SiriusXM this week offered a few more details on how it plans to leverage its newest asset, Pandora, following its $3.5 billion acquisition of the streaming music service last year, which officially closes on Friday. At the time of the deal, the company spoke about the potential for cross-promotion opportunities between the services and new subscription packages. Now, those efforts are getting off the ground — starting with a promotion within the Pandora app for SiriusXM subscriptions, followed by the launch of Pandora channels within the SiriusXM app.
Currently, SiriusXM offers a variety of programming packages, ranging from a cheaper ($11/mo) “Mostly Music” sampling of channels all the way up to a premium “All Access” ($21/mo) subscription. It also runs various time-limited promotions that offer its service for as little as $5 per month for a set period, like six months.
According to Sirius XM CEO James Meyer — speaking to investors on the Q4 earnings call on Wednesday — the company will now start promoting special SiriusXM packages to Pandora listeners.
The company, he said, intends “to capitalize on cross-promotion opportunities between SiriusXM’s more than 36 million subscribers across North America and Pandora’s approximately 70 million monthly active users. In early February, we will begin a targeted promotion to SiriusXM subscribers and Pandora listeners,” he noted. “Select Pandora listeners will receive an offer to obtain a unique $5 a month ‘Mostly News,’ ‘Mostly Music’ or ‘News Talk’ [SiriusXM subscription] package in their satellite-equipped vehicle.”
In other words, SiriusXM will be pushing low-cost $5 per month streaming plans within the Pandora app itself.
The company believes the cross-promotions will be successful because of the overlap in the two services’ customer bases. It found that approximately half of the owners of the SiriusXM-enabled vehicle fleet of 100 million cars have used Pandora in the past two years, for example. SiriusXM aims to leverage those Pandora listeners’ data in order to convert, retain or bring them back to SiriusXM.
In addition, the exec said that existing SiriusXM subscribers would receive extended 14-day trials to Pandora’s Premium service.
By mid-2019, the company plans to launch a new Pandora-powered channel within its own SiriusXM app, based on their favorite artist. It will also add a new radio channel to the SiriusXM app that’s driven by the latest trends from Pandora’s “billions of thumbs” — meaning the “thumbs up” (likes), songs receive within the streaming app.
Meyer spoke briefly about the challenges facing Pandora — specifically a decline in listening hours, which SiriusXM believes can be fixed by improving Pandora’s in-car listening statistics, making the Pandora app more compelling, and adding more content.
“This is just the beginning. We expect, over time, to create new, unique audio packages that will bring together the best of both services, creating a powerful platform for artists to reach their fans and to create new audiences,” said Meyer.
The merger of the two companies has not been without upheaval, though.
This week, the company announced that Pandora CEO Roger Lynch and other executives would be stepping down, including general counsel Steve Bene, CFO Naveen Chopra and chief human resources officer Kristen Robinson. Meyer will instead lead the combined company, he said, in order to streamline decision-making and increase the speed of the integrations.
SiriusXM reported record revenues for the fourth quarter and year, at $1.5 billion and $5.8 billion, respectively. Net income was $251 million for the quarter, up from a loss of $37 million in the year-ago period. Full-year 2018 net income grew 81 percent to a record $1.2 billion.
The newly combined company will have more than 100 million listeners in North America, with nearly 40 million self-paying subscribers and more than 75 million on trials or using ad-based products.
A new mobile banking startup called Step wants to help bring teenagers and other young adults into the cashless era. Today, cash is used less often, as more consumers shop online and send money to one another through payment apps like Venmo. But teenagers in particular are still heavily burdened with cash — even though they, too, want to spend their money on things that require a payment card, like Amazon.com purchases or mobile gaming, for example.
The company aims to address the needs of what it believes is an underserved market in mobile banking — the 75 million children and young adults under the age of 21 in the U.S., who are still being forced to use cash.
“We’re building an all-in-one banking solution that primarily focuses on teens and parents,” he says. “We want it to be a teen’s first bank account. We want to be a teen’s first spending card. And we want to teach financial literacy and responsibility firsthand.”
MacDonald, along with CTO Alexey Kalinichenko, previously of Square and financial services startup Token, founded Step in May 2018. The 10-person team also includes several prior Gyft employees.
Last summer, Step closed on $3.8 million in seed funding from Sesame Ventures, Crosslink Capital and Collaborative Fund. Crosslink general partner Eric Chin sits on the board.
While there are a number of mobile banking apps out there today — like Chime, Monzo, Simple, Revolut and others — Step will specifically target teens, 13 and up, and other young adults with its marketing. Teens under 18 still need parents’ approval to sign up, of course. But the goal is to encourage the teens to bring the idea to their parents — not the other way around.
The mobile banking service Step provides will also aim to be more comprehensive than just a debit card. It will offer a combination of checking, savings and a Visa card that works as both credit and debit.
The card includes Visa’s Zero Liability Protection on all purchases from unauthorized use, and allows parents to set spending limits.
Parents will also be able to connect their own bank accounts to Step to instantly transfer in funds, which can then be distributed to kids’ accounts for things like allowances and chores, or other everyday spending needs. Step’s bank account itself is backed by Evolve Bank, so it’s FDIC-insured up to $250,000.
Unlike Current, which charges a subscription to use its service, Step aims to be a fee-free bank for consumers. Users don’t have to pay for their account, and there are no fees for things like overdrafts. Instead, Step’s plan is to generate revenue through traditional means — like interchange fees and by way of lending practices, once it has established a deposit base.
The company pays a 2.5 percent interest rate on deposits, offers a round-up savings feature and a range of budgeting tools and supports free instant transfers between Step accounts. It also provides access to a network of 35,000 ATMs with no fees.
