OECD adopts declaration on trusted government access to private sector data

A notable development for the fraught issue of cross-border data flows from the Organisation for Economic Co-operation and Development (OECD) Wednesday: After two years of closed-door discussions, the intergovernmental organization has adopted a declaration on government access to data held by private sector entities.

The declaration, which has been adopted by the 38 OECD countries and the European Union, talks about “legitimate government access on the basis of common values” — and identifies seven shared principles (summarized below) which member countries have agreed reflect “commonalities” drawn from their existing laws and practices. The stated aim is to increase clarity about how government agencies can access data.

Member countries adopting the declaration include the U.S., U.K., European Union Member States including France and Germany and other international democracies including Australia, Canada, Israel, Japan, Korea, Mexico and New Zealand.

The move comes almost a decade after NSA whistleblower Edward Snowden brought a different kind of clarity to the world on that topic when he leaked scores of intelligence documents to journalists detailing how spooks in the U.S. and other Western democracies were quietly tapping into commercial Internet platforms and helping themselves to user data without a thought for people’s privacy.

Western governments have moved on from the Snowden scandal by — in many cases — updating their legal frameworks to embed mass surveillance (often with a claimed wrapper of democratic accountability and safeguarding). However, differences in the levels of legal protection afforded to privacy between countries, and discrepancies between how citizens and foreigners may be treated under surveillance regimes, continue to cause trouble for cross-border data flows — which the OECD is concerned threatens the smooth scaling of the global digital economy.

The declaration builds on an earlier (1980!) OECD recommendation, on privacy and transborder flows of personal data, by addressing “policy gaps” affecting the cross-border flow of personal data — and specifically tackling what it describes as “the lack of a common articulation at the international level of the safeguards that countries put in place to protect privacy and other human rights and freedoms when they access personal data held by private entities in the course of fulfilling their sovereign responsibilities related to national security and law enforcement”.

Or, put another way, the OECD wants a set of agreed principles for how governments say they will acquire and use private sector user data to be out there, in writing, building trust that surveillance practices have reformed, are regulated, and are becoming increasingly aligned between economically allied nations, to encourage a lowering of barriers to cross border data flows for members of the club.

Here are the seven principles in the declaration — with lightly condensed summaries:

1) Legal basis: The declaration says data access by government is provided for and regulated by the country’s legal framework that is binding on government authorities and adopted and implemented by democratically established institutions operating under the rule of law — and which sets out “purposes, conditions, limitations and safeguards concerning government access, so that individuals have sufficient guarantees against the risk of misuse and abuse”.

2) Legitimate aims: Government access “supports the pursuit of specified and legitimate aims”, so is not excessive vis-a-vis those aims and is in accordance with legal standards of necessity, proportionality, reasonableness etc — and in conformity with the rule of law. So access cannot be used for purposes such as suppressing criticism or dissent; or disadvantaging persons or groups solely on the basis of protected characteristics etc.

3) Approvals: It says prior approval requirements are embedded in the legal framework to ensure access is “conducted in accordance with applicable standards, rules and processes”. The declaration also notes these are “commensurate with the degree of interference with privacy and other human rights and freedoms that will occur as a result of government access” — and stipulates that “stricter approval requirements are in place for cases of more serious interference, and may include seeking approval from judicial or impartial non-judicial authorities”. Emergency exceptions to approval requirements are also provided for in the legal framework, and are “clearly defined, including justifications, conditions, and duration”. Decisions on approvals are “appropriately documented” and “made objectively, on a factual basis in pursuit of a specified and legitimate aim and upon satisfaction that the approval requirements are met”. Where approvals are not required, the declaration states that other safeguards in the legal framework apply to protect against misuse and abuse, including “clear rules that impose conditions or limitations on the access, as well as effective oversight”.

4) Data handling: Personal data acquired through government access can be processed and handled only by authorised personnel — and this activity is subject to requirements provided for in the legal framework, including putting in place physical, technical and administrative measures to maintain privacy, security, confidentiality, and integrity. Mechanisms to ensure that personal data are processed lawfully; retained only for as long as authorised in the legal framework in view of the purpose and taking into account the sensitivity of the data; and are kept accurate and up to date (“to the extent appropriate having regard to the context”) are also included, along with internal controls to detect, prevent and remedy data loss or unauthorised or accidental data access, destruction, use, modification, or disclosure, and to report such instances to oversight bodies.

5) Transparency: The general legal framework for government access is declared as “clear and easily accessible to the public so that individuals are able to consider the potential impact of government access on their privacy and other human rights and freedoms”. The document also states mechanisms exist for providing transparency about government access to personal data “that balance the interest of individuals and the public to be informed with the need to prevent the disclosure of information that would harm national security or law enforcement activities” — providing examples like public reporting by oversight bodies on government compliance with legal requirements; procedures for requesting access to government records; regular reporting by governments; and, “where applicable”, individual notification. Private sector entities may issue “aggregate statistical reports” regarding government access requests “in line with legal framework requirements”.

6) Oversight: Mechanisms exist for “effective and impartial” oversight to ensure that government access complies with the legal framework — provided through bodies including internal compliance offices; courts; parliamentary or legislative committees; and independent administrative authorities. Bodies acting according to individual mandates have powers to obtain and review relevant information; conduct investigations or inquiries; execute audits; engage with government entities on compliance and mitigation; and address non-compliance — also receiving and responding to reports of non-compliance (and potentially to individual complaints) to ensure that government entities are accountable. “In the exercise of their functions, oversight bodies are protected from interference and have the financial, human and technical resources to effectively carry out their mandate,” the declaration states. “They document their findings, produce reports, and make recommendations, which are made publicly available to the greatest extent possible.”

7) Redress: The legal framework provides individuals with “effective judicial and non-judicial redress” to “identify and remedy” violations of the national legal framework. The declaration says such redress mechanisms “take into account the need to preserve confidentiality of national security and law enforcement activities” — stipulating this may include “limitations on the ability to inform individuals whether their data were accessed or whether a violation occurred”. Available remedies (“subject to applicable conditions”) include terminating access; deleting improperly accessed or retained data; restoring the integrity of data; and the cessation of unlawful processing. Compensation for damages suffered by an individual is also included as a possibility — “depending on the circumstances”.

