Technology

The underpinnings of how app store analytics platforms operate were exposed this week by BuzzFeed, which uncovered the network of mobile apps used by popular analytics firm Sensor Tower to amass app data. The company had operated at least 20 apps, including VPNs and ad blockers, whose main purpose was to collect app usage data from end users in order to make estimations about app trends and revenues. Unfortunately, these sorts of data collection apps are not new — nor unique to Sensor Tower operation.

Sensor Tower was found to operate apps such as Luna VPN, for example, as well as Free and Unlimited VPN, Mobile Data and Adblock Focus, among others. After BuzzFeed reached out, Apple removed Adblock Focus and Google removed Mobile Data. Others are still being investigated, the report said.

Apps& collection of usage data has been an ongoing issue across the app stores.

Facebook and Google have both operated such apps, not always transparently, and Sensor Towerkey rival App Annie continues to do the same today.

Facebook

For Facebook, its 2013 acquisition of VPN app maker Onavo for years served as a competitive advantage. The traffic through the app gave Facebook insight into which other social applications were growing in popularity — so Facebook could either clone their features or acquire them outright. When Apple finally booted Onavo from the App Store half a decade later, Facebook simply brought back the same code in a new wrapper — then called the Facebook Research app. This time, it was a bit more transparent about its data collection, as the Research app was actually paying for the data.

But Apple kicked out that app, too. So Facebook last year launched Study and Viewpoints to further its market research and data collection efforts. These apps are still live today.

Google

Google was also caught doing something similar by way of its Screenwise Meter app, which invited users 18 and up (or 13 if part of a family group) to download the app and participate in the panel. The appusers allowed Google to collect their app and web usage in exchange for gift cards. But like Facebook, Googleapp used AppleEnterprise Certificate program to work — a violation of Apple policy that saw the app removed, again following media coverage. Screenwise Meter returned to the App Store last year and continues to track app usage, among other things, with panelists& consent.

App Annie

App Annie, a firm that directly competes with Sensor Tower, has acquired mobile data companies and now operates its own set of apps to track app usage under those brands.

In 2014, App Annie bought Distimo, and as of 2016 has run Phone Guardian, a &secure Wi-Fi and VPN& app, under the Distimo brand.

The app discloses its relationship with App Annie in its App Store description, but remains vague about its true purpose:

&Trusted by more than 1 million users, App Annie is the leading global provider of mobile performance estimates. In short, we help app developers build better apps. We build our mobile performance estimates by learning how people use their devices. We do this with the help of this app.&

In 2015, App Annie acquired Mobidia. Since 2017, it has operated real-time data usage monitor My Data Manager under that brand, as well. The App Store description only offers the same vague disclosure, which means users aren&t likely aware of what they&re agreeing to.

Disclosure?

The problem with apps like App Annieand Sensor Toweris that they&re marketed as offering a particular function, when their real purpose for existing is entirely another.

The app companies& defense is that they do disclose and require consent during onboarding. For example, Sensor Tower apps explicitly tell users what is collected and what is not:

App Annieapp offers a similar disclosure, and takes the extra step of identifying the parent company by name:

App Annie also says its apps can continue to be used even if data sharing is turned off.

Despite these opt-ins, end users may still not understand that their VPN app is actually tied to a much larger data collection operation, however anonymized that data may be. After all, App Annie and Sensor Tower aren&t household names (unless you&re an app publisher or marketer.)

Apple and Googleresponsibility

Apple and Google, letbe fair, are also culpable here.

Of course, Google is more pro-data collection because of the nature of its own business as an advertising-powered company. (It even tracks users in the real world via the Google Maps app.)

Apple, meanwhile, markets itself as a privacy-focused company, so is deserving of increased scrutiny.

It seems unfathomable that, following the Onavo scandal, Apple wouldn&t have taken a closer look into the VPN app category to ensure its apps were compliant with its rules and transparent about the nature of their businesses. In particular, it seems Apple would have paid close attention to apps operated by companies in the app store intelligence business, like App Annie and its subsidiaries.

Apple is surely aware of how these companies acquire data — itcommon industry knowledge. Plus, App Annieacquisitions were publicly disclosed.

But Apple is conflicted. It wants to protect app usage and user data (and be known for protecting such data) by not providing any broader app store metrics of its own. However, it also knows that app publishers need such data to operate competitively on the App Store. So instead of being proactive about sweeping the App Store for data collection utilities, it remains reactive by pulling select apps when the media puts them on blast, as BuzzFeedreport has since done. That allows Apple to maintain a veil of innocence.

