All posts in “Policy”

Apple fails to block porn & gambling “Enterprise” apps

Facebook and Google were far from the only developers openly abusing Apple’s Enterprise Certificate program meant for companies offering employee-only apps. A TechCrunch investigation uncovered a dozen hardcore pornography apps and a dozen real-money gambling apps that escaped Apple’s oversight. The developers passed Apple’s weak Enterprise Certificate screening process or piggybacked on a legitimate approval, allowing them to sidestep the App Store and Cupertino’s traditional safeguards designed to keep iOS family friendly. Without proper oversight, they were able to operate these vice apps that blatantly flout Apple’s content policies.

The situation shows further evidence that Apple has been neglecting its responsibility to police the Enterprise Certificate program, leading to its exploitation to circumvent App Store rules and forbidden categories. For a company whose CEO Tim Cook frequently criticizes its competitors for data misuse and policy fiascos like Facebook’s Cambridge Analytica, Apple’s failure to catch and block these porn and gambling apps demonstrates it has work to do itself.

Porn apps PPAV and iPorn (iP) continue to abuse Apple’s Enterprise Certificate program to sidestep the App Store’s ban on pornography. Nudity censored by TechCrunch

TechCrunch broke the news last week that Facebook and Google had broken the rules of Apple’s Enterprise Certificate program to distribute apps that installed VPNs or demanded root network access to collect all of a user’s traffic and phone activity for competitive intelligence. That led Apple to briefly revoke Facebook and Google’s Certificates, thereby disabling the companies’ legitimate employee-only apps, which caused office chaos.

Apple issued a fiery statement that “Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” Meanwhile, dozens of prohibited apps were available for download from shady developers’ websites.

Apple offers a lookup tool for finding any business’ D-U-N-S number, allowing shady developers to forge their Enterprise Certificate application

The problem starts with Apple’s lax standards for accepting businesses to the enterprise program. The program is for companies to distribute apps only to their employees, and its policy explicitly states “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers”. Yet Apple doesn’t adequately enforce these policies.

Developers simply have to fill out an online form and pay $299 to Apple, as detailed in this guide from Calvium. The form merely asks developers to pledge that they’re building an Enterprise Certificate app for internal employee-only use, that they have the legal authority to register the business, that they can provide a D-U-N-S business ID number, and that they have an up-to-date Mac. You can easily Google a business’ address details and look up its D-U-N-S ID number with a tool Apple provides. After setting up an Apple ID and agreeing to its terms of service, businesses wait one to four weeks for a phone call from Apple asking them to reconfirm they’ll only distribute apps internally and are authorized to represent their business.

With just a few lies on the phone and web plus some Googleable public information, sketchy developers can get approved for an Apple Enterprise Certificate.

Real-money gambling apps openly advertise that they have iOS versions available that abuse the Enterprise Certificate program

Given the number of policy-violating apps that are being distributed to non-employees using registrations for businesses unrelated to their apps, it’s clear that Apple needs to tighten the oversight on the Enterprise Certificate program. TechCrunch found thousands of sites offering downloads of “sideloaded” Enterprise apps, and investigating just a sample uncovered numerous abuses. Using a standard un-jailbroken iPhone, TechCrunch was able to download and verify 12 pornography and 12 real-money gambling apps over the past week that were abusing Apple’s Enterprise Certificate system to offer apps prohibited from the App Store. These apps either offered streaming or pay-per-view hardcore pornography, or allowed users to deposit, win, and withdraw real money — all of which would be prohibited if the apps were distributed through the App Store.

A whole screen of prohibited sideloaded porn and gambling apps TechCrunch was able to download through the Enterprise Certificate system

In an apparent effort to step up policy enforcement in the wake of TechCrunch’s investigation into Facebook and Google’s Enterprise Certificate violations, Apple appears to have disabled some of these apps in the past few days, but many remain operational. The porn apps that we discovered which are currently functional include Swag, PPAV, Banana Video, iPorn (iP), Pear, Poshow, and AVBobo, while the currently functional gambling apps include RD Poker and RiverPoker.

The Enterprise Certificates for these apps were rarely registered to company names related to their true purpose. The only example was Lucky8 for gambling. Many of the apps used innocuous names like Interprener, Mohajer International Communications, Sungate, and AsianLiveTech. Yet others seemed to have forged or stolen credentials to sign up under the names of completely unrelated but legitimate businesses. Dragon Gaming was registered to US gravel supplier CSL-LOMA. As for porn apps, PPAV’s certificate is assigned to the Nanjing Jianye District Information Center, Douyin Didi was licensed under Moscow motorcycle company Akura OOO, Chinese app Pear is registered to Grupo Arcavi Sociedad Anonima in Costa Rica, and AVBobo covers its tracks with the name of a Fresno-based company called Chaney Cabinet & Furniture Co.

