Month: February 2020

UK startup Babylon Health pulled app data on a critical user in order to create a press release in which it publicly attacks the UK doctor who has spent years raising patient safety concerns about the symptom triage chatbot service.

In the press release released late Monday Babylon refers to Dr David Watkins — via his Twitter handle — as a “troll” and claims he’s “targeted members of our staff, partners, clients, regulators and journalists and tweeted defamatory content about us”.

It also writes that Watkins has clocked up “hundreds of hours” and 2,400 tests of its service in a bid to discredit his safety concerns — saying he’s raised “fewer than 100 test results which he considered concerning”.

Babylon’s PR also claims that only in 20 instances did Watkins find “genuine errors in our AI”, whereas other instances are couched as ‘misrepresentations’ or “mistakes”, per an unnamed “panel of senior clinicians” which the startup’s PR says “investigated and re-validated every single one” — suggesting the error rate Watkins identified was just 0.8%.

Screengrab from Babylon’s press release which refers to to Dr Watkins’ “Twitter troll tests”

Responding to the attack in a telephone interview with TechCrunch Watkins described Babylon’s claims as “absolute nonsense” — saying, for example, he has not carried out anywhere near 2,400 tests of its service. “There are certainly not 2,400 completed triage assessments,” he told us. “Absolutely not.”

Asked how many tests he thinks he did complete Watkins suggested it’s likely to be between 800 and 900 full runs through “complete triages” (some of which, he points out, would have been repeat tests to see if the company had fixed issues he’d previously noticed).

He said he identified issues in about one in two or one in three instances of testing the bot — though in 2018 says he was finding far more problems, claiming it was “one in one” at that stage for an earlier version of the app.

Watkins suggests that to get to the 2,400 figure Babylon is likely counting instances where he was unable to complete a full triage because the service was lagging or glitchy. “They’ve manipulated data to try and discredit someone raising patient safety concerns,” he said.

“I obviously test in a fashion which is [that] I know what I’m looking for — because I’ve done this for the past three years and I’m looking for the same issues which I’ve flagged before to see have they fixed them. So trying to suggest that my testing is actually any indication of the chatbot is absurd in itself,” he added.

In another pointed attack Babylon writes Watkins has “posted over 6,000 misleading attacks” — without specifying exactly what kind of attacks it’s referring to (or where they’ve been posted).

Watkins told us he hasn’t even tweeted 6,000 times in total since joining Twitter four years ago — though he has spent three years using the platform to raise concerns about diagnosis issues with Babylon’s chatbot.

Such as this series of tweets where he shows a triage for a female patient failing to pick up a potential heart attack.

Watkins told us he has no idea what the 6,000 figure refers to, and accuses Babylon of having a culture of “trying to silence criticism” rather than engage with genuine clinician concerns.

“Not once have Babylon actually approached me and said ‘hey Dr Murphy — or Dr Watkins — what you’ve tweeted there is misleading’,” he added. “Not once.”

Instead, he said the startup has consistently taken a “dismissive approach” to the safety concerns he’s raised. “My overall concern with the way that they’ve approached this is that yet again they have taken a dismissive approach to criticism and again tried to smear and discredit the person raising concerns,” he said.

Watkins, a consultant oncologist at The Royal Marsden NHS Foundation Trust — who has for several years gone by the online (Twitter) moniker of @DrMurphy11, tweeting videos of Babylon’s chatbot triage he says illustrate the bot failing to correctly identify patient presentations — made his identity public on Monday when he attended a debate at the Royal Society of Medicine.

There he gave a presentation calling for less hype and more independent verification of claims being made by Babylon as such digital systems continue elbowing their way into the healthcare space.

In the case of Babylon, the app has a major cheerleader in the current UK Secretary of State for health, Matt Hancock, who has revealed he’s a personal user of the app.

Simultaneously Hancock is pushing the National Health Service to overhaul its infrastructure to enable the plugging in of “healthtech” apps and services. So you can spot the political synergies.

Watkins argues the sector needs more of a focus on robust evidence gathering and independent testing vs mindless ministerial support and partnership ‘endorsements’ as a stand in for due diligence.

He points to the example of Theranos — the disgraced blood testing startup whose co-founder is now facing charges of fraud — saying this should provide a major red flag of the need for independent testing of ‘novel’ health product claims.

“[Over hyping of products] is a tech industry issue which unfortunately seems to have infected healthcare in a couple of situations,” he told us, referring to the startup ‘fake it til you make it’ playbook of hype marketing and scaling without waiting for external verification of heavily marketed claims.

In the case of Babylon, he argues the company has failed to back up puffy marketing with evidence of the sort of extensive clinical testing and validation which he says should be necessary for a health app that’s out in the wild being used by patients. (References to academic studies have not been stood up by providing outsiders with access to data so they can verify its claims, he also says.)

“They’ve got backing from all these people — the founders of Google DeepMind, Bupa, Samsung, Tencent, the Saudis have given them hundreds of millions and they’re a billion dollar company. They’ve got the backing of Matt Hancock. Got a deal with Wolverhampton. It all looks trustworthy,” Watkins went on. “But there is no basis for that trustworthiness. You’re basing the trustworthiness on the ability of a company to partner. And you’re making the assumption that those partners have undertaken due diligence.”

For its part Babylon claims the opposite — saying its app meets existing regulatory standards and pointing to high “patient satisfaction ratings” and a lack of reported harm by users as evidence of safety, writing in the same PR in which it lays into Watkins:

Our track record speaks for itself: our AI has been used millions of times, and not one single patient has reported any harm (a far better safety record than any other health consultation in the world). Our technology meets robust regulatory standards across five different countries, and has been validated as a safe service by the NHS on ten different occasions. In fact, when the NHS reviewed our symptom checker, Healthcheck and clinical portal, they said our method for validating them “has been completed using a robust assessment methodology to a high standard.” Patient satisfaction ratings see over 85% of our patients giving us 5 stars (and 94% giving five and four stars), and the Care Quality Commission recently rated us “Outstanding” for our leadership.

But proposing to judge the efficacy of a health-related service by a patient’s ability to complain if something goes wrong seems, at the very least, an unorthodox approach — flipping the Hippocratic oath principle of ‘first do no harm’ on its head. (Plus, speaking theoretically, someone who’s dead would literally be unable to complain — which could plug a rather large loophole in any ‘safety bar’ being claimed via such an assessment methodology.)

On the regulatory point, Watkins argues that the current UK regime is not set up to respond intelligently to a development like AI chatbots and lacks strong enforcement in this new category.

Complaints he’s filed with the MHRA (Medical and Healthcare products Regulatory Agency) have resulted in it asking Babylon to work on issues, with little or no follow up, he says.

While he notes that confidentiality clauses limit what can be disclosed by the regulator.

All of that might look like a plum opportunity for a certain kind of startup ‘disruptor’, of course.

And Babylon’s app is one of several now applying AI type technologies as a diagnostic aid in chatbot form, across several global markets. Users are typically asked to respond to questions about their symptoms and at the end of the triage process get information on what might be a possible cause. Though Babylon’s PR materials are careful to include a footnote where it caveats that its AI tools “do not provide a medical diagnosis, nor are they a substitute for a doctor”.

Yet, says Watkins, if you read certain headlines and claims made for the company’s product in the media you might be forgiven for coming away with a very different impression — and it’s this level of hype that has him worried.

Other less hype-dispensing chatbots are available, he suggests — name-checking Berlin-based Ada Health as taking a more thoughtful approach on that front.

Asked whether there are specific tests he would like to see Babylon do to stand up its hype, Watkins told us: “The starting point is getting a technology which you feel is safe to actually be in the public domain.”

Notably, the European Commission is working on risk-based regulatory framework for AI applications — including for use-cases in sectors such as healthcare — which would require such systems to be “transparent, traceable and guarantee human oversight”, as well as to use unbiased data for training their AI models.

“Because of the hyperbolic claims that have been put out there previously about Babylon that’s where there’s a big issue. How do they now roll back and make this safe? You can do that by putting in certain warnings with regards to what this should be used for,” said Watkins, raising concerns about the wording used in the app. “Because it presents itself as giving patients diagnosis and it suggests what they should do for them to come out with this disclaimer saying this isn’t giving you any healthcare information, it’s just information — it doesn’t make sense. I don’t know what a patient’s meant to think of that.”

Babylon always present themselves as very patient-facing, very patient-focused, we listen to patients, we hear their feedback. If I was a patient and I’ve got a chatbot telling me what to do and giving me a suggested diagnosis — at the same time it’s telling me ‘ignore this, don’t use it’ — what is it?” he added. “What’s its purpose?

