
Location broker X-Mode continues to track users despite app store bans


Privacy researchers say hundreds of Android apps, far more than previously disclosed, have sent granular user location data to X-Mode, a data broker known to sell location data to U.S. military contractors.

The apps include messaging apps, a free video and file converter, several dating sites, and religion and prayer apps — each accounting for tens of millions of downloads to date.

Sean O’Brien, principal researcher at ExpressVPN Digital Security Lab, and Esther Onfroy, co-founder of the Defensive Lab Agency, found close to 200 Android apps that at some point over the past year contained X-Mode tracking code.

Some of the apps were still sending location data to X-Mode as recently as December when Apple and Google told developers to remove X-Mode from their apps or face a ban from the app stores.

But weeks after the ban took effect, one popular U.S. transit map app that had been installed hundreds of thousands of times was still downloadable from Google Play even though it was still sending location data to X-Mode.

The new research, now published, is believed to be the broadest review to date of apps that collaborate with X-Mode, one of dozens of companies in a multibillion-dollar industry that buys and sells access to the location data collected from ordinary phone apps, often for the purposes of serving targeted advertising.

But X-Mode has faced greater scrutiny for its connections to government work, amid fresh reports that U.S. intelligence bought access to commercial location data to search for Americans’ past movements without first obtaining a warrant.

X-Mode pays app developers to include its tracking code, known as a software development kit, or SDK, in exchange for collecting and handing over the user’s location data. Users opt in to this tracking by accepting the app’s terms of use and privacy policies. But not all apps that use X-Mode disclose to their users that their location data may end up with the data broker or be sold to military contractors.

X-Mode’s ties to military contractors (and by extension the U.S. military) were first disclosed by Motherboard, which reported that a popular prayer app with more than 98 million downloads worldwide sent granular movement data to X-Mode.

In November, Motherboard found that another previously unreported Muslim prayer app called Qibla Compass sent data to X-Mode. O’Brien’s findings corroborate that and also point to several more Muslim-focused apps as containing X-Mode. By conducting network traffic analysis, Motherboard verified that at least three of those apps did at some point send location data to X-Mode, although none of the versions currently on Google Play do so. You can read Motherboard’s full story here.

X-Mode’s chief executive Josh Anton told CNN last year that the data broker tracks 25 million devices in the U.S., and told Motherboard its SDK had been used in about 400 apps.

In a statement to TechCrunch, Anton said:

“The ban on X-Mode’s SDK has broader ecosystem implications considering X-Mode collected similar mobile app data as most advertising SDKs. Apple and Google have set the precedent that they can determine private enterprises’ ability to collect and use mobile app data even when a majority of our publishers had secondary consent for the collection and use of location data.

We’ve recently sent a letter to Apple and Google to understand how we can best resolve this issue together so that we can both continue to use location data to save lives and continue to power the tech communities’ ability to build location-based products. We believe it’s important to ensure that Apple and Google hold X-Mode to the same standard they hold upon themselves when it comes to the collection and use of location data.”

The researchers also published new endpoints that apps using X-Mode’s SDK are known to communicate with, which O’Brien said he hoped would help others discover which apps are sending — or have historically sent — users’ location data to X-Mode.

“We hope consumers can identify if they’re the target of one of these location trackers and, more importantly, demand that this spying end. We want researchers to build off of our findings in the public interest, helping to shine light on these threats to privacy, security, and rights,” said O’Brien.

TechCrunch analyzed the network traffic on about two dozen of the most downloaded Android apps in the researchers’ findings to look for apps that were communicating with any of the known X-Mode endpoints, and confirmed that several of the apps were at some point sending location data to X-Mode.

We also used the endpoints identified by the researchers to look for other popular apps that may have communicated with X-Mode.

At least one app identified by TechCrunch slipped through Google’s app store ban.

New York Subway in Google Play, until it was removed by Google. (Image: TechCrunch)

New York Subway, a popular app for navigating the New York City subway system that has been downloaded 250,000 times, according to data provided by Sensor Tower, was still listed in Google Play as of this week. But the app, which had not been updated since the app store bans were implemented, was still sending location data to X-Mode.

As soon as the app loads, a splash screen immediately asks for the user’s consent to send data to X-Mode for ads, analytics and market research, but the app did not mention X-Mode’s government work.

