Facebook’s latest privacy debacle stirs up more regulatory interest from lawmakers

Facebook’s late Friday disclosure that a data analytics company with ties to the Trump campaign improperly obtained — and then failed to destroy — the private data of 50 million users is generating more unwanted attention from politicians, some of whom were already beating the drums of regulation in the company’s direction.

On Saturday morning, Facebook dove into the semantics of its disclosure, arguing against wording in the New York Times story the company was attempting to get out in front of that referred to the incident as a breach. Most of this happened on the Twitter account of Facebook chief security officer Alex Stamos before Stamos took down his tweets and the gist of the conversation made its way into an update to Facebook’s official post.

“People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked,” the added language argued.

I have deleted my Tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in.

— Alex Stamos (@alexstamos) March 17, 2018

While the language is up for debate, lawmakers don’t appear to be looking kindly on Facebook’s arguably legitimate effort to sidestep data breach notification laws that, were this a proper hack, could have required the company to disclose that it lost track of the data of 50 million users, only 270,000 of which consented to data sharing to the third party app involved. (In April of 2015, Facebook changed its policy, shutting down the API that shared friends data with third-party Facebook apps that they did not consent to sharing in the first place.)

While most lawmakers and politicians haven’t crafted formal statements yet (expect a landslide of those on Monday), a few are weighing in. Minnesota Senator Amy Klobuchar calling for Facebook’s chief executive — and not just its counsel — to appear before the Senate Judiciary committee.

Facebook breach: This is a major breach that must be investigated. It’s clear these platforms can’t police themselves. I've called for more transparency & accountability for online political ads. They say “trust us.” Mark Zuckerberg needs to testify before Senate Judiciary.

— Amy Klobuchar (@amyklobuchar) March 17, 2018

Senator Mark Warner, a prominent figure in tech’s role in enabling Russian interference in the 2016 U.S. election, used the incident to call attention to a piece of bipartisan legislation called the Honest Ads Act, designed to “prevent foreign interference in future elections and improve the transparency of online political advertisements.”

“This is more evidence that the online political advertising market is essentially the Wild West,” Warner said in a statement. “Whether it’s allowing Russians to purchase political ads, or extensive micro-targeting based on ill-gotten user data, it’s clear that, left unregulated, this market will continue to be prone to deception and lacking in transparency.”

That call for transparency was echoed Saturday by Massachusetts Attorney General Maura Healey who announced that her office would be launching an investigation into the situation. “Massachusetts residents deserve answers immediately from Facebook and Cambridge Analytica,” Healey tweeted. TechCrunch has reached out to Healey’s office for additional information.

On Cambridge Analytica’s side, it looks possible that the company may have violated Federal Election Commission laws forbidding foreign participation in domestic U.S. elections. The FEC enforces a “broad prohibition on foreign national activity in connection with elections in the United States.”

“Now is a time of reckoning for all tech and internet companies to truly consider their impact on democracies worldwide,” said Nuala O’Connor, President of the Center for Democracy & Technology. “Internet users in the U.S. are left incredibly vulnerable to this sort of abuse because of the lack of comprehensive data protection and privacy laws, which leaves this data unprotected.”

Just what lawmakers intend to do about big tech’s latest privacy debacle will be more clear come Monday, but the chorus calling for regulation is likely to grow louder from here on out.

YouTube is reportedly introducing your kids to conspiracy theories, too

In a recent appearance by YouTube CEO Susan Wojcicki at the South by Southwest Festival, she suggested that YouTube is countering the conspiracy-related videos that have been spreading like wildfire on the platform — including videos telling viewers that high school senior and Parkland, Fl. survivor David Hogg is an actor.

Specifically, Wojcicki outlined YouTube’s plans to add “information cues,” including links to Wikipedia pages that debunk garbage content for viewers if they choose to learn more. (Somewhat strangely, no one at YouTube had told Wikipedia about this plan.)