Beyond simply facilitating mobile banking, Step’s bigger goal is to teach teens to become financially responsible.
“Schools do not teach kids about money. A lot of families don’t talk about money. And it’s a crucial life skill that’s not really addressed properly when people are growing up,” says MacDonald, who says he was lacking in life skills in this area, even as a young college grad.
“There were ‘Money 101’ skills that I had not learned — that no one had talked to me about. Things like building credit, how many credit cards you should have, debt to income ratio,” he continues. “A lot of people get released into the real world without experience [in those areas],” he says.
Long-term, after solving the needs associated with everyday banking transactions, Step wants to layer on other products and services — like tools that allow a family to save together for college, for example.
The company is launching the banking service under an invite-only system to scale up.
Today, it’s opening a waitlist and referral program. When you invite a friend, you each receive one dollar. Access will then be rolled out on a first-come, first-serve basis this spring. Users can join Step through the website, iOS or Android application.
It’s been a long year for Nintendo fans waiting on Mario Kart Tour to come to mobile and, unfortunately, more patience is required after the game’s launch was moved back to this summer.
The key passage sits within Nintendo’s latest earnings report, released today, which explains that additional time is needed “to improve [the] quality of the application and expand the content offerings after launch.”
The checkered flag has been raised and the finish line is near. A new mobile application is now in development: Mario Kart Tour! #MarioKartTour Releasing in the fiscal year ending in March 2019. pic.twitter.com/8GIyR7ZM4z
It’s frustrating but, as The Verge points out, you can refer to a famous Nintendo phrase if you are seeking comfort.
Shigeru Miyamoto, who created the Mario and Zelda franchises, once remarked that “a delayed game is eventually good, but a rushed game is forever bad.”
There’s plenty riding on the title — excuse the pun. Super Mario Run, the company’s first major game for the iPhone, showed its most popular IP has the potential to be a success on mobile, even though Mario required a $9.99 payment to go beyond the limited demo version. Mario Kart is the most successful Switch title to date, so it figures that it can be a huge smash on mobile if delivered in the right way.
We’ve written extensively about LG’s struggling mobile business, which has suffered at the hands of aggressive Chinese Android makers, and now that unit has dragged its parent company into posting its first quarterly loss for two years.
The Korean electronics giant is generally in good health — it posted a $2.4 billion profit for 2018 — but its smartphone business’s failings saw it post a loss in Q4 2018, its first quarterly negative since Q4 2016.
Overall, the company posted a KRW 75.7 billion ($67.1 million) operating loss as revenue slid seven percent year-on-year to KRW 15.77 trillion ($13.99 billion). LG said the change was “primarily due to lower sales of mobile products.”
Over the full year, LG Mobile posted a $700 million loss (KRW 790.1 billion) but the company claimed things are improving thanks to “better material cost controls and overhead efficiencies based on the company’s platform modularization strategy.”
LG used CES to showcase a range of home entertainment products — that division is doing far better than mobile, with a record annual profit of $1.35 billion in 2018 — so we’ll have to wait until Mobile World Congress in February to see exactly what LG has in mind. Already, though, we have a suggestion and it isn’t exactly set-the-world-on-fire stuff.
“LG’s mobile division will push 5G products and smartphones featuring different form factors while focusing on key markets where the LG brand remains strong,” the company said in a statement.
It will certainly take something very special to turn things around. It seems more likely that LG Mobile head Brian Kwon — who also heads up that hugely-profitable home entertainment business — will focus on cutting costs and squeezing out the few sweet spots left. Continued losses, particularly against success from other units, might eventually see LG shutter its mobile business.
Samsung’s forecast was also dour, at least for the first half of the year. It said annual earnings will decline thanks to continuing weak demand for chips, but expects demand for memory products and OLED panels to improve during the second half.
The company’s fourth-quarter operating profit was 10.8 trillion won (about $9.7 billion), a 28.7 percent decrease from the 15.15 trillion won it recorded in the same period one year ago. Revenue was 59.27 trillion won, a 10.2 percent drop year over year.
Broken out by business, Samsung’s semiconductor unit recorded quarterly operating profit of 7.8 trillion won, down from 10.8 trillion won a year ago. Its mobile unit’s operating profit was 1.5 trillion won, compared to 2.4 trillion won a year ago.
Smartphone makers, including Samsung rival Apple, have been hit hard by slowing smartphone sales around the world, especially in China. Upgrade cycles are also becoming longer as customers wait to buy newer models.
This hurt both Samsung’s smartphone and chip sales, as “overall market demand for NAND and DRAM drop[ped] due to macroeconomic uncertainties and adjustments in inventory levels by customers including datacenter companies and smartphone makers,” said the company’s earnings report.
Samsung expects chip sales to be sluggish during the first quarter because of weak seasonality and inventory adjustments by its biggest customers. The company was optimistic about the last two quarters of 2019, when it expects demand for chips and OLED panels to pick up thanks seasonal demand and customers finishing their inventory adjustments.
Facebook managed to beat Wall Street’s estimates in its Q4 earnings amidst a constant beat down in the press. Facebook hit 2.32 billion monthly users, up 2.2 perecent from 2.27 billion last quarter, speeding up its growth rate. Facebook climbed to 1.52 billion daily active users from 1.49 billion last quarter for a 2 percent growth rate that dwarfed last quarter’s 1.36 percent.
Facebook earned $16.91 billion off all those users with a $2.38 GAAP earnings per share. Those numbers handily beat Wall Street’s expectations of $16.39 billion in revenue and $2.18 GAAP earnings per share, plus 2.32 billion monthly and 1.51 billion daily active users. Facebook’s daily to monthly user ratio, or stickiness, held firm at 66 percent where it’s stayed for years, showing those still on Facebook aren’t using it much less.
