Menu

Timesdelhi.com

March 24, 2019
Category archive

reporter

Transportation Weekly: Waymo unleashes laser bear, Bird spreads its wings, Lyft tightens its belt

in alex roy/api/articles/Artificial Intelligence/austin/Automotive/AV/Barcelona/Cabify/california/Canada/ceo/China/Chris Urmson/Delhi/driver/DroneDeploy/Elon Musk/Emerging-Technologies/eurolines/Ford/France/General Partner/geneva/Google/India/Ingrid Lunden/internet connectivity/Kirsten Korosec/laser/latin america/Lidar/lucas matney/Lyft/Malcolm Gladwell/mercedes/mobike/Natasha Lomas/New Zealand/nvidia/operating system/OurCrowd/Ouster/Pandora/Politics/Quanergy/reporter/sacramento/Samsung/san jose/self-driving cars/simulation/spain/subscription services/TechCrunch/Technology/Tesla/transport/Transportation/Transportation Weekly/Travis VanderZanden/Uber/United Kingdom/United States/Velodyne/viper/VOI Technology/volkswagen/waymo/willows/zack Whittaker/Zipcar by

Welcome back to Transportation Weekly; I’m your host Kirsten Korosec, senior transportation reporter at TechCrunch . This is the fifth edition of our newsletter and we love the reader feedback. Keep it coming.

Never heard of TechCrunch’s Transportation Weekly? Catch up here, here and here. As I’ve written before, consider this a soft launch. Follow me on Twitter @kirstenkorosec to ensure you see it each week. (An email subscription is coming). 

This week, we explore the world of light detection and ranging sensors known as LiDAR, young drivers, trouble in Barcelona, autonomous trucks in California, and China among other things.


ONM …

There are OEMs in the automotive world. And here, (wait for it) there are ONMs — original news manufacturers. (Cymbal clash!) This is where investigative reporting, enterprise pieces and analysis on transportation lives.

This week, we’re going to put our on analysis hats as we explore the world of LiDAR, a sensor that measures distance using laser light to generate highly accurate 3D maps of the world around the car. LiDAR is considered by most in the self-driving car industry (Tesla CEO Elon Musk being one exception) a key piece of technology required to safely deploy robotaxis and other autonomous vehicles.

There are A LOT of companies working on LiDAR. Some counts track upwards of 70. For years now, Velodyne has been the primary supplier of LiDAR sensors to companies developing autonomous vehicles. Waymo, back when it was just the Google self-driving project, even used Velodyne LiDAR sensors until 2012.

Dozens of startups have sprung up with Velodyne in its sights. But now Waymo has changed the storyline.

To catch you up: Waymo announced this week that it will start selling its custom LiDAR sensors — the technology that was at the heart of a trade secrets lawsuit last year against Uber.

Waymo’s entry into the market doesn’t necessarily upend other companies’ plans. Waymo is going to sell its short range LiDAR, called Laser Bear Honeycomb, to companies outside of self-driving cars. It will initially target robotics, security and agricultural technology.

It does put pressure on startups, particularly those with less capital or those targeting the same customer base. Pitchbook ran the numbers for us to determine where the LiDAR industry sits at the moment. There are two stories here: there are a handful of well capitalized startups and we may have reached “peak” LiDAR. Last year, there were 28 VC deals in LiDAR technology valued at $650 million. The number of deals was slightly lower than in 2017, but the values jumped by nearly 34 percent.

The top global VC-backed LiDAR technology companies (by post valuation) are Quanergy, Velodyne (although mostly corporate backed), Aurora (not self-driving company Aurora Innovation), Ouster, and DroneDeploy. The graphic below, also courtesy of Pitchbook, shows the latest figures as of January 31, 2019.

Dig In

Researchers discovered that two popular car alarm systems were vulnerable to a manipulated server-side API that could be abused to take control of an alarm system’s user account and their vehicle.

