All posts in “Social”

Women’s March embraces collaborative social app Crunchet


Today’s nationwide Women’s March attendees will advocate for voter registration through every conceivable social network, so one of its planning organizations has allied with a new app that lets you combine posts from across apps.

Crunchet will help the Women’s March Alliance and Chicago march create collages of Facebook, Instagram, Twitter, Twitch, YouTube, Spotify, and uploaded content that can be shared anywhere as a single story. Users can also collaborate, being invited to or asking to become a contributor to someone else’s Crunchet post.

“The reason we created this was that we felt like it was lacking on social media,” Crunchet co-founder Denise Holzer tells me. The company hoped to bridge the gap between passive social network voyeurism and posting only about yourself. “Crunchet lets you join a story,” Holzer says.

“The women’s marches were successful because of social media tools,” says Katherine Siemionko, one of the leaders of the 2017 march in New York City and a Women’s March Alliance co-founder. “Considering youth is our target market, tools like Crunchet may allow us to reach them faster than older tools like Facebook that the youth are moving off of.”


Now since soft-launching a year ago around the first Women’s March, Crunchet has raised over $1.5 million in seed funding and built a team of 14, plus has ambassadors at 50 colleges. While the app is still a bit buggy, there’s potential in both the ideas of social co-posting and aggregating content from across networks.

Crunchet’s iOS app (Android coming in Spring) lets you log in to all your other apps, then select from your content there, paste in links, or upload imagery. It all gets laid out in swipeable carousels so people don’t have to jump between every app to see all your posts on a certain topic. You can even add a soundtrack to your post through Spotify. Then you take your Crunchet links and share them wherever you want.

Crunchet has its own feed, which eschews the Facebook-style algorithmic sorting that can bury posts. You see all the posts of people you follow so you don’t miss updates about important moments like today.

One roadblock might be that those algorithms elsewhere might favor native content over links that lead to seeing that content and more on Crunchet. Holzer hopes collaborative posts that you can’t get elsewhere, where multiple Crunchet users team up, will compel click-throughs and encourage people to cooperate on making meaningful content.

Still, the algorithm issue could further complicate Crunchet’s growth ambitions. You could see social media fatigue and the crowded app space as an advantage, giving people a reason to use Crunchet so they don’t have to compose redundant posts on each app. But it might make people think they already have too many ways to share. “The biggest challenge is getting people to try it,” Holzer admits, a hurdle few social apps ever overcome, even without the threat of Facebook copying what’s special about them. The company is planning a series A funding round to pull in some more resources for its quest to scale.

Beyond today’s Women’s Marches, which you can join in cities around the US and even abroad, Crunchet plans to work with arts, music, fashion, esports, and other festivals as well as protests and rallies. Whether it’s convincing people to enlist in “power to the polls” movements or just helping them discover something beautiful, Crunchet could make sharing everywhere as easy as sharing anywhere.

WTF is GDPR?

European Union lawmakers proposed a comprehensive update to the bloc’s data protection and privacy rules in 2012.

Their aim: To take account of seismic shifts in the handling of information wrought by the rise of the digital economy in the years since the prior regime was penned — all the way back in 1995 when Yahoo was the cutting edge of online cool and cookies were still just tasty biscuits.

Here’s the EU’s executive body, the Commission, summing up the goal:

The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.

For an even shorter tl;dr the EC’s theory is that consumer trust is essential to fostering growth in the digital economy. And it thinks trust can be won by giving users of digital services more information and greater control over how their data is used. Which is — frankly speaking — a pretty refreshing idea when you consider the clandestine data brokering that pervades the tech industry. Mass surveillance isn’t just something governments do.

The General Data Protection Regulation (aka GDPR) was agreed after more than three years of negotiations between the EU’s various institutions.

It’s set to apply across the 28-Member State bloc as of May 25, 2018. That means EU countries are busy transposing it into national law via their own legislative updates (such as the UK’s new Data Protection Bill — yes, despite the fact the country is currently in the process of (br)exiting the EU, the government has nonetheless committed to implementing the regulation because it needs to keep EU-UK data flowing freely in the post-Brexit future). Which gives an early indication of the pulling power of GDPR.

Meanwhile businesses operating in the EU are being bombarded with ads from a freshly energized cottage industry of ‘privacy consultants’ offering to help them get ready for the new regs — in exchange for a service fee. It’s definitely a good time to be a law firm specializing in data protection.

GDPR is a significant piece of legislation whose full impact will clearly take some time to shake out. In the meanwhile, here’s our guide to the major changes incoming and some potential impacts.

