It’s official: Brexit campaign broke the law — with social media’s help

The UK’s Electoral Commission has published the results of a near nine-month-long investigation into Brexit referendum spending and has found that the official Vote Leave campaign broke the law by breaching election campaign spending limits.

Vote Leave broke the law, the Commission found, in part by channeling money to a Canadian data firm, AggregateIQ, to use for targeting political advertising on Facebook’s platform, via undeclared joint working with another Brexit campaign, BeLeave.

Aggregate IQ remains the subject of a separate joint investigation by privacy watchdogs in Canada and British Columbia.

The Electoral Commission’s investigation found evidence that BeLeave spent more than £675,000 with AggregateIQ under a common arrangement with Vote Leave. Yet the two campaigns had failed to disclose on their referendum spending returns that they had a common plan.

As the designated lead leave campaign, Vote Leave had a £7M spending limit under UK law. But via its joint spending with BeLeave the Commission determined it actually spent £7,449,079 — exceeding the legal spending limit by almost half a million pounds.

The June 2016 referendum in the UK resulted in a narrow 52:48 majority for the UK to leave the European Union. Two years on from the vote, the government has yet to agree a coherent policy strategy to move forward in negotiations with the EU, leaving businesses to suck up ongoing uncertainty and society and citizens to remain riven and divided.

Meanwhile, Facebook — whose platform played a key role in distributing referendum messaging — booked revenue of around $40.7BN in 2017 alone, reporting a full year profit of almost $16BN.

Back in May, long-time leave supporter and MEP, Nigel Farage, told CEO Mark Zuckerberg to his face in the European Parliament that without “Facebook and other forms of social media there is no way that Brexit or Trump or the Italian elections could ever possibly have happened”.

The Electoral Commission’s investigation focused on funding and spending, and mainly concerned five payments made to Aggregate IQ in June 2016 — payments made for campaign services for the EU Referendum — by the three Brexit campaigns it investigated (the third being: Veterans for Britain).

Veterans for Britain’s spending return included a donation of £100,000 that was reported as a cash donation received and accepted on 20 May 2016. But the Commission found this was in fact a payment by Vote Leave to Aggregate IQ for services provided to Veterans for Britain in the final days of the EU Referendum campaign. The date was also incorrectly reported: It was actually paid by Vote Leave on 29 June 2016.

Despite the donation to a third Brexit campaign by the official Vote Leave campaign being for services provided by Aggregate IQ, which was also simultaneously providing services to Vote Leave, the Commission did not deem it to constitute joint working, writing: “[T]he evidence we have seen does not support the concern that the services were provided to Veterans for Britain as joint working with Vote Leave.”

It was, however, found to constitute an inaccurate donation report — another offense under the UK’s Political Parties, Elections and Referendums Act 2000.

The report details multiple issues with spending returns across the three campaigns. And the Commission has issued a series of fines to the three Brexit campaigns.

It has also referred two individuals — Vote Leave’s David Alan Halsall and BeLeave’s Darren Grimes — to the UK’s Metropolitan Police Service, which has the power to instigate a criminal investigation.

Early last year the Commission decided not to fully investigate Vote Leave’s spending but by October it says new information had emerged — which suggested “a pattern of action by Vote Leave” — so it revisited the assessment and reopened an investigation in November.

Its report also makes it clear that Vote Leave failed to co-operate with its investigation — including by failing to produce requested information and documents; by failing to provide representatives for interview; by ignoring deadlines to respond to formal investigation notices; and by objecting to the fact of the investigation, including suggesting it would judicially review the opening of the investigation.

Judging by the Commission’s account, Vote Leave seemingly did everything it could to try to thwart and delay the investigation — which is only reporting now, two years on from the Brexit vote and with mere months of negotiating time left before the end of the formal Article 50 exit notification process.

What’s crystal clear from this report is that following money and data trails takes time and painstaking investigation, which — given that, y’know, democracy is at stake — heavily bolsters the case for far more stringent regulations and transparency mechanisms to prevent powerful social media platforms from quietly absorbing politically motivated money and messaging without recognizing any responsibility to disclose the transactions, let alone carry out due diligence on who or what may be funding the political spending.

The political ad transparency measures that Facebook has announced so far come far too late for Brexit — or indeed, for the 2016 US presidential election, when its platform carried and amplified Kremlin-funded divisive messaging which reached the eyeballs of hundreds of millions of US voters.