Facebook shares had closed today at $150.42 but shot up over 9 percent following the record revenue and profit announcements to hover around $162. A big 30 percent year-over-year boost in average revenue per user in North America fueled those gains. Yet that’s still way down from $186 where it was a year ago and a peak of $217 in July.
CEO Mark Zuckerberg went beyond his usual intro to the earnings report where he assures investors things are going well and highlights new opportunities. This quarter he noted “We’ve fundamentally changed how we run our company to focus on the biggest social issues, and we’re investing more to build new and inspiring ways for people to connect.”
Squeezing Money From The Olds
Facebook managed to grow its DAU in both the critical US & Canada and Europe markets where it earns the most money after stagnation or shrinkage in previous quarters. The fact that Facebook is no longer dwindling it its most lucrative markets is surely contributing to its share price climb. Facebook’s monthly active user plateaued in North America but roared up in Europe. That was shored up by a reversal of last quarter’s decline in Rest Of World average revenue per user, which fell 4.7% in Q3 but bounced back with 16.5 percent growth in Q4.
Facebook raked in $6.8 billion in profit this quarter as it slowed down hiring and only grew headcount 5 percent from 33,606 to 35,587. It seems Facebook has gotten to a comfortable place with its security staff-up in the wake of election interference, fake news, and content moderation troubles. Its revenue is up 30 percent year-over-year while profits grew 61 percent, which is pretty remarkable for a 15-year old technology company.
But morale isn’t quite as rosy. It’s been a brutal quarter for Facebook At least its swifter user growth rates show Facebook survived its biggest ever data breach without scaring off too many people. Meanwhile it’s continuously struggled with scandals like hiring opposition research firm Definers, and it saw its new teen app Lasso largely flop. Facebook will have to convince investors it knows how to win back the next generation, or at least keep squeezong a lot more money out of the last one like it did in Q4.
In response to TechCrunch’s investigation of Facebook paying teens and adults to install a VPN that lets it analyze all their phone’s traffic, Senator Mark Warner (D-VA) has sent a letter to Mark Zuckerberg. It admonishes Facebook for not spelling out exactly which data the Facebook Research app was collecting or giving users adequate information necessary to determine if they should accept payment in exchange for selling their privacy. Following our report, Apple banned Facebook’s Research app from iOS and shut down its internal employee-only workplace apps too as punishment, causing mayhem in Facebook’s office.
Warner wrote to Zuckerberg, “In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection. Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me.”
Warner is working on writing new laws to govern data collection initiatives like Facebook Research. He asks Zuckerberg, “Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?”
Senator Blumenthal’s fierce statement
Meanwhile, Senator Richard Blumenthal (D-CT) provided TechCrunch with a fiery statement regarding our investigation. He calls Facebook anti-competitive, which could fuel calls to regulate or break up Facebook, says the FTC must address the issue and that he’s planning to work with congress to safeguard teens’ privacy:
“Wiretapping teens is not research, and it should never be permissible. This is yet another astonishing example of Facebook’s complete disregard for data privacy and eagerness to engage in anti-competitive behavior. Instead of learning its lesson when it was caught spying on consumers using the supposedly ‘private’ Onavo VPN app, Facebook rebranded the intrusive app and circumvented Apple’s attempts to protect iPhone users. Facebook continues to demonstrate its eagerness to look over everyone’s shoulder and watch everything they do in order to make money.
Mark Zuckerberg’s empty promises are not enough. The FTC needs to step up to the plate, and the Onavo app should be part of its investigation. I will also be writing to Apple and Google on Facebook’s egregious behavior, and working in Congress to make sure that teens are protected from Big Tech’s privacy intrusions.”
Senator Markey says stop surveiling teens
And finally, Senator Edward J. Markey (D-MA) requests that Facebook stop recruiting teens for its Research program, and notes he’ll push his “Do Not Track Kids” act in Congress:
“It is inherently manipulative to offer teens money in exchange for their personal information when younger users don’t have a clear understanding how much data they’re handing over and how sensitive it is. I strongly urge Facebook to immediately cease its recruitment of teens for its Research Program and explicitly prohibit minors from participating. Congress also needs to pass legislation that updates children’s online privacy rules for the 21st century. I will be reintroducing my ‘Do Not Track Kids Act’ to update the Children’s Online Privacy Protection Act by instituting key privacy safeguards for teens.
But my concerns also extend to adult users. I am alarmed by reports that Facebook is not providing participants with complete information about the extent of the information that the company can access through this program. Consumers deserve simple and clear explanations of what data is being collected and how it being used.”
The senators’ statements do go a bit overboard. Though Facebook Research was aggressively competitive and potentially misleading, Blumenthal calling it “anti-competitive” is a stretch. And Warner’s questioning on whether “any user reasonably understood that they were giving Facebook root device access through the enterprise certificate” or that it uses the data to track competitors oversteps the bounds. Surely some savvy technologists did, but the question is whether all the teens and everyone else understood.
Facebook isn’t the only one paying users to analyze all their phone data. TechCrunch found that Google had a similar program called Screenwise Meter. Though it was more upfront about it, Google also appears to have violated Apple’s employee-only Enterprise Certificate rules. We may be seeing the start to an industry-wide crack down on market research surveillance apps that dangle gift cards in front of users to get them to give up a massive amount of privacy.