Either way, the platform is going to have do much better than that, suggests a new Business Insider report that says YouTube Kids has a huge problem with conspiracy videos, too. To wit, the three-year-old, ostensibly kid-friendly version of YouTube is showing its young viewers videos that preach the nonsensical, including “that the world is flat, that the moon landing was faked, and that the planet is ruled by reptile-human hybrids,” according to BI’s own first-hand findings.

In fact, when BI searched for “UFO” on YouTube Kids, one of the top videos to appear was a nearly five-hour-long lecture by professional conspiracy theorist David Icke, who covers everything in the clip from “reptile human bloodlines,” to the Freemasons, who he credits with building the Statue of Liberty, Las Vegas, Christianity, and Islam, among other things. (The Freemasons also killed President John Kennedy, he tells viewers.).

Business Insider says YouTube removed the videos from YouTube Kids after its editorial team contacted the company. YouTube also issued the following statement: “The YouTube Kids app is home to a wide variety of content that includes enriching and entertaining videos for families. This content is screened using human trained systems. That being said, no system is perfect and sometimes we miss the mark. When we do, we take immediate action to block the videos or, as necessary, channels from appearing in the app. We will continue to work to improve the YouTube Kids app experience.”

It’s further worth noting that parents are empowered with additional controls that allow them to block videos or channels they don’t like, at least in most of the world. (Parents in Europe, the Middle East, and Africa, are still waiting on this feature.) They can also turn search on or off, depending on how much access they want to give their kids.

The company says, too, that of the videos cited by BI, on average they had a little more than 100 total views.

That’s not going to be good enough for many parents, who want to be able to trust YouTube Kids wholeheartedly. Hunter Walk, a venture capitalist who previously led product at YouTube and has a young daughter, may have summed it up best in a tweet that he published earlier this afternoon, writing that “when you create and market an app to kids, the level of care and custodial responsibility you need to take is 100x usual. Clean it up or shut it down pls.”

YouTube has been reluctant to tinker with is recommendation algorithm because its “main objective is to keep you consuming YouTube videos for as long as possible” Wired noted this past week. (Crazy theories are apparently quite sticky). Wired also reported that despite a recent uproar about all the conspiracy theory content, YouTube still doesn’t have clear rules around when whether these videos violate its community guidelines, which cover bullying, hate speech, graphic violence, and sexually explicit content.

Wojcicki said during her festival appearance that “People can still watch the videos, but then they have access to additional information.”

Hopefully, as it evolves, YouTube will come up with a more sophisticated solution to the spread of misinformation, especially when it comes to its younger viewers. The scale of this particular issue may comparatively small. But as it is, this editor doesn’t allow her kids to watch YouTube Kids without strict supervision for fear of what they might see. At this point, we’d be surprised if parents at YouTube did otherwise.

The Cambridge Analytica Debacle is not a Facebook “Data Breach.” Maybe It Should Be.

On March 16, we learned that Facebook will be suspending Strategic Communications Laboratories (SCL) and its offshoot Cambridge Analytica. According to Facebook, a University of Cambridge professor Aleksandr Kogan was using Facebook Login in his “research app,” collecting data about its users, and passing it on to Cambridge Analytica, a third party. Cambridge Analytica, in turn, obtained personal information belonging to as many as 50 million Facebook users, through Kogan’s app, and without any express authorization from Facebook. This personal information was subsequently used to target voters and sway public opinion, in ways that benefited the then presidential candidate Trump.

In response to accusations that this constituted a data breach, Paul Grewal, Deputy General Counsel for Facebook claimed that –

“The claim that this is a data breach is completely false. Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”

Technically speaking, this assessment is probably correct. There was no unauthorized external hacking involved, meaning that Facebook databases were not breached by an outside malicious actor. At the same time, this approach misses the point entirely in terms of user privacy and security. It should not matter for a company like Facebook whether their users’ personal information was forcefully obtained through brute-force, or whether Facebook’s personnel were manipulated to hand in that information to malicious and untrustworthy party.

