal rooms and music production and recording studios, is that the startup is employing a lot of tech to power the logistics around its service and, in theory, make it a lot more scalable. This includes online booking, 24 hour keycode access, and other IoT controls for managing facilities.

Perhaps even smarter, Pirate Studios offers “automated recording” and live streaming from many of its studios. This means that bands or DJs rehearsing in one of the company’s rooms can easily record their session via built in room mics and other inputs, and the studio’s cloud software will handle mixing and mastering afterwards. Likewise, rooms are set up to be able to video and audio stream sessions, too.

Both options tap into the YouTube, SoundCloud, and Spotify generation’s unstoppable appetite for more content from their favourite upcoming and established acts, as well as the dreaded music industry’s favourite new metric: how much social media reach an act has, which can in turn make or break a recording contract opportunity or the chance to get booked at larger, more lucrative live events.

I say all of the above as someone who was previously in quite a serious band and used to book rehearsal rooms on a regular basis. I’m also still in touch and collaborating with a number of gigging musicians and professional acts. However, during the last ten years, I’ve seen quite a few studios in London go out of business as property owners look to cash in, and even though there is something a little WeWork about Pirate Studios’ model (and being backed by relatively large amounts of VC cash at this stage) which makes me slightly uneasy, overall I’m very bullish on what the company offers.

Without a place to practice, hone your craft, in addition to somewhere to perform, rock ‘n’ roll really would be dead.

To that end, in just three years, Pirate has grown to 350 studios in 21 locations, including London, New York, and Berlin.

Cue statement from David Borrie, co-founder and CEO of Pirate Studios: “When we founded Pirate Studios our dream was to create innovative spaces to support emerging talent. We want to see music thrive and help musicians get their music out to their fans, through whatever route they think is most appropriate. We are building both the physical space to create, as well as the technology to record and share, that puts power back into the hands of musicians in a period when the digitisation of music continues to radically upset the old order of this industry”.

UK watchdog has eyes on Google-DeepMind’s health app hand-off

The shock news yesterday that Google is taking over a health app rolled out to UK hospitals over the past few years by its AI division, DeepMind, has caught the eye of the country’s data protection watchdog — which said today that it’s monitoring developments.

An ICO spokesperson told us: “An ICO investigation and an independent audit into the use of Google Deepmind’s Streams service by the Royal Free both highlighted the importance of clear and effective governance when NHS bodies use third parties to provide digital services, particularly to ensure the original purpose for processing personal data is respected.

“We expect all the measures set out in our undertaking, and in the audit, should remain in place even if the identity of the third party changes. We are continuing to monitor the situation.”

We’ve reached out to DeepMind and Google for a response.

The project is already well known to the ICO because, following a lengthy investigation, it ruled last year that the NHS Trust which partnered with DeepMind had broken UK law by passing 1.6 million+ patients’ medical records to the Google owned company during the app’s development.

The Trust agreed to make changes to how it works with DeepMind, with the ICO saying it needed to establish “a proper legal basis” for the data-sharing, as well as share more information about how it handles patients’ privacy.

It also had to submit to an external audit — which was carried out by Linklaters. Though — as we reported in June — this only looked at the current working of the Streams app.

The auditors did not address the core issue of patient data being passed without a legal basis when the app was under construction. And the ICO didn’t sound too happy about that either.

While regulatory actions kicked off in spring 2016, the sanctions came after Streams had already been rolled out to hospital wards — starting with the Royal Free NHS Trust’s own hospitals.

DeepMind also inked additional five-year Streams deals with a handful of other Trusts before the ICO’s intervention, including Imperial College Healthcare NHS Trust and Taunton & Somerset.

Those Trusts are now facing being switched to having Google as their third party app provider.

Until yesterday DeepMind had maintained it operates autonomously from Google, with founder Mustafa Suleyman writing in 2016 that: “We’ve been clear from the outset that at no stage will patient data ever be linked or associated with Google accounts, products or services.”