Warner’s full letter to Zuckerberg can be found below:
Dear Mr. Zuckerberg:
I write to express concerns about allegations of Facebook’s latest efforts to monitor user activity. On January 29th, TechCrunch revealed that under the auspices of partnerships with beta testing firms, Facebook had begun paying users aged 13 to 35 to install an enterprise certificate, allowing Facebook to intercept all internet traffic to and from user devices. According to subsequent reporting by TechCrunch, Facebook relied on intermediaries that often “did not disclose Facebook’s involvement until users had begun the signup process.” Moreover, the advertisements used to recruit participants and the “Project Disclosure” make no mention of Facebook or the commercial purposes to which this data was allegedly put.
This arrangement comes in the wake of revelations that Facebook had previously engaged in similar efforts through a virtual private network (VPN) app, Onavo, that it owned and operated. According to a series of articles by the Wall Street Journal, Facebook used Onavo to scout emerging competitors by monitoring user activity – acquiring competitors in order to neutralize them as competitive threats, and in cases when that did not work, monitor usage patterns to inform Facebook’s own efforts to copy the features and innovations driving adoption of competitors’ apps. In 2017, my staff contacted Facebook with questions about how Facebook was promoting Onavo through its Facebook app – in particular, framing the app as a VPN that would “protect” users while omitting any reference to the main purpose of the app: allowing Facebook to gather market data on competitors.
Revelations in 2017 and 2018 prompted Apple to remove Onavo from its App Store in 2018 after concluding that the app violated its terms of service prohibitions on monitoring activity of other apps on a user’s device, as well as a requirement to make clear what user data will be collected and how it will be used. In both the case of Onavo and the Facebook Research project, I have concerns that users were not appropriately informed about the extent of Facebook’s data-gathering and the commercial purposes of this data collection.
Facebook’s apparent lack of full transparency with users – particularly in the context of ‘research’ efforts – has been a source of frustration for me. As you recall, I wrote the Federal Trade Commission in 2014 in the wake of revelations that Facebook had undertaken a behavioral experiment on hundreds of thousands of users, without obtaining their informed consent. In submitted questions to your Chief Operating Officer, Sheryl Sandberg, I once again raised these concerns, asking if Facebook provided for “individualized, informed consent” in all research projects with human subjects – and whether users had the ability to opt out of such research. In response, we learned that Facebook does not rely on individualized, informed consent (noting that users consent under the terms of the general Data Policy) and that users have no opportunity to opt out of being enrolled in research studies of their activity. In large part for this reason, I am working on legislation to require individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users.
Fair, robust competition serves as an impetus for innovation, product differentiation, and wider consumer choice. For these reasons, I request that you respond to the following questions:
1. Do you think any user reasonably understood that they were giving Facebook root device access through the enterprise certificate? What specific steps did you take to ensure that users were properly informed of this access?
2. Do you think any user reasonably understood that Facebook was using this data for commercial purposes, including to track competitors?
3. Will you release all participants from the confidentiality agreements Facebook made them sign?
4. As you know, I have begun working on legislation that would require large platforms such as Facebook to provide users, on a continual basis, with an estimate of the overall value of their data to the service provider. In this instance, Facebook seems to have developed valuations for at least some uses of the data that was collected (such as market research). This further emphasizes the need for users to understand fully what data is collected by Facebook, the full range of ways in which it is used, and how much it is worth to the company. Will you commit to supporting this legislation and exploring methods for valuing user data holistically?
5. Will you commit to supporting legislation requiring individualized, informed consent in all instances of behavioral and market research conducted by large platforms on users?
I look forward to receiving your responses within the next two weeks. If you should have any questions or concerns, please contact my office at 202-224-2023.
If you’re interested in Meizu’s insane smartphone that doesn’t have any port or button, you can now pre-order it on Indiegogo for $1,299. Supply is limited as the company is only selling 100 units for now.
The Meizu Zero looks like any modern phone at first sight. But if you look beyond the display, you’ll notice that there’s absolutely zero port or button.
The volume button has been replaced with a touch-sensitive surface. The fingerprint sensor is integrated in the display. Wireless charging is the only way to charge the device. And if you’re thinking about putting your SIM card in the phone, there’s no SIM slot either — I hope your carrier supports eSIM cards.
There’s no speaker grille either. Meizu is using the screen as a speaker by sending vibrations through the display. It also works as a microphone, apparently.
It’s unclear if this is just a giant joke or an actual product. But it’s an interesting experiment. For $1,299, you get a phone with a 5.99-inch AMOLED display and a Snapdragon 845 system-on-a-chip. The company expects to ship the device in April 2019.
India’s largest bank has secured an unprotected server that allowed anyone to access financial information on millions of its customers, like bank balances and recent transactions.
The server, hosted in a regional Mumbai-based datacenter, stored two months of data from SBI Quick, a text message and call-based system used to request basic information about their bank accounts by customers of of the government-owned State Bank of India (SBI), the largest bank in the country and a highly ranked company in the Fortune 500.
But the bank had not protected the server with a password, allowing anyone who knew where to look to access the data on millions of customers’ information.
It’s not known for how long the server was open, but long enough for it to be discovered by a security researcher, who told TechCrunch of the leak, but did not want to be named for the story.
SBI Quick allows SBI’s banking customers to text the bank, or make a missed call, to retrieve information back by text message about their finances and accounts. It’s ideal for millions of the banking giant’s customers who don’t use smartphones or have limited data service. By using predefined keywords, like “BAL” for a customer’s current balance, the service recognizes the customer’s registered phone number and will send back current amount in that customer’s bank account. The system can also be used to send back the last five transactions, block an ATM card, and make inquiries about home or car loans.
It was the back-end text message system that was exposed, TechCrunch can confirm, storing millions of text messages each day.
