Facebook’s tardy disclosure of breach timing raises GDPR compliance questions

The question of whether Facebook will face any regulatory sanction over the latest massive historical platform privacy fail to come to light remains unclear. But the timeline of the incident looks increasingly awkward for the tech giant.

While it initially sought to play down the data breach revelations published by Business Insider at the weekend by suggesting that information like people’s birth dates and phone numbers was “old”, in a blog post late yesterday the tech giant finally revealed that the data in question had in fact been scraped from its platform by malicious actors “in 2019” and “prior to September 2019”.

That new detail about the timing of this incident raises the issue of compliance with Europe’s General Data Protection Regulation (GDPR) — which came into application in May 2018.

Under the EU regulation data controllers can face fines of up to 2% of their global annual turnover for failures to notify breaches, and up to 4% of annual turnover for more serious compliance violations.

The European framework looks important because Facebook indemnified itself against historical privacy issues in the US when it settled with the FTC for $5BN back in July 2019 — although that does still mean there’s a period of several months (June to September 2019) which could fall outside that settlement.

Yesterday, in its own statement responding to the breach revelations, Facebook’s lead data supervisor in the EU said the provenance of the newly published dataset wasn’t entirely clear, writing that it “seems to comprise the original 2018 (pre-GDPR) dataset” — referring to an earlier breach incident Facebook disclosed in 2018 which related to a vulnerability in its phone lookup functionality that it had said occurred between June 2017 and April 2018 — but also writing that the newly published dataset looked to have been “combined with additional records, which may be from a later period”.

Facebook followed up the Irish Data Protection Commission (DPC)’s statement by confirming that suspicion — admitting that the data had been extracted from its platform in 2019, up until September of that year.

Another new detail that emerged in Facebook’s blog post yesterday was the fact users’ data was scraped not via the aforementioned phone lookup vulnerability — but via another method altogether: A contact importer tool vulnerability.

This route allowed an unknown number of “malicious actors” to use software to imitate Facebook’s app and upload large sets of phone numbers to see which ones matched Facebook users.

In this way a spammer (for example) could upload a database of potential phone numbers and link them to not only names but other data like birth date, email address, location — all the better to phish you with.

In its PR response to the breach, Facebook quickly claimed it had fixed this vulnerability in August 2019. But, again, that timing places the incident squarely in the period of GDPR being active.

As a reminder, Europe’s data protection framework bakes in a data breach notification regime that requires data controllers to notify a relevant supervisory authority if they believe a loss of personal data is likely to constitute a risk to users’ rights and freedoms — and to do so without undue delay (ideally within 72 hours of becoming aware of it).

Yet Facebook made no disclosure at all of this incident to the DPC. Indeed, the regulator made it clear yesterday that it had to proactively seek information from Facebook in the wake of BI’s report. That’s the opposite of how EU lawmakers intended the regulation to function.

Data breaches, meanwhile, are broadly defined under the GDPR. It could mean personal data being lost or stolen and/or accessed by unauthorized third parties. It can also relate to deliberate or accidental action or inaction by a data controller which exposes personal data.

Legal risk attached to the breach likely explains why Facebook has studiously avoided describing this latest data protection failure, in which the personal information of more than half a billion users was posted for free download on an online forum, as a ‘breach’.

And, indeed, why it’s sought to downplay the significance of the leaked information — dubbing people’s personal information “old data”. (Even as few people regularly change their mobile numbers, email address, full names and biographical information and so on, and no one (legally) gets a new birth date… )

Its blog post instead refers to data being scraped; and to scraping being “a common tactic that often relies on automated software to lift public information from the internet that can end up being distributed in online forums” — tacitly implying that the personal information leaked via its contact importer tool was somehow public.

The self-serving suggestion being peddled here by Facebook is that hundreds of millions of users had both published sensitive stuff like their mobile phone numbers on their Facebook profiles and left default settings on their accounts — thereby making this personal information ‘publicly available for scraping/no longer private/uncovered by data protection legislation’.

This is an argument as obviously absurd as it is viciously hostile to people’s rights and privacy. It’s also an argument that EU data protection regulators must quickly and definitively reject or be complicit in allowing Facebook to (ab)use its market power to torch the very fundamental rights that regulators’ sole purpose is to defend and uphold.

Even if some Facebook users affected by this breach had their information exposed via the contact importer tool because they had not changed Facebook’s privacy-hostile defaults, that still raises key questions of GDPR compliance — because the regulation also requires data controllers to adequately secure personal data and apply privacy by design and default.

Facebook allowing hundreds of millions of accounts to have their info freely pillaged by spammers (or whoever) doesn’t sound like good security or default privacy.

In short, it’s the Cambridge Analytica scandal all over again.

Facebook is trying to get away with continuing to be terrible at privacy and data protection because it’s been so terrible at it in the past — and likely feels confident in keeping on with this tactic because it’s faced relatively little regulatory sanction for an endless parade of data scandals. (A one-time $5BN FTC fine for a company that turns over $85BN+ in annual revenue is just another business expense.)