The companies — Russian alarm maker Pandora and California-based Viper (or Clifford in the U.K.) — have fixed the  security vulnerabilities that allowed researchers to remotely track, hijack and take control of vehicles with the alarms installed. What does this all mean?

Our in-house security expert and reporter Zack Whittaker digs in and gives us a reality check. Follow him @zackwhittaker.

Since the first widely publicized car hack in 2015 proved hijacking and controlling a car was possible, it’s opened the door to understanding the wider threat to modern vehicles.

Most modern cars have internet connectivity, making their baseline surface area of attack far greater than a car that doesn’t. But the effort that goes into remotely controlling a vehicle is difficult and convoluted, and the attack — often done by chaining together a set of different vulnerabilities — can take weeks or even longer to develop.

Keyfob or replay attacks are far more likely than say remote attacks over the internet or cell network. A keyfob sends an “unlock” signal, a device captures that signal and replays it. By replaying it you can unlock the car.

This latest car hack, featuring flawed third-party car alarms, was far easier to exploit, because the alarm systems added a weakness to the vehicles that weren’t there to begin with. Car makers, with vast financial and research resources, do a far greater job at securing their vehicle than the small companies that focus on functionality over security. For now, the bigger risk comes from third parties in the automobile space, but the car makers can’t afford to drop their game either.


A little bird …

We hear a lot. But we’re not selfish. Let’s share.

blinky-cat-bird

The California Department Motor Vehicles is the government body that regulates autonomous vehicle testing on public roads. The job of enforcement falls to the California Highway Patrol.

In an effort to gauge the need for more robust testing guidelines, the California Highway Patrol decided to hold an event at its headquarters in Sacramento. Eight companies working on autonomous trucking technology were invited. It was supposed to be a large event with local and state politicians in attendance. And it was supposed to validate autonomous trucking as an emerging industry.

There’s just one problem: only one AV trucking company is willing and able to complete this course. We hear that this AV startup actually already went ahead and completed the test course.

The California Highway Patrol has postponed event, for now, presumably until more companies can join.

Got a tip or overheard something in the world of transportation? Email me or send a direct message to @kirstenkorosec.


Deal of the week

Instead of highlighting one giant deal, let’s step back and take a broader view of mobility this week. The upshot: 2018 saw a decline in total investments in the sector and money moved away from ride-hailing and towards two-wheeled transportation.

According to new research from EY, mobility investments in 2018 reached $39.1 billion, down from $55.2 billion in the previous year. (The figures EY provided was through November 2018).

Ride-hailing companies raised $7.1 billion in 2018, a 73 percent decline from the previous year when $26.7 billion poured into this sector.

Investors, it seems, are shifting their focus to other business models, notably first and last-mile connectivity. EY estimates $7 billion was invested in two-wheeler mobility companies such as bike-sharing and electric scooters in 2018. The U.S. and China together have contributed to more than 80 percent of overall two-wheeler mobility investments this year alone, according to EY research shared with TechCrunch.

Other deals:

  • FlixBus, the German Uber-like bus service, is buying rival Eurolines from Transdev

  • Vayavision, an autonomous vehicle technology startup that developed perception software received a 2.45 million euro grant ($2.75 million) from the European Commission’s European Innovation Council. The company is backed by backed by LG Corp and Mitsubishi UFJ Capital.

  • Remix picks up $15 million to help cities make better decisions around transit
  • Hammerhead raises $4.2 million to build a better operating system for bikes
  • Brodmann17 — named after the primary visual cortex in the human brain — raised $11 million in a Series A round of funding led by OurCrowd, with participation also from Maniv Mobility, AI Alliance, UL Ventures, Samsung NEXT, and the Sony Innovation Fund.

Snapshot

Let’s talk about Generation Z, that group of young people born 1996 to the present, and one startup that is focused on turning that demographic into car owners.