A redacted example of some of the banking and credit information found in the database. (Image: TechCrunch)
The passwordless database allowed us to see all of the text messages going to customers in real-time, including their phone numbers, bank balances, and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking.
The bank sent out close to three million text messages on Monday alone.
The database also had daily archives of millions of text messages each, going back to December, allowing anyone with access a detailed view into millions of customers’ finances.
We verified the data by asking India-based security researcher Karan Saini to send a text message to the system. Within seconds, we found his phone number in the database, including the text message that he received back.
“The data available could potentially be used to profile and target individuals that are known to have high account balances,” said Saini in a message to TechCrunch. Saini previously found a data leak in India’s Aadhaar, the country’s national identity database, and a two-factor bypass bug in Uber’s ride-sharing app.
Saini said that knowing a phone number “could be used to aid social engineering attacks — which is one the most common attack vector here with regard to financial fraud,” he said.
SBI claims more than 500 million customers across the globe with 740 million accounts.
Just days earlier, SBI accused Aadhaar’s authority, UIDAI, of mishandling citizen data that allowed fake Aadhaar identity cards to be created, despite numerous security lapses and misuse of the system. UIDAI denied the report, saying there was “no security breach” of its system. (UIDAI often uses the term “fake news” to describe coverage it doesn’t like.)
TechCrunch reached out to SBI and India’s National Critical Information Infrastructure Protection Centre, which receives vulnerability reports for the banking sector. The database was secured overnight.
Despite several emails, SBI did not comment prior to publication.
In the wake of TechCrunch’s investigation yesterday, Apple blocked Facebook’s Research VPN app before the social network could voluntarily shut it down. The Research app asked users for root network access to all data passing through their phone in exchange for $20 per month. Apple tells TechCrunch that yesterday evening it pulled the certificate that allows Facebook to distribute the Research app through Apple’s Enterprise Certificate system.
TechCrunch had reported that Facebook was breaking Apple’s policy that the Enterprise system is only for distributing internal corporate apps to employees, not paid external testers. That was actually before Facebook released a statement last night saying that it had shut down the iOS version of the Research program without mentioning that it was forced by Apple to do so.
TechCrunch’s investigation discovered that Facebook has been quietly operated the Research program on iOS and Android since 2016, recently under the name Project Atlas. It recruited 13 to 35 year olds, 5 percent of which were teenagers, with ads on Instagram and Snapchat and paid them a monthly fee plus referral bonuses to install Facebook’s Research app, the included VPN app that routes traffic to Facebook, and to ‘Trust’ the company with root network access to their phone. That lets Facebook pull in a user’s web browsing activity, what apps are on their phone and how they use them, and even decrypt their encrypted traffic. Facebook went so far as to ask users to screenshot and submit their Amazon order history. Facebook uses all this data to track competitors, assess trends, and plan its product roadmap.
Facebook was forced to remove its similar Onavo Protect app in August last year after Apple changed its policies to prohibit the VPN app’s data collection practices. But Facebook never shut down the Research app with the same functionality it was running in parallel. In fact, TechCrunch commissioned security expert Will Strafach to dig into the Facebook Research app, and we found that it featured tons of similar code and references to Onavo Protect. That means Facebook was purposefully disobeying the spirit of Apple’s 2018 privacy policy change while also abusing the Enterprise Certificate program.
Facebook’s legitimate internal-use only apps like pre-launch versions of Facebook and Instagram as well as its employee logistics apps are still functioning, a source says. That would indicate that Apple didn’t go so far as to completely shut down Facebook’s access to the Enterprise developer program.
This morning, Apple informed us it had banned Facebook’s Research app yesterday before the social network seemingly pulled it voluntarily. Apple provided us with this strongly worded statement condemning the social network’s behavior:
“We designed our Enterprise Developer Program solely for the internal distribution of apps within an organization. Facebook has been using their membership to distribute a data-collecting app to consumers, which is a clear breach of their agreement with Apple. Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.”
That comes in direct contradiction to Facebook’s initial response to our investigation. Facebook claimed it was in alignment with Apple’s Enterprise Certificate policy and that the program was no different than a focus group.
Seven hours later, a Facebook spokesperson said it was pulling its Research program from iOS without mentioning that Apple forced it to do so, and issued this statement disputing the characterization of our story:
“Key facts about this market research program are being ignored. Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research App. It wasn’t ‘spying’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.”
We refute those accusations by Facebook. As we wrote yesterday night, Facebook did not publicly promote the Research VPN itself and used intermediaries that often didn’t disclose Facebook’s involvement until users had begun the signup process. While users were given clear instructions and warnings, the program never stresses nor mentions the full extent of the data Facebook can collect through the VPN. A small fraction of the users paid may have been teens, but we stand by the newsworthiness of its choice not to exclude minors from this data collection initiative.
The situation will surely worsen the relationship between Facebook and Apple after years of mounting animosity between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices, and Facebook’s Mark Zuckerberg has countered that it offers products for free for everyone rather than making products few can afford like Apple. Flared tensions could see Facebook receive less promotion in the App Store, fewer integrations into iOS, and more jabs from Cook. Meanwhile, the world sees Facebook as having been caught red-handed threatening user privacy and breaking Apple policy.
Desperate for data on its competitors, Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms. Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.
Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.
Facebook’s Research app requires users to ‘Trust’ it with extensive access to their data
We asked Guardian Mobile Firewall’s security expert Will Strafach to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.
