Big revenues, huge valuations and major losses: charting the era of the unicorn IPO

We can make charts galore about the tech IPO market. Yet none of them diminish the profound sense that we are in uncharted territory.

Never before have so many companies with such high revenues gone public at such lofty valuations, all while sustaining such massive losses. If you’re a “growth matters most” investor, these are exciting times in IPO-land. If you’re the old-fashioned value type who prefers profits, it may be best to sit out this cycle.

Believers in putting market dominance before profits got their biggest IPO opportunity perhaps ever last week, with Uber’s much-awaited dud of a market debut. With a market cap hovering around $64 billion, Uber is far below the $120 billion it was initially rumored to target. Nonetheless, one could convincingly argue it’s still a rich valuation for a company that just posted a Q1 loss of around $1 billion on $3 billion in revenue.

So how do Uber’s revenues, losses and valuation stack up amidst the recent crop of unicorn IPOs? To put things in context, we assembled a list of 15 tech unicorns that went public over the past three quarters. We compared their valuations, along with revenues and losses for 2018 (in most cases the most recently available data), in the chart below:

 

Put these companies all together in a pot, and they’d make one enormous, money-losing super-unicorn, with more than $25 billion in annual revenue coupled to more than $6 billion in losses. It’ll be interesting to revisit this list in a few quarters to see if that pattern changes, and profits become more commonplace.

History

It’s easy to draw comparisons to the decades-old dot-com bubble, but this time things are different. During the dot-com bubble, I remember penning this lead sentence:

“If the era of the Internet IPO had a theme song, it might be this: There’s no business like no business.”

That notion made sense for bubble-era companies, which commonly went public a few years after inception, before amassing meaningful revenues.

That tune won’t work this time around. If the era of the unicorn IPO had a theme song, it wouldn’t be nearly as catchy. Maybe something like: “There’s no business like lots of business and lots of losses too.”

I won’t be buying tickets to that musical. But when it comes to buying IPO shares, the unicorn proposition is a bit more appealing than the 2000 cycle. After all, it’s reasonably plausible for a company with dominant market share to tweak its margins over time. It’s a lot harder to grow revenues from nothing to hundreds of millions or billions, particularly if investors grow averse to funding continued losses.

Of course, the dot-com bubble and the unicorn IPO era do share a common theme: Investors are betting on an optimistic vision of future potential. If expectations don’t pan out, expect share prices to follow suit.

WorldCover raises $6M round for emerging markets climate insurance

WorldCover, a New York and Africa-based climate insurance provider to smallholder farmers, has raised a $6 million Series A round led by MS&AD Ventures.

Y-Combinator, Western Technology Investment, and EchoVC also participated in the round.

WorldCover’s platform uses satellite imagery, on-ground sensors, mobile phones, and data analytics to create insurance options for farmers whose crop yields are affected adversely by weather events—primarily lack of rain.

The startup currently operates in Ghana, Uganda, and Kenya. With the new funding WorldCover aims to expand its insurance offerings to more emerging market countries.

“We’re looking at India, Mexico, Brazil, Indonesia. India could be first on an 18 month timeline for a launch,” WorldCover co-founder and chief executive Chris Sheehan said in an interview.

The company has served over 30,000 farmers across its Africa operations. Smallholder farmers are defined as those earning all or nearly all of their income from agriculture, farming on 10 to 20 acres of land, and earning around $500 to $5000, according to Sheehan.

Farmers connect to WorldCover by creating an account on its USSD mobile app. From there they can input their region and crop type, determine how much insurance they would like to buy, and use mobile money to purchase a plan. WorldCover works with payments providers such as M-Pesa in Kenya and MTN Mobile Money in Ghana.

The service works on a sliding scale, where a customer can receive anywhere from 5x to 15x the amount of premium they have paid. If there is an adverse weather event, namely lack of rain, the farmer can file a claim via mobile phone. WorldCover then uses its data-analytics metrics to assess it, and if approved, the farmer will receive an insurance payment via mobile money.

Common crops farmed by WorldCover clients include maize, rice, and peanuts. It looks to add coffee, cocoa, and cashews to its coverage list.

For the moment, WorldCover only insures for events such as rainfall risk, but in the future it will look to include other weather events, such as tropical storms, in its insurance programs and platform data-analytics.

The startup’s founder clarified that WorldCover’s model does not assess or provide insurance payouts specifically for climate change, though it does directly connect to the company’s business.

“We insure for adverse weather events that we believe climate change factors are exacerbating,” Sheehan explained. WorldCover also resells the risk of its policy-holders to global reinsurers, such as Swiss Re and Nephila.

On the potential market size for WorldCover’s business, he highlights a 2018 Lloyd’s study that identified $163 billion of assets at risk, including agriculture, in emerging markets from negative, climate change related events.

“That’s what WorldCover wants to go after…These are the kind of micro-systemic risks we think we can model and then create a micro product for a smallholder farmer that they can understand and will give them protection,” he said.

With the round, the startup will look to possibilities to update its platform to offer farming advice to smallholder farmers, in addition to insurance coverage.

WorldCover investor and EchoVC founder Eghosa Omoigui believes the startup’s insurance offerings can actually help farmers improve yield. “Weather-risk drives a lot of decisions with these farmers on what to plant, when to plant, and how much to plant,” he said. “With the crop insurance option, the farmer says, ‘Instead of one hectare, I can now plant two or three, because I’m covered.’”

Insurance technology is another sector in Africa’s tech landscape filling up with venture-backed startups. Other insurance startups focusing on agriculture include Accion Venture Lab-backed Pula and South Africa-based Mobbisurance.

With its new round and plans for global expansion, WorldCover joins a growing list of startups that have developed business models in Africa before raising rounds toward entering new markets abroad.

In 2018, Nigerian payment startup Paga announced plans to move into Asia and Latin America after raising $10 million. In 2019, South African tech-transit startup FlexClub partnered with Uber Mexico after a seed-raise. And Lagos-based fintech startup TeamAPT announced in Q1 it was looking to expand globally after a $5 million Series A round.

India unseats China as Asia’s top fintech funding source

China’s massive fintech industry took a beating in recent months as the government continued to wind down online lending nationwide, rattling investor confidence.

Funding for fintech startups shrank 87.6 percent year-over-year to $192.1 million during the first quarter of 2019, a new report from data provider CB Insights shows. India, which recorded $285.6 million raised for fintech startups in the period, overtook China to be Asia’s top fundraising hub for financial technology. Both countries clocked in 29 fintech deals, suggesting a cooling investor sentiment in China which saw its height of 76 deals just three quarters ago.

Chart: CB Insights

The plunge in China has followed on the heels of tightened regulation around online lending, suggests CB Insights. Over the past few years, China has rolled out a flurry of measures to rein in financial risks arising from its fledgling online lending industry. Peer-to-peer lending, which matches an individual looking for a loan with someone looking to invest, has been the top target in a wave of government crackdowns.

This kind of service offers credit to unbanked individuals who cannot otherwise get loans in a country without a mature unified credit system. But a lack of oversight led to rampant fraud across the board. Thousands of peer-to-peer lending sites shut down due to increased regulation, which is estimated to leave as few as 300 players on the market by the end of 2019, Shanghai-based research firm Yingcai forecasted.

Like China, India’s enthusiasm for finance technology is in part a result of the country’s lack of financial infrastructure. Lending startups are gathering steam as they, like their Chinese counterparts, tailor services to the country’s large unbanked and underbanked consumers and enterprises. Moves from tech leaders are also set to send ripples through the rest of the industry. Amazon finally followed its rivals Paytm, Google Pay and PhonePe to start offering peer-to-peer payments in the country. Walmart is closely watching how Flipkart, which it bought out last year, applies data to payments solutions.

Chart: CB Insights

Despite the setback in online lending, a new form of consumer-facing financing vehicle — so-called mutual aid platforms that let patients crowdfund for serious diseases — is enjoying an early boom in China, CB Insights noted in its report. As with peer-to-peer lending, internet-powered mutual aid is trying to fill gaps in a traditional industry. Though most Chinese people are part of a national public insurance scheme, surgical bills can easily bring down an average family.

The top two performers in the sector are unsurprisingly from the top two opposing camps in China’s tech world. Shuidihuzhu, which translates as “water drop mutual help” in Chinese, counts Tencent as a major investor. Users contribute as little as half a cent to a pool of funds that pays out when a patient needs financial aid. The three-year-old platform, which leverages Tencent’s billion-user WeChat messenger to sign up members, claims it has attracted 78.8 million users and paid out nearly 440 million yuan ($65.34 million) to more than 3,100 families so far.

Shuidihuzhu’s rival, which is called Xiang Hu Bao and means “mutual protection”, is run by Alibaba’s affiliate e-wallet Alipay. Launched only last September, the service said it had acquired over 50 million users by April and had set itself up for an ambitious goal: to reach low-income groups who can’t afford the premiums and advance payments attached to traditional health insurance and to acquire 300 million users in the next two years. That means almost a third of Alipay users, most of whom live in China. By the end of 2018, the digital wallet had over 1 billion annual users worldwide.

TurboTax and H&R Block hide their free tax filing tools from Google on purpose

Low-income Americans can file their taxes for free, but odds are they ended up paying anyway.

ProPublica found that tax-filing giant Intuit is deliberately concealing search results for its free filing service, instead pointing all consumers toward its paid products. While users visiting TurboTax’s homepage will be greeted with what looks like free tax software, the software’s parent company usually finds a way to charge anyone using the product. The manipulative design choice echoes recent conversation around dark pattern design and likely explains why free filing services remain underutilized.

Intuit’s true free filing software is called TurboTax Free File. Compared to the company’s main TurboTax portal, TurboTax Free File is much more difficult to find. That service, designed to make the process free for low-income filers individually making less than $34,000 a year, is part of an agreement between tax-filing companies and the IRS stipulating that a free option must be provided for lower-income filers. In the course of reporting, ProPublica found that Intuit competitor H&R Block uses the same tactic to bury its own free service, H&R Block Free File.

To effectively bury its free filing service, TurboTax included a snippet of code in the page’s robots.txt file instructing search engines not to index it. The code was spotted by Twitter user Larissa Williams and Redditor ethan1el.

Screenshot via ProPublica

Instead of pointing users toward its free file tool, TurboTax funnels the vast majority of users toward its paid and premium services, whether they qualify for free filing or not. The Senate Finance Committee’s top Democrat Ron Wyden denounced the tactic as “outrageous” in a statement to ProPublica, indicating that he intended to bring up the issue with the IRS.

This is how much money Pinterest execs made last year

Silicon Valley is known for its massive wealth. When these companies file to go public, we all finally get to know how much money these executives take home each year, and the millions they’ll take home after the IPO.

In Pinterest’s S-1, which it filed earlier today, we see that co-founder and CEO Ben Silbermann earned a salary of $197,100. But that’s actually nothing compared to Pinterest CFO Todd Morgenfeld, who earned a base salary of $360,500 with stock awards worth $22,028,696.

It’s still unclear just how much money the execs will make once Pinterest goes public. That’s because Pinterest did not break down stock ownership.

Meanwhile, fellow IPO-bound startup Lyft paid CEO Logan Green a salary of $401,529 and COO Jon McNeill $419,231 last year. At the high end, Green’s stake is worth nearly $523 million, while co-founder John Zimmer’s stake is worth north of $346 million.

Pi Day wasn’t pleasant for a lot of tech execs

Pi Day is apparently New Job day for tech execs and VCs these days.

Leaving: Lee Fixel

It’s not every day that one of the top VC investors heads out from their shop. TechCrunch’s @cookie aka Connie Loizos has the story:

Lee Fixel, the low-flying head of Tiger Global’s private equity business, is leaving at the end of June, the firm announced today in a letter sent to clients and seen by Reuters. Scott Shleifer and Chase Coleman will continue as co-managers of the portfolios Fixel has overseen, with Shleifer taking over as its head, according to the letter.

Fixel, 39, is reportedly planning to invest his own money and “may start an investment firm in the future,” Tiger Global wrote in the letter.

Tiger Global has become a major force in late-stage investing. As I wrote last fall, it is also part of a small coterie of investment firms which have pushed their portfolio companies to IPO with reasonable speed (the other firm I noted at the time was Benchmark).

One challenge for Tiger has been the rise of the SoftBank Vision Fund, which has driven up valuations for startups and has almost certainly complicated the return profile of many of Tiger’s investments. The two also share a penchant for investing internationally, where Tiger had almost a monopoly position before the Vision Fund burst on the scene.

Another wrinkle worth tracking is the increasing opposition of Indian founders to both Tiger (and specifically Fixel) and SoftBank. As I wrote in the newsletter just a few weeks ago:

There is a clear lack of trust between India’s startup and venture communities, which ultimately threatens the sustainability and growth outlook of the country’s tech sector.

But a solution to the problem is not so cut and dry. Mega growth funds like SoftBank and Tiger Global have given limited control to their Indian portfolio companies and have forced their hands on numerous occasions. Yet Ola’s avoidance of SoftBank has led to lower valuations and more difficult and lengthier fundraising processes.

Leaving: Chris Cox & Chris Daniels

Facebook’s chief product officer is leaving along with Chris Daniels, the VP of WhatsApp. TechCrunch’s Josh Constine summarized the situation:

The changes solidify that Facebook is entering a new era as it chases the trend of feed sharing giving way to private communication. Cox and Daniels may feel they’ve done their part advancing Facebook’s product, and that the company needs renewed energy as it shifts from a relentless growth focus to keeping its users loyal while learning to monetize a new form of social networking.

There has been much ink spilled here about what this all means strategically, but I do think that there are no good times for prominent 13-year and 8-year veterans to leave their positions. Zuckerberg seems ready to begin a whole new era for Facebook, and perhaps neither wanted to make the multi-year commitment that his new vision entails.

That, or Cox unplugged the servers yesterday.

Leaving (America): Jay Jorgensen

A very rare move from the United States to Korea for a senior exec, from TechCrunch’s Catherine Shu:

Coupang, the unicorn that is defining e-commerce in Korea, announced today that it has hired Jay Jorgensen, Walmart’s former global chief ethics and compliance officer, to serve as its general counsel and chief compliance officer. Jorgensen will relocate to Seoul for the position.

Founded in 2010, with a total of $3.4 billion raised from investors, including SoftBank, and a valuation of $9 billion, Coupang currently operates only in Korea, where it is the largest e-commerce player, but has offices in Seoul, Beijing, Los Angeles, Mountain View, Seattle and Shanghai.

Coupang has been the outlier success of the Korean startup ecosystem for the past few years. The company’s founder, Bom Kim, who holds a bachelor’s and an MBA from Harvard, has worked to apply American management models to Coupang, attempting to eschew the insular culture typical of Korea’s technology companies. Clearly, that vision is drawing international talent.

Staying: Zachary Kirkhorn

Tesla is getting some financial help from itself, from TechCrunch’s Kirsten Korosec:

The automaker officially tapped as its next chief financial officer Zachary Kirkhorn, a longtime employee who has been part of the automaker’s finance team for nine years, according to securities filings posted Thursday. The automaker also appointed Vaibhav Taneja, who led the integration of Tesla and SolarCity’s accounting teams, as its chief accounting officer. Taneja, who will report to Kirkhorn, will oversee corporate financial reporting, global accounting functions and personnel.

No telling whether Kirkhorn knows how to blow a whistle though….

No Longer Admitted: Bill McGlashan

Sometimes when you venture to make an investment, it doesn’t always pan out, from Maggie Fitzgerald at CNBC:

TPG’s Bill McGlashan was fired from the private equity firm on Thursday amid the massive college cheating scandal.

McGlashan, 55, has been terminated for cause from his positions with TPG and Rise effective immediately.

“After reviewing the allegations of personal misconduct in the criminal complaint, we believe the behavior described to be inexcusable and antithetical to the values of our entire organization,” said a TPG spokesperson.

McGlashan founded TPG Growth, which has had a litany of successes investing in later-stage startups such as Airbnb.

Leaving (but not by choice): Bird employees

Once high-flying and now somewhat not as high-flying scooter startup Bird announced that it was laying off around 40 employees. From TechCrunch’s Megan Rose Dickey:

“As we establish local service centers and deeper roots in cities where we provide service, we have shifting geographic workforce needs,” a Bird spokesperson told TechCrunch. “We are expanding our employee bases in locations that match our growing operations around the world, while developing an efficient operating structure at our Santa Monica headquarters. The recent events are a reflection of shifting geographical needs and our annual talent review process.”

I hope they flip them the Bird on the way out.

India fintech and the growing proxy war between global tech giants

Photo by anand purohit via Getty Images

Written by Arman Tabatabai

South African media conglomerate and investment giant Naspers is reportedly planning to invest $1 billion in India this year.

According to reports earlier this week, Naspers is looking towards India’s budding fintech market in particular to unload the fresh pile of dough it’s sitting on after recently lowering its stake in Tencent and cashing out on Walmart’s $16 billion acquisition of portfolio company Flipkart last year.

The fintech heavy thesis directionally makes sense in the context of Naspers’ broader strategy. Naspers has openly discussed its attraction to India’s financial services market and the company already has an established footprint in the region as the owner of payments platform PayU.

That said, the amount Naspers is reportedly looking to gift in just one year is astounding. Indian fintech startups saw around $2.6 billion of investment in 2018 according to Pitchbook. Naspers’ investment alone would represent a 40% spike in India’s total fintech venture capital.

Though one billion dollars in one year may seem ambitious, Naspers has proven it’s not afraid to pour billions into India and emerging verticals, having just led a $1 billion round in Indian food delivery startup Swiggy only a few months ago.

More importantly, Naspers’ push shows that the company is seriously doubling down in the escalating competition to become the dominant force in India’s booming fintech ecosystem. As we discussed in our recent conversation with Billionaire Raj author James Crabtree, India’s financial system is ripe for disruption. With secular tailwinds like growing mobile penetration and financial literacy, innovative financial models in India have begun leap-frogging traditional institutions, with Google and Boston Consulting Group even forecasting that the market for digital payments in India would reach $500 billion in size by 2020.

And many have taken notice — the number of fintech investments in India has grown at a 200%-plus compound annual growth rate over the last five years, according to data from Pitchbook, as leading investors and global tech powerhouses all battle to become the layer of financial infrastructure on which the future Indian economy sits.

A recent deep dive in the WSJ highlighted how crowded the ongoing fight for Indian payments dominance has become in the context of Paytm, an Indian startup that received a $1.4 billion investment from venture behemoth SoftBank:

The Indian market is one worth fighting for, with hundreds of millions of Indians getting online and starting to transact for the first time, thanks to plummeting prices for mobile data and smartphones.

Digital payments in India are “soaring” and “set to explode,” Credit Suisse said in a February research note. They should rise nearly five times to $1 trillion by 2023, the report said…

…Meanwhile, it isn’t just Google and WhatsApp challenging Paytm. Indian e-commerce titan Flipkart, in which Walmart Inc. bought a controlling stake for $16 billion earlier this year, has a popular payments service called PhonePe. Amazon.com Inc. has its own payments service and two of India’s biggest telecom players, Bharti Airtel Ltd. and Reliance Jio Infocomm Ltd., offer digital wallets, as well.

Next to peers like Alibaba, SoftBank, or Google, Naspers can often seem like the biggest tech company no one has ever heard of. But if its latest swan dive into India can help Naspers strike gold — as it did with its early investment in Tencent — it might just become the company powering the next economies of the world.

Thanks

To every member of Extra Crunch: thank you. You allow us to get off the ad-laden media churn conveyor belt and spend quality time on amazing ideas, people, and companies. If I can ever be of assistance, hit reply, or send an email to danny@techcrunch.com.

This newsletter is written with the assistance of Arman Tabatabai from New York

Investors are still failing to back founders from diverse backgrounds

The large majority of venture dollars are invested in companies run by white men with a university degree, according to a new report by RateMyInvestor and Diversity VC.

This new data reveals that despite the lip service investors have paid to backing founders from diverse backgrounds, much, much, more work needs to be done to actually achieve the industry’s stated goals. It also shows the vast gulf that separates the meritocratic myth that Silicon Valley has created for itself from the hard truths of its natural nepotistic state.

In 2017, venture capital investment reached $84.24 billion, a height not seen since the dot-com bubble of the early 2000s. The data from RateMyInvestor and Diversity VC covers a survey of the seed to Series D investments made during that year from what the two organizations selected as the top 135 firms by deal activity. Those firms invested in 4,475 companies, which collectively included 9,874 co-founders, according to the report.

Of those co-founders only 9 percent were women, while 17 percent identified as Asian American, 2.4 percent identified as Middle Eastern, 1.9 percent identified as Latinx and 1 percent identified as black.

“VCs should make more of a deliberate effort to spend quality time with communities of color that are otherwise unfamiliar,” said Suzy Ryoo, a venture partner and vice president of technology at Cross Culture Ventures. “Another tactical suggestion would be to co-host salon dinners community events with the growing group of early-stage venture funds managed by diverse investors, such as Cross Culture Ventures, Backstage Capital, Precursor Ventures, etc.”

The data compiled by Diversity VC and RateMyInvestor contains some other staggering statistics. Ivy League-educated founders captured 27 percent of all the dollars invested in venture capital startups, while all graduates from all other universities across the U.S. represented 50 percent of venture funding. Founders who graduated from international institutions had nearly 16 percent of venture funding. Founders without a university degree accounted for around 6 percent of the total capital invested.

Finally, investors are still wildly reluctant to leave Silicon Valley to look for new deals, according to the survey. This despite skyrocketing prices for real estate and talent and the emergence of big technology ecosystems in cities across the U.S.

“Silicon Valley has done a poor job of fostering diversity of all forms, especially diversity of thought,” said DCM partner Kyle Lui. “VCs and founders tend to back/hire people who are in their existing network who most likely share the same views as them, went to the same school as them, and shared similar life experiences as them.”

Everything you need to know about Facebook, Google’s app scandal

Facebook and Google landed in hot water with Apple this week after two investigations by TechCrunch revealed the misuse of internal-only certificates — leading to their revocation, which led to a day of downtime at the two tech giants.

Confused about what happened? Here’s everything you need to know.

How did all this start, and what happened?

On Monday, we revealed that Facebook was misusing an Apple-issued enterprise certificate that is only meant for companies to use to distribute internal, employee-only apps without having to go through the Apple App Store. But the social media giant used that certificate to sign an app that Facebook distributed outside the company, violating Apple’s rules.

The app, known simply as “Research,” allowed Facebook unparalleled access to all of the data flowing out of a device. This included access to some of the users’ most sensitive network data. Facebook paid users — including teenagers — $20 per month to install the app. But it wasn’t clear exactly what kind of data was being vacuumed up, or for what reason.

It turns out that the app was a repackaged app that was effectively banned from Apple’s App Store last year for collecting too much data on users.

Apple was angry that Facebook was misusing its special-issue enterprise certificates to push an app it already banned, and revoked it — rendering the app unable to open. But Facebook was using that same certificate to sign its other employee-only apps, effectively knocking them offline until Apple re-issued the certificate.

Then, it turned out Google was doing almost exactly the same thing with its Screenwise app, and Apple’s ban-hammer fell again.

What’s the controversy over these enterprise certificates and what can they do?

If you want to develop Apple apps, you have to abide by its rules — and Apple expressly makes companies agree to its terms.

A key rule is that Apple doesn’t allow app developers to bypass the App Store, where every app is vetted to ensure it’s as secure as it can be. It does, however, grant exceptions for enterprise developers, such as to companies that want to build apps that are only used internally by employees. Facebook and Google in this case signed up to be enterprise developers and agreed to Apple’s developer terms.

Each Apple-issued certificate grants companies permission to distribute apps they develop internally — including pre-release versions of the apps they make, for testing purposes. But these certificates aren’t allowed to be used for ordinary consumers, as they have to download apps through the App Store.

What’s a “root” certificate, and why is its access a big deal?

Because Facebook’s Research and Google’s Screenwise apps were distributed outside of Apple’s App Store, users had to install them manually — known as sideloading. That requires users to go through a convoluted few steps of downloading the app itself, and opening and trusting either Facebook’s or Google’s enterprise developer code-signing certificate, which is what allows the app to run.

Both companies required users after the app installed to agree to an additional configuration step — known as a VPN configuration profile — allowing all of the data flowing out of that user’s phone to funnel down a special tunnel that directs it all to either Facebook or Google, depending on which app you installed.

This is where the Facebook and Google cases differ.

Google’s app collected data and sent it off to Google for research purposes, but couldn’t access encrypted data — such as the content of any network traffic protected by HTTPS, as most apps in the App Store and internet websites are.

Facebook, however, went far further. Its users were asked to go through an additional step to trust an additional type of certificate at the “root” level of the phone. Trusting this Facebook Research root certificate authority allowed the social media giant to look at all of the encrypted traffic flowing out of the device — essentially what we call a “man-in-the-middle” attack. That allowed Facebook to sift through your messages, your emails and any other bit of data that leaves your phone. Only apps that use certificate pinning — which reject any certificate that isn’t their own — were protected, such as iMessage, Signal and any other end-to-end encrypted solutions.

Facebook’s Research app requires Root Certificate access, which lets Facebook gather almost any piece of data transmitted by your phone (Image: supplied)

Google’s app might not have been able to look at encrypted traffic, but the company still flouted the rules — and had its separate enterprise developer code-signing certificate revoked anyway.
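The difference between the two setups described above can be checked mechanically when the configuration arrives as an iOS configuration profile. The following is an added example, not code from the original article or from either company: it assumes an unsigned `.mobileconfig` file, uses the payload type identifiers from Apple's configuration profile format (`com.apple.vpn.managed`, `com.apple.security.root`), and runs on a constructed sample profile whose names and certificate bytes are placeholders.

```python
import hashlib
import plistlib

# Payload types from Apple's configuration-profile format (not from the article).
VPN_TYPE = "com.apple.vpn.managed"
ROOT_TYPE = "com.apple.security.root"


def audit_profile(profile_bytes):
    """Classify an unsigned .mobileconfig by what it lets its issuer observe.

    A signed profile is CMS-wrapped and must be unwrapped first; plistlib
    raises InvalidFileException (a ValueError) on such input.
    """
    profile = plistlib.loads(profile_bytes)
    vpn, roots = [], []
    for payload in profile.get("PayloadContent", []):
        name = payload.get("PayloadDisplayName", "<unnamed>")
        if payload.get("PayloadType") == VPN_TYPE:
            vpn.append(name)
        elif payload.get("PayloadType") == ROOT_TYPE:
            der = payload.get("PayloadContent", b"")
            # Fingerprint of the embedded certificate, for inventory and comparison.
            roots.append((name, hashlib.sha256(der).hexdigest()))
    if vpn and roots:
        exposure = "tls-interception-possible"  # tunnel plus a trusted root CA
    elif vpn:
        exposure = "traffic-routed"  # HTTPS content stays opaque to the tunnel
    elif roots:
        exposure = "root-ca-only"  # needs a network position to matter
    else:
        exposure = "none"
    return {"vpn": vpn, "roots": roots, "exposure": exposure}


def sample_profile(with_root):
    """Constructed sample profile; the certificate bytes are a placeholder."""
    payloads = [{"PayloadType": VPN_TYPE, "VPNType": "IKEv2",
                 "PayloadDisplayName": "Example Research VPN"}]
    if with_root:
        payloads.append({"PayloadType": ROOT_TYPE,
                         "PayloadDisplayName": "Example Research Root CA",
                         "PayloadContent": b"constructed-placeholder-not-a-cert"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": "Constructed sample",
                           "PayloadContent": payloads})


if __name__ == "__main__":
    for with_root in (False, True):
        print(audit_profile(sample_profile(with_root)))
```

A profile with only the VPN payload matches the Google case in the article; the VPN payload combined with a root certificate payload matches the Facebook case.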

What data did Facebook have access to on iOS?

It’s hard to know for sure, but it definitely had access to more data than Google.

Facebook said its app was to help it “understand how people use their mobile devices.” In reality, at root traffic level, Facebook could have accessed any kind of data that left your phone.

Will Strafach, a security expert with whom we spoke for our story, said: “If Facebook makes full use of the level of access they are given by asking users to install the certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.”

Remember: this isn’t “root” access to your phone, like jailbreaking, but root access to the network traffic.

How does this compare to the technical ways other market research programs work?

In fairness, these aren’t market research apps unique to Facebook or Google. Several other companies, like Nielsen and comScore, run similar programs, but neither asks users to install a VPN or provide root access to the network.

In any case, Facebook already has a lot of your data — as does Google. Even if the companies only wanted to look at your data in aggregate with other people, they can still home in on who you talk to, when, for how long and, in some cases, what about. It might not have been such an explosive scandal had Facebook not spent the last year cleaning up after several security and privacy breaches.

Can they capture the data of people the phone owner interacts with?

In both cases, yes. In Google’s case, any unencrypted data that involves another person’s data could have been collected. In Facebook’s case, it goes far further — any data of yours that interacts with another person, such as an email or a message, could have been collected by Facebook’s app.

How many people did this affect?

It’s hard to know for sure. Neither Google nor Facebook has said how many users they have. Between them, it’s believed to be in the thousands. As for the employees affected by the app outages, Facebook has more than 35,000 employees and Google has more than 94,000 employees.

Why did internal apps at Facebook and Google break after Apple revoked the certificates?

You might own your Apple device, but Apple still gets to control what goes on it.

Apple can’t control Facebook’s root certificates, but it can control the enterprise certificates it issues. After Facebook was caught out, Apple said: “Any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked, which is what we did in this case to protect our users and their data.” That meant any app that relied on Facebook’s enterprise certificate — including inside the company — would fail to load. That’s not just pre-release builds of Facebook, Instagram and WhatsApp that staff were working on, but reportedly the company’s travel and collaboration apps were down. In Google’s case, even its catering and lunch menu apps were down.

Facebook’s internal apps were down for about a day, while Google’s internal apps were down for a few hours. None of Facebook or Google’s consumer services were affected, however.

How are people viewing Apple in all this?

Nobody seems thrilled with Facebook or Google at the moment, but not many are happy with Apple, either. Even though Apple sells hardware and doesn’t use your data to profile you or serve you ads — like Facebook and Google do — some are uncomfortable with how much power Apple has over the customers — and enterprises — that use its devices.

By revoking Facebook’s and Google’s enterprise certificates, Apple caused downtime that had a knock-on effect inside both companies.

Is this legal in the U.S.? What about in Europe with GDPR?

Well, it’s not illegal — at least in the U.S. Facebook says it gained consent from its users. The company even said its teenage users must obtain parental consent, even though it was easily skippable and no verification checks were made. It wasn’t even explicitly clear that the children who “consented” really understood how much privacy they were really handing over.

That could lead to major regulatory headaches down the line. “If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime,” wrote TechCrunch’s Natasha Lomas.

Who else has been misusing certificates?

Don’t think that Facebook and Google are alone in this. It turns out that a lot of companies might be flouting the rules, too.

According to many people who have been finding such companies on social media, Sonos uses enterprise certificates for its beta program, as does finance app Binance, as well as DoorDash for its fleet of contractors. It’s not known if Apple will also revoke their enterprise certificates.

What next?

It’s anybody’s guess, but don’t expect this situation to die down any time soon.

Facebook may face repercussions with Europe, as well as at home. Two U.S. senators, Mark Warner and Richard Blumenthal, have already called for action, accusing Facebook of “wiretapping teens.” The Federal Trade Commission may also investigate, if Blumenthal gets his way.

Daily Crunch: AR startups face an uneasy future in 2019

The Daily Crunch is TechCrunch’s roundup of our biggest and most important stories.

1. Magic Leap and other AR startups have a rough 2019 ahead of them 

2018 was supposed to be the year where the foundation of AR was set to expand, but now it looks like momentum has been sucked out of the industry’s heavy hitters.

2. Sorry I took so long to upgrade, Apple 

Apple missed Wall Street’s Q1 sales projections yesterday and the company blamed faltering sales in China for the reason behind the drop. But let’s not kid ourselves; anyone who has an iPhone now is part of the problem. As essential as these devices have become to our lives, it’s too hard for many consumers around the world to justify spending more than $1,000 for a new phone.

3. China’s lunar probe makes history by successfully soft-landing on the far side of the moon

China crossed a major milestone in space exploration last night by becoming the first country to land a probe on the far side of the moon. Named after the Chinese moon goddess, Chang’e 4 will use a low-frequency radio to survey the terrain of the moon.

4. Mary Meeker targets $1.25B for debut fund, called Bond

With Bond, Meeker is set to be the first woman to raise a $1 billion-plus VC fund.

5. Money is no object: China’s Luckin sets sights on rivaling Starbucks 

Caffeinated drinks are taking off in the tea-drinking nation. Luckin, which is only a year old, has announced an ambitious plan to topple Starbucks and expand to 6,000 stores by 2022.

6. 10 predictions on the future of gaming in 2019 

Will the gaming industry clutch up in 2019?

7. Segway unveils a more durable electric scooter and autonomous delivery bot 

Segway’s Model Max scooter is designed to help services like Bird and Lime reduce their respective operating and maintenance costs, while its new Loomo delivery bot is made for autonomous deliveries for food, packages and other items.