There’s lots of talk and hand wringing about young people choosing not to get a driver’s license, or not buying a vehicle. In the UK, for instance, about 42 percent of young drivers aged 17 to 24, hold a driver’s license. That’s about 2.7 million people, according to the National Travel Survey 2018 (NTS) of the UK government’s department of transport. An additional 2.2 million have a provisional or learner license. Combined, that amounts to about 13 percent of the car driving population of the UK.

In the UK, evidence suggests that a rise in motoring costs have discouraged young people from learning. And there lies one opportunity that a new startup called Driver1 is targeting.

Driver 1 is a car subscription service designed exclusively for first car drivers aged 17 to 24. The company has been in stealth mode for about a year and is just now launching.

“The young driver market is being underserved by the car industry, Driver1 founder Tim Hammond told TechCrunch. “And primarily it’s the financing that’s not available for that age group. It’s also something that’s not really affordable for any of the car subscription models like Fair.com and it’s not suitable for the OEM subscription services either financially or from an age perspective for young drivers.”

The company’s own research has found this group wants a newer car for 12 to 15 months.

“The car is the extension of their device,” Hammond said, noting these drivers don’t want the old junkers. “They want their iPhones and they want the car that goes with it.”

The company is working directly with leasing companies — not dealerships — to provide young drivers with 3 to 5-year-old cars that have lost 60 percent or so of their value. Driver1 is targeting under $120 a month for the customer and has a partnership with remarketing company Manheim, which is owned by Cox Automotive.

The startup is focused on the UK for now and has about 600 members who have reserved their cars for purchase. Driver1 is aiming to capture about 10 percent of the 1 million or so young people in the UK who pass their learners permit each year. The company plans it expand to France and other European countries in the fall.


Tiny but mighty micromobility

Bird Rocking Out GIF - Find & Share on GIPHY

Ca-caw, ca-caw! That’s the sound of Bird gearing up to launch Bird Platform in New Zealand, Canada and Latin America in the coming weeks. The platform is part of Bird’s mission to bring its scooters across the world “and empower local entrepreneurs in regions where we weren’t planning to launch to run their own electric-scooter sharing program with Bird’s tech and vehicles,” Bird CEO Travis VanderZanden told TechCrunch.

MRD’s two cents: Bird Platform seems like a way for Bird to make extra cash without having to do any of the work i.e. charging the vehicles, maintaining them and working with city officials to get permits. Smart!

Meanwhile, the dolla dolla bills keep pouring into micromobility. European electric scooter startup Voi Technology raised an additional $30 million in capital. That was on top of a $50 million Series A round just three months ago.

Oh, and because micromobility isn’t just for startups, Volkswagen decided to launch a kind of weird-looking electric scooter in Geneva. Because, why not?

Megan Rose Dickey

One more thing …

Lyft is trimming staff to prepare for its IPO. TechCrunch’s Ingrid Lunden learned that the company has laid off about 50 staff in its bike and scooter division. It appears most of these folks are people who joined the Lyft through its acquisition of  electric bike sharing startup Motivate a deal that closed about three months ago.


Notable reads

It’s probably not smart to suggest another newsletter, but if you haven’t checked out Michael Dunne’s  The Chinese Are Coming newsletter, you should. Dunne has a unique perspective on what’s happening in China, particularly as it related to automotive and newer forms of mobility such as ride-hailing. One interesting nugget from his latest edition: there are more than 20 other new electric vehicle makers in China.

“Most will fall away within the next 3 to 4 years as cash runs out,” Dunne predicts.

Other quotable notables:

Here’s a fun read for the week. TechCrunch’s Lucas Matney wrote about a YC Combinator startup Jetpack Aviation.The startup has launched pre-orders this week for the moonshot of moonshots, the Speeder, a personal vertical take-off and landing vehicle with a svelte concept design that looks straight out of Star Wars or Halo.