Data protection + teeth

A major point of note right off the bat is that GDPR does not merely apply to EU businesses; any entities processing the personal data of EU citizens need to comply. Facebook, for example — a US company that handles massive amounts of Europeans’ personal data — is going to have to rework multiple business processes to comply with the new rules. Indeed, it’s been working on this for a long time already.

Last year the company told us it had assembled “the largest cross functional team” in the history of its family of companies to support GDPR compliance — specifying this included “senior executives from all product teams, designers and user experience/testing executives, policy executives, legal executives and executives from each of the Facebook family of companies”.

“Dozens of people at Facebook Ireland are working full time on this effort,” it said, noting too that the data protection team at its European HQ (in Dublin, Ireland) would be growing by 250% in 2017. It also said it was in the process of hiring a “top quality data protection officer” — a position the company appears to still be taking applications for.

The new EU rules require organizations to appoint a data protection officer if they process sensitive data on a large scale (which Facebook very clearly does). Or are collecting info on many consumers — such as by performing online behavioral tracking. But, really, which online businesses aren’t doing that these days?

The extra-territorial scope of GDPR casts the European Union as a global pioneer in data protection — and some legal experts suggest the regulation will force privacy standards to rise outside the EU too.

Sure, some US companies might prefer to swallow the hassle and expense of fragmenting their data handling processes, and treating personal data obtained from different geographies differently, i.e. rather than streamlining everything under a GDPR compliant process. But doing so means managing multiple data regimes. And at the very least it runs the risk of bad PR if you’re outed as deliberately offering a lower privacy standard to your home users vs customers abroad.

Ultimately, it may be easier (and less risky) for businesses to treat GDPR as the new ‘gold standard’ for how they handle all personal data, regardless of where it comes from.

And while not every company harvests Facebook levels of personal data, almost every company harvests some personal data. So for those with customers in the EU, GDPR cannot be ignored. At the very least businesses will need to carry out a data audit to understand their risks and liabilities.

Privacy experts suggest that the really big change here is around enforcement. Because while the EU has had long established data protection standards and rules — and treats privacy as a fundamental right — its regulators have lacked the teeth to command compliance.

But now, under GDPR, financial penalties for data protection violations step up massively.

The maximum fine that organizations can be hit with for the most serious infringements of the regulation is 4% of their global annual turnover (or €20M, whichever is greater). Though data protection agencies will of course be able to impose smaller fines too. And, indeed, there’s a tiered system of fines — with a lower level of penalties of up to 2% of global turnover (or €10M).

This really is a massive change. Because while data protection agencies (DPAs) in different EU Member States can impose financial penalties for breaches of existing data laws, these fines are relatively small — especially set against the revenues of the private sector entities that are getting sanctioned.

In the UK, for example, the Information Commissioner’s Office (ICO) can currently impose a maximum fine of just £500,000. Compare that to the annual revenue of tech giant Google (~$90BN) and you can see why a much larger stick is needed to police data processors.

It’s not necessarily the case that individual EU Member States are getting stronger privacy laws as a consequence of GDPR (in some instances countries have arguably had higher standards in their domestic law). But the beefing up of enforcement that’s baked into the new regime means there’s a better opportunity for DPAs to start to bark and bite like proper watchdogs.

GDPR inflating the financial risks around handling personal data should naturally drive up standards — because privacy laws are suddenly a whole lot more costly to ignore.

More types of personal data that are hot to handle

So what is personal data under GDPR? It’s any information relating to an identified or identifiable person (in regulatorspeak people are known as ‘data subjects’).

While ‘processing’ can mean any operation performed on personal data — from storing it to structuring it to feeding it to your AI models. (GDPR also includes some provisions specifically related to decisions generated as a result of automated data processing but more on that below).

A new provision concerns children’s personal data — with the regulation setting a 16-year-old age limit on kids’ ability to consent to their data being processed. However individual Member States can choose (and some have) to derogate from this by writing a lower age limit into their laws.

GDPR sets a hard cap at 13 years old — making that the de facto standard for children to be able to sign up to digital services. So the impact on teens’ social media habits seems likely to be relatively limited.

The new rules generally expand the definition of personal data — so it can include information such as location data, online identifiers (such as IP addresses) and other metadata. So again, this means businesses really need to conduct an audit to identify all the types of personal data they hold. Ignorance is not compliance.

GDPR also encourages the use of pseudonymization (such as encrypting personal data and storing the encryption key separately and securely) — as a pro-privacy, pro-security technique that can help minimize the risks of processing personal data. Although pseudonymized data is likely to still be considered personal data; certainly where a risk of reidentification remains. So it does not get a general pass from requirements under the regulation.

