Author: Anthony Ha

Crimson Hexagon regains Facebook data access

Analytics company Crimson Hexagon says Facebook has reinstated its data access to Facebook and Instagram.

That access was suspended last month, with Facebook saying it was investigating whether the company had violated any of its data use policies. (The social network, of course, has been dealing with the fallout from a separate controversy over user data.)

In this case, the issue appears to be related to some of Crimson Hexagon’s contracts with the U.S. government, with Facebook saying it wasn’t aware of those contracts when contacted by The Wall Street Journal.

What followed, according to a blog post by Crimson Hexagon Dan Shore, was “several weeks of constructive discussion and information exchange.” It seems that Facebook was satisfied with what it learned and ended Crimson Hexagon’s suspension.

Shore said that government customers make up less than 5 percent of the company’s business, adding, “To our knowledge, no government customer has used the Crimson Hexagon platform for surveillance of any individual or group.”

“Over time we have enhanced our vetting procedures for government customers,” he said. “Nevertheless, we recognize it is important to go beyond vetting by monitoring these government customers on an ongoing basis to ensure the public’s expectations of privacy are met. As governments and government-sponsored organizations change how they use data, we too must change.”

Tinder founders sue parent companies Match and IAC for at least $2B

A group of Tinder founders and executives has filed a lawsuit against parent company Match Group and its controlling shareholder IAC.

The plaintiffs in the suit include Tinder co-founders Sean Rad, Justin Mateen and Jonathan Badeen — Badeen still works at Tinder, as do plaintiffs James Kim (the company’s vice president of finance) and Rosette Pambakian (its vice president of marketing and communications).

We’ve reached out to IAC for comment, as well as Pambakian, who’s served as our main contact at Tinder. We’ll update the post if we hear back.

The suit alleges that IAC and Match Group manipulated financial data in order to create “a fake lowball valuation” (to quote the plaintiffs’ press release), then stripped Rad, Mateen, Badeen and others of their stock options. It points to the removal of Rad as CEO, as well as other management changes, as moves designed “to allow Defendants to control the valuation of Tinder and deprive Tinder optionholders of their right to participate in the company’s future success.”

The lawsuit also alleges that Greg Blatt, the Match CEO who became CEO of Tinder as well, groped and sexually harassed Pambakian at the company’s 2016 holiday party, supposedly leading the company to “whitewash” his actions long enough for him to complete the valuation of Tinder and its merger with Match Group, and then to announce his departure.

In response, the plaintiffs are asking for “compensatory damages in an amount to be determined at trial, but not less than $2,000,000,000.”

“We were always concerned about IAC’s reputation for ignoring their contractual commitments and acting like the rules don’t apply to them,” Rad said in the release. “But we never imagined the lengths they would go to cheat all the people who built Tinder. The Tinder team — especially the plaintiffs who are currently senior leaders at the company — have shown tremendous strength in exposing IAC/Match’s systematic violation of employees’ rights.”

As-filed complaint.pdf by TechCrunch on Scribd

Portal offers an easy way to pay creators for their content

Portal founder Jonathan Swerdlin is just the latest media pundit to point to advertising as the root cause of the industry’s problems. But he’s not content to diagnose the illness — he thinks he’s created a cure.

“Digital media has become toxic, in part, because of advertising,” Swerdlin said. “The unmet and unarticulated need is a peer-to-peer economy where you’re rewarded for creating value, rather than a quantity model” where a publisher or creator’s main economic incentive is to attract as many eyeballs as possible.

Naturally, that’s what Swerdlin is trying to offer in Portal. When you open the app, you follow creators and topics that interest you, then get presented with a feed of videos. During or after the video, you can tip the creator in Portal coins — the current price is 1 cent per coin, and individual payments can be anything from 10 to 10,000 coins.