Testing and deployments

Spanish ride-hailing firm Cabify is back operating in Barcelona, Spain despite issuing dire warnings that new regulations issued by local government would crush its business and force it to fire thousands of drivers and leave forever. Turns out forever is one month.

The Catalan Generalitat issued a decree last month imposing a wait time of at least 15 minutes between a booking being made and a passenger being picked up. The policy was made to ensure taxis and ride-hailing firms are not competing for the same passengers, following a series of taxi strikes, which included scenes of violence. Our boots on the ground reporter Natasha Lomas has the whole story.

Sure, Barcelona is just one city. But what happened in Barcelona isn’t an isolated incident. The early struggles between conventional taxis and ride-hailing operations might be over, but that doesn’t mean the matter has been settled altogether.

And it’s not likely to go away. Once, robotaxis actually hit the road en masse — and yes, that’ll be awhile — these same struggles will pop up again.

Other deployments, or, er, retreats ….

Bike share pioneer Mobike retreats to China

On the autonomous vehicle front:

China Post, the official postal service of China, and delivery and logistics companies Deppon Express, will begin autonomous package delivery services in April. The delivery trucks will operate on autonomous driving technologies developed by FABU Technology, an AI company focused on intelligent driving systems.


On our radar

There is a lot of transportation-related activity this month. Come find me.

SXSW in Austin: TechCrunch will be at SXSW. And there is a lot of mobility action here. Aurora CEO and co-founder Chris Urmson was on stage Saturday morning with Malcolm Gladwell. Mayors from a number of U.S. cities as well as companies like Ford and Mercedes are on the scene. Here’s where I’ll be. 

  • 2 p.m. to 6:30 p.m. (local time) March 9 at the Empire Garage for the Smart Mobility Summit, an annual event put on by Wards Intelligence and C3 Group. The Autonocast, the podcast I co-host with Alex Roy and Ed Niedermeyer, will also be on hand.
  • 9:30 a.m. to 10:30 a.m. (local time) March 12 at the JW Marriott. The Autonocast and founding general partner of Trucks VC, Reilly Brennan will hold a SXSW podcast panel on automated vehicle terminology and other stuff.
  • 3:30 p.m (local time) over at the Hilton Austin Downtown, I’ll be moderating a panel Re-inventing the Wheel: Own, Rent, Share, Subscribe. Sherrill Kaplan with Zipcar, Amber Quist, with Silvercar and Russell Lemmer with Dealerware will join me on stage.
  • TechCrunch is also hosting a SXSW party from 1 pm to 4 pm Sunday, March 10, 615 Red River St., that will feature musical guest Elderbrook. RSVP here

Nvidia GTC

TechCrunch (including yours truly) will also be at Nvidia’s annual GPU Technology Conference from March 18 to 21 in San Jose.

Self Racing Cars

The annual Self Racing Car event will be held March 23 and March 24 at Thunderhill Raceway near Willows, California.

There is still room for participants to test or demo their autonomous vehicles, drive train innovation, simulation, software, teleoperation, and sensors. Hobbyists are welcome. Sign up to participate or drop them a line at contact@selfracingcars.com.

Thanks for reading. There might be content you like or something you hate. Feel free to reach out to me at kirsten.korosec@techcrunch.com to share those thoughts, opinions or tips. 

Nos vemos la próxima vez.

News Source = techcrunch.com

Facebook won’t let you opt-out of its phone number ‘look up’ setting

in Alex Stamos/computing/Delhi/Facebook/India/photo sharing/Politics/privacy/reporter/Security/social media/Software/terms of service by

Users are complaining that the phone number Facebook hassled them to use to secure their account with two-factor authentication has also been associated with their user profile — which anyone can use to “look up” their profile.

Worse, Facebook doesn’t give you an option to opt-out.

Last year, Facebook was forced to admit that after months of pestering its users to switch on two-factor by signing up their phone number, it was also using those phone numbers to target users with ads. But some users are finding out just now that Facebook’s default setting allows everyone — with or without an account — to look up a user profile based off the same phone number previously added to their account.