You can see a full list of the policy-violating apps we found below:

Apple refused to explain how these apps slipped into the Enterprise Certificate app program. It declined to say if it does any follow-up compliance audits on developers in the program or if it plans to change its admission process. An Apple spokesperson did provide this statement, though, indicating it will work to shut these apps down and potentially ban the developers from building iOS products entirely:

“Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.”

TechCrunch asked Guardian Mobile Firewall’s security expert Will Strafach to look at the apps we found and their Certificates. Strafach’s initial analysis of the apps didn’t find any glaring evidence that the apps misappropriate data, but they all do violate Apple’s Certificate policies and provide content banned from the App Store. “At the moment, I have noticed that action is slower regarding apps available from an independent website and not these easy-to-scrape app directories” that occasionally crop up offering centralized access to a plethora of sideloaded apps.

Porn app AVBobo uses an Enterprise Certificate registered to Fresno’s Chaney Cabinet & Furniture Co

Strafach explained how “A significant number of the Enterprise Certificates used to sign publicly available apps are referred to informally as ‘rogue certificates’ as they are often not associated with the named company. There are no hard facts to confirm the manner in which these certificates originate, but the result of the initial step is that individuals will gain control of an Enterprise Certificate attributable to a corporation, usually China/HK-based. Code services are then sold quietly on Chinese language marketplaces, resulting in sometimes 5 to 10 (or more) distinct apps being signed with the same Enterprise Certificate.” We found Sungate and Mohajer Certificates were farmed out for use by multiple apps in this way.

“In my experience, Enterprise Certificate signed apps available on independent websites have not been harmful to users in a malicious sense, only in the sense that they have broken the rules,” Strafach notes. “Enterprise Certificate signed apps from these Chinese ‘helper’ tools, however, have been a mixed bag. For example, in multiple cases, we have noticed such apps with additional tracking and adware code injected into the original now-repackaged app being offered.”

Porn apps like Swag openly advertise their availability on iOS

Interestingly, none of the off-limits apps we discovered asked users to install a VPN like Google Screenwise, let alone root network access like Facebook Research. TechCrunch reported this month that both apps had been paying users to snoop on their private data. But the iOS versions were banned by Apple after we exposed their policy violations, and Apple also caused chaos at Facebook and Google’s offices by temporarily shutting down their employee-only iOS apps too. The fact that these two US tech giants were more aggressive about collecting user data than shady Chinese porn and gambling apps is telling. “This is a cat-and-mouse game,” Strafach concluded regarding Apple’s struggle to keep out these apps. But given the rampant abuse, it seems Apple could easily add stronger verification processes and more check-ups to the Enterprise Certificate program. Developers should have to do more to prove their apps’ connection with the Certificate holder, and Apple should regularly audit certificates to see what kind of apps they’re powering.

Back when Facebook missed Cambridge Analytica’s abuse of its app platform, Cook was asked what he’d do in Mark Zuckerberg’s shoes. “I wouldn’t be in this situation,” Cook frankly replied. But if Apple can’t keep porn and casinos off iOS, perhaps Cook shouldn’t be lecturing anyone else.

Reddit confirms $300M Series D led by China’s Tencent at $3B value

Last week TechCrunch reported that Reddit was raising $150 million from Chinese tech giant Tencent and up to $150 million more in a Series D that would value the company at $2.7 billion pre-money or $3 billion post-money. After no-commenting on our scoop, today Reddit confirmed it’s raised $300 million at $3 billion post-money, with $150 million from Tencent.

The deal makes for an odd pairing between one of the architects of China’s Great Firewall of censorship and one of America’s most lawless free-speech forums. Some Redditors are already protesting the funding by trying to post content that would rile China’s internet watchdogs, like imagery from Tiananmen Square and Winnie The Pooh memes mocking Chinese President Xi Jinping’s appearance.

The round brings the Conde Nast-majority-owned Reddit to $550 million in total funding. Beyond Tencent, the rest of the round came from previous investors, potentially including Andreessen Horowitz, Sequoia, and Fidelity. Apparently frustrated that we had disrupted its PR plan, Reddit today handed confirmation of the round to CNBC, which re-reported our scoop without citation.

Reddit’s CEO Steve Huffman has had his own problems with attribution after the exec was caught editing users’ comments to mislead viewers into thinking they were insulting their Subreddit’s moderators. Huffman managed to get off with just an apology and vow not to do it again, though he seemed to laugh off and excuse the abuse of power by saying “I spent my formative years as a young troll on the Internet.”