Thorny issues for cross-border data flows

In a press release accompanying the declaration the OECD says its hope is it will boost trust and get data moving, writing: “The principles set out how legal frameworks regulate government access; the legal standards applied when access is sought; how access is approved, and how the resulting data is handled; as well as efforts by countries to provide transparency to the public. They also tackle some of the thornier issues — such as oversight and redress — that have proved challenging to policy discussions for many years.”

“The project stemmed from growing concerns that the absence of common principles in the sensitive domains of law enforcement and national security could lead to undue restrictions on data flows,” it adds. “Another motivating factor is a desire to increase trust among rule-of-law democratic systems that, while not identical, share significant commonalities.”

“Being able to transfer data across borders is fundamental in this digital era for everything from social media use to international trade and cooperation on global health issues. Yet, without common principles and safeguards, the sharing of personal data across jurisdictions raises privacy concerns, particularly in sensitive areas like national security,” added OECD secretary-general Mathias Cormann in a supporting statement. “Today’s landmark agreement formally recognises that OECD countries uphold common standards and safeguards. It will help to enable flows of data between rule-of-law democracies, with the safeguards needed for individuals’ trust in the digital economy and mutual trust among governments regarding the personal data of their citizens.”

Cross-border data flows remain a very topical issue, with the EU — just yesterday — publishing a draft U.S. adequacy decision on transatlantic data exports. That still-yet-to-be-finalized EU-U.S. Data Privacy Framework is intended to replace two prior data transfer deals that were struck down by the bloc’s top court over concerns about U.S. government surveillance. And in the meanwhile, while EU institutions set to work scrutinizing the quality of redress the U.S. has offered its citizens who have concerns about what’s being done with their data once it’s over the pond, legal uncertainty — and even the risk of regional shutdown — hangs over U.S. cloud services in Europe.

One way to reduce the risk of further legal strikes — and, more broadly, to push back against a rising tide of data localization around the globe when/if countries feel moved to keep a sovereign hold on citizens’ data because of security concerns over foreign surveillance — is for like-minded nations to hew closer to a set of practices governing government access to private sector data.

Hence the declaration reads like an attempt to lower protectionist barriers that the OECD sees as standing in the way of the digital transformation of the global economy — and all the economic upside the latter implies.

But this text is just the end of a lengthy and, by some accounts, rather fraught process. An older version of the text — which was not made public but which we’ve reviewed via a source — contained some substantially different wording on the topic of cross-border data flows that suggests there was appetite among some in the discussion room for the OECD to take a more aggressive approach to beating back barriers to transborder data flows.

The proposal text we reviewed included wording stating that member countries should “refrain” from restricting cross-border data flows over national security or law enforcement access concerns if the destination country, whether an OECD member or not, “substantially observes” and “effectively implements” the principles of the declaration — and suggested member countries should instead focus their concern on data flows to countries where national security or law enforcement access does not align with the principles or is otherwise inconsistent with democratic values, the rule of law and respect for human rights.

The final OECD declaration scrubs the suggested text — in favor of a considerably less ambitious statement of recognition that “where our legal frameworks require that transborder data flows are subject to safeguards, our countries take into account a destination country’s effective implementation of the principles as a positive contribution towards facilitating transborder data flows in the application of those rules”.

So the idea of signatories agreeing to, essentially, ignore their own rule of law — in the case of the EU (given the General Data Protection Regulation requires local regulators to suspend data exports to third countries if they believe citizens’ data will not get essentially equivalent legal protection at the destination country as it does in the EU — a scenario which is still, currently, the case for the U.S., an OECD member and signatory to this declaration) — in the name of maximizing data flows and economic upside between OECD members has, rather unsurprisingly, been dropped in the final text.

Such a suggestion would have been anathema to the EU — which sent high-level representatives to the Ministerial meeting of the Committee on Digital Economy Policy, in Gran Canaria, Spain, where the declaration was adopted on Wednesday afternoon. So the bloc seems pleased enough with the final outcome. (The Commission’s spokesperson service did not respond to questions about the earlier wording proposing to supplant the GDPR’s regulation of data transfers to third countries with an alternative, lower OECD standard.)

Some implicit inter-OECD member drama aside, it’s worth noting that an OECD declaration is not legally binding in any case. So while this high level statement by members contains commitments they “uphold democracy and the rule of law and protect privacy and other human rights and freedoms” (vis-a-vis government access to data), it’s not clear how much practical impact the declaration could have on surveillance practice and, well, surveillance overreach.

Nor whether any reconfiguring of Western democracies’ troublesome appetite for mass surveillance (to something, er, less legally risky to cross-border data flows) is even intended for a declaration that talks about wanting to boost trust in data flows while simultaneously claiming: “[O]ur countries’ approach to government access is in accordance with democratic values; safeguards for privacy and other human rights and freedoms; and the rule of law including an independent judiciary” — despite several OECD members having legislated for state surveillance powers that human rights groups have denounced as anti-democratic and antithetical to privacy, and which tenaciously stick with data retention regimes that courts keep finding unlawful.

You won’t find those kinds of awkward details recognized in this declaration — despite a claim by members to reject “any approach to government access to personal data held by private sector entities that, regardless of the context, is inconsistent with democratic values and the rule of law, and is unconstrained, unreasonable, arbitrary or disproportionate”.

Meanwhile, stakeholders’ calls for more work by governments to protect privacy and freedom of expression only get a passing “note[d]” in the text.

The closed-door nature of the negotiations to draw up the declaration has also been raised as a concern by civil society groups (aka stakeholders) — who have complained they were prevented from fully participating in the discussion process, with no ability for such groups to comment on the final draft ahead of publication, for example.

CSISAC, which acts as the voice of civil society at the OECD’s Committee on Digital Economy Policy — helping to get information flowing between the organization and civil society groups with the aim of achieving better policy outcomes — put out a statement following the declaration’s publication expressing concern at the “lack of procedural guardrails” on the talks on government access and lamenting that the usual formal multi-stakeholder OECD process was not followed in this case.

The members of CSISAC’s Steering Committee present at the @OECD Digital Economy Ministerial Meeting at Gran Canaria, Spain, have released a statement regarding the Trusted Government Access to Private Sector Data Ministerial Declaration. @OECDinnovation #oecdigital pic.twitter.com/3Et9xM3S2M

— CSISAC (@CSISAC) December 14, 2022

“The removal of civil society’s voice in one of the most sensitive and important projects at the OECD sets a dangerous precedent,” the committee goes on, pointing out that the reason given by the OECD for this exclusion — namely, the participation of members of the intelligence community in the negotiations for the declaration — need not have led to the exclusion of civil society from later stages of the process. Any future “similarly sensitive discussions” should not see a repeat of civil society input being shut out, it further urges.