This changes the equation for creators. If you’re monetizing a video with ads, 1,000 views would represent a negligible amount of ad revenue — but if 1,000 people like the video and are willing to pay a dollar, then then you’re starting to talk about real money.

Conversely, there’s no financial incentive to post a video on Portal that gets a million views if everyone’s going to think it’s a complete waste of their time.

Swerdlin said removing advertising changes the incentives for Portal too, because the startup doesn’t benefit from promoting content just because it’ll get clicks.

In fact, he said Portal will pretty allow users to post anything, as long as it doesn’t violate community standards around things like pornography and hate speech. And it presents a purely reverse chronological feed of content based on what you follow — the question of surfacing interesting content in the feed will probably get more complicated as more users join the platform, but Swerdlin argued, “We don’t need algorithms to solve feed problems.”

“We’re not going to bury things that are not advertiser-friendly,” he added. “It’s a very different game. Portal is very much about people having a place to freely express themselves and not worry about being buried by an algorithm.”

Swerdlin acknowledged that these aren’t entirely new ideas or strategies — micropayments have been touted as a solution to media monetization for years, and he pointed to services like Netflix and Medium as offering models that help creators “break free of advertising.”

At the same time, Swerdlin said Portal’s approach to payments is truly offers “no friction” — it’s uses your App Store payment info, so you don’t even need to enter your credit information. He also said that by creating an app for content (rather than just a micropayment platform that plugs into existing websites), Portal can truly solving the problem by offering a media environment that’s “safe, it’s a healthy media diet, as opposed ot the juunk food.”

Currently, Portal’s content is limited to videos, but those videos cover a range of topics and genres like advice (personal- and business-related), comedy, music and personal vlogging. Over time, Swerdlin wants to expand to other content formats.

You also need an invite code to access the app, but if you want to try it out, feel free to use mine: “anthonyha”. (Don’t blame me; I didn’t choose it.)

Maisie Williams shows off Daisie, an app for artistic collaboration

Maisie Williams, who’s best-known for playing Arya Stark on Game of Thrones, announced earlier this year that she’s founding a startup called Daisie. With the app set to launch on August 1, Williams and her co-founder Dom Santry came by the TechCrunch New York office to discuss her plans for the company.

Daisie will offer a way for filmmakers, musicians, visual artists, writers and other creators to showcase their work and find collaborators. The startup has already picked an initial 100 creators to kick things off.

Williams and Santry also gave us a quick runthrough of the app. At first glance, it might look like other social media services, but there are no follower counts, as Williams (who has no shortage of followers) explained: “If you have follower counts it then becomes about a competition, like a popularity contest between who can get the most.”

In addition, she noted that social media followings are generally one-sided, whereas Daisie is all about enabling “chains” of users who aren’t just viewing your profile, but can actually view your projects and contribute.

“A chain is where you reach out to someone who is in your area — or maybe even not,” she said. “So connecting with someone you’re inspired by, reaching out to them and saying, ‘Hey, I have this 30-second video of me singing the song, but I realized I’m actually a better lyricist than I am a songwriter, a musician. And I really love what you play, I wonder if you could make me a melody and we could sort of work together on this.'”

Ultimately, Williams is hoping that people’s Daisie profiles becomes an “online résumé or portfolio of work that they’re really proud of, that can be shown to the world.” And that, in turn, could help them find paying work, ideally on their own terms.

“We want to basically give the power back to the creator,” Williams said. “Instead of them having to market themselves to fit someone else’s idea of what their job would be, they can let their art speak for themselves.”

Former Viki CEO Tammy Nam joins PicsArt as its first COO

PicsArt, the company behind the photo-editing app of the same name, has hired Tammy Nam as its first chief operating officer.

Nam was most recently the CEO of Viki, the Rakuten-acquired video streaming service, and before that served as a marketing executive at Viki, Scribd and Slide.

PicsArt said Nam will report to founder and CEO Hovhannes Avoyan, and that she will oversee all aspects of the business except for product and engineering.