The recent hubbub began today after a tweet by Jeremy Burge blew up, criticizing Facebook’s collection and use of phone numbers, which he likened to “a unique ID that is used to link your identity across every platform on the internet.”

Although users can hide their phone number on their profile so nobody can see it, it’s still possible to “look up” user profiles in other ways, such as “when someone uploads your contact info to Facebook from their mobile phone,” according to a Facebook help article. It’s a more restricted way than allowing users to search for user profiles using a person’s phone number, which Facebook restricted last year after admitting “most” users had their information scraped.

Facebook gives users the option of allowing users to “look up” their profile using their phone number to “everyone” by default, or to “friends of friends” or just the user’s “friends.”

But there’s no way to hide it completely.

Security expert and academic Zeynep Tufekci said in a tweet: “Using security to further weaken privacy is a lousy move — especially since phone numbers can be hijacked to weaken security,” referring to SIM swapping, where scammers impersonate cell customers to steal phone numbers and break into other accounts.

Tufekci’s argued that users can “no longer keep keep private the phone number that [they] provided only for security to Facebook.”

Facebook spokesperson Jay Nancarrow told TechCrunch that the settings “are not new,” adding that, “the setting applies to any phone numbers you added to your profile and isn’t specific to any feature.”

Gizmodo reported last year that when a user gives Facebook a phone number for two-factor, it “became targetable by an advertiser within a couple of weeks.”

If a user doesn’t like it, they can set up two-factor without using a phone number — which hasn’t been mandatory for additional login security since May 2018.

But even if users haven’t set up two-factor, there are well documented cases of users having their phone numbers collected by Facebook, whether the user expressly permitted it or not.

In 2017, one reporter for The Telegraph described her alarm at the “look up” feature, given she had “not given Facebook my number, was unaware that it had found it from other sources, and did not know it could be used to look me up.”

WhatsApp, the messaging app also owned by Facebook (alongside Messenger and Instagram), uses your phone number as the primary way to create your account and connect you to its service. Facebook has long had a strategy to further integrate the two services, although it has run into some bumps along the way.

To the specific concerns by users, Facebook said: “We appreciate the feedback we’ve received about these settings and will take it into account.”

Concerned users should switch their “look up” settings to “Friends” to mitigate as much of the privacy risk as possible.

When asked specifically if Facebook will allow users to users to opt-out of the setting, Facebook said it won’t comment on future plans. And, asked why it was set to “everyone” by default, Facebook said the feature makes it easier to find people you know but aren’t yet friends with.

Others criticized Facebook’s move to expose phone numbers to “look ups,” calling it “unconscionable.”

Alex Stamos, former chief security officer and now adjunct professor at Stanford University, also called out the practice in a tweet. “Facebook can’t credibly require two-factor for high-risk accounts without segmenting that from search and ads,” he said.

Since Stamos left Facebook in August, Facebook has not hired a replacement chief security officer.

News Source = techcrunch.com

Indian state government leaks thousands of Aadhaar numbers

in aadhaar/bangalore/biometrics/Delhi/Government/Identification/India/New Delhi/Politics/privacy/Python/reporter/Security/Supreme Court/Unique Identification Authority of India/United States/vpn by

A lapse in security has led to the leaking of over a hundred thousand Aadhaar numbers, TechCrunch can reveal.

One of the web systems used to record attendance of government workers for the Indian state of Jharkhand was left exposed and without a password as far back as 2014, allowing anyone access to names, job titles, and partial phone numbers on 166,000 workers as of the time of writing.

But the photo on each record page used the file name as that worker’s Aadhaar number, a confidential 12-digit number assigned to each Indian citizen as part of the country’s national identity and biometric database.