OECD adopts declaration on trusted government access to private sector data by Natasha Lomas originally published on TechCrunch

Daily Crunch: Twitter backpedals on CEO’s promise, permanently bans user who tracked his private jet

To get a roundup of TechCrunch’s biggest and most important stories delivered to your inbox every day at 3 p.m. PDT, subscribe here.

Hello, and happy Wednesday! As I write this, I am also enjoying a virtual “holiyay” celebration with my fellow TechCrunchers. Haje is leaving on a jet plane, but he’ll be back tomorrow. Let’s dive into the news. — Christine

The TechCrunch Top 3

You can’t handle the jet: Elon Musk stated that he was going to protect free speech, even for the person behind Elon Jet, the Twitter account tracking his flights, but alas the account has been permanently suspended. Amanda has more.
If you can’t beat ’em, join ’em: It used to be that Apple fought what they call “sideloading” alternative app stores on the iPhone, but in order to comply with European laws, the consumer tech giant is now reportedly looking at allowing them with iOS 17, which will come out next year, Ivan reports.
Cash flow conundrum: Mary Ann reports on Nilus, a startup that secured $8.5 million to automate financial workflows for companies to more easily manage customer payments.

Startups and VC

Wow, you all were eating up the fintech news today. Okay, here is another one. Bondaval, a London-based B2B company providing credit teams with assurance that customers will pay their bills, raised $15 million in Series A funding, with Catherine writing that Bondaval has now expanded into new use cases for credit managers at large companies, including those in the energy sector.

And we have four more for you:

You look mahvelous: Bollywood star Deepika Padukone has a hit on her hands with her skincare startup, which took in $7.5 million, Manish writes.
Taking off: Ingrid reports on another round of funding for Shield AI, which gives it a $2.3 billion valuation. The company, with its military autonomous flying tech, is a bright spot in the defense sector, which continues to attract investments.
I need a dollar, or 1 billion of them: Visa is committing $1 billion to Africa over the next five years to target partnerships and invest in businesses tackling problems ranging from food insecurity to the underbanked, Tage writes.
You can bet on this: Blockchain has faced its fair share of challenges this year, between crypto winter and other scandals, Mike writes, but it seems to be finding its stride in the sports betting market.

Dear Sophie: When can I register my employee for the H-1B lottery?


Dear Sophie,

We’re a pre-seed startup thinking about sponsoring an early employee’s H-1B visa to stay in the U.S. and work for us.

How does the process work?

— Seeking in San Mateo

Three more from the TC+ team:

Round, round, Getaround: Alex has been following Getaround and why the SPAC route makes sense for the consumer car rental marketplace.
Sunny days are hopefully here again: Solar panels are great, when they work. Haje writes about SmartHelio raising $5 million to continue developing its AI technology to catch when solar panels need fixing, before they break.
Jumping on the SaaS bandwagon: Guidewheel has plans to turn $9 million of new funding into SaaS that boosts manufacturing and trims carbon emissions, writes Tim.

TechCrunch+ is our membership program that helps founders and startup teams get ahead of the pack. You can sign up here. Use code “DC” for a 15% discount on an annual subscription!

Big Tech Inc.

The U.S. National Security Agency warned that Chinese hackers were exploiting a zero-day bug in two of Citrix’s networking products. Carly writes that “the critical-rated vulnerability allows an unauthenticated attacker to remotely run malicious code on vulnerable devices — no passwords needed.” Ooof!

Another warning that Twitter news is coming. Natasha L writes that Elon Musk reportedly forcing tracking ads on Twitter is putting him on the short list for a talking-to by the European Union. Also, Twitter co-founder Jack Dorsey had a good one-day run posting on Revue, Twitter’s newsletter platform, before the social media giant announced it was shutting it down. Amanda has more on that.

And we have four more for you:

Fancy meeting you here: It’s good to have goals. Do you have a goal? Well, Tinder is taking a nod from sister dating app Hinge and wants its users to make relationship goals, Lauren reports.
All your subscriptions in one place: Lauren also writes about Verizon testing a subscription service aggregator called +Play.
Give a gift, get a gift: If you are looking for some last-minute gift ideas for some of your more picky pals, Matt has some high-tech gift ideas for the cannabis users in your life, while Darrell gathered seven for that person who is a smart-home smartypants.
Here’s something you can bet on: You can get a lot of things delivered to your hotel, and Las Vegas visitors can now add semi-autonomous EVs, writes Rebecca.

Daily Crunch: Twitter backpedals on CEO’s promise, permanently bans user who tracked his private jet by Christine Hall originally published on TechCrunch

Frustration and anger after SPV platform Assure dumps users at the curb ahead of holidays

Over the last decade or so, the once-clubby world of startup investing has been cracked wide open by a number of innovations, including special purpose vehicles (SPVs), which are essentially pop-up venture funds that come together quickly with monies from all kinds of accredited investors — from institutions to VCs to dentists — to nab a stake in a single privately held company.

Yet as the market has soured, many investors are learning the hard way that SPVs are complicated, expensive, and not the sure-fire path to riches they once appeared to be. In fact, some who began assembling these SPVs were just left high and dry by a popular SPV administration platform, Assure, which announced somewhat abruptly in late November that it is shutting down and that its customers need to find a new home for their funds by the end of the year.

The move has left many scrambling, and furious. Says Eric Bahn, a co-founder of the seed-stage firm Hustle Fund, which turned to Assure five years ago to set up some SPVs: “We were very unhappy there for some time; the software felt janky to use. But to be told Assure is shutting down right before Thanksgiving — it’s the worst timing possible. If you’re going to run a search for a new provider, you don’t want to do it at the end of the year.”

The shutdown is also costing Assure customers money at a time when many are already feeling the pinch of an economic downturn. Eric Seufert, the sole general partner of Heracles Capital, an Austin-based pre-seed stage fund that is managing $10 million, says he paid the outfit $8,000 per SPV that it managed on his behalf to service the vehicle over its life span. “It was a one-time fee for them to handle all the taxes and all that.”