But pulling user data directly covertly is only one way to operate. As Facebook and Google have since realized, iteasier to run these sorts of operations on the App Store if the apps just say, basically, &this is a data collection app,& and/or offer payment for participation — as do many marketing research panels. This is a more transparent relationship from a consumerperspective too, as they know they&re agreeing to sell their data.

Meanwhile, Sensor Tower and App Annie competitor Apptopia says it tested then scrapped its own ad blocker app around six years ago, but claims it never collected data with it. It now favors getting its data directly from its app developer customers.

&We can confidently state that 100% of the proprietary data we collect is from shared App Analytics Accounts where app developers proactively and explicitly share their data with us, and give us the right to use it for modeling,& stated Apptopia co-founder and COO, Jonathan Kay. &We do not collect any data from mobile panels, third-party apps or even at the user/device level.&

This system (which is used by the others as well) isn&t necessarily a solution for end users concerned about data collection, as it further obscures the collection and sharing process. Generally, consumers don&t know which app developers are sharing this data, what data is being shared, or how itbeing utilized. App data of this nature isn&t on the user level (meaning itnot personal data), but itstill about reporting back to the developer things like installs, daily and monthly users, and revenue, among other things. (Fortunately, Apple allows users to disable the sharing of some diagnostic and usage data from within iOS Settings.)

Data collection done by app analytics firms is only one of many, many ways that apps leak data, however.

In fact, many apps collect personal data — including data thatfar more sensitive than anonymized app usage trends — by way of their included SDKs (software development kits). These tools allow apps to share data with numerous technology companies, including ad networks, data brokers and aggregators, both large and small. Itnot illegal, and mainstream users probably don&t know about this either.

Instead, user awareness seems to crop up through conspiracy theories, like &Facebook is listening through the microphone,& without realizing that Facebook collects so much data it doesn&t really need to do so. (Well, except when it does).

In the wake of BuzzFeedreporting, Sensor Tower says it&taking immediate steps to make Sensor Towerconnection to our apps perfectly clear, and adding even more visibility around the data their users share with us.&

Google isn&t providing an official comment. Apple didn&t respond to requests for comment.

Sensor Towerfull statement is below:

Our business model is predicated on high-level, macro app trends. As such, we do not collect or store any personally identifiable information (PII) about users on our servers or elsewhere. In fact, based on the way our apps are designed, such data is separated before we could possibly view or interact with it, and all we see are ad creatives being served to users. What we do store is extremely high level, aggregated advertising data that may demonstrate trends that we share with customers.

Our privacy policy follows best practices and makes our data use clear. We want to reiterate that our apps do not collect any PII, and therefore it cannot be shared with any other entity, Sensor Tower or otherwise. We&ve made this very clear in our privacy policy, which users actively opt into during the apps& onboarding processes after being shown an unambiguous disclaimer detailing what data is shared with us. As a routine matter, and as our business evolves, we&ll always take a privacy-centric approach to new features to help ensure that any PII remains uncollected and is fully safeguarded.

Based on the feedback we&ve received, we&re taking immediate steps to make Sensor Towerconnection to our apps perfectly clear, and adding even more visibility around the data their users share with us.

App Annie shared the below statement, referencing the root certificate installations mentioned in the BuzzFeed article. (On iOS devices, VPN certificates don&t get full root access, however):

App Annie does not use root certificates at any point in its data collection process.

App Annie discloses that when users opt into data collection (and data sharing is not mandatory to use our apps), data will be shared with App Annie for the purposes of creating market research. We only collect data after users expressly consent to this collection within our apps. We are very transparent, both on the app stores and in the apps themselves and clearly connect App Annie to our mobile apps.

Two video startups are making dueling legal claims against the other.

The Wall Street Journal broke the news yesterday that interactive video company Eko is accusing Quibi of infringing on its patented technology.

At around the same time, The Hollywood Reporter noted that Quibi (which is launching its short-form mobile video service next month) has filed a complaint in California federal court claiming that Eko has engaged in &a campaign of threats and harassment.&

At the heart of the dispute is QuibiTurnstyle technology, which allows viewers to seamlessly switch between landscape and portrait-mode viewing.

Both companies seem to agree that Eko CEO Yoni Bloch met with Jeffrey Katzenberg in March 2017 (before Katzenberg had even founded Quibi) about a possible investment in Eko, and that there was at least one follow-up meeting between Quibi and Eko employees in 2019.

Eko claims that it provided Quibi employees — both while they were working at Quibi and before then, when they were previously at Snap — with details and code behind its technology. Then, after Katzenberg and Quibi CEO Meg Whitman showed off Turnstyle at CES this year, Eko sent a letter to Quibi claiming that the feature infringed on its intellectual property. (According to the Journalstory, Ekolawyers have sent a letter to Quibi but have not filed a lawsuit.)

