Femtech hardware startup Elvie inks strategic partnership with UK’s NHS

Elvie, a femtech hardware startup whose first product is a sleek smart pelvic floor exerciser, has inked a strategic partnership with the UK’s National Health Service that will make the device available nationwide through the country’s free-at-the-point-of-use healthcare service so at no direct cost to the patient.

It’s a major win for the startup that was co-founded in 2013 by CEO Tania Boler and Jawbone founder, Alexander Asseily, with the aim of building smart technology that focuses on women’s issues — an overlooked and underserved category in the gadget space.

Before starting Elvie (née Chiaro), Boler’s background included working for the U.N. on global sex education curricula. But her interest in pelvic floor health, and the inspiration for starting Elvie, began after she had a baby herself and found there was more support for women in France than in the U.K. when it came to taking care of their bodies after giving birth.

With the NHS partnership, which is the startup’s first national reimbursement partnership (and therefore, as a spokeswoman puts it, has “the potential to be transformative” for the still young company), Elvie is emphasizing the opportunity for its connected tech to help reduce symptoms of urinary incontinence, including those suffered by new mums or in cases of stress-related urinary incontinence.

The Elvie kegel trainer is designed to make pelvic floor exercising fun and easy for women, with real-time feedback delivered via an app that also gamifies the activity, guiding users through exercises intended to strengthen their pelvic floor and thus help reduce urinary incontinence symptoms. The device can also alert users when they are contracting incorrectly.

Elvie cites research suggesting the NHS spends £233M annually on incontinence, claiming also that around a third of women and up to 70% of expectant and new mums currently suffer from urinary incontinence. In 70 per cent of stress urinary incontinence cases it suggests symptoms can be reduced or eliminated via pelvic floor muscle training.

And while there’s no absolute need for any device to perform the muscle contractions that strengthen the pelvic floor, the challenge the Elvie Trainer is intended to help with is that it can be difficult for women to know whether they are performing the exercises correctly or effectively.

Elvie cites a 2004 study that suggests around a third of women can’t exercise their pelvic floor correctly with written or verbal instruction alone. Whereas it says that biofeedback devices (generally, rather than the Elvie Trainer specifically) have been proven to increase success rates of pelvic floor training programmes by 10% — which it says other studies have suggested can lower surgery rates by 50% and reduce treatment costs by £424 per patient head within the first year.

“Until now, biofeedback pelvic floor training devices have only been available through the NHS for at-home use on loan from the patient’s hospital, with patient allocation dependent upon demand. Elvie Trainer will be the first at-home biofeedback device available on the NHS for patients to keep, which will support long-term motivation,” it adds.

Commenting in a statement, Clare Pacey, a specialist women’s health physiotherapist at Kings College Hospital, said: “I am delighted that Elvie Trainer is now available via the NHS. Apart from the fact that it is a sleek, discreet and beautiful product, the app is simple to use and immediate visual feedback directly to your phone screen can be extremely rewarding and motivating. It helps to make pelvic floor rehabilitation fun, which is essential in order to be maintained.”

Elvie is not disclosing commercial details of the NHS partnership but a spokeswoman told us the main objective for this strategic partnership is to broaden access to Elvie Trainer, adding: “The wholesale pricing reflects that.”

Discussing the structure of the supply arrangement, she said Elvie is working with Eurosurgical as its delivery partner — a distributor she said has “decades of experience supplying products to the NHS”.

“The approach will vary by Trust, regarding whether a unit is ordered for a particular patient or whether a small stock will be held so a unit may be provided to a patient within the session in which the need is established. This process will be monitored and reviewed to determine the most efficient and economic distribution method for the NHS Supply Chain,” she added.

AI training and social network content moderation services bring TaskUs a $250 million windfall

TaskUs, the business process outsourcing service that moderates content, annotates information and handles back office customer support for some of the world’s largest tech companies, has raised $250 million in an investment from funds managed by the New York-based private equity giant, Blackstone Group.

It’s been ten years since TaskUs was founded with a $20,000 investment from its two co-founders, and the new deal, which values the decade-old company at $500 million before the money even comes in, is proof of how much has changed for the service in the years since it was founded.

The Santa Monica-based company, which began as a browser-based virtual assistant company — “You send us a task and we get the task done,” recalled TaskUs chief executive Bryce Maddock — is now one of the main providers in the growing field of content moderation for social networks and content annotation for training the algorithms that power artificial intelligence services around the world.

“What I can tell you is we do content moderation for almost every major social network and it’s the fastest growing part of our business today,” Maddock said.

From a network of offices spanning the globe from Mexico to Taiwan and the Philippines to the U.S., the thirty-two-year-old co-founders Maddock and Jaspar Weir have created a business whose largest growth stems from snuffing out the distribution of snuff films, child pornography, inappropriate political content and the trails of human trafficking from the user- and advertiser-generated content on some of the world’s largest social networks.

(For a glimpse into how horrific that process can be, take a look at this article from Wired which looked at content moderation for the anonymous messaging service, Whisper.)

Maddock estimates that while the vast majority of the business was outsourcing business process services in the company’s early days (whether that was transcribing voice mails to texts for the messaging service PhoneTag, or providing customer service and support for companies like HotelTonight) now about 40% of the business comes from content moderation.

Indeed, it was the growth in new technology services that attracted Blackstone to the business, according to Amit Dixit, Senior Managing Director at Blackstone.

“The growth in ride sharing, social media, online food delivery, e-commerce and autonomous driving is creating an enormous need for enabling business services,” said Dixit in a statement. “TaskUs has established a leadership position in this domain with its base of marquee customers, unique culture, and relentless focus on customer delivery.”

While the back office business processing services remain the majority of the company’s revenue, Maddock knows that the future belongs to an increasing automation of the company’s core services. That’s why part of the money is going to be invested in a new technology integration and consulting business that advises tech companies on which new automation tools to deploy, along with shoring up the company’s position as perhaps the best employer to work for in the world of content moderation and algorithm training services.

It’s been a long five-year journey to get to the place it’s in now, with glowing reviews from employees on Glassdoor and social networks like Facebook, Maddock said. The company pays well above minimum wage in the markets it operates in (Maddock estimates at least a 50% premium) and provides a generous package of benefits for what Maddock calls the “frontline” teammates. That includes perks like educational scholarships for one child of employees that have been with the company longer than one year; healthcare plans for the employee and three beneficiaries in the Philippines; and 120 days of maternity leave.

And, as content moderation is becoming more automated, the TaskUs employees are spending less time in the human cesspool that attempts to flood social networks every day.

“Increasingly the work that we’re doing is more nuanced. Does this advertisement have political intent? That type of work is far more engaging and could be seen to be a little bit less taxing,” Maddock said.

But he doesn’t deny that the bulk of the hard work his employees are tasked with is identifying and filtering the excremental trash that people would post online.

“I do think that the work is absolutely necessary. The alternative is that everybody has to look at this stuff. It has to be done in a way that’s thoughtful and puts the interests of the people who are on the frontlines at the forefront of that effort,” says Maddock. “There have been multiple people who have been involved in sex trafficking, human trafficking and pedophilia that have been arrested directly because of the work that TaskUs is doing. And the consequence of someone not doing that is a far, far worse world.”

Maddock also said that TaskUs now shields its employees from having to perform content moderation for an entire shift. “What we have tried to do universally is that there is a subject matter rotation so that you are not just sitting and doing that work all day.”