Last week the UK’s information commissioner, Elizabeth Denham, criticized Facebook for transparency and control failures relating to political ads on its platform, and also announced its intention to fine Facebook the maximum possible for breaches of UK data protection law relating to the Cambridge Analytica scandal, after it emerged that information on as many as 87 million Facebook users was extracted from its platform and passed to a controversial UK political consultancy without most people’s knowledge or consent.

She also published a series of policy recommendations around digital political campaigning — calling for an ethical pause on the use of personal data for political ad targeting, and warning that a troubling lack of transparency about how people’s data is being used risks undermining public trust in democracy.

“Without a high level of transparency – and therefore trust amongst citizens that their data is being used appropriately – we are at risk of developing a system of voter surveillance by default,” she warned.

The Cambridge Analytica Facebook scandal is linked to the Brexit referendum via AggregateIQ — which was also a contractor for Cambridge Analytica, and also handled Facebook user information which the former company had improperly obtained, after paying a Cambridge University academic to use a quiz app to harvest people’s data and use it to create psychometric profiles for ad targeting.

The Electoral Commission says it was approached by Facebook during the Brexit campaign spending investigation with “some information about how Aggregate IQ used its services during the EU Referendum campaign”.

We’ve reached out to Facebook for comment on the report and will update this story with any response.

The Commission states that evidence from Facebook indicates that AggregateIQ used “identical target lists for Vote Leave and BeLeave ads”, although at least in one instance the BeLeave ads “were not run”.

It writes:

BeLeave’s ability to procure services from Aggregate IQ only resulted from the actions of Vote Leave, in providing those donations and arranging a separate donor for BeLeave. While BeLeave may have contributed its own design style and input, the services provided by Aggregate IQ to BeLeave used Vote Leave messaging, at the behest of BeLeave’s campaign director. It also appears to have had the benefit of Vote Leave data and/or data it obtained via online resources set up and provided to it by Vote Leave to target and distribute its campaign material. This is shown by evidence from Facebook that Aggregate IQ used identical target lists for Vote Leave and BeLeave ads, although the BeLeave ads were not run.

“We also asked for copies of the adverts Aggregate IQ placed for BeLeave, and for details of the reports he received from Aggregate IQ on their use. Mr Grimes replied to our questions,” it further notes in the report.

At the height of the referendum campaign — at a crucial moment when Vote Leave had reached its official spending limit — officials from the official leave campaign persuaded BeLeave’s only other donor, an individual called Anthony Clake, to allow it to funnel a donation from him directly to Aggregate IQ, whom Vote Leave campaign director Dominic Cummings dubbed a bunch of “social media ninjas”.

The Commission writes:

On 11 June 2016 Mr Cummings wrote to Mr Clake saying that Vote Leave had all the money it could spend, and suggesting the following: “However, there is another organisation that could spend your money. Would you be willing to spend the 100k to some social media ninjas who could usefully spend it on behalf of this organisation? I am very confident it would be well spent in the final crucial 5 days. Obviously it would be entirely legal. (sic)”

Mr Clake asked about this organisation. Mr Cummings replied as follows: “the social media ninjas are based in canada – they are extremely good. You would send your money directly to them. the organisation that would legally register the donation is a permitted participant called BeLeave, a “young people’s organisation”. happy to talk it through on the phone though in principle nothing is required from you but to wire money to a bank account if you’re happy to take my word for it. (sic)

Mr Clake then emailed Mr Grimes to offer a donation to BeLeave. He specified that this donation would be made “via the AIQ account.”

And while the Commission says it found evidence that Grimes and others from BeLeave had “significant input into the look and design of the BeLeave adverts produced by Aggregate IQ”, it also determined that Vote Leave messaging was “influential in their strategy and design” — hence its determination of a common plan between the two campaigns. Aggregate IQ was the vehicle used by Vote Leave to breach its campaign spending cap.

Providing examples of the collaboration it found between the two campaigns, the Commission quotes internal BeLeave correspondence — including an instruction from Grimes to: “Copy and paste lines from Vote Leave’s briefing room in a BeLeave voice”.

It writes:

On 15 June 2016 Mr Grimes told other BeLeave Board members and Aggregate IQ that BeLeave’s ads needed to be: “an effective way of pushing our more liberal and progressive message to an audience which is perhaps not as receptive to Vote Leave’s messaging.”

