Instagram’s garden is starting to blossom

Just as Facebook’s core platform is beginning to wilt, Instagram is launching an assault on the shopping market built on the walled garden business model which bloomed in by-gone years.

A few people might have scoffed at Facebook handing over $1 billion for Instagram in 2012, but this acquisition is looking to be a clever bit of business. Facebook’s core social media platform, and the business model which underpins it, might be looking a bit jaded after recent attacks, but Instagram is maturing into a very attractive proposition.

Launched today (March 19), users can now purchase products from certain brands in the Instagram app. The team has been working hard to create a marketplace in Instagram over the last 12-18 months, and while the digital advertising model has been paying off, you get the impression the narcissistic tendencies of the app lend itself well to the online shopping arena, especially when it comes to fashion.

“When you tap to view a product from a brand’s shopping post, you’ll see a ‘Checkout on Instagram’ button on the product page,” the team said in a blog post. “Tap it to select from various options such as size or color, then you’ll proceed to payment without leaving Instagram. You’ll only need to enter your name, email, billing information and shipping address the first time you check out.”

For retailers, this could be a very interesting route to potential customers, both old and new. Instagram has proven to be a very effective tool for brands to engage consumers from a brand marketing perspective, but in terms of direct sales, the risk of navigating to another website comes with shopping carts being abandoned. Through in-app purchases, one purchasing hurdle is removed, simplifying the buying process.

Customer information will be stored with Instagram, and while it has been reported the details will not be pre-populated in other Facebook platforms, it would not surprise us if this is in the pipeline. Instagram will receive payments as a percentage of the total spent in-app, though in Facebook’s typically transparent fashion, the waters have been muddied with the team not revealing how much this percentage is.

This is perhaps another perfect example of Facebook’s ability to create a walled garden and charge third-parties to access the cultivated digital customers.

For years, Instagram has been creating an incredibly user-orientated platform, which is simple but very usable and addictive. The only way for users to access these users, to try and pry open wallets, is to strike a deal with Facebook. Facebook is not monetizing its users directly but charging third-parties entry at the gate. This model worked incredibly well for years, putting Facebook is the dominant and influential position it is in today.

The beauty of this plan is that Facebook/Instagram seems to have struck at the right time. Users are becoming increasingly used to using the app as an online catalogue, geared around window shopping not purchases. Another update launched last year, allows users to click on products which might features in posts or stories to see more information. Taking it one step further is a logical step, as long as its not done too aggressively.

While the raw materials are certainly there, the challenge which Instagram will face is not to over commercialise the platform. This is what happened with Facebook’s core social media platform, the focus was less on engagement and more on advertising revenues, resulting in the new generation ignoring and traditional users spending less time on it. If Instagram has learned from prior mistakes, this could be a very interesting proposition, with plenty of room for growth.

That said, learning from mistakes is one thing but keeping under-pressure executives in-line is another. Slowing growth figures have put the Facebook management team under pressure from investors, while scrutiny placed on the traditional business model in ever-increasing. New regulations to remove some of the freedoms granted in the data-sharing economy put profits under threat, and as with any other publicly traded company, they will have to be replenished somehow.

Recent attempts to carve out new revenue streams, such as Watch or Today In, have seemingly not produced the hoped-for bonanzas. In the case of news app Today In, the team is ironically struggling because Facebook and Google effectively destroyed the commercial viability of so many regional news sources. The ‘locusts are complaining there is no more corn’ one Twitter user commented.

Another development which is worth keeping an eye on is the change in management. After 14 years working for Facebook and Instagram, Chief Product Officer Chris Cox announced he was leaving last week. A replacement has not been announced, but the experience of this individual might give some insight as to how aggressively commercial elements of Instagram will appear.

Despite criticisms which might be directed towards Facebook and Instagram, this looks to be an excellent strategy. The team have been cultivating this audience for some time and seem to have created the perfect conditions for growth… just as long as the team learn from previous mistakes.

Facebook reportedly facing criminal charges over data sharing

Facebook’s day started off with a major outage and, should reports turn out to be true, it is ending with the social media giant facing a criminal investigation from Federal prosecutors.

According to the New York Times, a grand jury in New York has obtained records from two smartphone manufacturers, via subpoena, which will detail the data sharing partnerships in or previously in place with Facebook. Sources has retained anonymity and it is not exactly clear who the subpoenaed parties were, though Facebook did have more than 150 such relationships in place before winding-down over the last couple of years.

