He will continue to serve as Technology Advisor to CEO Satya Nadella and others, the company said.
Gates will dedicate more time to his philanthropic endeavors he said in a personal Linkedin post, Gates noted that he stepped down from the board of Berkshire Hathaway as well.
Sofie Kodner (@KodSof) is a former newsletter producer at Protocol, based in San Francisco. Previously, she was a reporter with Bay Area public radio station KALW. Send her an email at sofie@protocol.com.
President Joe Biden on Friday will sign an order to implement the details of an agreement with the EU, including new privacy protections for the bloc's citizens that authorities hope will finally regularize data flows between the two continents.
The new measures, which include a set of two binding appeals for Europeans who believe their data has been improperly collected by the U.S. intelligence community, could be the crucial step necessary to replace Privacy Shield — a prior attempt to protect the legal status of information that companies move across the Atlantic. The new program is bound to face judicial scrutiny, however.
European courts struck down the Privacy Shield framework in 2020, causing a scramble as firms tried to keep trillions of dollars in digital commerce flowing while having fewer clear legal foundations for the data flows. EU lawmakers have often wanted to protect those huge volumes of business, and many in the bloc look skeptically both at mass U.S. government surveillance and the lack of national data protection laws.
Those concerns prompted the downfall of Privacy Shield as well as an earlier approach in 2015 that Privacy Shield was designed to replace. Max Schrems, the Austrian privacy campaigner behind both cases, scoffed at the new approach the U.S. and EU announced in March they had agreed to, and indicated he would again challenge any EU move that blesses data flows under the new terms.
Friday's order will give Europeans the ability to appeal to a civil liberties official within the Office of the Director of National Intelligence, and then to a new "court" set up by the attorney general and staffed by outside experts who have protections against removal.
While Privacy Shield also allowed appeals to an official within the State Department, administration officials who briefed the media on condition of anonymity said they hope the new approach would be seen as providing both more independence and more authority over the intelligence community.
The order also purports to require new safeguards in the U.S. intelligence community's vast surveillance apparatus, which has often pushed the boundaries of the law with help from tech companies while facing little accountability.
David Hatfield has stepped down as co-CEO of cloud security vendor Lacework but will remain on the company's board of directors, Protocol has learned.
The change is effective immediately, said Jay Parikh, who had been Lacework's second co-CEO and was previously Facebook's vice president of engineering. With the change, Parikh is now the sole chief executive of the privately held company, a prominent up-and-coming player in cloud security that last year achieved a valuation of $8.3 billion.
Lacework planned to inform employees of the change on Tuesday. Hatfield, who previously served as president at Pure Storage, leaves Lacework's executive leadership a few months shy of his second year with the company.
As part of the co-CEO model, Hatfield, who goes by the nickname "Hat," focused on business operations and expansion at Lacework, which has raised $1.85 billion in funding. Hatfield joined Lacework as CEO and chairman in early 2021. He could not immediately be reached Tuesday.
Parikh joined as co-CEO in mid-2021, and has focused on product and engineering for the company. The two have known each other for two decades, having previously worked at the same time at Akamai Technologies.
In an interview with Protocol, Parikh characterized the move as planned and amicable, prompted by conversations between "Hat, myself, and the board" that led to the conclusion that the co-CEO model was no longer the best fit for the company. Lacework's executive leadership and board have been "looking at where the business is and what it needs to get to the next level," and have determined that "unifying the company" under a single CEO made the most sense right now, Parikh said.
When it comes to Lacework's product and sales strategy and its relationships with customers, partners, and the big public cloud platforms, the move should help with "making sure that's all unified [around] one set of priorities with one focus," he said.
Parikh said he doesn't believe Hatfield has "any immediate plan to go jump into anything full-time anytime soon." Hatfield is "still going to be spending a good amount of time" on Lacework, Parikh told Protocol.
Lacework CEO Jay Parikh
Image: Lacework
Founded in 2014, Lacework offers a "data-driven" service that aims to stand out in the fast-growing cloud security market by collecting and analyzing data from across a customer's cloud environments. The goal is to to provide customers with crucial security insights, such as which threats to prioritize for action, the company has said.
The company raised a $525 million funding round in January 2021, followed by an additional $1.3 billion in funding in November 2021 that brought with it the $8.3 billion valuation. Lacework touted that round as "the largest funding round in security industry history," and the company ranks at No. 3 in terms of the biggest valuations for privately held security companies, according to CB Insights.
Lacework is also notable for having been just the third company to be incubated out of Sutter Hill Ventures, following a model that was used to launch Pure Storage and Snowflake. The Lacework platform supports AWS, Google Cloud, and Microsoft Azure, as well as Kubernetes environments.
In May, Lacework disclosed that it had laid off 20% of its staff, in response to what the co-CEOs then described as a "seismic shift" in "both the public and private markets." The company had previously reported having more than 1,000 employees as of March, and did not immediately have a figure available for its current employee count on Tuesday.
Prior to Lacework, Hatfield had previously spent nearly seven years as president at Pure Storage followed by 16 months as its vice chair, according to his LinkedIn. He joined the company as president in 2013, a few years into its founding, and stayed on through its initial public offering and its first several years as a public company.
While there are no plans to directly replace Hatfield at Lacework, given the unification of the CEO duties under Parikh's leadership, the company does plan to hire a chief revenue officer in the near future, Parikh said.
Ultimately, Lacework's leadership is focusing on making moves that will set it up "to be successful over 10, 20 years — we're not building this to be a transaction," Parikh said.