Two years on and, in their latest Medium blog, the DeepMind co-founders write about how excited they are that the data is going to Google.

Patients might have rather more mixed feelings, given that most people have never been consulted about any of this.

The lack of a legal basis for DeepMind obtaining patient data to develop Streams in the first place remains unresolved. And Google becoming the new data processor for Streams only raises fresh questions about information governance — and trust.

Meanwhile the ICO has not yet given a final view on Streams’ continued data processing — but it’s still watching.

Google gobbling DeepMind’s health app might be the trust shock we need

DeepMind’s health app being gobbled by parent Google is both unsurprising and deeply shocking.

First thoughts should not be allowed to gloss over what is really a gut punch.

It’s unsurprising because the AI galaxy brains at DeepMind always looked like unlikely candidates for the quotidian, margins-focused business of selling and scaling software as a service. The app in question, a clinical task management and alerts app called Streams, does not involve any AI.

The algorithm it uses was developed by the UK’s own National Health Service, a branch of which DeepMind partnered with to co-develop Streams.

In a blog post announcing the hand-off yesterday, “scaling” was the precise word the DeepMind founders chose to explain passing their baby to Google . And if you want to scale apps Google does have the well oiled machinery to do it.

At the same time Google has just hired Dr. David Feinberg, from US health service organization Geisinger, to a new leadership role which CNBC reports as being intended to tie together multiple, fragmented health initiatives and coordinate its moves into the $3TR healthcare sector.

The company’s stated mission of ‘organizing the world’s information and making it universally accessible and useful’ is now seemingly being applied to its own rather messy corporate structure — to try to capitalize on growing opportunities for selling software to clinicians.

That health tech opportunities are growing is clear.

In the UK, where Streams and DeepMind Health operates, the minister for health, Matt Hancock, a recent transplant to the portfolio from the digital brief, brought his love of apps with him — and almost immediately made technology one of his stated priorities for the NHS.

Last month he fleshed his thinking out further, publishing a future of healthcare policy document containing a vision for transforming how the NHS operates — to plug in what he called “healthtech” apps and services, to support tech-enabled “preventative, predictive and personalised care”.

Which really is a clarion call to software makers to clap fresh eyes on the sector.

In the UK the legwork that DeepMind has done on the ‘apps for clinicians’ front — finding a willing NHS Trust to partner with; getting access to patient data, with the Royal Free passing over the medical records of some 1.6 million people as Streams was being developed in the autumn of 2015; inking a bunch more Streams deals with other NHS Trusts — is now being folded right back into Google.

And this is where things get shocking.

Trust demolition

Shocking because DeepMind handing the app to Google — and therefore all the patient data that sits behind it — goes against explicit reassurances made by DeepMind’s founders that there was a firewall sitting between its health experiments and its ad tech parent, Google.

“In this work, we know that we’re held to the highest level of scrutiny,” wrote DeepMind co-founder Mustafa Suleyman in a blog post in July 2016 as controversy swirled over the scope and terms of the patient data-sharing arrangement it had inked with the Royal Free. “DeepMind operates autonomously from Google, and we’ve been clear from the outset that at no stage will patient data ever be linked or associated with Google accounts, products or services.”

As law and technology academic Julia Powles, who co-wrote a research paper on DeepMind’s health foray with the New Scientist journalist, Hal Hodson, who obtained and published the original (now defunct) patient data-sharing agreement, noted via Twitter: “This isn’t transparency, it’s trust demolition.”

Turns out DeepMind’s patient data firewall was nothing more than a verbal assurance — and two years later those words have been steamrollered by corporate reconfiguration, as Google and Alphabet elbow DeepMind’s team aside and prepare to latch onto a burgeoning new market opportunity.

Any fresh assurances that people’s sensitive medical records will never be used for ad targeting will now have to come direct from Google. And they’ll just be words too. So put that in your patient trust pipe and smoke it.