Desoline, the Israel-based app maker, did not respond to multiple requests for comment, but removed references to X-Mode from its privacy policy a short while after we reached out. At the time of writing, the app has not returned to Google Play.

A Google spokesperson confirmed the company removed the app from Google Play.

Using the researchers’ list of apps, TechCrunch also found that previous versions of two highly popular apps, Moco and Video MP3 Converter, which account for more than 115 million downloads to date, are still sending user location data to X-Mode. That poses a privacy risk to users who install Android apps from outside Google Play, and those who are running older apps that are still sending data to X-Mode.

Neither app maker responded to a request for comment. Google would not say if it had removed any other apps for similar violations or what measures it would take, if any, to protect users running older app versions that are still sending location data to X-Mode.

None of the corresponding and namesake apps for Apple’s iOS that we tested appeared to communicate with X-Mode’s endpoints. When reached, Apple declined to say if it had blocked any apps after its ban went into effect.


“The sensors in smartphones provide rich data that can be exploited to limit our movements, our free expression, and our autonomy,” said O’Brien. “Location spying poses a serious threat to human rights because it peers into the most sensitive aspects of our lives and who we associate with.”

The newly published research is likely to bring fresh scrutiny to how ordinary smartphone apps are harvesting and selling vast amounts of personal data on millions of Americans, often without the user’s explicit consent.

Several federal agencies, including the Internal Revenue Service and Homeland Security, are under investigation by government watchdogs for buying and using location data from various data brokers without first obtaining a warrant. Last week it emerged that intelligence analysts at the Defense Intelligence Agency buy access to commercial databases of Americans’ location data.

Critics say the government is exploiting a loophole in a 2018 Supreme Court ruling, which stopped law enforcement from obtaining cell phone location data directly from the cell carriers without a warrant.

Now the government says it doesn’t believe it needs a warrant for what it can buy directly from brokers.

Sen. Ron Wyden, a vocal privacy critic whose office has been investigating the data broker industry, previously drafted legislation that would grant the Federal Trade Commission new powers to regulate and fine data brokers.

“Americans are sick of learning that their location data is being sold by data brokers to anyone with a credit card. Industry self-regulation clearly isn’t working — Congress needs to pass tough legislation, like my Mind Your Own Business Act, to give consumers effective tools to prevent their data being sold and to give the FTC the power to hold companies accountable when they violate Americans’ privacy,” said Wyden.


Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents with SecureDrop.

Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.


Daily Crunch: A huge fintech exit as the week ends


To get a roundup of TechCrunch’s biggest and most important stories delivered to your inbox every day at 3 p.m. PDT, subscribe here.

Our thanks to everyone who wrote in this week about the format changes to the newsletter! Feedback largely sorted into two themes: Some people really like the more narrative format, and some folks really want a more link-list styled missive. What follows is an attempt to balance both perspectives.

Starting today we’ll bold company names, so that you can more quickly pick out startups, add more bulleted points to sections, and, per a different piece of feedback, include more regular descriptors of companies that are not household names.

That said, we’re not going to abandon chatting with you every day, as TechCrunch is nothing if not full of things to say. So here’s a blend of what the new, updated Daily Crunch team had in mind, and your notes. A big thanks to everyone who wrote in!

Alex @alex on Twitter

A mega-exit for American fintech

The news that public fintech company Bill.com will buy Divvy, a Utah-based startup that helps small and midsized businesses manage their spend, was perhaps the biggest startup story of the week. Breaking late Thursday, the $2.5 billion transaction was long expected. Divvy had raised more than $400 million from PayPal Ventures, New Enterprise Associates, Insight Partners and Pelion Venture Partners.

TechCrunch covered the impending sale, rumors of which sprung up before Bill.com reported its Q1 earnings. To see the company drop the news at the same time as its earnings was not a surprise. For the burgeoning corporate payment space (more here on startups in the space like Ramp, Airbase and Brex).

I got to noodle on the financial results that Bill.com detailed regarding Divvy — they are pretty key metrics to help us value the startups that are competing to go public or find a similarly feathered corporate nest. In short, the corporate spend startup cohort is doing great. It’s even spawning new startups like Latin American-focused Clara, which raised $3.5 million earlier this year.

Broadly, the fintech market had a huge Q1 and is blasting its way toward a record venture capital year, like AI startups and the rest of the VC world.