“There are other chatbots which I think have defined that far more clearly — where they are very clear in their intent saying we’re not here to provide you with healthcare advice; we will provide you with information which you can take to your healthcare provider to allow you to have a more informed decision discussion with them. And when you put it in that context, as a patient I think that makes perfect sense. This machine is going to give me information so I can have a more informed discussion with my doctor. Fantastic. So there’s simple things which they just haven’t done. And it drives me nuts. I’m an oncologist — it shouldn’t be me doing this.”

Watkins suggested Babylon’s response to his raising “good faith” patient safety concerns is symptomatic of a deeper malaise within the culture of the company. It has also had a negative impact on him — making him into a target for parts of the rightwing media.

“What they have done, although it may not be users’ health data, they have attempted to utilize data to intimidate an identifiable individual,” he said of the company’s attack him. “As a consequence of them having this threatening approach and attempting to intimidate other parties have though let’s bundle in and attack this guy. So it’s that which is the harm which comes from it. They’ve singled out an individual as someone to attack.”

“I’m concerned that there’s clinicians in that company who, if they see this happening, they’re not going to raise concerns — because you’ll just get discredited in the organization. And that’s really dangerous in healthcare,” Watkins added. “You have to be able to speak up when you see concerns because otherwise patients are at risk of harm and things don’t change. You have to learn from error when you see it. You can’t just carry on doing the same thing again and again and again.”

Others in the medical community have been quick to criticize Babylon for targeting Watkins in such a personal manner and for revealing details about his use of its (medical) service.

As one Twitter user, Sam Gallivan — also a doctor — put it: “Can other high frequency Babylon Health users look forward to having their medical queries broadcast in a press release?”

The act certainly raises questions about Babylon’s approach to sensitive health data, if it’s accessing patient information for the purpose of trying to steamroller informed criticism.

We’ve seen similarly ugly stuff in tech before, of course — such as when Uber kept a ‘god-view’ of its ride-hailing service and used it to keep tabs on critical journalists. In that case the misuse of platform data pointed to a toxic culture problem that Uber has had to spend subsequent years sweating to turn around (including changing its CEO).

Babylon’s selective data dump on Watkins is an illustrative example of a digital service’s ability to access and shape individual data at will — pointing to the underlining power asymmetries between these data-capturing technology platforms which are gaining increasing agency over our decisions and the users who only get highly mediated, hyper controlled access to the databases they help to feed.

Watkins, for example, told us he is no longer able to access his query history in the Babylon app — providing a screenshot of an error screen (below) that he says he now sees when he tries to access chat history in the app. He said he does not know why he is no longer able to access his historical usage information but says he was using it as a reference — to help with further testing (and no longer can).

If it’s a bug it’s a convenient one for Babylon PR…

We contacted Babylon to ask it to respond to criticism of its attack on Watkins. The company defended its use of his app data to generate the press release — arguing that the “volume” of queries he had run means the usual data protection rules don’t apply, and further claiming it had only shared “non-personal statistical data”, even though this was attached in the PR to his Twitter identity (and therefore, since Monday, to his real name).

In a statement the Babylon spokesperson told us:

If safety related claims are made about our technology, our medical professionals are required to look into these matters to ensure the accuracy and safety of our products. In the case of the recent use data that was shared publicly, it is clear given the volume of use that this was theoretical data (forming part of an accuracy test and experiment) rather than a genuine health concern from a patient. Given the use volume and the way data was presented publicly, we felt that we needed to address accuracy and use information to reassure our users.  The data shared by us was non-personal statistical data, and Babylon has complied with its data protection obligations throughout. Babylon does not publish genuine individualised user health data.

We also asked the UK’s data protection watchdog about the episode and Babylon making Watkins’ app usage public. The ICO told us: “People have the right to expect that organisations will handle their personal information responsibly and securely. If anyone is concerned about how their data has been handled, they can contact the ICO and we will look into the details.”

Babylon’s clinical innovation director, Dr Keith Grimes, attended the same Royal Society debate as Watkins this week — which was entitled Recent developments in AI and digital health 2020 and billed as a conference that will “cut through the hype around AI”.

So it looks to be no accident that their attack press release was timed to follow hard on the heels of a presentation it would have known (since at least last December) was coming that day — and in which Watkins argued where AI chatbots are concerned “validation is more important than valuation”.

Last summer Babylon announced a $550M Series C raise, at a $2BN+ valuation.

Investors in the company include Saudi Arabia’s Public Investment Fund, an unnamed U.S.-based health insurance company, Munich Re’s ERGO Fund, Kinnevik, Vostok New Ventures and DeepMind co-founder Demis Hassabis, to name a few helping to fund its marketing.

“They came with a narrative,” said Watkins of Babylon’s message to the Royal Society. “The debate wasn’t particularly instructive or constructive. And I say that purely because Babylon came with a narrative and they were going to stick to that. The narrative was to avoid any discussion about any safety concerns or the fact that there were problems and just describe it as safe.”

The clinician’s counter message to the event was to pose a question EU policymakers are just starting to consider — calling for the AI maker to show data-sets that stand up its safety claims.

Checkout.com, the quiet London-based payment platform, has acquired its first startup, ProcessOut. Checkout.com surprised everyone last year when it announced a gigantic $230 million Series A round. It turns out the payment processing boom is not over yet.

Checkout.com focuses on enterprise clients with customers all around the world. It provides a full-stack payment service, from accepting transactions, processing them and detecting fraud. It helps you with reconciliation thanks to an API and a reporting hub.

The startup is particularly efficient when it comes to supporting multiple currencies and payment methods. You can accept payments in over 150 different currencies. Checkout.com supports debit and credit cards, Apple Pay, Google Pay, local payment methods, such as Klarna, iDEAL and Giropay, e-wallets, such as PayPal and Alipay.

ProcessOut is a French startup that realized e-commerce companies have been leaving money on the table by relying on a single payment provider. The company built a smart routing checkout module that works with dozens of payment providers.

When you enter your card number, ProcessOut can select the best payment provider when it comes to fees and acceptance rate. For instance, a local payment provider can be a lot cheaper than Stripe, but transactions get declined a lot more often. The startup can figure out whether a transaction will go through before selecting an obscure payment provider.

The company then shows you dashboards so that you can visualize payment data in a single location. You can generate report and match transactions on your bank account with transactions on different payment providers.

That combination of data visualization and smart routing helped them score some big clients, such as Glovo, Veepee, Rakuten.fr and Dashlane. In 2019, ProcessOut have tracked 10% of online transactions in France. Transactions representing $20 billion have been analyzed by ProcessOut over the past 12 months.

With today’s acquisition, ProcessOut’s team of 14 employees are joining Checkout.com’s team of 600 employees. Checkout.com isn’t disclosing the terms of the transaction. Checkout.com is getting a ton of insights on different payment providers. It can learn from ProcessOut’s technology to optimize its internal payment workflows as well.

Let’s talk about money. More specifically, let’s talk about how much things cost. A few years back, the price of flagship smartphones leapt above the $1,000 threshold, owing largely to the cost of screen technology. It’s a tough calculus, but that’s the price of innovation.

The rising cost of smartphones is largely regarded as a major contributing factor to flagging smartphone sales. Phones have gotten better and last longer, and with four-digit prices, users are far less compelled to upgrade every two years or so.

Samsung knows this as well as anyone. Along with its usual array of budget phones, the company’s gone to great lengths to offer “budget flagships,” a relatively new category that aims to find the sweet spot between high-end features and less-impressive components, first through the S10e and now its new lite devices.

The Galaxy S20 Ultra is decidedly not that. It’s a picture of smartphone opulence in an era of declining smartphone sales. It’s yet another new tier in the company’s ballooning flagship smartphone line(s) designed to reestablish Samsung’s place in the bleeding edge of mobile technologies, while appealing to those with a little extra money to spend in order to future-proof their devices.

“A little more” here being defined as starting at $1,399. Or $1,599, if you’re, say, feeling extra flush after your tax returns and looking to upgrade to 512GB from the default 128GB. As for what top of the line means these days, that, too, has changed. Samsung was ahead of the curve by introducing multiple 5G phones last year. At the time, the handsets were, understandably, confined to the top tier, due to both cost of hardware and the general lack of global coverage.

For 2020, it’s 5G across the board, on all S20 models, so the kitchen sink Ultra needs to find ways to further set itself apart from the S20+. There are a few keys areas in which the Ultra sets itself apart. First and most immediate is size. Along with increased prices, the other thing you can count on, like clockwork, is bigger displays. The good news is that Samsung’s hardware advances have kept the footprint roughly the size of the last generation of devices.