The Streams app data is also — to be clear — personal data that the individuals concerned never consented to being passed to DeepMind. Let alone to Google.

Patients weren’t asked for their consent nor even consulted by the Royal Free when it quietly inked a partnership with DeepMind three years ago. It was only months later that the initiative was even made public, although the full scope and terms only emerged thanks to investigative journalism.

Transparency was lacking from the start.

This is why, after a lengthy investigation, the UK’s data protection watchdog ruled last year that the Trust had breached UK law — saying people would not have reasonably expected their information to be used in such a way.

Nor should they. If you ended up in hospital with a broken leg you’d expect the hospital to have your data. But wouldn’t you be rather shocked to learn — shortly afterwards or indeed years and years later — that your medical records are now sitting on a Google server because Alphabet’s corporate leaders want to scale a fat healthtech profit?

In the same 2016 blog post, entitled “DeepMind Health: our commitment to the NHS”, Suleyman made a point of noting how it had asked “a group of respected public figures to act as Independent Reviewers, to examine our work and publish their findings”, further emphasizing: “We want to earn public trust for this work, and we don’t take that for granted.”

Fine words indeed. And the panel of independent reviewers that DeepMind assembled to act as an informal watchdog in patients’ and consumers’ interests did indeed contain well respected public figures, chaired by former Liberal Democrat MP Julian Huppert.

The panel was provided with a budget by DeepMind to carry out investigations of the reviewers’ choosing. It went on to produce two annual reports — flagging a number of issues of concern, including, most recently, warning that Google might be able to exert monopoly power as a result of the fact Streams is being contractually bundled with streaming and data access infrastructure.

The reviewers also worried whether DeepMind Health would be able to insulate itself from Alphabet’s influence and commercial priorities — urging DeepMind Health to “look at ways of entrenching its separation from Alphabet and DeepMind more robustly, so that it can have enduring force to the commitments it makes”.

It turns out that was a very prescient concern since Alphabet/Google has now essentially dissolved the bits of DeepMind that were sticking in its way.

Including — it seems — the entire external reviewer structure…

A DeepMind spokesperson told us that the panel’s governance structure was created for DeepMind Health “as a UK entity”, adding: “Now Streams is going to be part of a global effort this is unlikely to be the right structure in the future.”

It turns out — yet again — that tech industry DIY ‘guardrails’ and self-styled accountability are about as reliable as verbal assurances. Which is to say, not at all.

This is also both deeply unsurprisingly and horribly shocking. The shock is really that big tech keeps getting away with this.

None of the self-generated ‘trust and accountability’ structures that tech giants are now routinely popping up with entrepreneurial speed — to act as public curios and talking shops to draw questions away from what’s they’re actually doing as people’s data gets sucked up for commercial gain — can in fact be trusted.

They are a shiny distraction from due process. Or to put it more succinctly: It’s PR.

There is no accountability if rules are self-styled and therefore cannot be enforced because they can just get overwritten and goalposts moved at corporate will.

Nor can there be trust in any commercial arrangement unless it has adequately bounded — and legal — terms.

This stuff isn’t rocket science nor even medical science. So it’s quite the pantomime dance that DeepMind and Google have been merrily leading everyone on.

It’s almost as if they were trying to cause a massive distraction — by sicking up faux discussions of trust, fairness and privacy — to waste good people’s time while they got on with the lucrative business of mining everyone’s data.

Discover the next messaging giant at Disrupt Berlin

Truecaller may already be a familiar name, but many of you probably don’t know that it’s slowly becoming a significant messaging app. That’s why I’m excited to announce that Truecaller co-founder and CEO Alan Mamedi will join us at TechCrunch Disrupt Berlin.

Truecaller first started as a call screening app. Some countries are more affected than others. But it’s clear that text and call spam is the most intrusive form of spam.