&Our Turnstyle technology was developed internally at Quibi by our talented engineers and we have, in fact, received a patent for it,& Quibi said in a statement. &These claims have absolutely no merit and we will vigorously defend ourselves against them in court.&

Meanwhile, in a statement, Eko described Quibitechnology as &a near-identical copy of its own,& and said the companylegal motion is ¬hing more than a PR stunt&:

It is telling that Quibi filed the motion only after learning the Wall Street Journal was going to publish an article exposing allegations of Quibitheft of Ekotechnology … Eko will take the legal actions necessary to defend its intellectual property and looks forward to demonstrating its patent rights to the court.

You can read Quibifull complaint below.

Quibi complaint by TechCrunch on Scribd

Twitter today updated its Developer Policy to clarify rules around data usage, including in academic research, as well as its position on bots, among other things. The policy has also been entirely rewritten in an effort to simplify the language used and make it more conversational, Twitter says. The new policy has been shortened from eight sections to four, and the accompanying Twitter Developer Agreement has been updated to align with the Policy changes, as well.

One of the more notable updates to the new policy is a change to the rules to better support non-commercial research.

Twitter data is used to study topics like spam, abuse and other areas related to conversation health, the company noted, and it wants these efforts to continue. The revised policy now allows the use of the Twitter API for academic research purposes. In addition, Twitter is simplifying its rules around the redistribution of Twitter data to aid researchers. Now, researchers will be able to share an unlimited number of Tweet IDs and/or User IDs, if they&re doing so on behalf of an academic institution and for the sole purpose of non-commercial research, such as peer review, says Twitter.

The company is also revising rules to clarify how developers are to proceed when the use cases for Twitter data change. In the new policy, developers are informed that they must notify the company of any &substantive& modification to their use case and receive approval before using Twitter content for that purpose. Not doing so will result in suspension and termination of their API and data access, Twitter warns.

The policy additionally outlines when and where &off-Twitter matching& is permitted, meaning when a Twitter account is being associated with a profile built using other data. Either the developer will need to obtain opt-in consent from the user in question, or they can only proceed if the information was provided by the person or is based on publicly available data.

The above changes are focused on ensuring Twitter data is accessible when being used for something of merit, like academic research, and that itprotected from more questionable use cases.

Finally, the revamped policy clarifies that not all bots are bad. Some even enhance the Twitter experience, the company says, or provide useful information. As examples of good bots, Twitter pointed to the fun account@everycolorbot and informative @earthquakesSF.

Twitter identifies a bot as any account where behaviors like &creating, publishing, and interacting with Tweets or Direct Messages are automated in some way through our API.&

Going forward, developers must specify if they&re operating a bot account, what the account is, and who is behind it. This way, explains Twitter, &iteasier for everyone on Twitter to know whata bot & and whatnot.&

Of course, those operating bots for more nefarious purposes — like spreading propaganda or disinformation — will likely just ignore this policy and hope not to be found out. This particular change follows the recent finding that a quarter of all tweets about climate change were coming from bots posting messages of climate change denialism. In addition, it was recently discovered that Trump supporters and QAnon conspiracists were using an app called Power10 to turn their Twitter accounts into bots.

Twitter says since it introduced a new developer review process in July 2018, it has reviewed over a million developer applications and approved 75%. It also suspended more than 144,000 apps from bad actors in the last six months and revamped its developer application to be easier to use. Itnow working on the next generation of the Twitter API and is continuing to explore new products, including through its testing program, Twitter Developer Labs.

Criteo faces a privacy investigation, an e-discovery startup raises $62 million and hackers hack other hackers. Hereyour Daily Crunch for March 10, 2020.

1. Adtech giant Criteo is being investigated by Francedata watchdog

Criteo is under investigation by the French data protection watchdog, the CNIL, following a complaint filed by privacy rights campaign group Privacy International.

Back in November 2018, a few months after GDPR (Europeupdated data protection framework) came into force, Privacy International filed complaints against a number of companies operating in the space — including Criteo. A subsequent investigation by the rights group found adtech trackers on mental health websites sharing sensitive user data for ad targeting purposes.

2. Everlaw announces $62M Series C to continue modernizing legal discovery

Everlaw is bringing modern data management, visualization and machine learning to e-discovery, the process in which legal entities review large amounts of evidence to build a case. CapitalG (Alphabetgrowth equity investment fund) and Menlo Ventures led the round.

3. Hackers are targeting other hackers by infecting their tools with malware

CybereasonAmit Serper found that the attackers in this years-long campaign are taking existing hacking tools and injecting a powerful remote-access trojan. When the tools are opened, the hackers gain full access to the targetcomputer.