“PicsArt has grown organically so far, but our next big opportunity is in directing this growth through the right market development, community engagement and revenue channels,” Avoyan said in the announcement. “In addition to her proven operational experience in both consumer advertising and subscription-based businesses, Tammy adds deep bench strength in market, brand and community development — areas that will be critical for us moving forward.”

The company announced last year that it’s reaching 100 million monthly active users. Nam told me she was particularly impressed that it achieved that growth without significant marketing spend.

“I understand what it takes to grow quickly, but also thoughtfully,” she said. “Because of my background, the CEO and the board felt like I would be a great match to [help PicsArt] reach the next 200 million, the next 500 million users.”

Asked what thoughtful growth looks like for PicsArt, Nam said it means not just growing at any cost, but also considering things like revenue and the different communities using the app. She said she’s trying to examine the company’s structure to ensure it can “maximize efficiencies towards these big goals.”

“It will continue to grow organically, but the branding, the user development will definitely evolve,” she added. “There’s a sea of companies that play in our space … How do you stand out? And how do you stay relevant?”

Nam also said that she’ll be looking at PicsArt’s opportunities for international growth. Not that the company has been neglecting the world beyond the United States — China is its fastest-growing market and already one of its top countries for revenue. (The company says it recently became profitable following the launch of its PicsArt Gold subscription.)

Nam suggested that PicsArt can move into new markets without competing with the dominant social media platforms, because it’s “agnostic” in terms of where users publish their edited photos.

“It’s completely lowered the barrier,” she said. “It used to be you had to know Photoshop. Now it’s so easy to create professional-looking photos, images and soon animations, videos, etc. Everyone is a creator.”

Here’s what Facebook employees were saying about Holocaust denial … in 2009

Mark Zuckerberg has been in hot water this week thanks to comments he made during an interview with Kara Swisher about the kinds of content that should and shouldn’t be removed from the platform.

Zuckerberg brought up Holocaust deniers as an example, saying he found them “deeply offensive,” then added, “But at the end of the day, I don’t believe that our platform should take that down because I think there are things that different people get wrong.” (In a follow-up email, Zuckerberg repeated that he found Holocaust denial to be “deeply offensive” and said, “I absolutely didn’t intend to defend the intent of people who deny that.”)

In light of the ensuing controversy, it seems worth bringing up some old posts by TechCrunch founder Michael Arrington — from all the way back in 2009, when Arrington highlighted an effort by Brian Cuban to get Holocaust denial groups removed from the social network.

Those posts drew comments from a number of Facebook employees, including Adam Mosseri, who’s currently the VP of product management in charge of the Facebook News Feed, and Andrew Bosworth, who took over the company’s hardware efforts last year.

We’re exhuming these old comments not as a “gotcha!” moment, but simply as a reminder that this is a longstanding debate, one in which senior Facebook figures (some of whom took pains to emphasize that they were speaking for themselves, not the company) have articulated a pretty consistent position. Here’s Mosseri, for example:

I don’t understand how one can rationalize censorship, no matter how wrong or evil the message. It’s not the place of government, news media or communication platforms to tell anyone what they can or cannot say.

And here’s Bosworth:

Yelling fire in a crowded building isn’t protected (legally or morally) because it directly infringes on the physical safety of others, something they have a right to in our moral judgement. I think it is pretty clear that these groups pose no such imminent threat. They are distasteful and ignorant to all of us, but they should not be shut down unless they pose a credible threat to the physical safety of others, such as through threats of violence.

And here’s Ezra Callahan, who was then on the PR team:

You do not combat ignorance by trying to cover up that ignorance exists. You confront it head on. Facebook will do the world no good by trying to become its thought police.

There’s a lot more discussion in the original post.

Timehop admits that additional personal data was compromised in breach

Timehop is admitting that additional personal information was compromised in a data breach on July 4.