The Swedish company then leveraged this user base to quietly turn the app into a full-fledged messaging app with one focus in particular — India.

With the acquisition of Chillr, the company shows that it wants to recreate a sort of WeChat for India. The company launched payment features — Truecaller Pay lets you pay other Truecaller users as well as pay your bills.

Eventually, Truecaller wants to open up its platform to third-party services. Back in April, the company reported that it had 100 million daily active users.

If you’re impressed by Truecaller’s growth strategy, you should buy your ticket to Disrupt Berlin to listen to this discussion and many others. The conference will take place on November 29-30.

In addition to fireside chats and panels, like this one, new startups will participate in the Startup Battlefield Europe to win the highly coveted Battlefield cup.

Alan Mamedi

CEO & Co-founder, Truecaller

Alan Mamedi is the CEO and Co-founder of Truecaller. Truecaller is one of the leading communication apps in the world with services in messaging, payment, caller ID, spam detection, dialer functionalities, and has more than 300 million users globally. In this position, Alan focuses on product development and innovation, and charting the strategic roadmap for the company’s success. To date, Truecaller has raised 80 million USD from Sequoia Capital, Atomico, and Kleiner Perkins Caufield & Byers.

Loans marketplace Mintos scores €5M Series A and plans to launch a debit card

Mintos, the Latvian fintech that operates a global loans marketplace to let you invest in loans from various loan originators, has raised €5 million in Series A funding. Backing the startup once again is the Riga-based venture capital firm Grumpy Investments (previously known as Skillion Ventures). More noteworthy, the new capital will be used to launch a Mintos banking account and debit card, significantly expanding the company’s offering.

“Both banking account and the card in our opinion is a natural step in our journey of revolutionising financial services through technology and serving our investors and will nicely complement our current offering of investments in loans, and low-fee mid-market rate currency exchange,” Mintos co-founder and CEO Martins Sulte tells me. “This development also means that, theoretically, our investors won’t need their banks anymore”.

The Mintos banking account will act like any other IBAN account. You’ll be able to receive a salary into your Mintos account, use it to get paid by companies, or receive money from friends. And of course you’ll be able to transfer money out of your Mintos account, just like a regular bank account.

Sulte says the idea behind plans to launch a Mintos banking account, and the reason why the company is applying for a European e-money license, is to improve the overall Mintos experience. This includes making it quicker to access money generated by the loans you have invested in (which is held by Mintos on your behalf) and easier to invest on a regular basis.

“The card will allow investors to access the money they hold on the Mintos account instantly by paying at their local grocery shop or online or withdrawing money at ATMs; basically use the card like any other bank card,” he says. “They will no longer need to request a withdrawal from the platform to their bank account and wait up to two days for their money to arrive”.

The fintech startup claims a customer base of 87,000 investors from 71 different countries. In addition to launching the Mintos banking account, the company will use the additional funding for further geographical expansion, including Latin America, Africa, and Southeast Asia). It will also invest in acquiring more customers, and significantly expanding the size of its 60 person team. Notably, Mintos has been profitable since January 2017.

To the end, the fintech company says it has already facilitated more than €1 billion in investments in loans through its marketplace since launching in 2005. It says Investors in total have earned €26.7 million in interest through loans to individuals and businesses and have attained an average net return of nearly 12 percent.

Kaspersky starts processing threat data in Europe as part of trust reboot

Security firm Kaspersky Labs has opened its first self-styled ‘Transparency Center’ and begun processing threat-related data from European users in data centers located in Switzerland — flipping the switch on the start of a relocation commitment it announced late last year in the face of suspicion that its antivirus software had been compromised by the Russian government and used to suck up US intelligence. 

The first stage of its fightback strategy to reboot trust, a code review plan, was announced a year ago.

Then, in May, the company announced it would be moving some core infrastructure processes to Zurich in Switzerland, saying also that it would arrange for its processes to be independently supervised by a third party qualified to conduct technical software reviews.