Samsung continues to impress on that front, this time sneaking a roomy 6.9-inch display into a 166.9 x 76 x 8.8 mm; compare that to the 162.6 x 77.1 x 7.9 mm on the 6.7-inch S10 5G. The thick profile is almost certainly due to a larger battery. The 4,500 mAh found on last year’s device and this year’s S20+ is upgraded to a beefy 5,000 mAh.

Samsung remains conservative with its own expected battery life, owing to power-hungry features like the big AMOLED with a 120Hz refresh rate and the 5G radio. The company rates the phone as “all-day battery.” It’s a pretty nebulous phrase, all things considered. I suspect there’s still research to be done on the adverse impact of next-gen radios on battery life. With the default settings on (and little to no 5G, owing at least somewhat to some network issues), I found I got about 28 total hours on a charge.

That certainly qualifies for the “all-day” mark, even if it’s a bit disappointing given the massive battery size. But it should definitely get you through a day and then some, with no issues. The other good news on that front is super-fast charging if you use the included wall adapter. I was able to go from zero to fully charged in just under a minute.

The design language is pretty much identical on all three S20s, and honestly, largely unchanged from last year’s model, though Samsung has moved to a hole-punch camera (a generous 40 megapixels for selfies) up front. Flip it around and the biggest difference is immediately apparent. The camera module on the Ultra is, well, ultra. There are four cameras back there, in a lip that occupies about a sixth of the phone’s total surface area.

The S20+’s more than adequate 12MP, 64MP telephoto, 12MP ultra wide and time of flight sensor have been bumped up to a 108MP main, 48MP 10x telephoto, 12MP ultra wide and time of flight. The ToF, mind you, is absent on the plain-old S20, bringing an added sense of depth for bokeh effects and fun tricks like 3D scanning. One also gets the sense that Samsung is very much laying the groundwork for an even stronger play in the AR world, extending beyond the current selection of AR emoji. Though, as with the rest of the industry, mainstream implementation is still slow going.

The biggest thing here — both figuratively and literally — is the telephoto. The camera features a folded telephoto, which is essentially turned on its side to fit the form factor. The camera is capable of a solid 10x hybrid zoom. Using a combination of the hardware and software, the company is able to achieve the 100x “Space Zoom,” versus the other models’ 30x max. It’s impressive all around, but important to note that the claims of “losslessness” only extend to 10x.

Beyond that, things start to degrade. And honestly, by the time you get to 100x, things start looking like a digital Monet painting. You can generally make out the objects, but in most cases, it’s probably not something you’re going to rush out to share on Instagram. For things like nosebleed seats at concerts or sporting events, however, sometimes it’s just enough to remember you’re there.

Honestly, though, I think Samsung is laying the groundwork for future updates, as it is with the ToF sensor. It’s easy to imagine how a 100x zoom coupled with some future imaging AI could lead to some pretty impressive telephoto shots, without the need for an external, optical lens. For now, however, it feels like more of a novelty. Honestly, a number of the upgrades over the S20+ feel a bit like excesses, and none but true devotees need to go all in with the Ultra.

My only momentary hesitation in recommending one of the lower-tier devices over the Ultra are questions of what happens to battery life when you dip below 5,000 mAh. The 120Hz screen is great for things like gaming, but for most users, I’d recommended keeping it off most of the time. That should buy you an extra couple of hours of life, switching to 120Hz when needed and back to 60 the rest of the time.

Ditto for the 108-megapixel camera. For most photos it makes sense to utilize pixel binning, which makes for a small 12-megapixel shot, but allows for a lot more light to be let in on a per pixel basis. Photo are brighter and sharper and the phone does better in low light. Also, the image isn’t gigantic — I forgot to swap the setting for a few photos and didn’t realize how massive they were until I sent them.

The best new photo feature, however, isn’t hardware at all. I’ve long posited that the key to a good imaging feature is simplicity. Cameras keep getting better and offer more features for those who want to shoot more professional photos on their mobile devices. That’s great, and if you’re Google, it means that the legendary Annie Leibovitz will show up to your launch event and sing your device’s praises.

But unless something works out of the box, it’s going to be of little use to a majority of consumers. Single Take is a clever addition to default camera settings that takes a whole bunch of different types of photos at once (provided you can stand still for 10 seconds). You get Live Focus, Timelapse and Ultra-Wide all at once. The camera saves everything to the roll, where you can choose the best image. It’s a larger file, but not huge in the grand scheme of things. For those who don’t want to be a digital hoarder, you can always just go in and manually delete them.

The biggest updates to the S20 line feel like future-proofing. Elements like like 5G, 100x zoom and 8K video record don’t always make a ton of sense as of this writing, but much of Samsung’s biggest plays have been centered around getting out in front of the curve. With 5G, for example, there are still coverage barriers, but with users holding onto their handsets for longer, it’s almost certain that the next-gen wireless technology will be ubiquitous before the time comes for many users to upgrade.

In its current state, however, charging $1,399 and up for the Ultra is a pretty hard ask. Thankfully, however, Samsung has more than enough options for users looking for something a little cheaper. It’s a list that now includes the S10 Lite line and newly discounted standard S10 devices. Features like 100x, on the other hand, are novel, but it’s hard to justify the premium.

Stocks slumped and bond prices soared for the second day in a row as fears spread that the widening virus outbreak will put the brakes on the global economy. The losses came a day after the market’s biggest drop in two years. Investors plowed money into bonds, sending the yield on the 10-year Treasury to a record low. Mastercard joined a growing list of companies warning that the outbreak would hurt its finances. The Dow Jones Industrial Average fell 878 points, or 3.1%, to 27,081. The S&P 500 fell 97 points, or 3%, to 3,128. The Nasdaq lost 255 points, or 2.8%, to 8,965.

THIS IS A BREAKING NEWS UPDATE. AP’s earlier story follows below:

Stocks slumped again on Wall Street Tuesday, piling on losses a day after the market’s biggest drop in two years as fears spread that the growing virus outbreak will put the brakes on the global economy.

Nervous investors snapped up low-risk U.S. government bonds, sending the yield on the 10-year Treasury note to a record low.

The latest wave of selling came as more companies, including United Airlines and Mastercard, warned that the outbreak will hurt their finances, and more cases were reported in Europe and the Middle East, far outside the epicenter in China. Meanwhile, U.S. health officials called on Americans to be prepared for the disease to spread in the United States.

“It’s not so much a question of if this will happen anymore, but rather more a question of exactly when this will happen – and how many people in this country will have severe illness,” Dr. Nancy Messonnier of the Centers for Disease Control and Prevention said in a call with reporters.

Travel-related stocks took another drubbing, bringing the two-day loss for American Airlines to 16.8%.

The worst-case scenario for investors hasn’t changed in the last few weeks — where the virus spreads around the world and cripples supply chains and the global economy — but the probability of it happening has risen, said Yung-Yu Ma, chief investment strategist at BMO Wealth Management.

“It’s the combination of South Korea, Japan, Italy and even Iran” reporting virus cases, Ma said. “That really woke up the market, that these four places in different places around the globe can go from low concern to high concern in a matter of days and that we could potentially wake up a week from now and it could be five to 10 additional places.”

The S&P 500 index fell 3.1% as of 3:32 p.m. Eastern time. The benchmark index was on track for its worst four-day losing streak since the end of 2018.

The Dow Jones Industrial Average sank 896 points, or 3.2%, to 27,064. The Nasdaq fell 2.7%,erasingits gains for the year. The Russell 200 index of smaller company stocks dropped 2.9%.

European markets also fell. The Euro Stoxx index lost 2.1%. Markets in Asia were mixed.

Monday’s sell-off sent the Dow more than 1,000 points lower and wiped out its gains for the year. The S&P 500 is now down 7.7% from its record high set last Wednesday and isalso in the red for 2019.

Technology stocks, which rely heavily on China for both sales and supply chains, once again led the decline. Apple dropped 3.3% and chipmaker Nvidia fell 4.7%.

Bond prices continued rising. The yield on the 10-year Treasury fell as low as 1.31%, a record,according to TradeWeb, before recovering somewhat to 1.32% in the afternoon. That’s down from 1.37% late Monday and far below the 1.90% it traded at in early 2020.

The lower bond yields, which force interest rates lower on mortgages and other loans,weighed on banks. JPMorgan Chase slid 4.5% and Bank of America fell 5.3%.

Energy companies fell as crude oil prices headed lower. Real estate companies and utilities also declined, though they held up better than the rest of the market as investors favored safe-play stocks.

The viral outbreak that originated in China has now infected more than 80,000 people globally, with more cases being reported in Europe and the Middle East. The majority of cases and deaths remain centered in China, but the rapid spread to other parts of the world has spooked markets and raised fears that it will hurt the global economy.

United Airlines tumbled 6% after withdrawing its financial forecasts for the year because of the impact on demand for air travel. Mastercard dropped 6.6% after saying the impact on cross-border travel and business could cut into its revenue, depending on the duration and severity of the virus outbreak.