Although the investigation has not been officially confirmed, it will come as a surprise to few considering the scrutiny those dominating the data-sharing economy are facing. Over the last few months, there have been numerous attempts to weaken the influence of the internet giants, with some even suggesting legal force to break-up the empires. The internet giants created a cosy position, but this is certainly under threat.

That said, while the scandals over the last 18 months might lead some to presume the practice of selling personal data would be scaled back, there seems to be little evidence of this. A recent Motherboard investigation suggests various US telcos are still reaping the benefits, and in some cases, scaling up the practice.

What is worth noting is the concept of selling personal information is not illegal, as long as the right consent has been obtained from the end user. This is what Facebook, and the third-parties who entered into such arrangements, are facing criticism for today. Accusers suggest proper content was not obtained or done so in such a complicated fashion it should not be considered valid.

The data-sharing economy is gaining validity across the world, but only when the practice is managed in a fair and responsible manner. This is what GDPR and other regulations intend to enforce. The idea is not to stop the practice, but to ensure the companies involved act in a responsible manner, with the user properly informed and in control of the situation. The data-sharing economy can work, and can benefit everyone involved, as long as no single party abuses their position.

The partnerships which are reportedly being investigated here, however, have come under criticism for some time. Privacy campaigners suggest the partnerships violate a 2011 consent agreement between Facebook and the FTC, after allegations the social media giant had shared personal information in a way that deceived users. At one point, there were more than 150 such partnerships in place, though Facebook has been phasing out most of the agreements over the last few years.

Although this is a retrospective investigation into the company, it could potentially contradict statements from CEO Mark Zuckerberg and other executives suggesting the business was being more transparent and managing user data responsibly. Facebook has been making this statement for several years. This case could prove Facebook mislead the world with these claims as well.

There is a general feeling of ‘if’ not ‘when’ here. Politicians, governments and regulators are seemingly scouring the Facebook business for any cracks, allowing them to slap a significant fine and parade the streets with a victory on behalf of consumer privacy. Facebook’s lawyers have done a pretty good job of wriggling so far, but there is a bit of a feeling the dam could burst at any point.

Security is a concern, especially as it can hit bank accounts now

New research from EY suggests British businesses are more concerned than ever about security. Funny that, considering there’s now a whopping fine to worry about.

Security is one of those areas which is constantly discussed but little is done to address. Irrelevant as to how many CEOs tell you its top of the agenda or how many statements start with the phrase ‘our customers security is our number one concern’, it’s an aspect of the technology world which has been swept aside. But not according to this research from EY.

“It’s not surprising that businesses are most concerned with the threat of cyberattacks,” said Adrian Baschnonga, Global Lead Telecommunications Analyst at EY. “The introduction of 5G will help organisations unlock new growth opportunities, but this transition comes at a time when fears regarding data breaches and network security are especially pronounced.”

While you always have to take statements like this with a pinch of salt, it might be right this time. Why? Because if you want to make executives care about something aside from their annual bonuses, you have to fight fire with fire.

Under the General Data Protection Regulations (GDPR) brought into play last May, any company which is found to have inadequately protected customer or employee data are subject to fines of 3% of annual turnover or €20 million. GDPR fines are proportionate to the risk posed by a breach, allowing flexibility for regulators to tackle the problem, but it certainly seems to have caught some attention.

According to professional services firm RPC, in the 12 months prior to September 30 2018 (the period in which GDPR was introduced) the Information Commissioners Office issued fines totalling just over £5 million, a 24% increase on the previous period of 12 months. Considering the ICO only had a couple of months to swing the GDPR stick at offenders, it would be fair to assume the watchdog is fully embracing the new powers offered to it.

This also seems to have hit home with those investing in new technologies. 40% of respondents to EY’s survey are worried about 5G and cyberattacks, while 37% saw IoT as a risk. These numbers aren’t particularly high, but they are the biggest concerns.

Another factor to consider is the consumer. While many will have been blind to the risk of data breaches in by-gone years, this does not seem to be the case anymore. Recent Lloyd’s research claims 44% of UK consumers believe there is a risk to personal safety in the sharing economy, perhaps indicating they would be hard-pushed to share data. If enterprise organizations are going to benefit from the data boom, they’ll have to convince customers that their personal information will be safe.

Whether this translates to appropriate security investments remains to be seen, as there seems to be a lack of ownership over security overall. Enterprise organizations are looking to suppliers for security to be built into products, while it is perfectly reasonable for suppliers to ask enterprise organizations to do more. Security should be built into products, but if an individual buys a front door, the manufacturer cannot be blamed when it is left open or an inadequate lock is used.

More often than not the carrot is used to incentivise business, but it seems the GDPR stick is an effective tool in bringing security to the front of executive’s minds. Hopefully now there will be less pandering for PR headlines and more affirmative action.

