
Thursday, January 31, 2019

Facebook removes hundreds of accounts linked to fake news group in Indonesia

Facebook said it has removed hundreds of Facebook and Instagram accounts with links to an organization that peddled fake news.

The world’s fourth largest country with a population of over 260 million, Indonesia is in election year alongside Southeast Asia neighbors Thailand and the Philippines. Facebook said this week it has set up an ‘election integrity’ team in Singapore, its APAC HQ, as it tries to prevent its social network being misused in the lead-up to voting as happened in the U.S.

This Indonesia bust is the first move announced since that task force was put in place, and it sees 207 Facebook Pages, 800 Facebook accounts, 546 Facebook Groups, and 208 Instagram accounts removed for “engaging in coordinated inauthentic behavior.”

“About 170,000 people followed at least one of these Facebook Pages, and more than 65,000 followed at least one of these Instagram accounts,” Facebook said of the reach of the removed accounts.

The groups and accounts are linked to Saracen Group, a digital media group that saw three of its members arrested by police in 2016 for spreading “incendiary material,” as Reuters reports.

Facebook isn’t saying too much about the removals other than: “we don’t want our services to be used to manipulate people.”

In January, the social network banned a fake news group in the Philippines in similar circumstances.

Despite the recent action, the U.S. company has struggled to manage the flow of false information that flows across its services in Asia. The most extreme examples come from Myanmar, where the UN has concluded that Facebook played a key role in escalating religious hatred and fueling violence. Facebook has also been criticized for allowing manipulation in Sri Lanka and the Philippines among other places.



from TechCrunch https://tcrn.ch/2RthELq
via IFTTT

Indian state government leaks thousands of Aadhaar numbers

A lapse in security has led to the leaking of over a hundred thousand Aadhaar numbers, TechCrunch can reveal.

One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.

But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.

The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.

Aadhaar numbers aren’t strictly secret but are treated similarly to Social Security numbers. Anyone of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon, or rent an Airbnb.

But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.

It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, and had been exposed for long enough that it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages that still contain Aadhaar numbers in each worker’s photo.

TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.

TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.). Each record came back as a positive match.

After confirming our findings, we reached out to both the Jharkhand government and UIDAI.

Jharkhand’s attendance site leaking worker data. (Image: TechCrunch)

At the time of publication, neither had responded, but the website had been pulled offline.

The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” by claiming to refute evidence without presenting any of its own.

The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.

Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.

But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.

In recent years, several security lapses involving data relating to Aadhaar have reignited concerns about the centralized database — including several issues found by Robert. Last year, Karan Saini, a New Delhi-based security researcher, found a poorly-secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.

Despite the security concerns, India’s Supreme Court ruled the database constitutional in September after a long-running court battle.



from TechCrunch https://tcrn.ch/2WuRc7X
via IFTTT

We dismantle Facebook’s memo defending its “Research”

Facebook published an internal memo today trying to minimize the morale damage of TechCrunch’s investigation that revealed it’d been paying people to suck in all their phone data. Obtained by Business Insider’s Rob Price, the memo from Facebook’s VP of production engineering and security Pedro Canahuati gives us more detail about exactly what data Facebook was trying to collect from teens and adults in the US and India. But it also tries to claim the program wasn’t secret, wasn’t spying, and that Facebook doesn’t see it as a violation of Apple’s policy against using its Enterprise Certificate system to distribute apps to non-employees — despite Apple punishing it for the violation.

For reference, Facebook was recruiting users age 13-35 to install a Research app, VPN, and give it root network access so it could analyze all their traffic. It’s pretty sketchy to be buying people’s privacy, and despite being shut down on iOS, it’s still running on Android.

Here we lay out the memo with section by section responses to Facebook’s claims challenging TechCrunch’s reporting. Our responses are in bold and we’ve added images.

Memo from Facebook VP Pedro Canahuati

APPLE ENTERPRISE CERTS REINSTATED

Early this morning, we received agreement from Apple to issue a new enterprise certificate; this has allowed us to produce new builds of our public and enterprise apps for use by employees and contractors. Because we have a few dozen apps to rebuild, we’re initially focusing on the most critical ones, prioritized by usage and importance: Facebook, Messenger, Workplace, Work Chat, Instagram, and Mobile Home.