Moderna surged 31.4% after the company sent its potential virus vaccine to government researchers for additional testing. The biotechnology company is one several drug developers racing to develop vaccine.

The S&P 500 is on track for its first four-day losing streak since early August. One measure of fear in the market, which shows how much traders are paying to protect themselves from future swings for the S&P 500, touched its highest level since the start of 2019, when stocks were tumbling on worries about a possible recession.

The chief risk is that the stock market was already “priced to perfection,” or something close to it, before the virus worries exploded, according to Brian Nick, chief investment officer at Nuveen.

After getting the benefit of three interest-rate cuts from the Federal Reserve last year and the consummation of a “Phase 1” U.S.-China trade deal, investors were willing to pay high prices for stocks on the expectation that profits would grow in the future. The S&P 500 was recently trading at its most expensive level, relative to its expected earnings per share, since the dot-com bubble was deflating in 2002, according to FactSet.

If profit growth doesn’t ramp up this year, that makes a highly priced stock market even more vulnerable. After a growing number of companies have cut or withdrawn their revenue and profit forecasts for the year, analysts have slashed their expectations for S&P 500 earnings growth to 7.9% for this year, down from expectations of 9.6% at the start of 2020, according to FactSet.

___

AP Business writer Damian J. Troiseand AP Medical Writer Mike Stobbe contributed.

A significant majority of Americans have lost faith in tech companies’ ability to prevent the misuse of their platforms to influence the 2020 presidential election, according to a new study from Pew Research Center, released today. The study found that nearly three-quarters of Americans (74%) don’t believe platforms like Facebook, Twitter and Google will be able to prevent election interference. What’s more, this sentiment is felt by both political parties evenly.

Pew says that nearly identical shares of Republicans and Republican-leaning independents (76%) and Democrats and Democrat-leaning independents (74%) have little or no confidence in technology companies’ ability to prevent their platforms’ misuse with regard to election interference.

And yet, 78% of Americans believe it’s tech companies’ job to do so. Slightly more Democrats (81%) took this position, compared with Republicans (75%).

While Americans had similar negative feelings about platforms’ misuse ahead of the 2018 midterm elections, their lack of confidence has gotten even worse over the past year. As of January 2020, 74% of Americans report having little confidence in the tech companies, compared with 66% back in September 2018. For Democrats, the decline in trust is even greater, with 74% today feeling “not too” confident or “not at all” confident, compared with 62% in September 2018. Republican sentiment has declined somewhat during this same time, as well, with 72% expressing a lack of confidence in 2018, compared with 76% today.

Even among those who believe the tech companies are capable of handling election interference, very few (5%) of Americans feel “very” confident in their capabilities. Most of the optimists see the challenge as difficult and complex, with 20% saying they feel only “somewhat” confident.

Across age groups, both the lack of confidence in tech companies and a desire for accountability increase with age. For example, 31% of those 18 to 29 feel at least somewhat confident in tech companies’ abilities, versus just 20% of those 65 and older. Similarly, 74% of youngest adults believe the companies should be responsible for platform misuse, compared with 88% of the 65-and-up crowd.

Given the increased negativity felt across the board on both sides of the aisle, it would have been interesting to see Pew update its 2018 survey that looked at other areas of concern Republicans and Democrats had with tech platforms. The older study found that Republicans were more likely to feel social media platforms favored liberal views while Democrats were more heavily in favor of regulation and restricting false information.

Issues around election interference aren’t just limited to the U.S., of course. But news of Russia’s meddling in U.S. politics in particular — which involved every major social media platform — has helped to shape Americans’ poor opinion of tech companies and their ability to prevent misuse. The problem continues today, as Russia is being called out again for trying to intervene in the 2020 elections, according to several reports. At present, Russia’s focus is on aiding Sen. Bernie Sanders’ campaign in order to interfere with the Democratic primary, the reports said.

Meanwhile, many of the same vulnerabilities that Russia exploited during the 2016 elections remain, including the platforms’ ability to quickly spread fake news, for example. Russia is also working around blocks the tech companies have erected in an attempt to keep Russian meddling at bay. One report from The NYT said Russian hackers and trolls were now better at covering their tracks and were even paying Americans to set up Facebook pages to get around Facebook’s ban on foreigners buying political ads.

Pew’s report doesn’t get into any details as to why Americans have lost so much trust in tech companies since the last election, but it’s likely more than just the fallout from election interference alone. Five years ago, tech companies were viewed largely as having a positive impact on the U.S., Pew had once reported. But Americans no longer feel as they did, and now only around half of U.S. adults believe the companies are having a positive impact.

More Americans are becoming aware of how easily these massive platforms can be exploited and how serious the ramifications of those exploits have become across a number of areas, including personal privacy. It’s not surprising then that user sentiment around how well tech companies are capable of preventing election interference has declined, too, along with all the rest.

A Juul patent suggests a product that would help people quit nicotine through machine learning technology.

Photo by Matt Dunham – WPA Pool/Getty Images

The internet is a place where everyone meets everyone else. It is the site of a billion different micro- and macro-cultures; it is a space where you can find out anything you want, provided humans have come up with it; it is a weirdly temporary repository of our species’s history, which will end when the server lights finally wink off.

In historical terms, it’s also very new. The World Wide Web debuted to the general public in August 1991, only 29 short years ago. And because it was a new technology, a kind of public square that felt novel and transformative, things felt lawless, and people began to behave lawlessly, as though the web was a place beyond pro-social norms. Today, that has changed somewhat, if only because now it’s easy…

Continue reading…

Just under a month ago Facebook switched on global availability of a tool which affords users a glimpse into the murky world of tracking that its business relies upon to profile users of the wider web for ad targeting purposes.

Facebook is not going boldly into transparent daylight — but rather offering what privacy rights advocacy group Privacy International has dubbed “a tiny sticking plaster on a much wider problem”.

The problem it’s referring to is the lack of active and informed consent for mass surveillance of Internet users via background tracking technologies embedded into apps and websites, including as people browse outside Facebook’s own content garden.

The dominant social platform is also only offering this feature in the wake of the 2018 Cambridge Analytica data misuse scandal, when Mark Zuckerberg faced awkward questions in Congress about the extent of Facebook’s general web tracking. Since then policymakers around the world have dialled up scrutiny of how its business operates — and realized there’s a troubling lack of transparency in and around adtech generally and Facebook specifically. 

Facebook’s tracking pixels and social plugins — aka the share/like buttons that pepper the mainstream web — have created a vast tracking infrastructure which silently informs the tech giant of Internet users’ activity, even when a person hasn’t interacted with any Facebook-branded buttons.

Facebook claims this is just ‘how the web works’. And other tech giants are similarly engaged in tracking Internet users (notably Google). But as a platform with 2.2BN+ users Facebook has got a march on the lion’s share of rivals when it comes to harvesting people’s data and building out a global database of person profiles.

It’s also positioned as a dominant player in an adtech ecosystem which means it’s the one being fed with intel by data brokers and publishers who deploy tracking tech to try to survive in such a skewed system.

Meanwhile the opacity of online tracking means the average Internet user is none the wiser that Facebook can be following what they’re browsing all over the Internet. Questions of consent loom very large indeed.

Facebook is also able to track people’s usage of third party apps if a person chooses a Facebook login option which the company encourages developers to implement in their apps — again the carrot being to be able to offer a lower friction choice vs requiring users create yet another login credential.

The price for this ‘convenience’ is data and user privacy as the Facebook login gives the tech giant a window into third part app usage.

The company has also used a VPN app it bought and badged as a security tool to glean data on third party app usage — though it’s recently stepped back from the Onavo app after a public backlash (though that did not stop it running a similar tracking program targeted at teens).

Background tracking is how Facebook’s creepy ads function (it prefers to call such behaviorally targeted ads ‘relevant’) — and how they have functioned for years

Yet it’s only in recent months that it’s offered users a glimpse into this network of online informers — by providing limited information about the entities that are passing tracking data to Facebook, as well as some limited controls.

From ‘Clear History’ to “Off-Facebook Activity”

Originally briefed in May 2018, at the crux of the Cambridge Analytica scandal, as a ‘Clear History’ option this has since been renamed ‘Off-Facebook Activity’ — a label so bloodless and devoid of ‘call to action’ that the average Facebook user, should they stumble upon it buried deep in unlovely settings menus, would more likely move along than feel moved to carry out a privacy purge.

(For the record you can access the setting here — but you do need to be logged into Facebook to do so.)

The other problem is that Facebook’s tool doesn’t actually let you purge your browsing history, it just delinks it from being associated with your Facebook ID. There is no option to actually clear your browsing history via its button. Another reason for the name switch. So, no, Facebook hasn’t built a clear history ‘button’.