When Assure said it was shutting down, however, it added that it wouldn’t be refunding those fees, no matter that it didn’t deliver on its promise. “That means we have to pay another provider another fee,” says Seufert, and while investors in each SPV helped cover the initial cost, “it’s not like I’m going to reach out to investors and have them pay again,” he adds. “For me, that’s tens of thousands of dollars unexpectedly that’s coming out of my pocket.”

We’ve reached out to Assure in recent days for comment and haven’t received a response. We also reached out to Jason Calacanis, an investor who formed an SPV to invest in Assure, then heavily promoted its services on his “This Week in Startups” podcast.

In response to our request for help, Calacanis replied via email to “feel free to ask me on Twitter.”

Based on conversations we had with Bahn, Seufert and numerous other Assure customers who spoke with us on background, Assure’s offering was never the sophisticated option. The advantage that the 10-year-old Salt Lake City firm offered was that it was priced competitively. Whereas some customers paid $8,000 per SPV, others say they paid even less for Assure’s management of their SPVs, including $2,000 and $3,000 per SPV in some cases.

Compared to AngelList — the investment platform that helped popularize SPV investing and that charges a setup fee of $8,000 plus the cost of add-ons, including $4,000 for follow-on investments, $1,000 for international investments, $2,000 for crypto investments that involve tokens, and $10,000 to manage the SPV’s financial statements — Assure seemed to some like a steal.

Alas, because Assure didn’t charge more upfront, the company relied on a steady stream of new clients in order to cover all of its operating costs. When the market turned and investors lost their appetite for SPVs, those new clients slowed to a trickle, prompting Assure’s shutdown.

Says one fund manager, who spoke anonymously about his experience with Assure, which managed tens of SPVs for his firm: “As much as Assure talked about its products, it was a services business that had to keep bringing in [employees]. When the market slowed down and it was facing churn,” that revenue shortfall killed it.

Not that anyone feels sorry for Assure or its founder and CEO, Jeremy Neilson, who was previously a managing director at the Utah Fund of Funds, the state of Utah’s private equity program. On Twitter, Assure customers have variously vented about forming a class action lawsuit and their wish to see Neilson behind bars.

Bahn says that part of that anger ties to the way the company shut down — without apparent contrition or an explanation of what happened. Further, Assure offered “no real migration path,” says Bahn. “‘You’ll figure it out’ was the messaging from Assure,” he says.

That’s no exaggeration, seemingly. Assure’s surprise November announcement came only with a 30-minute-long pre-recorded video in which Neilson reports flatly: “This is an Assure transition presentation. As you’ve heard, Assure is shutting down. Assure will be handing back to you all of your SPVs funds. So these things are being handed back to you. You’re going to now have the ownership. You’re now going to be responsible for maintenance and be responsible for taxes and all post-close activities . . . of course you can find a third-party to assist . . .”

Afterward, customers say, the firm stopped responding to them almost completely.

Not everyone has gotten their money out of Assure, either. Seufert says one of his SPVs produced a return for investors in October, but while Assure issued checks to two-thirds of the individuals who contributed capital to the SPV, Assure stopped wiring money after that and became wholly unresponsive to Seufert until he mentioned this week that he was talking with TechCrunch.

After sending Assure a “pleading email to beg them to finish the distributions for the SPV that exited, they have agreed to do that,” he says, though as of this writing, that money has not been transferred.

Meanwhile, Neilson’s timing could scarcely be worse. Though newer platforms are advertising their related services right now — Vauban, an online investing platform recently acquired by Carta, has been promoting its services heavily; Assure meanwhile pointed customers to the nascent private markets platform Allocations — other providers “aren’t excited to talk to you,” says Bahn, because they are “already doing tax and auditing work for Q1.”

They also don’t want to take on unnecessary risk from a company that clearly did not have its ducks in a row.

Bahn, for example, was able to turn to AngelList, but the company is turning away many other managers for its own safety, explains AngelList venture CEO Avlok Kohli. “We’ve been reserved about blanket taking on any customer precisely because we are very deliberate about the types of customers and products we want to support, and in our view, there are some unknown unknowns in taking on products from another provider.”

Unfortunately, that leaves a lot of SPV managers without a lot of good options while also needing to take action quickly.

Jason Burke, the Boston-based founder and CEO of a software platform called All Stage that paid Assure to manage more than 30 SPVs on his behalf, is among those still mulling over his options. What he knows for certain is that he can’t do nothing.

“I think we’ll find some who put a blindfold on and just ignore this for now, but people will regret doing that,” says Burke. “The government, the IRS, isn’t going to ignore this stuff. People put money into these SPVs and they want a return or to be able to write off losses, so it falls to the syndicate group lead to find a path.”

Seufert hears much of the same from others of Assure’s frustrated customers; he started a Slack group for them several weeks ago that now counts 35 members. Still, it’s mid-December and Seufert — who in addition to managing a venture fund also publishes a mobile advertising trade blog — is himself still trying to figure out a plan for his SPVs as he juggles his other responsibilities.

There are a “bunch of other companies vying for this business, a bunch of startups chasing this space,” he observes. But he wonders whether, like Assure, they really know what they are doing. Says Seufert, “How do I know I won’t have to do this again a few years from now?”

Frustration and anger after SPV platform Assure dumps users at the curb ahead of holidays by Connie Loizos originally published on TechCrunch

Parsing LastPass’ data breach notice

Two weeks ago, the password manager giant LastPass disclosed its systems were compromised for a second time this year.

Back in August, LastPass found that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code. LastPass CEO Karim Toubba said the hacker’s activity was limited and contained, and told customers that there was no action they needed to take.

Fast forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn’t as lucky. The intruder had gained access to customer information.

In a brief blog post, Toubba said information obtained in the August incident was used to access a third-party cloud storage service that LastPass uses to store customer data, as well as customer data for its parent company GoTo, which also owns LogMeIn and GoToMyPC.

But since then, we’ve heard nothing new from LastPass or GoTo, whose CEO Paddy Srinivasan posted an even vaguer statement saying only that it was investigating the incident, but neglected to specify if its customers were also affected.

GoTo spokesperson Nikolett Bacso Albaum declined to comment.