On 17 June 2016 Mr Grimes told other BeLeave Board members: “So as soon as we can go live. Advertising should be back on tomorrow and normal operating as of Sunday. I’d like to make sure we have loads of scheduled tweets and Facebook status. Post all of those blogs including Shahmirs [aka Shahmir Sami; who became a BeLeave whistleblower], use favstar to check out and repost our best performing tweets. Copy and paste lines from Vote Leave’s briefing room in a BeLeave voice”

Klang gets $8.95M for an MMO sim sitting atop Improbable’s dev platform

Berlin-based games studio Klang, which is building a massive multiplayer online simulation called Seed utilizing Improbable’s virtual world builder platform, has just bagged $8.95M in Series A funding to support development of the forthcoming title.

The funding is led by veteran European VC firm Northzone. It follows a seed raise for Seed, finalized in March 2018, and led by Makers Fund, with participation by firstminute capital, Neoteny, Mosaic Ventures, and Novator — bringing the total funding raised for the project to $13.95M.

The studio was founded in 2013, and originally based in Reykjavík, Iceland, before relocating to Berlin. Klang’s original backers include Greylock Partners, Joi Ito, and David Helgason, as well as original investors London Venture Partners.

The latest tranche of funding will be used to expand its dev team and for continued production on Seed which is in pre-alpha at this stage — with no release date announced yet.

Nor is there a confirmed pricing model. We understand the team is looking at a variety of ideas at this stage, such as tying the pricing to the costs of simulating the entities.

They have released the below teaser showing the pre-alpha build of the game — which is described as a persistent simulation where players are tasked with colonizing an alien planet, managing multiple characters in real-time and interacting with characters managed by other human players they encounter in the game space.

The persistent element refers to the game engine maintaining character activity after the player has logged off — supporting an unbroken simulation.

Klang touts its founders’ three decades of combined experience working on the MMOs EVE Online and Dust 514, experience it says is now being rolled into designing and developing the large, player-driven world they’re building with Seed.

Meanwhile, London-based Improbable bagged a whopping $502M for its virtual world builder SpatialOS just over a year ago. The dev platform lets developers design and build massively detailed environments — to offer what it bills as a new form of simulation on a massive scale — by utilizing distributed cloud computing infrastructure and machine learning technology to run a swarm of hundreds of game engines, so it can support a more expansive virtual world than software running off a single engine or server.

Northzone partner Paul Murphy, who is leading the investment in Klang, told us: “It is unusual to raise for a specific title, and we are for all intents and purposes investing in Klang as a studio. We are very excited about the team and the creative potential of the studio. But our investment thesis is based on looking for something that really stands out and is wildly ambitious over and above everything else that’s out there. That is how we feel about the potential of Seed as a simulation.”

Undo gets $14M to scale to meet the software accountability challenge

Undo, a long-time player in the debugging tools space, offering its program execution capture and replay technology to help others diagnose software failures, has closed a $14 million Series B round led by Cambridge Innovation Capital, the Cambridge, UK-based builder of tech and healthcare companies.

The startup, founded in 2005 and initially bootstrapped (out of founder Greg Law’s garden shed), has come a long way, and now has more than 30 paying customers for what it describes as its “record, rewind and replay” debugging technology, including the likes of SAP HANA, Mentor Graphics, Cadence and Micro Focus.

A quick potted history: In 2012, Law quit his job to go full time on Undo, raising a small amount of angel funding and then $1.25M in seed investment in 2014, followed by $3.3M in Series A funding in 2016.

New investors in the Series B round include Global Brain Corporation, a Japanese venture capital fund; and UK-focused Parkwalk Advisors, while all Undo’s existing investor groups also participated — including Rockspring; Martlet; Sir Peter Michael (founder of Quantel, Classic FM and California’s Peter Michael Winery); the Cambridge Angels group and Jaan Tallinn (co-founder of Skype and Kazaa).

The Series B will be used to expand Undo’s software development team, accelerate product development and grow its US operations. Undo says its best markets so far are electronic design automation (EDA); database manufacturers/data management; and networking.

“This funding will be used to significantly improve performance as part of Undo’s always-on recording vision, and also to accelerate our product roadmap and broaden the technology beyond compiled code so that it can be used with Java and other VM-based languages,” it tells us.