Startups and venture capital

5 investors discuss the future of RPA after UiPath’s IPO

Much ink (erm, pixels) has been spilled about robotic process automation (RPA) recently, particularly in the wake of UiPath’s IPO last month.

But while some of the individuals Ron interviewed about the future of RPA believe the technology is in its “early infancy,” the pandemic increased attention toward things we can let robots handle for us. And it’s hard to argue that repetitive tasks like billing and spreadsheeting and paper-pushing should not be outsourced to robots.

“RPA allows companies to automate a group of highly mundane tasks and have a machine do the work instead of a human,” Ron writes. “Think of finding an invoice amount in an email, placing the figure in a spreadsheet and sending a Slack message to accounts payable. You could have humans do that, or you could do it more quickly and efficiently with a machine. We’re talking mind-numbing work that is well suited to automation.”

Although RPA is the fastest-growing category in enterprise software, the market remains surprisingly small. Ron spoke to five investors about where the sector is headed, where there are opportunities and the biggest threats to the RPA startup ecosystem.

(Extra Crunch is our membership program, which helps founders and startup teams get ahead. You can sign up here.)

The tech giants

It was a quieter day from the tech giants, who made plenty of news earlier in the week. The good news is that their relative calm means we can take a look at news from other Big Tech companies, those that don’t quite crack the $1 trillion market cap threshold yet:

Community

Some of us are mourning the shutdown of Nuzzel, so we asked … would you pay for it (and why)? Let us know what you think!


Tesla refutes Elon Musk’s timeline on ‘full self-driving’


What Tesla CEO Elon Musk says publicly about the company’s progress on a fully autonomous driving system doesn’t match up with “engineering reality,” according to a memo that summarizes a meeting between California regulators and employees at the automaker.

The memo, which transparency site Plainsite obtained via a Freedom of Information Act request and subsequently released, shows that Musk has inflated the capabilities of the Autopilot advanced driver assistance system in Tesla vehicles, as well as the company’s ability to deliver fully autonomous features by the end of the year.

Tesla vehicles come standard with a driver assistance system branded as Autopilot. For an additional $10,000, owners can buy “full self-driving,” or FSD — a feature that Musk promises will one day deliver full autonomous driving capabilities. FSD, which has steadily increased in price and capability, has been available as an option for years. However, Tesla vehicles are not self-driving. FSD includes the parking feature Summon as well as Navigate on Autopilot, an active guidance system that navigates a car from a highway on-ramp to off-ramp, including interchanges and making lane changes. Once drivers enter a destination into the navigation system, they can enable “Navigate on Autopilot” for that trip.

Tesla vehicles are far from reaching that level of autonomy, a fact confirmed by statements made by the company’s director of Autopilot software CJ Moore to California regulators, the memo shows.

“Elon’s tweet does not match engineering reality per CJ,” according to the memo summarizing the conversation between regulators with the California Department of Motor Vehicles’ autonomous vehicles branch and four Tesla employees, including Moore.

The memo, which was written by California DMV’s Miguel Acosta, states that Moore described Autopilot — and the new features being tested — as a Level 2 system. That description matters in the world of automated driving.

There are five levels of automation under standards created by SAE International. Level 2 means two primary functions — like adaptive cruise and lane keeping — are automated and still have a human driver in the loop at all times. Level 2 is an advanced driver assistance system, and has become increasingly available in new vehicles, including those produced by Tesla, GM, Volvo and Mercedes. Tesla’s Autopilot and its more capable FSD were considered the most advanced systems available to consumers. However, other automakers have started to catch up.

Level 4 means the vehicle can handle all aspects of driving in certain conditions without human intervention and is what companies like Argo AI, Aurora, Cruise, Motional, Waymo and Zoox are working on. Level 5, which is widely viewed as a distant goal, would handle all driving in all environments and conditions.

Here is an important bit via Acosta’s summarization:

DMV asked CJ to address from an engineering perspective, Elon’s messaging about L5 capability by the end of the year. Elon’s tweet does not match engineering reality per CJ. Tesla is at Level 2 currently. The ratio of driver interaction would need to be in the magnitude of 1 or 2 million miles per driver interaction to move into higher levels of automation. Tesla indicated that Elon is extrapolating on the rates of improvement when speaking about L5 capabilities. Tesla couldn’t say if the rate of improvement would make it to L5 by end of calendar year.