The data leak isn’t a direct breach of the central database run by Aadhaar’s regulator, the Unique Identification Authority of India (UIDAI), but represents another lapse in responsibility from the authority charged with protecting its data.

Aadhaar numbers aren’t strictly secret but are treated similarly to Social Security numbers. Anyone of the 1.23 billion Indian citizens enrolled in Aadhaar — more than 90 percent of the population — can use their unique number or their thumbprint to verify their identity in order to enroll in state services, like voting, welfare or financial assistance. Aadhaar users can even use their Aadhaar identity to open a bank account, get a SIM card, call an Uber, buy something on Amazon, or rent an Airbnb.

But the system has been plagued with problems that have led to starvation in cases, and the illicit trade of citizen data on the underground market.

It’s unclear why the Jharkhand government site was accessible to anyone who knew where to look, but little effort had been put in to ensure the security of the system — or even hide it from the outside world. The site was easily found on a subdomain of the state government’s website, but for long enough that it was indexed by Google, which cached copies of not only the site itself, but also its attendance record pages that still contain Aadhaar numbers in each worker’s photo.

TechCrunch asked Baptiste Robert, a French security researcher who goes by the online handle Elliot Alderson, to take a look at the site. Robert has prior experience in revealing Aadhaar-related data leaks. Using less than a hundred lines of Python code, Robert demonstrated that it was easy for anyone to scrape the entire site in batches to download their photos and corresponding Aadhaar numbers.

TechCrunch verified a small selection of Aadhaar numbers from the site using UIDAI’s own verification tool on its website. (We used a VPN in Bangalore as the page was unavailable in the U.S.). Each record came back as a positive match.

After confirming our findings, we reached out to both the Jharkhand government and UIDAI.

Jharkhand’s attendance site leaking worker data. (Image: TechCrunch)

At the time of publication, neither had responded, but the website had been pulled offline.

The exposure may represent a fraction of the billion-plus users registered with Aadhaar, but uncovers yet another inadvertent disclosure of citizen data from a system that UIDAI claims is impenetrable. Instead of learning from mistakes and mishaps, UIDAI instead has shown a long history of rebuffing evidence of security incidents or breaches with mockery and declaring findings as “fake news,” by claiming to refute evidence without presenting any of its own.

The leak of Aadhaar numbers may not be seen as sensitive compared to leaked biometric data. Former attorney general Mukul Rohtagi once called a separate leak of Aadhaar numbers “much ado about nothing.” But it’s raises fears that obtaining and misusing someone’s number could lead to identity theft and fraud — which reportedly peaked last year.

Others have expressed concern that the system puts privacy at risk by recording information on a person’s life, which authorities can use to conduct surveillance on ordinary citizens.

But the exposure alone contradicts the Indian government’s claims that the Aadhaar system as a whole is secure.

In recent years, several security lapses involving data relating to Aadhaar have reignited fresh concerns about the centralized database — including several issues found by Robert. Last year, security researcher Karan Saini, a New Delhi-based security researcher, found a poorly-secured web address used by state-owned utility company Indane that had direct access to the Aadhaar database, allowing him to query results from the system. UIDAI rubbished the reports, baselessly claiming that there was “no truth to this story” in a series of tweets from its official Twitter account, despite evidence to the contrary. In the same year, India’s Tribune newspaper reported that some were selling direct access to the Aadhaar database. UIDAI responded by filing a complaint against the reporter with police.

Despite the security concerns, India’s Supreme Court ruled the database constitutional in September after a long-running court battle.

News Source = techcrunch.com

Amazon’s barely-transparent transparency report somehow gets more opaque

in amazon alexa/Apps/computing/Delhi/e-book/Government/India/Online Music Stores/Politics/privacy/publishing/reporter/world wide web by

Amazon posted its bi-annual report Thursday detailing the number of government data demands it receives.