And the company’s executive knows how taxing the work can be because he said he does it himself. “I try to spend a day a quarter doing the work of our frontline teammates. I spend half my time in our offices,” Maddock said.

Now, with the new investment, TaskUs is looking to expand into additional markets in the UK, Europe, India, and Latin America, Maddock said.

“So far all we’ve been doing is hiring as fast as we possibly can,” said Maddock. “At some point in the future, there’s going to be a point when companies like ours will see the effects of automation,” he added. That is why the company is investing in the consulting business: so it can stay ahead of the trends in automation.

Even with the threat that automation could pose to the company’s business, TaskUs had no shortage of other suitors for the massive growth equity round, according to one person familiar with the company. Indeed, Goldman Sachs and Softbank were among the other bidders for a piece of TaskUs, the source said.

Currently, the company has over 11,000 employees (including 2,000 in the U.S.) and is looking to expand.

“We chose to partner with Blackstone because they have a track record of building category defining businesses. Our goal is to build TaskUs into the world’s number one provider of tech enabled business services.  This partnership will help us dramatically increase our investment in consulting, technology and innovation to support our customer’s efforts to streamline and refine their customer experience,” said Maddock in a statement.

The transaction is expected to close in the fourth quarter of 2018, subject to regulatory approvals and customary closing conditions.

India’s Uber rival Ola is headed to Europe with ride-hailing launch in the UK

The UK is getting a new alternative to Uber after India-based ride-hailing company Ola announced plans to expand to the country, which will become its first market in Europe.

Ola was founded in 2010 and it covers over 110 cities in India, where it offers licensed taxis, private hire cars and rickshaws through a network of over one million drivers. The company has raised around $3 billion from investors that include SoftBank, Chinese duo Tencent and Didi Chuxing, and DST Global. It was last valued at $7 billion. Ola ventured overseas for the first time when it launched in Australia earlier this year (it is now in seven cities there) and its move into the UK signals a further expansion into Europe.

Ola’s UK service isn’t live right now, but the company said it will begin offering licensed taxi and private hire bookings initially in South Wales and Greater Manchester “soon.” Ola plans to expand that coverage nationwide before the end of this year. That will eventually mean taking on Uber, and potentially Taxify (another unicorn startup backed by Didi, which is looking to relaunch in the UK), in London and other major cities.

So, why the UK?

Ola CEO and co-founder Bhavish Aggarwal called the country “a fantastic place to do business” and added that he “look[s] forward to providing a responsible, compelling, new service that can help the country meet its ever demanding mobility needs.”

It’s no secret that Uber has struggled in London, where its gung-ho attitude to business (‘launch first, apologize later’) has seen it run into issues with regulators. Uber (just about) won a provisional 15-month transport license earlier this year following an appeal, after the city’s transport regulator, Transport for London (TfL), had earlier rejected its application.

The ‘New Uber’, under CEO Dara Khosrowshahi, is trying to right the wrongs of the past, but compliance with regulators takes time and requires wholesale changes to business, operations and company culture.

Ola isn’t commenting directly on its rivalry with Uber (we did ask, but got a predictable “no comment”), but the tone of its announcement today shows it is focused on being a more collaborative player than Uber.

Indeed, there’s been much groundwork. Aggarwal met with regulators in London last year and he said in a statement released today that he plans “continued engagement with policymakers and regulators” as the Ola service expands across the UK.

International expansion is very much part of Ola’s ambition to go public, which Aggarwal recently said could happen in the next three to four years. But Ola isn’t alone in looking overseas. Didi, the firm that defeated Uber in China and has backed Ola, Taxify and many others, has also been busy moving into new markets.

Last year, the firm raised $4 billion to double down on technology and AI and to go overseas, and it has come good on that promise by entering Mexico, Australia and Taiwan. It also landed Brazil through the acquisition of local player and Uber rival 99, and it is preparing to go live in Japan, where it will operate a taxi-booking service through a joint venture with SoftBank.

Wonga investors inject £10M so cash-strapped payday lender can fund claims

If you were at Disrupt London four years ago you may remember more than a little awkwardness during an investor panel when two VCs that had invested in European payday loans firm Wonga declined to comment on what had gone wrong at their portfolio company in the wake of a £220M write down.

Yesterday Sky News reported that those same two, Accel Partners and Balderton Capital, are among a group of Wonga investors that have agreed to inject a further £10M (~$13M) into the business to help fund compensation claims related to its past censured practices.

We’ve reached out to Accel and Balderton for comment.

Prior to the latest emergency funding, Wonga had raised a total of around £145.5M, according to Crunchbase. Its 2011 Series C round was backed by investors including Accel, Oak Investment, Meritech Capital and 83North, while a 2009 Series B included Accel, Balderton, Dawn Capital, HV Holtzbrinck Ventures and 83North. It was founded in the UK in 2006.

By 2014 rising concern about the rates of interest being charged to vulnerable customers on short term loan products led to a regulatory intervention to clean up the sector, and Wonga agreed to write off the loans of 330,000 customers.

It also agreed to waive the interest and fees for a further 45,000 after admitting its automated checks had failed to adequately assess affordability. The algorithmic technology it had touted as its core IP had been lending money to people who did not have the income to pay it back.

The company was also censured by the Financial Conduct Authority (FCA) for sending fake lawyers’ letters to customers in arrears — and had to pay out a further £2.6M in compensation for that.

Four years later Wonga is still paying the bill for its past conduct — in the form of increasing numbers of individual compensation claims.

In a statement issued to Sky News, a Wonga Group spokesman said there has been a “marked increase” in compensation claims for legacy loans driven by claims management companies.

“Wonga continues to make progress against the transformation plan set out for the business. In recent months, however, the short-term credit industry has seen a marked increase in claims related to legacy loans, driven principally by claims management company activity,” the spokesman said.

“In line with this changing market environment, Wonga has seen a significant increase in claims related to loans taken out before the current management team joined the business in 2014. As a result, the team has raised £10M of new capital from existing shareholders, who remain fully supportive of management’s plans for the business.‎”

According to Sky News, Wonga was on the brink of insolvency when its investors agreed to inject more capital into the business, with CEO Tara Kneafsey‎ warning its institutional shareholders in late May the company risked becoming insolvent without a capital injection.

Following the shredding of its original business model — with the FCA’s cap of 0.8 per cent per day for all high-cost short-term credit loans applying from January 2015 — Wonga has been loss making for the past several years, reporting a £65M loss for 2016 and just over £80M for 2015.

And Sky reports that its latest emergency fundraising took place at a valuation of just $30M (£23M) for the business.

This represents a swingeing haircut for a company that, in 2012, had believed it was on a three-year growth path to a £15BN valuation, i.e. off the back of short-term loan products that charged annual interest rates as high as 5,853% and were sold to hundreds of thousands of people who couldn’t afford to pay them back.

Wonga’s website now lists as “representative” an APR of 1,460% in an online FAQ — and further claims: “We’ve introduced lots of changes at Wonga to make sure we offer better, fairer loans to customers. We take a responsible approach and lend only to those we believe can reasonably afford to repay.”

As part of this process of ‘transformation’ (i.e. from algorithmic loan sharking to regulation-compliant short-term lending), one recent focus for Wonga’s executive team in trying to drum up ethical business has been offering more flexible loan products.

Sky says Wonga’s board has previously expressed confidence it can build a sustainable business, and notes the company had been targeting a return to profitability last year but has yet to report its results for 2017.