Image: Bryce Durbin/TechCrunch

The cliché goes that humans are the weakest link in cybersecurity, and potentially even the leading cause for the majority of cybersecurity incidents in recent years. This debacle demonstrates that cliché to its full extent. But there is a deeper question here – why are our current data breach notification laws creating this dichotomy between active breaches, where hackers penetrate a database and obtain valuable data, and passive breaches, where humans are being tricked into passing that data into unauthorized hands? After all, the result is the same – users’ private data is compromised.

Other than empowering State Attorney Generals to investigate and pursue legal action against violating companies, the primary purpose of data breach notification laws is to ensure that if personal information belonging to platform users and service consumers is compromised, then the target of the breach is under obligation to duly notify any person whose data has been leaked. But our current data breach notification system is broken. A good analogy is to say that tn the case of Facebook, these laws only take into account the cybersecurity “walls” surrounding Facebook’s databases, because they only recognize the security perimeter above the surface. What these laws fail to understand, is that there are tunnels underneath the surface accessing Facebook’s databases, where personal information is being extracted from almost unrestrictedly. If our current laws are unable to characterize similar incidents as data breaches, then they are missing their purpose.

There should be no material difference if the personal information was obtained through a breach or through manipulating and exploiting Facebook’s data ecosystem. The result is the same – user personal information in unauthorized hands. The users should have the right to know, and potentially pursue legal action against Facebook and other involved parties. The distinction currently drawn by data breach notification laws between active and passive breaches should be abandoned, because it provides an incentive for malicious actors to obtain personal data through social engineering, rather than through hacking.

Just as we expect from companies to invest in cybersecurity to prevent future breaches, we should also expect that they ensure that personal information is shared with thoroughly vetted and trusted parties. The best way to achieve this goal is through direct regulation – amending any data breach related laws to accommodate that. Unfortunately, the tech industry has long resisted such regulation, and created the appearance that its own self-regulation would solve the problem. This has not been effective, since tech companies do not have the incentive to follow their own regulations, and these self-regulations only come after a crises of the Cambridge Analytica sort have already occurred. This creates a reality where users’ data is vulnerable, and companies do not seem to take any preventative measures in response.

This is a call to amend our current data breach notification laws to encompass personal data obtained through social engineering as a recognized form of data breach. That would not necessarily mean that companies would be under obligation report every personal data leak, but that they will have to employ measures to prevent manipulation techniques from gaining access to personal information, and if such techniques are occasionally successful, that they notify users and consumers in due course, and that appropriate legal action is authorized to ensure compliance. It is up to states to make this happen, because the boilerplate corporate “we care about your privacy” announcements are not working.

Qualcomm’s war may be over, but the casualties are just starting to be calculated

The epic battle between Qualcomm and Broadcom seems to have reached its armistice, with President Trump using the power of CFIUS to block the transaction this past week, ending what would have been the largest tech M&A transaction of all time.

It may be all quiet on the semiconductor front, but Qualcomm and Broadcom will now need to find a path forward to win the peace and secure access to the coming 5G wireless market. Qualcomm faces a daunting number of challenges, including a potential takeover battle waged by the spurned son of its founder. Broadcom will have to find a new path to use acquisitions to continue its growth.

As with any war though, the damage from this conflict isn’t exclusive to the two enemy combatants. The future of corporate governance and shareholder autonomy is now being reevaluated in light of the actions used by Qualcomm in its defense against Broadcom’s hostile takeover. In addition, America’s openness to foreign investment is increasingly under scrutiny.

Qualcomm picks up the pieces

Hostile takeovers are always going to be damaging affairs, no matter the outcome. The most important mandate for any board of directors — and particularly for the boards of technology companies — is to identify long-term threats and opportunities facing a company, and guide the executive team toward the best possible outcome for shareholders. Hostile takeovers are firefighting affairs — the discussions of the board are jolted from roadmaps, strategy, and vision to the minute-by-minute tactics of defending the company from marauding invaders.

Qualcomm should be directing its attention to strategy, but it faces additional wars on nearly every front. It’s fighting shareholders for its future, fighting Apple and Huawei over its revenues, fighting China over its acquisition of NXP, and now potentially fighting its founder’s son from a private takeover attempt.