The company first acknowledged the breach on Sunday, saying that users’ names, email addresses and phone numbers had been compromised. Today it said it that additional information, including date of birth and gender, was also taken.

To understand what happened, and what Timehop is doing to fix things, I spoke to CEO Matt Raoul, COO Rick Webb and the security consultant that the company hired to manage its response. (The security consultant agreed to be interviewed on-the-record on the condition that they not be named.)

To be clear, Timehop isn’t saying that there was a separate breach of its data. Instead, the team has discovered that more data was taken in the already-announced incident.

Why didn’t they figure that out sooner? In an updated version of its report (which was also emailed to customers), the company put it simply: “Because we messed up.” It goes on:

In our enthusiasm to disclose all we knew, we quite simply made our announcement before we knew everything. With the benefit of staff who had been vacationing and unavailable during the first four days of the investigation, and a new senior engineering employee, as we examined the more comprehensive audit on Monday of the actual database tables that were stolen it became clear that there was more information in the tables than we had originally disclosed. This was precisely why we had stated repeatedly that the investigation was continuing and that we would update with more information as soon as it became available.

In both the email and my interviews, the Timehop team noted that the service does not have any financial information from users, nor does it perform the kinds of detailed behavioral tracking that you might expect from an ad-supported service. The team also emphasized that users’ “memories” — namely, the older social media posts that people use Timehop to rediscover — were not compromised.

How can they be sure, particularly since some of the compromised data was overlooked in the initial announcement? Well, the breach affected one specific database, while the memories are stored separately.

“That stuff is what we cared about, that stuff was protected,” Webb said. The challenge is, “We have to make a mental note to think about everything else.”

The breach occurred when someone accessed a database in Timehop’s cloud infrastructure that was not protected by two-factor authentication, though Raoul insisted that the company was already using two-factor quite broadly — it’s just that this “fell through the cracks.”

It’s also worth noting that while 21 million accounts were affected, Timehop had varying amounts of data about different users. For example, it says that 18.6 million email addresses were compromised (down from the “up to 21 million” addresses first reported), compared to 15.5 million dates of birth. In total, the company says 3.3 million records were compromised that included names, email addresses, phone numbers and DOBs.

None of those things may seem terribly sensitive (anyone with a copy of my business card and access to Google could probably get that information about me), but the security consultant acknowledged that in the “very, very small percentage” of cases where the records included full names, email addresses, phone numbers and DOBs, “identity theft becomes more likely,” and he suggested that users take standard steps to protect themselves, including password-protecting their phones.

Meanwhile, the company says that it worked with the social media platforms to detect activity that used the compromised authorization tokens, and it has not found anything suspicious. At this point, all of the tokens have been deauthorized (requiring users to re-authorize all of their accounts), so it shouldn’t be an ongoing issue.

As for other steps Timehop is taking to prevent future breaches, the security consultant told me the company is already in the process of ensuring that two-factor authentication is adopted across the board and encrypting its databases, as well as improving the process of deploying code to address security issues.

In addition, the company has shared the IP addresses used in the attack with law enforcement, and it will be sharing its “indicators of compromise” with partners in the security community.

Everyone acknowledged that Timehop made real mistakes, both in its security and in the initial communication with customers. (As the consultant put it, “They made a schoolboy mistake by not doing two-factor authentication.”) However, they also suggested that their response was guided, in part, by the accelerated disclosure timeline required by Europe’s GDPR regulations.

The security consultant told me, “We haven’t had the time fine-toothed comb kinds of things we normally want to do,” like an in-depth forensic analysis. Those things will happen, he said — but thanks to GDPR, the company needed to make the announcement before it had all the information.

And overall, the consultant said he’s been impressed by Timehop’s response.

“I think it really says a lot to their integrity that they decided to go fully public the second they knew it was a breach,” he said. “I want to point out these guys responded within 24 hours with a full-on incident response and secured their environments. That’s better than so many companies.”