California’s new pay transparency law, SB 1162, promises to shake up compensation in the tech industry by requiring employers in the state to list pay scales in job ads and reveal pay information to both the state and to current employees. We spoke with Susan Alban, operating partner and chief people officer at Renegade Partners, and compensation consultant Ashish Raina to learn how.
Startups will adopt pay bands earlier. Five or 10 years ago, it wasn’t unusual for 50-person companies to be operating without a “career ladder” or “career architecture” with compensation bands for different job functions and levels, Alban said.
Companies may find other ways to differentiate pay in order to compete for the best talent. The law only requires companies to disclose base pay, not stock, bonuses, or benefits.
The law might provide a little more incentive for companies to hire outside of California, but not much. The law on its own is unlikely to have a major effect on where companies hire, but it adds more administrative headache to California employers.
Big companies are likely to comply more readily than startups. An online job search shows companies like Google, Salesforce, and Twitter listing pay ranges in ads. Some listings cite the Colorado law explicitly.
Pour one out for the Lightning cable.
The European Parliament voted in favor of new charging standards that will require all phones, tablets, and cameras sold in the European Union to be USB-C-ready by 2024. The mandate will extend to laptops in 2026.
The rule — which was introduced in June — passed 602-13, while eight members abstaining from voting. That reflects an overwhelming desire to make the average person's life easier (goodbye, cluttered junk drawer) as well as cut down on pernicious e-waste. While the decision means that ports such as micro-USB will fall by the wayside, Apple's Lightning port is also slated to go the way of the dinosaur.
The company's iPad and various MacBooks rely on USB-C charging. But Apple has held steadfastly to the technology for the iPhone, rolling out its most recent iteration of the phone with a Lightning rather than a USB-C port. The iPhone was the bestselling phone in the EU last year, with Apple capturing 34% of the smartphone market.
The European Council needs to sign off on the legislation before it officially goes into law. But that prospect looks likely. After that, the clock to USB-C hegemony begins counting down. The timing could work out well for Apple at least; the company releases a new iPhone every year in September. With the mandate likely to take effect in fall 2024, it means next year's iPhone could well be the last one to feature a Lightning port — unless Apple decides to just get the switch over with, something the company is reportedly considering.
The company could also make a USB-C version of the iPhone for the EU and a Lightning version for everyone else, of course, but that seems unlikely given the logistical hurdles. The iPhone could also go totally portless for charging, though that would be a much more radical leap.
As written, the rule would allow electronics without a USB-C port to continue being sold as long as they are "placed on the market before the date of application," according to a press release announcing the vote. Regardless, if you're a Lightning stan, uh, you should consider snapping up an iPhone 14 sooner than later.
Cutting down on e-waste is a sneaky climate policy. The Global E-Waste Monitor put out by the United Nations showed that nearly 54 million tons of e-waste piled up in 2020, a number that could rise to almost 75 million tons by the end of this decade. That's a local environmental concern given the toxic chemicals and components. But it's also a huge waste of emissions. More than two-thirds of the carbon pollution tied to electronics is emitted in the manufacturing process.
Cutting down on the number of charging cables produced (and trashed) is a relatively modest way to cut down on e-waste. Stronger policies that favor right-to-repair as well as companies working harder to stave off forced obsolescence could also offer a pathway to reduce the amount of electronic churn. Improving e-waste recycling is yet another avenue to cut down on trash; the Global E-Waste Monitor found only 17.4% of electronic trash is currently recycled. Apple and other tech companies have touted moving toward a circular economy as central to their sustainability goals. While the EU's USB-C mandate alone won't make that transition magically happen, it could spur further innovation and serve as a reminder of all the work that remains to be done.
Carbon dioxide removal service buyers and sellers are focused on one metric: $100 per ton. It’s one of Frontier’s stated criteria that the fund uses to evaluate its advance purchases. In a survey of the long-duration carbon removal community, CarbonPlan found that stakeholders are focused on the $100 benchmark. The Department of Energy even announced that it would be investing in carbon removal research to bring the cost of the technology down to $100 per ton.
Where did that number come from? In short, it’s the cost per ton of removal services that it would take for the CDR industry to reach commercial viability. It’s based on a handful of factors.
So far, no one has come anywhere close to reaching that target. Currently, most carbon removal services cost well above $100 per ton, although the Inflation Reduction Act’s updated 45Q tax credit of up to $180 per ton for direct air capture could help some startups get closer to achieving that target.
“$100 per ton is an extremely ambitious 10-year target, likely probably more of a 15- to 20-year target,” Talati said. But she thinks it’s “important to be ambitious,” and “there’s a lot of momentum around CDR and getting these technologies to scale.”
The world could have to remove billions of tons of carbon pollution per year from the atmosphere by midcentury depending on how fast emissions fall in the interim. That makes the momentum behind scaling CDR all the more important.
A version of this story appeared in Protocol’s Climate newsletter. Sign up here to get it in your inbox twice a week.
When Google announced the closure of its Stadia cloud gaming platform last week, the news was delivered at roughly the same time to employees, partners, and players on Thursday morning. Within hours, it had become clear that Stadia’s shutdown, planned for next January, would involve more than just refunding consumer purchases and quietly bowing out.
Now developers are scrambling to salvage planned projects, migrate players to other platforms, and figure out whether they’re still owed money from Google before the search giant puts Stadia out to pasture for good.