We asked Facebook why it failed to notify the DPC about this 2019 breach back in 2019, when it realized people’s information was once again being maliciously extracted from its platform — or, indeed, why it hasn’t bothered to tell affected Facebook users themselves — but the company declined to comment beyond what it said yesterday.

Then it told us it would not be commenting on its communications with regulators.

Under the GDPR, if a breach poses a high risk to users’ rights and freedoms a data controller is required to notify affected individuals — with the rationale being that prompt notification of a threat can help people take steps to protect themselves from the risks of their data being breached, such as fraud and ID theft.

Yesterday Facebook also said it does not have plans to notify users either.

Perhaps the company’s trademark ‘thumbs up’ symbol would be more aptly expressed as a middle finger raised at everyone else.

 

Lyron Foster is a Hawaii based African American Musician, Author, Actor, Blogger, Filmmaker, Philanthropist and Multinational Serial Tech Entrepreneur.

Vietnamese electric motorbike startup Dat Bike raises $2.6M led by Jungle Ventures

Son Nguyen, founder and chief executive officer of Dat Bike on one of the startup's motorbikes

Dat Bike, a Vietnamese startup with ambitions to become the top electric motorbike company in Southeast Asia, has raised $2.6 million in pre-Series A funding led by Jungle Ventures. Made in Vietnam with mostly domestic parts, Dat Bike’s selling point is its ability to compete with gas motorbikes in terms of pricing and performance. Its new funding is the first time Jungle Ventures has invested in the mobility sector and included participation from Wavemaker Partners, Hustle Fund and iSeed Ventures.

Founder and chief executive officer Son Nguyen began learning how to build bikes from scrap parts while working as a software engineer in Silicon Valley. In 2018, he moved back to Vietnam and launched Dat Bike. More than 80% of households in Indonesia, Malaysia, Thailand and Vietnam own two-wheeled vehicles, but the majority are fueled by gas. Nguyen told TechCrunch that many people want to switch to electric motorbikes, but a major obstacle is performance.

Nguyen said that Dat Bike offers three times the performance (5 kW versus 1.5 kW) and 2 times the range (100 km versus 50 km) of most electric motorbikes in the market, at the same price point. The company’s flagship motorbike, called Weaver, was created to compete against gas motorbikes. It seats two people, which Nguyen noted is an important selling point in Southeast Asian countries, and has a 5000W motor that accelerates from 0 to 50 km per hour in three seconds. The Weaver can be fully charged at a standard electric outlet in about three hours, and reach up to 100 km on one charge (the motorbike’s next iteration will go up to 200 km on one charge).

Dat Bike opened its first physical store in Ho Chi Minh City last December. Nguyen said the company “has shipped a few hundred motorbikes so far and still have a backlog of orders.” He added that it saw a 35% month-over-month growth in new orders after the Ho Chi Minh City store opened.

At 39.9 million dong, or about $1,700 USD, Weaver’s pricing is also comparable to the median price of gas motorbikes. Dat Bike partners with banks and financial institutions to offer consumers twelve-month payment plans with no interest.

“These guys are competing with each other to put the emerging middle class of Vietnam on the digital financial market for the first time ever and as a result, we get a very favorable rate,” he said.

While Vietnam’s government hasn’t implemented subsidies for electric motorbikes yet, the Ministry of Transportation has proposed new regulations mandating electric infrastructure at parking lots and bike stations, which Nguyen said will increase the adoption of electric vehicles. Other Vietnamese companies making electric two-wheeled vehicles include VinFast and PEGA.

One of Dat Bike’s advantages is that its bikes are developed in house, with locally-sourced parts. Nguyen said the benefits of manufacturing in Vietnam, instead of sourcing from China and other countries, include streamlined logistics and a more efficient supply chain, since most of Dat Bike’s suppliers are also domestic.

“There are also huge tax advantages for being local, as import tax for bikes is 45% and for bike parts ranging from 15% to 30%,” said Nguyen. “Trade within Southeast Asia is tariff-free though, which means that we have a competitive advantage to expand to the region, compared to foreign imported bikes.”

Dat Bike plans to expand by building its supply chain in Southeast Asia over the next two to three years, with the help of investors like Jungle Ventures.

In a statement, Jungle Ventures founding partner Amit Anand said, “The $25 billion two-wheeler industry in Southeast Asia in particular is ripe for reaping benefits of new developments in electric vehicles and automation. We believe that Dat Bike will lead this charge and create a new benchmark not just in the region but potentially globally for what the next generation of two-wheeler electric vehicles will look and perform like.”

Binance Labs leads $1.6M seed round in DeFi startup MOUND, the developer of Pancake Bunny

Decentralized finance startup MOUND, known for its yield farming aggregator Pancake Bunny, has raised $1.6 million in seed funding led by Binance Labs. Other participants included IDEO CoLab, SparkLabs Korea and Handshake co-founder Andrew Lee.