Many of Qualcomm’s shareholders see the company’s performance as disappointing. While its stock has fluctuated over the past six years, today’s share price is essentially flat from where it stood in January of 2012. Compare that to Broadcom, which in the same timeframe has seen an increase of about 740%, and the PHLX Semiconductor Sector index, a basket index of the industry, which has seen its value increase by about 280%.

Unsurprisingly, shareholders were enticed by the opportunity to suddenly realize a 35% premium on their shares with Broadcom’s $82-a-share offer. Unlike Qualcomm’s board, shareholders were very interested in accepting Broadcom’s offer. In fact, we now know that Qualcomm’s board knew that it has lost the battle against Broadcom with its own shareholders during the acquisition process. As Bloomberg reported this week:

The votes started to come in on Friday, March 2. By Sunday it was clear that Qualcomm’s defense had failed.

Four of the six directors Broadcom had nominated were polling so far ahead of their Qualcomm peers that the race was effectively over, according to data viewed by Bloomberg. The remaining two were winning by less substantial margins. Making it worse, Mollenkopf and Jacobs, the architects of Qualcomm’s standalone plan, had received some of the fewest votes.

Inside the Qualcomm camp, the mood was bleak; assuming the trend continued, the board would lose control of the company at the shareholder meeting.

Broadcom’s message was one of quiet confidence. The company knew it had won, one person close to the discussions said. At that point, the person said, it was just a question of by how many votes, and who was going to leave the board.

Broadcom was winning the battle with shareholders, so Qualcomm’s board shifted to a terrain far more favorable to it: Washington bureaucrats. From the same Bloomberg report, “Federal lobbying disclosures for 2017 showing that Qualcomm spent $8.3 million, or roughly 100 times the $85,000 Broadcom spent…” These weren’t regulators; these were friends.

In late January, Qualcomm’s board submitted a preliminary, voluntary, and confidential notice to CFIUS asking for a review of Broadcom’s potential board coup. When Broadcom attempted to redomicile to the United States to avoid CFIUS purview (as it would no longer be a foreign company but a domestic one after it redomiciled), the government’s anger was palpable and sealed the company’s fate. The board’s original outreach to CFIUS precipitated the sequence of events that led to Trump’s block this past week.

Qualcomm’s board won the war, but it is still facing a rebellion from its own bosses. The board will be up for election unopposed this week at the company’s delayed shareholders meeting. Perhaps taking a page from tomorrow’s Russian presidential election, some shareholders are withholding their votes from the board slate to show their displeasure with the entire saga. From the Wall Street journal, “Institutional Shareholder Services Inc., an influential proxy-advisory firm, … in a note to investors late Wednesday, stood by its original recommendation that shareholders vote for four Broadcom nominees for Qualcomm’s 11-person board, even though the votes won’t count.”

That shareholder meeting will no doubt be eventful. While the board and the company’s execs will argue that they have a strategy moving forward, they confront two other ongoing firefighting challenges and one new one that could be another round of bruising internecine warfare.

Qualcomm is still in the midst of its $44 billion NXP acquisition, which continues to wait on Chinese regulatory approval. The timeline for that approval is still unclear, but even when Qualcomm does receive it, the company will still have to close the deal and actually implement the transaction. That will take significant time and energy.

Even more complicated is the continuing fight with Apple and Huawei over Qualcomm’s IP licensing revenue. Licensing revenue is crucial for Qualcomm, and the litigation around the fight will force the board to continue monitoring the day-to-day legal tactics of the company rather than focus on a longer-term vision of how to work with the largest smartphone producer in the world to generate profits.

On top of those two challenges, another takeover attempt could potentially exhaust the board further. Yesterday, Qualcomm’s board voted to remove board member Paul Jacobs, who is the son of Qualcomm’s founder and the company’s former chief executive from 2005 to 2014. He had been demoted from executive chairman to director just last week. As the New York Times noted, “The split, which means no member of the Jacobs family will be involved at the top echelons of Qualcomm for the first time in 33 years, was not friendly.”