According to its sources, Wonga’s cashflow situation has become so tight its board is evaluating the sale of some of its assets in addition to raising more debt.

Already last year Wonga sold off its German payments business, BillPay, to Klarna, raising around £60M.

UK report highlights changing gadget habits — and our need for an online fix

A look back at the past decade of consumer technology use in the UK has shone a light on changing gadget habits, underlining how Brits have gone from being smartphone dabblers back in 2008 when a top-of-the-range smartphone cost ~£500 to true addicts in today’s £1k+ premium smartphone era.

The report also highlights what seems to be, at times, a conflicted relationship between Brits and the Internet.

While nine in ten people in the UK have home access to the Internet here in 2018, some web users report feeling that being online is a time-sink or a constraint on their freedom.

But even more said they feel lost or bored without it.

Over the past decade the Internet looks to have consolidated its grip on the spacetime that boredom occupied for the less connected generations that came before.

The overview comes via regulator Ofcom’s 2018 Communications Market report. The full report commenting on key market developments in the country’s communications sector is a meaty, stat and chart-filled read.

The regulator has also produced a 30-slide interactive version this year.

Commenting on the report findings in a statement, Ian Macrae, Ofcom’s director of market intelligence, said: “Over the last decade, people’s lives have been transformed by the rise of the smartphone, together with better access to the Internet and new services. Whether it’s working flexibly, keeping up with current affairs or shopping online, we can do more on the move than ever before.

“But while people appreciate their smartphone as their constant companion, some are finding themselves feeling overloaded when online, or frustrated when they’re not.”

We’ve pulled out some highlights from the report below…

  • Less than a fifth (17%) of UK citizens owned a smartphone a decade ago; the figure now stands at 78% — and a full 95% of 16-24 year-olds. So, yeah, kids don’t get called digital natives for nothin’
  • People in the UK check their smartphones, on average, every 12 minutes of the waking day. (‘Digital wellbeing’ tools clearly have their work cut out to kick against this grain… )
  • Ofcom found that two in five adults (40%) first look at their phone within five minutes of waking up (rising to 65% of the under 35s). While around a third (37%) of adults check their phones five minutes before lights out (again rising to 60% of under-35s). Shame it didn’t also ask how well people are sleeping
  • Contrary to a decade ago, most UK citizens say they need and expect a constant Internet connection wherever they go. Two thirds of adults (64%) say it’s an essential part of their life. One in five adults (19%) say they spend more than 40 hours a week online, up from 5% just over ten years ago
  • Three quarters (74%) of people say being online keeps them close to friends and family. Two fifths (41%) say it enables them to work more flexibly

Smartphone screen addicts, much?

  • Seventy-two per cent of adults say their smartphone is their most important device for accessing the Internet; 71% say they never turn off their phone; and 78% say they could not live without it
  • Ofcom found the amount of time Brits spend making phone calls from mobiles has fallen for the first time — using a mobile for phone calls is only considered important by 75% of smartphone users vs 92% who consider web browsing on a smartphone to be important (and indeed the proportion of people accessing the Internet on their mobile has increased from 20% almost a decade ago to 72% in 2018)
  • The average amount of time spent online on a smartphone is 2 hours 28 minutes per day. This rises to 3 hours 14 minutes among 18-24s

Social and emotional friction, plus the generation gap…

  • On the irritation front, three quarters of people (76%) find it annoying when someone is listening to music, watching videos or playing games loudly on public transport; while an impressive 81% object to people using their phone during meal times
  • TV is another matter though. The majority (53%) of adults say they are usually on their phone while watching TV with others. There’s a generation gap related to social acceptance of this though: With a majority (62%) of people over the age of 55 thinking it’s unacceptable — dropping to just two in ten (21%) among those aged 18-34
  • Ofcom also found that significant numbers of people say the online experience has negative effects. Fifteen per cent agree it makes them feel they are always at work, and more than half (54%) admit that connected devices interrupt face-to-face conversations with friends and family, which offers a useful counterpoint to social media giants’ shiny marketing claims that their platforms ‘connect people’ (the truth is more that they both connect and disconnect). More than two in five (43%) also admit to spending too much time online
  • Around a third of people say they feel either cut off (34%) or lost (29%) without the Internet, and if they can’t get online, 17% say they find it stressful. Half of all UK adults (50%) say their life would be boring if they could not access the Internet 
  • On the flip side, a smaller proportion of UK citizens view a lack of Internet access in a positive light. One in ten says they feel more productive offline (interestingly this rises to 15% for 18-34 year-olds); while 10% say they find it liberating; and 16% feel less distracted

The impact of (multifaceted and increasingly powerful and capable) smartphones can also be seen on some other types of gadgets. Though TV screens continue to compel Brits (possibly because they feel it’s okay to keep using their smartphones while sitting in front of a bigger screen… )

  • Ofcom says ownership of tablets (58% of UK households) and games consoles (44% of UK adults) has plateaued in the last three years
  • Desktop PC ownership has declined majorly over the past decade — from a large majority (69%) of households with access in 2008 to less than a third (28%) in 2018
  • As of 2017, smart TVs were in 42% of households — up from just 5% in 2012
  • Smart speakers weren’t around in 2008 but they’ve now carved out a space in 13% of UK households
  • One in five households (20%) report having some wearable tech (smart watches, fitness trackers). So smart speakers look to be fast catching up with fitness bands

BBC mightier than Amazon

  • BBC website visitor numbers overtook those of Amazon in the UK in 2018. Ofcom found the BBC had the third-highest number of users after Google and Facebook
  • Ofcom also found that six in ten people have used next-day delivery for online purchases, but only three in ten have used same-day delivery in 2018. So most Brits are, seemingly, content to wait until tomorrow for ecommerce purchases — rather than demanding their stuff right now

What else are UK citizens getting up to online? More of a spread of stuff than ever, it would appear…

  • Less general browsing/surfing than last year, though it’s still the most popular reported use for Internet activity (69% saying they’ve done this in the past week vs 80% who reported the same in 2017)
  • Sending and receiving email is also still a big deal — but also on the slide (66% reporting doing this in the past week vs 76% in 2017)
  • Social media use is another popular use-case, though slightly less so than last year (50% in 2017 down to 45% in 2018). (Twitter bucks the trend with a percentage-point usage bump (13% -> 14%), though it’s far less popular overall)
  • Instant messaging frequency also dropped a bit (46% -> 41%)
  • As did TV/video viewing online (40% -> 36%), including for watching short video clips (31% to 28%)
  • Online shopping has also dropped a bit in frequency (48% -> 44%)
  • But accessing news has remained constant (36%)
  • Finding health information has seen marginal growth (22% -> 23%); ditto finding/downloading information for work/college (32% -> 33%); using local council/government services (21% -> 23%); and playing games online/interactively (17% -> 18%)
  • Streaming audio services have got a bit more popular (podcasts, we must presume), with 15% reporting using them in the past week in 2017 up to 19% in 2018. Listening to the radio online is also up (13% -> 15%)
  • Uploading/adding content to the Internet, however, has got a bit less popular (17% to 15%)

One more thing: Women in the UK are bigger Internet fans than men.

Perhaps contrary to some people’s expectations, women in the UK spend more time online on average than men across almost all age groups, with the sole exception being the over 55s (where the time difference is pretty marginal)…

The dramatic rise and fall of online P2P lending in China

Editor’s note: This post originally appeared on TechNode, an editorial partner of TechCrunch based in China.