Data has to be rendered truly anonymous to be outside the scope of the regulation. (And given how often ‘anonymized’ data-sets have been shown to be re-identifiable, relying on any anonymizing process to be robust enough to have zero risk of re-identification seems, well, risky.)

The incoming data protection rules apply to both data controllers (i.e. entities that determine the purpose and means of processing personal data) and data processors (entities that are responsible for processing data on behalf of a data controller — aka subcontractors).

Indeed, data processors have some direct compliance obligations under GDPR, and can also be held equally responsible for data violations, with individuals able to bring compensation claims directly against them, and DPAs able to hand them fines or other sanctions.

So the intent for the regulation is that there be no diminishing in responsibility down the chain of data handling subcontractors. GDPR aims to have every link in the processing chain be a robust one.

For companies that rely on a lot of subcontractors to handle data operations on their behalf there’s clearly a lot of risk assessment work to be done.

As noted above, there is a degree of leeway for EU Member States in how they implement some parts of the regulation (such as with the age of data consent for kids).

Consumer protection groups are calling for the UK government to include an optional GDPR provision on collective data redress to its DP bill, for example — a call the government has so far rebuffed.

But the wider aim is for the regulation to harmonize as much as possible data protection rules across all Member States to reduce the regulatory burden on digital businesses trading around the bloc.

On data redress, European privacy campaigner Max Schrems — most famous for his legal challenge to US government mass surveillance practices that resulted in a 15-year-old data transfer arrangement between the EU and US being struck down in 2015 — is currently running a crowdfunding campaign to set up a not-for-profit privacy enforcement organization to take advantage of the new rules and pursue strategic litigation on commercial privacy issues.

Schrems argues it’s simply not viable for individuals to take big tech giants to court to try to enforce their privacy rights, so thinks there’s a gap in the regulatory landscape for an expert organization to work on EU citizens’ behalf. Not just pursuing strategic litigation in the public interest but also promoting industry best practice.

The proposed data redress body — called noyb; short for: ‘none of your business’ — is being made possible because GDPR allows for collective enforcement of individuals’ data rights. And that provision could be crucial in spinning up a centre of enforcement gravity around the law. Because despite the position and role of DPAs being strengthened by GDPR, these bodies will still inevitably have limited resources vs the scope of the oversight task at hand.

Some may also lack the appetite to take on a fully fanged watchdog role. So campaigning consumer and privacy groups could certainly help pick up any slack.

Privacy by design and privacy by default

Another major change incoming via GDPR is ‘privacy by design’ no longer being just a nice idea; privacy by design and privacy by default become firm legal requirements.

This means there’s a requirement on data controllers to minimize processing of personal data — limiting activity to only what’s necessary for a specific purpose, carrying out privacy impact assessments and maintaining up-to-date records to prove out their compliance.

Consent requirements for processing personal data are also considerably strengthened under GDPR — meaning lengthy, inscrutable, pre-ticked T&Cs are likely to be unworkable. (And we’ve sure seen a whole lot of those hellish things in tech.) The core idea is that consent should be an ongoing, actively managed process; not a one-off rights grab.

As the UK’s ICO tells it, consent under GDPR for processing personal data means offering individuals “genuine choice and control” (for sensitive personal data the law requires a higher standard still — of explicit consent).

There are other legal bases for processing personal data under GDPR — such as contractual necessity; or compliance with a legal obligation under EU or Member State law; or for tasks carried out in the public interest — so it is not necessary to obtain consent in order to process someone’s personal data. But there must always be an appropriate legal basis for each processing.

Transparency is another major obligation under GDPR, which expands the notion that personal data must be lawfully and fairly processed to include a third principle of accountability. Hence the emphasis on data controllers needing to clearly communicate with data subjects — such as by informing them of the specific purpose of the data processing.

The obligation on data handlers to maintain scrupulous records of what information they hold, what they are doing with it, and how they are legally processing it, is also about being able to demonstrate compliance with GDPR’s data processing principles.

But — on the plus side for data controllers — GDPR removes the requirement to submit notifications to local DPAs about data processing activities. Instead, organizations must maintain detailed internal records — which a supervisory authority can always ask to see.

It’s also worth noting that companies processing data across borders in the EU may face scrutiny from DPAs in different Member States if they have users there (and are processing their personal data). Although the GDPR sets out a so-called ‘one-stop-shop’ principle — that there should be a “lead” DPA to co-ordinate supervision between any “concerned” DPAs — this does not mean that once it applies a cross-EU-border operator like Facebook is only going to be answerable to the concerns of the Irish DPA.