This facility has now begun processing data, starting with European users. Although this is just the start of the reconfiguration.

Software assembly will also move to Zurich in time — but not until phase two of the project, after processing for customers in other regions has also been relocated there.

It writes today:

From November 13, threat-related data coming from European users will start to be processed in two datacenters. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.

The data, which users have actively chosen to share with Kaspersky Lab, includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis.

Files comprise only part of the data processed by Kaspersky Lab technologies, yet the most important one. Protection of customers’ data, together with the safety and integrity of infrastructure is a top priority for Kaspersky Lab, and that is why the file processing relocation comes first and is expected to be fully accomplished by the end of 2019. The relocation of other types of data processed by Kaspersky Lab products, consisting of several kinds of anonymized threat and usage statistics, is planned to be conducted during later phases of the Global Transparency Initiative.

By the end of 2019 the company has said the Zurich facility will be storing and processing all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries slated to follow in future. Kaspersky is not exiting Russia entirely, though, as products for the Russian market will continue to be developed and distributed out of Moscow.

The Zurich Transparency Center will also provide authorized partners with access to reviews of Kaspersky code, and software updates and threat detection rules — as well as functioning as a secure location where governments and partners can come and ask questions and review documentation.

We’d wager journalists will also be invited on inspection tours.

Commenting in a statement, CEO Eugene Kaspersky claims: “Transparency is becoming the new normal for the IT industry — and for the cybersecurity industry in particular.”

“We are proud to be on the front line of this process. As a technological company, we are focused on ensuring the best IT infrastructure for the security of our products and data, and the relocation of key parts of our infrastructure to Switzerland places them in one of the most secure locations in the world,” he goes on, reiterating that the the intent of the Global Transparency Initiative is to increase “the resilience and visibility of our products”.

Which of course sounds a lot better than saying it’s responding to a trust crisis.

“Through the new Transparency Center, also in Switzerland, trusted partners and governments will be able to see external reviews of our products and make up their own minds. We believe that steps such as these are just the beginning – for the company and for the security industry as a whole. The need to prove trustworthiness will soon become an industry standard,” he adds.

Kaspersky says it has engaged “one of the Big Four professional services firms” to conduct an audit of its engineering practices around the creation and distribution of threat detection rule databases — “with the goal of independently confirming their accordance with the highest industry security practices”.

We’ve asked which third party has been selected to oversee the facility.

“The assessment will be done under the SSAE 18 standard (Statement of Standards for Attestation Engagements). The scope of the assessment includes regular automatic updates of antivirus records, created and distributed by Kaspersky Lab for its products operating on Windows and Unix Servers. The company is planning the assessment under SSAE 18 with the issue of the SOC 2 (The Service and Organization Controls) report for Q2 2019,” it further notes.

A year ago the security firm also announced a hike in its bug bounty rewards — saying it would now pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

Since then it says it has fixed more than 50 bugs reported by security researchers, claiming several were “acknowledged to be especially valuable”.

BlaBlaCar to acquire Ouibus and offer bus service

French startup BlaBlaCar is announcing plans to acquire Ouibus, the bus division of France’s national railway company SNCF. For the first time, BlaBlaCar is moving beyond carpooling and plans to offer both long-distance carpooling rides and bus rides.

BlaBlaCar already ran a test with Ouibus for the past six months on popular corridors. It looks like both companies are happy with this test as SNCF is willing to let BlaBlaCar run Ouibus from now on.

As part of this deal, BlaBlaCar is announcing a new $114 million investment (€101 million) from SNCF and existing BlaBlaCar investors. I’d guess that this isn’t just cash but probably cash and shares as part of the move with SNCF. Yes, you read that correctly, SNCF is now an investor in BlaBlaCar.