According to reports, Jacobs is attempting to raise more than $100 billion to buy the company, potentially leveraging SoftBank’s Vision Fund in the process. SoftBank, of course, is a Japanese company, and the Vision Fund has significant capital from foreign countries including Saudi Arabia and the United Arab Emirates. Even more ironically, Qualcomm is an investor in the Vision Fund.

Jacobs is following in the footsteps of Michael Dell who bought the eponymous tech company back in 2013 in a take-private transaction worth $24 billion. Can Jacobs even raise the required amount of capital, four times more than Dell? Will Qualcomm be forced to run back to the Trump administration in order to avoid a “foreign” takeover of the firm yet again, this time by the son of the company’s founder?

My guess — fairly weakly held — is that the answers are yes and no. Jacobs will find the money, and the board won’t fight a distinguished former executive — even if Jacobs was running seriously behind in shareholder approval in the Broadcom fight. We will learn more in the coming weeks, but expect more strategic actions here (maybe from Intel) as well.

Broadcom regroups

Despite its very public failure, Broadcom is in a much stronger position coming out of this battle. It beat analyst estimates this week for its Q1 earnings, and has seen impressive growth in its wireless communications segment, which were up 88% year-over-year. It also managed to lower expenses, which helped drive an increase in gross margin to 64.8% (aren’t fabless and patents awesome?)

Broadcom continues to deliver strong results, but the big question post-Qualcomm is really what’s next? Qualcomm was the single most important chip company that might have been available for purchase (Intel is out of Broadcom’s league). While it plans to continue to redomicile to the U.S., which should allow it to get back into the acquisition game in America, Broadcom may struggle in the coming years to find the kinds of accretive acquisitions that can keep its growth on the trajectory it has been on over the past few years.

Shareholder power wanes?

The biggest questions coming out of the Qualcomm / Broadcom spat is not related to the companies themselves, but the entire intellectual edifice of shareholder rights and the framework used by American companies to conduct corporate governance.

Qualcomm’s board of directors took extraordinary steps to block the Broadcom acquisition. They unilaterally went to Washington to get an injunction not on a deal — which had never been consummated between the two companies — but to block Broadcom from replacing its board of directors in a standard shareholder vote. This is a very important distinction: Qualcomm’s board saw the direction shareholders wanted to go, and essentially decided to just ignore the election process entirely.

From Dealpolitik columnist Ronald Barusch:

This change threatens over three decades of a carefully balanced governance system. Since the Delaware Supreme Court approved the use of the poison-pill takeover defense in 1985, the courts have basically blessed the following tradeoff: On the one hand, corporate directors can fight tooth and nail to stop a deal and the courts will give only limited scrutiny to defensive tactics.

However, the board is strictly limited in any moves to interfere with shareholders’ ability to replace directors and force a company to change course that way. In the vernacular of a leading Delaware case, a “just say no” defense doesn’t mean “just say never.” A bidder with enough patience who can convince a target’s shareholders to change directors has a path at least toward cooperation on resolving regulatory impediments to a deal.

This is a unique case as Barusch notes, but at what point can boards use every method at their disposal to prevent their own shareholders — the people they have a fiduciary duty to represent — from taking charge of the company? This past week presents one of the most complex examples to date, and it wouldn’t surprise me if a shareholder decides to attempt a legal attack on Qualcomm.

The other side of the potential waning of power for shareholders is CFIUS itself. The Trump administration ended a potential deal for a company that shareholders were widely in favor of. Where do the rights of shareholders to realize a return on their equity end and the right of America as a nation to control national security technology start?

We are on new terrain, and there are no clear answers here. In many ways, it depends on what happens over the next few years of the Trump administration. If there are more blocks like what we saw this week, we could see a radical change in the corporate calculus that would have a long-term negative effect on the value of some American companies.