Stadia’s shutdown came as a surprise. Scores of indie game makers, not typically bound by the conservative norms of corporate PR, took to Twitter to explain their frustrations upon learning of the shutdown from news articles and a terse five-paragraph blog post from Stadia chief Phil Harrison.
It wasn’t just indies caught off guard. Google’s Stadia announcement kicked off a wave of uncertain responses from major third-party partners, including Bungie, CD Projekt Red, and Ubisoft. The consensus: We’re looking into it.
It’s not clear why Google axed Stadia now, and why it did so with little to no warning for any of the various parties that invested time, money, and other resources into the platform over the last three years.
It’s perhaps too early to draw broader conclusions about Stadia’s closure, what it could mean for cloud gaming as a whole, and whether the platform’s demise is the nail in the coffin for Google’s gaming ambitions. But Google’s sloppy handling of the announcement and Stadia’s stunning failure is evidence that even the largest, most experienced companies can find themselves lost in the woods when trying to crack such a notoriously difficult set of problems.
Cloud gaming is still available on platforms operated by Microsoft, Nvidia, and — for the time being — Amazon, too. But developing games is costly, difficult, and multidisciplinary work that takes years, and streaming those games over the cloud has yet to be accomplished in a sustainable fashion with an attractive business model. Google found this out the hard way, and let’s hope Stadia’s shutdown provides the road map that helps keep its competitors alive.
A version of this story appeared in Protocol’s Entertainment newsletter. Sign up here to get it in your inbox three times a week.
Trading of Twitter shares was briefly halted midday as CNBC and Bloomberg reported that Elon Musk now plans to go through with his deal to buy Twitter for $54.20 a share. The news was later confirmed.
Musk sent a letter to Twitter with his proposal to buy the company, according to an SEC filing. Twitter said it has received the letter and intends to close the deal at the originally agreed-upon price of $54.20 a share.
Musk and Twitter have been in a legal battle to push the Tesla CEO to buy Twitter since July, when Musk filed to back out of his proposed $44 billion acquisition. Musk tried to walk out of the deal based on allegations that Twitter was misstating the number of bots and spam accounts on the platform, which Twitter rejected. A trial in the case is scheduled to begin on Oct. 17.
The news coincidentally broke just as Twitter employees were near the start of a three-hour meeting to plan its 2023 strategy, according to reporter Casey Newton. "I am sitting on 2023 company wide strategy readouts and I guess we are going to collectively ignore what’s going on," Twitter employee Rumman Chowdhury tweeted.
Twitter shares jumped 15% on the news before being halted.
The U.S. is set to unveil a fresh set of policies Thursday aimed at choking off China’s access to advanced chip manufacturing technology and the chips themselves, according to a person familiar with the matter.
Thursday’s planned announcement will articulate and expand upon the Biden administration’s early efforts to impede China’s military establishment and domestic surveillance apparatus from obtaining technology related to computing that is largely focused on AI applications. Those efforts to date have included notification letters to chip companies and tool makers advising them of new limits on sales. The administration’s goal is to use a broad range of policies, including export controls, a potential executive order, and the foreign direct product rule, among other methods.
The Commerce Department declined to comment. The White House did not respond to a request for comment. Reuters and The New York Times reported earlier Monday that the announcement was set for this week, but did not specify a day.
The Biden administration’s strategy around China’s access to American chip technology has begun to take shape following the appointment of several key White House officials and the confirmation of Commerce Department Undersecretary for the Bureau of Industry and Security Alan Estevez in March. The BIS is responsible for American export controls.
The administration’s plans include blocking Chinese businesses, government research labs, and others from purchasing products that use American-made tech, The New York Times reported. Expanding the use of the foreign direct product rule to block Chinese entities from buying certain chips is only one element of the strategy, the newspaper said.
Protocol reported in August that the Biden administration plans to roll out export control rules on semiconductor manufacturing equipment that is capable of making chips with fin field-effect transistors, or FinFETs. FinFET loosely refers to the shape of the transistor, which is sometimes referred to as the 14-nanometer manufacturing process. Thursday’s announcement is expected to include export controls on chipmaking tools.
In late August, Nvidia and AMD disclosed they had received notification letters from the Commerce Department ordering them to halt sales of chips designed for artificial intelligence computing. Neither company disclosed the technical limits the administration imposed on the AI chips, but Nvidia CEO Jensen Huang said it was a combination of computing horsepower and a “specific level of inter-chip connection bandwidth.”
Beyond the logic chips made by Nvidia and AMD for AI applications, the Biden administration has also considered blocking several types of memory, according to two people familiar with the administration’s thinking. High-bandwidth memory (which is useful for training large AI models) and flash were among the memory technologies under consideration, the people said.
Administration officials had been briefed by several memory manufacturers about establishing specific thresholds for flash and high-bandwidth memory, according to another person familiar with the discussions. It wasn’t immediately clear what, if any, export controls or other measures would apply to memory in Thursday’s announcement.
Correction: An earlier version of this story misstated the date of Alan Estevez's confirmation and the month in which Nvidia and AMD disclosed notification letters. This story was updated on Oct. 4, 2022.
Companies like Meta and Lyft have stopped hiring for the year, and that’s music to the ears of other tech companies that are still staffing up. Much of talent sourcing still takes place on LinkedIn, but many recruiters have found their own techniques to use the service more efficiently. We asked LinkedIn’s VP of talent acquisition and three outside recruiters for their best LinkedIn hacks for sourcing talent.
When reaching out, short and sweet is key. When sending a connection request, executive recruiter Darrell Rosenstein said he rarely sends more than three sentences or 150 characters.