The strategy shows how far Facebook is willing to go and how much it’s willing to pay to protect its dominance — even at the risk of breaking the rules of Apple’s iOS platform on which it depends. Apple could seek to block Facebook from continuing to distribute its Research app, or even revoke it permission to offer employee-only apps, and the situation could further chill relations between the tech giants. Apple’s Tim Cook has repeatedly criticized Facebook’s data collection practices. Facebook disobeying iOS policies to slurp up more information could become a new talking point. TechCrunch has spoken to Apple and it’s aware of the issue, but the company did not provide a statement before press time.
Facebook’s Research program is referred to as Project Atlas on sign-up sites that don’t mention Facebook’s involvement
“The fairly technical sounding ‘install our Root Certificate’ step is appalling,” Strafach tells us. “This hands Facebook continuous access to the most sensitive data about you, and most users are going to be unable to reasonably consent to this regardless of any agreement they sign, because there is no good way to articulate just how much power is handed to Facebook when you do this.”
Facebook’s surveillance app
Facebook first got into the data-sniffing business when it acquired Onavo for around $120 million in 2014. The VPN app helped users track and minimize their mobile data plan usage, but also gave Facebook deep analytics about what other apps they were using. Internal documents acquired by Charlie Warzel and Ryan Mac of BuzzFeed News reveal that Facebook was able to leverage Onavo to learn that WhatsApp was sending more than twice as many messages per day as Facebook Messenger. Onavo allowed Facebook to spot WhatsApp’s meteoric rise and justify paying $19 billion to buy the chat startup in 2014. WhatsApp has since tripled its user base, demonstrating the power of Onavo’s foresight.
Over the years since, Onavo clued Facebook in to what apps to copy, features to build and flops to avoid. By 2018, Facebook was promoting the Onavo app in a Protect bookmark of the main Facebook app in hopes of scoring more users to snoop on. Facebook also launched the Onavo Bolt app that let you lock apps behind a passcode or fingerprint while it surveils you, but Facebook shut down the app the day it was discovered following privacy criticism. Onavo’s main app remains available on Google Play and has been installed more than 10 million times.
The backlash heated up after security expert Strafach detailed in March how Onavo Protect was reporting to Facebook when a user’s screen was on or off, and its Wi-Fi and cellular data usage in bytes even when the VPN was turned off. In June, Apple updated its developer policies to ban collecting data about usage of other apps or data that’s not necessary for an app to function. Apple proceeded to inform Facebook in August that Onavo Protect violated those data collection policies and that the social network needed to remove it from the App Store, which it did, Deepa Seetharaman of the WSJ reported.
But that didn’t stop Facebook’s data collection.
Project Atlas
TechCrunch recently received a tip that despite Onavo Protect being banished by Apple, Facebook was paying users to sideload a similar VPN app under the Facebook Research moniker from outside of the App Store. We investigated, and learned Facebook was working with three app beta testing services to distribute the Facebook Research app: BetaBound, uTest and Applause. Facebook began distributing the Research VPN app in 2016. It has been referred to as Project Atlas since at least mid-2018, around when backlash to Onavo Protect magnified and Apple instituted its new rules that prohibited Onavo. Facebook didn’t want to stop collecting data on people’s phone usage and so the Research program continued, in disregard for Apple banning Onavo Protect.
Facebook’s Research App on iOS
Ads (shown below) for the program run by uTest on Instagram and Snapchat sought teens 13-17 years old for a “paid social media research study.” The sign-up page for the Facebook Research program administered by Applause doesn’t mention Facebook, but seeks users “Age: 13-35 (parental consent required for ages 13-17).” If minors try to sign-up, they’re asked to get their parents’ permission with a form that reveal’s Facebook’s involvement and says “There are no known risks associated with the project, however you acknowledge that the inherent nature of the project involves the tracking of personal information via your child’s use of apps. You will be compensated by Applause for your child’s participation.” For kids short on cash, the payments could coerce them to sell their privacy to Facebook.
The Applause site explains what data could be collected by the Facebook Research app (emphasis mine):
“By installing the software, you’re giving our client permission to collect data from your phone that will help them understand how you browse the internet, and how you use the features in the apps you’ve installed … This means you’re letting our client collect information such as which apps are on your phone, how and when you use them, data about your activities and content within those apps, as well as how other people interact with you or your content within those apps. You are also letting our client collect information about your internet browsing activity (including the websites you visit and data that is exchanged between your device and those websites) and your use of other online services. There are some instances when our client will collect this information even where the app uses encryption, or from within secure browser sessions.”
Meanwhile, the BetaBound sign-up page with a URL ending in “Atlas” explains that “For $20 per month (via e-gift cards), you will install an app on your phone and let it run in the background.” It also offers $20 per friend you refer. That site also doesn’t initially mention Facebook, but the instruction manual for installing Facebook Research reveals the company’s involvement.
Facebook’s intermediary uTest ran ads on Snapchat and Instagram, luring teens to the Research program with the promise of money
Facebook seems to have purposefully avoided TestFlight, Apple’s official beta testing system, which requires apps to be reviewed by Apple and is limited to 10,000 participants. Instead, the instruction manual reveals that users download the app from r.facebook-program.com and are told to install an Enterprise Developer Certificate and VPN and “Trust” Facebook with root access to their phone plus much of the data it transmits. Apple requires that developers agree to only use this certificate system for distributing internal corporate apps to their own employees. Randomly recruiting testers and paying them a monthly fee appears to violate the spirit of that rule.
Security expert Will Strafach found Facebook’s Research app contains lots of code from Onavo Protect, the Facebook-owned app Apple banned last year
Once installed, users just had to keep the VPN running and sending data to Facebook to get paid. The Applause-administered program requested that users screenshot their Amazon orders page. This data could potentially help Facebook tie browsing habits and usage of other apps with purchase preferences and behavior. That information could be harnessed to pinpoint ad targeting and understand which types of users buy what.