Indeed, Facebook’s tactic of only claiming to be under the jurisdiction of a single EU DPA looks to be on borrowed time. And the one-stop-shop provision in the GDPR seems more about creating a co-operation mechanism to allow multiple DPAs to work together in instances where they have joint concerns. Rather than offering a way for multinationals to go ‘forum shopping’ — which the regulation does not permit (per WP29 guidance).

Another change: Privacy policies that contain vague phrases like ‘We may use your personal data to develop new services’ or ‘We may use your personal data for research purposes’ will not pass muster under the new regime. So a wholesale rewriting of vague and/or confusingly worded T&Cs is something Europeans can look forward to this year.

Add to that, any changes to privacy policies must be clearly communicated to the user on an ongoing basis. Which means no more references in the privacy statement telling users to ‘regularly check for changes or updates’ — that just won’t be workable.

The onus is firmly on the data controller to keep the data subject fully informed of what is being done with their information. (Which almost implies that good data protection practice could end up tasting a bit like spam, from a user PoV.)

The overall intent behind GDPR is to inculcate an industry-wide shift in perspective regarding who ‘owns’ user data — disabusing companies of the notion that other people’s personal information belongs to them just because it happens to be sitting on their servers.

“Organizations should acknowledge they don’t exist to process personal data but they process personal data to do business,” is how analyst Gartner research director Bart Willemsen sums this up. “Where there is a reason to process the data, there is no problem. Where the reason ends, the processing should, too.”

The data protection officer (DPO) role that GDPR brings in as a requirement for many data handlers is intended to help them ensure compliance.

This officer, who must report to the highest level of management, is intended to operate independently within the organization, with warnings to avoid an internal appointment that could generate a conflict of interests.

Which types of organizations face the greatest liability risks under GDPR? “Those who deliberately seem to think privacy protection rights is inferior to business interest,” says Willemsen, adding: “A recent example would be Uber, regulated by the FTC and sanctioned to undergo 20 years of auditing. That may hurt perhaps similar, or even more, than a one-time financial sanction.”

“Eventually, the GDPR is like a speed limit: There not to make money off of those who speed, but to prevent people from speeding excessively as that prevents (privacy) accidents from happening,” he adds.

Another right to be forgotten

Under GDPR, people who have consented to their personal data being processed also have a suite of associated rights — including the right to access data held about them (a copy of the data must be provided to them free of charge, typically within a month of a request); the right to request rectification of incomplete or inaccurate personal data; the right to have their data deleted (another so-called ‘right to be forgotten’ — with some exemptions, such as for exercising freedom of expression and freedom of information); the right to restrict processing; the right to data portability (where relevant, a data subject’s personal data must be provided free of charge and in a structured, commonly used and machine readable form).

Twitter updates total of Russia-linked election bots to 50,000


Twitter has provided updated details on its investigation into Russian election interference on its platform in 2016. Its identification of more than 13,000 more Russian-linked bots that made election-related tweets puts the total over 50,000. In addition, about 3,800 (up 1,000 from Twitter’s data in the fall) were associated with the now-notorious Internet Research Agency.

Still, Twitter denied that these accounts were a significant problem:

The results of this supplemental analysis are consistent with the results of our previous work: automated election-related content associated with Russian signals represented a very small fraction of the overall activity on Twitter in the ten-week period preceding the 2016 election.

As if to demonstrate the different scales at work here, the Twitter blog post then changed topics to its efforts to block bots and suspicious activity platform-wide.

For reference, those 3,800 IRA bots tweeted about 176,000 times during that 10-week period, of which less than 15,000 were election-related. And 677,775 people saw, followed or retweeted one of these accounts during that same period, and are being notified.


But in a way that’s just a drop in the bucket.

“In December 2017, our systems identified and challenged more than 6.4 million suspicious accounts globally per week,” the company wrote. “Since June 2017, we’ve removed more than 220,000 applications in violation of our rules, collectively responsible for more than 2.2 billion low-quality Tweets.”

It’s not exactly apples to apples, but it is a good reminder that this was more of an experiment in influence, not a full-scale push. If simple spammers can create and promote bots by the tens of thousands, Russian intelligence could easily have brought more to bear here.

Of course, the numbers are much higher on Facebook — some 150 million people are estimated to have been reached by troll accounts there.

Lastly, Twitter explains some concrete steps it’s taking to make the 2018 elections a bit less susceptible to this type of interference, which, while not actually too grand in scale, was certainly more widespread than expected.

Specifically, the company is working on verifying all candidates, escalating issues of impersonation or hijacking, and monitoring election-related conversations closely for evidence of manipulation or bot participation.