Focus on skills, not pedigree. Erin Scruggs, VP of talent acquisition at LinkedIn, said skills — which candidates can list on their profiles — are the “future currency” of recruiting, particularly in a tight labor market.
Post content to your company LinkedIn page to build a recruiting brand. Particularly for lesser-known startups, content can offer a glimpse into your company culture and personality.
Try LinkedIn’s “best-kept secret”: affinity groups. Paige Scott, who leads the Asset Management practice at the recruiting firm Kingsley Gate Partners in San Francisco, said groups are one of her favorite LinkedIn features for reaching candidates.
Kim Kardashian broke the internet, and according to the Securities and Exchange Commission, she also broke the securities laws.
The SEC announced Monday that the mega-influencer, reality TV star, and billionaire businesswoman will pay $1.26 million to resolve allegations she touted EMAX tokens on Instagram without disclosing she was being paid for it. Kardashian, who the SEC said "also agreed to not promote any crypto asset securities for three years," did not admit wrongdoing.
The SEC also said she had received $250,000 for her post on the token from EthereumMax. Her fine represents the payment, plus interest and a $1 million penalty.
SEC Chair Gary Gensler took the opportunity of the settlement announcement to tweet that the case showed "when celebrities / influencers endorse investment opps, including crypto asset securities, it doesn’t mean those investment products are right for all investors."
On Thursday, California Gov. Gavin Newsom signed into law a bill that makes phone calls from California’s prisons free of charge. The new law places the cost of calls not on incarcerated people — or the people receiving calls from them — but on the state’s Department of Corrections and Rehabilitation.
California is the second state after Connecticut and the biggest state by far to institute such a law, which is a direct shot at the $1.4 billion prison telecom industry. For years prison telecom companies have maintained rates that “can be unjustly and unreasonably high, thereby impeding the ability of inmates and their loved ones to maintain vital connections,” the FCC said in 2020.
Prison reform advocates argue the new California law will have a hugely positive impact on the families of incarcerated people in California — and potentially other states that follow California's lead.
"From a public policy perspective, we should be wanting people to stay connected to their social networks, to their families, to be able to start looking for employment if they are close to getting out," said state Sen. Josh Becker, who sponsored the bill, SB 1008. "But we have a very perverse system, which inhibits that and actually throws many families into debt."
For years, the high cost of prison phone calls has sapped money from low-income families with incarcerated loved ones. According to a 2015 report by the Ella Baker Center for Human Rights, 34% of families go into debt in their attempt to maintain contact with loved ones inside through phone calls and visitations. The impact is disproportionately felt by women of color, because of the corresponding disproportionate number of men of color in America’s prisons.
Now, with the governor's blessing, "the simple cost of a call is never going to impair their ability to tell their children they love them or help their partner problem-solve a parenting situation,” said Bianca Tylek, executive director of Worth Rises, a prison reform organization, which was a key player in advocating for the bill.
The new law covers the 93,000 incarcerated people in the state's prison system, and Becker hopes future legislation will extend free calls into California's city and county jails, as well.
In addition to making calls free to users, the law prohibits local agencies from “receiving revenue for the provision of communication services to persons in its custody." The law also charges the state’s utility commission with ensuring service does not fall below standard, now that calls are free. Proponents of the law say the policy change will cost California about $12 million annually, but that is a small fraction of the $14.2 billion budget for the state’s corrections department.
In recent years, the Federal Communications Commission has tried to clamp down on the astronomical costs charged by prison telecom providers including slashing fees and capping rates at 21 cents per minute for interstate calls in 2013. More recently, the FCC adopted a rule to prevent prison phone companies from seizing pre-paid funds from users, after one prison telecom giant, GTL, was found to have seized $121 million in customer funds. Other local governments have notched their own victories in the fight against sky-high prison call rates. In 2019, New York became the first major city jail system to make calls free. In 2020, San Francisco also made phone calls from its jails free and announced a policy change that would "permanently stop generating revenue from incarcerated people and their families through phone calls."
But advocates are hopeful that California's law will set an example for other state governments, because of the sheer size of its prison population. “California has a much bigger system, and what it does matters to the rest of the corrections community,” Tylek said. “It will be a huge trendsetter for everyone else.”
Rohit Chopra arrived as director of the Consumer Financial Protection Bureau one year ago today. True to his reputation as an aggressive watchdog from his time as an FTC commissioner and an earlier stint at the CFPB, he has pursued a busy agenda that’s setting up regulatory battles to come.
Chopra hasn't been afraid to challenge big banks or fintechs. His fight against banking’s so-called junk fees, for instance, won plaudits from both consumer-focused groups and fintech trade organizations.
All eyes in the fintech world are on open banking. The CFPB regulatory docket this fall includes a long-delayed rule-making effort to allow customers to more easily move their data between financial institutions. The effort is part of the Biden administration’s goal to boost competition in markets.
The agency’s tactics and a growing list of priorities are prompting powerful pushback. The industry and Republican members of Congress are circling.
The agency seems to be gearing up for that possibility. American Banker reported that the CFPB launched an office this summer dedicated to responding to congressional requests. Crane, a former Treasury official, said document requests can eat up a lot of administrative resources: “It is a big exercise, but it seems he is preparing to handle it without distracting from his day job.” But there’s little question that Chopra’s second year in the job will be more challenging than his first.
A version of this story appeared in Protocol’s Fintech newsletter. Sign up here to get it in your inbox each morning.