TechCrunch commissioned Strafach to analyze the Facebook Research app and find out where it was sending data. He confirmed that data is routed to “vpn-sjc1.v.facebook-program.com” that is associated with Onavo’s IP address, and that the facebook-program.com domain is registered to Facebook, according to MarkMonitor. The app can update itself without interacting with the App Store, and is linked to the email address PeopleJourney@fb.com. He also discovered that the Enterprise Certificate indicates Facebook renewed it on June 27th, 2018 — weeks after Apple announced its new rules that prohibited the similar Onavo Protect app.
“It is tricky to know what data Facebook is actually saving (without access to their servers). The only information that is knowable here is what access Facebook is capable of based on the code in the app. And it paints a very worrisome picture,” Strafach explains. “They might respond and claim to only actually retain/save very specific limited data, and that could be true, it really boils down to how much you trust Facebook’s word on it. The most charitable narrative of this situation would be that Facebook did not think too hard about the level of access they were granting to themselves … which is a startling level of carelessness in itself if that is the case.”
“Flagrant defiance of Apple’s rules”
In response to TechCrunch’s inquiry, a Facebook spokesperson confirmed it’s running the program to learn how people use their phones and other services. The spokesperson told us “Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.”
Facebook’s Research app requires Root Certificate access, which Facebook gather almost any piece of data transmitted by your phone
Facebook’s spokesperson claimed that the Facebook Research app was in line with Apple’s Enterprise Certificate program, but didn’t explain how in the face of evidence to the contrary. They said Facebook first launched its Research app program in 2016. They tried to liken the program to a focus group and said Nielsen and comScore run similar programs, yet neither of those ask people to install a VPN or provide root access. The spokesperson confirmed the Facebook Research program does recruit teens but also other age groups from around the world. They claimed that Onavo and Facebook Research are separate programs, but admitted the same team supports both as an explanation for why their code was so similar.
Facebook’s Research program requested users screenshot their Amazon order history to provide it with purchase data
However, Facebook claim that it doesn’t violate Apple’s Enterprise Certificate policy is directly contradicted by the terms of that policy. Those include that developers “Distribute Provisioning Profiles only to Your Employees and only in conjunction with Your Internal Use Applications for the purpose of developing and testing”. The policy also states that “You may not use, distribute or otherwise make Your Internal Use Applications available to Your Customers” unless under direct supervision of employees or on company premises. Given Facebook’s customers are using the Enterprise Certificate-powered app without supervision, it appears Facebook is in violation.
Facebook disobeying Apple so directly could hurt their relationship. “The code in this iOS app strongly indicates that it is simply a poorly re-branded build of the banned Onavo app, now using an Enterprise Certificate owned by Facebook in direct violation of Apple’s rules, allowing Facebook to distribute this app without Apple review to as many users as they want,” Strafach tells us. ONV prefixes and mentions of graph.onavo.com, “onavoApp://” and “onavoProtect://” custom URL schemes litter the app. “This is an egregious violation on many fronts, and I hope that Apple will act expeditiously in revoking the signing certificate to render the app inoperable.”
Facebook is particularly interested in what teens do on their phones as the demographic has increasingly abandoned the social network in favor of Snapchat, YouTube and Facebook’s acquisition Instagram. Insights into how popular with teens is Chinese video music app TikTok and meme sharing led Facebook to launch a clone called Lasso and begin developing a meme-browsing feature called LOL, TechCrunch first reported. But Facebook’s desire for data about teens riles critics at a time when the company has been battered in the press. Analysts on tomorrow’s Facebook earnings call should inquire about what other ways the company has to collect competitive intelligence.
Last year when Tim Cook was asked what he’d do in Mark Zuckerberg’s position in the wake of the Cambridge Analytica scandal, he said “I wouldn’t be in this situation … The truth is we could make a ton of money if we monetized our customer, if our customer was our product. We’ve elected not to do that.” Zuckerberg told Ezra Klein that he felt Cook’s comment was “extremely glib.”
Now it’s clear that even after Apple’s warnings and the removal of Onavo Protect, Facebook is still aggressively collecting data on its competitors via Apple’s iOS platform. “I have never seen such open and flagrant defiance of Apple’s rules by an App Store developer,” Strafach concluded. If Apple shuts the Research program down, Facebook will either have to invent new ways to surveil our behavior amidst a climate of privacy scrutiny, or be left in the dark.
If you haven’t been paying attention to TikTok, you haven’t been paying attention. The short-form video app hailing from Beijing’s ByteDance just had its biggest month ever with the addition of 75 million new users in December — a 275 percent increase from the 20 million it added in December 2017, according a recent report from Sensor Tower.
Despite its rapid rise, there are still plenty of people — often, older people — who aren’t quite sure what TikTok is.
TikTok is often referred to as a “lip-syncing” app, which makes it sound like it’s some online karaoke experience. But a closer comparison would be Vine, Twitter’s still sorely missed short-form video app whose content lives on as YouTube compilations.
While it’s true that TikTok is home to some standard lip-syncing, it’s actually better known for its act-out memes backed by music and other sound clips, which get endlessly reproduced and remixed among its young users.
Its tunes are varied — pop, rap, R&B, electro and DJ tracks serve as backing for its 15-second video clips. But the sounds may also be snagged from YouTube music videos (see: I Baked You A Pie above), SoundCloud or from pop culture — like weird soundbites from Peppa Pig or Riverdale — or just original creations.
These memes-as-videos reference things familiar to Gen Z, like gaming culture (see below). They come in the form of standalone videos, reactions, duets, mirrors/clones and more.