New builds of these apps will soon be available and we’ll email all iOS users for detailed instructions on how to reinstall. We’ll also post to iOS FYI with full details.

Meanwhile, we’re expecting a follow-up article from the New York Times later today, so I wanted to share a bit more information and background on the situation.

What happened?

On Tuesday TechCrunch reported on our Facebook Research program. This is a market research program that helps us understand consumer behavior and trends to build better mobile products.

TechCrunch implied we hid the fact that this is by Facebook – we don’t. Participants have to download an app called Facebook Research App to be involved in the study. They also characterized this as “spying,” which we don’t agree with. People participated in this program with full knowledge that Facebook was sponsoring this research, and were paid for it. They could opt-out at any time. As we built this program, we specifically wanted to make sure we were as transparent as possible about what we were doing, what information we were gathering, and what it was for — see the screenshots below.

We used an app that we built ourselves, which wasn’t distributed via the App Store, to do this work. Instead it was side-loaded via our enterprise certificate. Apple has indicated that this broke their Terms of Service so disabled our enterprise certificates which allow us to install our own apps on devices outside of the official app store for internal dogfooding.

Author’s response: To start, “build better products” is a vague way of saying determining what’s popular and buying or building it. Facebook has used competitive analysis gathered by its similar Onavo Protect app and Facebook Research app for years to figure out what apps were gaining momentum and either bring them in or box them out. Onavo’s data is how Facebook knew WhatsApp was sending twice as many messages as Messenger, and it should invest $19 billion to acquire it.

Facebook claims it didn’t hide the program, but it was never formally announced like every other Facebook product. There were no Facebook Help pages, blog posts, or support info from the company. It used intermediaries Applause (which owns uTest) and CentreCode (which owns Betabound) to run the program under names like Project Atlas and Project Kodiak. Users only found out Facebook was involved once they started the sign-up process and signed a non-disclosure agreement prohibiting them from discussing it publicly.

TechCrunch has reviewed communications indicating Facebook would threaten legal action if a user spoke publicly about being part of the Research program. While the program had run since 2016, it had never been reported on. We believe that these facts combined justify characterizing the program as “secret.”

The Facebook Research program was called Project Atlas until you signed up

How does this program work?

We partner with a couple of market research companies (Applause and CentreCode) to source and onboard candidates based in India and USA for this research project. Once people are onboarded through a generic registration page, they are informed that this research will be for Facebook and can decline to participate or opt out at any point. We rely on a 3rd party vendor for a number of reasons, including their ability to target a diverse and representative pool of participants. They use a generic initial registration page to avoid bias in the people who choose to participate.

After generic onboarding people are asked to download an app called the ‘Facebook Research App,’ which takes them through a consent flow that requires people to check boxes to confirm they understand what information will be collected. As mentioned above, we worked hard to make this as explicit and clear as possible.

This is part of a broader set of research programs we conduct. Asking users to allow us to collect data on their device usage is a highly efficient way of getting industry data from closed ecosystems, such as iOS and Android. We believe this is a valid method of market research.

Author’s response: Facebook claims it wasn’t “spying”, yet it never fully laid out the specific kinds of information it would collect. In some cases, descriptions of the app’s data collection power were included in merely a footnote. The program did not specify the data types gathered, only saying it would scoop up “which apps are on your phone, how and when you use them” and “information about your internet browsing activity.”

The parental consent form from Facebook and Applause lists none of the specific types of data collected or the extent of Facebook’s access. Under “Risks/Benefits”, the form states “There are no known risks associated with this project however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of Apps. You will be compensated by Applause for your child’s participation.” It gives parents no information about what data their kids are giving up.

Facebook claims it uses third-parties to target a diverse pool of participants. Yet Facebook conducts other user feedback and research programs on its own without the need for intermediaries that obscure its identity, and only ran the program in two countries. It claims to use a generic signup page to avoid biasing who will choose to participate, yet the cash incentive and technical process of installing the root certificate also bias who will participate, and the intermediaries conveniently prevent Facebook from being publicly associated with the program at first glance. Meanwhile, other clients of the Betabound testing platform like Amazon, Norton, and SanDisk reveal their names immediately before users sign up.

Facebook’s ads recruiting teens for the program didn’t disclose its involvement

Did we intentionally hide our identity as Facebook?