Over the years, TechCrunch has reported on countless data breaches and what to look for when companies disclose security incidents. With that, TechCrunch has marked up and annotated LastPass’ data breach notice with our analysis of what it means and what LastPass has left out — just as we did with Samsung’s still-yet-unresolved breach earlier this year.

What LastPass said in its data breach notice

LastPass and GoTo share their cloud storage

A key part of why both LastPass and GoTo are notifying their respective customers is that the two companies share the same cloud storage.

Neither company named the third-party cloud storage service but it’s likely to be Amazon Web Services, the cloud computing arm of Amazon, given that an Amazon blog post from 2020 described how GoTo, known as LogMeIn at the time, migrated over a billion records from Oracle’s cloud to AWS.

It’s not uncommon for companies to store their data — even from different products — on the same cloud storage service. That’s why it’s important to ensure proper access controls and to segment customer data, so that if a set of access keys or credentials is stolen, it cannot be used to access a company’s entire trove of customer data.

If the cloud storage account shared by both LastPass and GoTo was compromised, it may well be that the unauthorized party obtained keys that allowed broad, if not unfettered, access to the company’s cloud data, encrypted or otherwise.

LastPass doesn’t yet know what was accessed, or if data was taken

In its blog post, LastPass said it was “working diligently” to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn’t yet know what customer data was accessed, or if data was exfiltrated from its cloud storage.

It’s a tough position for a company to be in. Some move to announce security incidents quickly, especially in jurisdictions that obligate prompt public disclosures, even if the company has little or nothing yet to share about what has actually happened.

LastPass will be in a far better position to investigate if it has logs it can comb through, which can help incident responders learn what data was accessed and if anything was exfiltrated. It’s a question that we ask companies a lot and LastPass is no different. When companies say that they have “no evidence” of access or compromise, it may be that they lack the technical means, such as logging, to know what was going on.

A malicious actor is probably behind the breach

The wording of LastPass’ blog post in August left open the possibility that the “unauthorized party” may not have been acting in bad faith.

It is both possible to gain unauthorized access to a system (and break the law in the process), and still act in good faith if the end goal is to report the issue to the company and get it fixed. It might not let you off a hacking charge if the company (or the government) isn’t happy with the intrusion. But common sense often prevails when it’s clear that a good-faith hacker or security researcher is working to fix a security issue, not cause one.

At this point it’s fairly safe to assume that the unauthorized party behind the breach is a malicious actor at work, even if the motive of the hacker — or hackers — is not yet known.

LastPass’ blog post says that the unauthorized party used information obtained during the August breach to compromise LastPass a second time. LastPass does not say what this information is. It could mean access keys or credentials that were obtained by the unauthorized party during their raid on LastPass’ development environment in August, but which LastPass never revoked.

What LastPass didn’t say in its data breach notice

We don’t know when the breach actually happened

LastPass did not say when the second breach happened, only that it was “recently detected”, which refers to the company’s discovery of the breach and not necessarily the intrusion itself.

There is no reason why LastPass, or any company, would withhold the date of intrusion if it knew when it was. If it was caught fast enough, you would expect it to be mentioned as a point of pride.

But companies will instead sometimes use vague terms like “recently” (or “enhanced”), which don’t really mean anything without necessary context. It could be that LastPass didn’t discover its second breach until long after the intruder gained access.

LastPass won’t say what kind of customer information could have been at risk

An obvious question is what customer information are LastPass and GoTo storing in their shared cloud storage? LastPass only says that “certain elements” of customer data were accessed. That could be as broad as the personal information that customers gave LastPass when they registered, such as their name and email address, all the way through to sensitive financial or billing information and customers’ encrypted password vaults.

LastPass is adamant that customers’ passwords are safe due to how the company designed its zero knowledge architecture. Zero knowledge is a security principle that allows companies to store their customers’ encrypted data so that only the customer can access it. In this case, LastPass stores each customer’s password vault in its cloud storage, but only the customer has the master password to unlock the data, not even LastPass.

The wording of LastPass’ blog post is ambiguous as to whether customers’ encrypted password vaults are stored in the same shared cloud storage that was compromised. LastPass only says that customer passwords “remain safely encrypted” which can still be true, even if the unauthorized party accessed or exfiltrated encrypted customer vaults, since the customer’s master password is still needed to unlock their passwords.

If it comes to be that customers’ encrypted password vaults were exposed or subsequently exfiltrated, that would remove a significant obstacle in the way of accessing a person’s passwords, since all they would need is a victim’s master password. An exposed or compromised password vault is only as strong as the encryption used to scramble it.

LastPass hasn’t said how many customers are affected

If the intruder accessed a shared cloud storage account storing customer information, it’s reasonable to assume that they had significant, if not unrestricted, access to whatever customer data was stored.

A best case scenario is that LastPass segmented or compartmentalized customer information to prevent a scenario like a catastrophic data theft.

LastPass says that its development environment, initially compromised in August, does not store customer data. LastPass also says its production environment — a term for servers that are actively in use for handling and processing user information — is physically separated from its development environment. By that logic, it appears that the intruder may have gained access to LastPass’ cloud production environment, despite LastPass saying in its initial August post-mortem that there was “no evidence” of unauthorized access to its production environment. Again, it’s why we ask about logs.

Assuming the worst, LastPass has about 33 million customers. GoTo has 66 million customers as of its most recent earnings in June.

Why did GoTo hide its data breach notice?

If you thought LastPass’ blog post was light on details, the statement from its parent company GoTo was even lighter. What was more curious is why, if you searched for GoTo’s statement, you wouldn’t initially find it. That’s because GoTo used “noindex” code on the blog post to tell search engine crawlers, like Google, to skip it and not catalog the page as part of its search results, ensuring that nobody could find it unless they knew its specific web address.

This week, LastPass, and its parent company GoTo, both published blog posts about their recent data breach: https://t.co/k45angqAyM

But if you search for GoTo’s blog post in Google, you won’t find it, because GoTo hid its breach notice from search engines using “noindex” code. pic.twitter.com/d83BZuOyR5

— Zack Whittaker (@zackwhittaker) December 2, 2022

Lydia Tsui, a director at crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo had removed the “noindex” code blocking the data breach notice from search engines, but declined to say for what reason the post was blocked to begin with.

Some mysteries we may never solve.