Google challenges France’s first swing of the GDPR stick

Google has stated it will appeal the French regulator’s decision to dish out a €50 million fine for not being forthright enough with how it collects, stores and processes user’s personal data.

For Google, this is not about the money. €50 million for Google is nothing. This is a company which generated $33.7 billion over the final quarter of 2018. It would take a matter of minutes for the team to pay off this fine. However, should this ruling be allowed to stand Google would have to alter its business model, as would the rest of the data-sharing economy, causing a very unwelcomed, and potentially costly, disruption.

“The 50 million euro fine issued by the CNIL on 21 January 2019 significantly impacts Google as it directly challenges its business model based on the processing of personal data,” said Sonia Cissé, Head of TMT Practice of law firm Linklaters in Paris.

“Considering the seriousness of the CNIL’s findings and the broad publicity of this case, a potential appeal by Google is no surprise and makes perfect sense from a legal-strategy perspective.”

On Monday, France’s National Data Protection Commission (CNIL) dished out the fine for two violations of Europe’s General Data Protection Regulation (GDPR). Firstly, the search giant was not specific enough when requesting consent from users. Secondly, for users who wanted to dig deeper into the Google data practices, the company made it unnecessarily difficult to see the entire picture. Google was being too vague and not accessible enough.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement.

This is the first time a regulator has used GDPR to hold one of the internet giants accountable, but there are plenty of other cases in the pipeline. Google is of course not the only target, as various different privacy advocates across the bloc lodge their complaints against the likes of Spotify, Amazon and Apple, just to name a few others.

In appealing this case, Google is making itself the tip of the spear for the entire internet ecosystem. There will be multiple appeals against the various rulings over the coming months because of how important precedent in this saga. If Google was to just let this ruling stand, it is effectively validating its opinion potentially undermining its own business model. If similar ruling start to appear across the continent the disruption to the data-sharing economy would be massive.

“In all likelihood, Google will challenge the CNIL’s decision on two main grounds: (i) procedural aspects (i.e., the competence of the CNIL); and (ii) the content of the case (i.e., challenging the facts),” said Cissé.

“Should Google be able to demonstrate that Google Ireland Limited was its main establishment in the European Union (EU) at the time of the CNIL’s investigations, then the competence of the CNIL could be validly challenged.

“Second, the content of the decision is another ground for action, and it will be up to the French administrative judges to determine, in light of the circumstances at stake, whether the transparency requirements under GDPR were met or not.”

GDPR is an incredibly complicated set of rules mainly because there are so many different definitions and clauses, but also certain exemptions. In most cases, companies would have to obtain consent from users to use data for explicit purposes, retaining the data only until these purposes have been satisfied. However, companies do not have to obtain consent when it is necessary to comply with another law, or there are ‘legitimate interests’. It paints a complicated picture.

Of course, for those who are more privacy sensitive, such rules and grey areas are a bounty of riches. The rules have created amble opportunity to challenge the internet giants’ business models, as well as the influence they have over the world. One of those is privacy campaigner Max Schrems.

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said following the CNIL ruling.

“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

Schrems’ firm, None of Your Business (NYOB), has filed several complaints against other internet businesses on the grounds of accessibility. Those who will come under the scrutiny of Austrian courts include Apple, DAZN, Filmmit, Netflix and Amazon. More specifically, these complaints suggest the companies violated GDPR’s ‘right to access’, enshrined in Article 15 GDPR and Article 8(2) of the Chart of Fundamental Rights.

All of these cases will dictate how the internet economy will function over the coming years, but this battle between the CNIL and Google could prove to be a critical one, such is the power of precedent in the legal world.

“In a nutshell, it is highly difficult to identify certainties regarding the outcome of Google’s appeal,” said Cissé.

“Since data protection is a field of law particularly subject to interpretation and grey areas, one cannot exclude the possibility that Google could be successful in appealing the CNIL’s decision before the French Administrative Supreme Court. In any event, the ruling of the French administrative judges will be closely monitored by all the tech companies.”

Cybersecurity investments on the up but not sustainable – study

Research from Strategic Cyber Ventures points to an increased appetite for cyber security investments, but the euphoria sweeping the segment forward is not sustainable.

On numerous occasions we have commented security is the ugly duckling of the technology world. It is critical to ensure the industry, and digital society on the whole, functions appropriately, though more often than not it is ignored. There will be numerous reasons for this, perhaps because security is a thankless and often impossible task, but the data suggests 2018 might have been a watershed year.

