India considering phased roll out of central bank digital currency

India’s central bank is considering launching a digital currency, according to a top executive, giving a clear indication of its intentions for the first time after previously stating that it was studying the idea.

T Rabi Sankar, the deputy governor of Reserve Bank of India, said at a conference today that the central bank is considering introducing the nation’s digital currency in a “phased” manner while legal changes are made to the South Asian nation’s foreign-exchange rules and IT laws.

The digital currency, which will be backed by the sovereign, will lower the economy’s reliance on cash, enable cheaper and smoother international settlements, and protect people from the volatility of private cryptocurrencies, he said.

“Every idea has to wait for its time, and the time for CBDC [central bank digital currency] is near. We have carefully evaluated the risks,” he told an audience at a conference held by think-tank Vidhi Centre for Legal Policy.

Sankar said the central bank’s “endeavor is that as we move forward [with the plan],” so that India’s digital currency “can reiterate its leadership position in payment systems of the world.”

The top executive’s remarks follow the European Central Bank saying last week that it will begin a 24-month “investigation phase” that, if successful, could lead to the creation of a digital euro by 2025.

Also last week, China’s central bank said its digital yuan trial had reached $5.3 billion in transaction value by the end of June.

“Central banks have increased their attention on digital currencies,” said Sankar. “CBDC will be in the arsenal of most if not all central banks in the world. A calibrated and nuanced approach will be considered at the drawing board as well as with stakeholder consultations,” he said, adding that the central bank has been exploring the benefits and risks of issuing a sovereign CBDC for “quite some time.”

“We have studied specific-purpose CBDCs proposed by different central banks around the world for wholesale and retail segments. The launch of a general-purpose CBDC for population scale is being considered, and RBI is working towards a phased introduction strategy and examining use cases with little or no disruption of India’s banking and monetary systems,” he said. “However, conducting pilots in wholesale and retail segments may be a possibility in near future.”

In his remarks, Sankar also hinted that the central bank hasn’t changed its stand on private cryptocurrencies such as bitcoin.

In 2018, an Indian government panel recommended banning all private cryptocurrencies and proposed up to 10 years of jail time for offenders. The panel also suggested that the government explore a digital version of the fiat currency and ways to implement it.

At the time, RBI said the move was necessary to curb “ring-fencing” of the country’s financial system. It had also argued that bitcoin and other cryptocurrencies cannot be treated as currencies as they are not made of metal or exist in physical form, nor were they stamped by the government.

“They are not commodities or claims on commodities as they have no intrinsic value; some claims that they are akin to gold clearly seem opportunistic,” Sankar said today.

The 2018 notice from the central bank sent several local startups and companies offering cryptocurrency trading services into a panic. Nearly all of them have since either closed shop or pivoted to serve other markets.

The notice was challenged by several exchanges and traders, who filed a lawsuit in the Supreme Court. The nation’s apex court ruled in their favor last year. The ruling was seen as “historic,” but it has yet to affect the earlier circular at the policy level. In the meantime, the country has hinted that it plans to introduce a law to ban private cryptocurrencies.

In the agenda published on the lower house website earlier this year, a piece of legislation sought to “prohibit all private cryptocurrencies in India,” but allow “for certain exceptions to promote the underlying technology [blockchain] of cryptocurrency and its uses.”

FTC puts hardware makers on warning for potential ‘unlawful repair restrictions’

As phones and other consumer devices have gained feature after feature, they have also declined in how easily they can be repaired, with Apple at the head of this ignoble pack. The FTC has taken note, admitting that the agency has been lax on this front but that going forward it will prioritize what could be illegal restrictions by companies as to how consumers can repair, repurpose, and reuse their own property.

Devices are often built today with no concessions made towards easy repair or refurbishment, or even once routine upgrades like adding RAM or swapping out an ailing battery. While companies like Apple do often support hardware for a long time in some respects, the trade-off seems to be that if you crack your screen, the maker is your only real option to fix it.

That’s a problem for many reasons, as right-to-repair activist and iFixit founder Kyle Wiens has argued indefatigably for years (the company posted proudly about the statement on its blog). The FTC sought comment on this topic back in 2019, issued a report on the state of things a few months ago, and now (perhaps emboldened by new Chair Lina Khan’s green light to all things fearful to big tech companies) has issued a policy statement.

The gist of the unanimously approved statement is that they found that the practice of deliberately restricting repairs may have serious repercussions, especially among people who don’t have the cash to pay the Apple tax for what ought to be (and once was) a simple repair.

The Commission’s report on repair restrictions explores and discusses a number of these issues and describes the hardships repair restrictions create for families and businesses. The Commission is concerned that this burden is borne more heavily by underserved communities, including communities of color and lower-income Americans. The pandemic exacerbated these effects as consumers relied more heavily on technology than ever before.

While unlawful repair restrictions have generally not been an enforcement priority for the Commission for a number of years, the Commission has determined that it will devote more enforcement resources to combat these practices. Accordingly, the Commission will now prioritize investigations into unlawful repair restrictions under relevant statutes…

The statement then makes four basic points. First, it reiterates the need for consumers and other public organizations to report and characterize what they perceive as unfair or problematic repair restrictions. The FTC doesn’t go out and spontaneously investigate companies; it generally needs a complaint to set the wheels in motion, such as people alleging that Facebook is misusing their data.

Second is a surprising antitrust tie-in, where the FTC says it will look at said restrictions aiming to answer whether monopolistic practices like tying and exclusionary design are in play. This could be something like refusing to allow upgrades, then charging an order of magnitude more than market price for something like a few extra gigs of storage or RAM, or designing products in such a way that it moots competition. Or perhaps arbitrary warranty violations for doing things like removing screws or taking the device to a third party for repairs. (Of course, these would depend on establishing monopoly status or market power for the company, something the FTC has had trouble doing.)

More in line with the FTC’s usual commercial regulations, it will assess whether the restrictions are “unfair acts or practices,” which is a much broader and easier-to-meet requirement. You don’t need a monopoly for claims of an “open standard” to be misleading, or for a hidden setting that slows the operation of third-party apps or peripherals to be unfair, for instance.

And lastly the agency mentions that it will be working with states in its push to establish new regulations and laws. This is perhaps a reference to the pioneering “right to repair” bills like the one passed by Massachusetts last year. Successes and failures along those lines will be taken into account and the feds and state policymakers will be comparing notes.

This isn’t the first movement in this direction by a long shot, but it is one of the plainest. Tech companies have seen the writing on the wall, and done things like expand independent repair programs — but it’s arguable that these actions were taken in anticipation of the FTC’s expected shift toward establishing hard lines on the topic.

The FTC isn’t showing its full hand here, but it’s certainly hinting that it’s ready to play if the companies involved want to push their luck. We’ll probably know more soon once it starts ingesting consumer complaints and builds a picture of the repair landscape.

Biden nominates another Big Tech enemy, this time to lead the DOJ’s antitrust division

The Biden administration tripled down on its commitment to reining in powerful tech companies Tuesday, proposing committed Big Tech critic Jonathan Kanter to lead the Justice Department’s antitrust division.

Kanter is a lawyer with a long track record of representing smaller companies like Yelp in antitrust cases against Google. He currently practices law at his own firm, which specializes in advocacy for state and federal antitrust enforcement.

“Throughout his career, Kanter has also been a leading advocate and expert in the effort to promote strong and meaningful antitrust enforcement and competition policy,” the White House press release stated. Progressives celebrated the nomination as a win, though some of Biden’s new antitrust hawks have enjoyed support from both political parties.

The Justice Department already has a major antitrust suit against Google in the works. The lawsuit, filed by Trump’s own Justice Department, accuses the company of “unlawfully maintaining monopolies” through anti-competitive practices in its search and search advertising businesses. If successfully confirmed, Kanter would be positioned to steer the DOJ’s big case against Google.

In a 2016 NYT op-ed, Kanter argued that Google is notorious for relying on an anti-competitive “playbook” to maintain its market dominance. Kanter pointed to Google’s long history of releasing free ad-supported products and eventually restricting competition through “discriminatory and exclusionary practices” in a given corner of the market.

Kanter is just the latest high-profile Big Tech critic that’s been elevated to a major regulatory role under Biden. Last month, Biden named fierce Amazon critic Lina Khan as FTC chair upon her confirmation to the agency. In March, Biden named another noted Big Tech critic, Columbia law professor Tim Wu, to the National Economic Council as a special assistant for tech and competition policy.

All signs point to the Biden White House gearing up for a major federal fight with Big Tech. Congress is working on a set of Big Tech bills, but in lieu of — or in tandem with — legislative reform, the White House can flex its own regulatory muscle through the FTC and DOJ.

In new comments to MSNBC, the White House confirmed that it is also “reviewing” Section 230 of the Communications Decency Act, a potent snippet of law that protects platforms from liability for user-generated content.

Maine’s facial recognition law shows bipartisan support for protecting privacy

Maine has joined a growing number of cities, counties and states that are rejecting dangerously biased surveillance technologies like facial recognition.

The new law, which is the strongest statewide facial recognition law in the country, not only received broad, bipartisan support, but it passed unanimously in both chambers of the state legislature. Lawmakers and advocates spanning the political spectrum — from the progressive lawmaker who sponsored the bill to the Republican members who voted it out of committee, from the ACLU of Maine to state law enforcement agencies — came together to secure this major victory for Mainers and anyone who cares about their right to privacy.

Maine is just the latest success story in the nationwide movement to ban or tightly regulate the use of facial recognition technology, an effort led by grassroots activists and organizations like the ACLU. From the Pine Tree State to the Golden State, national efforts to regulate facial recognition demonstrate a broad recognition that we can’t let technology determine the boundaries of our freedoms in the digital 21st century.

Facial recognition technology poses a profound threat to civil rights and civil liberties. Without democratic oversight, governments can use the technology as a tool for dragnet surveillance, threatening our freedoms of speech and association, due process rights, and right to be left alone. Democracy itself is at stake if this technology remains unregulated.

We know the burdens of facial recognition are not borne equally, as Black and brown communities — especially Muslim and immigrant communities — are already targets of discriminatory government surveillance. Making matters worse, face surveillance algorithms tend to have more difficulty accurately analyzing the faces of darker-skinned people, women, the elderly and children. Simply put: The technology is dangerous when it works — and when it doesn’t.

But not all approaches to regulating this technology are created equal. Maine is among the first in the nation to pass comprehensive statewide regulations. Washington was the first, passing a weak law in the face of strong opposition from civil rights, community and religious liberty organizations. The law passed in large part because of strong backing from Washington-based megacorporation Microsoft. Washington’s facial recognition law would still allow tech companies to sell their technology, worth millions of dollars, to every conceivable government agency.

In contrast, Maine’s law strikes a different path, putting the interests of ordinary Mainers above the profit motives of private companies.

Maine’s new law prohibits the use of facial recognition technology in most areas of government, including in public schools and for surveillance purposes. It creates carefully carved out exceptions for law enforcement to use facial recognition, creating standards for its use and avoiding the potential for abuse we’ve seen in other parts of the country. Importantly, it prohibits the use of facial recognition technology to conduct surveillance of people as they go about their business in Maine, attending political meetings and protests, visiting friends and family, and seeking out healthcare.

In Maine, law enforcement must now — among other limitations — meet a probable cause standard before making a facial recognition request, and they cannot use a facial recognition match as the sole basis to arrest or search someone. Nor can local police departments buy, possess or use their own facial recognition software, ensuring shady technologies like Clearview AI will not be used by Maine’s government officials behind closed doors, as has happened in other states.

Maine’s law and others like it are crucial to preventing communities from being harmed by new, untested surveillance technologies like facial recognition. But we need a federal approach, not only a piecemeal local approach, to effectively protect Americans’ privacy from facial surveillance. That’s why it’s crucial for Americans to support the Facial Recognition and Biometric Technology Moratorium Act, a bill introduced by members of both houses of Congress last month.

The ACLU supports this federal legislation that would protect all people in the United States from invasive surveillance. We urge all Americans to ask their members of Congress to join the movement to halt facial recognition technology and support it, too.

This tool tells you if NSO’s Pegasus spyware targeted your phone

Over the weekend, an international consortium of news outlets reported that several authoritarian governments — including Mexico, Morocco, and the United Arab Emirates — used spyware developed by NSO Group to hack into the phones of thousands of their most vocal critics, including journalists, activists, politicians and business executives.

A leaked list of 50,000 phone numbers of potential surveillance targets was obtained by Paris-based journalism non-profit Forbidden Stories and Amnesty International, and shared with the reporting consortium, including the Washington Post and The Guardian. Researchers analyzed the phones of dozens of victims to confirm they were targeted by the NSO’s Pegasus spyware, which can access all of the data on a person’s phone. The reports also confirm new details of the government customers themselves, which NSO Group closely guards. Hungary, a member of the European Union where privacy from surveillance is supposed to be a fundamental right for its 500 million residents, is named as an NSO customer.

The reporting shows for the first time how many individuals are likely targets of NSO’s intrusive device-level surveillance. Previous reporting had put the number of known victims in the hundreds or over a thousand.

NSO Group sharply rejected the claims. NSO has long said that it doesn’t know who its customers target, which it reiterated in a statement to TechCrunch on Monday.

Researchers at Amnesty, whose work was reviewed by the Citizen Lab at the University of Toronto, found that NSO can deliver Pegasus by sending a victim a link which when opened infects the phone, or silently and without any interaction at all through a “zero-click” exploit, which takes advantage of vulnerabilities in the iPhone’s software. Citizen Lab researcher Bill Marczak said in a tweet that NSO’s zero-clicks worked on iOS 14.6, which until today was the most up-to-date version.

Amnesty’s researchers showed their working by publishing meticulously detailed technical notes and a toolkit that they said may help others identify if their phones have been targeted by Pegasus.

The Mobile Verification Toolkit, or MVT, works on both iPhones and Android devices, but slightly differently. Amnesty said that more forensic traces were found on iPhones than on Android devices, which makes Pegasus easier to detect on iPhones. MVT will let you take an entire iPhone backup (or a full system dump if you jailbreak your phone) and scan it for any indicators of compromise (IOCs) known to be used by NSO to deliver Pegasus, such as domain names used in NSO’s infrastructure that might be sent by text message or email. If you have an encrypted iPhone backup, you can also use MVT to decrypt your backup without having to make a whole new copy.

The Terminal output from the MVT toolkit, which scans iPhone and Android backup files for indicators of compromise. (Image: TechCrunch)

The toolkit works on the command line, so it’s not a refined and polished user experience and requires some basic knowledge of how to navigate the terminal. We got it working in about ten minutes, plus the time to create a fresh backup of an iPhone, which you will want to do if you want to check up to the hour. To get the toolkit ready to scan your phone for signs of Pegasus, you’ll need to feed in Amnesty’s IOCs, which it has on its GitHub page. Any time the indicators of compromise file updates, download and use an up-to-date copy.

Once you set off the process, the toolkit scans your iPhone backup file for any evidence of compromise. The process took about a minute or two to run and spit out several files in a folder with the results of the scan. If the toolkit finds a possible compromise, it will say so in the output files. In our case, we got one “detection,” which turned out to be a false positive and has been removed from the IOCs after we checked with the Amnesty researchers. A new scan using the updated IOCs returned no signs of compromise.

Given it’s more difficult to detect an Android infection, MVT takes a similar but simpler approach by scanning your Android device backup for text messages with links to domains known to be used by NSO. The toolkit also lets you scan for potentially malicious applications installed on your device.
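The scanning step described above, as an added example that is not Amnesty’s MVT code and not part of the original article: a small Python script that reads a plain-text domain feed in the shape of a simple IOC list, pulls the links out of exported text messages, and reports which messages point at a listed domain or one of its subdomains. Every domain, phone number and message in it is a constructed placeholder, not real Pegasus infrastructure, and the message fields are an assumed export layout rather than MVT’s own format.

```python
"""Added example, not MVT code. Scans constructed SMS records for links whose
host matches a constructed IOC domain list, the way MVT scans a backup for
NSO infrastructure domains. All values below are placeholders."""
import re
from urllib.parse import urlparse

# Constructed IOC feed, one domain per line; '#' starts a comment. Placeholder values.
IOC_FEED = """
# constructed placeholder indicators, not real NSO domains
example-bad-cdn.test
update-service.invalid   # also matches any subdomain of this
"""

# Constructed sample messages, roughly the fields an SMS export would carry.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "+10000000001", "text": "Your package: https://example-bad-cdn.test/track?id=9"},
    {"id": 2, "from": "+10000000002", "text": "See you at 7, no links here"},
    {"id": 3, "from": "+10000000003", "text": "Docs at http://sub.update-service.invalid/doc.pdf"},
    # Looks similar but is a different registered domain: must NOT match.
    {"id": 4, "from": "+10000000004", "text": "Promo: https://example-bad-cdn.test.shop/deal"},
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def parse_ioc_feed(text):
    """Parse a one-domain-per-line feed; blank lines and '#' comments are ignored."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            domains.add(line)
    return domains


def matches_ioc(host, iocs):
    """True if host equals an IOC domain or is a subdomain of one.

    Matching on label boundaries (exact, or ending in '.' + domain) avoids the
    false positive where an unrelated host merely contains an IOC as a substring.
    """
    host = host.lower().rstrip(".")
    return any(host == bad or host.endswith("." + bad) for bad in iocs)


def extract_hosts(text):
    """Return the hostnames of every http(s) URL found in a message body."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host)
    return hosts


def scan_messages(messages, iocs):
    """Return detections as (message id, sender, matched host) tuples."""
    detections = []
    for msg in messages:
        for host in extract_hosts(msg["text"]):
            if matches_ioc(host, iocs):
                detections.append((msg["id"], msg["from"], host))
    return detections


IOC_DOMAINS = parse_ioc_feed(IOC_FEED)

if __name__ == "__main__":
    for msg_id, sender, host in scan_messages(SAMPLE_MESSAGES, IOC_DOMAINS):
        print(f"message {msg_id} from {sender}: link to listed domain {host}")
```

As the article’s own false positive shows, a hit against an indicator list is a lead to verify with the people maintaining the list, not proof of infection on its own, and the list should be re-downloaded before each scan because entries are added and withdrawn over time.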

The toolkit is — as command line tools go — relatively simple to use, and since the project is open source, before long someone will surely build a user interface for it. The project’s detailed documentation will help you — as it did us.


US blames China for Exchange server hacks and ransomware attacks

The Biden administration and its allies have formally accused China of the mass-hacking of Microsoft Exchange servers earlier this year, which prompted the FBI to intervene as concerns rose that the hacks could lead to widespread destruction.

The mass-hacking campaign targeted Microsoft Exchange email servers with four previously undiscovered vulnerabilities that allowed the hackers — which Microsoft already attributed to a China-backed group of hackers called Hafnium — to steal email mailboxes and address books from tens of thousands of organizations around the United States.

Microsoft released patches to fix the vulnerabilities, but the patches did not remove any backdoor code left behind by the hackers that might be used again for easy access to a hacked server. That prompted the FBI to secure a first-of-its-kind court order to effectively hack into the remaining hundreds of U.S.-based Exchange servers to remove the backdoor code. Computer incident response teams in countries around the world responded similarly by trying to notify organizations in their countries that were also affected by the attack.

In a statement out Monday, the Biden administration said the attack, launched by hackers backed by China’s Ministry of State Security, resulted in “significant remediation costs for its mostly private sector victims.”

“We have raised our concerns about both this incident and the [People’s Republic of China’s] broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace,” the statement read.

The National Security Agency also released details of the attacks to help network defenders identify potential routes of compromise.

Several allies, including the U.K. and the members of NATO, also backed the Biden administration in its findings. In a statement, the U.K. government found Beijing responsible for a “pervasive pattern” of hacking. The Chinese government has repeatedly denied claims of state-backed or sponsored hacking.

The Biden administration also blamed China’s Ministry of State Security for contracting with criminal hackers to conduct unsanctioned operations, like ransomware attacks, “for their own personal profit.” The government said it was aware that China-backed hackers have demanded millions of dollars in ransom demands against hacked companies. Last year, the Justice Department charged two Chinese spies for their role in a global hacking campaign that saw prosecutors accuse the hackers of operating for personal gain.

Although the U.S. has publicly engaged the Kremlin to try to stop it from giving ransomware gangs safe harbor to operate from within Russia’s borders, the U.S. has not previously accused Beijing of launching or being involved with ransomware attacks.

“The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” said Monday’s statement.

The statement also said that the China-backed hackers engaged in extortion and cryptojacking, a way of forcing a computer to run code that uses its computing resources to mine cryptocurrency, for financial gain.

The Justice Department also announced fresh charges against four China-backed hackers working for the Ministry of State Security, who U.S. prosecutors said used a front company to hide their efforts to steal intellectual property and infectious disease research (into Ebola, HIV and AIDS, and MERS) from victims based in the U.S., Norway, Switzerland and the United Kingdom.

“The breadth and duration of China’s hacking campaigns, including these efforts targeting a dozen countries across sectors ranging from healthcare and biomedical research to aviation and defense, remind us that no country or industry is safe. Today’s international condemnation shows that the world wants fair rules, where countries invest in innovation, not theft,” said deputy attorney general Lisa Monaco.

GSA blocks senator from reviewing documents used to approve Zoom for government use

The General Services Administration has denied a senator’s request to review documents Zoom submitted to have its software approved for use in the federal government.

The denial was in response to a letter sent by Democratic senator Ron Wyden to the GSA in May, expressing concern that the agency cleared Zoom for use by federal agencies just weeks before a major security vulnerability was discovered in the app.

Wyden said the discovery of the bug raises “serious questions about the quality of FedRAMP’s audits.”

Zoom was approved to operate in government in April 2019 after receiving its FedRAMP authorization. FedRAMP is a program operated by the GSA that ensures cloud services comply with a standardized set of security requirements designed to harden the service against some of the most common threats. Federal agencies cannot use cloud products or technologies that have not been cleared through it.

Months later, Zoom was forced to patch its Mac app after a security researcher found a flaw that could be abused to remotely switch on a user’s webcam without their permission. Apple was forced to intervene since users were still affected by the vulnerabilities even after uninstalling Zoom. As the pandemic spread and lockdowns were enforced, Zoom’s popularity skyrocketed — as did the scrutiny — including a technical analysis by reporters that found Zoom was not truly end-to-end encrypted as the company long claimed.

Wyden wrote to the GSA to say he found it “extremely concerning” that the security bugs were discovered after Zoom’s clearance. In the letter, the senator requested the documents known as the “security package,” which Zoom submitted as part of the FedRAMP authorization process, to understand how and why the app was cleared by GSA.

The GSA declined Wyden’s first request in July 2020 on the grounds that he was not a committee chair. In the new Biden administration, Wyden was named chair of the Senate Finance Committee and requested Zoom’s security package again.

But in a new letter sent to Wyden’s office late last month, GSA declined the request for the second time, citing security concerns.

“The security package you have requested contains highly sensitive proprietary and other confidential information relating to the security associated with the Zoom for Government product. Safeguarding this information is critical to maintaining the integrity of the offering and any government data it hosts,” said the GSA letter. “Based on our review, GSA believes that disclosure of the Zoom security package would create significant security risks.”

In response to the GSA’s letter, Wyden told TechCrunch that he was concerned that other flawed software may have been approved for use across the government.

“The intent of GSA’s FedRAMP program is good — to eliminate red tape so that multiple federal agencies don’t have to review the security of the same software. But it’s vitally important that whichever agency conducts the review do so thoroughly,” said Wyden. “I’m concerned that the government’s audit of Zoom missed serious cybersecurity flaws that were subsequently uncovered and exposed by security researchers. GSA’s refusal to share the Zoom audit with Congress calls into question the security of the other software products that GSA has approved for federal use.”

The people we spoke with who have first-hand knowledge of the FedRAMP process, either as government employees or at companies going through the certification, described FedRAMP as a comprehensive but by no means exhaustive list of checks that companies have to pass in order to meet the federal government’s security requirements.

Others said the process has its limits and would benefit from reform. One person with knowledge of how FedRAMP works said the process is not a complete audit of a product’s source code but closer to a checklist of best practices and compliance requirements. Much of it relies on trusting the vendor, the person said, describing it as “an honor system.” Another person said the FedRAMP process cannot catch every bug, as evidenced by the executive action President Biden took this week aimed at modernizing and improving the FedRAMP process.

Most of the people we spoke to weren’t surprised that Wyden’s office was denied the request, citing the sensitivity of a company’s FedRAMP security package.

The people said that companies going through the certification process have to provide highly technical details about the security of their product, which, if exposed, would almost certainly be damaging to the company. Knowing where security weaknesses might lie could tip off cybercriminals, one of the people said. Companies often spend millions improving their security ahead of a FedRAMP audit, but they wouldn’t risk going through the certification if they thought their trade secrets would leak, they added.

When asked by GSA why it objected to Wyden’s request, Zoom’s head of U.S. government relations Lauren Belive argued that handing over the security package “would set a dangerous precedent that would undermine the special trust and confidence” that companies place in the FedRAMP process.

GSA puts strict controls on who can access a FedRAMP security package. You need a federal government or military email address, which the senator’s office has. But the reason for GSA denying Wyden’s request still isn’t clear, and when reached, a GSA spokesperson would not explain how a member of Congress would obtain a company’s FedRAMP security package.

“GSA values its relationship with Congress and will continue to work with Senator Wyden and our committees of jurisdiction to provide appropriate information regarding our programs and operations,” said GSA spokesperson Christina Wilkes, adding:

“GSA works closely with private sector partners to provide a standardized approach to security authorizations for cloud services through the [FedRAMP]. Zoom’s FedRAMP security package and related documents provide detailed information regarding the security measures associated with the Zoom for Government product. GSA’s consistent practice with regard to sensitive security and trade secret information is to withhold the material absent an official written request of a congressional committee with jurisdiction, and pursuant to controls on further dissemination or publication of the information.”

GSA wouldn’t say which congressional committee had jurisdiction or whether Wyden’s role as chair of the Senate Finance Committee suffices, nor would the agency answer questions about the efficacy of the FedRAMP process raised by Wyden.

Zoom spokesperson Kelsey Knight said that cloud companies like Zoom “provide proprietary and confidential information to GSA as part of the FedRAMP authorization process with the understanding that it will be used only for their use in making authorization decisions. While we do not believe Zoom’s FedRAMP security package should be disclosed outside of this narrow purpose, we welcome conversations with lawmakers and other stakeholders about the security of Zoom for Government.”

Zoom said it has “engaged in security enhancements to continually improve its products,” and received FedRAMP reauthorization in 2020 and 2021 as part of its annual renewal. The company declined to say to what extent the Zoom app was audited as part of the FedRAMP process.

Over two dozen federal agencies use Zoom, including the Defense Department, Homeland Security, U.S. Customs and Border Protection, and the Executive Office of the President.

What the growing federal focus on ESG means for private markets

The increasing regulation of ESG (environmental, social, governance) disclosure reporting may have started in the public markets, but will almost certainly have downstream effects for private market actors — for founders, companies and investors.

Since his confirmation as the chair of the U.S. Securities and Exchange Commission in April, Gary Gensler has made reforming ESG disclosures concerning climate change risk and human capital a top priority. The SEC’s regulatory agenda confirms as much. And Gensler is not alone in his focus on ESG at the federal level.

President Joe Biden issued an executive order encouraging regulators to assess climate-related financial risk. At the end of March, Treasury Secretary Janet Yellen wrote on Twitter that “our future livelihoods … depend on the financial sector to build a more sustainable and resilient economy.” Congress is considering measures that would require increased ESG disclosures, including the Improving Corporate Governance Through Diversity Act, the Diversity and Inclusion Data Accountability and Transparency Act and the Climate Risk Disclosure Act.

This renewed federal focus on ESG issues will bolster the SEC’s effort to create disclosure practices for public companies and mutual funds. Regardless of whether these federal policies around ESG come to pass, they reflect a momentum that will almost certainly impact private markets:

  • Firms that want to go public — whether via SPAC, direct listing or traditional IPO — may have to seriously consider board diversity or environmental reporting in conjunction with — or well in advance of — their debuts.
  • Private companies seeking to align with public companies as vendors or partners may be expected to meet specific ESG requirements before the engagement.
  • Startup founders and venture funds raising capital may work to maintain the largest target market by proactively scoping ESG engagements to ensure they meet criteria for investors who may have their own ESG-focused investment requirements.

In his confirmation hearing before the Senate in early March, Gensler said, “Markets — and technology — are always changing. Our rules have to change along with them.”

The federal government is moving to increase regulation around ESG disclosure requirements with the goals of establishing greater transparency and metrics for public companies. These requirements are a response to the changing markets — demands from consumers, scrutiny from investors and a general insistence for higher corporate standards from society at large.

Private markets aren’t immune to these forces. Already, three-quarters of investors in a 2020 survey said it was very important to measure the success of sustainability initiatives, but they also said there’s been a lack of clarity on how to define and measure outcomes.

To be sure, private markets are not headed toward full-scale adoption of ESG regulations. They will not be subject to the same reporting or disclosures framework as their public counterparts. Not today, and possibly not for some time.

But we may begin to see private investors, funds and companies adapting to get ahead of ESG regulation and position themselves to effectively operate in a new — albeit adjacent — regulatory environment. In their case, the rules may not change — but the game could.

You can see fires, but now Qwake wants firefighters to see through them

When it comes to tough environments in which to build new technology, firefighting has to be among the most difficult. Smoke and heat can quickly damage hardware, and interference from fires will disrupt most forms of wireless communications, rendering software all but useless. From a technology perspective, not all that much has really changed in how people respond to blazes.

Qwake Technologies, a startup based in San Francisco, is looking to upgrade the firefighting game with a hardware augmented reality headset named C-THRU. Worn by responders, the device scans its surroundings and uploads key environmental data to the cloud, allowing all responders and incident commanders to share one common operating picture of their situation. The goal is to improve situational awareness and increase the effectiveness of firefighters, all while minimizing potential injuries and casualties.

The company, which was founded in 2015, just raised about $5.5 million in financing this week. The company’s CEO, Sam Cossman, declined to name the lead investor, citing a confidentiality clause in the term sheet. He characterized the strategic investor as a publicly-traded company, and Qwake is the first startup investment this company has made.

(Normally, I’d ignore fundings without these sorts of details, but given that I am obsessed with DisasterTech these days, why the hell not).

Qwake has had success in recent months with netting large government contracts as it approaches a wider release of its product in late-2021. It secured a $1.4 million contract from the Department of Homeland Security last year, and also secured a partnership with the U.S. Air Force along with RSA in April. In addition, it raised a bit of angel funding and participated in Verizon’s 5G First Responder Lab as part of its inaugural cohort (reminder that TechCrunch is still owned by Verizon).

Cossman, who founded Qwake along with John Long, Mike Ralston, and Omer Haciomeroglu, has long been interested in fires, and specifically volcanoes. For years, he has been an expeditionary videographer and innovator who climbed calderas and attempted to bridge the gap between audiences, humanitarian response, and science.

“A lot of the work that I have done up until this point was focused on earth science and volcanoes,” he said. “A lot of projects were focused on predicting volcanic eruptions and looking at using sensor networks and different things of that nature to make people who live in those regions that are exposed to volcanic threats safer.”

During one project in Nicaragua, his team suddenly found itself lost amidst the smoke of an active volcano. There were “thick, dense superheated volcanic gases that prevented us from navigating correctly,” Cossman said. He wanted to find technology that might help them navigate in those conditions in the future, so he explored the products available to firefighters. “We figured, ‘Surely these men and women have figured out how do you see in austere environments, how do you make quick decisions, etc.’”

He was left disappointed, but also with a new vision: to build such technology himself. And thus, Qwake was born. “I was pissed off that the men and women who arguably need this stuff more than anybody — certainly more than a consumer — didn’t have anywhere to get it, and yet it was entirely possible,” he said. “But it was only being talked about in science fiction, so I’ve dedicated the last six years or so to make this thing real.”

Building such a product required a diverse set of talent, including hardware engineering, neuroscience, firefighting, product design and more. “We started tinkering and building this prototype. And it very interestingly got the attention of the firefighting community,” Cossman said.

Qwake offers a helmet-based IoT product that firefighters wear to collect data from environments. Image Credits: Qwake Technologies

Qwake at the time didn’t know any firefighters, and as the founders did customer calls, they learned that sensors and cameras weren’t really what responders needed. Instead, they wanted more operational clarity: not just more data inputs, but systems that can take all that noise, synthesize it, and relay critical information to them about exactly what’s going on in an environment and what the next steps should be.

Ultimately, Qwake built a full solution, including both an IoT device that attaches to a firefighter’s helmet and also a tablet-based application that processes the sensor data coming in and attempts to synchronize information from all teams simultaneously. The cloud ties it all together.

So far, the company has design customers with the fire departments of Menlo Park, California and Boston. With the new funding, the team is looking to advance the state of its prototype and prepare it for scalable manufacturing ahead of a more public launch later this year.