“While we welcome the effort to offer more transparency to users by showing the companies from which Facebook is receiving personal data, the tool offers little way for users to take any action,” said Privacy International this week, criticizing Facebook for “not telling you everything”.

As the saying goes, a little knowledge can be a dangerous thing. So a little transparency implies — well — anything but clarity. And Privacy International sums up the Off-Facebook Activity tool with an apt oxymoron — describing it as “a new window to the opacity”.

“This tool illustrates just how impossible it is for users to prevent external data from being shared with Facebook,” it writes, warning with emphasis: “Without meaningful information about what data is collected and shared, and what are the ways for the user to opt-out from such collection, Off-Facebook activity is just another incomplete glimpse into Facebook’s opaque practices when it comes to tracking users and consolidating their profiles.”

It points out, for instance, that the information provided here is limited to a “simple name” — thereby preventing the user from “exercising their right to seek more information about how this data was collected”, which EU users at least are entitled to.

“As users we are entitled to know the name/contact details of companies that claim to have interacted with us. If the only thing we see, for example, is the random name of an artist we’ve never heard before (true story), how are we supposed to know whether it is their record label, agent, marketing company or even them personally targeting us with ads?” it adds.

Another criticism is Facebook is only providing limited information about each data transfer — with Privacy International noting some events are marked “under a cryptic CUSTOM” label; and that Facebook provides “no information regarding how the data was collected by the advertiser (Facebook SDK, tracking pixel, like button…) and on what device, leaving users in the dark regarding the circumstances under which this data collection took place”.

“Does Facebook really display everything they process/store about those events in the log/export?” queries privacy researcher Wolfie Christl, who tracks the adtech industry’s tracking techniques. “They have to, because otherwise they don’t fulfil their SAR [Subject Access Request] obligations [under EU law].”

Christl notes Facebook makes users jump through an additional “download” hoop in order to view data on tracked events — and even then, as Privacy International points out, it gives up only a limited view of what has actually been tracked…

“For example, why doesn’t Facebook list the specific sites/URLs visited? Do they infer data from the domains e.g. categories? If yes, why is this not in the logs?” Christl asks.

We reached out to Facebook with a number of questions, including why it doesn’t provide more detail by default. It responded with this statement attributed to spokesperson:

We offer a variety of tools to help people access their Facebook information, and we’ve designed these tools to comply with relevant laws, including GDPR. We disagree with this [Privacy International] article’s claims and would welcome the chance to discuss them with Privacy International.

Facebook also said it’s continuing to develop which information it surfaces through the Off-Facebook Activity tool — and said it welcomes feedback on this.

We also asked it about the legal bases it uses to process people’s information that’s been obtained via its tracking pixels and social plug-ins. It did not provide a response to those questions.

Six names, many questions…

When the company launched the Off-Facebook Activity tool a snap poll of available TechCrunch colleagues showed very diverse results for our respective tallies (which also may not show the most recent activity, per other Facebook caveats) — ranging from one colleague who had an eye-watering 1,117 entities (likely down to doing a lot of app testing); to several with several/a few hundred apiece; to a couple in the middle tens.

In my case I had just six. But from my point of view — as an EU citizen with a suite of rights related to privacy and data protection; and as someone who aims to practice good online privacy hygiene, including having a very locked down approach to using Facebook (never using its mobile app for instance) — it was still six too many. I wanted to find out how these entities had circumvented my attempts not to be tracked.

And in the case of the first one in the list who on earth it was…

Turns out cloudfront is an Amazon Web Services Content Delivery Network subdomain. But I had to go searching online myself to figure out that the owner of that particular domain is (now) a company called Nativo.

Facebook’s list provided only very bare bones information. I also clicked to delink the first entity, since it immediately looked so weird, and found that by doing that Facebook wiped all the entries — which meant I was unable to retain access to what little additional info it had provided about the respective data transfers.

Undeterred I set out to contact each of the six companies directly with questions — asking what data of mine they had transferred to Facebook and what legal basis they thought they had for processing my information.

(On a practical level six names looked like a sample size I could at least try to follow up manually — but remember I was the TechCrunch exception; imagine trying to request data from 1,117 companies, or 450 or even 57, which were the lengths of lists of some of my colleagues.)

This process took about a month and a lot of back and forth/chasing up. It likely only yielded as much info as it did because I was asking as a journalist; an average Internet user may have had a tougher time getting attention on their questions — though, under EU law, citizens have a right to request a copy of personal data held on them.

Eventually, I was able to obtain confirmation that tracking pixels and Facebook share buttons had been involved in my data being passed to Facebook in certain instances. Even so I remain in the dark on many things. Such as exactly what personal data Facebook received.

In one case I was told by a listed company that it doesn’t know itself what data was shared — only Facebook knows because it’s implemented the company’s “proprietary code”. (Insert your own ‘WTAF’ there.)

The legal side of these transfers also remains highly opaque. From my point of view I would not intentionally consent to any of this tracking — but in some instances the entities involved claim that (my) consent was (somehow) obtained (or implied).

In other cases they said they are relying on a legal basis in EU law that’s referred to as ‘legitimate interests’. However this requires a balancing test to be carried out to ensure a business use does not have a disproportionate impact on individual rights.

I wasn’t able to ascertain whether such tests had ever been carried out.

Meanwhile, since Facebook is also making use of the tracking information from its pixels and social plug ins (and seemingly more granular use, since some entities claimed they only get aggregate not individual data), Christl suggests it’s unlikely such a balancing test would be easy to pass for that tiny little ‘platform giant’ reason.

Notably he points out Facebook’s Business Tool terms state that it makes use of so called “event data” to “personalize features and content and to improve and secure the Facebook products” — including for “ads and recommendations”; for R&D purposes; and “to maintain the integrity of and to improve the Facebook Company Products”.

In a section of its legal terms covering the use of its pixels and SDKs Facebook also puts the onus on the entities implementing its tracking technologies to gain consent from users prior to doing so in relevant jurisdictions that “require informed consent” for tracking cookies and similar — giving the example of the EU.

“You must ensure, in a verifiable manner, that an end user provides the necessary consent before you use Facebook Business Tools to enable us to store and access cookies or other information on the end user’s device,” Facebook writes, pointing users of its tools to its Cookie Consent Guide for Sites and Apps for “suggestions on implementing consent mechanisms”.

Christl flags the contradiction between Facebook claiming users of its tracking tech needing to gain prior consent vs claims I was given by some of these entities that they don’t because they’re relying on ‘legitimate interests’.

“Using LI as a legal basis is even controversial if you use a data analytics company that reliably processes personal data strictly on behalf of you,” he argues. “I guess, industry lawyers try to argue for a broader applicability of LI, but in the case of FB business tools I don’t believe that the balancing test (a businesses legitimate interests vs. the impact on the rights and freedoms of data subjects) will work in favor of LI.”

Those entities relying on legitimate interests as a legal base for tracking would still need to offer a mechanism where users can object to the processing — and I couldn’t immediately see such a mechanism in the cases in question.

One thing is crystal clear: Facebook itself does not provide a mechanism for users to object to its processing of tracking data nor opt out of targeted ads. That remains a long-standing complaint against its business in the EU which data protection regulators are still investigating.

One more thing: Non-Facebook users continue to have no way of learning what data of theirs is being tracked and transferred to Facebook. Only Facebook users have access to the Off-Facebook Activity tool, for example. Non-users can’t even access a list.

Facebook has defended its practice of tracking non-users around the Internet as necessary for unspecified ‘security purposes’. It’s an inherently disproportionate argument of course. The practice also remains under legal challenge in the EU.

Tracking the trackers

SimpleReach (aka d8rk54i4mohrb.cloudfront.net)

What is it? A California-based analytics platform (now owned by Nativo) used by publishers and content marketers to measure how well their content/native ads performs on social media. The product began life in the early noughties as a simple tool for publishers to recommend similar content at the bottom of articles before the startup pivoted — aiming to become ‘the PageRank of social’ — offering analytics tools for publishers to track engagement around content in real-time across the social web (plugging into platform APIs). It also built statistical models to predict which pieces of content will be the most social and where, generating a proprietary per article score. SimpleReach was acquired by Nativo last year to complement analytics tools the latter already offered for tracking content on the publisher/brand’s own site.

Why did it appear in your Off-Facebook Activity list? Given it’s a b2b product it does not have a visible consumer brand of its own. And, to my knowledge, I have never visited its own website prior to investigating why it appeared in my Off-Facebook Activity list. Clearly, though, I must have visited a site (or sites) that are using its tracking/analytics tools. Of course an Internet user has no obvious way to know this — unless they’re actively using tools to monitor which trackers are tracking them.