When Emily Zhang was interning with a peer-to-peer (P2P) lending firm in the Summer of 2016, her main task was to carry out research on other P2P lending firms. She found the rates of return tempting and some underlying assets reliable, so she decided to invest in the market herself. Until now, none of her investments have matured, but she worries about whether she can actually withdraw her profits, much less get back the principal.

Even so, Zhang considers herself lucky that the companies that sold her the assets are still in business while many other P2P companies have collapsed, leaving their investors in despair.

Stories have been circulating across Chinese social networks about desperate investors who have lost their life savings. Zhang Xue, for instance, a 47-year old single mother with a 13-year-old son, was reported to have lost the 3.8 million RMB her husband left her with when he died of a heart attack. “I am totally desperate. 3.8 million RMB. It’s finished, all finished,” she told local media.

Some of those affected protested in front of police stations and chanted the Chinese national anthem, March of the Volunteers, in an effort to pressure authorities. Others organized online investor rights groups, making a collective effort to get the money back. Together, the protesters made headlines in domestic media and sparked intense online debates on who is responsible for the losses and where the industry is heading.

P2P lending, or online lending, is generally considered as a method of debt financing that directly connects borrowers, whether they are individuals or companies, with lenders. The world’s first online lending platform, Zopa, was founded in the UK in 2005. China’s online lending industry has seen rapid growth since 2007 without significant regulation.

Default rates have been soaring since June. In May, only 10 platforms were considered in trouble. But by June, that number had increased to 63. By the end of July, 163 platforms were on the concern list. The Home of Online Lending (网贷之家), a platform that compiles the data, defines “troubled” as companies that have difficulty paying off investors, have been investigated by the national economic crime investigation department, or whose owners have run away with investors’ money.

One of the key factors contributing to the sudden surge is the national P2P rectification campaign that was supposed to have been finished by June. “The due date of rectification has passed, but many P2P platforms have not met the requirements. Strict regulations have propelled a break-out of the compliance issues,” Shen Wei, Dean and Professor of Law at Shandong University Law School, told TechNode.

In late 2017, the platforms were asked to register with local authorities by June 2018, according to the China Banking Regulatory Commission, which has since merged with China’s insurance regulator to become the China Banking and Insurance Regulatory Commission.

Shen said the main purpose of the regulations is to restrict P2P lending platforms to being information intermediaries only, matching borrowers and investors. Under such regulations, the platforms are not allowed to pool funds from investors, grant loans to any client or provide any credit services, which most of the platforms were doing when they first started.

The rise of P2P lending in China

China’s first online lending platform, PPDAI Group (拍拍货), launched in 2007 and went public on the New York Stock Exchange in late 2017. The industry has gone through rapid growth since then. In January 2016, there were 3,383 platforms in business with combined monthly transactions reaching 130 billion RMB, according to Home of Online Lending.

In a recent research paper, Robin Hui Huang, professor of law at the Chinese University of Hong Kong, attributed the rise of P2P in China to three factors: a high 56 percent rate of internet penetration by 2018, a large supply of available funds from investors, and the financial demands of small-to-medium-sized companies that cannot be satisfied by the existing banking system.

P2P lending is a tempting and easy investment option because the loans, many of which mature within a year, usually promise 8-12 percent interest rates, according to Home of Online Lending. That is much higher than the 2.75 percent rate for three-year fixed deposits found at most banks.

P2P lending is also friendlier to smaller businesses, since major banks in China generally prefer state-owned enterprises or large companies. Huang cited a joint 2016 report by the Development Bank of Singapore and Ernst & Young showing that only 20-25 percent of bank loans went to small to medium-size enterprises, even though they accounted for 60 percent of China’s gross domestic product.

China’s financial system is still dominated by banks, especially the established “Big Four” — the Bank of China, China Construction Bank, the Agricultural Bank of China, and the Industrial and Commercial Bank of China. Ryan Roberts, a research analyst at MCM Partners, told TechNode that about 70 percent of the banks’ loans are commercial loans, with just 30 percent for individuals.

Unresolved regulations

Before the government first signaled regulations in 2016, the P2P lending industry aggressively expanded. Compared with the current defaulting scandals, the situation back then wasn’t any better.

By the end of 2015, there were 1,031 troubled platforms in total out of 3,448 platforms still in operation. So, on average, one out of four was problematic. Chinese media also reported on a number of Ponzi scheme stories concerning dubious platforms that tempted would-be investors with fat bonuses for referring family and friends.

Despite the fact that there was no established regulatory framework, the government was watching. Since mid-2015, a series of announcements set the stage for China’s first regulatory instrument for online lending in August 2016. Called the Interim Measures on Administration of Business Activities of Online Lending Information Intermediaries, the instrument provides that violations of its articles can lead to administrative or even criminal penalties.

The interim measures limit the business scope of the platforms to that of mere information intermediaries. They also require all platforms to set up custody accounts with commercial banks for the investor and borrower funds held by the platforms, in order to reduce the risk that platform owners abscond with funds. The measures require online lending platforms to register with their local financial regulatory authority.

Later, a specific timeline was set for the implementation. Provincial government agencies were told to complete general investigations into local P2P platforms by July 2016 and formulate regulatory policies based on regional conditions. Overall rectification and registration should have been completed by June 2018 at the latest.

It’s August now and, obviously, the work still isn’t finished.

Huang said the measures, in general, have covered all the factors of the industry that should be regulated, but when it came to implementation, all we really saw was a delay.

“It’s good that the measures are carried out locally, which means that local government can develop policies in line with local conditions,” Huang explained to us. However, in order to attract more capital locally, local authorities have engaged in a race to the bottom, competing with one another to have the loosest regulations, and therefore have been hesitant to finalize them.

Moreover, the general public has a different understanding of the registration process. “Registering with local authorities doesn’t mean that local governments have recognized or will guarantee the legitimacy and quality of platforms. However, in reality, the public seems to perceive registration as official assurance,” Huang said. This has led to very cautious approaches from government agencies towards the whole registration project, since they don’t intend to be held responsible for the fallout or future wrongdoings of the P2P firms.

The concern is quite reasonable. Huoq.com—a P2P lending platform launched in December 2016 and backed by state-owned enterprises—announced on July 11, 2018, that it had gone into liquidation. The platform is owned by Dingxi Zhuoyue Online Lending Information Intermediary. One-third of Dingxi is owned by Xinjiang Tianfu Lanyu Optoelectronics Technology, while Tianfu Lanyu itself is partly owned by a state-owned company in Xinjiang. On July 10, however, the owners of the platform disappeared. Neither the company nor investors were able to locate them.

The still-functioning official site doesn’t show the slightest sign of liquidation, displaying various certificates and recognition from government agencies and industry associations. A banner at the bottom of the mobile app icon still says “Central enterprises are our majority shareholders.”

The unresolved regulations are also affecting P2P lending companies listed overseas. Shares of PPDAI plummeted to $4.77 as of July 30 from $13.08 when it was first traded in late 2017. The stock price of Yirendai (宜人贷), the first Chinese online lending company to go public overseas, dropped to $19.33 compared with $38.26 the same period last year.

That the shares of these companies don’t trade well indicates that investors are skeptical towards the business, said Roberts. With the regulations still unsettled, it’s still possible that regulators could outlaw and ban their businesses, he explained. Some borrowers even take advantage of the unsettled regulation and stop paying back their loans, in the hope that the platform they have borrowed from will fail, Roberts added.

