Daily Crunch: Facebook faces new privacy investigations

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories. If you’d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

1. Facebook hit with three privacy investigations in a single day

First came a probe by the Irish data protection authority looking into the breach of “hundreds of millions” of Facebook and Instagram user passwords that were stored in plaintext on its servers. Then, Canadian authorities confirmed that the beleaguered social networking giant broke its strict privacy laws.

Lastly, and slightly closer to home, Facebook was hit by its third investigation — this time by New York attorney general Letitia James.

2. Movie subscription service Sinemia is ending US operations

Over the past few months, Sinemia has gone from promising MoviePass competitor to the source of frustration for moviegoers across the country.

3. Slack files to go public, reports $138.9M in losses on revenue of $400.6M

The company attributes these losses to its decision “to invest in growing our business to capitalize on our market opportunity,” and notes that they’re shrinking as a percentage of revenue.


4. Walmart unveils an AI-powered store of the future, now open to the public

Walmart unveiled a new testing ground for emerging technologies, including AI-enabled cameras and interactive displays. This “store of the future” operates out of a Walmart Neighborhood Market in Levittown, New York.

5. Grocery delivery startup Honestbee is running out of money and trying to sell

The company has held early conversations with a number of suitors in Asia, including ride-hailing giants Grab and Go-Jek, over the potential acquisition of part, or all, of its business.

6. Amazon is prepping a high-fidelity TIDAL competitor

That’s according to Music Business Worldwide, which also accurately reported the recent launch of a free, ad-supported Amazon Music service for Echo device owners.

7. Zwift CEO Eric Min on fitness-gaming and bringing esports into the Olympics

The five-year-old startup has raised more than $170 million as a pioneer of fitness-gaming ― physical sport carried out in a virtual world. (Extra Crunch membership required.)

Facebook gets one step closer to building your virtual copy

When it comes to representing yourself on social media, who you actually portray yourself as has always been a bit of a caricature. That thinking has always made it a little interesting to examine how a company like Facebook approaches avatar design for services like their VR avatar system.

Oculus Avatars have undergone a number of transformations and today they’re pushing an update that creates more robust facial expressions that are more human-like than the stiff representations that past iterations showcased. The new Sims-like “Expressive Avatars” are certainly the company’s most unsettling to date, but they’re also the most ambitious.

The company calls the update the “culmination of user feedback and years of research and innovations in machine learning, engineering, and design.”

There’s this oft-repeated concept of the uncanny valley where things get up to a certain point of realism but then they’re just deeply unsettling because the representation is close but not quite there. That’s more than a little evident here. Oculus initially chose to veer wide when it came to structuring its avatar system based on how people actually looked, but with their latest Expressive Avatars update, things seem to be moving in a different direction.

In a blog post, the company seemed to acknowledge the risks of going all-in on realism while emphasizing that the trade-offs were worth it. They say they discovered people are simply more willing to interact with avatars when they look and behave more like humans:

Back in 2016, we made a conscious decision to avoid showing what we didn’t know in order to better represent what we knew with certainty. Since then, we’ve learned a great deal not only about how our hardware can help us simulate believable behaviors with higher confidence, but also about how we can use machine learning and well-understood priors to translate subtle signals into great social presence.

The new avatars boast more realistic mouth and eye movements, a small upgrade that Facebook maintains was intensely challenging to pull off.

This could be a bit of a perilous direction to choose. After all, there’s really one ideal the company can hit, recreating a perfect digital person. They’ve already copped to designing deeply human-like avatar systems; the limits here are obviously both the low power of today’s consumer systems and the inabilities of the platforms to infer very much in terms of interaction and movement aside from what’s captured precisely by sensors.

Facebook’s new Avatar system goes live today on Oculus mobile and PC platforms.

Facebook asked some users for their email passwords, because why not


As company executives try to rebrand Facebook as a privacy company, the company is still apparently struggling to instill a privacy culture internally and with third-party developers. As Kevin Poulsen of the Daily Beast reported on April 2, some new Facebook users were being asked to provide both their email address and their email password in order to register accounts.

And in a blog post today, researchers from the cloud security firm UpGuard reported that they had discovered two publicly accessible caches of Facebook user data created by third-party applications that connected to the Facebook platform. Both caches were hosted by Amazon Web Services’ Simple Storage Service (S3) in the AWS public cloud.

Password, please

The email password practice was first noticed by a software developer and information security expert who goes by the handle “e-sushi”:


Pi Day wasn’t pleasant for a lot of tech execs

Pi Day is apparently New Job day for tech execs and VCs these days.

Leaving: Lee Fixel

It’s not every day that one of the top VC investors heads out from their shop. TechCrunch’s @cookie aka Connie Loizos has the story:

Lee Fixel, the low-flying head of Tiger Global’s private equity business, is leaving at the end of June, the firm announced today in a letter sent to clients and seen by Reuters. Scott Shleifer and Chase Coleman will continue as co-managers of the portfolios Fixel has overseen, with Shleifer taking over as its head, according to the letter.

Fixel, 39, is reportedly planning to invest his own money and “may start an investment firm in the future,” Tiger Global wrote in the letter.

Tiger Global has become a major force in late-stage investing. As I wrote last fall, it is also part of a small coterie of investment firms which have pushed their portfolio companies to IPO with reasonable speed (the other firm I noted at the time was Benchmark).

One challenge for Tiger has been the rise of the SoftBank Vision Fund, which has driven up valuations for startups and has almost certainly complicated the return profile of many of Tiger’s investments. The two also share a penchant for investing internationally, where Tiger had almost a monopoly position before the Vision Fund burst on the scene.

Another wrinkle worth tracking is the increasing opposition of Indian founders to both Tiger (and specifically Fixel) and SoftBank. As I wrote in the newsletter just a few weeks ago:

There is a clear lack of trust between India’s startup and venture communities, which ultimately threatens the sustainability and growth outlook of the country’s tech sector.

But a solution to the problem is not so cut and dry. Mega growth funds like SoftBank and Tiger Global have given limited control to their Indian portfolio companies and have forced their hands on numerous occasions. Yet Ola’s avoidance of SoftBank has led to lower valuations and more difficult and lengthier fundraising processes.

Leaving: Chris Cox & Chris Daniels

Facebook’s chief product officer is leaving along with Chris Daniels, the VP of WhatsApp. TechCrunch’s Josh Constine summarized the situation:

The changes solidify that Facebook is entering a new era as it chases the trend of feed sharing giving way to private communication. Cox and Daniels may feel they’ve done their part advancing Facebook’s product, and that the company needs renewed energy as it shifts from a relentless growth focus to keeping its users loyal while learning to monetize a new form of social networking.

There has been much ink spilled here about what this all means strategically, but I do think that there are no good times for prominent 13-year and 8-year veterans to leave their positions. Zuckerberg seems ready to begin a whole new era for Facebook, and perhaps neither wanted to make the multi-year commitment that his new vision entails.

That, or Cox unplugged the servers yesterday.

Leaving (America): Jay Jorgensen

A very rare move from the United States to Korea for a senior exec, from TechCrunch’s Catherine Shu:

Coupang, the unicorn that is defining e-commerce in Korea, announced today that it has hired Jay Jorgensen, Walmart’s former global chief ethics and compliance officer, to serve as its general counsel and chief compliance officer. Jorgensen will relocate to Seoul for the position.

Founded in 2010, with a total of $3.4 billion raised from investors, including SoftBank, and a valuation of $9 billion, Coupang currently operates only in Korea, where it is the largest e-commerce player, but has offices in Seoul, Beijing, Los Angeles, Mountain View, Seattle and Shanghai.

Coupang has been the outlier success of the Korean startup ecosystem for the past few years. The company’s founder, Bom Kim, who holds a bachelor’s and an MBA from Harvard, has worked to apply American management models to Coupang, attempting to eschew the insular culture typical of Korea’s technology companies. Clearly, that vision is drawing international talent.

Staying: Zachary Kirkhorn

Tesla is getting some financial help from itself, from TechCrunch’s Kirsten Korosec:

The automaker officially tapped as its next chief financial officer Zachary Kirkhorn, a longtime employee who has been part of the automaker’s finance team for nine years, according to securities filings posted Thursday. The automaker also appointed Vaibhav Taneja, who led the integration of Tesla and SolarCity’s accounting teams, as its chief accounting officer. Taneja, who will report to Kirkhorn, will oversee corporate financial reporting, global accounting functions and personnel.

No telling whether Kirkhorn knows how to blow a whistle though….

No Longer Admitted: Bill McGlashan

Sometimes when you venture to make an investment, it doesn’t always pan out, from Maggie Fitzgerald at CNBC:

TPG’s Bill McGlashan was fired from the private equity firm on Thursday amid the massive college cheating scandal.

McGlashan, 55, has been terminated for cause from his positions with TPG and Rise effective immediately.

“After reviewing the allegations of personal misconduct in the criminal complaint, we believe the behavior described to be inexcusable and antithetical to the values of our entire organization,” said a TPG spokesperson.

McGlashan founded TPG Growth, which has had a litany of successes investing in later-stage startups such as Airbnb.

Leaving (but not by choice): Bird employees

Once high-flying and now somewhat not as high-flying scooter startup Bird announced that it was laying off around 40 employees. From TechCrunch’s Megan Rose Dickey:

“As we establish local service centers and deeper roots in cities where we provide service, we have shifting geographic workforce needs,” a Bird spokesperson told TechCrunch. “We are expanding our employee bases in locations that match our growing operations around the world, while developing an efficient operating structure at our Santa Monica headquarters. The recent events are a reflection of shifting geographical needs and our annual talent review process.”

I hope they flip them the Bird on the way out.

India fintech and the growing proxy war between global tech giants


Written by Arman Tabatabai

South African media conglomerate and investment giant Naspers is reportedly planning to invest $1 billion in India this year.

According to reports earlier this week, Naspers is looking towards India’s budding fintech market in particular to unload the fresh pile of dough it’s sitting on after recently lowering its stake in Tencent and cashing out on Walmart’s $16 billion acquisition of portfolio company Flipkart last year.

The fintech-heavy thesis directionally makes sense in the context of Naspers’ broader strategy. Naspers has openly discussed its attraction to India’s financial services market and the company already has an established footprint in the region as the owner of payments platform PayU.

That said, the amount Naspers is reportedly looking to gift in just one year is astounding. Indian fintech startups saw around $2.6 billion of investment in 2018 according to Pitchbook. Naspers’ investment alone would represent a 40% spike in India’s total fintech venture capital.

Though one billion dollars in one year may seem ambitious, Naspers has proven it’s not afraid to pour billions into India and emerging verticals, having just led a $1 billion round in Indian food delivery startup Swiggy only a few months ago.

More importantly, Naspers’ push shows that the company is seriously doubling down in the escalating competition to become the dominant force in India’s booming fintech ecosystem. As we discussed in our recent conversation with Billionaire Raj author James Crabtree, India’s financial system is ripe for disruption. With secular tailwinds like growing mobile penetration and financial literacy, innovative financial models in India have begun leap-frogging traditional institutions, with Google and Boston Consulting Group even forecasting that the market for digital payments in India would reach $500 billion in size by 2020.

And many have taken notice — the number of fintech investments in India has grown at a 200%-plus compound annual growth rate over the last five years, according to data from Pitchbook, as leading investors and global tech powerhouses all battle to become the layer of financial infrastructure on which the future Indian economy sits.

A recent deep dive in the WSJ highlighted how crowded the ongoing fight for Indian payments dominance has become in the context of Paytm, an Indian startup that received a $1.4 billion investment from venture behemoth SoftBank:

The Indian market is one worth fighting for, with hundreds of millions of Indians getting online and starting to transact for the first time, thanks to plummeting prices for mobile data and smartphones.

“Digital payments in India are soaring” and “set to explode,” Credit Suisse said in a February research note. They should rise nearly five times to $1 trillion by 2023, the report said…

…Meanwhile, it isn’t just Google and WhatsApp challenging Paytm. Indian e-commerce titan Flipkart, in which Walmart Inc. bought a controlling stake for $16 billion earlier this year, has a popular payments service called PhonePe. Amazon.com Inc. has its own payments service and two of India’s biggest telecom players, Bharti Airtel Ltd. and Reliance Jio Infocomm Ltd., offer digital wallets, as well.

Next to peers like Alibaba, SoftBank, or Google, Naspers can often seem like the biggest tech company no one has ever heard of. But if its latest swan dive into India can help Naspers strike gold — as it did with its early investment in Tencent — it might just become the company powering the next economies of the world.

Thanks

To every member of Extra Crunch: thank you. You allow us to get off the ad-laden media churn conveyor belt and spend quality time on amazing ideas, people, and companies. If I can ever be of assistance, hit reply, or send an email to danny@techcrunch.com.

This newsletter is written with the assistance of Arman Tabatabai from New York

Facebook is introducing a new “Tributes” section for memorialized accounts

Facebook is rolling out a new feature for memorialized accounts that will allow people to leave messages in a Tributes section that is separate from the rest of the profile’s timeline. Depending on a memorialized account’s privacy settings, friends can currently still post on its timeline, including in the comments of posts the person made before they died. If a memorialized account has a Tributes section, however, posts made after the day it was memorialized (which prevents anyone else from logging in) will be placed there.

Some Facebook users who have designated “legacy contacts” to manage their accounts after they die were alerted to the new feature by a notification today that contained the euphemistic phrase “if your account is memorialized.”

A page on Facebook’s Help Center describes the new tributes section “as a space on memorialized profiles where friends and family can post stories, commemorate a birthday, share memories and more.”

“Legacy contacts” will have more leeway over tribute posts than they do over the rest of the account. For example, they have the ability to decide who can see and post tributes and can delete posts. They can also change who can see posts the deceased person is tagged in or remove the tag. If the account had timeline review turned on, the legacy contact will be able to turn it off for tribute posts. Posts made to a profile after it is memorialized will be separated into the tributes section. The feature’s help page says “we do our best to separate tribute posts from timeline posts based on the info we’re given.”

Legacy contacts still can’t log into accounts, read private messages or remove and add friends.

2018 really was more of a dumpster fire for online hate and harassment, ADL study finds

Around 37 percent of Americans were subjected to severe hate and harassment online in 2018, according to a new study by the Anti-Defamation League, up from about 18 percent in 2017. And over half of all Americans experienced some form of harassment according to the ADL study.

Facebook users bore the brunt of online harassment on social networking sites according to the ADL study, with around 56 percent of survey respondents indicating that at least some of their harassment occurred on the platform, which is unsurprising given Facebook’s status as the dominant social media platform in the U.S.

Around 19 percent of people said they experienced severe harassment on Twitter (only 19 percent? That seems low); while 17 percent reported harassment on YouTube; 16 percent on Instagram; and 13 percent on WhatsApp.

Chart courtesy of the Anti-Defamation League

In all, the blue ribbon standards for odiousness went to Twitch, Reddit, Facebook and Discord, when the ADL confined their surveys to daily active users. Nearly half of all daily users on Twitch have experienced harassment, the report indicated. Around 38% of Reddit users, 37% of daily Facebook users, and 36% of daily Discord users reported being harassed.

“It’s deeply disturbing to see how prevalent online hate is, and how it affects so many Americans,” said ADL chief executive Jonathan A. Greenblatt. “Cyberhate is not limited to what’s solely behind a screen; it can have grave effects on the quality of everyday lives – both online and offline. People are experiencing hate and harassment online every day and some are even changing their habits to avoid contact with their harassers.”

And the survey respondents seem to think that online hate makes people more susceptible to committing hate crimes, according to the ADL.

The ADL also found that most Americans want policymakers to strengthen laws and improve resources for police around cyberbullying and cyberhate. Roughly 80 percent said they wanted to see more action from lawmakers.

Even more Americans, or around 84 percent, think that the technology platforms themselves need to do more work to curb the harassment, hate, and hazing they see on social applications and websites.

As for the populations that were most at risk of harassment and hate online, members of the LGBTQ community were targeted most frequently, according to the study. Some 63 percent of people identifying as LGBTQ+ said they were targeted for online harassment because of their identity.

“More must be done in our society to lessen the prevalence of cyberhate,” said Greenblatt. “There are key actions every sector can take to help ensure more Americans are not subjected to this kind of behavior. The only way we can combat online hate is by working together, and that’s what ADL is dedicated to doing every day.”

The report also revealed that cyberbullying had real consequences on user behavior. Of the survey respondents 38 percent stopped, reduced or changed online activities, and 15 percent took steps to reduce risks to their physical safety.

Interviews for the survey were conducted between Dec. 17 and Dec. 27, 2018 by the public opinion and data analysis company YouGov, and the survey was conducted by the ADL’s Center for Technology and Society. The non-profit admitted that it oversampled for respondents who identified as Jewish, Muslim, African American, Asian American or LGBTQ+ to “understand the experiences of individuals who may be especially targeted because of their group identity.”

The survey had a margin of error of plus or minus three percentage points, according to a statement from the ADL.

Instagram is now testing a web version of Direct messages

Insta-chat addicts, rejoice. You could soon be trading memes and emojis from your computer. Instagram is internally testing a web version of Instagram Direct messaging that lets people chat without the app. If, or more likely, when this rolls out publicly, users on a desktop or laptop PC or Mac, on a phone that isn’t an Android or iPhone, or who access Instagram via a mobile web browser will be able to privately message other Instagrammers.

Instagram web DMs was one of the features I called for in a product wish list I published in December alongside a See More Like This button for the feed and an upload quality indicator so your Stories don’t look crappy if you’re on a slow connection.

A web version could make Instagram Direct a more full-fledged SMS alternative rather than just a tacked-on feature for discussing the photo and video app’s content. Messages are a massive driver of engagement that frequently draws people back to an app, and knowing friends can receive them anywhere could get users sending more. While Facebook doesn’t monetize Instagram Direct itself, it could get users browsing through more ads while they wait for replies.

Given Facebook’s own chat feature started on the web before going mobile and getting its own Messenger app, and WhatsApp launched a web portal in 2015 followed by desktop clients in 2016, it’s sensible for Instagram Direct to embrace the web too. It could also pave the way for Facebook’s upcoming unification of the backend infrastructure for Messenger, WhatsApp and Instagram Direct that should expand encryption and allow cross-app chat, as reported by The New York Times’ Mike Isaac.

Mobile reverse-engineering specialist and frequent TechCrunch tipster Jane Manchun Wong alerted us to Instagram’s test. It’s not available to users yet, as it’s still being internally “dogfooded” — used heavily by employees to identify bugs or necessary product changes. But she was able to dig past security and access the feature from both a desktop computer and mobile web browser.

In the current design, Direct on the web is available from a Direct arrow icon in the top right of the screen. The feature looks like it will use an Instagram.com/direct/…. URL structure. If the feature becomes popular, perhaps Facebook will break it out with its own Direct destination website similar to https://www.messenger.com, which launched in 2015. Instagram began testing a standalone Direct app last year, but it’s yet to be officially launched and doesn’t seem exceedingly popular.

Instagram’s web experience has long lagged behind its native apps. You still can’t post Stories from the desktop like you can with Facebook Stories. It only added notifications on the web in 2016 and Explore, plus some other features, in 2017.

Instagram did not respond to requests for comment before press time. The company rarely provides a statement on internal features in development until they’re being externally tested on the public, at which point it typically tells us “We’re always testing ways to improve the Instagram experience.” [Update: Instagram confirms to TechCrunch it’s not publicly testing this, which is its go-to line when a product surfaces that’s still in internal development. Meanwhile, Wong notes that Instagram has now cut off her access to the web Direct feature.]

After cloning Snapchat Stories to create Instagram Stories, the Facebook-owned app decimated Snap’s growth rate. That left Snapchat to focus on premium video and messaging. Last year Instagram built IGTV to compete with Snapchat Discover. And now with it testing a web version of Direct, it seems poised to challenge Snap for chat too.

Everything you need to know about Facebook, Google’s app scandal

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.

Confused about what happened? Here’s everything you need to know.

How did all this start, and what happened?

On Monday, we revealed that Facebook was misusing an Apple-issued enterprise certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.

The app, known simply as “Research,” allowed Facebook unparalleled access to all of the data flowing out of a device. This included access to some of the users’ most sensitive network data. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.

It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.

Apple was angry that Facebook was misusing its special-issue enterprise certificates to push an app it already banned, and revoked it — rendering the app unable to open. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.

Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.

What’s the controversy over these enterprise certificates and what can they do?

If you want to develop Apple apps, you have to abide by its rules — and Apple expressly makes companies agree to its terms.

A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.

Each Apple-issued certificate grants companies permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.

What’s a “root” certificate, and why is its access a big deal?

Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, users had to manually install the app — known as sideloading. That requires users to go through a few convoluted steps: downloading the app itself, then opening and trusting either Facebook’s or Google’s enterprise developer code-signing certificate, which is what allows the app to run.

After the app was installed, both companies required users to agree to an additional configuration step — known as a VPN configuration profile — that funnels all of the data flowing out of that user’s phone down a special tunnel directing it to either Facebook or Google, depending on which app was installed.

This is where the Facebook and Google cases differ.

Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as the content of any network traffic protected by HTTPS, as most apps in the App Store and internet websites are.

Facebook, however, went far further. Its users were asked to go through an additional step to trust an additional type of certificate at the “root” level of the phone. Trusting this Facebook Research root certificate authority allowed the social media giant to look at all of the encrypted traffic flowing out of the device — essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails and any other bit of data that leaves your phone. Only apps that use certificate pinning — which reject any certificate that isn’t their own — were protected, such as iMessage, Signal and any other end-to-end encrypted solutions.

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone (Image: supplied)

Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules — and had its separate enterprise developer code-signing certificate revoked anyway.
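
For readers who want to check what a configuration profile would change before installing it, the following added example (not part of the original article, and not code from Apple, Facebook or Google) parses a profile in Apple's .mobileconfig property-list format and flags VPN and certificate payloads. The sample profile, its display names and the risk labels are constructed for illustration.

```python
import plistlib

# Payload type identifiers from Apple's configuration-profile format.
CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1",
              "com.apple.security.pem"}
VPN_TYPES = {"com.apple.vpn.managed", "com.apple.vpn.managed.applayer"}

def build_sample(with_root_ca: bool) -> bytes:
    """Constructed sample profile; not taken from any real app."""
    content = [{"PayloadType": "com.apple.vpn.managed",
                "PayloadDisplayName": "Example Research VPN",
                "VPNType": "IKEv2"}]
    if with_root_ca:
        content.append({"PayloadType": "com.apple.security.root",
                        "PayloadDisplayName": "Example Research Root CA",
                        "PayloadContent": b"constructed-placeholder-not-a-cert"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadIdentifier": "com.example.research",
                           "PayloadContent": content})

def load_profile(raw: bytes) -> dict:
    """Parse a profile; signed profiles wrap the XML plist in a CMS envelope."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start > 0 and end > start:  # best-effort unwrap, signature NOT verified
        raw = raw[start:end + len(b"</plist>")]
    return plistlib.loads(raw)

def audit_profile(raw: bytes) -> dict:
    """List payloads that reroute traffic or add trusted certificates."""
    payloads = load_profile(raw).get("PayloadContent", [])
    names = lambda types: [p.get("PayloadDisplayName", p["PayloadType"])
                           for p in payloads if p.get("PayloadType") in types]
    vpn, certs = names(VPN_TYPES), names(CERT_TYPES)
    if vpn and certs:
        risk = "tls-interception-possible"  # tunnel plus a CA the device may trust
    elif vpn:
        risk = "traffic-rerouted"           # HTTPS content stays opaque to the tunnel
    elif certs:
        risk = "extra-trust-anchor"
    else:
        risk = "none"
    return {"vpn": vpn, "certificates": certs, "risk": risk}

if __name__ == "__main__":
    for flag in (False, True):
        print(audit_profile(build_sample(flag)))
```

The two sample profiles mirror the distinction drawn above: a VPN payload alone reroutes traffic, while a VPN payload combined with a certificate payload is the combination that makes reading HTTPS traffic possible.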

What data did Facebook have access to on iOS?

It’s hard to know for sure, but it definitely had access to more data than Google.

Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.

Will Strafach, a security expert with whom we spoke for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”

Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.

How does this compare to the technical ways other market research programs work?

In fairness, market research apps like these aren’t unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither asks users to install a VPN or provide root access to the network.

In any case, Facebook already has a lot of your data — as does Google. Even if the companies only wanted to look at your data in aggregate with other people, they can still home in on who you talk to, when, for how long and, in some cases, what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.

Can they capture the data of people the phone owner interacts with?

In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.

How many people did this affect?

It’s hard to know for sure. Neither Google nor Facebook has said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.

Why did internal apps at Facebook and Google break after Apple revoked the certificates?

You might own your Apple device, but Apple still gets to control what goes on it.

Apple can’t control Facebook’s root certificates, but it can control the enterprise certificates it issues. After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on Facebook’s enterprise certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.

Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.

How are people viewing Apple in all this?

Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.

In revoking Facebook and Google’s enterprise certificates and causing downtime, Apple’s decision has a knock-on effect inside those companies.

Is this legal in the U.S.? What about in Europe with GDPR?

Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though it was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” really understood how much privacy they were really handing over.

That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.

Who else has been misusing certificates?

Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.

According to many people who have been finding such companies and naming them on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their enterprise certificates.

What next?

It’s anybody’s guess, but don’t expect this situation to die down any time soon.

Facebook may face repercussions with Europe, as well as at home. Two U.S. senators, Mark Warner and Richard Blumenthal, have already called for action, accusing Facebook of “wiretapping teens.” The Federal Trade Commission may also investigate, if Blumenthal gets his way.