Parsing LastPass’ data breach notice by Zack Whittaker originally published on TechCrunch

Apple’s Emergency SOS via satellite prompts rescue after car goes off a cliff north of LA

Apple’s new “Emergency SOS” service that lets off-grid iPhone users call for help via satellite has led to what may very well be its first successful rescue operation, certainly the first to be documented live.

As related by the Montrose Search & Rescue Team, which conducted the operation, two people were in a vehicle driving through the Angeles National Forest yesterday afternoon when their car went off the road and “off the side of the mountain, approximately 300′.” The impact was serious enough to strip the front bumper off the car, which seems to have then tumbled or slid into a narrow valley well below the highway.

With no cell coverage (they were about 19 miles into the forest) and possibly injured, the pair made the decision to try out the new satellite communication service introduced in September for the iPhone 14 and 14 Pro.

The service requires users to point their phone at a passing partner satellite, and when a connection is established their location is sent along with any circumstances, like whether someone is hurt. The message goes to a relay service, which then passes it to the appropriate authorities — in this case LA county fire department, sheriffs, and the SAR team in Montrose. (I’ve contacted the team to see how the experience was from their end and will update if I hear back.)

“The call center gave us an accurate latitude and longitude for the victims,” wrote the rescue team. “[Helicopter] Rescue 5 was able to locate the victims and insert a paramedic. The paramedic learned the patients, a male and female in their 20s, had mild to moderate injuries. The helicopter was able to hoist the victims out of the canyon and transport them to a local area hospital.”

Apple’s service is just one of several ways people may soon be able to use satellites directly from their phones. Lynk promises a regular exchange of data for SMS and emergency alert purposes, and T-Mobile is partnering with Starlink to enable something like that for subscribers as well.

Apple’s Emergency SOS via satellite prompts rescue after car goes off a cliff north of LA by Devin Coldewey originally published on TechCrunch

Murmur gets a loud ask: reinvent closed door decisions

The conversation in startup land has shifted from building in public to, hey, maybe let’s just figure things out internally before we scream to the masses.

At least that’s what I’m gleaning from the growth story of Murmur, a startup that wants to make decision-making easier for private companies. Built by entrepreneur Aaron Dignan, Murmur launched its closed beta in 2021 with a vision to create a public forum of private work agreements so companies could scale remote policies faster.

Now Dignan is back, nearly two years later, to say that early-stage founders on Murmur’s beta had a separate-yet-related product request that has now taken priority: they want a better way to make collaborative decisions, no meeting required.

Murmur is currently working on a collaborative platform that helps companies make decisions in an open and feedback-oriented way. Employees and executives can go in and propose a change, make a work agreement around it and then ask for approvals with a deadline ticking in the background.


It’s a smarter Google doc, meant to be built with a decision-making framework in mind — whether that be figuring out a way to productize the back-and-forth of a compromise, or optimize for more eyes before an agreement is set in stone. Fundamentally, the product is a bet on the idea that companies want a smarter way to work in a remote-first environment, one that factors in time zones as more than an inconvenience.

“People do not like to read and they do not like to write — you have to think about that when you build a product and that means that people are looking for a way to make decisions with less work,” Dignan said. While Murmur is still focused on transparency and public agreements, it’s also working on an artificial intelligence writer that will allow employees to whip up a proposal for, say, a four-day work week within minutes. Dignan also hinted at a Slack tool that will listen to conversations and, if someone writes the word “should” or “what if” in a channel, pop up a bot in a private DM that’ll ask if they want to make a proposal around the idea. While that certainly raised some questions for me around privacy, Dignan stressed that users will be able to choose which channels the feature pops up on and train it to be more thoughtful over time. The Slack feature is not available for general users right now, to be clear — only alpha users.

Murmur’s goal, and biggest challenge, is figuring out the right entry point for its product. Should it sell to decentralized autonomous organizations? Universities? Big Tech? Early-stage startups? Each potential customer has an entirely different goal and incentive structure around decisions. At this point, out of the 100 most active accounts on Murmur, less than a quarter would be considered tech companies, according to Dignan. Top customers include Adidas, Bitly and the Philippine Space Agency.

Dignan thinks interest in a tool like Murmur boils down to how serious a company is about building inclusion and transparency into their remote work policies.

“It’s a weird cross-section where some people in the startup game have this mindset, but a lot don’t,” he said. “In general when we have tech founders on Murmur, they’re a second-time founder because they’ve been to the puppet show, they’ve seen the strings, they see how things go wrong at scale and how when you blitzscale, it gets even worse.” Dignan added that, when he’s talking to some founders, his message is that “this is going to seem like a little bit of overkill to you, but I promise, it’s not.”

While waiting for tech to hit a point where the weight of remote work is too much, Dignan doesn’t seem to be sweating his industry’s complacency. And neither do his investors.

Murmur’s broader product vision has helped it close an $8 million round co-led by Asymmetric and Greenfield, with participation from all the investors in its prior round, including Lerer Hippeau, SemperVirens, Human Ventures and Vitalize. For just a murmur, that’s a pretty loud sign of validation.

Murmur gets a loud ask: reinvent closed door decisions by Natasha Mascarenhas originally published on TechCrunch

Despite the FTX mess, the crypto market looks to the future

Even as Sam Bankman-Fried, the former CEO of the collapsed crypto exchange FTX, was arrested and denied bail earlier this week, the questions around the case — and what lies ahead — continue to linger.

“The arrest of Bankman-Fried was both overdue and jumping the gun,” Matthew Barhoma, founder of Barhoma Law and Power Trial Lawyers, told TechCrunch.

What we have seen may just be the beginning, Barhoma hinted: “Expect more charges against Bankman-Fried and others associated with FTX.”

On Tuesday, the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) both filed charges against Bankman-Fried for defrauding investors. He’s also being investigated for other securities law violations, alongside other pending investigations against others involved.

As the situation unfolds, Miles Fuller, head of government solutions for Taxbit, agrees with Barhoma that more charges will arise. “SBF’s arrest was not unexpected,” he said.

Damian Williams, the U.S. attorney for the Southern District of New York, was asked during a press conference on Tuesday afternoon whether the entities will bring charges against other individuals allegedly involved in the FTX collapse, to which he replied, “I can only say this: Clearly, we are not done.”

“Of the eight counts in the indictment, five are conspiracy counts,” Fuller said. “A criminal conspiracy, by definition, requires more than one individual, so we should anticipate that at least some other individuals will need to be identified and possibly charged as co-conspirators.”