Buyer beware

In June 2018, 17.8 billion RMB worth of transactions took place on China’s P2P lending platforms and the outstanding loan balance reached 1.3 trillion RMB. The number looks insignificant when compared with the 1.8 trillion RMB in net new bank loans in June alone.

However, they have made quite a splash. Victims of the troubled online lending platforms gathered in Hangzhou in early July, filling two of the largest local sports stadiums, which the local government had set up as temporary complaint centers.

“One of the reasons why the current wave of defaults has drawn so much attention is that many troubled platforms were pretty big,” Huang said. Some of the platforms violated the rules, pooling funds illegally, and some were suffering from China’s slowing economic growth and the ongoing deleveraging campaigns.

P2P lending has helped fund small-to-medium-sized enterprises in some way, but in general, the role it plays in the financial system is limited, said Shen. Most of the P2P investors are speculative and they themselves should be responsible for their losses, he added.

“If the rate of return exceeds 6 percent, investors should be alert; if it is more than 8 percent, the investment is very risky, and if it’s more than 10 percent, investors should prepare themselves for losing all their capital,” said Guo Shuqing, chairman of the China Banking and Insurance Regulatory Commission, at a finance forum in June in Shanghai, referring to financial scams that lure investors in with high returns.

Although P2P lending is only a relatively small piece of China’s financial industry, there are still concerns that the collapse of these platforms could trigger systemic risks, Shen said. This also reflects the fact that Chinese investors have very limited investment options.

According to research by China International Capital Corporation, experts predicted that only 10 percent of the current P2P lending companies, fewer than 200, could still be in business after three years.

Zhang said P2P lending needs regulations because many platforms are not innocent. “P2P platforms have high moral hazards and it’s really easy to fake borrowers’ information. However, I believe the government is supportive towards the industry and some platforms will survive till the end,” said Zhang. “I just wish I can be lucky enough to pick the right one.”

What can we learn from the Dixons data breach that blew up after disclosure

European consumer electronics retailer Dixons Carphone’s apologetic admission yesterday that a 2017 data breach was in fact considerably worse than it first reported suggests disclosures of major breaches could get a bit more messy — at least under the early reign of the region’s tough new data protection framework, GDPR — as organizations scramble to comply with requirements to communicate serious breaches “without undue delay”.

Although, to be clear, it’s not the regulation that’s the problem. Dixons’ handling of this particular security incident has come in for sharp criticism — and is most certainly not a textbook example of how to proceed.

Dixons Carphone disclosed a breach of 5.9M payment cards and 1.2M customer records in mid June, saying it had discovered the unauthorized access to its systems during a security review.

However, this week the company revised upwards the number of customer records affected — to around 10M. The breach itself occurred sometime last year.

“They are clearly concerned about regulatory enforcement but they seem completely unprepared to handle customer reactions. With privacy and security awareness increasing exponentially, it will not be long before we see customer churn, reputational damage, and further decrease in the value of the business as a result of such a poor response to a very large breach,” says Enza Iannopollo, a security expert at the analyst firm Forrester, responding to Dixons’ revised report of the security incident in a statement yesterday.

The ballooning size of the Dixons breach is interesting in light of Europe’s strict new data protection regulation, which puts the onus on data controllers to disclose breaches rapidly, rather than — as has all-too-often been the case — sitting like broody hens waiting for the most opportune corporate moment to hatch a confession, leaving their users in the dark in the meanwhile, unwittingly shouldering all the risk.

In the case of this Dixons 2017 breach (NB: it’s not the only breach the Group has suffered), it’s not yet clear whether the EU’s new regulation will apply (given the incident was publicly disclosed after GDPR had come into force), or whether it will fall under the UK’s prior data protection regime — given the hack itself occurred prior to May 25, when GDPR came into force.

A spokesperson for the UK’s Information Commissioner’s Office (ICO) told us: “Our investigation has not yet concluded which data protection law applies in this case — DPA98 or the GDPR.”

While the UK’s Data Protection Act 1998 encouraged data controllers to disclose serious data breaches, the EU’s General Data Protection Regulation (transposed into national law in the UK via the DPA 2018) goes much further, putting in place a universal obligation to report serious breaches of personal data within 72 hours of becoming aware of an incident. And of course this covers not just personal data that has actually been confirmed as lost or stolen but also security incidents that entail the risk of unauthorized access to customer data.

The exception to ‘undue delay within 72 hours’ is where a personal data breach is “unlikely to result in a risk to the rights and freedoms of natural persons”. While it’s clear that not every breach will require disclosure (if personal data was robustly encrypted, for example, a company may deem it unnecessary to disclose a breach), this caveat still sets a pretty low disclosure bar, at least where a breach entails a risk of personal information being extracted from compromised data. (Which is yet another reason why strong encryption is good for everyone.)

Certainly, any companies discovering a breach that puts their customers at risk, and which took place on or after May 25, 2018, but which then decide to ‘do an Uber’ — i.e. sit on it for the best part of a year before ‘fessing up — will put themselves squarely in EU regulators’ crosshairs for an equally major penalty. (GDPR has supersized fines for data violations — and therefore also something that the bloc’s DP law has sorely lacked for years: Teeth to encourage compliance.)

If a breach is likely to result in a “high risk of adversely affecting individuals’ rights and freedoms” the regulation also urges data controllers to communicate the incident to the people affected — and do so without “undue delay”.

Dixons said in June that it was contacting “those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take”. But at that time it only thought 1.2M people had been affected.

More than a month later it now puts the number of records swiped at ~10M — and yet is only now contacting the millions more customers whose data was also compromised last year.

Clearly, this is not a good look. Customers who got faux reassurance in June, when the company did not write to them to warn them their data was at risk, will feel rightly angry about any delay in communicating with them.

It will be up to the UK’s data protection watchdog to decide whether Dixons’ security practices and response to the breach of its systems meet the standards it expects from data controllers. And a lot will depend upon whether the incident falls under the DPA98, which encourages disclosure of serious breaches but does not legally require it by a deadline, vs GDPR, which absolutely does.

The maximum possible penalties under the two regimes are also very different: the ICO is capable of issuing a maximum fine of just £500k under the DPA98 (it recently announced it would be issuing a fine of this size to Facebook, for instance, for data misuse related to the Cambridge Analytica incident — which took place in 2014), vs up to €20M (or 4% of the total worldwide annual turnover of the preceding financial year) under GDPR.

For a sense of what a GDPR level fine would mean for Dixons Carphone, the company’s 2017/18 revenue is around £10.5BN so — if GDPR were indeed to apply — it would be facing a maximum possible penalty of £420M. Which would surely get the shareholders talking.

But Iannopollo argues it’s not even the risk of major financial penalties that companies are most worried about when it comes to GDPR compliance — rather it’s damage to their reputation and to customer trust that’s really making them sweat.

In a recent Forrester survey asking companies about their biggest concerns vis-a-vis the consequences of failure to comply with the regulation, Iannopollo says the main worries reported were loss of customer trust and reputational damage, followed by regulatory enforcement — with fines coming lower down the list.

“It’s interesting the point about regulatory enforcement — I remember working with a number of banks and actually they were very worried about enforcement action,” she adds. “You don’t want a regulator to impose on you a specific process to handle data. You don’t want a regulator to impose on you a limitation on some processing activities. And they understand that the effect of such an enforcement action can probably be even more detrimental than a fine in some ways.”

Whatever the particular driver, security must now be front of mind for any (well run) organization routinely handling the personal data of EU people. Because the risks for screwing up are getting real.