Ouibus has transported over 12 million passengers over the past few years in France and Europe. Many thoughts that buses would hurt BlaBlaCar over the long run. By offering buses on BlaBlaCar directly, the company can capitalize on its brand and huge community to counter that trend. BlaBlaCar is now a marketplace for road travel.

BlaBlaCar is taking a risk as Ouibus has been relentlessly losing money. Just like other bus companies, Ouibus relies heavily on contractors, which means that BlaBlaCar could quickly adjust the offering. It’ll also depend on product integrations on BlaBlaCar, OUI.sncf and other platforms.

BlaBlaCar currently has 65 million users in 22 countries and is about to reach profitability. And you can expect to find ride-sharing offers on OUI.sncf in the coming months.

SAP agrees to buy Qualtrics for $8B in cash, just before the survey software company’s IPO

Ryan Smith of Qualtrics speaks onstage during TechCrunch Disrupt SF 2015

Enterprise software giant SAP announced today that it has agreed to acquire Qualtrics for $8 billion in cash, just before the survey and research software company was set to go public. The deal is expected to be completed in the first half of 2019. Qualtrics last round of venture capital funding in 2016 raised $180 million at a $2.5 billion valuation.

This is the second-largest ever acquisition of a SaaS company, after Oracle’s purchase of Netsuite for $9.3 billion in 2016.

In a conference call, SAP CEO Bill McDermott said Qualtrics’ IPO was already oversubscribed and that the two companies began discussions a few months ago. SAP claims its software touches 77 percent of the world’s transaction revenue, while Qualtrics’ products include survey software that enables its 9,000 enterprise users to gauge things like customer sentiment and employee engagement.

McDermott compared the potential impact of combining SAP’s operational data with Qualtrics’ customer and user data to Facebook’s acquisition of Instagram. “The legacy players who carried their ‘90s technology into the 21st century just got clobbered. We have made existing participants in the market extinct,” he said. (SAP’s competitors include Oracle, Salesforce.com, Microsoft, and IBM.)

SAP, whose global headquarters is in Walldorf, Germany, said it has secured financing of €7 billion (about $7.93 billion) to cover acquisition-related costs and the purchase price, which will include unvested employee bonuses and cash on the balance sheet at close.

Ryan Smith, who co-founded Qualtrics in 2002, will continue to serve as its CEO. After the acquisition is finalized, the company will become part of SAP’s Cloud Business Group, but retain its dual headquarters in Provo, Utah and Seattle, as well as its own branding and personnel.

According to Crunchbase, the company raised a total of $400 million in VC funding from investors including Accel, Sequoia, and Insight Ventures. It had intended to sell 20.5 million shares in its debut for $18 to $21, which could have potentially grossed up to about $495 million. This would have put its valuation between $3.9 billion to $4.5 billion, according to CrunchBase’s Alex Wilhelm.

This year, Qualtrics’ revenue grew 8.5 percent from $97.1 million in the second-quarter to $105.4 million in the third-quarter, according to its IPO filing. It reported third-quarter GAAP net income of $4.9 million. That represented an increase from the $975,000 it reported in the previous quarter, as well as its net profit in the same period a year ago of $4.7 million. Qualtrics grew its operating cash flow to $52.5 million in the first nine months of 2018, compared to $36.1 million during the same period in 2017.

In today’s announcement, Qualtrics said it expects its full-year 2018 revenue to exceed $400 million and forecasts a forward growth rate of more than 40 percent, not counting the potential synergies of its acquisition by SAP.

Qualtrics’ main competitors include SurveyMonkey, which went public in September.

A tale of two scooter cities

The kids in Madrid’s El Retiro Park are loving their new on-demand joyriding toys. Lime launched its scooters in the Spanish capital this summer.

Spending a weekend in the city center last month the craze was impossible to miss. Scooters parked in clusters vying for pay-to-play time. Sometimes lined up tidily. All too often not.

The bright Lime rides really stood out, though it’s not the only brand in town. Scooter startups have been quick to hop on the international expansion bandwagon as they gun for growth.