What does SB 1162 require? Starting in January, employers with 15 or more workers will be required to disclose salary ranges in job postings, including on third-party sites. Companies with 100+ employees, including contractors, will have to report on mean and median wage data.
Who has to comply with SB 1162? Any 15-plus-person company with employees in California will be subject to the law — even if your HQ is elsewhere.
What if my employees are remote? The law doesn’t address remote work, and how this law applies to non-California workers who may want to know their role’s pay scale is still a “gray area,” said Rachel Conn, a San Francisco-based partner in the Labor and Employment group at the law firm Nixon Peabody.
Didn’t California companies with 100+ employees already have to report pay data? Yes! Private companies with 100 or more employees started reporting their annual pay data by sex and race/ethnicity last year.
Can companies get around this? After Colorado passed its pay transparency law, some companies tried to dodge the requirement to disclose pay ranges by excluding Colorado applicants in job ads.
Microsoft said Friday it's "working on an accelerated timeline" to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, which the company acknowledged have been used in attacks on customers.
One of the vulnerabilities could enable remote execution of commands on a compromised server, prompting concern among security researchers about the potential for significant exploitation in coming days. The remote code execution vulnerability, which is being tracked by the identifier CVE-2022-41082, has similarities to the previously disclosed "ProxyShell" flaws. The new vulnerability was dubbed "ProxyNotShell" by researcher Kevin Beaumont, who was among the first to report seeing exploits of the bug in a series of tweets on Thursday.
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.
The second vulnerability, which is being tracked at CVE-2022-41040, can be used by an attacker to trigger the remote code execution vulnerability, Microsoft said in a blog post. The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, according to Microsoft.
A limiting factor on the exploitability of either of the newly disclosed bugs is that an attacker would need to have successfully logged in to a vulnerable Exchange server that they were attempting to exploit, Microsoft said.
The company released details on a mitigation that can be used to block the attack patterns for the vulnerabilities that've been observed so far.
"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems," the company said in its blog post.
One researcher told Protocol on Thursday that exploitation of the vulnerability is expected to escalate in the next few days. Exchange "is a juicy target for threat actors to exploit" because its servers must be connected directly to the internet, and are a key function for many businesses as email can't be turned off without causing a major disruption, said Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys.
Microsoft said in its post that customers of Exchange Online won't need to take action in response to the new vulnerabilities. Beaumont disputed that, saying in a tweet that for Exchange Online customers, "if you migrated and kept a hybrid server (a requirement until very recently) you are impacted."
Beaumont also said that his testing has found that to meet the requirement of being an authenticated user for exploiting ProxyNotShell, "this can be any email user," which is "pretty risky." Already, exploitation of the vulnerabilities "has been happening for at least one month in the wild," he said in a tweet.
The vulnerabilities were initially disclosed by researchers at cybersecurity vendor GTSC.
Google is stepping up its push for open video formats: The company plans to force hardware manufacturers to support the AV1 video codec if they want to run Android 14 on their mobile devices, according to comments left in recent commits to the Android Open Source Project (AOSP) that were first spotted by Esper senior technical editor Mishaal Rahman.
According to those AOSP comments, the next version of Google’s Android Compatibility Definition document will require hardware makers to support AV1 for both tablets and phones. Previously, devices only had to support VP8 and VP9, two open codecs that are predecessors of AV1.
Google has yet to publicly release the compatibility requirements for Android 14; the company is expected to release a beta version of Android 14 in April 2023. Google did not immediately respond to a request for comment.
AV1 is a royalty-free video codec spearheaded by the Alliance for Open Media, which counts Google, Amazon, Netflix, and others among its members. Google has been a major supporter of AV1, and has been requiring Android TV device makers to support the codec since last year, as Protocol was first to report two years ago.
Google has also been using YouTube to grow the adoption of AV1. The video service now re-encodes all of its videos in AV1, and has been pushing companies like Roku to support the codec for its living room devices.
AV1 support on mobile has been uneven, however, in part because Qualcomm has yet to add hardware decoding capabilities for the codec to its chipsets. As a result, Google is giving device makers the option to rely on software decoding of AV1 video streams, according to Rahman.
Google’s mandate of AV1 support on Android is just one piece of a broader push for open media formats. The company is also looking to establish royalty-free alternatives to Dolby Atmos and Dolby Vision, as Protocol was first to report last week.
A troubling new vulnerability affecting Microsoft Exchange email servers has been disclosed by researchers, though details are still emerging on the severity and exploitability of the flaw.
The vulnerability, disclosed by researchers at cybersecurity vendor GTSC, could enable remote execution of commands on a compromised server, according to the company. It appears to be a "zero-day" vulnerability, which means it was not disclosed to the software vendor before spreading in the wild and before a patch could be created.
Trend Micro said Thursday that the vulnerability was submitted to Microsoft via its Zero Day Initiative program. On Friday, Microsoft said it’s “working on an accelerated timeline” to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, including the remote code execution flaw disclosed by GTSC.
Researcher Kevin Beaumont, who was among the first to discuss GTSC's findings in a series of tweets Thursday, said he is aware of the vulnerability being "actively exploited in the wild" and that he "can confirm significant numbers of Exchange servers have been backdoored."
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.
Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys, told Protocol that he expects exploitation of the vulnerability to escalate in the next few days. Exchange servers must be connected directly to the internet and are a key function for many businesses since email can't be turned off without causing a major disruption, Smith noted. For those reasons, Exchange "is a juicy target for threat actors to exploit," he said in an email.
