Tomio Geron (@tomiogeron) is a San Francisco-based reporter covering fintech. He was previously a reporter and editor at The Wall Street Journal, covering venture capital and startups. Before that, he worked as a staff writer at Forbes, covering social media and venture capital, and also edited the Midas List of top tech investors. He has also worked at newspapers covering crime, courts, health and other topics.
On Thursday, California Gov. Gavin Newsom signed into law a bill that makes phone calls from California’s prisons free of charge. The new law places the cost of calls not on incarcerated people — or the people receiving calls from them — but on the state’s Department of Corrections and Rehabilitation.
California is the second state after Connecticut and the biggest state by far to institute such a law, which is a direct shot at the $1.4 billion prison telecom industry. For years prison telecom companies have maintained rates that “can be unjustly and unreasonably high, thereby impeding the ability of inmates and their loved ones to maintain vital connections,” the FCC said in 2020.
Prison reform advocates argue the new California law will have a hugely positive impact on the families of incarcerated people in California — and potentially other states that follow California's lead.
"From a public policy perspective, we should be wanting people to stay connected to their social networks, to their families, to be able to start looking for employment if they are close to getting out," said state Sen. Josh Becker, who sponsored the bill, SB 1008. "But we have a very perverse system, which inhibits that and actually throws many families into debt."
For years, the high cost of prison phone calls has sapped money from low-income families with incarcerated loved ones. According to a 2015 report by the Ella Baker Center for Human Rights, 34% of families go into debt in their attempt to maintain contact with loved ones inside through phone calls and visitations. The impact is disproportionately felt by women of color, because of the corresponding disproportionate number of men of color in America’s prisons.
Now, with the governor's blessing, "the simple cost of a call is never going to impair their ability to tell their children they love them or help their partner problem-solve a parenting situation,” said Bianca Tylek, executive director of Worth Rises, a prison reform organization, which was a key player in advocating for the bill.
The new law covers the 93,000 incarcerated people in the state's prison system, and Becker hopes future legislation will extend free calls into California's city and county jails, as well.
In addition to making calls free to users, the law prohibits local agencies from “receiving revenue for the provision of communication services to persons in its custody." The law also charges the state’s utility commission with ensuring service does not fall below standard, now that calls are free. Proponents of the law say the policy change will cost California about $12 million annually, but that is a small fraction of the $14.2 billion budget for the state’s corrections department.
In recent years, the Federal Communications Commission has tried to clamp down on the astronomical costs charged by prison telecom providers including slashing fees and capping rates at 21 cents per minute for interstate calls in 2013. More recently, the FCC adopted a rule to prevent prison phone companies from seizing pre-paid funds from users, after one prison telecom giant, GTL, was found to have seized $121 million in customer funds. Other local governments have notched their own victories in the fight against sky-high prison call rates. In 2019, New York became the first major city jail system to make calls free. In 2020, San Francisco also made phone calls from its jails free and announced a policy change that would "permanently stop generating revenue from incarcerated people and their families through phone calls."
But advocates are hopeful that California's law will set an example for other state governments, because of the sheer size of its prison population. “California has a much bigger system, and what it does matters to the rest of the corrections community,” Tylek said. “It will be a huge trendsetter for everyone else.”
Rohit Chopra arrived as director of the Consumer Financial Protection Bureau one year ago today. True to his reputation as an aggressive watchdog from his time as an FTC commissioner and an earlier stint at the CFPB, he has pursued a busy agenda that’s setting up regulatory battles to come.
Chopra hasn't been afraid to challenge big banks or fintechs. His fight against banking’s so-called junk fees, for instance, won plaudits from both consumer-focused groups and fintech trade organizations.
All eyes in the fintech world are on open banking. The CFPB regulatory docket this fall includes a long-delayed rule-making effort to allow customers to more easily move their data between financial institutions. The effort is part of the Biden administration’s goal to boost competition in markets.
The agency’s tactics and a growing list of priorities are prompting powerful pushback. The industry and Republican members of Congress are circling.
The agency seems to be gearing up for that possibility. American Banker reported that the CFPB launched an office this summer dedicated to responding to congressional requests. Crane, a former Treasury official, said document requests can eat up a lot of administrative resources: “It is a big exercise, but it seems he is preparing to handle it without distracting from his day job.” But there’s little question that Chopra’s second year in the job will be more challenging than his first.
A version of this story appeared in Protocol’s Fintech newsletter.
What does SB 1162 require? Starting in January, employers with 15 or more workers will be required to disclose salary ranges in job postings, including on third-party sites. Companies with 100+ employees, including contractors, will have to report on mean and median wage data.
Who has to comply with SB 1162? Any 15-plus-person company with employees in California will be subject to the law — even if your HQ is elsewhere.
What if my employees are remote? The law doesn’t address remote work, and how this law applies to non-California workers who may want to know their role’s pay scale is still a “gray area,” said Rachel Conn, a San Francisco-based partner in the Labor and Employment group at the law firm Nixon Peabody.
Didn’t California companies with 100+ employees already have to report pay data? Yes! Private companies with 100 or more employees started reporting their annual pay data by sex and race/ethnicity last year.
Can companies get around this? After Colorado passed its pay transparency law, some companies tried to dodge the requirement to disclose pay ranges by excluding Colorado applicants in job ads.
Microsoft said Friday it's "working on an accelerated timeline" to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, which the company acknowledged have been used in attacks on customers.
One of the vulnerabilities could enable remote execution of commands on a compromised server, prompting concern among security researchers about the potential for significant exploitation in coming days. The remote code execution vulnerability, which is being tracked by the identifier CVE-2022-41082, has similarities to the previously disclosed "ProxyShell" flaws. The new vulnerability was dubbed "ProxyNotShell" by researcher Kevin Beaumont, who was among the first to report seeing exploits of the bug in a series of tweets on Thursday.
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.
The second vulnerability, tracked as CVE-2022-41040, is a server-side request forgery (SSRF) flaw that an attacker can use to reach and trigger the remote code execution vulnerability, Microsoft said in a blog post. Both vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016, and 2019, according to Microsoft.
A limiting factor on the exploitability of either bug is that the attacker needs authenticated access to the vulnerable Exchange server: the chain cannot be triggered by an anonymous request, Microsoft said.
The company released details of a mitigation that blocks the attack patterns that have been observed so far.
"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems," the company said in its blog post.
One researcher told Protocol on Thursday that exploitation of the vulnerability is expected to escalate in the next few days. Exchange "is a juicy target for threat actors to exploit" because its servers must be connected directly to the internet, and are a key function for many businesses as email can't be turned off without causing a major disruption, said Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys.
Microsoft said in its post that customers of Exchange Online won't need to take action in response to the new vulnerabilities. Beaumont disputed that, saying in a tweet that for Exchange Online customers, "if you migrated and kept a hybrid server (a requirement until very recently) you are impacted."
Beaumont also said that his testing has found that to meet the requirement of being an authenticated user for exploiting ProxyNotShell, "this can be any email user," which is "pretty risky." Already, exploitation of the vulnerabilities "has been happening for at least one month in the wild," he said in a tweet.
The vulnerabilities were initially disclosed by researchers at cybersecurity vendor GTSC.
Google is stepping up its push for open video formats: The company plans to force hardware manufacturers to support the AV1 video codec if they want to run Android 14 on their mobile devices, according to comments left in recent commits to the Android Open Source Project (AOSP) that were first spotted by Esper senior technical editor Mishaal Rahman.
According to those AOSP comments, the next version of Google’s Android Compatibility Definition document will require hardware makers to support AV1 for both tablets and phones. Previously, devices only had to support VP8 and VP9, two open codecs that are predecessors of AV1.
Google has yet to publicly release the compatibility requirements for Android 14; the company is expected to release a beta version of Android 14 in April 2023. Google did not immediately respond to a request for comment.
AV1 is a royalty-free video codec spearheaded by the Alliance for Open Media, which counts Google, Amazon, Netflix, and others among its members. Google has been a major supporter of AV1, and has been requiring Android TV device makers to support the codec since last year, as Protocol was first to report two years ago.
Google has also been using YouTube to grow the adoption of AV1. The video service now re-encodes all of its videos in AV1, and has been pushing companies like Roku to support the codec for its living room devices.
AV1 support on mobile has been uneven, however, in part because Qualcomm has yet to add hardware decoding capabilities for the codec to its chipsets. As a result, Google is giving device makers the option to rely on software decoding of AV1 video streams, according to Rahman.
Google’s mandate of AV1 support on Android is just one piece of a broader push for open media formats. The company is also looking to establish royalty-free alternatives to Dolby Atmos and Dolby Vision, as Protocol was first to report last week.
A troubling new vulnerability affecting Microsoft Exchange email servers has been disclosed by researchers, though details are still emerging on the severity and exploitability of the flaw.
The vulnerability, disclosed by researchers at cybersecurity vendor GTSC, could enable remote execution of commands on a compromised server, according to the company. It appears to be a "zero-day" vulnerability: one that was being exploited in the wild before the vendor knew of it and had a patch available.
Trend Micro said Thursday that the vulnerability was submitted to Microsoft via its Zero Day Initiative program. On Friday, Microsoft said it’s “working on an accelerated timeline” to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, including the remote code execution flaw disclosed by GTSC.
Researcher Kevin Beaumont, who was among the first to discuss GTSC's findings in a series of tweets Thursday, said he is aware of the vulnerability being "actively exploited in the wild" and that he "can confirm significant numbers of Exchange servers have been backdoored."
Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.
Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys, told Protocol that he expects exploitation of the vulnerability to escalate in the next few days. Exchange servers must be connected directly to the internet and are a key function for many businesses since email can't be turned off without causing a major disruption, Smith noted. For those reasons, Exchange "is a juicy target for threat actors to exploit," he said in an email.
On Thursday, the initial reaction among security researchers was that it wasn't clear from GTSC's original disclosure whether this was in fact a brand-new, zero-day vulnerability in Microsoft Exchange, or if it might just be a new version of a previously disclosed vulnerability known as "ProxyShell." Beaumont noted in a blog post that a key portion of the exploit process detailed by the vendor "looks exactly like ProxyShell," which was disclosed in 2021.
However, GTSC subsequently updated its blog post, making it clear that the vulnerability affected Exchange servers that had already been patched with the latest updates. As a result, "an exploitation using Proxyshell vulnerability was impossible," the researchers said in the blog post update.
John Hammond, a well-known researcher at cybersecurity vendor Huntress, tweeted that the update makes clear that this "is in fact a new 0-day" remote code execution vulnerability.
Mike Parkin, a senior technical engineer at Vulcan Cyber, told Protocol that he had reached the same conclusion.
The fact that the compromised system was up to date before it was breached "indicates the attack leveraged a new vulnerability, not the one that was previously known," Parkin said in an email. Still, GTSC "hasn't released many details, so we are having to extrapolate from what they have said," he said.
Correction: This story was updated on Sept. 29, 2022, to correct the description of ProxyShell.
The gas-powered vehicle ban dominoes have begun to fall.
New York Gov. Kathy Hochul announced on Thursday that the state will follow California’s lead in banning the sale of new gas- or diesel-powered cars beginning in 2035. Like the Golden State, New York has also set interim targets: 35% of new cars sold must be zero-emissions by 2026, and 68% by 2030.
The plan is still not quite finalized, though. Hochul directed the state’s Department of Environmental Conservation to implement the new rules, and it will still have to hold a public hearing and open comment period before finalizing them.
This comes just a month after California threw down the gauntlet and restricted future internal combustion vehicle sales. Given that more than a dozen states — including New York — have adopted California's previous tailpipe standards, it was likely at least some of those states would follow the Golden State's lead on zero-emissions vehicle sales. New York is the first state to do so, though others such as Massachusetts, Washington, and Virginia are likely to follow suit in the near future.
“We had to wait for California to take a step because there’s some federal requirements that California had to go first — that’s the only time we’re letting them go first,” Hochul said at a press conference, in reference to a Clean Air Act provision that allows California alone to set its own vehicle emissions standards. A policy quirk allows other states to adopt those standards, but not to lead the way.
In addition to the gas-powered car sales ban, Hochul also announced that the state will invest $10 million in its existing Drive Clean Rebate program to encourage New Yorkers to purchase EVs. The program offers a point-of-sale rebate of up to $2,000 off a car’s sticker price, and can be combined with federal rebates like the $7,500 tax credit on new EVs. In its five years of existence, the program has handed out $92 million in rebates statewide, according to a press release. The state is also making $5.75 million available to local governments to transition their fleets to zero-emission vehicles and install public EV chargers and hydrogen fueling stations.
New York, along with 49 other states plus Puerto Rico and Washington, D.C., also had its EV charging plan approved by the Biden administration. That will unlock some of the $175 million in funding for EV charging set aside for the state as part of the bipartisan infrastructure law. Building out charging infrastructure could help make it that much easier for the state to meet its zero-emissions vehicle sales mandate.
In an unopposed motion filed Thursday, the plaintiffs in the ongoing legal battle, NetChoice and the Computer & Communications Industry Association, asked the court to "preserve the status quo" until the Supreme Court has a chance to review the issues raised in the case. The Texas law aims to prohibit online platforms from moderating content on the basis of viewpoint, a limitation that tech companies argue infringes on their First Amendment rights and conflicts with broad authority they have under Section 230 to moderate content.
This is not the first time NetChoice and CCIA have sought to block the law. Earlier this year, the 5th Circuit lifted an injunction on the same law, though its decision on the underlying case between tech groups and the state of Texas was still pending at the time. The tech groups argued that the 5th Circuit's actions would wreak havoc on companies operating in Texas and pushed for the Supreme Court to add the case to its shadow docket and re-institute the block on the law. Weeks later, the Supreme Court obliged, with a majority voting in NetChoice and CCIA's favor.
But the 5th Circuit decision earlier this month put the law back in play. In their motion, NetChoice and CCIA noted that even the three conservative justices who voted to keep the law in effect in May said that HB 20 "concerns issues of great importance that will plainly merit the [Supreme] Court’s review." The plaintiffs are asking the court to block the law from being implemented until the justices have had a chance to conduct that review.
That chance may come sooner rather than later: While the 5th Circuit gave the Texas social media law a green light, the 11th Circuit blocked a similar law in Florida earlier this year. That circuit split has created a rare opportunity for the Supreme Court to decide on issues related to online speech and the First Amendment rights of private platforms once and for all. Earlier this month, Florida filed a petition with the court asking it to take up its case surrounding SB 7072, a law that would limit tech platforms' ability to moderate certain political speech. Now, both sides of the debate are awaiting an answer as to whether they'll have a chance to fight it out in the highest court.
Until the Supreme Court provides that answer, though, NetChoice and CCIA are arguing that the 5th circuit shouldn't allow a disruptive — if not outright disastrous — law for so many businesses to go into effect. "If Supreme Court review was 'plainly merit[ed]' even before this circuit split," the motion reads, "it certainly is now."
Correction: An earlier version of this story incorrectly stated that NetChoice and CCIA filed a motion with the Supreme Court. They filed with the 5th Circuit.
Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs.
The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.
First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver's licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.
Optus has attempted to characterize the cyberattack as "sophisticated," but according to Australian Minister for Cybersecurity Clare O'Neil, it was actually just a "basic" attack. Optus “effectively left the window open” for customer data to be stolen, she said.
The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn't even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.
"This should be a wake-up call for a lot of organizations about how easy it was to get this data," said Nick Rago, field CTO at another API security vendor, Salt Security.
The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.
Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports. Protocol has reached out to the company for comment.
Based on the information that has come out so far, it appears that the API in question was actually "doing exactly what it was meant to do" when it called up the Optus customer records, Rago said. That means the API wasn't "hacked" in any sense of the word, but was just used for an unintended purpose, he said — what's sometimes referred to as an "API abuse" attack.
It's likely that Optus just didn't know about the existence or functionality of this particular API, according to Rago. It would appear there was a "lack of visibility and a lack of governance, in terms of not knowing this API existed in the first place and why it was exposed in this manner," he said.
In general, it's recommended that businesses take a "layered security" approach to protecting APIs, using a firewall or API security product, identity authentication, authorization for governing access to data, and encryption for sensitive personal data, said Yotam Segev, co-founder and CEO of data security vendor Cyera. "It appears that Optus failed on every front," Segev said.
By way of analogy, even if the front door of your house was left open or broken into, you could still have a locker inside of your house to protect your sensitive documents, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow. "Even if the bad guys get in, they won't get your [sensitive] data," he said. But it appears that Optus did not have this type of capability, either.
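To make the failure mode and the layered defense described above concrete, here is an added example (not Optus code, and not from the page or from any of the vendors quoted): a customer-lookup endpoint written two ways. The first does exactly what the article describes, returning any customer's full record for any ID with no authentication, so sequential IDs can be walked from the open internet. The second applies the layers Segev lists: authentication (a bearer token), object-level authorization (a caller may read only their own record, and any foreign ID gets 403 whether or not it exists, so IDs cannot be enumerated), and data minimisation for identity-document numbers in the spirit of Sharma's "locker" (the full value stays server-side and the API returns only a masked form). The customer records, tokens, function names and status codes are all constructed for the example.

```python
"""Added example: the same customer-lookup API written unprotected and hardened.
All data below is constructed for the demonstration; nothing here is Optus code."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed customer records keyed by a sequential ID. Sequential IDs are what
# make an unauthenticated endpoint trivially enumerable.
CUSTOMERS: Dict[int, Dict[str, str]] = {
    1001: {"name": "Alice Example", "email": "alice@example.com",
           "passport": "PA1234567", "licence": "L9876543"},
    1002: {"name": "Bob Example", "email": "bob@example.com",
           "passport": "PB7654321", "licence": "L1234567"},
}

# Constructed session store: bearer token -> authenticated customer ID.
# A real service would validate a signed or opaque token issued at login.
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}


def vulnerable_get_customer(customer_id: int) -> Optional[Dict[str, str]]:
    """The pattern the article describes: the endpoint does exactly what it was
    built to do and hands back the full record for any ID, to anyone at all."""
    return CUSTOMERS.get(customer_id)


@dataclass
class Response:
    status: int
    body: Optional[Dict[str, str]]


def authenticate(headers: Dict[str, str]) -> Optional[int]:
    """Layer 1: authentication. Returns the caller's customer ID, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return None
    return SESSIONS.get(token)


def mask(value: str, keep: int = 3) -> str:
    """Layer 3: data minimisation. Only the last few characters leave the server;
    the full document number stays in the 'locker'."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def hardened_get_customer(customer_id: int, headers: Dict[str, str]) -> Response:
    subject = authenticate(headers)
    if subject is None:
        return Response(401, {"error": "authentication required"})
    # Layer 2: object-level authorization. Being logged in is not the same as
    # being allowed: a caller may read only their own record. Returning 403 for
    # every foreign ID, existing or not, gives an enumerator nothing to learn.
    if subject != customer_id:
        return Response(403, {"error": "forbidden"})
    record = CUSTOMERS.get(customer_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, {
        "name": record["name"],
        "email": record["email"],
        "passport": mask(record["passport"]),
        "licence": mask(record["licence"]),
    })


if __name__ == "__main__":
    print(vulnerable_get_customer(1001))                                     # full record, no credentials
    print(hardened_get_customer(1001, {}))                                   # 401
    print(hardened_get_customer(1001, {"Authorization": "Bearer tok-bob"}))  # 403
    print(hardened_get_customer(1001, {"Authorization": "Bearer tok-alice"}))  # 200, masked
```

The point of the ordering in the hardened handler is that each layer is independent: if the token check were ever misconfigured, the ownership check would still stop cross-customer reads, and if both failed, the masked response would still keep the raw passport and licence numbers off the wire.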
The neobank MoneyLion charged service members excessive fees for loans and often refused to cancel paid memberships, according to a lawsuit filed Thursday by the Consumer Financial Protection Bureau.
The CFPB is accusing MoneyLion of violating the Military Lending Act by charging above a 36% rate cap on loans to service members and their families, through a combination of interest rates and monthly membership fees.
“MoneyLion targeted military families by illegally extracting fees and making it difficult to cancel monthly subscriptions,” CFPB Director Rohit Chopra said in a statement announcing the lawsuit. “Companies are breaking the law when they require monthly membership fees to obtain loans and then create barriers to canceling those memberships.”
MoneyLion went public last year through a SPAC deal and is worth about $227 million after its shares fell almost 18% today. Ahead of its public debut, the company's leadership disclosed that it had received investigative demands from the CFPB related to its membership model.
The company did not immediately respond to a request for comment Thursday.
The lawsuit cites a pair of personal loan products, including one focused on credit building, that require a membership for access, with recurring fees between $19.99 and $29 each month.
The CFPB said that MoneyLion refused customers’ requests to cancel memberships if they had outstanding loan balances. The company also refused to cancel memberships even after the loan was paid off if the customer still owed previous membership fees, according to the agency.
Through the lawsuit, the CFPB is seeking monetary relief for customers, an "end to MoneyLion's unlawful practices," and a civil money penalty.
The lawsuit is the fourth enforcement action the CFPB has taken related to the Military Lending Act in the past two years, the agency said.
Google is shutting down its Stadia cloud gaming service, nearly three years after its launch and roughly 18 months since the company shut down its internal game development division.
In a blog post, Stadia chief Phil Harrison said the platform "hasn't gained the traction with users that we expected so we’ve made the difficult decision to begin winding down our Stadia streaming service."
Harrison wrote that the company intends to refund all Stadia purchases, including hardware purchases of Stadia controller and Chromecast bundles through the Google Store and all software through the Stadia store, and plans to do so by January. After January 18, 2023, the service will become unavailable, the blog post reads. Harrison noted that this isn't the end of the road for Google's gaming ambitions, and the company intends to apply the technology learnings elsewhere.
"The underlying technology platform that powers Stadia has been proven at scale and transcends gaming. We see clear opportunities to apply this technology across other parts of Google like YouTube, Google Play, and our Augmented Reality (AR) efforts — as well as make it available to our industry partners, which aligns with where we see the future of gaming headed," he wrote. "We remain deeply committed to gaming, and we will continue to invest in new tools, technologies and platforms that power the success of developers, industry partners, cloud customers and creators."
Amazon announced pay raises and the rollout of new benefit programs to warehouse employees Wednesday. But one of those products may pose increased risks to the company’s most precarious workers: the expanded rollout of Amazon’s Anytime Pay Program.
The program, first announced in October 2020, allows employees to access a portion of their checks in advance of a regular pay date. Such products are typically referred to as “earned-wage access” and position themselves as a lower-fee and thus less predatory alternative to payday loans. Amazon is using Wisely, a product offered by payroll company ADP, for the service.
Employees load their wages in advance onto a Visa debit card and are then able to use that card wherever Visa cards are accepted, or can withdraw cash at some ATMs. When Amazon first rolled out the program to some workers, those workers could obtain up to 50% of their paycheck in advance. Now, more workers have access to the program, and can cash out on 70% of their paycheck in advance by transferring funds to their Wisely Pay Visa card.
The benefits for low-wage workers are obvious: Having access to wages in advance of payday can be helpful in handling unexpected expenses, particularly when an employee lives paycheck to paycheck. And, as has been well-covered, most Amazon warehouse workers don’t make enough money to have ample emergency savings, despite the company’s campaigning about a livable minimum wage and Wednesday’s pay increase.
But earned-wage access products also carry risks for consumers. The products are not currently regulated as loans, due to a Trump-era CFPB advisory opinion that carved out a special exemption for earned-wage access should providers fit certain criteria, like not charging fees. Wisely claims to offer earned-wage access “at no cost,” so it fits these requirements and hence is exempt from regulatory disclosures required of credit cards or payday loans.
However, the fine print of Wisely’s terms and conditions say there are some fees associated with the card: They just aren’t mandatory charges. The company charges $5.95 should customers want to load an additional $20 to $500 out of their own checking account onto the cards, for example, and says that fees may be charged at certain ATMs where the card is used. It then says that users should log in to their account to see a list of other applicable fees.
Consumer groups asked the CFPB to review its oversight of these types of products last fall, because they fear fees could harm consumers who aren’t expecting them. The CFPB also revoked a special regulatory exemption for Payactiv to experiment with earned-wage access products, signaling the agency will soon tighten regulations on these types of products.
ADP's partner bank, Fifth Third Bank, has run into trouble with the CFPB before. The bureau sued Fifth Third in 2020 for automatically enrolling customers in products they did not consent to and opening unauthorized accounts. According to a press release, this was implicitly encouraged because employees of the bank were subject to ambitious sales goals.
ADP and Fifth Third Bank did not respond to requests for comment.
This story was updated to reflect that Amazon later responded to a request for comment.
More pay transparency is coming to California. The Golden State is joining New York City, Colorado, and Washington in requiring employers to disclose pay ranges in job ads.
Gov. Gavin Newsom signed Senate Bill 1162 into law on Tuesday, according to statements from the California Legislative Women’s Caucus and the TechEquity Collaborative.
Under the law, employers with 15 or more workers will be required to include pay ranges in job postings, and those with 100 or more employees or contractors will have to report median and mean hourly pay rates by job category and “each combination of race, ethnicity, and sex.”
“This is a big moment for California workers, especially women and people of color who have long been impacted by systemic inequities that have left them earning far less than their colleagues,” said state Sen. Monique Limón (D-Santa Barbara) in a statement. Limón introduced the bill in February.
The TechEquity Collaborative’s chief programs officer, Samantha Gordon, praised the law in a statement as “an important step in equalizing the playing field for the 1.9 million contractors, temps, vendors, and contingent workers” in California.
The bill received pushback from the California Chamber of Commerce and the Society for Human Resources Management. The chamber called the bill a “job killer” because the pay reports were going to be published online, but that provision was later removed from the bill, SHRM noted earlier this month.
“You are grouping together workers in very broad categories, as broad as ‘professionals,’” CalChamber policy advocate Ashley Hoffman said in a chamber podcast. “If you think of a hospital, that would encompass nurses, but it would also encompass someone who just graduated college and starting in your HR department. It’s truly a broad category.”
According to Forbes, SHRM argued that pay transparency would increase compression between newer and more experienced employees and could deter candidates from applying before learning about other fringe benefits.
SB 1162 doesn’t make clear how the law applies to companies that employ workers remotely.
Cost-cutting in tech is officially hitting the industry’s titans. After years of ruthless staffing up, both Meta and Google have told some employees to find new jobs within the company or leave, according to a report in The Wall Street Journal.
These actions at Meta, via departmental reorganizations, have affected a “significant number” of employees. Cuts aren’t unexpected, a Meta spokesperson pointed out: Mark Zuckerberg told investors on the company’s July earnings call that he planned to “steadily reduce head count” over the coming year, and that “many teams are going to shrink so we can shift energy to other areas.”
The changes reported out of Google have apparently hit around half of the employees of the company’s 100-plus-employee startup incubator, Area 120, where a number of projects have been canceled. Google didn’t immediately return Protocol’s request for comment, but Sundar Pichai has spoken publicly about plans to cut costs, slow hiring, and make the company 20% more productive. On Friday, he reportedly told employees at an all-hands meeting that announcing job cuts to the whole company was “not a scalable way to do it,” but that he would “try and notify the company of the more important updates,” CNBC reported.
To find out what this all means for Big Tech and the rest of the industry, I spoke with Colleen McCreary, Nolan Church, and Steve Cadigan — three people-leaders who have led HR at companies like Credit Karma, DoorDash, Carta, and LinkedIn.
Moves like these are common in Big Tech. Giving employees 60 days to find another role is a “pretty normal big-company proposition,” said McCreary, the chief people, places, and publicity officer at Credit Karma. “Projects get spun up, projects get wound down.”
Big Tech has plenty of reasons to keep job cuts quiet.
For at least eight years, big tech companies have been hoarding talent — both from startups and from each other — as a competitive strategy, said Church.
One thing we know: More performance management is coming. McCreary said she gets a call from a CEO or head of HR “once a week” on how to do a layoff — but she’s also “hearing a lot more about, ‘How do you do performance management?’”
Calendly, the $3 billion scheduling startup that everyone likes to periodically fight about, has made its first acquisition: Prelude, a startup specializing in the hiring process. Prelude is specifically geared toward scheduling job interviews or other types of recruitment-related meetings.
"What makes this acquisition especially exciting is that it accelerates our vision to holistically solve external scheduling challenges for individuals and teams in companies of all sizes, from SMB to enterprise," CEO Tope Awotona wrote in a blog post announcing the acquisition.
Calendly has been focused on companies, not just individual users, for the past few years now. It released a group meeting feature to help teams schedule across time zones back in December 2021. The Prelude acquisition shows Calendly's interest in the HR software space and hints at its desire to build out other specific use cases. Awotona told TechCrunch that this is unlikely to be its last acquisition or its only dive into catering to specific industries.
Celsius Network CEO Alex Mashinsky resigned from the embattled cryptocurrency lender Tuesday morning. The lender is in the middle of bankruptcy proceedings after pausing withdrawals in June.
“I regret that my continued role as CEO has become an increasing distraction, and I am very sorry about the difficult financial circumstances members of our community are facing,” the resignation letter reads.
In a press release, Mashinsky added that he “will continue to maintain [his] focus on working to help the community unite behind a plan that will provide the best outcome for all creditors.”
Celsius said it had named CFO Chris Ferraro its chief restructuring officer and interim CEO Tuesday. Ferraro joined the company in March and became CFO in July, according to his LinkedIn profile. He previously spent 18 years in various roles at JPMorgan Chase.
Celsius became emblematic of the crypto liquidity crisis earlier this summer, leading it to pause all transactions in June. A rogue employee had also leaked thousands of users’ email addresses, adding to suspicions about the company’s stability. Another lender, Voyager, also filed for bankruptcy amid market turmoil in the same period after hedge fund Three Arrows Capital defaulted on a loan.
Several leaked reports in recent weeks showed that Celsius was plotting risky actions to save the company with Mashinsky at the helm. A leaked call showed that, rather than returning customers' assets, the company considered selling customers a new token representing their debt as a form of IOU. The call also revealed that employee assets would be returned on the same timeline as customers'. A customer leaked the audio, saying it was sent to her by an unnamed Celsius employee.
In the leaked call, CTO Guillermo Bodnar also said the company was creating a transaction management system. The company had been using an Excel spreadsheet before to track assets.
Meanwhile, the CEL token faced a short squeeze, largely organized by supporters on Twitter. The currency jumped 300% from its price after the transaction pause, despite reports suggesting that the lender was likely insolvent. Cryptic messages from Mashinsky and his wife Krissy — including a picture of Krissy Mashinsky wearing short-shorts — were interpreted by some as support for the squeeze.
Update: This story has been updated to include Celsius's comment about Chris Ferraro's appointment as interim CEO.
Brett Harrison announced on Twitter Tuesday morning that he would be stepping down from his role as president of FTX US and moving to an advisory role. He said he will continue working in the industry.
Harrison assumed the role with FTX just 16 months ago. Previously, he worked as an operations manager of multiple technology groups at Citadel Securities and as a developer at Headlands Technology. Harrison and FTX CEO Sam Bankman-Fried overlapped at Jane Street between 2014 and 2017, when Harrison led systems trading technology and Bankman-Fried was a cryptocurrency trader. FTX has not responded to requests for comment as to why he is leaving the firm, though Bankman-Fried told Bloomberg the announcement would not have been made so publicly if FTX hadn't known in advance.
During his tenure at FTX, Harrison saw the trading platform grow from three to over 100 employees, build a U.S. brokerage, and acquire multiple other crypto firms including LedgerX and Embed. “I don’t doubt my experiences in this role will be among the most cherished of my career,” he said in a tweet.
The departure may be part of a broader theme of executive churn in crypto exchanges’ U.S. affiliates. Binance, the world’s largest exchange by trading volume, has also suffered management churn with its U.S. affiliate, Binance.US.
In order to shield the exchanges from scrutiny in other countries and to ensure regulatory compliance with U.S. law, both exchanges have created separate American affiliates responsible for domestic licensing, data storage, and currency trading. International scrutiny of both platforms has accelerated in the past two years, putting considerable pressure on executives who must defend the companies’ practices in the U.S. and convince lawmakers there is no risk of influence or control from foreign operators. However, Bankman-Fried himself has typically represented FTX before Congress — while Binance CEO Changpeng Zhao has not, instead leaving U.S. executives to manage D.C. relationships.
Several other crypto firms have seen high-profile departures recently amid the industry's "crypto winter." Celsius CEO Alex Mashinsky also resigned Tuesday in the middle of that company's bankruptcy proceedings, and Kraken CEO Jesse Powell stepped down last week.
Harrison said he will continue working in the cryptocurrency industry after his departure. The industry is “at a crossroads,” he said, voicing his concern about large companies entering the market. His goal, according to the Twitter thread, will be “removing technological barriers to full participation in and maturation of global crypto markets, both centralized and decentralized.”
Russia set up a sprawling and sophisticated network of websites impersonating mainstream media outlets, which it used to spread anti-Ukrainian messaging that was amplified via fake social media accounts, Meta has found. In a new report published Tuesday, Meta called it Russia’s “largest and most complex” influence operation since the war in Ukraine began.
According to the report, between June and September, Russian agents set up more than 60 websites that spoofed actual news sites, including those of The Guardian and German publishers Der Spiegel and Bild. (Disclosure: Bild and Protocol are both owned by Axel Springer.) The sites, which primarily targeted users in Germany, France, Italy, Ukraine, and the U.K., were meticulous imitations of the real thing, borrowing not just the format and design of the actual news sites, but in some cases also the photos and bylines of real reporters.
The Russian actors used these sites and fake online petitions to push false narratives — including that Ukraine had staged the murder of civilians in Bucha — and then promoted their work on Facebook, Instagram, YouTube, Telegram, Twitter, Change.org, Avaaz, “and even LiveJournal,” the report reads. All told, Facebook and Instagram removed nearly 2,000 accounts, more than 700 pages, and one group, and detected some $105,000 in advertising. As Facebook and Instagram worked to shut the network down, more websites continued popping up.
“This suggests a persistence and a continued investment in the cross-internet activity,” David Agranovich, Meta’s director of global threat disruption, said on a call with reporters. In some cases, the posts were boosted by official Russian diplomatic pages.
But while the network of websites was developed with care, the fake accounts were more of a "smash-and-grab," the report said. Many of them were detected by the company’s automated systems, before Meta even began its investigation. “It presents as a really unusual combination of sophistication and brute force,” Agranovich said.
In addition to the Russian network, Meta also detected a Chinese influence operation targeting the U.S. and Czechia. While less expansive than the Russian network, the Chinese operation was noteworthy, Meta executives said, for the way it tried to stake out both sides of contentious topics, like gun rights and abortion access. “While it failed, it’s important, because it’s a new direction for Chinese influence operations,” said Ben Nimmo, Meta’s global information operations threat intelligence lead.
Meta has shared its findings with other companies that were targeted by these information networks, as well as with governments and law enforcement. The company is also making the list of fake domains public “to enable further research,” Agranovich said.
Meta’s report comes one day after Google researchers said pro-Russian hackers are coordinating with the Russian military to carry out cyberattacks in connection with the war in Ukraine. “We have never previously observed such a volume of cyberattacks, variety of threat actors, and coordination of effort within the same several months,” the Google report read, according to The Wall Street Journal.
In some ways, the Russian playbook now mirrors the one it used in the run-up to the 2016 election, when Russia's Internet Research Agency created phony news sites that focused on race relations and other heated topics in the U.S., then pushed them on U.S. social media. But the intricate impersonations of actual news sites demonstrate a new level of investment by the Russians.
And yet, Agranovich said one encouraging sign was the relative lack of traction Russia’s information operation got on Facebook and Instagram this time. “They were kind of throwing everything at the wall and not a lot of it’s sticking,” he said. But he cautioned, “That doesn’t mean we can say mission accomplished.”
Eight states, led by California and New York, have taken legal action against Nexo, highlighting growing concerns about companies that offer unregistered crypto lending products.
The states are accusing Nexo of allowing consumers to deposit crypto assets in exchange for interest as high as 36% without registering those products as securities or providing material information to customers.
The “aggressive enforcement efforts against unregistered interest-bearing cryptocurrency accounts” are aimed at enforcing “investor protections under the law, including adequate disclosure of the risk involved,” Clothilde Hewlett, commissioner of the California Department of Financial Protection and Innovation, said in a statement.
More than 18,000 California residents have signed up for Nexo’s Earn Interest Product accounts, which collectively hold total investments of at least $174 million, according to the California “desist and refrain order.”
The California legal move comes shortly after the crypto industry won a significant victory in the state when Gov. Gavin Newsom vetoed a bill that would have required crypto companies to get a state license. The proposal passed overwhelmingly in the California Assembly and Senate.
The New York attorney general’s office said Nexo “failed to register and misrepresented to investors that they are a licensed and registered platform.”
“Cryptocurrency platforms are not exceptional; they must register to operate just like other investment platforms,” Attorney General Letitia James said in a statement. “Nexo violated the law and investors’ trust by falsely claiming that it is a licensed and registered platform.”
Nexo also faces legal challenges in Washington, Maryland, South Carolina, Oklahoma, Vermont, and Kentucky, according to a California DFPI representative.
Nexo said in a statement that the company has been “working with U.S. federal and state regulators and understand their urge, given the current market turmoil and bankruptcies of companies offering similar products, to fulfill their mandates of investor protection by examining past behavior of providers of earn interest products."
“Nexo has always been dedicated to running a sustainable and compliant business and welcomed, even proactively sought, regulatory clarity,” the company said, adding that it has “voluntarily ceased” signing up new U.S. clients for the Earn Interest Product.
Nexo described itself as “a very different provider” of such products, noting that “it did not engage in uncollateralized loans, had no exposure to luna/UST, did not have to be bailed out or needed to resort to any withdrawal restrictions.”
Put a few key words into a tool like Midjourney, Stable Diffusion, or DALL-E and it’s easy to see why the whimsical (and often wacky) images have captured investors’ imagination. An AI-generated artwork even recently won an art competition at the Colorado State Fair, a result that didn’t go over well among more traditional artists. It’s become disruptive enough that this week Getty announced a ban of AI-generated images on its platform, following similar moves by some online art communities.
What looks like an interesting art tool has become a prime feeding ground for investors. Investor interest has been nearly overwhelming for Poly’s Abhay Agarwal, who is building a “DALL-E for design assets” company. “It has literally been like dropping yourself into the Ganga River and fully being bathed in it,” Agarwal said of the interest. He’s already had over 80 meetings with VCs and is only halfway done following YC’s Demo Day.
The hype wave is similar to GPT-3, a generative AI text tool with an API that businesses can build off of. The problem is that investors can easily fall into the trap of thinking the two generative models are the same.
Just because it’s magical doesn’t mean it can magic away its shortcomings. As Charlie Warzel pointed out in a smart piece, “What feels like magic is actually incredibly complicated and ethically fraught.”
Creating a future for generative AI startups won’t be as easy as painting a picture of the opportunity. Founders and investors will both have to take responsibility for understanding the shortcomings of generative AI and for solving them. It takes more than “hustling and flipping when you see a quick opportunity to leverage an open-source technology,” said Agarwal. Instead, he argued technologists need to become stewards of the technology and build it for whatever business application is needed. For Poly, that means creating and training its models around textures and design elements so that it can responsibly tailor the model in a way that allows it to build a business. “I don't believe that once a model was released into the open-source public that somehow that means that everybody can jump on that and start using it for whatever use case,” Agarwal said.
A version of this story appeared in Protocol's Pipeline newsletter. Sign up here to get it in your inbox every Saturday.
We know there’s no such thing as a free lunch. Still, the idea that many corporate benefits aren’t always a benefit recently touched a nerve on Twitter.
The tweet came from Jessica Rose, a developer relations advocate, founder of a meetup series for programmers and aspiring programmers and co-founder of Trans*Code, a hacker org devoted to drawing attention to transgender issues and opportunities.
Rose’s “hard no” was to those so-called benefits that have been around since time immemorial (or at least since the dot-com era). “Don't give me food or hammocks or video games, just let me work remotely or go home on time,” said Rose.
'Don’t touch me'
The tweet thread was full of varied responses, but the paradox of unlimited vacation was the clear favorite. “Wow, people are just so suspicious about unlimited paid time off,” Rose told Protocol when we caught up with her to ask about the tweet.
Other workers balked at in-office massages (“don’t touch me”), free booze, open-plan offices (did anyone in the history of the world ever call this a benefit?), fitness rooms, nap rooms, escape rooms (really any rooms), and something called “blameless retrospectives.” Um, what?
If employees are going to be suspicious of whatever perks you offer, why offer any perks at all?
“So I'm aware of how wonderfully spoiled it is to complain about perks being given out in some kinds of tech workplaces,” said Rose. “I'm the most unimpressed by ‘perks’ which either directly undermine employment rights (like unlimited paid time off can do in some regions) or are intended to throw work/life balance out of kilter in the workplace's favor.”
Unlimited or flexible vacation time can work, but it helps when the culture is one where people are encouraged to take time off, and experts agree that mandatory minimums go a long way toward creating that kind of culture.
Your best interests or mine? Why can’t it be both? ¯\_(ツ)_/¯
A director of engineering at Google who formerly worked at Microsoft and Zillow called employer-sponsored coaching an anti-perk. “I’ll spring for a coach who is looking out for my best interests, not the company’s, thanks,” she said, adding, “I know I am lucky to be offered this, but it always feels like a trap.”
There’s good reason to be at least a little wary of these programs. Last year Protocol reported that when tech companies work with coaching programs like BetterUp and Bravely, the conversations themselves are confidential, but the company often receives aggregated reports on the issues workers are expressing in general, the topics they’re discussing, what's going well for them at work, and what's not.
When Protocol spoke to Twilio’s VP of talent management Andrew Wilhelms about the company's coaching partnership, Wilhelms explained that BetterUp provides a set of Twilio-specific priorities to coaches and Twilio can update those priorities and goals based on what kind of culture change the company needs to see.
This might feel overly controlling, or it might be a great way to help change a company’s culture for the better, especially if a majority of employees are feeling stressed and burned out and are more likely to tell this to a coach than their manager. Twilio told Protocol that 99% of the employees who used the coaching service last year said the sessions were a valuable use of their time, and that 94% said the sessions made them more effective at their job.
“Thoughtful, meaningful perks can benefit both employers and team members, by helping keep their team members happy and hopefully keep them in their role for longer,” Rose said.
Free SunChips < values-based work culture
What your 'perks' say about your corporate culture
Some “anti-perks” are just common decency and respect, such as believing your employees are telling the truth when they call in sick. In response to Rose’s prompt, one senior system admin pointed out a job listing that offers an “honor-based sick leave policy” in addition to its “commitment to an open, inclusive and diverse work culture.”
And think twice about listing your game room in your job description, tweeted a product designer from Miro:
“When they advertise a ping-pong table in the job listing, it's a huge 🚩 for me. And I love ping-pong. If a silly perk like this [is] such a relevant part of your benefits package, that says a lot about what the company values, and likely its culture."
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.
To protect against cybersecurity vulnerabilities and exploitation of Americans’ data, President Joe Biden signed an executive order on Sept. 15 directing the Committee on Foreign Investment in the United States, or CFIUS (pronounced “sif-ee-us” by foreign investment watchers), to consider scrutinizing foreign investments through the lens of national security risks.
“Everybody recognizes the need to protect U.S. national security. But as Congress and the administration consider new tools, like an outbound investment review regime, it is critical that they get real input from the business community and be precise in what they’re trying to cover,” Rory Murphy, vice president of Government Affairs at the US-China Business Council, told Protocol yesterday.
The oft-stated mission of ensuring U.S. leadership in emerging tech is at the heart of this potential shift. During a press briefing, a senior administration official listed a “handful of priority emerging and critical technologies, like semiconductors, quantum technologies, biotechnology, and artificial intelligence, as well as supply chain considerations” as areas where investment reviews could happen.
The elephant in the room here is China, a country “of special concern” whose tech strategies many in the U.S. government believe threaten U.S. leadership in areas related to national security.
But because AI is intertwined with all industries and the technologies they use, AI deals could be subject to excessive review if a CFIUS rule is written too broadly. “How AI is defined will be important in determining what types of transactions are covered,” Murphy said.
A version of this story appeared in Friday's Enterprise newsletter. Sign up here to get it in your inbox each morning.
This year is on track to be a record for global electric vehicle adoption. EVs are expected to make up 13% of light duty vehicle sales, and the world is on track to hit a 2030 milepost en route to net zero by mid-century. Yet the road ahead is far from smooth in other industries.
In 2021, EV sales doubled and made up 9% of the car market by the year’s end. This year's surge is due to more EVs being sold in European and Chinese markets, according to the new installment of the International Energy Agency’s Tracking Clean Energy Progress report released this week. However, the report notes that “electric vehicles are not yet a global phenomenon” and sales in the Global South have lagged due to both high sticker prices and a charging infrastructure deficit. (Exported gas-powered cars are also keeping many emerging countries stuck on fossil fuels.)
The IEA’s scenario for reaching net zero by 2050 sets out a milestone of EVs making up 60% of new car sales by 2030, with more than 300 million EVs on the road by that point. To reach that goal, EVs as a share of new car sales will have to increase by roughly 6% annually for the rest of the decade, which the IEA finds is doable.
Yet the report found that progress is insufficient in 53 of the 55 elements of the energy system. (Outside EV adoption, only lighting is on track.) Of those, 30 received an assessment of “more efforts needed,” and 23 are “not on track.” Take energy efficiency, for example. The report found the rate of improvement in energy intensity — which it dubs the “single largest measure to avoid energy demand” in the IEA net zero scenario — needs to at least double by 2030.
Despite the lack of progress, there are reasons to think the sectors lagging behind EV adoption and lighting are in for a boost. The report flags the Inflation Reduction Act and the European Union’s RePowerEU plan as promising policy developments that should add momentum to the energy transition. And new clean infrastructure and technologies are on the horizon, suggesting that progress for even hard-to-decarbonize areas like heavy industry is likely to accelerate.
That includes the growing interest and financing for green hydrogen as well as a particularly promising 2021 green steel pilot project. The IEA also noted that 2022 is likely to see a new record for renewable electricity capacity added to the grid, with roughly 340 gigawatts coming online.
“This reaffirms my belief that today’s global energy crisis can be a turning point towards a cleaner, more affordable, and more secure energy system,” said IEA executive director Fatih Birol about the report’s findings. “But this new IEA analysis shows the need for greater and sustained efforts across a range of technologies and sectors to ensure the world can meet its energy and climate goals.”
The popularity of VAs has grown dramatically over the past couple of years. And we’re not talking about virtual assistant tech; we’re talking about real people.
Who needs a virtual assistant the most? Laith Masarweh, who founded and runs the virtual assistant company Assistantly, told me that people just getting their businesses off the ground — those he called “solo-preneurs” — need one most often.
And what can they do for you? Masarweh broke down the responsibilities for virtual assistants into about five different categories: administrative operations, sales, marketing, social media, and more “niche” areas of expertise.
Masarweh added that if you’re going to hire a VA, make sure you treat them as part of the team. “I hire as if I was hiring an employee,” he said.
A version of this story appeared in Friday's Source Code. Sign up here to get it in your inbox each morning.
Apple called its employees back to the office as the company’s three-day-per-week hybrid schedule finally began in early September. Many tech companies have eased up on requiring office work, making Apple somewhat of an outlier when it comes to RTO.
Another outlier, Google, has been in hybrid mode since April, reportedly leading to outbreaks of COVID-19 at the office. Yet for all the talk about Google’s three-day-a-week RTO policy, two workers who spoke to Protocol anonymously say it’s not much of a mandate. An employee and a contractor both told Protocol that the hybrid policy doesn’t seem to be imposed across the board.
“The impression I have is that it’s basically not enforced,” the employee said. The Google contractor said attendance varied across different teams, noting that while some of their teammates go to the office three days a week, most only go in once. (Neither Google nor Apple returned emails inquiring about how their hybrid policies are enforced.)
Sundar Pichai’s plan to make Google “20% more efficient” may lead nervous workers to choose to go to the office more often. (An August survey found that CBRE tenants were “evenly split” on whether a recession would drive more workers to the office out of anxiety for their job security.)
As of now, most companies’ hybrid requirements are only enforced as a “very soft mandate,” said Brian Kropp, distinguished VP of research at Gartner. About half of companies with a hybrid mandate are tracking office attendance, Kropp said, but even those that are doing so “have no real plans to fire people for not coming to the office, as long as they’re getting their work done.”
More than 40% of HR leaders surveyed by Gartner last month said they weren’t tracking office attendance. Thirty-five percent said they were gathering attendance data from key fob or badge swipes, while 22% said managers were tracking their teams’ attendance. Another 10% said employees were self-reporting their attendance.
Companies that selectively enforce attendance requirements may wind up with unfair outcomes, Kropp said.
“If you have a mandated set of days where you have to come to the office, but it’s unevenly enforced across the company, then you run into issues of fairness,” Kropp said. “That just creates more variability across the company, which then creates more risk as well in terms of that inconsistency.”
And while flexibility puts companies at an advantage when it comes to competing for talent, it also requires more sophisticated management, Kropp said. “The question you should really be asking is: Does our managerial population, on average, have the capability to manage much more flexibility, or not?” Kropp said. “If the answer is ‘yes, they do,’ you should push for as much flexibility as you can.”
To run high-performing teams in a flexible environment, managers need to be “half social worker, half engineer,” Kropp said. That means more empathy and more capacity for planning and organization.
While companies may seem settled into their hybrid ways of working, many leaders are leaving policies open to change with time rather than overcommitting themselves. The world is unpredictable, as we’ve learned in the last 2.5 years. “A lot of these executives — the way that they’re framing it now is, ‘This is our hybrid strategy for now, and it could evolve and could change,’” Kropp said.
Amazon falls into that category. As Andy Jassy put it at the Code Conference on Wednesday, Amazon doesn’t have a plan to force employees back to the office: “We’re going to proceed adaptively as we learn.”
A version of this story appeared in Protocol's Workplace newsletter. Sign up here to get it in your inbox three times a week.