Grandly proportioned El Retiro clearly makes a great spot for taking a scooter for a spin. Test rides beget joyrides, and so the kids were hopping on. Sometimes two to one.

The boulevard linking the Prado with the Reina Sofia was another popular route to scoot.

While a busy central bar district was a hot ride-ditching spot later on. Lines of scooters were vying for space with the vintage street bollards.

The appeal was obvious: Bowl up to the bar and drink! No worries about parking or how to get your ride home afterwards. But for Saturday night revellers there was suddenly a new piece of street furniture to lurch around, with slouching handlebars sticking up all over the place. Anyone trying to navigate the pavement in a wheelchair wouldn’t have had much fun.

In another of Spain’s big tourist cities the scooter story is a little different: Catalan capital Barcelona hasn’t had an invasion of on-demand scooter startups yet but scooters have crept in. In recent years locals have tapped in of their own accord — buying not renting.

Rides are a front-of-store sight in electronics shops, big and small — costing a few hundred euros. Even for a flashy Italian design…

Electronic scooters

Take a short walk in one of the more hipster barrios and chances are you’ll pass someone who’s bought into the craze for nipping around on two wheels. There’s lots of non-electric scooters too but e-scooters do seem to have carved out a growing niche for themselves with a certain type of Barcelona native.

Again, you can see the logic: Well-dressed professionals can zip around narrow streets that aren’t always great for finding a place to (safely) lock up a bike.

There’s actually a pretty wide variety of wheeled e-rides in play for locals with the guts to get on them. Some with seats and/or handles, others with almost nothing. (The hands-in-pockets hipsters on self-balancing unicycles are quite the sight.)

In both of these Spanish cities it’s clear people are falling for — and, well, sometimes off — the micro-mobility trend.

But the difference between the on-demand scooters being toyed with in Madrid vs Barcelona’s locally owned two wheelers is a level of purpose and intent.

The Lime rides in Madrid’s center seemed mostly a tourist novelty. At least for now, having only had a couple of months to bed in.

Whereas the organic growth of scooters in Barcelona barrios is about people who live there feeling a need.

Even the unicycling hipsters seem to be actually on their way somewhere.

Hop on

What does this mean for scooter startups? It’s another example of how technology’s utility and wider societal impacts can vary when you parachute a new thing into a market and hope people jump on board vs growth being organic and more gradual because it’s led by real-world demand.

And it’s essential to think about impacts where scooters and micro-mobility is concerned because all this stuff must piggyback on shared public spaces. No one has the luxury of being able to avoid what’s buzzing up and down their street.

That’s why lots of on-demand scooters have ended up trashed and vandalized — as residents make their feelings known (having not been asked about the alien invaders in the first place).

In Europe there’s a further twist because the spaces scooter startups are seeking to colonize are already well served with all sorts of public transport options. So there’s a clear and present danger that these new kids on the block won’t displace anything. And will just mean more traffic and extra congestion — as happened with ride-hailing.

In Madrid, the first tranche of on-demand scooters seems to be generating pretty superficial and additive use. Offering a novel alternative to walking between sights or bars on a trip to-do list. Just possibly they’re replacing a short taxi or metro hop.

In the park, they were being used 100% for fun. Perhaps takings are down at the boating lake.

Barcelona has plenty of electro-powered joyriding down at the beach front in summer — where shops rent all sorts of wheels to tourists by the hour. But away from the beach locals don’t seem to be wasting scooter charge riding in circles.

They’re stepping out for regular trips like commuting to and from work. In other words, scooters are useful.

Given all this activity and engagement micro-mobility does seem to offer genuine transformative potential in dense urban environments. At least where the climate doesn’t punish for most of the year.

This is why investors are so hot on scooters. But the additive nature of micro-mobility underlines a pressing need for the technology to be properly steered if cities, residents and societies are to get the best benefits.