In a further quirk, neither the SimpleReach (nor Nativo) brand names appeared in my Off-Facebook Activity list. Rather a domain name was listed — d8rk54i4mohrb.cloudfront.net — which looked at first glance weird/alarming.

I found this is owned by SimpleReach by using a tracker analytics service.

Once I knew the name I was able to connect the entry to Nativo — via news reports of the acquisition — which led me to an entity I could direct questions to.  

What happened when you asked them about this? There was a bit of back and forth and then they sent a detailed response to my questions in which they claim they do not share any data with Facebook — “or perform ‘off site activity’ as described on Facebook’s activity tool”.

They also suggested that their domain had appeared as a result of their tracking code being implemented on a website I had visited which had also implemented Facebook’s own trackers.

“Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page. It is possible that one of our customers added a Facebook pixel to an article you visited using our technology. This could lead Facebook to attribute this pixel to our domain, though our domain was merely a ‘carrier’ of the code,” they told me.

In terms of the data they collect, they said this: “The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months. These values are used to give our customers a general idea of the number of users that visited the articles tracked.”

So, again, they suggested the reason why their domain appeared in my Off-Facebook Activity list is a combination of Nativo/SimpleReach’s tracking technologies being implemented on a site where Facebook’s retargeting pixel is also embedded — which then resulted in data about my online activity being shared with Facebook (which Facebook then attributes as coming from SimpleReach’s domain).

Commenting on this, Christl agreed it sounds as if publishers “somehow attach Facebook pixel events to SimpleReach’s cloudfront domain”.

“SimpleReach probably doesn’t get data from this. But the question is 1) is SimpleReach perhaps actually responsible (if it happens in the context of their domain); 2) The Off-Facebook activity is a mess (if it contains events related to domains whose owners are not web or app publishers).”

Nativo offered to determine whether they hold any personal information associated with the unique identifier they have assigned to my browser if I could send them this ID. However I was unable to locate such an ID (see below).

In terms of legal base to process my information the company told me: “We have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.”

Nativo also suggested that the Offsite Activity in question might have predated its purchase of the SimpleReach technology — which occurred on March 20, 2019 — saying any activity prior to this would mean my query would need to be addressed directly with SimpleReach, Inc. which Nativo did not acquire. (However in this case the activity registered on the list was dated later than that.)

Here’s what they said on all that in full:

Thank you for submitting your data access request.  We understand that you are a resident of the European Union and are submitting this request pursuant to Article 15(1) of the GDPR.  Article 15(1) requires “data controllers” to respond to individuals’ requests for information about the processing of their personal data.  Although Article 15(1) does not apply to Nativo because we are not a data controller with respect to your data, we have provided information below that will help us in determining the appropriate Data Controllers, which you can contact directly.

First, for details about our role in processing personal data in connection with our SimpleReach product, please see the SimpleReach Privacy Policy.  As the policy explains in more detail, we provide marketing analytics services to other businesses – our customers.  To take advantage of our services, our customers install our technology on their websites, which enables us to collect certain information regarding individuals’ visits to our customers’ websites. We analyze the personal information that we obtain only at the direction of our customer, and only on that customer’s behalf.

SimpleReach is an analytics tracker tool (Similar to Google Analytics) implemented by our customers to inform them of the performance of their content published around the web.  “d8rk54i4mohrb.cloudfront.net” is the domain name of the servers that collect these metrics.  We do not share data with Facebook or perform “off site activity” as described on Facebook’s activity tool.  Our technology allows our Data Controllers to insert other tracking pixels or tags, using us as a tag manager that delivers code to the page.  It is possible that one of our customers added a Facebook pixel to an article you visited using our technology.  This could lead Facebook to attribute this pixel to our domain, though our domain was merely a “carrier” of the code.

The SimpleReach tool is implemented on articles posted by our customers and partners of our customers.  It is possible you visited a URL that has contained our tracking code.  It is also possible that the Offsite Activity you are referencing is activity by SimpleReach, Inc. before Nativo purchased the SimpleReach technology. Nativo, Inc. purchased certain technology from SimpleReach, Inc. on March 20, 2019, but we did not purchase the SimpleReach, Inc. entity itself, which remains a separate entity unaffiliated with Nativo, Inc. Accordingly, any activity that occurred before March 20, 2019 pre-dates Nativo’s use of the SimpleReach technology and should be addressed directly with SimpleReach, Inc. If, for example, TechCrunch was a publisher partner of SimpleReach, Inc. and had SimpleReach tracking code implemented on TechCrunch articles or across the TechCrunch website prior to March 20, 2019, any resulting data collection would have been conducted by SimpleReach, Inc., not by Nativo, Inc.

As mentioned above, our tracking script collects and sends information to our servers based on the articles it is implemented on. The only Personal Data that is collected by the SimpleReach Analytics tag is your IP Address and a randomly generated id.  Both of these values are processed, anonymized, and aggregated in the SimpleReach platform and not made available to anyone other than our sub-processors that are bound to process such data only on our behalf. Such values are permanently deleted from our system after 3 months.  These values are used to give our customers a general idea of the number of users that visited the articles tracked.

We do not, nor have we ever, shared ANY information with Facebook with regards to the information we collect from the SimpleReach Analytics tag, be it Personal Data or otherwise. However, as mentioned above, it is possible that one of our customers added a Facebook retargeting pixel to an article you visited using our technology. If that is the case, we would not have received any information collected from such pixel or have knowledge of whether, and to what extent, the customer shared information with Facebook. Without more information, we are unable to determine the specific customer (if any) on behalf of which we may have processed your personal information. However, if you send us the unique identifier we have assigned to your browser… we can determine whether we have any personal information associated with such browser on behalf of a customer controller, and, if we have, we can forward your request on to the controller to respond directly to your request.

As a Data Processor we have the right to process data in accordance with provisions set forth in the various Data Processor agreements we have in place with Data Controllers.  This type of agreement is designed to protect Data Subjects and ensure that Data Processors are held to the same standards that both the GDPR and the Data Controller have put forth.  This is the same type of agreement used by all other analytics tracking tools (as well as many other types of tools) such as Google Analytics, Adobe Analytics, Chartbeat, and many others.

I also asked Nativo to confirm whether Insider.com (see below) is a customer of Nativo/SimpleReach.

The company told me it could not disclose this “due to confidentiality restrictions” and would only reveal the identity of customers if “required by applicable law”.

Again, it said that if I provided the “unique identifier” assigned to my browser it would be “happy to pull a list of personal information the SimpleReach/Nativo systems currently have stored for your unique identifier (if any), including the appropriate Data Controllers”. (“If we have any personal data collected from you on behalf of Insider.com, it would come up in the list of DataControllers,” it suggested.)

I checked multiple browsers that I use on multiple devices but was unable to locate an ID attached to a SimpleReach cookie. So I also asked whether this might appear attached to any other cookie.

Their response:

Because our data is either pseudonymized or anonymized, and we do not record of any other pieces of Personal Data about you, it will not be possible for us to locate this data without the cookie value.  The SimpleReach user cookie is, and has always been, in the “__srui” cookie under the “.simplereach.com” domain or any of its sub-domains. If you are unable to locate a SimpleReach user cookie by this name on your browser, it may be because you are using a different device or because you have cleared your cookies (in which case we would no longer have the ability to map any personal data we have previously collected from you to your browser or device). We do have other cookies (under the domains postrelease.com, admin.nativo.com, and cloud.nativo.com) but those cookies would not be related to the appearance of SimpleReach in the list of Off Site Activity on your Facebook account, per your original inquiry.

What did you learn from their inclusion in the Off-Facebook Activity list? There appeared to be a correlation between this domain and a publisher, Insider.com, which also appeared in my Off-Facebook Activity list — as both logged events bear the same date; plus Insider.com is a publisher so would fall into the right customer category for using Nativo’s tool.

Given those correlations I was able to guess Insider.com is a customer of Nativo. (I confirmed this when I spoke to Insider.com) — so Facebook’s tool is able to leak relational inferences related to the tracking industry by surfacing/mapping business connections that might not have been otherwise evident.

Insider.com

What is it? A New York based business media company which owns brands such as Business Insider and Markets Insider

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a technology article that appeared in my Facebook News Feed or elsewhere but when I was logged into Facebook

What happened when you asked them about this? After about a week of radio silence an employee in Insider’com’s legal department got in touch to say they could discuss the issue on background.

This person told me the information in the Off-Facebook Activity tool came from the Facebook share button which is embedded on all articles it runs on its media websites. They confirmed that the share button can share data with Facebook regardless of whether the site visitor interacts with the button or not.

In my case I certainly would not have interacted with the Facebook share button. Nonetheless data was passed, simply by merit of loading the article page itself.