Portions of this commentary were redacted. However, Plainsite was able to copy and paste the redacted part, which shows up as white space on a PDF, into another document.

The comments in the memo are contrary to what Musk has said repeatedly in the public sphere.

Musk is frequently asked on Twitter and in quarterly earnings calls for progress reports on FSD, including questions about when it will be rolled out via software updates to owners who have purchased the option. In a January earnings call, Musk said he was “highly confident the car will be able to drive itself with reliability in excess of a human this year.” In April 2021, during the company’s first quarter earnings call, Musk said “it’s really quite, quite tricky. But I am highly confident that we will get this done.”

The memo released this week provided other insights into Tesla’s push to test and eventually unlock greater levels of autonomy, including the number of vehicles testing a beta version of “Navigate on Autopilot on City Streets,” a feature that is meant to handle driving in urban areas and not just highways. Regulators also asked the Tesla employees if and how participants were being trained to test this feature, and how the sales team ensures that messaging about the vehicle capabilities and limitations is communicated.

As of the March meeting, there were 824 vehicles in a pilot program testing a beta version of “city streets.” About 750 of those vehicles were being driven by employees and 71 by non-employees. Pilot participants are located across 37 states, with the majority of participants in California. As of March 2021, pilot participants have driven more than 153,000 miles using the City Streets feature, the memo states. The memo noted that Tesla planned to expand this pool of participants to approximately 1,600 later that month.

Tesla told the DMV that it is working on developing a video for the participants and that the next group of participants will include referrals from existing participants. “The new participants will be vetted by Tesla by looking at insurance telematics based on the VINs registered to that participant,” according to the memo.

Tesla also told the DMV that it is able to track when there are failures or when the feature is deactivated. Moore described these as “disengagements,” a term also used by companies testing and developing autonomous vehicle technology. The primary difference worth noting here is that these companies only use employees who are trained safety drivers, not the public.


Betting on upcoming startup markets


Welcome back to The TechCrunch Exchange, a weekly startups-and-markets newsletter. It’s broadly based on the daily column that appears on Extra Crunch, but free, and made for your weekend reading. Want it in your inbox every Saturday? Sign up here.

Ready? Let’s talk money, startups and spicy IPO rumors.

Betting on upcoming startup markets

This week M25, a venture capital concern focused on investing in the Midwest of the United States, announced a new fund worth $31.8 million. As the firm noted in a release that The Exchange reviewed, its new fund is about three times the size of its preceding investment vehicle.

I caught up with M25 partner Mike Asem to chat about the round. Asem joined M25 in 2016 after partner Victor Gutwein spearheaded the effort with a small $1 million fund. Asem and Gutwein have led the firm since its first material, if technically second, fund.

Asem said that his team had targeted a $25 million to $30 million fund three, meaning that they came in a bit higher than anticipated in fundraising terms. That’s not a surprise in today’s venture capital market, given the pace at which capital is both invested into VC funds and startups.

The investor told The Exchange that M25 has been investing out of its third fund for some time, including CASHDROP, a startup that I’ve heard good things about regarding its growth rate. (More here on the CASHDROP round that M25 put capital into.)

All that’s fine, but what makes M25 an interesting bet is that the firm only invests in Midwest-headquartered startups. Often when I chat to a fund that has a unique geographical focus, it’s merely that, a focus. As opposed to M25’s more hard-and-fast rule. Now with more capital and plans to take part in 12-15 deals per year, the group can double down on its thesis.

Per Asem, M25 has done about a third of its deals in Chicago, where it’s based, but has put capital into startups in 24 cities thus far. TechCrunch covered one of those companies, Metafy, earlier this week when it closed more than $5 million in new capital.

Why does M25 think that the Midwest is the place to deploy capital and generate outsize returns? Asem listed a number of perspectives that underpin his team’s thesis: The Midwest’s economic might, the network that he and his partner developed in the area before founding M25, and the fact that valuations can prove to be more attractive in the region at the stage that his firm invests. They are sufficiently different, he said, that his firm can generate material returns even with exits at around the $100 million mark, a lower threshold than most VCs with larger capital vehicles might find palatable.

M25 is not alone in its bets on alternative regions. The Exchange also chatted with Somak Chattopadhyay of Armory Square Ventures on Friday, a firm that is based in upstate New York and invests in B2B software companies in what we might call post-manufacturing cities. One of its investments has gone public, and the group’s latest fund is a multiple of the size of its first. Armory now has around $60 million in AUM.