It’s also clear that consumers are waking up to the fact their personal information is at risk — doubtless in large part because of how poorly their data has been protected before now — and also waking up to the fact they have enhanced data rights they can exercise to help manage and shrink their personal risk.

“Probably the biggest push to GDPR enforcement is coming from customers themselves, both end users and business customers,” says Iannopollo.

Discussing Dixons’ breach response, she is very critical of the company’s lack of customer focus in its public comments. “I saw a lot of emphasis around whether the breach happened before GDPR — so hoping that there was not this standard. And also there was something else that was said about ‘there is no evidence that our customers suffered any financial loss’ as a result of the breach. And again it’s interesting because until a few days ago they didn’t even know the breadth of the breach and now they are saying there wasn’t a financial loss so we’re not prepared to provide compensation. This is not exactly what we see as a constructive way to tackle the breach and help your customers figure out how they can be safe even if you lost their data,” she says.

“In the UK customers can ask for compensation even if they have emotional distress as a result of a breach — there is a potential to develop class action for the mishandling of customer data,” she adds. “And also they said well we are now finally sending some letters to our customers to try and explain what happened — well it’s way too late. Your customers are already very worried. There is no way this company can now show in any way the customers that they have competency over what happened because clearly we all doubt that actually there is some competency there. And actually I don’t think that they are showing there is a remediation strategy in place for their customers.

“All they did was to say that we don’t have any evidence of financial losses so we are not ready to compensate. Are you really taking care of your customers in this instance? Are you really showing that there is a commitment to make sure that they still feel that you are responsible for their data, doing your best to protect this data? I don’t think so. The executive team were involved but I don’t think they were doing really a good job from their customer sentiment and customer trust point of view.”

In its statement yesterday, the company’s CEO Alex Baldock said he was “disappointed in having fallen short” — and apologized “for any distress we’ve caused our customers”, adding that the company is “fully committed” to safeguarding customers’ personal data.

A month earlier, when the company disclosed a much smaller sized breach, he had said: “We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here.”

Does Iannopollo believe GDPR’s breach disclosure requirements could lead to more disclosures that similarly inflate in size after the fact — i.e. because an initial disclosure put out to hit the GDPR 72-hour disclosure window gets revised upwards later — at least in the short term, as companies that perhaps have not yet doubled down on their security investments, let alone rearchitected any data processes, are caught on the hop?

“It remains a technical challenge to understand what happened, quantify the number of records that were lost — so all that forensics work and the classic incident response immediately after you discover the breach cannot necessarily provide a full answer, a full picture immediately after — so definitely there is a part of that [that] is a genuine delay. And the regulation accounts for this,” she replies on that.

“Regulators do expect organizations to do a first disclosure, but also they give an opportunity to organizations to come back and provide additional details as they become available. Again it’s very genuine, the idea here — it’s not a strategy to avoid a potential fine; the regulator understands companies might need more time.”

We asked the ICO how it’s likely to respond to breach reports that are revised upwards a considerable time after the initial disclosure (such as one month+ in Dixons’ case).

A spokeswoman for the watchdog told us the regulation does allow for phased breach reporting, as more information is uncovered during an investigation. However she also emphasized that it expects the investigation to be prioritized — so, again, that there be no additional “undue” delays in any follow-on disclosures.

“In general terms the GDPR’s rules around personal data breach reporting recognize that it will not always be possible to investigate a breach fully within 72 hours to understand exactly what has happened and what needs to be done to mitigate it. So Article 34(4) allows organizations to provide the required information in phases, as long as this is done without undue further delay,” the ICO told us.

“However, we expect controllers to prioritise the investigation, give it adequate resources, and expedite it urgently. They must still notify us of the breach when they become aware of it, and submit further information as soon as possible. If they know they won’t be able to provide full details within 72 hours, it is a good idea to explain the delay to us and tell us when to expect more information.”

The watchdog has more guidance on how data controllers should handle breach disclosures here.

Iannopollo reckons organizations won’t (or shouldn’t) struggle to make a breach disclosure to their regulator within the GDPR timeframe — pointing to rising numbers of reports being made to DPAs in the wake of GDPR coming into force. (Late last month Ireland’s Data Protection Commission said it had received more than 1,100 reports of data breaches since May 25 vs an average of just 230 prior to GDPR, for instance.)

What she argues is more challenging for organizations to get right is not losing sight of the impact of a breach on your users/customers — in the midst of needing to make (awkward) public pronouncements and communicate with those affected by the incident.

“You might feel that as an organization you want just to undermine the kind of breach that you have suffered, you may say that the less people were involved the less records were involved, but the point is that if you are the one communicating to the affected customers in the very first place, and you have an opportunity to explain to them what happened, and to explain in which way you are taking care of them and their data even after the breach, then you have an opportunity to manage their response in a way that doesn’t destroy the trust that your customers have in you,” she says.

“If you instead decide to go very small, and say ‘well nothing really happened’, and you do what [Dixons did] and say, well it’s about 1M and then we discover that actually it’s 10M records that they lost, at that point you have lost your opportunity to manage the breach with your customers because it means that they might realize that they were part of the data breach — they might be affected… without the business being in touch with them… So this is really the risk. So whatever they can do to have a full picture of what happened, as soon as possible, that will help them managing their response of the breach… with your customers so that — hopefully — it doesn’t become a breach of trust.”

“A breach of trust has consequences that are well beyond a fine,” she adds. “The challenge to me is really communicating to the public, communicating to customers — this is something that for European customers this is something new. We are not used to receiving these sorts of communication.

“And what I see from the data that we have is customers that are really becoming much more aware of these sorts of incidents, what it means for them, and they know that they have rights when it comes to privacy. And it’s not just compensation — it’s ‘I want to get control over my data and I expect a business to respect these sorts of rights that I have and to be able to give me that control over my data’.

“The incident response team cannot be just a technical team or a legal team, it has to be marketing team, PR, it has to be the executive team. You need to have a plan about what we say to these customers, which is the remediation that we offer — is it going to be credit monitoring, identity protection… are we setting up a call center to be able to respond to questions if there are questions from customers.”

Of course GDPR also puts strong emphasis on practices that should — in theory — minimize the chances of risky data breaches happening in the first place, because the law now encourages good practices like data minimization, privacy by design, and indeed investment in strong security.

So, over the longer term, the theory is that data controllers’ priorities and processes will be re-worked in a way that makes data breaches — if not as rare as hens’ teeth then (hopefully) a whole lot less common than they’ve become in recent years, when another major breach has seemingly hit the headlines every few weeks.

But Iannopollo is under no illusions that that sort of transformational shift will happen overnight.

“Ideally we would see that. That would be the best outcome,” she says, discussing the possibility of GDPR leading to fewer data breaches in future, if it’s successful in transforming attitudes and approaches to data processing and security across multiple industries and sectors. “There is no question that GDPR has driven a lot of investment into specific security technologies… Many companies have made improvements… in terms of the controls that they are using.

“Hopefully also they’ve thought about the processes that underpin the deployment of these technologies. The changes around data minimization, the management around third parties, the ability to build data architectures that are really flexible and transparent in the same way — it will take some time.”

She also says there are companies now starting to offer managed services to help organizations respond effectively at the point of a breach disclosure — such as by supplying additional call center resource. So there are startup opportunities there.