Insider.com said the Facebook share button widget is integrated into its sites using a standard set-up that Facebook intends publishers to use. If the share button is clicked information related to that action would be shared with Facebook and would also be received by Insider.com (though, in this scenario, it said it doesn’t get any personalized information — but rather gets aggregate data).

Facebook can also automatically collect other information when a user visits a webpage which incorporates its social plug-ins.

Asked whether Insider.com knows what information Facebook receives via this passive route the company told me it does not — noting the plug-in runs proprietary Facebook code. 

Asked how it’s collecting consent from users for their data to be shared passively with Facebook, Insider.com said its Privacy Policy stipulates users consent to sharing their information with Facebook and other social media sites. It also said it uses the legal ground known as legitimate interests to provide functionality and derive analytics on articles.

In the active case (of a user clicking to share an article) Insider.com said it interprets the user’s action as consent.

Insider.com confirmed it uses SimpleReach/Nativo analytics tools, meaning site visitor data is also being passed to Nativo when a user lands on an article. It said consent for this data-sharing is included within its consent management platform (it uses a CMP made by Forcepoint) which asks site visitors to specify their cookie choices.

Here site visitors can choose for their data not to be shared for analytics purposes (which Insider.com said would prevent data being passed).

I usually apply all cookie consent opt outs, where available, so I’m a little surprised Nativo/SimpleReach was passed my data from an Insider.com webpage. Either I failed to click the opt out one time or failed to respond to the cookie notice and data was passed by default.

It’s also possible I did opt out but data was passed anyway — as there has been research which has found a proportion of cookie notifications ignore choices and pass data anyway (unintentionally or otherwise).

Follow up questions I sent to Insider.com after we talked:

1) Can you confirm whether Insider has performed a legitimate interests assessment?
2) Does Insider have a site mechanism where users can object to the passive data transfer to Facebook from the share buttons?

Insider.com did not respond to my additional questions.

What did you learn from their inclusion in the Off-Facebook Activity list? That Insider.com is a customer of Nativo/SimpleReach.

Rei.com

What is it? A California-based ecommerce website selling outdoor gear

Why did it appear in your Off-Facebook Activity list? I don’t recall ever visiting their site prior to looking into why it appeared in the list so I’m really not sure

What happened when you asked them about this? After saying it would investigate it followed up with a statement, rather than detailed responses to my questions, in which it claims it does not hold any personal data associated with — presumably — my TechCrunch email, since it did not ask me what data to check against.

It also appeared to be claiming that it uses Facebook tracking pixels/tags on its website, without explicitly saying as much, writing that: “Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool.”

It claims it has no access to this information — which it says is “pseudonymous to us” but suggested that if I have a Facebook account Facebook could link any browsing on Rei’s site to my Facebook’s identity and therefore track my activity.

The company also pointed me to a Facebook Help Center post where the company names some of the activities that might have resulted in Rei’s website sending activity data on me to Facebook (which it could then link to my Facebook ID) — although Facebook’s list is not exhaustive (included are: “viewing content”, “searching for an item”, “adding an item to a shopping cart” and “making a donation” among other activities the company tracks by having its code embedded on third parties’ sites).

Here’s Rei’s statement in full:

Thank you for your patience as we looked into your questions.  We have checked our systems and determined that REI does not maintain any personal data associated with you based on the information you provided.  Note, however, that Facebook may collect information about your interactions with our websites and mobile apps and reflect that information to you through their Off-Facebook Activity tool. The information that Facebook collects in this manner is pseudonymous to us — meaning we cannot identify you using the information and we do not maintain the information in a manner that is linked to your name or other identifying information. However, if you have a Facebook account, Facebook may be able to match this activity to your Facebook account via a unique identifier unavailable to REI. (Funnily enough, while researching this I found TechCrunch in MY list of Off-Facebook activity!)

For a complete list of activities that could have resulted in REI sharing pseudonymous information about you with Facebook, this Facebook Help Center article may be useful.  For a detailed description of the ways in which we may collect and share customer information, the purposes for which we may process your data, and rights available to EEA residents, please refer to our Privacy Policy.  For information about how REI uses cookies, please refer to our Cookie Policy.

As a follow up question I asked Rei to tell me which Facebook tools it uses, pointing out that: “Given that, just because you aren’t (as I understand it) directly using my data yourself that does not mean you are not responsible for my data being transferred to Facebook.”

The company did not respond to that point.

I also previously asked Rei.com to confirm whether it has any data sharing arrangements with the publisher of Rock & Ice magazine (see below). And, if so, to confirm the processes involved in data being shared. Again, I got no response to that.

What did you learn from their inclusion in the Off-Facebook Activity list? Given that Rei.com appeared alongside Rock & Ice on the list — both displaying the same date and just one activity apiece — I surmised they have some kind of data-sharing arrangement. They are also both outdoors brands so there would be obvious commercial ‘synergies’ to underpin such an arrangement.

That said, neither would confirm a business relationship to me. But Facebook’s list heavily implies there is some background data-sharing going on

Rock & Ice magazine 

What is it? A climbing magazine produced by a California-based publisher, Big Stone Publishing

Why did it appear in your Off-Facebook Activity list? I imagine I clicked on a link to a climbing-related article in my Facebook feed or else visited Rock & Ice’s website while I was logged into Facebook in the same browser session

What happened when you asked them about this? After ignoring my initial email query I subsequently received a brief response from the publisher after I followed up — which read:

The Rock and Ice website is opt in, where you have to agree to terms of use to access the website. I don’t know what private data you are saying Rock and Ice shared, so I can’t speak to that. The site terms are here. As stated in the terms you can opt out.

Following up, I asked about the provision in the Rock & Ice website’s cookie notice which states: “By continuing to use our site, you agree to our cookies” — asking whether it’s passing data without waiting for the user to signal their consent.

(Relevant: In October Europe’s top court issued a ruling that active consent is necessary for tracking cookies, so you can’t drop cookies prior to a user giving consent for you to do so.)

The publisher responded:

You have to opt in and agree to the terms to use the website. You may opt out of cookies, which is covered in the terms. If you do not want the benefits of these advertising cookies, you may be able to opt-out by visiting: http://www.networkadvertising.org/optout_nonppii.asp.

If you don’t want any cookies, you can find extensions such as Ghostery or the browser itself to stop and refuse cookies. By doing so though some websites might not work properly.

I followed up again to point out that I’m not asking about the options to opt in or opt out but, rather, the behavior of the website if the visitor does not provide a consent response yet continues browsing — asking for confirmation Rock & Ice’s site interprets this state as consent and therefore sends data.

The publisher stopped responding at that point.

Earlier I had asked it to confirm whether its website shares visitor data with Rei.com? (As noted above, the two appeared with the same date on the list which suggests data may be being passed between them.) I did not get a respond to that question either.

What did you learn from their inclusion in the Off-Facebook Activity list? That the magazine appears to have a data-sharing arrangement with outdoor retailer Rei.com, given how the pair appeared at the same point in my list. However neither would confirm this when I asked

MatterHackers

What is it? A California-based retailer focused on 3D printing and digital manufacturing

Why did it appear in your Off-Facebook Activity list? I honestly have no idea. I have never to my knowledge visited their site prior to investigating why they should appear on my Off Site Activity list.

I remain pretty interested to know how/why they managed to track me. I can only surmise I clicked on some technology-related content in my Facebook feed, either intentionally or by accident.

What happened when you asked them about this? They first asked me for confirmation that they were on my list. After I had sent a screenshot, they followed up to say they would investigate. I pushed again after hearing nothing for several weeks. At this point they asked for additional information from the Off-Facebook Activity tool — namely more granular metrics, such as a time and date per event and some label information — to help with tracking down this particular data-exchange.

I had previously provided them with the date (as it appears in the screenshot) but it’s possible to download additional an additional level of information about data transfers which includes per event time/date-stamps and labels/tags, such as “VIEW_CONTENT” .

However, as noted above, I had previously selected and deleted one item off of my Off-Facebook Activity list, after which Facebook’s platform had immediately erased all entries and associated metrics. There was no obvious way I could recover access to that information.

“Without this information I would speculate that you viewed an article or product on our site — we publish a lot of ‘How To’ content related to 3D printing and other digital manufacturing technologies — this information could have then been captured by Facebook via Adroll for ad retargeting purposes,” a MatterHackers spokesman told me. “Operationally, we have no other data sharing mechanism with Facebook.”

Subsequently, the company confirmed it implements Facebook’s tracking pixel on every page of its website.