“Our main competitor is the status quo — engineering organisations that do not evolve with the times. Old-school debugging techniques (e.g. printf, logging, core dump analysis) have been around for decades. 2000 was all about static analysis. 2010 was about dynamic analysis, 2020 will be about capturing software failures ‘in the act’ through capture & replay technology.”

Undo argues that its Live Recorder technology offers “a completely new way of diagnosing software failures during development and in production” — arguing that its approach is superior to traditional debugging techniques such as printf, logging, core dump analysis which are “general purpose and provide limited information”, while it says static and dynamic analysis “are deep but can only look at specific instances of bugs” — whereas it claims its tech “can capture failure instances across the whole spectrum and therefore plugs in the gaps which no-one else has filled yet”.

The UK company also sees a growing opportunity for its approach given increasingly complex and increasingly autonomous software risks becoming unaccountable, if it’s making decisions without people knowing how and why. So the wider vision for Undo is not just getting faster at fixing bugs but addressing the growing need for software makers to be able to articulate — and account for — what their programs are doing at any given moment.

“Longer term it’s about that journey towards software accountability,” says Law. “Software accountability is quite a broad thing — it really means the ability to be able to know for sure what some software did as it ran. And today that’s all about the programmer’s understanding of what their program has done. But actually it’s far more than just programmers that need to understand software — and particularly as we move into this second chapter of the information revolution where computers are beginning to make decisions that affect our lives and our livelihoods. I mean in the case of social media and Facebook and things, Western democracy! The ability to have that accountability behind software actions is going to become a really important thing. That’s a progressive journey that we’re on.

“So the question is what did the software actually do? And as we grow, and as time goes on, we’ll answer that question in progressively bigger and bigger contexts.”

Meero raises $45 million for its on-demand photography service

Have you ever wondered why photos on Airbnb, UberEats and your favorite hotel platform always look so good? French startup Meero has been working on a marketplace and AI-powered technology to make it easy to get good photos of products and places.

The company has raised a new $45 million round led by Alven Capital and Idinvest. Eight months ago, Meero already raised $15 million from Global Founders Capital, Aglaé Ventures, Alven Capital and White Star Capital.

“We focused on this idea because we wanted to make the web beautiful,” co-founder and CEO Thomas Rebaud told me last year. “We realized that we are all on Instagram and that photos are beautiful. But then, you go on a marketplace and photos aren’t great.”

The company first looked at the real estate market and partnered with real estate companies to optimize the photography process as much as possible.

It starts with finding a photographer. Instead of working with hundreds of photographers in hundreds of cities, Meero lets you find a photographer in over a hundred countries. Prices, contracts and processes are all standardized in order to avoid any surprises. Meero takes a cut on every transaction.

After the shooting, photographers usually have to spend hours selecting and editing the best photos. This usually takes even longer than the shooting itself.

Meero has been working on AI-powered algorithms so that you don’t have much to do. You upload your photos, and the service will automagically take care of the editing. By speeding up this process, a photographer can work on more projects. And Meero can also cut variable costs drastically — this is key when it comes to Meero’s scalability.

With today’s funding round, the startup is going to open new offices in the U.S. and somewhere in Asia. Meero will also hire more computer vision experts in France.

Meero currently has 40,000 clients and processes a new transaction every 30 seconds. Clients usually get photos within 24 hours. The company now also lets you order videos from the same platform.

Pointy raises $12M Series B to help bricks and mortar retailers fight Amazon

Pointy, the startup that offers tech to help bricks and mortar retailers put their stock online so that it can be discovered via search engines, has picked up $12 million in new funding. The Series B round is led by Polaris Partners and Vulcan Capital, and brings total funding for the Irish company to $19 million.

Founded on the premise that people often resort to e-commerce behemoths like Amazon because they can’t find the same item locally, Pointy has developed a hardware and cloud software solution that makes it easy to create a bespoke website as a means of making local stock discoverable online. Specifically, the “Pointy box” hardware gadget connects to a store’s barcode scanner and automatically puts scanned items on a Pointy-powered website for the store.

Store pages are then optimised for search engines, so that when you search for products locally — say your favourite artisan beer — a Pointy-powered result shows up and encourages you to visit the store and make a purchase. In other words, this is about helping local retailers drive more footfall, but with very little additional overhead.

Pointy CEO and co-founder Mark Cummins says the Series B round will be used by the startup to accelerate growth and build on an increased uptake by U.S. retailers. It currently counts 5,500 retailers using Pointy in total, with 70 percent from the U.S. and the remainder in Canada, the U.K. and Ireland. “To put the U.S. number in context, just under 1 in 200 U.S. retailers is now using Pointy,” a company spokesperson tells me.