Built on Binance Smart Chain, a blockchain for developing high-performance DeFi apps, MOUND says Pancake Bunny now has over 30,000 daily average users, and has accumulated more than $2.1 billion in total value locked (TVL) since its launch in December 2020.

The new funding will be used to expand Pancake Bunny and develop new products. MOUND recently launched Smart Vaults and plans to unveil Cross-Chain Collateralization in about a month, bringing the startup closer to its goal of covering a wide range of DeFi use cases, including farming, lending and swapping.

Smart Vaults are for farming single asset yields on leveraged lending products. It also automatically checks if the cost of leveraging may be more than anticipated returns and can actively lend assets for MOUND’s cross-chain farming.

Cross-Chain Collateralization is cross-chain yield farming that lets users keep original assets on their native blockchain instead of relying on a bridge token. The user’s original assets serve as collateral when the Bunny protocol borrows assets on the Binance Smart Chain for yield farming. This allows users to keep assets on native blockchains while giving them liquidity to generate returns on the Binance Smart Chain.

In a statement, Wei Zhou, Binance chief financial officer, and head of Binance Labs and M&A’s, said “Pancake Bunny’s growth and MOUND’s commitment to execution are impressive. Team MOUND’s expertise in live product design and service was a key factor in our decision to invest. We look forward to expanding the horizons of Defi together with MOUND.”

Battery Resourcers raises $20M to commercialize its recycling-plus-manufacturing operations

As a greater share of the transportation market becomes electrified, companies have started to grapple with how to dispose of the thousands of tons of used electric vehicle batteries that are expected to come off the roads by the end of the decade.

Battery Resourcers proposes a seemingly simple solution: recycle them. But the company doesn’t stop there. It’s engineered a “closed loop” process to turn that recycled material into nickel-manganese-cobalt cathodes to sell back to battery manufacturers. It is also developing a process to recover and purify graphite, a material used in anodes, to battery-grade.

Battery Resourcers’ business model has attracted another round of investor attention, this time with a $20 million Series B equity round led by Orbia Ventures, with injections from At One Ventures, TDK Ventures, TRUMPF Venture, Doral Energy-Tech Ventures and InMotion Ventures. Battery Resourcers CEO Mike O’Kronley declined to disclose the company’s new valuation.

The cathode and anode, along with the electrolyzer, are major components of battery architecture, and O’Kronley told TechCrunch it is this recycling-plus-manufacturing process that distinguishes the company from other recyclers.

“When we say that we’re on the verge of revolutionizing this industry, what we are doing is we are making the cathode active material — we’re not just recovering the metals that are in the battery, which a lot of other recyclers are doing,” he said. “We’re recovering those materials, and formulating brand new cathode active material, and also recovering and purifying the graphite active material. So those two active materials will be sold to a battery manufacturer and go right back into the new battery.”

“Other recycling companies, they’re focused on recovering just the metals that are in [batteries]: there’s copper, there’s aluminum, there’s nickel, there’s cobalt. They’re focused on recovering those metals and selling them back as commodities into whatever industry needs those metals,” he added. “And they may or may not go back into a battery.”

The company says its approach could reduce the battery industry’s reliance on mined metals — a reliance that’s only anticipated to grow in the coming decades. A study published last December found that demand for cobalt could increase by a factor of 17 and nickel by a factor of 28, depending on the size of EV uptake and advances in battery chemistries.

Thus far, the company’s been operating a demonstration-scale facility in Worcester, Massachusetts, and has expanded into a facility in Novi, Michigan, where it does analytical testing and material characterization. Between the two sites, the company can make around 15 tons of cathode materials a year. This latest funding round will help facilitate the development of a commercial-scale facility, which Battery Resourcers said in a statement will boost its capacity to process 10,000 tons of batteries per year, or batteries from around 20,000 EVs.

Another major piece of its proprietary recycling process is the ability to take in both old and new EV batteries, process them and formulate the newest kind of cathodes used in today’s batteries. “So they can take in 10-year-old batteries from a Chevy Volt and reformulate the metals to make the high-Ni cathode active materials in use today,” a company spokesman explained to TechCrunch.

Battery Resourcers is already receiving inquiries from automakers and consumer electronics companies, O’Kronley said, though he did not provide additional details. But InMotion Ventures, the venture capital arm of Jaguar Land Rover, described its participation in the round in a statement as a “significant investment.”

“[Battery Resourcers’] proprietary end-to-end recycling process supports Jaguar Land Rover’s journey to become a net zero carbon business by 2039,” InMotion managing director Sebastian Peck said.

Battery Resourcers was founded in 2015 after being spun out from Massachusetts’ Worcester Polytechnic Institute. The company has previously received support from the National Science Foundation and the U.S. Advanced Battery Consortium, a collaboration between General Motors, Ford Motor Company and Fiat Chrysler Automobiles.