No — The Facebook brand is very prominent throughout the download and installation process, before any data is collected. Also, the app name of the device appears as “Facebook Research” — see attached screenshots. We use third parties to source participants in the research study, to avoid bias in the people who choose to participate. But as soon as they register, they become aware this is research for Facebook.

Author’s response: Facebook here admits that users did not know Facebook was involved before they registered.

What data do we collect? Do we read people’s private messages?

No, we don’t read private messages. We collect data to understand how people use apps, but this market research was not designed to look at what they share or see. We’re interested in information such as watch time, video duration, and message length, not the actual content of videos, messages, stories or photos. The app specifically ignores information shared via financial or health apps.

Author’s response: We never reported that Facebook was reading people’s private messages, but that it had the ability to collect them. Facebook here admits that the program was “not designed to look at what they share or see”, but stops far short of saying that data wasn’t collected. Fascinatingly, Facebook reveals that it was closely monitoring how much time people spent on different media types.

Facebook Research abused the Enterprise Certificate system meant for employee-only apps

Did we break Apple’s terms of service?

Apple’s view is that we violated their terms by sideloading this app, and they decide the rules for their platform. We’ve worked with Apple to address any issues; as a result, our internal apps are back up and running. Our relationship with Apple is really important — many of us use Apple products at work every day, and we rely on iOS for many of our employee apps, so we wouldn’t put that relationship at any risk intentionally. Mark and others will be available to talk about this further at Q&A later today.

Author’s response: TechCrunch reported that Apple’s policy plainly states that the Enterprise Certificate program requires companies to “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing” and that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers”. Apple took a firm stance in its statement that Facebook did violate the program’s policies, stating “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple.”

Given Facebook distributed the Research apps to teenagers that never signed tax forms or formal employment agreements, they were obviously not employees or contractors, and most likely use some Facebook-owned service that qualifies them as customers. Also, I’m pretty sure you can’t pay employees in gift cards.



from TechCrunch https://tcrn.ch/2S2wIEU
via IFTTT

Go-Jek confirms first close of $2B Series F round at $9.5B valuation

Go-Jek, the Indonesia-based ride-hailing company that is challenging Grab in Southeast Asia, has announced the first close of its Series F round, as TechCrunch reported last week. The company isn’t revealing numbers but sources previously told us it has closed around $920 million. Go-Jek is planning to raise $2 billion for the round, as reported last year.

Go-Jek said that the first close is led by existing backers Google, JD.com, and Tencent, with participation from Mitsubishi Corporation and Provident Capital. It didn’t provide a valuation but sources told us that week that it is around $9.5 billion.

Starting out with motorbike taxis in 2015, Go-Jek has since expanded to taxis, private car and more. The company said it plans to spend the money deepening its business in Indonesia, its home market, and growing its presence in new market expansions Vietnam, Singapore and Thailand. It is also working to enter the Philippines, where it had a request for an operating license rejected although it did complete a local acquisition after buying fintech startup Coins.ph.

The Go-Jek business in Indonesia includes transportation, food delivery, services on demand, payments and financial services. That’s very much the blueprint for its expansion markets, all of which are in different stages. Go-Viet, its Vietnamese service, offers food delivery and motorbike taxis, Get in Thailand operates motorbike taxis and in Singapore Go-Jek provides four-wheeled car options.

Combined those efforts cover 204 cities, two million drivers and 400,000 merchants, the company said, but the majority of that is in Indonesia.

Grab, meanwhile, became the top dog after buying Uber’s local business, and it operates in eight countries. It recently crossed three billion rides to date and claims 130 million downloads. Grab said revenue for 2018 was $1 billion, and it expects that to double this year. It has raised $6.8 billion from investors, according to Crunchbase, and its current Series H round could reach $5 billion.

Go-Jek claims it has 130 million downloads — despite just being in three markets — while it said it reached an annualized transaction volume of two billion in 2018 and $6.7 billion in annualized GMV. Those figures require some explaining as Go-Jek is being a little creative with its efforts to compete with Grab on paper.