Since we last covered Pointy, the startup has extended its reach considerably through partnerships with Lightspeed, Clover and Square, which allow retailers using these POS systems to use the Pointy platform for free, because it doesn’t require the purchase of the $499 Pointy device. It has also partnered with Google via the search giant’s new See What’s In Store (SWIS) program, so that shoppers can discover what a store sells within Google’s search and maps pages.

“For all the hype around e-commerce and the media narrative of ‘Retail Apocalypse’, people still make the vast majority of their purchases in local stores,” adds Cummins in a statement. “But local retailers have lost out in not having their products visible online – we solve that problem for them”.

Meanwhile, Pointy’s previous backers include Draper Associates, Frontline Ventures, and notable angel investors such as Matt Mullenweg (founder of WordPress), Lars Rasmussen (co-founder of Google Maps), Taavet Hinrikus (co-founder of TransferWise), and Michael Birch (co-founder of Bebo).

Xara Cloud is an easy to use design tool to help businesses create better looking content

Xara is on a mission to help businesses create better looking content, and in turn save us all from having to consume visually unappealing marketing and comms material. The German startup has developed Xara Cloud, a design tool that resides in the cloud and attempts to bridge the gap between professional design and business content created by non-design professionals.

Specifically, Xara Cloud consists of a drag and drop browser-based editor that lets you create designs using text, shapes, icons, charts and imported images, but with a few extra tricks up its sleeve. These include the ability to use off-the-shelf professionally created colour schemes or have the software create a new colour scheme based on an image, such as your company logo, that you’ve uploaded.

As you’d expect, you can also choose from a library of pre-made templates ranging from social media graphics to flyers and brochures to presentations. These can be designed on top of or tweaked ad nauseam, and in addition you can create your own templates to function as reusable assets.

The editor adheres to a smart grid system, too, which helps non-designers create more disciplined and visually appealing layouts. There are also collaboration features so you can easily create content as part of a team.

“The problem being solved is that there is a massive software gap between basic document editors like Word, PowerPoint, etc. and professional design software like Adobe,” Xara co-founder and CEO Matt Bolton tells me. “Xara Cloud is a robust suite of rich design and editing tools packaged in a drag and drop editing platform that allows anyone to create designer-quality documents… It is 100 percent browser-based with a consistent UI across all desktop and touch devices”.

Bolton says the business case for using Xara Cloud is that brand inconsistency impacts business revenue. “The estimated average revenue attributed to always presenting the brand consistently is 23 percent,” he says, citing a report by Zimmer Communication.

“Repetition and consistency are critical pillars of any branding effort. By a business presenting a brand consistently, over time, consumers will internalize the brand values and be more likely to purchase”.

To mitigate brand inconsistency, Xara Cloud lets you add your logo, fonts, and brand colours, which are then automatically applied to any of Xara Cloud’s templates. “This ensures that any document, no matter the type, will have the current and consistent brand when it reaches the customer,” adds the Xara co-founder.

Meanwhile, the Berlin-based startup is disclosing that it has raised €3 million in funding. Backing the young company is investment group Bellevue Investments & Co.

Ledger finally has a good app for its crypto wallet

French startup Ledger has been working for a while on a brand new app to manage your crypto assets on your computer. The company is designing and manufacturing one of the most secure hardware wallets out there.

While it’s clear that security has always been the first focus of the company, the user experience has been lacking, especially on the software front. The company launched a new app called Ledger Live to handle everything you used to do with Chrome apps before.

That’s right, before today, the company relied on Google Chrome for its desktop apps. You had to install the browser first, and then install a new app for each cryptocurrency. There was also a main app to update the firmware. It could quickly become a mess.

Now, everything is centralized in a single app. After downloading and installing the app on Windows, macOS or Linux, you can either configure the app with an existing Ledger device or configure a new Ledger wallet.

The app first checks the integrity of your device and then lets you manage the device. You can upgrade the firmware and install apps on your Ledger Nano S or Ledger Blue from the “Manager” tab.

More interestingly, you can now add all your wallets to the Ledger Live app. You won’t have to switch from one app to another to view your wallets. When you click the add button, the app will try and retrieve existing wallets on your device. You can also generate a new set of keys (and a new wallet) from there.