All that’s to say that the venture capital boom is not merely helping firms like a16z raise another billion here, or another billion there. But the generally hot market for startups and private capital is helping even smaller firms raise more capital to take on less traditional spaces. It’s heartening.

On-demand pricing, and grokking the insurance game

This week The Exchange chatted with Twilio CFO Khozema Shipchandler about his company’s earnings report. You can read more on the hard numbers here. The short gist is that it was a good quarter. But what mattered most in our chat was Shipchandler riffing on where the center of gravity at Twilio will remain in revenue terms.

Briefly, Twilio is best known for building APIs that allow developers to leverage telecom services. Those developers and their employers pay for as much Twilio as they use. But over time Twilio has bought more and more companies, building out a diverse product set after its 2016-era IPO.

So we were curious: Where does the company stand on the on-demand versus SaaS pricing debate that is currently raging in the software world? Staunchly in the first camp, still, despite buying Segment, which is a SaaS service. Per Shipchandler, Twilio revenue is still more than 70% on-demand, and the company wants to make sure that its customers only buy more of its services as they sell more of their own.

Startups, then, probably don’t have to give up on on-demand pricing as they scale. Twilio is huge and is sticking to it!

Then there was Root’s earnings report. Again, here are the core numbers. The Exchange is keeping tabs on Root’s post-IPO performance not only because it was a company we tracked extensively during its late private life, but also because it is a bellwether of sorts for the yet-private neoinsurance companies. Which matters for fellow neoinsurance player Hippo, as it is going public via a SPAC.

Alex Timm, Root’s CEO, said that his firm performed well in the first quarter, generating more direct written premium than anticipated, and at better loss-rates to boot. The company also remains very cash-rich post IPO, and Timm is confident that his company’s data science work has lots more room to improve Root’s underwriting models.

So, faster-than-expected growth, lots of cash, improving economics and a bullish technology take — Root’s stock is flying, right? No, it is not. Instead Root has taken a bit of a public-market pounding in recent months. The Exchange asked Timm about the disparity between how he views his company’s performance and future, and how it is being valued. He said that the insurance folks don’t always get its technology work and that tech folks don’t always grok Root’s insurance business.

That’s tough. But with years and years of cash at its current burn rate, Root has more than enough space to prove its critics wrong, provided that its modeling holds up over the next dozen quarters or so. Its share price can’t be great for the yet-private neoinsurance companies, however. Even if Next Insurance did just raise another grip of cash at another new, higher valuation.

Corporate spend’s big week

As you’ve read by now, Bill.com is buying corporate-spend unicorn Divvy for $2.5 billion. I dug into the numbers behind the deal here, if that’s your sort of thing.

But after collecting notes from the CEOs of Divvy competitors Ramp and Brex here, another bit of commentary came in that I wanted to share. Thejo Kote, the corporate spend startup Airbase’s CEO and founder, did some math on Divvy’s results that Bill.com shared with its own investors, arguing that the company’s March payment volume and active customer account implies that the company’s “average spend volume per customer was $44,400 per month.”

Is that good or bad? Kote is not impressed, saying that Airbase’s “average spend volume per customer is almost 10 [times] that of Divvy,” or around “$375,000 per month.” What’s driving that difference? A focus on larger customers, and the fact that Airbase covers more ground, in Kote’s view, than Divvy by encompassing software work that Bill.com itself and Expensify manage.

I bring you all of this as the war in managing spend for companies large and small is heating up in software terms. With Divvy off the table, Ramp is now perhaps the largest player in the space not charging for the software it wraps around corporate cards. Brex recently launched a software product that it charges for on a recurring basis. (More on Brex at this link, if you are into it.)

Various and sundry

Two final notes for you, things that should make you either laugh, grimace, or howl:

  1. The Wall Street Journal’s Eliot Brown tweeted some data this week from the Financial Times, namely that amongst the roughly 40 SPACs that completed deals last year, a dozen and a half have lost more than half their value. And that the average drop amongst the combined entities is 38%. Woof.
  2. And, finally, welcome to peak everything.

More to come next week, including notes on the return of the Kaltura and Procore IPOs, and whatever it is we can suss out from the Krispy Kreme S-1 filing, as donuts are life.

Alex