There is much speculation around the extent of the criminal action and who was involved in the FTX saga, according to Joby Carpenter, global head of crypto assets and illicit finance at ACAMS. “The unsealed indictment from the U.S. Department of Justice references massive fraud, money laundering and violations of campaign finance laws in the U.S. There’s more to play out, though,” he told TechCrunch.

Despite the FTX mess, the crypto market looks to the future by Jacquelyn Melinek originally published on TechCrunch

Amazon set to release a ‘God of War’ live-action series on Prime Video

“God of War” fans are in for a treat. Amazon announced today that Prime Video is getting a live-action series based on the extremely popular PlayStation game. While a premiere date has not been announced, “God of War” will be available on Prime Video in more than 240 countries and territories.

The show will follow Kratos, the God of War, who leaves his gory past in ancient Greece to reside in the Norse realm of Midgard. Kratos mourns the death of his wife and sets out on a treacherous journey with his estranged son, Atreus, to fulfill her dying wish — spreading her ashes from the highest peak. However, on this adventure, Kratos is forced to fight all kinds of new Gods and monsters as his bond with his son is tested.

The new “God of War” series will likely be a huge hit for Amazon. The announcement comes as the “God of War” sequel, “God of War: Ragnarök,” released to the public last month, caused a flurry of excited gamers to snatch up copies. Developed by Santa Monica Studio, PlayStation tweeted that “God of War: Ragnarök” was the “fastest-selling first-party launch game in PlayStation history.” The record-breaking game sold a whopping 5.1 million copies in the first week alone.

“The ‘God of War’ is a compelling, character-driven franchise that we believe will captivate our global customers as much with its expansive and immersive worlds as its rich storytelling,” said Vernon Sanders, head of global television at Amazon Studios, in a statement.

Amazon’s latest live-action series joins many other video game adaptations, such as HBO’s upcoming series, “The Last of Us,” Paramount+’s “Halo” and various Netflix series like “Arcane,” “Resident Evil” and “Witcher,” among others.

Amazon set to release a ‘God of War’ live-action series on Prime Video by Lauren Forristal originally published on TechCrunch

Here are the best books that TechCrunch read this year

While the TechCrunch crew enjoys a tweet and a post from time to time, we also enjoy reading longer-form materials. So much so that we are compiling a year-end review of our favorite reads.

This is not just a list of serious business books, or just fiction that was published this year.

Instead, we have put together a list of just our favorite stuff that we read this year. Some of it won’t surprise; I hope that some of it does — but given how literate the average TechCrunch reader is, perhaps I will be contentedly disappointed.

The following list is in no particular order. And while we may earn a dollar or two off of commissions if you buy one of the books below, we’re not doing this for the money. We just love books, and reading, and want to share some of our joy with you. (TechCrunch also has lists of recommendations from founders, and venture investors coming later this month!)

Hugs, happy holidays, and may your 2023 reading crop be fruitful.

This article contains links to affiliate partners where available. When you buy through these links, TechCrunch may earn an affiliate commission.

The best books TechCrunch read in 2022

Each recommender’s books are grouped, and links go to Amazon. Summaries are via the TechCruncher in question, at times lightly edited for clarity and format.

Rebecca Szkutak:

The Secret Life of Groceries: A super fun and interesting book about the history of grocery stores and what their supply chain looks like today. Yes, I’m a jumbo nerd.
Crying in H Mart: A lovely memoir that made me cry in the Goa airport.

Harri Weber:

Writing Down the Bones
You Are Here

From Harri: “Both my picks are rereads that gently address existential spirals with reassurance, through self love in the case of You Are Here, and through writing in the case of Writing Down the Bones.”

Ram Iyer:

Anno Dracula: It’s 1888 and Dracula has won the fight against Van Helsing & Co., married Queen Victoria, and turned a lot of London into vampires. And Jack the Ripper is a human who’s cutting up young vampire girls. A grim and stark whodunit featuring a variety of characters from popular fiction as well as real historical figures of the time.

Neesha Tambe:

Little Gods: Love seeing culture dynamics represented through fresh lenses. Educated immigrant experiences in the US are often not written about. The chapters weave between timelines and characters, making picking up the book absolutely addictive.
Atomic Habits: Okay okay. I know it’s old and basic, but I needed to establish better physical and mental habits coming out of deep pandemic. Recognizing that making 1% changes regularly can lead to big dividends made making daily decisions in line with long term goals easier.
Untamed: An absolute must read, especially for people who have felt the constraints of society. An autobiographical collection of stories, the author breaks down toxic standards and encourages readers to identify and pursue their own true vision for happiness.
The Prince: In an era where people believe that principles should be policy, this is a good reminder of the political *science* involved in governance and learning from past mistakes.

Dominic Madori Davis:

The Color of Law: An interesting look into how the federal government indirectly helped and upheld illegal housing discrimination in the US, and the impact that has had on the Black community in terms of wealth building, access to educational and city resources, and the stereotypes still associated with many Black neighborhoods today.
Token Black Girl: An honest memoir from a former Black fashion editor as she grappled with her childhood and eventual working life trying to assimilate into, and find acceptance in, rich, white environments. She talks about the psychological toll this took on her, the mental journey she is still on in unlearning self-hatred, and how she is finally coming to terms with loving her natural Black self.

Natasha Lomas:

Super-Infinite: The Transformations of John Donne: The metaphysical poet’s life engagingly deconstructed

Amanda Silberling:

Tomorrow and Tomorrow and Tomorrow: I feel like this is one of those perfectly constructed novels that will be studied in weird (appreciative) liberal arts school fiction classes in fifty years (or, like, fifty days). It’s hard to pull off the kind of story that follows characters from the time they’re small children to fully-formed adults, but it’s a joy (and, at times, agonizing) to watch these two friends grow from awkward artistic teens to niche-famous game developers who use their craft to navigate murky questions about how and why we make art and how it affects people. Even if you’re not a video game person, there’s a lot to love in this book, so long as you care about… uh…. art and people.
True Biz: I am always annoyed when people think you can only learn about things by reading nonfiction — case in point, True Biz taught me so much about Deaf culture, disability and the ever-present threat of eugenicist science. I love when fiction can help me empathize with people different from me, yet this book is more than that. It’s just an amazing story in itself, alternating among the points-of-view of various characters from different perspectives in the Deaf community: angsty teens fighting for their right to Deaf education, a teacher navigating her rocky marriage, a hearing parent of a Deaf child who must come to terms with her prejudices. This was the kind of book that I was sad to finish, because I wanted to spend more time with the characters who I so quickly grew to root for and love.