Of the pixel Facebook writes that it enables website owners to track “conversions” (i.e. website actions); create custom audiences which segment site visitors by criteria that Facebook can identify and match across its user-base, allowing for the site owner to target ads via Facebook’s platform at non-customers with a similar profile/criteria to existing customers that are browsing its site; and for creating dynamic ads where a template ad gets populated with product content based on tracking data for that particular visitor.

Regarding the legal base for the data sharing, MatterHackers had this to say: “MatterHackers is not an EU entity, nor do we conduct business in the EU and so have not undertaken GDPR compliance measures. CCPA [California’s Consumer Privacy Act] will likely apply to our business as of 2021 and we have begun the process of ensuring that our website will be in compliance with those regulations as of January 1st.”

I pointed out that GDPR is extraterritorial in scope — and can apply to non-EU based entities, such as if they’re monitoring individuals in the EU (as in this case).

Also likely relevant: A ruling last year by Europe’s top court found sites that embed third party plug-ins such as Facebook’s like button are jointly responsible for the initial data processing — and must either obtain informed consent from site visitors prior to data being transferred to Facebook, or be able to demonstrate a legitimate interest legal basis for processing this data.

Nonetheless it’s still not clear what legal base the company is relying on for implementing the tracking pixel and passing data on EU Facebook users.

When asked about this MatterHacker COO, Kevin Pope, told me:

While we appreciate the sentiment of GDPR, in this case the EU lacks the legal standing to pursue an enforcement action. I’m sure you can appreciate the potential negative consequences if any arbitrary country (or jurisdiction) were able to enforce legal penalties against any website simply for having visitors from that country. Techcrunch would have been fined to oblivion many times over by China or even Thailand (for covering the King in a negative light). In this way, the attempted overreach of the GDPR’s language sets a dangerous precedent.

To provide a little more detail – MatterHackers, at the time of your visit, wouldn’t have known that you were from the EU until we cross-referenced your session with  Facebook, who does know. At that point you would have been filtered from any advertising by us. MatterHackers makes money when our (U.S.) customers buy 3D printers or materials and then succeed at using them (hence the how-to articles), we don’t make any money selling advertising or data.

Given that Facebook does legally exist in the EU and does have direct revenues from EU advertisers, it’s entirely appropriate that Facebook should comply with EU regulations. As a global solution, I believe more privacy settings options should be available to its users. However, given Facebook’s business model, I wouldn’t expect anything other than continued deflection (note the careful wording on their tool) and avoidance from them on this issue.

What did you learn from their inclusion in the Off-Facebook Activity List? I found out that an ecommerce company I had never heard of had been tracking me

Wallapop

What is it? A Barcelona-based peer-to-peer marketplace app that lets people list secondhand stuff for sale and/or to search for things to buy in their proximity. Users can meet in person to carry out a transaction paying in cash or there can be an option to pay via the platform and have an item posted

Why did it appear in your Off-Facebook Activity list? This was the only digital activity that appeared in the list that was something I could explain — figuring out I must have used a Facebook sign-in option when using the Wallapop app to buy/sell. I wouldn’t normally use Facebook sign-in but for trust-based marketplaces there may be user benefits to leveraging network effects.

What happened when you asked them about this? After my query was booted around a bit a PR company that works with Wallapop responded asking to talk through what information I was trying to ascertain.

After we chatted they sent this response — attributed to sources from Wallapop:

Same as it happens with other apps, wallapop can appear on our users’ Facebook Off Site Activity page if they have interacted in any way with the platform while they were logged in their Facebook accounts. Some interaction examples include logging in via Facebook, visiting our website or having both apps opened and logged.

As other apps do, wallapop only shares activity events with Facebook to optimize users’ ad experience. This includes if a user is registered in wallapop, if they have uploaded an item or if they have started a conversation. Under no circumstance wallapop shares with Facebook our users’ personal data (including sex, name, email address or telephone number).

At wallapop, we are thoroughly committed with the security of our community and we do a safe treatment of the data they choose to share with us, in compliance with EU’s General Data Protection Regulation. Under no circumstance these data are shared with third parties without explicit authorization.

I followed up to ask for further details about these “activity events” — asking whether, for instance, Wallapop shares messaging content with Facebook as well as letting the social network know which items a user is chatting about.

“Under no circumstance the content of our users’ messages is shared with Facebook,” the spokesperson told me. “What is shared is limited to the fact that a conversation has been initiated with another user in relation to a specific item, this is, activity events. Under no circumstance we would share our users’ personal information either.”

Of course the point is Facebook is able to link all app activity with the user ID it already has — so every piece of activity data being shared is personal data.

I also asked what legal base Wallapop relies on to share activity data with Facebook. They said the legal basis is “explicit consent given by users” at the point of signing up to use the app.

“Wallapop collects explicit consent from our users and at any time they can exercise their rights to their data, which include the modification of consent given in the first place,” they said.

“Users give their explicit consent by clicking in the corresponding box when they register in the app, where they also get the chance to opt out and not do it. If later on they want to change the consent they gave in first instance, they also have that option through the app. All the information is clearly available on our Privacy Policy, which is GDPR compliant.”

“At wallapop we take our community’s privacy and security very seriously and we follow recommendations from the Spanish Data Protection Agency,” it added

What did you learn from their inclusion in the Off-Facebook Activity list? Not much more than I would have already guessed — i.e. that using a Facebook sign-in option in a third party app grants the social media giant a high degree of visibility into your activity within another service.

In this case the Wallapop app registered the most activity events of all six of the listed apps, displaying 13 vs only one apiece for the others — so it gave a bit of a suggestive glimpse into the volume of third party app data that can be passed if you opt to open a Facebook login wormhole into a separate service.

Public demand for tech regulation is rising.

Vimeo signaled last year its plans to move further into the social video creation and editing space with its acquisition of short-form video editor Magisto. Today, the company is unveiling the results of its work in the months following the deal’s close with the debut of Vimeo Create. The new app includes a set of video creation tools aimed at small businesses and marketers looking to tell their stories using social video, but who lack the resources, time or budget to invest in video production at the scale they need to compete.

With Vimeo Create, available on both the desktop and as an app, businesses choose from pre-made, professionally-designed video templates that can be customized to meet their needs. More advanced users could opt to start a new video from scratch, as an alternative.

The app includes a library of stock content to add to videos, including millions of HD video clips, photos, and commercially-licensed music tracks available for no extra fee, Vimeo says. Businesses can also customize their videos by selecting the colors, fonts, layouts, logos, text captions and calls-to-action they want to use.

The app then leverages A.I.-powered technology to turn the clips, photos, music, and text into a high-quality social video in minutes.

Vimeo Create also simplifies the process of designing videos for different social platforms, where aspect ratios (e.g., square, vertical, horizontal) and format requirements vary. After the video is finalized, users are able to publish across the web — including to Facebook, YouTube, Instagram, Twitter and LinkedIn — as a part of the Vimeo Create workflow.

The move into social video creation is part of Vimeo’s larger strategy of becoming a one-stop-shop for companies and individuals who publish videos online. The company has long since abandoned its plans to be a YouTube competitor, instead seeing the potential in the other side of the video market. Today, Vimeo makes money by offering tools and services to video creators both large and small. It has launched tools for uploading and livestreaming across social sites and updated its mobile app to include more features previously available only to desktop users, among other things.

Vimeo decision to prioritize social video resulted from its own research. The company found that only 22% of small business owners felt they were using enough video. The businesses complained that issues around time, cost and complexity were keeping them from going further. Nearly all (96%) of small business owners said they would create more video if all those friction points were removed.

The service was built using parts of Magisto’s backend and its A.I., but the overall app, feature set, content, user interface and integration into Vimeo’s tools were built from the ground-up, the company says.

The company hopes Vimeo Create will help it to grow its subscription revenue, as the service is offered as a part of Vimeo’s Pro, Business and Premium membership plans, instead of as a standalone paid or freemium app.

“Video is the most impactful medium we have today for human expression at scale, and businesses
need an online video strategy to reach their customers. But the research is clear: small business owners
and entrepreneurs don’t have the tools, time or budgets to make videos at the volume and quality
needed to compete,” said Vimeo CEO Anjali Sud, in a statement about the launch. “Vimeo Create levels the playing field. It’s a radically simple tool that shortens the distance from idea to execution, so more businesses can have a successful video strategy.”

Vimeo isn’t alone in addressing the social video needs of small businesses. Last fall, Facetune maker Lightricks launched a full suite of apps for small businesses to use for their social media marketing campaigns. There are also dozens of tools for video editing on the market, including those from incumbents, like Adobe and Apple, as well as from others like Magisto, Canva, PicsArt and many more that offer features craved by small business owners like templates, easy editing tools, access to stock content, and support one-click multiplatform publishing, among other things.

Vimeo first launched Vimeo Create into beta back in January, but today it’s available to all across web, iOS, and Android.