The app has been growing steadily since it acquired its U.S.-based rival Musical.ly in November 2017 for north of $800 million, then merged the two apps’ user bases last August.
This gave TikTok the means to grow in Western markets, where it has attracted the interest of U.S. celebrities like Jimmy Fallon and Tony Hawk, for example, along with YouTubers on the hunt for the next new thing.
But unlike Vine (RIP), YouTube or Instagram, TikTok doesn’t yet feel dominated by micro-celebs, though they certainly exist.
Instead, its main feed often surfaces everyday users — aka, amateurs — doing something cute, funny or clever, with a tacit acknowledgement that “yes, this is an internet joke” underlying much of the content.
But that’s because those of us trying to talk about TikTok are old(er) people who grew up on the big ol’ mean internet.
Cringey, frankly, is an unfair label, as it dismisses TikTok’s success in setting a tone for its community. Here, users will often post and share unapologetically wholesome content, and receive less mocking than elsewhere on the web — largely because everyone else on TikTok posts similar “cringey” content, too.
You might not know this, however, if your only exposure to TikTok comes from YouTube’s TikTok Cringe Compilations. But spend a day in the (oddly addictive) TikTok feed, and you’ll find a whole world of video that doesn’t exist anywhere else on the web — including on YouTube. Videos that are weird, sure — but also fun to watch.
It’s a stark comparison to the existing social media platforms.
Users today are engaged in the culture wars on Twitter (ban the Nazis! protect free speech!), while YouTubers are gaming the algorithm with hateful, exploitive, dangerous and otherwise questionable content that freaks out advertisers. And Facebook is, well, contributing to war crimes and the toppling of democracy.
Meanwhile, TikTok presents an alternative version of online sharing. Simple, goofy, irreverent — and frankly, it’s a much needed reset.
For example, some of the popular TikTok memes have included videos of kids proclaiming what a great mom they have, as they drag her into frame, or they remind people to pick up litter and conserve water. They might give themselves silly, but self-affirming makeovers where, afterwards, they cite themselves not as “cute” but rather “drop. dead. gorgeous.”
They shout out “hit or miss!” in public places and wait to see who answers. (Look it up.)
Sometimes it’s dumb, Sometimes it’s clever. But it’s addictive.
Of course, it is still the internet. And TikTok isn’t perfect.
The app has also been the subject of troubling reports about its “dark” side, which is reportedly filled with child predators and teens bullying and harassing one another. It’s not clear, however, that TikTok’s affliction with these matters is any worse than any other large, social, public-by-default app of its size.
And unlike some apps, concerned parents — or the users themselves — can set a TikTok account to private, turn off commenting, hide the account from search, disable downloads, disallow reactions and duets and restrict an account from receiving messages.
It is concerning, however, that under-13 kids are setting up social media accounts without parental consent. (But, uh, have you seen Fortnite and Roblox? This is what kids do. At least the TikTok main feed isn’t worrisome, we’ve found.)
The bigger issue, though — and one that could ultimately prove damaging to TikTok — is whether it will be able to keep up with content filtering and takedown requests, or handle its security and privacy protection issues as it scales up.
Content and community aren’t the only things contributing to TikTok’s growth.
While Vine may have introduced the concept of short-form video, TikTok made video editing incredibly simple. You don’t need to be a video expert to put together clips with a range of effects. It’s the Instagram for the mobile video age — in a way that Instagram itself won’t be able to reproduce, having already aligned its community with influencers and advertisers.
TikTok’s sizable user base, meanwhile, is due not only to its growth in Western markets, but because of its traction in emerging markets like China and India.
This allowed TikTok to rank No. 4 worldwide across iOS and Android, combined, according to App Annie’s data on the most-downloaded apps of 2018. On iOS, TikTok was the No. 1 most-downloaded app of the year, mainly thanks to China.
The country accounted for 27 percent of new installs between December 2017 and December 2018, and last month was the source for 32.3 million of TikTok’s 75 million total new downloads — a 25x increase from last year.
Some of this growth comes from ad spend, according to a report from Apptopia, which examined the app’s widened use of ad networks. (It’s also drivingpeoplebonkers with its YouTube ads).
The revenue is starting to arrive, as well.
Worldwide, users spent $6 million tipping their favorite live streamers, a 253 percent year-over-year jump from December 2017’s total of $1.7 million, Sensor Tower estimates. But live streaming is not the default activity on TikTok — it added the feature after shutting down Musical.ly’s live streaming app, Live.ly.
Above: full-screen ad in TikTok when app is first launched; spotted today
TikTok is also starting to test in-app advertising, and is being eyed by agencies as a result. When you launch TikTok, you may see a full-page splash screen ad of some kind — though the company has not officially launched ad products.
But the brands are starting to take notice. This week, for example, TikTok collaborated with SportsManias, an officially licensed NFL Players Association partner, for the introduction of NFL-themed AR animated stickers in time for the Super Bowl. The move feels like a test for how well branded content will perform within the TikTok universe, but the company says it’s “not an ad deal.”
The company also declined to say how many are today using TikTok.
However, parent company ByteDance had publicly stated last year that it had 500 million monthly active users when it announced the app’s rebranding post-merger. It has yet to release new numbers for its global user base.
Step’s focus on this younger demographic puts it in a different space, where there are fewer competitors. Its more direct rivals are not the bigger mobile banks, but rather startups like 
The company pays a 2.5 percent interest rate on deposits, offers a round-up savings feature and a range of budgeting tools and supports free instant transfers between Step accounts. It also provides access to a network of 35,000 ATMs with no fees.