Devin Coldewey:

Ministry for the Future: Near-future fiction extrapolated directly from the present can be very weak, but Robinson is both unflinching and imaginative of what a climate crisis would look like, how it might play out, and what kind of bonkers moonshots might be necessary for us to continue to live on Earth.

Romain Dillet:

Abolish Silicon Valley: This book is an honest and engaging first-person story that showcases the hubris of Silicon Valley’s corporate culture. Wendy Liu depicts situations that are sometimes so absurd that she will make you laugh. She also takes a step back and looks at the political implications of startup culture and Silicon Valley.

Anna Heim:

A Very British Christmas
Four Thousand Weeks: Time Management for Mortals
How to Be Good

Anna did not provide commentary on her picks, so I have decided that the way to Be Good is to spend Four Thousand Weeks each year having a Very British Christmas.

Alex Wilhelm:

The Golden Enclaves: Third book in a breakout fantasy series with one of the best protagonists I have ever had the pleasure of getting to know, and cheering on. I am going to re-read the whole series, again, I think this holiday period.
Priory of the Orange Tree: You know how they say that you shouldn’t judge a book by its cover? I bought this beast strictly by dint of its heft. More or less it was a hugely chunky paperback, and I thought, well, I like fantasy, and this book must be good to get published at this length, right? Turns out I was right! Huge, interesting, good, and with characters I adored by the end. And dragons.

Here are the best books that TechCrunch read this year by Alex Wilhelm originally published on TechCrunch

7 great gifts for smart home smarties

This year was a big one for the smart home thanks to the actual introduction of Matter after a couple years of discussion and refining the standard. It’s still early days for the cross-brand compatibility layer, and it’s probably still something that should only be one factor in how you set up your smart home and select your devices, rather than the deciding factor.

Accordingly, some of the below items support Matter, but not all. Complexity of interoperability is definitely a consideration, but in the end the best smart home is the one that actually feels smart, regardless of what does or doesn’t talk to what.

If you’re looking to pick up some added smarts for the true smart home lover in your life, the following gifts should hit the spot.

This article contains links to affiliate partners where available. When you buy through these links, TechCrunch may earn an affiliate commission.

1. Philips Hue Gradient Signe lamps


Philips consistently makes great smart lighting products through its Hue lineup, and the Hue Gradient versions of its Signe table and floor lamps are no exception.

The Signe lamps are long, vertical light bars built into heavy cylindrical bases. It sounds simple because it is, but the Gradient version adds the ability to project multiple colors across the entire length of the bar. This is super useful if you’re using them in tandem with Philips’ Sync box for TV, but provides really nice accent lighting effects for virtually any room.

Price: $220 (table) or $330 (floor) from Amazon

2. Ikea Symfonisk Wi-Fi picture frame speaker


To complete the home theater setup in a way that’s relatively innocuous, consider adding a pair of Ikea’s Symfonisk flat speakers, which are powered by Sonos technology. Besides the dangling cord, which you can blend into most decor with a little creativity, there’s not much here to give away the fact that these actually output sound.

They make for the perfect rear speakers in a room where you don’t want to sacrifice aesthetics to get surround, and when you pair them up with one of Sonos’ sounders and its new Sub Mini, you have a great sound system for your TV without sacrificing a lot of square footage or bringing down the general vibes.

Price: $250 from Ikea

3. Level Lock+


The best new smart lock out this year has to be the Level Lock+, which uses Level’s genius design to give you a sophisticated smart lock that looks like an ordinary deadbolt. This new version adds Apple Home Key support into the mix.

Home Key works with modern iPhones and Apple Watches, and provides a dead simple and rock solid way to unlock and lock your door. The Home Key feature adds to the Level Lock’s existing remote and touch-based locking and unlocking options.

Price: $330 from Apple

4. Ecobee Smart Thermostat Premium


Canadian smart thermostat maker Ecobee updated their lineup this year with two new models, including the Ecobee Smart Thermostat Premium and the Smart Thermostat Enhanced. The top-of-the-line Premium comes with high-end finishes and materials, as well as a built-in indoor air quality monitor.

The Premium model definitely looks better than any prior Ecobee thermostat, and it also supports Siri or Alexa voice control, as well as streaming Spotify or other Bluetooth audio. Plus, it can act as a hands-free intercom system if you need to relay something floor-to-floor or room-to-room.

Price: $250 from Ecobee

5. iRobot Roomba Combo j7+


Smart vacuum maker iRobot released their first new model in a little while this year, and it’s a big upgrade – the first U.S. Roomba to include both vacuum and mop in one. With the ability to distinguish carpets from floors, and a way to maneuver the mop pad down and up as needed, it’s the smart cleaner you need to get more thorough with your approach.

It can empty its vacuum bin via the included docking station, but it’ll need your help to empty and refill the mopping tank. Still less work than the manual way.

Price: $1,100 (discounted to $900 at time of publication) from Amazon

6. Oral-B iO Series 9 toothbrush


You would think that at this point the humble toothbrush would be a long-solved problem, but you would be wrong. Oral-B released its modern iO lineup of toothbrushes a couple of years ago now, but they’re still the best you can buy, and after two years I now have the first-hand recommendations of multiple dentists and hygienists to back that up.

The Oral-B iO Series 9 is the top of the line model, with different colored indicators to tell you when you’re brushing too hard or too soft, and a whole host of different modes – including a dedicated one for tongue cleaning. It also comes with a charging travel case in the box.

Price: $299 (discounted to $249 at time of publication) from Amazon

7. Aviron Impact Smart Rower


Aviron’s smart rowers are packed with tech, durable, quiet and well-built. The company has put a special focus on software development chops, employing actual game designers to build the interactive programs and apps that drive its workouts.

The Impact is the smaller of its two models, with a folding design that makes it easier to stow in a corner when not in use. The combo air and magnetic resistance system it uses helps provide a natural rowing feel without the added complication of bringing actual water into the mix.

Price: $2,199 (discounted to $1,999 at time of publication) from Aviron

7 great gifts for smart home smarties by Darrell Etherington originally published on TechCrunch