Not only did 2018 see $5.3 billion in global venture capital funding, 81% more than 2016, M&A activity increased as did private equity investments. On the M&A side of things, Cisco made a bang with a $2.4 billion acquisition of Duo Security, while Blackberry acquired Cylance for $1.4 billion. These are two of the larger deals, though there was increased activity in the segment across the period.

In terms of private equity, Barracuda Networks was acquired for $1.6 billion by Thoma Bravo, Bomgar by Francisco Partners for $739 million, while Blackrock spent $400 million on Cofense. Elsewhere in the more complicated financial world, Skyhigh Networks acquired McAfee with assistance from its financial sponsors Thoma Bravo and TPG Capital.

Cybersecurity one

Overall, the trends for the security segments are heading in the right direction. Perhaps now this is an area which will be taken more seriously by the industry, with adequate investments heading into security department.

That said, Strategic Cyber Ventures has warned the trends from a funding perspective are not exactly the most favourable. The amount of cash being invested is increasing, though it does not appear the rewards are reflecting this. Some of these companies have raised funds through big rounds, but growth has slowed, perhaps due to vendor fatigue or increased competition. The risk here is firms cannot raise additional funds at increased valuations from prior rounds, meaning they will have to lean on existing investors. Eventually these parties will grow tired of keeping them alive for minimal rewards.

The issue here is the need and hype around security. Its critical to secure the expanding perimeter of the digital economy, creating the need for the segment, while executives constantly talk about security being a number one priority of firms, creating the hype. This would seem to be the perfect recipe for investment in security companies and start-ups. However, the segment hasn’t taken off, perhaps due to the preference of customers investing in technologies which will make the company money as opposed to more secure?

This is maybe the most accurate assumption on why the security segment has faltered continuously over the years. Companies have limited spending power with executives choosing to invest in areas which will make the company more profitable, such is the pressure from investors and shareholders. However, consumer attitudes might be changing.

While many would have ignored the security risks of the digital economy in years gone, today’s consumer is more educated. Privacy scandals have demonstrated the power of data forcing the consumer to consider security more critically. This might have an impact on future buying decisions.

According to research by Onbuy.com 60% of US and 44% of UK consumers believe there is a risk to personal safety in the sharing economy, while 58% of all the respondents believed the risks outweigh the benefits in the sharing economy. Such attitudes will force companies to consider their security credentials as there is now a direct link back to the bottom line.

What this means for VC funding and investments from around the ecosystem remains to be seen, though the tides are turning in favour of the security segment. As Strategic Cyber Ventures notes, the current levels of investment are unsustainable, but there certainly are rewards.

Privacy International points GDPR finger at Facebook

An investigation from privacy advocacy group Privacy International on the flow of personal information has questioned whether Facebook and its advertisers are violating Europe’s GDPR.

To date there have not been any major challenges using the data privacy regulation. There have of course been numerous violations of user privacy, but as these incidents occurred prior to the implementation of GDPR, the old-version of the rules and punishments were used. This investigation from Privacy International could prove to be a landmark.

The investigation itself questions whether Facebook and the app-developers which use its platform for data collection and user identification is acting responsibly and legally. Using the Facebook Software Development Kit (SDK), data is automatically sent back to the social media giant, irrelevant as to whether consent has been collected, or even if the user has a Facebook book account.

“Facebook routinely tracks users, non-users and logged-out users outside its platform through Facebook Business Tools,” Privacy International states on its website.

“App developers share data with Facebook through the Facebook Software Development Kit (SDK), a set of software development tools that help developers build apps for a specific operating system. Using the free and open source software tool called ‘mitmproxy’, an interactive HTTPS proxy, Privacy International has analysed the data that a number of Android apps transmit to Facebook through the Facebook SDK.”

After testing dozens of different apps, Privacy International claims 61% automatically transfer data to Facebook the moment a user opens the app, while others routinely send Facebook data that is incredibly detailed. Some of these users may be logged out of the platform or might not even have a Facebook account in the first place. Developers tested include travel comparison app Kayak, job search company Indeed and crowd-sourced search service Yelp.

Looking at the Kayak example, not only was information transferred back to Facebook once the app was opened and closed, but also during each stage of the search process. In the example Privacy International gives, the user selected a flight from London Gatwick to Tokyo between December 2 and 5, Narita Airport was then selected, before another search was conducted searching for hotels for two adults in the city. All of this information was sent to Facebook without prompt, despite Kayak claiming, ‘don’t worry, we’ll never share anything without your permission’, when the user signs in.