Transactions don’t mean revenue — a transaction could be a $1 motorbike ride or a payment via QR code — and GMV is not revenue either, while both are ‘annualized’ which means they are scaled up after measuring a short period. In other words, don’t take these figures too literally, they aren’t comparable to Grab.



from TechCrunch https://tcrn.ch/2ToeSZt
via IFTTT

Mixtape Podcast: Oracle’s alleged $400M issue with underrepresented groups

Screen time for kids, corporations allegedly not paying people from underrepresented groups and IBM offers some hope for the future of facial recognition technology: These are the topics that Megan Rose Dickey and I dive into on this week’s episode of Mixtape.

According to research by psychologists from the University of Calgary, spending too much time in front of screens can stunt the development of toddlers. The study found that kids 2-5 years old who engage in more screen time received worse scores in developmental screening tests. We talk a bit about this then wax nostalgically about “screen time” of yore.

We then turn to a filing against Oracle by the U.S. Department of Labor’s Office of Federal Contract Compliance Programs that states the enterprise company allegedly withheld upwards of $400 million from employees from underrepresented minority groups. The company initially declined to comment, but then thought better of itself and returned the very next day with its thoughts on the matter.

And finally, IBM is trying to make facial recognition technology a thing that doesn’t unfairly target people of color. Technology! The positive news comes a week after Amazon shareholders demanded that the company stop selling Rekognition, its very own facial recognition tech that it sells to law enforcement and government agencies.




from TechCrunch https://tcrn.ch/2Ux4KxA
via IFTTT

Joseph Gordon-Levitt’s artist-collaboration platform HitRecord raises $6.4M

In the early 2000s, actor Joseph Gordon-Levitt was frustrated with the roles he was being offered. Instead of starring in critically acclaimed indies, he was typecast as “the funny kid on TV” due to roles like Tommy from “3rd Rock from the Sun.”

So like anyone who matured alongside the internet, he created a website where he could ideate, produce and share his work. More than 10 years later, he wants to turn that pet project, called HitRecord, into a full-fledged technology company.

Onstage at Upfront Ventures’ annual summit outside of Los Angeles, Gordon-Levitt announced a $6.4 million Series A funding to do just that. Javelin Venture Partners has led the round, with participation from Crosslink Capital, Advancit Capital, YouTube co-founder Steve Chen, Twitch co-founder Kevin Lin and MasterClass co-founder David Rogier.

Gordon-Levitt, known for starring in “Inception,” “Snowden” and, my personal favorite, “10 Things I Hate About You,” tells TechCrunch that HitRecord has a team of 24 employees, with himself at the helm as chief executive officer, co-founder Jared Geller serving as president and co-founder Marke Johnson as creative director. The trio plan to use the investment to transform HitRecord from a traditional production company to a new collaborative media platform.

The company provides an online portal for artists to work together on projects, “building off of each other’s contributions, to create things [they] couldn’t have made on [their] own.” If projects created within the HitRecord community are sold, the creators are paid based on their original contributions. Since 2010, HitRecord has paid its community roughly $3 million.

HitRecord hasn’t accepted outside capital, until now. Initially, Gordon-Levitt used his own cash to push the company forward, and for the last five years, the startup has been cash-flow positive. I sat down with Gordon-Levitt to learn more about what he’s been working on and why he decided to pursue venture capital dollars. The following conversation has been lightly edited for length.

TC: How do you explain HitRecord in one sentence?

JGL: It’s a collaborative media platform where people make all kinds of creative things together. I guess that’s one sentence, but if I can keep going… As opposed to places where people post things that they’ve made on their own, this is a place where people collaborate, right? So they submit their ideas onto the platform and then they find people who want to collaborate with them and then they’re able to make money if the projects [find] a buyer.

We’ve done all kinds of monetized productions, but I certainly wouldn’t include money in the third or fifth or even 10th sentence of why people come to HitRecord.

TC: HitRecord launched a decade ago… what inspired you to create it?

JGL: I started HitRecord as this little hobby message board with my brother and it grew very slowly. It came out of a time in my life when I wanted to be an actor and I wanted to be in sort of like more serious Sundance movies and everyone was like, ‘oh, but you’re the funny kid on TV’ and you know, it was really painful for me. I said, okay, you know what, I can’t just wait around for someone to give me a part. I want to make my own things. And I started making my own. I started making videos and songs and stories and stuff. And my brother helped me set up a website that we called HitRecord. We didn’t spend any money; we had no intention of making any money. It was just a fun thing we were doing.