Once you’ve added all your wallets, you can get an overview of your entire portfolio. The app gets historical pricing information from popular exchanges, such as Kraken and Bitfinex. You can also click on individual accounts to see how a specific cryptocurrency has evolved over time.

The portfolio interface looks like a Coinbase account. It’s well-designed and it’s a great way to get a quick look at your accounts.

Many Ledger users have been using tracker websites and apps. These services let you enter a cryptocurrency and the amount you own to get an overview of everything you own independently of the wallet.

Ledger’s new app partially replaces tracker services. If you don’t need to check your balance from your phone, you can get enough information from the Ledger app. You can see your balance without having to plug in your Ledger device.

The company is already working on new features. You’ll be able to view and manage ERC20 tokens in the future. So if you invested in a bunch of obscure ICOs, your tokens will be there too.

Ledger also told me that you could imagine an integration with decentralized exchanges eventually. This way, you would be able to send tokens to an address and get another set of tokens back on another Ledger-generated address. It would be a great way to exchange cryptocurrencies without signing up to a centralized exchange and leaving the Ledger app.

Lodgify, the SaaS for vacation rentals, books $5M in Series A funding

Lodgify, the Barcelona-based SaaS for property owners to manage vacation rentals, today announced it has secured $5 million in Series A funding.

Existing backers Nauta Capital, Howzat Partners, and a number of angels participated, in addition to new investor Intermedia Vermögensverwaltung. It brings total funding for the Spanish startup to $7.3 million to date.

Primarily pitched as a way for property owners to grow their direct vacation rental bookings, as opposed to solely relying on platforms like Airbnb or Booking.com, the Lodgify SaaS enables the creation of a mobile-friendly website for each property. Crucially, this includes the ability to accept online bookings and take payment.

“Just like Shopify became the decentralised platform for businesses by democratizing access to e-commerce technology, Lodgify is empowering lodging operators with direct channel technology,” the company’s co-founder and CEO Dennis Klett tells me. “That allows them to build their own booking channel to generate more direct bookings”.

To help support this, Lodgify is attempting to fully automate the booking workflow for hosts: from booking management, to guest communication, to payment scheduling and refunding in case of refundable cancellations. “All these steps basically run on autopilot, empowering our hosts to be instantly bookable and eliminating time-consuming tasks for them,” Klett says.

As part of these efforts, the company is keeping an eye on the development of cryptocurrencies and “smart contracts”. Perhaps somewhat optimistically, Klett says this would allow for “self-executing and risk-free bookings”.

He is also bullish on the potential for direct bookings to continually grow, noting that a number of vacation booking sites, such as Housetrip, Roomorama and 9flats, have either consolidated or disappeared over the last couple of years.

“The direct channel is emerging to become a significant channel on par with the two to three major online travel agencies left in the market,” says Klett. “Since Lodgify’s primary product focus is on direct channel technology, we have been able to help our customers to significantly grow their share of direct bookings. This will remain our primary product focus for the coming years”.

That’s not to say Lodgify is ignoring Airbnb and Booking.com entirely. The startup’s software also supports both sites via “advanced API integrations,” making it easy to manage listings and for hosts to use Lodgify as a true multi-channel platform for direct and indirect bookings.

Meanwhile, I’m told Lodgify will use its Series A funding to scale the team, which now stands at 50 people, and to accelerate product development and increase marketing efforts globally. The company also recently hired Alex Vuilleumier as COO. He was previously a Director of Marketing at Expedia Group.

Timehop discloses July 4 data breach affecting 21 million

Timehop has disclosed a security breach that has compromised the personal data (names and emails) of 21 million users. Around a fifth of the affected users — or 4.7M — have also had a phone number that was attached to their account breached in the attack.

The startup, whose service plugs into users’ social media accounts to resurface posts and photos they may have forgotten about, says it discovered the attack while it was in progress, at 2:04 US Eastern Time on July 4, and was able to shut it down two hours, 19 minutes later — albeit, not before millions of people’s data had been breached.

According to its preliminary investigation of the incident, the attacker first accessed Timehop’s cloud environment in December — using compromised admin credentials, and apparently conducting reconnaissance for a few days that month, and again for another day in March and one in June, before going on to launch the attack on July 4, during a US holiday.

Timehop publicly disclosed the breach in a blog post on Saturday, several days after discovering the attack.