GDPR triggering a comprehensive reorganization of organizations’ data processing is certainly “not the rule” yet though. “What we have seen is more organizations backing one or two requirements — heavily relying on technology, as much as they could, but not taking enough time to think about changes to their governance, and the processes and also people skills, as an element of compliance with GDPR,” she adds.

“So, again, ideally — and for those organizations that really have taken this comprehensive approach — we might see those results in the medium term: A decrease of these sorts of incidents, and better discipline around data handling practices. But the reality is that many organizations have just taken this very piecemeal approach to GDPR. So for that sort of overall outcome we will need to wait some time to see.”

The strength of the regulation’s impact will depend most on two things. First, how much push there is from below, i.e. from users and customers — so how people feel, what they say, and the specific legal redress actions they could choose to take, such as class action style actions seeking compensation.

And second, of course, on the regulatory enforcement — when that lands.

That all important piece of the compliance puzzle remains to be seen, given we’re only in the first months after GDPR came into force — when regulators are likely allowing organizations a bit of time to get their compliance ducks in order.

How DPAs ultimately respond to all the extra complaints they’re getting will be very important in setting the tone of the new regime because it will end up shaping data controllers’ perception of and response to GDPR.

Rules without enforcement quickly stop being worth the paper they’re written on. And a watchdog that barks but doesn’t bite will soon get treated like a pet.

However, given EU consumers are increasingly aware and even active when it comes to their data rights, it would be a major misstep if the region’s regulators fell short by failing to listen to rising concerns.

In the meanwhile, it’s likely there will be a period where information about data breaches gets a bit more dynamic — with news of a breach emerging with less delay than it might have, prior to GDPR, but perhaps also with a greater possibility that an initial disclosure does not paint the full picture because an investigation is still in train. So, in short, compliance, like security, is an ongoing process.

Dixons Carphone now says ~8.8M more customers affected by 2017 breach

A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked.

The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems.

Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” the company said in a statement.

In terms of what personal data the 10M records contained, a Dixons Carphone spokeswoman told us: “This continues to relate to personal data, and the types of data that may have been accessed are, for example, name, address or email address.”

The company says it’s taking the precaution of contacting all its customers — to apologize and advise them of “protective steps to minimize the risk of fraud”.

It adds it has no evidence that the unauthorized access is continuing, having taken steps to secure its systems when the breach was discovered last month, saying: “We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”

Commenting in a statement, Dixons Carphone CEO, Alex Baldock, added: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.

“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

Back in 2015, Carphone Warehouse, a mobile division of Dixons Carphone, also suffered a hack which affected around 3M people. And in January the company was fined £400k by the ICO as a consequence of that earlier breach.

Since then new European Union regulations (GDPR) have come into force which greatly raise the maximum penalties which regulators can impose for serious data breaches.

Last month, following Dixon’s disclosure of the latest breach, the UK’s data watchdog, the ICO, told us it was liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Of the 5.9M payment cards which Dixons disclosed last month as having been compromised, it said the vast majority had been protected by chip and PIN technology. But around 105,000 lacked that security tech, so Dixons said at the time that those cards could therefore have been compromised.

It’s the additional 1.2M records containing non-financial personal data — such as name, address or email address — that have been revised upwards now, to ~10M records, which constitutes almost half the Group’s customer base in the UK and Ireland.

The spokeswoman told us the Group has approximately 22M customers in the region.

One more thing re: “privacy concerns” raised by the DCMS fake news report…

A meaty first report by the UK parliamentary committee that’s been running an inquiry into online disinformation since fall 2017, including scrutinizing how people’s personal information was harvested from social media services like Facebook and used for voter profiling and the targeting of campaign ads — and whose chair, Damian Collins — is a member of the UK’s governing Conservative Party, contains one curious omission.

Among the many issues the report raises are privacy concerns related to a campaign app developed by a company called uCampaign — which, much like the scandal-hit (and now seemingly defunct) Cambridge Analytica, worked for both the Ted Cruz for President and the Donald J Trump for President campaigns — although in its case it developed apps for campaigns to distribute to supporters to gamify digital campaigning via a tool which makes it easy for them to ‘socialize’ (i.e. share with contacts) campaign messaging and materials.

The committee makes a passing reference to uCampaign in a section of its report which deals with “data targeting” and the Cambridge Analytica Facebook scandal, specifically — where it writes [emphasis ours]:

There have been data privacy concerns raised about another campaign tool used, but not developed, by AIQ [Aggregate IQ: Aka, a Canadian data firm which worked for Cambridge Analytica and which remains under investigation by privacy watchdogs in the UK, Canada and British Columbia]. A company called uCampaign has a mobile App that employs gamification strategy to political campaigns. Users can win points for campaign activity, like sending text messages and emails to their contacts and friends. The App was used in Donald Trump’s presidential campaign, and by Vote Leave during the Brexit Referendum.

The developer of the uCampaign app, Vladyslav Seryakov, is an Eastern Ukrainian military veteran who trained in computer programming at two elite Soviet universities in the late 1980s. The main investor in uCampaign is the American hedge fund magnate Sean Fieler, who is a close associate of the billionaire backer of SCL and Cambridge Analytica, Robert Mercer. An article published by Business Insider on 7 November 2016 states: “If users download the App and agree to share their address books, including phone numbers and emails, the App then shoots the data [to] a third-party vendor, which looks for matches to existing voter file information that could give clues as to what may motivate that specific voter. Thomas Peters, whose company uCampaign created Trump’s app, said the App is “going absolutely granular”, and will—with permission—send different A/B tested messages to users’ contacts based on existing information.”

What’s curious is that Collins’ Conservative Party also has a campaign app built by — you guessed it! — uCampaign, which the party launched in September 2017.

While there is nothing on the iOS and Android app store listings for the Conservative Campaigner app to identify uCampaign as its developer, if you go directly to uCampaign’s website the company lists the UK Conservative Party as one of its clients — alongside other rightwing political parties and organizations such as the (pro-gun) National Rifle Association; the (anti-abortion) SBA List; and indeed the UK’s Vote Leave (Brexit) campaign, the latter being the one the DCMS report highlights.

uCampaign’s involvement as the developer of the Conservative Campaigner app was also confirmed to us (in June) by the (now former) deputy director & head of digital strategy for The Conservative Party, Anthony Hind, who — according to his LinkedIn profile — also headed up the party’s online marketing, between mid 2015 and, well, the middle of this month.

But while, in his initial response to us, Hind readily confirmed he was personally involved in the procurement of uCampaign as the developer of the Conservative Campaigner app, he failed to respond to any of our subsequent questions — including when we raised specific concerns about the privacy policy that the app had been using prior to May 23 (just before the EU’s new GDPR data protection framework came into force on May 25 — a time when many apps updated their privacy policies as a compliance precaution related to the new data protection standard).

Since May 23 the privacy policy for the Conservative Campaigner app has pointed to the Conservative Party’s own privacy policy. However prior to May 23 the privacy policy was a literal (branded) copy-paste of uCampaign’s own privacy policy. (We know because we were tipped to it by a source — and verified this for ourselves.)

Here’s a screengrab of the exchange we had with Hind over LinkedIn — including his sole reply:

What looks rather awkward for the Conservative Party — and indeed for Collins, as DCMS committee chair, given the valid “privacy concerns” his report has raised around the use (and misuse/abuse) of data for political targeting — is that uCampaign’s privacy policy has, shall we say, a verrrrry ‘liberal’ attitude to sharing the personal data of app users (and indeed of any of their contacts it would have been able to harvest from their devices).