Facebook’s latest News Feed update will prioritize trustworthy publishers


Facebook is gearing up to prioritize news content from publishers that a group of Facebook users have deemed trustworthy. Facebook head of News Feed Adam Mosseri wrote in a blog post that the company surveyed “a diverse and representative sample” of U.S.-based people about their familiarity with and trust in various sources of news.

That data, Mosseri said, will serve to inform News Feed rankings. The plan is to first do this in the U.S. before rolling it out internationally. That means, starting next week, “publications deemed trustworthy by people using Facebook may see an increase in their distribution,” Mosseri wrote. “Publications that do not score highly as trusted by the community may see a decrease.”

As part of Facebook’s ongoing quality surveys, Facebook will now ask people if they’re familiar with a news source and if they trust it. Facebook CEO Mark Zuckerberg provided a bit more detail about the thinking behind it in a post:

“The idea is that some news organizations are only trusted by their readers or watchers, and others are broadly trusted across society even by those who don’t follow them directly,” Zuckerberg wrote. “(We eliminate from the sample those who aren’t familiar with a source, so the output is a ratio of those who trust the source to those who are familiar with it.)”

Prioritizing news from trusted publishers is part of Facebook’s broader effort to revamp the News Feed and “encourage meaningful social interactions with family and friends over passive consumption,” Zuckerberg wrote. Last week, Facebook announced major changes to News Feed, which entail less public content, like news and nonsense from brands.

Facebook also now expects news to make up four percent, instead of about five percent, of content in the News Feed, Zuckerberg said. But Zuckerberg also says the update “will not change the amount of news you see.”

“It will only shift the balance of news you see towards sources that are determined to be trusted by the community,” Zuckerberg wrote. “My hope is that this update about trusted news and last week’s update about meaningful interactions will help make time on Facebook time well spent: where we’re strengthening our relationships, engaging in active conversations rather than passive consumption, and, when we read news, making sure it’s from high quality and trusted sources.”

Correction: An earlier version of this story misstated that public content would make up 4 percent of News Feed. Rather, news will now roughly make up 4 percent of content in News Feed.

Yahoo Finance launches social savings app Tanda, an alternative to credit cards


Yahoo Finance today launched a new app called Tanda that allows small groups of either five or nine people to save money together for short-term goals. The app uses the concept of a “money pool” – that is, everyone participating in one of Tanda’s collaborative savings circles will pay a fixed amount to the group’s savings pot every month. And every month, one member gets to take home the full pot.

But Tanda is not a gambling app. That is, users are not contributing in the hopes of “winning” the pot of money – everyone in the savings circle gets a chance to take home the full pot at some point.

The app is based on the age-old “rotating savings and credit associations” (ROSCA) concept, which pushes people to save through the use of collective pressure.

In other words, while it’s true that you could just set aside a fixed amount of money on your own, Tanda makes saving a more collaborative and social construct.

The other difference between saving in Tanda and saving on your own is how the app handles payouts. The first two people to receive their money pay a fee, but the last payout position receives a 2 percent cash bonus. This rewards users who are willing to wait to receive their turn at the pot, though some will want higher positions in order to get the large payout sooner.

A higher position is obviously more desirable if you have a more immediate need for the funds – like buying books for school or replacing a dead laptop, for example. Of course, you still have to pay into Tanda to take money out, so it’s not a direct replacement for a credit card. But, with some planning, it could be used as an alternative to charging larger purchases.

As a user participates in Tanda by making contributions, their “Tanda score” increases. With higher scores, the user gains access to higher value savings circles and earlier payout positions. These savings circles can reach up to $2,000.

And if someone drops out, Tanda will step in to cover their positions.

Tanda is also working with its partner Dwolla to vet users before they can begin saving, the company says.

Yahoo explains that the app is designed to help individuals achieve their financial goals without racking up more debt.

The company hopes this will allow Tanda to attract a millennial audience, which is already drawn to social apps in the finance space, like Venmo. In addition, this younger demographic is facing a variety of financial struggles, like higher costs of living and difficulties in finding work, and they often struggle to save on their own.


The app is being released under the Yahoo Finance brand.

Yahoo and (disclosure!) TechCrunch parent company AOL combined to form Oath, which is now owned by Verizon. But Yahoo continues to maintain its own app store presence through apps like Yahoo Finance, Yahoo Weather, Yahoo Newsroom, Yahoo Sports, Yahoo Fantasy Football, Yahoo Mail, and many others.

Tanda is available today in both English and Spanish on Android, and will arrive on iOS within the next few days.