Alone this information is useful, but not incredibly so. However, when you consider the huge number of apps which will be sending information back to Facebook, an incredibly detailed picture of the user can be built. Using the other apps tested in this investigation, Facebook could also learn or make assumptions about the user’s religion (Muslim Pro), music interests (Shazam), salary and disposable income (Indeed Job Search) and interest in physical activities (MyFitnessPal). All of this information could be used to feed incredibly personalised advertisements to the user.

The big question which remains is whether this could be perceived as a violation of GDPR. Facebook has stated it released an update to the SDK which allowed developers to suspend the automatic data transfers, though this was only for version 4.34 and later. With the Opt-out section (the Google advertising ID) automatically turned off, some might suggest the user is being led as opposed to asked.

Another factor which could work against Facebook is the collection of data on users who do not have Facebook accounts; this is much more suspect. As per GDPR, a company has to have a specific and justified reason to collect personal information. It does appear Facebook is collecting information on users despite having no purpose or valid reason to do so.

With fines for violating GDPR up to 3% of annual turnover, the stakes are very high. This could prove to be one of the first tests of the rules, designed to protect the privacy of the general public, and few will be surprised Facebook is a central character in the story. With the social media giant seemingly antagonising many governments around the world, we suspect there will be a queue forming to have a swing with the sharp GDPR stick.

A ticket to ride is just a Whim away

The subscription based mobile app Whim aims to replace car ownership. It is getting closer to that aim but is not quite there yet.

The app, and the Finnish startup behind it, MaaS Global (standing for “Mobility as a Service”), drew broader attention outside of Finland when Whim won the European Startup Prize for Mobility earlier this year. The concept is to consolidate journey planner, ride booking, and payment of customers’ travels on public transport (bus, metro, tram, and local train), bike hire, car sharing, car rental, and taxi rides, all to one mobile app. When the user selects the starting and ending points and the time of travel, the app will plan the optimum trip combining all means of transport available.

It offers subscribers different payment options. Cautious users may choose the pay per ride option, to test out the app. In Helsinki, a basic tier of €49 per month will give users unlimited access to all local public transport, plus bike hires, at a price level slightly lower than the official monthly travel card (€54.70, without access to bike hires). The user then can choose “pay-as-you-go” if she needs to add taxi rides and other services. An all-inclusive package of €499 will also cover a certain mileage of taxi ride, car rental, and car sharing.

Helsinki set itself a target to rid all cars from the city centre by 2050. Whim is moving in the right direction. In monetary terms, the €499 monthly package is already more economical than the total cost of owning a car, to consider the annual depreciation, insurance, tax, parking, fuel, maintenance, and, unique to countries in the far north, winter and summer tyres. Helsinki also has an advantage to make the app more useful: the buses almost always run on time, to the minute. This will become less of a concern for busier cities with more traffic when connected vehicles supported by IoT come to the streets, especially when 5G becomes more available.

MaaS Global has raised funds from private investors, the biggest being Toyota and the Japanese insurance company Aioi Nissay Dowa, which combined have invested over €10 million. Whim is now operational in Finland’s capital area, the four-city cluster including Helsinki, and has recently expanded to Birmingham, the UK’s second largest city. More cities on its map or been explored include Seoul, Toronto, Antwerp, Vienna, Amsterdam, Vancouver, Miami, etc.

However if a consumer should make the decision to sell his car and sign on services like Whim, monetary savings would not be his only consideration. He should not make too much sacrifice in convenience owning a car would have brought him. It is on this point that Whim still falls short, largely due to two main factors.

One is temporary and easier to fix. Helsinki’s bike-sharing is still dock-based. They will not be easily integrated into Whim planning if there is not a station near a user or along the route she is travelling. Introduction of dockless bikes will alleviate this problem, like the one we have seen in Manchester, supplied by the Chinese venture Mobike.

The other is generic and more difficult to fix: the availability of transport at the right place at the right time. Just imagine 20,000 people coming out of a concert at the O2 Arena after midnight, and the tube has stopped. Hardly any car-sharing apps could help take these people home quick enough.

There are also special cases when owning a car would be easier. For example a group of friends decide to transport their bicycles to the countryside for a ride. They would need a couple of cars fixed with the gear to transport bikes to be available at a specific location at a specific time.

The app, and the concept, is clearly running on consumer trend to move from ownership to access, as demonstrated in streaming music and video overtaking download and disc purchase. But, as was commented in a feature done recently by the BBC’s technology reporter Dave Lee, when subscriptions become the essence of being, we would be left with nothing if we could no longer afford the subscription, or the service we subscribe to ceases to operate. It is the psychological hesitation that may prevent us from giving up ownership entirely, cars or something else.