Reddit will have to compete for ad dollars with the Google-Facebook duopoly despite having less information about its users, who are often anonymous. Reddit sees 330 million users per month across its Subreddit forums for discussing everything from news and entertainment to niche types of pornography, conspiracy theories, and other highly brand-unsafe content. Meanwhile, users may be concerned that Reddit’s policy views could be tightened as it cosies up to Tencent.

Reddit has struggled with staff departures and user revolts over the years as it tries to balance freedom of expression with civility. The hope is the cash could help it pay for experienced leaders and more moderation staff to maintain that balance. But without proper oversight, the cash could simply scale up Reddit and its problems along with it.

Dating apps face questions over age checks after report exposes child abuse

The UK government has said it could legislate to require age verification checks on users of dating apps, following an investigation into underage use of dating apps published by the Sunday Times yesterday.

The newspaper found more than 30 cases of child rape have been investigated by police related to use of dating apps including Grindr and Tinder since 2015. It reports that one 13-year-old boy with a profile on the Grindr app was raped or abused by at least 21 men.

The Sunday Times also found 60 further instances of child sex offences related to the use of online dating services — including grooming, kidnapping and violent assault, according to the BBC, which covered the report.

The youngest victim is reported to have been just eight years old. The newspaper obtained the data via freedom of information requests to UK police forces.

Responding to the Sunday Times’ investigation, a Tinder spokesperson told the BBC it uses automated and manual tools, and spends “millions of dollars annually”, to prevent and remove underage users and other inappropriate behaviour, saying it does not want minors on the platform.

Grindr also reacted to the report, providing the Times with a statement saying: “Any account of sexual abuse or other illegal behaviour is troubling to us as well as a clear violation of our terms of service. Our team is constantly working to improve our digital and human screening tools to prevent and remove improper underage use of our app.”

We’ve also reached out to the companies with additional questions.

The UK’s secretary of state for digital, media, culture and sport (DCMS), Jeremy Wright, dubbed the newspaper’s investigation “truly shocking”, describing it as further evidence that “online tech firms must do more to protect children”.

He also suggested the government could expand forthcoming age verification checks for accessing pornography to include dating apps — saying he would write to the dating app companies to ask “what measures they have in place to keep children safe from harm, including verifying their age”.

“If I’m not satisfied with their response, I reserve the right to take further action,” he added.

Age verification checks for viewing online porn are due to come into force in the UK in April, as part of the Digital Economy Act.

Those age checks, which are clearly not without controversy given the huge privacy considerations of creating a database of adult identities linked to porn viewing habits, have also been driven by concern about children’s exposure to graphic content online.

Last year the UK government committed to legislating on social media safety too, although it has yet to set out the detail of its policy plans. But a white paper is due imminently.

A parliamentary committee which reported last week urged the government to put a legal ‘duty of care’ on platforms to protect minors.

It also called for more robust systems for age verification. So it remains at least a possibility that some types of social media content could be age-gated in the country in future.

Last month the BBC reported on the death of a 14-year-old schoolgirl who killed herself in 2017 after being exposed to self-harm imagery on Instagram.

Following the report, Instagram’s boss met with Wright and the UK’s health secretary, Matt Hancock, to discuss concerns about the impact of suicide-related content circulating on the platform.

After the meeting Instagram announced it would ban graphic images of self-harm last week.

Earlier the same week the company responded to the public outcry over the story by saying it would no longer allow suicide related content to be promoted via its recommendation algorithms or surfaced via hashtags.

Also last week, the government’s chief medical advisors called for a code of conduct for social media platforms to protect vulnerable users.

The medical experts also called for greater transparency from platform giants to support public interest-based research into the potential mental health impacts of their platforms.

Facebook will reveal who uploaded your contact info for ad targeting

Facebook’s crackdown on non-consensual ad targeting last year will finally produce results. In March, TechCrunch discovered Facebook planned to require advertisers to pledge that they had permission to upload someone’s phone number or email address for ad targeting. That tool debuted in June, though there was no verification process and Facebook just took businesses at their word despite the financial incentive to lie. In November, Facebook launched a way for ad agencies and marketing tech developers to specify who they were buying promotions ‘on behalf of’. Soon that information will finally be revealed to users.

Facebook’s new Custom Audiences transparency feature shows when your contact info was uploaded by who, and if it was shared between brands and partners

Facebook previously only revealed what brand was using your contact info for targeting, not who uploaded it or when

Starting February 28th, Facebook’s “Why am I seeing this?” button in the drop-down menu of feed posts will reveal more than the brand that paid for the ad, some biographical details they targeted, and whether they’d uploaded your contact info. Facebook will start to show when your contact info was uploaded, whether it was by the brand or one of their agency/developer partners, and when access was shared between partners. A Facebook spokesperson tells me the goal is to keep giving people a better understanding of how advertisers use their information.

