Opera’s Africa fintech startup OPay gains $120M from Chinese investors

Africa focused fintech startup OPay has raised a $120 million Series B round backed by Chinese investors.

Located in Lagos and founded by consumer internet company Opera, OPay will use the funds to scale in Nigeria and expand its payments product to Kenya, Ghana and South Africa — Opera’s CFO Frode Jacobsen confirmed to TechCrunch.

Series B investors included Meituan-Dianping, GaoRong, Source Code Capital, Softbank Asia, BAI, Redpoint, IDG Capital, Sequoia China and GSR Ventures.

OPay’s $120 million round comes after the startup raised $50 million in June.

It also follows Visa’s $200 million investment in Nigerian fintech company Interswitch and a $40 million raise by Lagos based payments startup PalmPay — led by China’s Transsion.

There are a couple quick takeaways. Nigeria has become the epicenter for fintech VC and expansion in Africa. And Chinese investors have made an unmistakable pivot to African tech.

Opera’s activity on the continent represents both trends. The Norway based, Chinese (majority) owned company founded OPay in 2018 on the popularity of its internet search engine.

Opera’s web-browser has ranked No. 2 in usage in Africa, after Chrome, the last four years.

The company has built a hefty suite of internet-based commercial products in Nigeria around OPay’s financial utility. These include motorcycle ride-hail app ORide, OFood delivery service, and OLeads SME marketing and advertising vertical.

“Opay will facilitate the people in Nigeria, Ghana, South Africa, Kenya and other African countries with the best fintech ecosystem. We see ourselves as a key contributor to…helping local businesses…thrive from…digital business models,” Opera CEO and OPay Chairman Yahui Zhou, said in a statement.

Opera CFO Frode Jacobsen shed additional light on how OPay will deploy the $120 million across Opera’s Africa network. OPay looks to capture volume around bill payments and airtime purchases, but not necessarily as a priority. “That’s not something you do every day. We want to focus our services on things that have high-frequency usage,” said Jacobsen.

Those include transportation services, food services, and other types of daily activities, he explained. Jacobsen also noted OPay will use the $120 million to enter more countries in Africa than those disclosed.

Since its Series A raise, OPay in Nigeria has scaled to 140,000 active agents and $10 million in daily transaction volume, according to company stats.

Beyond standing out as another huge funding round, OPay’s $120 million VC raise has significance for Africa’s tech ecosystem on multiple levels.

It marks 2019 as the year Chinese investors went all in on the continent’s startup scene. OPay, PalmPay, and East African trucking logistics company Lori Systems have raised a combined $240 million from 15 different Chinese actors in a span of months.

OPay’s funding and expansion plans are also a harbinger of fierce, cross-border fintech competition in Africa’s digital finance space. Parallel events to watch for include Interswitch’s imminent IPO, e-commerce venture Jumia’s shift to digital finance, and WhatsApp’s likely entry in African payments.

The continent’s 1.2 billion people represent the largest share of the world’s unbanked and underbanked population — which makes fintech Africa’s most promising digital sector. But it’s becoming a notably crowded sector where startup attrition and failure will certainly come into play.

And not to be overlooked is how OPay’s capital raise moves Opera toward becoming a multi-service commercial internet platform in Africa.

This places OPay and its Opera-supported suite of products on a competitive footing with other ride-hail, food delivery and payments startups across the continent. That means inevitable competition between Opera and Africa’s largest multi-service internet company, Jumia.

Africa Roundup: Canal+ acquires ROK, Flutterwave and Alipay partner, OPay raises $50M

In July, French television company Canal+ acquired the ROK film studio from VOD company IROKOtv.

Canal+ would not disclose the acquisition price, but confirmed there was a cash component of the deal.

Founded by Jason Njoku in 2010 — and backed by $45 million in VC — IROKOtv boasts the world’s largest online catalog of Nollywood: a Nigerian movie genre that has become Africa’s de facto film industry and one of the largest globally (by production volume).

Based in Lagos, ROK film studios was incubated to create original content for IROKOtv, which can be accessed digitally anywhere in the world.

ROK studio founder and producer Mary Njoku will stay on as director general under the Canal+ acquisition.

With the ROK deal, Canal+ looks to bring the Nollywood production ethos to other African countries and regions. The new organization plans to send Nigerian production teams to French speaking African countries starting this year.

The ability to reach a larger advertising network of African consumers on the continent and internationally was a big acquisition play for Canal+.

San Francisco and Lagos-based fintech startup Flutterwave partnered with Chinese e-commerce company Alibaba’s Alipay to offer digital payments between Africa and China.

Flutterwave is a Nigerian-founded B2B payments service (primarily) for companies in Africa to pay other companies on the continent and abroad.

Alipay is Alibaba’s digital wallet and payments platform. In 2013, Alipay surpassed PayPal in payments volume and currently claims a global network of more than 1 billion active users, per Alibaba’s latest earnings report.

A large portion of Alipay’s network is in China, which makes the Flutterwave integration significant to capturing payments activity around the estimated $200 billion in China-Africa trade.

Flutterwave will earn revenue from the partnership by charging its standard 3.8% on international transactions. The company currently has more than 60,000 merchants on its platform, according to CEO Olugbenga Agboola.

In a recent Extra Crunch feature, TechCrunch tracked Flutterwave as one of several Africa-focused fintech companies that have established headquarters in San Francisco and operations in Africa to tap the best of both worlds in VC, developers, clients and digital finance.

Flutterwave’s Alipay collaboration also tracks a trend of increased presence of Chinese companies in African tech. July saw Chinese owned Opera raise $50 million in venture spending to support its growing West African digital commercial network, which includes browser, payments and ride-hail services. The funds are predominately for OPay, an Opera owned, Africa-focused mobile payments startup.

Lead investors included Sequoia China, IDG Capital and Source Code Capital. Opera also joined the round in the payments venture it created.

OPay will use the capital (which wasn’t given a stage designation) primarily to grow its digital finance business in Nigeria — Africa’s most populous nation and largest economy.

OPay will also support Opera’s growing commercial network in Nigeria, which includes motorcycle ride-hail app ORide and OFood delivery service.

Opera founded OPay in 2018 on the popularity of its internet search engine. Opera’s web-browser has ranked No. 2 in usage in Africa, after Chrome, the last four years.

July also saw transit tech news in East Africa. Global ride-hail startup InDriver launched its app-based service in Kampala (Uganda), bringing its Africa operating countries to four: Kenya, Uganda, South Africa and Tanzania. InDriver’s mobile app allows passengers to name their own fare for nearby drivers to accept, decline or counter.

Nairobi-based internet hardware and service startup BRCK and Egyptian ride-hail venture Swvl are partnering to bring Wi-Fi and online entertainment to on-demand bus service in Kenya.

BRCK is installing its routers on Swvl vehicles in Kenya to run its Moja service, which offers free public Wi-Fi — internet, music and entertainment — subsidized by commercial partners.

Founded in Cairo in 2017, Swvl is a mass transit service that has positioned itself as an Uber for shared buses.

The company raised a $42 million Series B round in June, with intent to expand in Africa, Swvl CEO Mostafa Kandil said in an interview.

BRCK and Swvl wouldn’t confirm plans on expanding their mobile internet partnership to additional countries outside of Kenya.

Africa’s ride-hail markets are becoming a multi-wheeled and global affair making the continent home to a number of fresh mobility use cases, including the BRCK and Swvl Wi-Fi partnership.


Three great opportunities for startups in the entertainment space

With over-the-top (OTT) changing the way we consume entertainment across devices, most of the media attention is going to the big players trying to elbow their way into the streaming space with big new subscription services and original programming. Less discussed is the suite of technologies that pave the way for those services to connect to their audience and monetize the content.

Okay, it’s true video compression, identity management, analytics, front-end personalization and device-specific experience optimization are not the sexiest topics in the media world. But without those core features and functions, the OTT revolution would be dead in its tracks. And with the big providers focused on content development, user acquisition and business model optimization, development of those technologies is wide open for innovative startups.

As always, entrepreneurs should look for cracks and gaps in the existing processes to find better solutions. Right now, the biggest systemic pains in the emerging OTT ecosystem are around the complexity of the fragmented user experience – having to sign in and out of multiple systems to get to the content we want to watch – and around adapting old mass-audience advertising models to the new era of multi-device, multi-platform, personalized viewing.

Here are three areas where small, nimble startups could make a real contribution to the industry.

Enabling the Evolving Advertising Model

Currently the streaming market is divided between ad-supported services and premium-fee subscription models, but that hard division is unlikely to survive the next wave of market disruption. Premium services like Netflix will need to introduce a lower-fee ad-based tier to expand their audience and compete with lower-priced offerings like Disney+. More fundamentally, streamers will need additional sources of revenue once they have harvested all the low-hanging fruit in terms of subscriber base growth. And because streamers have access to so much user-specific data, the potential for personalized advertising is vast.

Online ad-tech platforms are already scrambling to retool their marketplaces to serve streamers. Is that the right way to look at the new OTT ecosystem, or does the way we sell, serve and measure ads for streaming services need to evolve to address audiences binge-watching longform content rather than snacking on short-form listicles, GIFs and short videos?

There’s also a blue sky opportunity to monitor and measure the performance of interactive ads that provide click-through transactions for viewers watching on tablets or handheld devices. Early data shows these ads can be extremely effective… or they can be so annoying and intrusive that they risk alienating viewers entirely. Do we trust the big companies to get this balance right? Sounds to me like this is a job for small, focused, innovative startups with a single-minded devotion to solving one facet of this problem for the industry.


Reducing Platform Friction

One byproduct of the fragmentation of the old bundled cable viewing experience is the demise of the relatively simple program grid. What we found in the 00’s is that, even with 500+ channels available through some cable systems, you can make that simple and consumable for viewers if you present it intuitively and augment it with a little bit of intelligence.

Now that we’re entering a world in which each content provider requires membership in its private OTT service to access original content plus its archive of movies and shows, it’s no longer so simple. In fact, there’s a lot of friction and overhead between the user and their shows.

We see a huge opportunity for startups to address this by creating a meta-layer on top of the fragmented streaming environment that abstracts away the complexity for viewers while preserving the underlying integrity of the individual services. This layer would act like a web browser, passing user access credentials seamlessly to each site to simplify sign in, standardizing the presentation of content and ads, and securely passing user data to each back end system.

The big players have invested specifically in making these platforms closed and proprietary to maximize their own competitive advantage. You can’t count on them to fix a situation that they perceive as being in their individual interests, even if it ends up hurting the industry and the ecosystem as a whole. But there’s a great opportunity for an outside innovator to come in and disrupt this model before it ossifies into a near-monopoly situation for a few carriers.

Telephone switchboard operators circa 1914. Photo courtesy Flickr and reynermedia.

Personalizing Content

The third big opportunity also addresses this big consumer pain point of complexity, specifically around having too many content choices and no road map for finding the programs we want to see. Once again, this is a problem we were able to solve in the old bundled cable era with smart collaborative filtering technologies, recommendations, and automation that allowed people to essentially build their own personalized content channels featuring stuff they already liked and might possibly like.

Fragmentation of content across closed services makes that more challenging. Luckily, AI capabilities have evolved as well, to the point that we don’t need to think only in terms of personalizing viewing options, but personalizing the entire viewing experience.

Again, business incentives dictate that each OTT service develop its own UX to differentiate itself from competitors, but those incentives work against the desires of viewers to have a simple way to find and view content that’s standard across whatever services they use. There’s a great opportunity for startups to bring forward all that we’ve learned about UX design, customization and personalization, plus a layer of AI to simplify search and discovery of content users prefer, to make the whole streaming world much simpler.

Open Innovation Starts with IP

These are just a few examples of areas where disruptive innovators can fix problems that the industry leaders can’t or won’t. We believe that an open model for innovation needs to be part of the conversation around the future of entertainment, and that conversation must include small insurgent companies as well as the giant incumbents. But for that model to work, we need to ensure that the IP rights of those companies are protected and respected.

If we can stick by those principles, we can create a more stable foundation for the post-cable world of TV entertainment, bring new solutions to market more quickly and more efficiently, and continue to delight audiences with great content rather than frustrating them with complexity and impossible choices.

Space startup Wyvern wants to make data about Earth’s health much more accessible

The private space industry is seeing a revolution driven by cube satellites, which are affordable, lightweight satellites that are much easier than traditional satellites to design, build and launch. It’s paving the way for new businesses like Wyvern, an Alberta-based startup that provides a very specific service that wouldn’t even have been possible to offer a decade ago: Relatively low-cost access to hyperspectral imaging taken from low-Earth orbit, which is a method for capturing image data of Earth across many more bands than we’re able to see with our eyes or traditional optics.

Wyvern’s founding team, including CEO Chris Robson, CTO Kristen Cote, CSO Callie Lissinna and VP of Engineering/COO Kurtis Broda, had experience building satellites through their schooling, including working on building the first-ever satellite in space designed and built in Alberta, Ex-Alta 1. They’ve also developed their own proprietary optical technology to develop the kind of imagery that will best serve the needs of the clients they’re pursuing. Their first target market, for instance, are farmers, who will be able to log into the commercial version of their product and get up-to-date hyperspectral imaging data of their fields, which can help them optimize yield, detect changes in soil makeup (which will tell them if they have too little nitrogen) or even help them spot invasive plants and insects.

“We’re doing all sorts of things that directly affect the bottom line of farmers,” explained Robson in an interview. “If you can detect them, and you can quantify them, and the farmers can make decisions on how to act and ultimately how to increase the bottom line. A lot of those things you can’t do with multi-spectral [imaging] right now, for example, you can’t speciate with multi-spectral, so you can’t detect invasive species.”

Multi-spectral imaging, in contrast to hyperspectral imaging, measures light on average in between three to 15 bands, while hyperspectral can manage as many as hundreds of adjoining or neighboring bands, which is why it can do more specialist things like identifying the species of animals on the ground in an observed area from a satellite’s perspective.

Hyperspectral imaging is already a proven technology in use around the world for exactly these purposes, but the main way it’s captured is via drone airplanes, which Robson says is much more costly and less efficient than using CubeSats in orbit.

“Drone airplanes are really expensive, and with us, we’re able to provide it for 10 times less than a lot of these drones currently in use,” he said.

Wyvern’s business model will focus on owning and operating the satellites; providing access to the data, it caters to customers in a way that’s easy for anyone to access and use.

“Our key differentiator is the fact that we allow access to actual actionable information,” Robson said. “Which means that if you want to order imagery, you do it through a web browser, instead of calling somebody up and waiting one to three days to get a price on it, and to find out whether they could even do what you’re asking.”

Robson says that it’s only even become possible and affordable to do this because of advances in optics (“Our optical system allows us to basically put what should be a big satellite into the form factor of a small one without breaking the laws of physics,” Robson told me), small satellites, data storage and monitoring stations, and privatized launches making space accessible through hitching a ride on a launch alongside other clients.

Wyvern will also occupy its own, underserved niche providing this highly specialized info, first to agricultural clients, and then expanding to five other verticals, including forestry, water quality monitoring, environmental monitoring and defense. This isn’t something other more generalist satellite imaging providers like Planet Labs will likely be interested in pursuing, Robson said, because it’s an entirely different kind of business with entirely different equipment, clientele and needs. Eventually, Wyvern hopes to be able to open more broadly access to the data it’s gathering.

“You have the right to access [information regarding] the health of the Earth regardless of who you are, what government you’re under, what country you’re a part of or where you are in the world,” he said. “You have the right to see how other humans are treating the Earth, and to see how you’re treating the Earth and how your country is behaving. But you also have the right to take care of the Earth, because we’re super predators. We’re the most intelligent species. We are; we have the responsibility of being stewards of the Earth. And part of that, though, is being able to add almost omniscience of what’s going on in the Earth in the same way that we understand what’s going on in our bodies. That’s what we want for people.”

Right now, Wyvern is very early on the trajectory of making this happen — they’re working on their first round of funding, and have been speaking to potential customers and getting their initial product validation work finalized. But with actual experience building and launching satellites, and a demonstrated appetite for what they want to build, it seems like they’re off to a promising start.

Backer of Musical.ly, Grindr and Opera to invest $50M in self-driving startup Pony.ai

A games publisher in China is following the path of its larger peer Tencent to back a wide spectrum of startups for financial gains. Beijing Kunlun Wanwei, or Kunlun, announced in a filing this week that it plans to inject $50 million into autonomous driving startup Pony.ai in exchange for a 3 percent stake.

Pony.ai confirmed the investment with TechCrunch in an email response, adding that the money contributes to its pre-B round of financing. The startup last pocketed $102 million that valued it at nearly $1 billion. It’s raised $214 million in total fundings to date according to data from CrunchBase.

Shanghai-listed Kunlun has its bets on one of China’s most aggressive smart driving companies. Pony.ai, co-founded by James Peng, formerly a leader in Baidu’s self-driving division, was only second to Baidu in total autonomous miles driven in Beijing last year (although by a large margin).

While neither Kunlun nor Pony.ai provided an inkling of possible strategic collaboration between them, next-gen vehicles have become a much sought-after space for hosting entertainment content, and without a doubt that includes video games.

Few outside China’s internet industry know of Kunlun, which has over the years been squeezed by industry leaders Tencent and NetEase. The 11-year-old company has, however, gradually earned its reputation as a savvy investor. Led by Zhou Yahui, a shrewd investor himself, Kunlun has backed companies that broadened distribution channels for its gaming titles. Other fundings appear more tangential. Here’s a taste of Kunlun’s lucrative portfolio:

Musical.ly: Kunlun laid out $20 million for Musical.ly and cashed out $41.08 million when Bytedance acquired Musical.ly in 2017, according to a filing. Musical.ly is now part of the popular short video app TikTok.

Inke: Back in 2016, Kunlun invested 68 million yuan ($10 million) in live streaming company Inke. By 2017 it had sold all its stakes in the startup and was poised to cash out a total of 824 million yuan ($123 million) after the transaction completed, according to a filing. Inke is currently the third-largest live streaming app by monthly active devices in China, says data from iResearch.

Opera: Kunlun was part of a consortium that acquired the web browser in 2016 when it shelled out $600 million in investment. Through the consortium, Kunlun now owns a 48 percent stake in Opera, which floated on Nasdaq in 2018.

Grindr: Kunlun paid $93 million for a 60 percent stake in Grindr, the popular dating app for gay, bisexual, transgender and queer users, back in 2016 and completed the buyout with $152 million in fundings in 2018. Kunlun is reportedly looking to sell Grindr after the Committee on Foreign Investment in the United States decided its ownership of the dating app may threaten national security.

Qudian: Kunlun owned a 19.2 percent stake in Qudian when the micro-lender became one of the first Chinese fintech companies to list on Nasdaq. Kunlun has since been selling its stakes through a gradual exit and Zhou recently told analysts that his firm was expected to make around 2 billion yuan ($300 million) in profit from the Qudian investment.

Mozilla’s free password manager, Firefox Lockbox, launches on Android

Mozilla’s free password manager designed for users of the Firefox web browser is today officially arriving on Android. The standalone app, called Firefox Lockbox, offers a simple if a bit basic way for users to access from their mobile device their logins already stored in their Firefox browser.

The app is nowhere near as developed as password managers like 1Password, Dashlane, LastPass and others as it lacks common features like the ability to add, edit or delete passwords; suggest complex passwords; or alert you to potentially compromised passwords resulting from data breaches, among other things.

However, the app is free — and if you’re already using Firefox’s browser, it’s at the very least a more secure alternative to writing down your passwords in an unprotected notepad app, for example. And you can opt to enable Lockbox as an Autofill service on Android.

But the app is really just a companion to Firefox. The passwords in Lockbox securely sync to the app from the Firefox browser — they aren’t entered by hand. For security, the app can be locked with facial recognition or a fingerprint (depending on device support). The passwords are also encrypted in a way that doesn’t allow Mozilla to read your data, it explains in a FAQ.

Firefox Lockbox is now one of several projects Mozilla developed through its now-shuttered Test Flight program. Over a few years’ time, the program had allowed the organization to trial more experimental features — some of which made their way to official products, like the recently launched file-sharing app, Firefox Send.

Others in the program — including Firefox Color, Side View, Firefox Notes, Price Tracker and Email Tabs — remain available, but are no longer actively developed beyond occasional maintenance releases. Mozilla’s current focus is on its suite of “privacy-first” solutions, not its other handy utilities.

According to Mozilla, Lockbox was downloaded more than 50,000 times on iOS ahead of today’s Android launch.

The Android version is a free download on Google Play.

EU gov’t and public health sites lousy with adtech, study finds

A study of tracking cookies running on government and public sector health websites in the European Union has found commercial adtech to be operating pervasively even in what should be core not-for-profit corners of the Internet.

The researchers used searches including queries related to HIV, mental health, pregnancy, alcoholism and cancer to examine how frequently European Internet users are tracked when accessing national health service webpages to look for publicly funded information about sensitive concerns.

The study also found that most EU government websites have commercial trackers embedded on them, with 89 per cent of official government websites found to contain third party ad tracking technology.

The research was carried out by Cookiebot using its own cookie scanning technology to examine trackers on public sector websites, scanning 184,683 pages on all 28 EU main government websites.

Only the Spanish, German and the Dutch websites were found not to contain any commercial trackers.

The highest number of tracking companies were present on the websites of the French (52), Latvian (27), Belgian (19) and Greek (18) governments.

The researchers also ran a sub-set of 15 health-related queries across six EU countries (UK, Ireland, Spain, France, Italy and Germany) to identify relevant landing pages hosted on the websites of the corresponding national health service — going on to count and identify tracking domains operating on the landing pages.

Overall, they found a majority (52 per cent) of landing pages on the national health services of the six EU countries contained third party trackers.

Broken down by market, the Irish health service ranked worst — with 73 per cent of landing pages containing trackers.

While the UK, Spain, France and Italy had trackers on 60 per cent, 53 per cent, 47 per cent and 47 per cent of landing pages, respectively.

Germany ranked lowest of the six, yet they still found a third of the health service landing pages contained trackers.

Searches on publicly funded health service sites being compromised by the presence of adtech suggests highly sensitive inferences could be being made about web users by the commercial companies behind the trackers.

Cookiebot found a very long list of companies involved — flagging for example how 63 companies were monitoring a single German webpage about maternity leave; and 21 different companies were monitoring a single French webpage about abortion.

“Vulnerable citizens who seek official health advice are shown to be suffering sensitive personal data leakage,” it writes in the report. “Their behaviour on these sites can be used to infer sensitive facts about their health condition and life situation. This data will be processed and often resold by the ad tech industry, and is likely to be used to target ads, and potentially affect economic outcomes, such as insurance risk scores.”

“These citizens have no clear way to prevent this leakage, understand where their data is sent, or to correct or delete the data,” it warns. 

It’s worth noting that Cookiebot and its parent company Cybot’s core business is related to selling EU data protection compliance services. So it’s not without its own commercial interests here. Though there’s no doubting the underlying adtech sprawl the report flags.

Where there’s some fuzziness is around exactly what these trackers are doing, as some could be used for benign site functions like website analytics.

Albeit, if/when the owner of the freebie analytics services in question is also adtech giant Google that still may not feel reassuring, from a privacy point of view.

100+ firms tracking EU public sector site users

Across both government and health service websites, Cookiebot says it identified a total of 112 companies using trackers that send data to a total of 131 third party tracking domains.

It also found 10 companies which actively masked their identity — with no website hosted at their tracking domains, and domain ownership (WHOIS) records hidden by domain privacy services, meaning they could not be identified. That’s obviously of concern. 

Here’s the table of identified tracking companies — which, disclosure alert, includes AOL and Yahoo which are owned by TechCrunch’s parent company, Verizon.

Adtech giants Google and Facebook are also among adtech companies tracking users across government and health service websites, along with a few other well known tech names — such as Oracle, Microsoft and Twitter.

Cookiebot’s study names Google “the kingpin of tracking” — finding the company performed more than twice as much tracking as any other, seemingly as a result of Google owning several of the most dominant ad tracking domains.

Google-owned YouTube.com, DoubleClick.net and Google.com were the top three tracking domains IDed by the study. 

“Through the combination of these domains, Google tracks website visits to 82% of the EU’s main government websites,” Cookiebot writes. “On each of the 22 main government websites on which YouTube videos have been installed, YouTube has automatically loaded a tracker from DoubleClick.net (Google’s primary ad serving domain). Using DoubleClick.net and Google.com, Google tracks visits to 43% of the scanned health service landing pages.”

“Given its control of many of the Internet’s top platforms (Google Analytics, Maps, YouTube, etc.), it is no surprise that Google has greater success at gaining tracking access to more webpages than anyone else,” it continues. “It is of special concern that Google is capable of cross-referencing its trackers with its 1st party account details from popular consumer-oriented services such as Google Mail, Search, and Android apps (to name a few) to easily associate web activity with the identities of real people.”

Under European data protection law “subjective” information that’s associated with an individual — such as opinions or assessments — is absolutely considered personal data.

So tracker-fuelled inferences being made about site visitors are subject to EU data protection law — which has even more strict rules around the processing of sensitive categories of information like health data.

That in turn suggests that any adtech companies doing third-party-tracking of Internet users and linking sensitive health queries to individual identities would need explicit user consent to do so.

The presence of adtech trackers on sensitive health data pages certainly raises plenty of questions.

We asked Google for a response to the Cookiebot report, and a spokesperson sent us the following statement regarding sensitive category data specifically — in which it claims: “We do not permit publishers to use our technology to collect or build targeting lists based on users’ sensitive information, including health conditions like pregnancy or HIV.”

Google also claims it does not itself infer sensitive user interest categories.

Furthermore it said its policies for personalized ads prohibit its advertisers from collecting or using sensitive interest categories to target users. (Though saying you’re telling someone not to do something is not the same as that thing not being done. That would depend on the enforcement.)

Google’s spokesperson was also keen to point to its EU user consent policy — where it says it requires site owners that use its services to ensure they have correct disclosures and consents for personalised ads and cookies from European end users.

The company warns it may suspend or terminate a site’s use of its services if they have not obtained the right disclosures and consents. It adds there’s no exception for government sites.

On tags and disclosure generally, the Google spokesperson provided the following comment: “Our policies are clear: If website publishers choose to use Google web or advertising products, they must obtain consent for cookies associated with those products.”

Where Google Analytics cookies are concerned, Google said traffic data is only collected and processed per instructions it receives from site owners and publishers — further emphasizing that such data would not be used for ads or Google purposes without authorization from the website owner or publisher.

Albeit sloppy implementations of freebie Google tools by resource-strapped public sector site administrators might make such authorizations all too easy to unintentionally enable.

So, tl;dr — as Google tells it — the onus for privacy compliance is on the public sector websites themselves.

Though given the complex and opaque mesh of technology that’s grown up sheltering under the modern ‘adtech’ umbrella, opting out of this network’s clutches entirely may be rather easier said than done.

Cookiebot’s founder, Daniel Johannsen, makes a similar point to Google’s in the report intro, writing: “Although the governments presumably do not control or benefit from the documented data collection, they still allow the safety and privacy of their citizens to be compromised within the confines of their digital domains — in violation of the laws that they have themselves put in place.”

“More than nine months into the GDPR [General Data Protection Regulation], a trillion-dollar industry is continuing to systematically monitor the online activity of EU citizens, often with the unintentional assistance of the very governments that should be regulating it,” he adds, calling for public sector bodies to “lead by example – at a minimum by shutting down any digital rights infringements that they are facilitating on their own websites”.

“The fact that so many public sector websites have failed to protect themselves and their visitors against the inventive methods of the tracking industry clearly demonstrates the educational challenge that the wider web faces: How can any organisation live up to its GDPR and ePrivacy obligations if it does not control unauthorised tracking actors accessing their website?”

Trackers creeping in by the backdoor

On the “inventive methods” front, the report flags how third party javascript technologies — used by websites for functions like video players, social sharing widgets, web analytics, galleries and comments sections — can offer a particularly sneaky route for trackers to be smuggled into sites and apps by the ‘backdoor’.

Cookiebot gives the example of social sharing tool, ShareThis, which automatically adds buttons to each webpage to make it easy for visitors to share information across social media platforms.

The ShareThis social plugin is used by Ireland’s public health service, the Health Service Executive (HSE). And there Cookiebot found it releases trackers from more than 20 ad tech companies into every webpage it is installed on.

“By analysing web pages on HSE.ie, we found that ShareThis loads 25 other trackers, which track users without permission,” it writes. “This result was confirmed on pages linked from search queries for “mortality rates of cancer patients” and “symptoms of postpartum depression”.”

“Although website operators like the HSE do control which 3rd parties (like ShareThis) they add to their websites, they have no direct control over what additional “4th parties” those 3rd parties might smuggle in,” it warns.

We’ve reached out to ShareThis for a response.
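The “4th party” problem Cookiebot describes can be audited from a page's request log. The sketch below is an added example, not code from the report: it walks each request's initiator chain and reports which third party brought in which further domains. All hostnames and the `{ url, initiator }` log format are constructed for illustration, and the two-label domain shortcut is an assumption.

```javascript
// Assumption: registrable domain = last two DNS labels. A production audit
// should use the Public Suffix List instead of this shortcut.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Constructed sample log. `initiator` is the URL of the document or script
// that triggered the request (null for the top-level page).
const SAMPLE_REQUESTS = [
  { url: 'https://www.health-example.ie/conditions/page.html', initiator: null },
  { url: 'https://www.health-example.ie/js/site.js',
    initiator: 'https://www.health-example.ie/conditions/page.html' },
  { url: 'https://cdn.sharewidget.example/buttons.js',
    initiator: 'https://www.health-example.ie/conditions/page.html' },
  { url: 'https://sync.adtech-one.example/pixel?uid=1',
    initiator: 'https://cdn.sharewidget.example/buttons.js' },
  { url: 'https://t.adtech-two.example/collect.js',
    initiator: 'https://cdn.sharewidget.example/buttons.js' },
  { url: 'https://match.adtech-three.example/id',
    initiator: 'https://t.adtech-two.example/collect.js' },
  { url: 'https://video.player.example/embed.js',
    initiator: 'https://www.health-example.ie/js/site.js' },
];

function auditParties(requests) {
  const byUrl = new Map(requests.map((r) => [r.url, r]));
  const root = requests.find((r) => r.initiator === null);
  if (!root) throw new Error('log has no top-level document');
  const firstParty = siteOf(root.url);

  const direct = new Set();   // third parties embedded by first-party code
  const smuggled = new Map(); // third party -> Set of domains it brought in

  for (const req of requests) {
    const site = siteOf(req.url);
    if (site === firstParty) continue;

    // Walk up the initiator chain. The last foreign site seen on the way up
    // is the outermost one, i.e. the vendor the site operator actually chose.
    let introducer = null;
    const seen = new Set(); // guards against cyclic initiator data
    let parent = byUrl.get(req.initiator);
    while (parent && !seen.has(parent.url)) {
      seen.add(parent.url);
      const parentSite = siteOf(parent.url);
      if (parentSite !== firstParty) introducer = parentSite;
      parent = byUrl.get(parent.initiator);
    }

    if (introducer === null || introducer === site) {
      direct.add(site); // loaded by first-party code, or by the vendor itself
    } else {
      if (!smuggled.has(introducer)) smuggled.set(introducer, new Set());
      smuggled.get(introducer).add(site);
    }
  }

  return {
    firstParty,
    thirdParties: [...direct].sort(),
    fourthParties: Object.fromEntries(
      [...smuggled].map(([vendor, sites]) => [vendor, [...sites].sort()])),
  };
}

console.log(JSON.stringify(auditParties(SAMPLE_REQUESTS), null, 2));
```

On the sample log, the one sharing widget the operator embedded accounts for three further tracking domains that appear nowhere in the site's own markup.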

Another example flagged by the report is what Cookiebot dubs “YouTube’s Tracking Cover-Up”.

Here it says it found that even when a website has enabled YouTube’s so-called “Privacy-enhanced Mode”, in a bid to limit its ability to track site users, the mode “currently stores an identifier named “yt-remote-device-id” in the web browser’s “Local Storage”” which Cookiebot found “allows tracking to continue regardless of whether users click, watch, or in any other way interact with a video – contrary to Google’s claims”.

“Rather than disabling tracking, “privacy-enhanced mode” seems to cover it up,” they claim. 

Google did not provide an on the record comment regarding that portion of the report.

Instead the company sent some background information about “privacy-enhanced mode” — though its points did not engage at all with Cookiebot’s claim that tracking continues regardless of whether a user watches or interacts with a video in any way.

Overall, Google’s main point of rebuttal vis-a-vis the report’s conclusion — i.e. that even on public sector sites surveillance capitalism is carrying on business as usual — is that not all cookies and pixels are ad trackers. So its claim is a cookie ‘signal’ might just be harmless background ‘noise’.

(In additional background comments Google suggested that if a website is running an advertising campaign using its services — which presumably might be possible in a public sector scenario if an embedded YouTube video contains an ad (for example) — then an advertising cookie could be a conversion pixel used (only) to measure the effectiveness of the ad, rather than to track a user for ad targeting.

For DoubleClick cookies on websites in general, Google told us this type of cookie would only appear if the website specifically signed up with its ad services or another vendor which uses its ad services.

It further claimed it does not embed tracking pixels on random pages or via Google Analytics with Doubleclick cookies.)

The problem here is the lack of transparency in the adtech industry which requires users to take ad targeters at their word — and trust that an adtech giant like Google, which makes pots of money off of tracking web users to target them with ads, has nonetheless built perfectly privacy-respecting, non-leaky infrastructure that operates 100% as separately and cleanly as claimed, even as the entire adtech industry’s business incentives are pushing in the opposite direction.

Also a problem: Certain adtech giants having a long and storied history of bundling purposes for user data and manipulating consent in privacy-hostile ways.

And with trust in adtech at such a historic low — plus regulation having been rebooted in Europe to put the focus on enforcement (which is encouraging a cottage industry of GDPR ‘compliance’ services to wade in) — the industry’s preferred cloak of complex opacity is under attack on multiple fronts (including from policymakers) and does look to be on borrowed time.

And as more light shines in and risk steps up, sensitive public sector websites could just decide to nix using any of these freebie plugins.

In another “inventive” case study highlighted by the report, Cookiebot writes that it documented instances of Facebook using a first party cookie workaround for Safari’s intelligent tracker blocking system to harvest user data on two Irish and UK health landing pages.

So even though Apple’s browser natively purges third party cookies to enhance user privacy by default, Facebook’s engineers appear to have managed to create a workaround.

Cookiebot says this works by Facebook’s new first party cookie — “_fbp” — storing a unique user ID that’s then forwarded as a URL parameter in the pixel tracker “tr” to Facebook.com — “thus allowing Facebook to track users after all”, i.e. despite Safari’s best efforts to prevent pervasive third party tracking.

“In our study, this combined tracking practice was documented on 2 Irish and UK landing pages featuring health information about HIV and mental illness,” it writes. “These types of workarounds of browser tracking prevention are highly intrusive as they undermine users’ attempts to protect their personal data – even when using browsers and extensions with the most advanced protection settings.”
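A site operator can check for the pattern described above by comparing first-party cookie values against the query strings of outgoing third-party requests. This added example (not code from the Cookiebot report) generalises the check from `_fbp` to any first-party cookie. The cookie values, pixel ID, hostnames other than facebook.com, and the parameter names in the sample requests are constructed, and the minimum-length threshold is an assumption.

```javascript
// Assumption: registrable domain = last two DNS labels (use the Public
// Suffix List in a real audit).
function registrableSite(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Assumption: values shorter than this ("en", "1") are not user identifiers
// and would only generate false positives.
const MIN_ID_LENGTH = 8;

// Constructed sample data for a health information page.
const SAMPLE_PAGE = 'https://www.health-example.ie/conditions/hiv';
const SAMPLE_COOKIES = {
  _fbp: 'fb.1.1552000000000.1234567890', // first-party cookie named in the report
  lang: 'en',
  session_hint: 'a1b2c3d4e5f6',
};
const SAMPLE_REQUEST_URLS = [
  // Pixel request carrying the first-party ID as a URL parameter.
  'https://www.facebook.com/tr?id=000000000000000&ev=PageView&fbp=fb.1.1552000000000.1234567890',
  // First-party API call: ignored.
  'https://www.health-example.ie/api/articles?lang=en',
  // Third party, but only a short non-identifying value is shared.
  'https://stats.analytics.example/collect?lang=en&page=%2Fhiv',
  // Identifier embedded inside a percent-encoded composite value.
  'https://sync.adtech-one.example/m?u=x%3Aa1b2c3d4e5f6%3Ay',
];

function findCookieLeaks(pageUrl, firstPartyCookies, requestUrls) {
  const firstParty = registrableSite(pageUrl);
  const candidates = Object.entries(firstPartyCookies)
    .filter(([, value]) => value.length >= MIN_ID_LENGTH);

  const findings = [];
  for (const raw of requestUrls) {
    const url = new URL(raw);
    const destination = registrableSite(raw);
    if (destination === firstParty) continue;

    // searchParams yields percent-decoded values, so encoded IDs still match.
    for (const [param, paramValue] of url.searchParams) {
      for (const [cookie, cookieValue] of candidates) {
        if (paramValue.includes(cookieValue)) {
          findings.push({
            cookie,
            destination,
            endpoint: url.hostname + url.pathname,
            param,
          });
        }
      }
    }
  }
  return findings;
}

for (const f of findCookieLeaks(SAMPLE_PAGE, SAMPLE_COOKIES, SAMPLE_REQUEST_URLS)) {
  console.log(`${f.cookie} -> ${f.endpoint} (param "${f.param}")`);
}
```

Because the cookie is set on the site's own domain, browser-side third-party cookie blocking does not see it; the match only shows up when request URLs are inspected like this.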

Reached for a response to the Cookiebot report Facebook also did not engage with the case study of its Safari third party cookie workaround.

Instead, a spokesman sent us the following line: “[Cookiebot’s] investigation highlights websites that have chosen to use Facebook’s Business Tools — for example, the Like and Share buttons, or the Facebook pixel. Our Business Tools help websites and apps grow their communities or better understand how people use their services. For example, we could tell them that their site is most popular among people aged 20-25.”

In further information provided to us on background the company confirmed that data it receives from websites can be used for enhancing ad targeting on Facebook. (It said Facebook users can switch off ad personalization based on such signals — via the “Ads Based on Data from Partners” setting in Ad Preferences.)

It also said organizations that make use of its tools are subject to its Business Tools terms — which Facebook said require them to provide users with notice and obtain any required legal consent, including being clear with users about any information they share with it. 

Facebook further claimed it prohibits apps and websites from sending it sensitive data — saying it takes steps to detect and remove data that should not be shared with it.

ePrivacy Regulation needed to raise the bar

Commenting on the report in a statement, Diego Naranjo, senior policy advisor at digital rights group EDRi, called for European regulators to step up to defend citizens’ privacy.

“For the last 20 years, Europe has fought to regulate the sprawling chaos of data tracking. The GDPR is a historical attempt to bring the information economy in line with our core civil liberties, securing the same level of democratic control and trust online as we take for granted in our offline world. Yet, as this study has provided evidence of, nine months into the new regulation, online tracking remains as hidden, uncontrollable, and plentiful as ever,” he writes in the report. “We stress that it is the duty of regulators to ensure their citizens’ privacy.”

Naranjo also warned that another EU privacy regulation, the ePrivacy Regulation — which is intended to deal directly with tracking technologies — risks being watered down.

In the wake of GDPR it’s become the focus of major lobbying efforts, as we’ve reported before.

“One of the great added values of the ePrivacy Regulation is that it is meant to raise the bar for companies and other actors who want to track citizens’ behaviour on the Internet. Regrettably, now we are seeing signs of the ePrivacy Regulation becoming watered out, specifically in areas concerning “legitimate interest” and “consent”,” he warns.

“A watering down of the ePrivacy Regulation will open a Pandora’s box of more and more sharing, merging and reselling of personal data in huge online commercial surveillance networks, in which citizens are being unwittingly tracked and micro-targeted with commercial and political manipulation. Instead, the ePrivacy Regulation must set the bar high in line with the wishes of the European Parliament, securing that the privacy of our fellow citizens does not succumb to the dominion of the ad tech industry.”

Opera Touch brings website cookie blocking to iOS

Last fall, Opera introduced Opera Touch for iOS – a solid alternative to Safari on iPhone, optimized for one-handed use. Today, the company is rolling out a notable new feature to this app: cookie blocking. Yes, it can now block those annoying dialogs that ask you to accept the website’s cookies. These are particularly problematic on mobile, where they often entirely interrupt your ability to view the content, as opposed to on many desktop websites where you can (kind of) ignore the pop-up banner that appears at the bottom or the top of the page.

Cookie dialogs have become prevalent across the web as a result of Europe’s GDPR, but many people find them overly intrusive. Today, it takes an extra click to dismiss these prompts, which slows down web browsing – especially for those times you’re on the hunt for a particular piece of information and are visiting several websites in rapid succession.

The cookie blocking feature was first launched in November on Opera’s flagship app for Android, but hadn’t yet made its way to iOS – through any browser app, that is, not just one from Opera. The company says it uses a mix of CSS and JavaScript heuristics in order to block the prompts.

At the time of the launch, Opera noted it had tested the feature with some 15,000 sites.

It’s important to note that the default setting for the cookie blocker on Opera Touch will allow the websites to set cookies.

Here’s how it works. When you enable the feature, it will hide the dialog boxes from appearing, allowing you to read a website without having to first close the prompt. However, when you turn on the Cookie Blocker option, another setting is also switched on: one that says “automatically accept cookie dialogs.”

That means, in practice, when you’re enabling the Cookie Blocker, you’re also enabling cookie acceptance if you don’t take further action.

But Opera says you can disable this checkbox, if you don’t want your browser to give websites your acceptance.

In addition to the new cookie blocking, the browser has a number of other options that make it an interesting alternative to Safari on iOS or Google Chrome.

For example, it offers built-in ad blocking, cryptocurrency mining protection (which prevents malicious sites from using your device’s resources to mine for cryptocurrencies), a way to send web content to your PC through Opera’s “Flow” technology, and – most importantly – a design focused on using the app with just one hand.

Since the app’s launch in April, the company has rolled out 23 new features in total. These include a new dark theme, as well as the addition of a private mode, plus search engine choice which offers 11 options, including Qwant and DuckDuckGo, and other features.

The app is a free download on iOS.

How to browse the web securely and privately


So you want to browse the web securely and privately? Here’s a hard truth: it’s almost impossible.

It’s not just your internet provider that knows which sites you visit, it’s also the government — and other governments! And when it’s not them, it’s social media sites, ad networks or apps tracking you across the web to serve you specific and targeted ads. Your web browsing history can be highly personal. It can reveal your health concerns, your political beliefs and even your porn habits — you name it. Why should anyone other than you know those things?

Any time you visit a website, you leave a trail of data behind you. You can’t stop it all — that’s just how the internet works. But there are plenty of things that you can do to reduce your footprint.

Here are a few tips to cover most of your bases.

A VPN can help hide your identity, but doesn’t make you anonymous

You might have heard that a VPN — or a virtual private network — might keep your internet traffic safe from snoopers. Well, not really.

A VPN lets you create a dedicated tunnel that all of your internet traffic flows through — usually a VPN server — allowing you to hide your internet traffic from your internet provider. That’s good if you’re in a country where censorship or surveillance is rife or trying to avoid location-based blocking. But otherwise, you’re just sending all of your internet traffic to a VPN provider instead. Essentially, you have to choose who you trust more: your VPN provider or your internet provider. The problem is, most free VPN providers make their money by selling your data or serving you ads — and some are just downright shady. Even if you use a premium VPN provider for privacy, they can connect your payment information to your internet traffic, and many VPN providers don’t even bother to encrypt your data.

Some VPN providers are better than others: tried, tested — and trusted — by security professionals.

Services like WireGuard are highly recommended, and are available on a variety of devices and systems — including iPhones and iPads. We recently profiled the Guardian Mobile Firewall, a smart firewall-type app for your iPhone that securely tunnels your data anonymously so that even its creators don’t know who you are. The app also prevents apps on your phone from tracking you and accessing your data, like your contacts or your geolocation.

As TechCrunch’s Romain Dillet explains, the best VPN providers are the ones that you control yourself. You can create your own Algo VPN server in just a few minutes. Algo is created by Trail of Bits, a highly trusted and respected security company in New York. The source code is available on GitHub, making it far more difficult to covertly insert backdoors into the code.

With your own Algo VPN setup, you control the connection, the server, and your data.

You’ll need a secure DNS

What does it mean that “your internet provider knows what sites you visit,” anyway?

Behind the scenes on the internet, DNS — or Domain Name System — converts web addresses into computer-readable IP addresses. Most devices automatically use the resolver that’s set by the network you’re connected to — usually your internet provider. That means your internet provider knows what websites you’re visiting. And recently, Congress passed a law allowing your internet provider to sell your browsing history to advertisers.

You need a secure and private DNS provider. Many use publicly available services — like OpenDNS or Google’s Public DNS. They’re easy to set up — usually on your computer or device, or on your home router.

One recommended offering is Cloudflare’s secure DNS, which it calls 1.1.1.1. Cloudflare encrypts your traffic, won’t use your data to serve ads, and doesn’t store your IP address for any longer than 24 hours. You can get started here, and you can even download Cloudflare’s 1.1.1.1 app from Apple’s App Store and Google Play.

HTTPS is your friend

One of the best things for personal internet security is HTTPS.

HTTPS secures your connection from your phone or your computer all the way to the site you’re visiting. Most major websites are HTTPS-enabled, and appear as such with a green padlock in the address bar. HTTPS makes it almost impossible for someone to spy on your internet traffic, or to intercept and steal your data in transit.

Every time your browser lights up in green or flashes a padlock, HTTPS encrypts the connection between your computer and the website. Even when you’re on a public Wi-Fi network, an HTTPS-enabled website will protect you from snoopers on the same network.

Every day, the web becomes more secure, but there’s a way to go. Some websites are HTTPS ready but don’t have it enabled by default. That means you’re loading an unencrypted HTTP page when you could be accessing a fully HTTPS page.

That’s where one browser extension, HTTPS Everywhere, comes into play. This extension automatically forces websites to load HTTPS by default. It’s a lightweight, handy tool that you’ll forget is even there.

Reconsider your web plug-ins

Remember Flash? How about Java? You probably haven’t seen much of them recently, because the web has evolved to render them obsolete. Both Flash and Java, two once-popular web plug-ins, let you view interactive content in your web browser. But nowadays, most of that has been replaced by HTML5, a technology native to your web browser.

Flash and Java were long derided for their perpetual state of insecurity. They were full of bugs and vulnerabilities that plagued the internet for years — so much so that web browsers started to pull the plug on Java back in 2015, with Flash set to sunset in 2020. Good riddance!

If you don’t use them — and most people don’t anymore — you should remove them. Just having them installed can put you at risk of attack. It takes just a minute to uninstall Flash on Windows and Mac, and to uninstall Java on Windows and Mac.

Most browsers — like Firefox and Chrome — let you run other add-ons or extensions to improve your web experience. Like apps on your phone, they often require certain access to your browser, your data or even your computer. Although browser extensions are usually vetted and checked to prevent malicious use, sometimes bad extensions slip through the net. Sometimes, extensions that were once fine are automatically updated to contain malicious code or secretly mine cryptocurrency in the background.

There’s no simple rule to what’s a good extension and what isn’t. Use your judgment. Make sure each extension you install doesn’t ask for more access than you think it needs. And make sure you uninstall or remove any extension that you no longer use.

These plug-ins and extensions can protect you

There are some extensions that are worth their weight in gold. You should consider:

  • An ad-blocker: Ad-blockers are great for blocking ads — as the name suggests — but also the privacy-invasive code that can track you across sites. uBlock is a popular, efficient open source blocker that doesn’t consume as much memory as AdBlock and others. Many ad-blockers now permit “acceptable ads” that allow publishers to still make money but aren’t memory hogs or intrusive — like the ones that take over your screen. Ad-blockers also make websites load much faster.
  • A cross-site tracker blocker: Privacy Badger is a great tool that blocks tiny “pixel”-sized trackers that are hidden on web pages but track you from site to site, learning more about you to serve you ads. To advertisers and trackers, it’s as if you vanish. Ghostery is another example of an advanced-level anti-tracker that aims to protect the user by default from hidden trackers.

And you could also consider switching to more privacy-minded search engines, like DuckDuckGo, a popular search engine that promises to never store your personal information and doesn’t track you to serve ads.

Use Tor if you want a better shot at anonymity

But if you’re on the quest for anonymity, you’ll want Tor.

Tor, known as the anonymity network, is a protocol that bounces your internet traffic through a series of random relay servers dotted across the world, which scrambles your data and covers your tracks. You can configure it on most devices and routers. Most people who use Tor will simply use the Tor Browser, a preconfigured and locked-down version of Firefox that’s good to go from the start — whether it’s a regular website, or an .onion site — a special top-level domain used exclusively for websites accessible only over Tor.

Tor makes it near-impossible for anyone to snoop on your web traffic, know which site you’re visiting, or that you are the person accessing the site. Activists and journalists often use Tor to circumvent censorship and surveillance.

But Tor isn’t a silver bullet. Although the browser is the most common way to access Tor, it also — somewhat ironically — exposes users to the greatest risk. Although the Tor protocol is largely secure, most of the bugs and issues will be in the browser. The FBI has been known to use hacking tools to exploit vulnerabilities in the browser in an effort to unmask criminals who use Tor. That puts the many ordinary, privacy-minded people who use Tor at risk, too.

It’s important to keep the Tor browser up to date and to adhere to its warnings. The Tor Project, which maintains the technology, has a list of suggestions — including changing your browsing behavior — to ensure you’re as protected as you can be. That includes not using web plug-ins, not downloading documents and files through Tor, and keeping an eye out for in-app warnings that advise you on the best action.

Just don’t expect Tor to be fast. It’s not good for streaming video or accessing bandwidth-hungry sites. For that, a VPN would probably be better.

Check out our full Cybersecurity 101 guides here.

Mozilla adds website breach notifications to Firefox

Mozilla is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has recently reported a data breach.

When a Firefox user lands on a website with a breach in its recent past they’ll see a pop up notification informing them of the barebones details of the breach and suggesting they check to see if their information was compromised.

“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla said today. “This new functionality will gradually roll out to Firefox users over the coming weeks.”

Here’s an example of what the site breach notifications look like and the kind of detail they will provide:

Mozilla’s website breach notification feature in Firefox

Mozilla is tying the site breach notification feature to an email account breach notification service it launched earlier this year, called Firefox Monitor, which it also said today is now available in an additional 26 languages.

Firefox users can click through to Monitor when they get a pop up about a site breach to check whether their own email was involved.

As with Firefox Monitor, Mozilla is relying on a list of breached websites provided by its partner, Troy Hunt’s pioneering breach notification service, Have I Been Pwned.

There can of course be a fine line between feeling informed and feeling spammed with too much information when you’re just trying to get on with browsing the web. But Mozilla looks to be sensitive to that because it’s limiting breach notifications to one per breached site. It will also only raise a flag if the breach itself occurred in the past 12 months.

Data breaches are an unfortunate staple of digital life, stepping up in recent years in frequency and size along with big data services. That in turn has cranked up awareness of the problem. And in Europe tighter laws were introduced this May to bring in a universal breach disclosure requirement and raise penalties for data protection failures.

The GDPR framework also generally encourages data controllers and processors to improve their security systems given the risk of much heftier fines.

Although it will likely take some time for any increases in security investments triggered by the regulation to filter down and translate into fewer breaches — if indeed the law ends up having that hoped for impact.

But one early win for GDPR is it has greased the pipe for companies to promptly disclose breaches. This means it’s helping to generate more up-to-date security information which consumers can in turn use to inform the digital choices they make. So the regulation looks to be generating positive incentives.