Scooters could certainly replace some moped trips. Even some local car journeys. So they could play an important role in reducing pollution and noise by taking trips away from petrol- and diesel-powered vehicles.

Because they offer a convenient, low-barrier-to-entry alternative with populist pull.

Not being too high speed also means, in and of themselves, they’re fairly safe.

If you’re just barrio hopping or can map most of your social life across a few city blocks there’s no doubting their convenience. Novelty is not the only lure.

Hop off

Though, equally, the local-level journeys that scooters are best suited for could just as easily be completed on foot, by bike or via public transit options like a metro.

And Barcelona’s congested streets don’t look any less packed with petrol engines — yet.

Which means scooters are both an opportunity and a risk.

If policymakers get the regulations right, a smart city could leverage their fun factor to nudge commuters away from more powerful but less environmentally friendly vehicles — with, potentially, some very major gains up for grabs.

Subsidized scooters coupled with a framework of congestion zones that levy fees on petrol/diesel engines is one simple example.

A clever policy could open the possibility of excluding cars almost entirely from city centers — so that streets could be reclaimed for new leisure and retail opportunities that don’t demand masses of parking space on tap.

Pollution is a chronic problem in almost all large cities in the world. So reshaping city centers to be more people-centric and less toxic to human health by displacing cars would be an incredible win for micro-mobility.

Even as the hop on, hop off ease of scooters offers a suggestive glimpse of what’s possible if we dare to rethink urban architecture to put people rather than four-wheeled vehicles first.

Yet get the policy wrong and scooters could end up — at very best — a frivolous irrelevance. A joyride that disrupts going nowhere. Yet another nuisance on already choked streets. An optional extra that feels disposable and gets rudely discarded because no one feels invested.

In this scenario the technology is not socially transformative. It’s more likely an antisocial nuisance. And a pointless drain on resources because it’s doing no more than disrupting walking.

Scooter startups have already run into some of these issues. And that’s not surprising given how fast they’ve been trying to grow. Their early expansionist playbook does also risk looking like Uber all over again.

Yet Uber could have pioneered micro-mobility itself. But being ‘laser focused on growth’ seemingly gave the company tunnel vision. Only now, under a new CEO, it’s all change. Now Uber wants to be a one-stop platform for all sorts of transport options.

But how many years did it waste missing the disruptive potential of micro-mobility coming down the road because it was too busy trying to fit more cars into cities — and ignoring how residents felt about that?

An obsession with growth at all costs may well be a side effect of major VC dollars flooding in. But for startups it really does pay to stay self-aware, perhaps especially when you’re rolling in money. Else you might find your investors funding your biggest blind spot — if you end up missing the next even more transformative disruption.

The really clever trick to pull off is not ‘scale fast or die trying’; it’s smart growth that’s predicated upon applying innovative technologies in ways that bring whole communities along with them. That’s true transformation.

For scooters that means not just dumping them on cities without any thought beyond creaming a profit off of anything that moves. But getting residents and communities engaged with the direction of travel. Partnering with people and policymakers on the right incentives to steer innovation onto its best track.

Move people around cities, yes, and shift them out of their cars.

There’s little doubt that Uber’s old ‘growth at any cost’ playbook was hugely wasteful and damaging (not least to the company’s own reputation). And now it’s having to retrofit a more inclusive approach at the same time as unpicking an ‘environmentally insensitive’ legacy that original playbook really doesn’t look so smart.

Scooter startups are still young and have made some of their own mistakes trying to chase early scale. But there are reasons to be cheerful about this new crop of mobility startups too.

Signs they see value and opportunities in being pro-actively engaged with the environments they’re operating in. Having also learnt some hard early lessons about the need to be very sensitive to shared spaces.

Bird announced a program this summer offering discounted rides to people on low incomes, for example. Lime has a similar program.

These are small but interesting steps. Here’s hoping we’re going to see a lot more.