This new level of transparency could help users pinpoint what caused a brand to get ahold of their contact info. That might help them to change their behavior to stay more private. The system could also help Facebook zero in on agencies or partners who are constantly uploading contact info and might not have obtained it legitimately. Apparently seeking not to dredge up old privacy problems, Facebook didn’t publish a blog post about the change but simply announced it in a Facebook post to the Facebook Advertiser Hub Page.

The move comes in the wake of Facebook attaching immediately visible “paid for by” labels to more political ads to defend against election interference. With so many users concerned about how Facebook exploits their data, the Custom Audiences transparency feature could provide a small boost of confidence in a time where people have little faith in the social network’s privacy practices.

NYC launches partnership network, “The Grid”, to help grow urban tech ecosystem

The New York City Economic Development Corporation (NYCEDC) and CIV:LAB – a nonprofit dedicated to connecting urban tech leaders – have announced the launch of The Grid, a member-based partnership network for New York’s urban tech community. The goal of the network is to link organizations, academia and local tech leaders, in order to promote collaboration and the sharing of knowledge and resources.

In addition to connecting member companies and talent, The Grid will host various events, educational programs, and co-innovation projects, while hopefully improving access to investors as well as pilot program opportunities. The Grid is launching with over 70 member organizations – approved through an application and screening process – across various stages and sectors.

In recent years, the tech and startup scene in New York has notably ballooned – evolving from the Valley’s obscure younger sibling to one of the top cities for talent, entrepreneurship, and venture capital investment. And while the city has seen countless startups, VCs, accelerators, and other entrepreneurial resources set up shop within its borders, getting the right tools in place is only part of the battle.

New York wants to prove its initiatives are more than just “show-and-tell” projects, and city officials believe that building a truly sustainable innovation economy is dependent on all its local resources working in conjunction, allowing entrepreneurship to permeate every arm of commerce. With an institutionalized network like The Grid, New York hopes it can further fuse its pockets of innovation into one well-oiled machine, consistently producing transformative ideas.

“The Grid represents a promising new way for NYCEDC to work across sectors to strengthen collaboration and innovation, first in New York City and hopefully soon in many more cities across the country and around the world,” said NYCEDC President and CEO James Patchett in a statement. “It signals that New York City is leading with a new approach to technology and startup culture, with a real focus on diversity, inclusion, equity, and community.”

As one of the largest and most industrially diverse cities in the world, New York has naturally placed a heightened focus on the growing sector of “urban tech” – which has been broadly categorized as innovation focused on improving city functionality, equality or ease of living. According to NYCEDC, the urban tech space has seen nearly $80 billion in VC investment since 2016, with nearly 10% going to New York-based beneficiaries.

The launch of The Grid is part of an expansion of NYCEDC’s larger UrbanTech NYC program, which has already helped establish the New York innovation hubs New Lab, Urban Future Lab, and Company. Alongside the membership network and a new site for UrbanTech NYC, NYCEDC is also launching The Grid Academy, an adjacent academic group with the mission of creating applied R&D partnerships between local academic institutions and corporate sponsors. The expansion of UrbanTech NYC represents the latest of several initiatives NYCEDC is pursuing to develop the broader ecosystem, coming just months after the EDC announced the launch of Cyber NYC, a $30 million investment initiative focused on growing New York’s cybersecurity presence and infrastructure.

The group will be led by a steering committee that will guide decisions related to strategic priorities, funding, events, and communications. Members of the committee include some of The Grid’s largest government and corporate members including the Bronx Cooperative Development Initiative, the Downtown Brooklyn Partnership, Civic Hall, Company, New Lab, Urban Future Lab, Dreamit UrbanTech, URBAN-X, Urban.Us, Accenture, Samsung NEXT, Rentlogic, Smarter Grid Solutions, Civic Consulting USA, and the World Economic Forum.

“Since its early days, innovation has been part of the DNA that is New York City,” said Jeff Merritt, Head of IoT + Smart Cities at World Economic Forum. “Nowhere else in the world can you find an ecosystem that combines as many industries and nationalities. New York’s thriving urban technology community is a natural byproduct of what happens when you allow diversity, entrepreneurship and ambition to collide in one of the greatest cities in the world.”

The Grid’s first meeting will be held on February 19th at Samsung NEXT’s New York HQ. Membership applications for The Grid are accepted on a rolling basis and can be found here on the UrbanTech NYC website.