The numbers themselves are unremarkable, neither spiking nor falling in the second-half of last year compared to the first-half. The number of subpoenas, search warrants and other court orders totaled 1,736 for the duration, down slightly on the previous report. Amazon still doesn’t break out demands for Echo data, but does with its Amazon Web Services content — a total of 175 requests down from 253 requests.

But noticeably absent compared to earlier reports was how many requests the company received to remove data from its service.

In its first-half report, the retail and cloud giant said in among the other demands it gets that it may receive court orders that might demand Amazon “remove user content or accounts.” Amazon used to report the requests “separately” in its report.

Now it’s gone. Yet where freedom of speech and expression is more important than ever, it’s just not there any more — not even a zero.

We reached out to Amazon to ask why it took out removal requests, but not a peep back on why.

Amazon has long had a love-hate relationship with transparency reports. Known for its notorious secrecy — once telling a reporter, “off the record, no comment” — the company doesn’t like to talk when it doesn’t have to. In the wake of the Edward Snowden disclosures, most companies that weren’t disclosing their government data demands quickly started. Even though Amazon wasn’t directly affected by the surveillance scandal, it held out — because it could — but later buckled, becoming the last of the major tech giants to come out with a transparency report.

Even then, the effort Amazon put in was lackluster.

Unlike most other transparency reports, Amazon’s is limited to just two pages — most of which are dedicated to explaining what it does in response to each kind of demand, from subpoenas to search warrants and court orders. No graphics, no international breakdown and no announcement. It’s almost as if Amazon doesn’t want anyone to notice.

That hasn’t changed in years. Where most other companies have expanded their reports — Apple records account deletions, so does Facebook, and Microsoft, Twitter, Google and a bunch more — Amazon’s report has stayed the same.

And for no good reason except that Amazon just can. Now it’s getting even slimmer.

News Source = techcrunch.com

Scooter startup Bird tried to silence a journalist. It did not go well.

in bank/blogs/Boing Boing/China/copyright law/cyberpunk/Delhi/digital media/electronic/India/Internet/journalist/lawsuit/online rights/Politics/reporter/Security/spokesperson/Startups/Transportation by

Cory Doctorow doesn’t like censorship. He especially doesn’t like his own work being censored.

Anyone who knows Doctorow knows his popular tech and culture blog Boing Boing, and anyone who reads Boing Boing knows Doctorow and his cohort of bloggers. The part-blogger, part special advisor at the online rights group Electronic Frontier Foundation, has written for years on topics of technology, hacking, security research, online digital rights, and censorship and its intersection with free speech and expression.

Yet, this week it looked like his own free speech and expression could have been under threat.

Doctorow revealed in a blog post on Friday that scooter startup Bird sent him a legal threat, accusing him of copyright infringement and that his blog post encourages “illegal conduct.”

In its letter to Doctorow, Bird demanded that he “immediately take[s] down this offensive blog.”

Doctorow declined, published the legal threat, and fired back with a rebuttal letter from the EFF accusing the scooter startup of making “baseless legal threats” in an attempt to “suppress coverage that it dislikes.”

The whole debacle started after Doctorow wrote about about how Bird’s many abandoned scooters can be easily converted into a “personal scooter” by swapping out its innards with a plug-and-play converter kit. Citing an initial write-up by Hackaday, these scooters can have “all recovery and payment components permanently disabled” using the converter kit, available for purchase from China on eBay for about $30.

In fact, Doctorow’s blog post was only two paragraphs long and, though didn’t link to the eBay listing directly, did cite the hacker who wrote about it in the first place — bringing interesting things to the masses in bitesize form in in true Boing Boing fashion.

Bird didn’t like this much, and senior counsel Linda Kwak sent the letter — which the EFF published today — claiming that Doctorow’s blog post was “promoting the sale/use of an illegal product that is solely designed to circumvent the copyright protections of Bird’s proprietary technology, as described in greater detail below, as well as promoting illegal activity in general by encouraging the vandalism and misappropriation of Bird property.” The letter also falsely stated that Doctorow’s blog post “provides links to a website where such Infringing Product may be purchased,” given that the post at no point links to the purchasable eBay converter kit.