On Thursday, the initial reaction among security researchers was that it wasn't clear from GTSC's original disclosure whether this was in fact a brand-new, zero-day vulnerability in Microsoft Exchange, or if it might just be a new version of a previously disclosed vulnerability known as "ProxyShell." Beaumont noted in a blog post that a key portion of the exploit process detailed by the vendor "looks exactly like ProxyShell," which was disclosed in 2021.
However, GTSC subsequently updated its blog post, making it clear that the vulnerability affected Exchange servers that had already been patched with the latest updates. As a result, "an exploitation using Proxyshell vulnerability was impossible," the researchers said in the blog post update.
John Hammond, a well-known researcher at cybersecurity vendor Huntress, tweeted that the update makes clear that this "is in fact a new 0-day" remote code execution vulnerability.
Mike Parkin, a senior technical engineer at Vulcan Cyber, told Protocol that he had reached the same conclusion.
The fact that the compromised system was up to date before it was breached "indicates the attack leveraged a new vulnerability, not the one that was previously known," Parkin said in an email. Still, GTSC "hasn't released many details, so we are having to extrapolate from what they have said," he said.
Correction: This story was updated on Sept. 29, 2022, to correct the description of ProxyShell.
The gas-powered vehicle ban dominoes have begun to fall.
New York Gov. Kathy Hochul announced on Thursday that the state will follow California’s lead in banning the sale of new gas- or diesel-powered cars beginning in 2035. Like the Golden State, New York has also set interim targets: 35% of new cars sold must be zero-emissions by 2026, and 68% by 2030.
The plan is still not quite finalized, though. Hochul directed the state’s Department of Environmental Conservation to implement the new rules, and it will still have to hold a public hearing and open comment period before finalizing them.
This comes just a month after California threw down the gauntlet and restricted future internal combustion vehicle sales. Given that more than a dozen states — including New York — have adopted California's previous tailpipe standards, it was likely at least some of those states would follow the Golden State's lead on zero-emissions vehicle sales. New York is the first state to do so, though others such as Massachusetts, Washington, and Virginia are likely to follow suit in the near future.
“We had to wait for California to take a step because there’s some federal requirements that California had to go first — that’s the only time we’re letting them go first,” Hochul said at a press conference, in reference to a Clean Air Act provision that allows California alone to set its own vehicle emissions standards. A policy quirk allows other states to adopt those standards, but not to lead the way.
In addition to the gas-powered car sales ban, Hochul also announced that the state will invest $10 million in its existing Drive Clean Rebate program to encourage New Yorkers to purchase EVs. The program offers a point-of-sale rebate of up to $2,000 off a car’s sticker price, and can be combined with federal rebates like the $7,500 tax credit on new EVs. In its five years of existence, the program has handed out $92 million in rebates statewide, according to a press release. The state is also making $5.75 million available to local governments to transition their fleets to zero-emission vehicles and install public EV chargers and hydrogen fueling stations.
New York, along with 49 other states plus Puerto Rico and Washington, D.C., also had its EV charging plan approved by the Biden administration. That will unlock some of the $175 million in funding for EV charging set aside for the state as part of the bipartisan infrastructure law. Building out charging infrastructure could help make it that much easier for the state to meet its zero-emissions vehicle sales mandate.
Tech industry groups are once again pleading with the 5th Circuit to block HB 20, Texas' on-again, off-again social media law, which the court recently allowed to take effect.
In an unopposed motion filed Thursday, the plaintiffs in the ongoing legal battle, NetChoice and the Computer & Communications Industry Association, asked the court to "preserve the status quo" until the Supreme Court has a chance to review the issues raised in the case. The Texas law aims to prohibit online platforms from moderating content on the basis of viewpoint, a limitation that tech companies argue infringes on their First Amendment rights and conflicts with broad authority they have under Section 230 to moderate content.
This is not the first time NetChoice and CCIA have sought to block the law. Earlier this year, the 5th Circuit lifted an injunction on the same law, though its decision on the underlying case between tech groups and the state of Texas was still pending at the time. The tech groups argued that the 5th Circuit's actions would wreak havoc on companies operating in Texas and pushed for the Supreme Court to add the case to its shadow docket and re-institute the block on the law. Weeks later, the Supreme Court obliged, with a majority voting in NetChoice and CCIA's favor.
But the 5th Circuit decision earlier this month put the law back in play. In their motion, NetChoice and CCIA noted that even the three conservative justices who voted to keep the law in effect in May said that HB 20 "concerns issues of great importance that will plainly merit the [Supreme] Court’s review." The plaintiffs are asking the court to block the law from being implemented until the justices have had a chance to conduct that review.
That chance may come sooner rather than later: While the 5th Circuit gave the Texas social media law a green light, the 11th Circuit blocked a similar law in Florida earlier this year. That circuit split has created a rare opportunity for the Supreme Court to decide on issues related to online speech and the First Amendment rights of private platforms once and for all. Earlier this month, Florida filed a petition with the court asking it to take up its case surrounding SB 7072, a law that would limit tech platforms' ability to moderate certain political speech. Now, both sides of the debate are awaiting an answer as to whether they'll have a chance to fight it out in the highest court.
Until the Supreme Court provides that answer, though, NetChoice and CCIA are arguing that the 5th circuit shouldn't allow a disruptive — if not outright disastrous — law for so many businesses to go into effect. "If Supreme Court review was 'plainly merit[ed]' even before this circuit split," the motion reads, "it certainly is now."
Correction: An earlier version of this story incorrectly stated that NetChoice and CCIA filed a motion with the Supreme Court. They filed with the 5th Circuit.
Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs.
The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.
First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver's licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.
Optus has attempted to characterize the cyberattack as "sophisticated," but according to Australian Minister for Cybersecurity Clare O'Neil, it was actually just a "basic" attack. Optus “effectively left the window open” for customer data to be stolen, she said.
The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn't even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.
"This should be a wake-up call for a lot of organizations about how easy it was to get this data," said Nick Rago, field CTO at another API security vendor, Salt Security.
The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.
Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports. Protocol has reached out to the company for comment.
Based on the information that has come out so far, it appears that the API in question was actually "doing exactly what it was meant to do" when it called up the Optus customer records, Rago said. That means the API wasn't "hacked" in any sense of the word, but was just used for an unintended purpose, he said — what's sometimes referred to as an "API abuse" attack.
It's likely that Optus just didn't know about the existence or functionality of this particular API, according to Rago. It would appear there was a "lack of visibility and a lack of governance, in terms of not knowing this API existed in the first place and why it was exposed in this manner," he said
In general, it's recommended that businesses take a "layered security" approach to protecting APIs, using a firewall or API security product, identity authentication, authorization for governing access to data, and encryption for sensitive personal data, said Yotam Segev, co-founder and CEO of data security vendor Cyera. "It appears that Optus failed on every front," Segev said.
By way of analogy, even if the front door of your house was left open or broken into, you could still have a locker inside of your house to protect your sensitive documents, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow. "Even if the bad guys get in, they won't get your [sensitive] data," he said. But it appears that Optus did not have this type of capability, either.
The neobank MoneyLion charged service members excessive fees for loans and often refused to cancel paid memberships, according to a lawsuit filed Thursday by the Consumer Financial Protection Bureau.
The CFPB is accusing MoneyLion of violating the Military Lending Act by charging above a 36% rate cap on loans to service members and their families, through a combination of interest rates and monthly membership fees.
“MoneyLion targeted military families by illegally extracting fees and making it difficult to cancel monthly subscriptions,” CFPB Director Rohit Chopra said in a statement announcing the lawsuit. “Companies are breaking the law when they require monthly membership fees to obtain loans and then create barriers to canceling those memberships.”
MoneyLion went public last year through a SPAC deal and is worth about $227 million after its shares fell almost 18% today. Ahead of its public debut, the company's leadership disclosed that it had received investigative demands from the CFPB related to its membership model.
The company did not immediately respond to a request for comment Thursday.
The lawsuit cites a pair of personal loan products, including one focused on credit building, that require a membership for access, with recurring fees between $19.99 and $29 each month.
The CFPB said that MoneyLion refused customers’ requests to cancel memberships if they had outstanding loan balances. The company also refused to cancel memberships even after the loan was paid off if the customer still owed previous membership fees, according to the agency.
Through the lawsuit, the CFPB is seeking monetary relief for customers, an "end to MoneyLion's unlawful practices," and a civil money penalty.
The lawsuit is the fourth enforcement action the CFPB has taken related to the Military Lending Act in the past two years, the agency said.
Google is shutting down its Stadia cloud gaming service, nearly three years after its launch and roughly 18 months since the company shut down its internal game development division.
In a blog post, Stadia chief Phil Harrison said the platform "hasn't gained the traction with users that we expected so we’ve made the difficult decision to begin winding down our Stadia streaming service."
Harrison wrote that the company intends to refund all Stadia purchases, including hardware purchases of Stadia controller and Chromecast bundles through the Google Store and all software through the Stadia store, and plans to do so by January. After January 18, 2023, the service will become unavailable, the blog post reads. Harrison noted that this isn't the end of the road for Google's gaming ambitions, and the company intends to apply the technology learnings elsewhere.
"The underlying technology platform that powers Stadia has been proven at scale and transcends gaming. We see clear opportunities to apply this technology across other parts of Google like YouTube, Google Play, and our Augmented Reality (AR) efforts — as well as make it available to our industry partners, which aligns with where we see the future of gaming headed," he wrote. "We remain deeply committed to gaming, and we will continue to invest in new tools, technologies and platforms that power the success of developers, industry partners, cloud customers and creators."
Amazon announced pay raises and the rollout of new benefit programs to warehouse employees Wednesday. But one of those products may pose increased risks to the company’s most precarious workers: the expanded rollout of Amazon’s Anytime Pay Program.
The program, first announced in October 2020, allows employees to access a portion of their checks in advance of a regular pay date. Such products are typically referred to as “earned-wage access” and position themselves as a lower-fee and thus less predatory alternative to payday loans. Amazon is using Wisely, a product offered by payroll company ADP, for the service.
Employees load their wages in advance onto a Visa debit card and are then able to use that card wherever Visa cards are accepted, or can withdraw cash at some ATMs. When Amazon first rolled out the program to some workers, those workers could obtain up to 50% of their paycheck in advance. Now, more workers have access to the program, and can cash out on 70% of their paycheck in advance by transferring funds to their Wisely Pay Visa card.
The benefits for low-wage workers are obvious: Having access to wages in advance of payday can be helpful in handling unexpected expenses, particularly when an employee lives paycheck to paycheck. And, as has been well-covered, most Amazon warehouse workers don’t make enough money to have ample emergency savings, despite the company’s campaigning about a livable minimum wage and Wednesday’s pay increase.