4. Amazon creates $5M relief fund to aid small businesses in Seattle impacted by coronavirus outbreak

The fund will provide cash grants to local small businesses in need during the novel coronavirus outbreak. The money will be directed toward small businesses with fewer than 50 employees or less than $7 million in annual revenue, and with a physical presence within a few blocks of Regrade and South Lake Union office buildings.

5. Stitch Fixsharp decline signals high growth hurdles for tech-enabled startups

Shares of Stitch Fix, a digitally-enabled &styling service,& are off sharply this morning after its earnings failed to excite public market investors. The firm, worth over $29 per share as recently as February, opened today worth just $14.75 per share. (Extra Crunch membership required.)

6. Facebook Stories tests cross-posting to its pet, Instagram

Facebooklatest colonization of Instagram has begun — the social network is testing the option to cross-post Stories to Instagram, instead of just vice-versa.

7. Sequoia is giving away $21M to a payments startup it recently funded as it walks away from deal

Sequoia Capital has, for the first time in its history, parted ways with a newly funded company (Finix) over a purported conflict of interest and, almost more shockingly, handed back its board seat, its information rights, its shares and its full investment.

The Daily Crunch is TechCrunchroundup of our biggest and most important stories. If you&d like to get this delivered to your inbox every day at around 9am Pacific, you can subscribe here.

&Dear Sophie& is an advice column that answers immigration-related questions about working at technology companies.

&Your questions are vital to the spread of knowledge that allows people all over the world to rise above borders and pursue their dreams,& says Sophie Alcorn, a Silicon Valley immigration attorney. &Whether you&re in people ops, a founder or seeking a job in Silicon Valley, I would love to answer your questions in my next column.&

&Dear Sophie& columns are accessible for Extra Crunch subscribers; use promo code ALCORN to purchase a one or two-year subscription for 50% off.

Dear Sophie:

I work at a startup and my company is sponsoring me for an EB-2 NIW green card because they didn&t want to deal with PERM. I have some unique skills and am helping create a new technology that will support Americans and create jobs.

We just got hit with a massive Request for Evidence. I&m supposed to marry my American fiancé next month, but I really wanted to immigrate based on my own accomplishments. What should I do?

Marrying in the Marina

Dear Marrying,

I get it. We can strive so hard to achieve everything based on our merit and accomplishments, but for tech professionals who are used to success, it can be frustrating when we&re forced to depend on our employer or our beloved for our future. The startup ecosystem rewards fierce independence, and it can feel uncomfortable to ask others for support.

Monograph, a startup working on cloud-based software that makes project and cost management easier for architects, announced today that it has raised $1.9 million in seed funding. The round was led by Homebrew Ventures and Parade Ventures, with participation from Designer Fund, Hustle Fund VC and angel investors.

The San Francisco-based startup was founded last year by Robert Yuen, Alex Dixon and Moe Amaya. Each has experience in architecture, design and software development, making them well-positioned to create a management platform tailored for architects.

Monograph was designed to be easy to use, with an emphasis on the onboarding process so firms are encouraged to switch from traditional project management methods, like spreadsheets, to the software. The startup says hundreds of architects, ranging from solo practitioners to firms with more than 60 people, have already signed up. Monograph has been used to help manage more than $125 million in projects, ranging in size from bathroom and kitchen remodeling to building large hotels.

[gallery ids="1956919,1956918,1956917"]

Before Monograph, the three were partners in an agency called Dixon and Moe, working as UI/UX consultants for tech startups and architecture firms.

&Monograph really grew out of the agency as a product we saw solving problems that we saw in our day to day lives as architectural designers, and also in our everyday lives with our friends,& Yuen told TechCrunch. &Thatthe loss in the transparency of information between how much time you are spending on work, how projects are going, who is working on it. There is really no accurate way to manage a project and they are growing in complexity each year.&

Like other tech companies in the architecture space, including PlanGrid, Procore and UpCodes, Monograph is designed to streamline aspects of the design and building process, while making it easier for teams to collaborate.

Monograph is currently designed for use by architects and consultants, and includes tools to assign milestones, manage project timelines and for timesheets, billing and invoicing. Data is then used for cost and progress analytics, like MoneyGantt, a feature for budget forecasting.

Yuen says that no matter a projectsize, each team includes architects, designers and engineers. By the end of the year, the company plans to start releasing new versions of Monograph that can be used by structural, electrical and mechanical engineers, as well as other licensed professionals.

The companyfunding will be used to hire for its software engineering and customer support teams.

In a press statement, Homebrew partner Satya Patel said &Monograph offers transformative organization and project management software that is changing the way architects and designers work so that they can deliver better client service, manage costs and earn more profit. We look forward to seeing the companycontinued growth and innovation in a market that has been waiting for modern solutions.&