Here’s a taster of the data-sharing permissions this U.S. company affords itself over its clients’ users’ data [emphasis ours] — according to its own privacy policy:

CAMPAIGNS YOU SUPPORT AND ALIGNED ORGANIZATIONS

We will share your Personal Information with third party campaigns selected by you via the Platform. In addition, we may share your Personal Information with other organizations, groups, causes, campaigns, political organizations, and our clients that we believe have similar viewpoints, principles or objectives as us.

UCAMPAIGN FRIENDS

We may share your Personal Information with other users of the Platform, for example if they connect their address book to our services, or if they invite you to use our services via the Platform.

BUSINESS TRANSFERS

We may share your Personal Information with other entities affiliated with us for internal reasons, primarily for business and operational purposes. uCampaign, or any of its assets, including the Platform, may be sold, or other transactions may occur in which your Personal Information is one of the business assets of the transaction. In such case, your Personal Information may be transferred.

To spell it out, the Conservative Party paid for a campaign app that could, according to the privacy policy it had in place prior to May 23, have shared supporters’ personal data with organizations that uCampaign’s owners — who the DCMS committee states have close links to “the billionaire backer of SCL and Cambridge Analytica, Robert Mercer” — view as ideologically affiliated with their objectives, whatsoever those entities might be.

Funnily enough, the Conservative Party appears to have tried to scrub out some of its own public links to uCampaign — such as changing the link for the developer website on the app listing page for the Conservative Campaigner app to the Conservative Party’s own website (whereas before it linked through to uCampaign’s own website).

As the veteran UK satirical magazine Private Eye might well say — just fancy that!

One of the listed “features” of the Conservative Campaigner app urges Tory supporters to: “Invite your friends to join you on the app!”. If any did, their friends’ data would have been sucked up by uCampaign too to further causes of its choosing.

The version of the Campaigner app listed on Google Play is reported to have 1,000+ installs (iOS does not offer any download ranges for apps) — which, while not in itself a very large number, could represent exponentially larger amounts of personal data should users’ contacts have been synced with the app where they would have been harvested by uCampaign.

We did flag the link between uCampaign and the Conservative Campaigner app directly to the DCMS committee’s press office — ahead of the publication of its report, on June 12, when we wrote:

The matter of concern here is that the Conservative party could itself be an unwitting source of targeting data for rival political organizations, via an app that appears to offer almost no limits on what can be done with personal data.
Prior to the last update of the Conservative Campaigner app the privacy policy was simply the boilerplate uCampaign T&Cs — which allow the developer to share app users’ personal info (and phone book contacts) with “other organizations, groups, causes, campaigns, political organizations, and our clients that we believe have similar viewpoints, principles or objectives as us”.
That’s incredibly wide-ranging.
So every user’s phone book contacts (potentially hundreds of individuals per user) could have been passed to multiple unidentified organizations without people’s knowledge or consent. (Other uCampaign apps have been built for the NRA, and for anti-abortion organizations, for example.)
uCampaign‘s T&Cs are here: https://ucampaignapp.com/privacy.html
Even the current T&Cs allow for sharing with US suppliers.
Given the committee’s very public concerns about access to people’s data for political targeting purposes I am keen to know whether Mr Collins has any concerns about the use of uCampaign‘s app infrastructure by the Conservative party?
And also whether he is concerned about the lack of a robust data protection policy by his own party to ensure that valuable membership data is not simply passed around to unknown and unconnected entities — perhaps abroad, perhaps not — with zero regard for or accountability to the individuals in question.

Unfortunately this email (and a follow up) to the DCMS committee, asking for a response from Collins to our privacy concerns, went unanswered.

It’s also worth noting that the Conservative Party’s own privacy policy (which it’s now using for its Campaigner app) is pretty generous vis-a-vis the permissions it’s granting itself over sharing supporters’ data — including stating that it shares data with

  • The wider Conservative Party
  • Business associates and professional advisers
  • Suppliers
  • Service providers
  • Financial organisations – such as credit card payment providers
  • Political organisations
  • Elected representatives
  • Regulatory bodies
  • Market researchers
  • Healthcare and welfare organisations
  • Law enforcement agencies

The UK’s data watchdog recently found fault with pretty much all of the UK political parties when it comes to their handling of voter data — saying it had sent warning letters to 11 political parties and also issued notices compelling them to agree to audits of their data protection practices.

Safe to say, it’s not just private companies that have been sticking their hand in the personal data cookie jar in recent years — the political establishment is facing plenty of awkward questions as regulators unpick where and how data has been flowing.

This is also not the only awkward story re: data privacy concerns related to a Tory political app. Earlier this year the then-minister in charge of the digital brief, Matt Hancock, launched a self-promotional, self-branded app intended for his constituents to keep up with news about Matt Hancock MP.

However the developers of the app (Disciple Media) initially uploaded the wrong privacy policy — and were forced to issue an amended version which did not grant the minister such non-specific and oddly toned rights to users’ data — such as that the app “may disclose your personal information to the Publisher, the Publisher’s management company, agent, rights image company, the Publisher’s record label or publisher (as applicable) and any other third parties, for use in conjunction with additional user promotions or offers they may run from time to time or in relation to the sale of other goods and services”.

Of course the Matt Hancock App was a PR initiative of (and funded by) an individual Conservative MP — rather than a formal campaign tool paid for by the Conservative Party and intended for use by hundreds (or even thousands) of Party activists for use during election campaigns.

So while there are two issues of Tory-related privacy concern here, only one loops back to the Conservative Party political organization itself.

PSA: Drone flight restrictions are in force in the UK from today

Consumers using drones in the UK have new safety restrictions they must obey from today, with a change to the law prohibiting drones from being flown above 400ft or within 1km of an airport boundary.

Anyone caught flouting the new restrictions could be charged with recklessly or negligently acting in a manner likely to endanger an aircraft or a person in an aircraft — which carries a penalty of up to five years in prison or an unlimited fine, or both.

The safety restrictions were announced by the government in May, and have been brought in via an amendment to the 2016 Air Navigation Order.

They’re a stop-gap because the government has also been working on a full drone bill — which was originally slated for Spring but has been delayed.

However the height and airport flight restrictions for drones were pushed forward, given the clear safety risks — after a year-on-year increase in reports of drone incidents involving aircraft.

The Civil Aviation Authority has today published research to coincide with the new laws, saying it’s found widespread support among the public for safety regulations for drones.

Commenting in a statement, the regulator’s assistant director Jonathan Nicholson said: “Drones are here to stay, not only as a recreational pastime, but as a vital tool in many industries — from agriculture to blue-light services — so increasing public trust through safe drone flying is crucial.”

“As recreational drone use becomes increasingly widespread across the UK it is heartening to see that awareness of the Dronecode has also continued to rise — a clear sign that most drone users take their responsibility seriously and are a credit to the community,” he added, referring to the (informal) set of rules developed by the body to promote safe use of consumer drones — ahead of the government legislating.

Additional measures the government has confirmed it will legislate for — announced last summer — include a requirement for owners of drones weighing 250 grams or more to register with the CAA, and for drone pilots to take an online safety test. The CAA says these additional requirements will be enforced from November 30, 2019 — with more information on the registration scheme set to follow next year.

For now, though, UK drone owners just need to make sure they’re not flying too high or too close to airports.

Earlier this month it emerged the government is considering age restrictions on drone use too, though it remains to be seen whether or not those proposals will make it into the future drone bill.