It says no social media content, financial data or Timehop data was affected by the breach — and its blog post emphasizes that none of the content its service routinely lifts from third party social networks in order to present back to users as digital “memories” was affected.

However, the keys that allow it to read and show users their social media content were compromised — so it has deactivated all keys, meaning Timehop users will have to re-authenticate to its app to continue using the service.

“If you have noticed any content not loading, it is because Timehop deactivated these proactively,” it writes, adding: “We have no evidence that any accounts were accessed without authorization.”

It does also admit that the tokens could “theoretically” have been used by unauthorized users to access Timehop users’ own social media posts during “a short time window” — although again it emphasizes “we have no evidence that this actually happened”.

“We want to be clear that these tokens do not give anyone (including Timehop) access to Facebook Messenger, or Direct Messages on Twitter or Instagram, or things that your friends post to your Facebook wall. In general, Timehop only has access to social media posts you post yourself to your profile,” it adds.

“The damage was limited because of our long-standing commitment to only use the data we absolutely need to provide our service. Timehop has never stored your credit card or any financial data, location data, or IP addresses; we don’t store copies of your social media profiles, we separate user information from social media content — and we delete our copies of your “Memories” after you’ve seen them.”

In terms of how its network was accessed, it appears that the attacker was able to compromise Timehop’s cloud computing environment by targeting an account that had not been protected by multifactor authentication.

That’s very clearly a major security failure — but one Timehop does not explicitly explain, writing only that: “We have now taken steps that include multifactor authentication to secure our authorization and access controls on all accounts.”

Part of its formal incident response, which it says began on July 5, was also to add multifactor authentication to “all accounts that did not already have them for all cloud-based services (not just in our Cloud Computing Provider)”. So evidently there was more than one vulnerable account for attackers to target.

Its exec team will certainly have questions to answer about why multifactor authentication was not universally enforced for all its cloud accounts.

For now, by way of explanation, it writes: “There is no such thing as perfect when it comes to cyber security but we are committed to protecting user data. As soon as the incident was recognized we began a program of security upgrades.” Which does have a distinct ‘stable door being locked after the horse has bolted’ feel to it.

It also writes that it carried out “the introduction of more pervasive encryption throughout our environment” — so, again, questions should be asked why it took an incident response to trigger a “more pervasive” security overhaul.

Also not entirely clear from Timehop’s blog post: When/if affected users were notified their information has been breached.

The company posted the blog post disclosing the security breach to its Twitter account on July 8. But prior to that its Twitter account was only noting that some “unscheduled maintenance” might be causing problems for users accessing the app…

We’ve reached out to the company with questions and will update this post with any response.

Timehop does say that at the same time as it was working to shut down the attack and tighten up its security, company executives contacted local and federal law enforcement officials — presumably to report the breach.

Breach reporting requirements are baked into Europe’s recently updated data protection framework, the GDPR, which puts the onus firmly on data controllers to disclose breaches to supervisory authorities — and to do so quickly — with the regulation setting a universal standard of within 72 hours of becoming aware of it (unless the personal data breach is unlikely to result in “a risk to the rights and freedoms of natural persons”).

Referencing GDPR, Timehop writes: “Although the GDPR regulations are vague on a breach of this type (a breach must be “likely to result in a risk to the rights and freedoms of the individuals”), we are being pro-active and notifying all EU users and have done so as quickly as possible. We have retained and have been working closely with our European-based GDPR specialists to assist us in this effort.”

The company also writes that it has engaged the services of an (unnamed) cyber threat intelligence company to look for evidence of users’ email addresses, phone numbers and names being posted or used online and on the Dark Web — saying that “while none have appeared to date, it is a high likelihood that they will soon appear”.

Timehop users who are worried the network intrusion and data breach might have impacted their “Streak” — aka the number Timehop displays to denote how many consecutive days they have opened the app — are being reassured by the company that “we will ensure all Streaks remain unaffected by this event”.

Watch all the interviews from TechCrunch Sessions: Blockchain

What a day. Yesterday, hundreds of people gathered in Zug, Switzerland for TechCrunch Sessions: Blockchain. In addition to some of the key people of the Ethereum Foundation, the team interviewed the entrepreneurs behind Binance, Coinbase, ConsenSys, CryptoKitties and many other organizations.

The event was packed with interesting content. But if you couldn’t be there in person, don’t worry as you can watch everything that happened in Zug:

Disclosure: I own small amounts of various cryptocurrencies.