EFF senior attorney Kit Walsh fired back. “Our client has no obligation to, and will not, comply with your request to remove the article,” she wrote. “Bird may not be pleased that the technology exists to modify the scooters that it deploys, but it should not make baseless legal threats to silence reporting on that technology.”

The three-page rebuttal says Bird used incorrectly cited legal statutes to substantiate its demands for Boing Boing to pull down the blog post. The letter added that unplugging and discarding a motherboard containing unwanted code within the scooter isn’t an act of circumventing as it doesn’t bypass or modify Bird’s code — which copyright law says is illegal.

As Doctorow himself put it in his blog post Friday: “If motherboard swaps were circumvention, then selling someone a screwdriver could be an offense punishable by a five year prison sentence and a $500,000 fine.”

In an email to TechCrunch, Doctorow said that legal threats “are no fun.”

AUSTIN, TX – MARCH 10: Journalist Cory Doctorow speaks onstage at “Snowden 2.0: A Field Report from the NSA Archives” during the 2014 SXSW Music, Film + Interactive Festival at Austin Convention Center on March 10, 2014 in Austin, Texas. (Photo by Travis P Ball/Getty Images for SXSW)

“We’re a small, shoestring operation, and even though this particular threat is one that we have very deep expertise on, it’s still chilling when a company with millions in the bank sends a threat — even a bogus one like this — to you,” he said.

The EFF’s response also said that Doctorow’s freedom of speech “does not in fact impinge on any of Bird’s rights,” adding that Bird should not send takedown notices to journalists using “meritless legal claims,” the letter said.

“So, in a sense, it doesn’t matter whether Bird is right or wrong when it claims that it’s illegal to convert a Bird scooter to a personal scooter,” said Walsh in a separate blog post. “Either way, Boing Boing was free to report on it,” she added.

What’s bizarre is why Bird targeted Doctorow and, apparently nobody else — so far.

TechCrunch reached out to several people who wrote about and were involved with blog posts and write-ups about the Bird converter kit kit. Of those who responded, all said that they had not received a legal demand from Bird.

We asked Bird why it sent the letter, and if this was a one-off letter or if Bird had sent similar legal demands to others. When reached, a Bird spokesperson did not comment on the record.

All too often, companies send legal threats and demands to try to silence work or findings that they find critical, often using misinterpreted, incorrect or vague legal statutes to get things pulled off from the internet. Some companies have been more successful than others, despite an increase in awareness and bug bounties, and a general willingness to fix security issues before they inevitably become public.

Now Bird becomes the latest in a long list of companies that have threatened reporters or security researchers, alongside companies like drone maker DJI, which in 2017 threatened a security researcher trying to report a bug in good faith, and spam operator River City, which sued a security researcher who found the spammer’s exposed servers and a reporter who wrote about it. Most recently, password manager maker Keeper sued a security reporter claiming allegedly defamatory remarks over a security flaw in one of its products. The case was eventually dropped but not before over 50 experts, advocates, and journalist (including this reporter) signed onto a letter calling for companies to stop using legal threats to stifle — and silence security researcher.

That effort resulted in several companies — notably LinkedIn and Tesla — to double down on their protection of security researchers by changing their vulnerability disclosure rules to promise that the companies will not seek to prosecute hackers acting in good-faith.

But some companies have bucked that trend and have taken a more hostile, aggressive — and regressive — approach to security researchers and reporters.

“Bird Scooters and other dockless transport are hugely controversial right now, thanks in large part to a ‘move-fast, break-things’ approach to regulation, and it’s not surprising that they would want to control the debate,” said Doctorow.

“But to my mind, this kind of bullying speaks volumes about the overall character of the company,” he said.

News Source = techcrunch.com

Go to Top