But earned-wage access products also carry risks for consumers. The products are not currently regulated as loans, due to a Trump-era CFPB advisory opinion that carved out a special exemption for earned-wage access should providers fit certain criteria, like not charging fees. Wisely claims to offer earned-wage access “at no cost,” so it fits these requirements and hence is exempt from regulatory disclosures required of credit cards or payday loans.
However, the fine print of Wisely’s terms and conditions say there are some fees associated with the card: They just aren’t mandatory charges. The company charges $5.95 should customers want to load an additional $20 to $500 out of their own checking account onto the cards, for example, and says that fees may be charged at certain ATMs where the card is used. It then says that users should log in to their account to see a list of other applicable fees.
Consumer groups asked the CFPB to review its oversight of these types of products last fall, because they fear fees could harm consumers who aren’t expecting them. The CFPB also revoked a special regulatory exemption for Payactiv to experiment with earned-wage access products, signaling the agency will soon tighten regulations on these types of products.
ADP's partner bank, Fifth Third Bank, has run into trouble with the CFPB before. The bureau sued Fifth Third in 2020 for automatically enrolling customers in products they did not consent to and opening unauthorized accounts. According to a press release, this was implicitly encouraged because employees of the bank were subject to ambitious sales goals.
ADP and Fifth Third Bank did not respond to requests for comment.
This story was updated to reflect that Amazon later responded to a request for comment.
More pay transparency is coming to California. The Golden State is joining New York City, Colorado, and Washington in requiring employers to disclose pay ranges in job ads.
Gov. Gavin Newsom signed Senate Bill 1162 into law on Tuesday, according to statements from the California Legislative Women’s Caucus and the TechEquity Collaborative.
Under the law, employers with 15 or more workers will be required to include pay ranges in job postings, and those with 100 or more employees or contractors will have to report median and mean hourly pay rates by job category and “each combination of race, ethnicity, and sex.”
“This is a big moment for California workers, especially women and people of color who have long been impacted by systemic inequities that have left them earning far less than their colleagues,” said state Sen. Monique Limón (D-Santa Barbara) in a statement. Limón introduced the bill in February.
The TechEquity Collaborative’s chief programs officer, Samantha Gordon, praised the law in a statement as “an important step in equalizing the playing field for the 1.9 million contractors, temps, vendors, and contingent workers” in California.
The bill received pushback from the California Chamber of Commerce and the Society for Human Resources Management. The chamber called the bill a “job killer” because the pay reports were going to be published online, but that provision was later removed from the bill, SHRM noted earlier this month.
“You are grouping together workers in very broad categories, as broad as ‘professionals,’” CalChamber policy advocate Ashley Hoffman said in a chamber podcast. “If you think of a hospital, that would encompass nurses, but it would also encompass someone who just graduated college and starting in your HR department. It’s truly a broad category.”
According to Forbes, SHRM argued that pay transparency would increase compression between newer and more experienced employees and could deter candidates from applying before learning about other fringe benefits.
SB 1162 doesn’t make clear how the law applies to companies that employ workers remotely.
Cost-cutting in tech is officially hitting the industry’s titans. After years of ruthless staffing up, both Meta and Google have told some employees to find new jobs within the company or leave, according to a report in The Wall Street Journal.
These actions at Meta, via departmental reorganizations, have affected a “significant number” of employees. Cuts aren’t unexpected, a Meta spokesperson pointed out: Mark Zuckerberg told investors on the company’s July earnings call that he planned to “steadily reduce head count” over the coming year, and that “many teams are going to shrink so we can shift energy to other areas.”
The changes reported out of Google have apparently hit around half of the employees of the company’s 100-plus-employee startup incubator, Area 120, where a number of projects have been canceled. Google didn’t immediately return Protocol’s request for comment, but Sundar Pichai has spoken publicly about plans to cut costs, slow hiring, and make the company 20% more productive. On Friday, he reportedly told employees at an all-hands meeting that announcing job cuts to the whole company was “not a scalable way to do it,” but that he would “try and notify the company of the more important updates,” CNBC reported.
To find out what this all means for Big Tech and the rest of the industry, I spoke with Colleen McCreary, Nolan Church, and Steve Cadigan — three people-leaders who have led HR at companies like Credit Karma, DoorDash, Carta, and LinkedIn.
Moves like these are common in Big Tech. Giving employees 60 days to find another role is a “pretty normal big-company proposition,” said McCreary, the chief people, places, and publicity officer at Credit Karma. “Projects get spun up, projects get wound down.”
Big Tech has plenty of reasons to keep job cuts quiet.
For at least eight years, big tech companies have been hoarding talent — both from startups and from each other — as a competitive strategy, said Church.
One thing we know: More performance management is coming. McCreary said she gets a call from a CEO or head of HR “once a week” on how to do a layoff — but she’s also “hearing a lot more about, ‘How do you do performance management?’”
Calendly, the $3 billion scheduling startup that everyone likes to periodically fight about, has made its first acquisition: Prelude, a startup specializing in the hiring process. Prelude is specifically geared toward scheduling job interviews or other types of recruitment-related meetings.
"What makes this acquisition especially exciting is that it accelerates our vision to holistically solve external scheduling challenges for individuals and teams in companies of all sizes, from SMB to enterprise," CEO Tope Awotona wrote in a blog post announcing the acquisition.
Calendly has been focused on companies, not just individual users, for the past few years now. It released a group meeting feature to help teams schedule across time zones back in December 2021. The Prelude acquisition shows Calendly's interest in the HR software space and hints at its desire to build out other specific use cases. Awotona told TechCrunch that this is unlikely to be its last acquisition or its only dive into catering to specific industries.