TC: And now you want to expand it into a full-fledged tech platform. But… you’re cash-flow positive and you’ve built a solid community of avid users, why take venture money?

JGL: You know, it started as just a hobby that I was doing for fun. We launched it as a production company as a way to do more ambitious, creative things and do it with everybody. But if you talk to our users, what people really enjoy is having that experience of being creative and being creative with other people because I think honestly, being creative is really hard alone. Venture money will not only allow us to do even cooler productions, but it’ll also allow this whole other world and more people to participate.

TC: Now that you’re venture-funded, how do you plan on making money for your investors?

JGL: So historically, the way we’ve made money was as a production company, and the collaborative efforts of our community and our staff made money because we turned something into a TV show, or we licensed it to a brand or we did any number of things that generated revenue. [HitRecord partnered with Ubisoft earlier this year to allow artists and musicians to contribute their own content to be used in its game, for example.] So moving forward, as we grow into a collaborative platform, the idea is that it’s not just our staff that’s leading these projects and letting people collaboratively finish them. The idea is anybody could come to start their own thing and there will be better tools to self-organize and find your collaborators.

TC: And how do you better monetize once you’ve expanded your user base?

JGL: I think, look, we were not ready to talk about exactly how we would make money that way. I think we have a number of ideas. There are ways that the internet gets monetized these days that I think incentivize the wrong things like attention for myself and I don’t want to enter into a business model that incentivizes that kind of behavior.

Actor Joseph Gordon-Levitt attends the 2014 Creative Arts Emmy Awards at the Nokia Theatre L.A. Live on August 16, 2014 in Los Angeles, California. (Photo by Tommaso Boddi/WireImage).

TC: What was the process of raising venture capital like? Did being Joseph Gordon-Levitt make it a little less terrible?

JGL: I think, honestly, it was a double-edged sword. I think there was justified skepticism and people would assume that oh, I’m an actor so I can’t start a company and I faced a certain amount of that skepticism. I don’t blame anybody for having that. The assumption is that there’s not any substance behind the company or the idea, that it’s all sizzle and no steak.

But we’re also not really a startup, per se. It’s not like I was going into these offices and saying, like, I have an idea. It’s like, here’s what we’ve done for the last 10 years and we’ve been cash flow positive five years. We know how to run a business. It’s just we’ve been running a production company business, now we want to run something that’s more like a technology business.

TC: What’s your long-term vision for HitRecord?

JGL: My ultimate goal is for my acting career and HitRecord to kind of become one in the same thing. I would love to be, you know, developing a movie not for a Hollywood studio, but like in this new collaborative way for HitRecord. I mean, we won an Emmy for our TV show. We’re about to release this special that we’re doing with Logic, the rapper, and he used the platform to lead a collaboration and make a song and a music video and we documented the process and that special is going to come out on YouTube. What I really want is to be able to put an app in Logic’s hand where he goes like, oh, I understand this and is able to use it instantly. We don’t have that app yet. This is why we raised capital.



from TechCrunch https://tcrn.ch/2HLprV9
via IFTTT

Nintendo is making Dr. Mario for iOS and Android

Nintendo held off on building smartphone games for years, but now they just can’t stop. They started with a little stumble with the short-lived Miitomo, but then found an audience with Super Mario Run. Then came Fire Emblem Heroes. Then Animal Crossing: Pocket Camp, and Dragalia Lost.

Next up? Dr. Mario.

Nintendo announced this afternoon that it’s working on a title called Dr. Mario World, built in collaboration with Line (as in the company that makes the Line chat app; they also make Disney’s mobile Tsum Tsum games) and NHN.

For anyone out there who might be too young to remember Super Mario’s stint as an M.D., Dr. Mario was a falling-tile style game that had the player quickly trying to arrange… pills. To kill viruses.

This was the box art. Nintendo was just like, “Mario is a doctor now,” and everyone was like, “Oh, okay, cool.” It was the ’90s, okay?

Nintendo doesn’t say much about what the game will be like, besides referring to it as an “action puzzle game.” They say it should ship by “early summer” of 2019, and will be free to download (with in-app purchases) on iOS and Android.



from TechCrunch https://tcrn.ch/2DLM5IR
via IFTTT