Hostile takeovers may be incredible drama for writers like yours truly, but they have enormous consequences for companies and the employees who work at them. Qualcomm is going to have to shore up its support with a whole host of stakeholders in the coming months (while dealing with a potential take-private fight), while Broadcom needs to find its next strategy for further growth. All of us are going to have to deal with new uncertainty around the power of shareholders to shape the destiny of their companies. The war is over, but the aftermath and its consequences have just begun.

The rise of experiential commerce

“$43 million and the only thing you can buy in it is a coffee.”

So said Samsung’s Senior Director of Store Development Michael Koch about the company’s flagship Manhattan “popup”—Samsung 837—though “popup” is an understated description for a 56,000 square-foot cavern with interactive art, virtual reality, lounge areas, a recording studio, and a three-story 96-screen display wall. The most shocking thing about it isn’t what’s there, but what Koch, who led the project, says about the place:

“I don’t want you to buy anything in it.”

This may seem antithetical to the purpose of a “store,” but it captures a critical understanding – experience is the core to the future of commerce.

Experiences Everywhere

So what is experiential commerce, and what does it look like?

Red Bull really did give this guy wings.

The takeover of experiential commerce is a figure with a thousand faces. It’s in the long-run transformation of stores into showrooms. It’s in Airbnb CEO Brian Chesky’s ambitions that the company’s Experiences platform will stand alongside home rentals as a core part of the business. It’s in Red Bull spending $65 million to drop an Austrian daredevil out of a space balloon and livestream it to millions of viewers on YouTube. It’s in American summer vacation spending rising by $10 billion, or 12.5%, in 2017.

You have to buy tickets to San Francisco’s Color Factory – which markets itself as 12,000 square feet of “color experiences” – months ahead of time, and escape rooms have swept the nation.

This must be the submarine that Ringo was talking about.

Explaining Experiential Commerce’s Rise

It wasn’t always like this. The status quo historically focused on functionality. Marketing and brand-building stressed a product’s uses—this brand works well to clean your clothes or iron out wrinkles, or this cream will reduce age lines if you wear it daily.

A brick-and-mortar store was product testing, warehousing, and distribution rolled into one. You walk into a Payless to try the shoes on; the customer service associate strolls into the back to get that sneaker in your size; you pay for it at the counter and walk out with it. Above all, however, the store was the place you went to buy the thing. You’re meant to go inside and walk out with something or the store and its salesfolk have not done their job properly. Analysts would judge success on metrics such as ‘sales per square foot’ in each store.


Hell hath no fury like a hand wrinkled before its time.

Now Payless is bankrupt, and Allbirds is doubling revenue to $100 million in 2018. The status quo is done. Why? Because technological and logistical advances made it possible for it to change and consumer preferences made it desirable for it to change.

The growth of e-commerce infrastructure (Stripe, AWS, Shopify, etc) and fulfilment networks has lessened the need for distribution and warehousing to take place in a store. E-commerce’s share of industrial real estate increased from 5% to 20% between 2013 and 2017; warehouse space is growing at double the rate of office space. Amazon fulfilled 2 billion orders on behalf of marketplace sellers in 2016. With delivery by drones and other autonomous vehicles still to hit the mainstream, innovation on distribution is hardly finished.

Online reviewing and free shipping/returns has lessened the need for product testing in a store—you know that the sneakers are good sneakers because 238 people reviewed them for an average rating of 4.7/5 stars; even if they turn out to be awful, you know you can send them back with zero cost and minimal inconvenience.

Consumer preferences have changed for a number of reasons. In large part this shift is a generational one, which means, yes, we have to talk about millennials (I’m an ancient borderline millennial at 33).

Millennials aren’t as materialistic as previous generations: an Eventbrite study conducted by Harris Poll in 2014 found that 78% of them would prefer to spend money on a desirable experience or event over a desirable object. Since self-report is an iffy foundation to rest that argument on—I regularly report preferring to spend money on gym visits to lavish desserts—the really eye-catching finding was that U.S. consumer expenditure on live events doubled between 1990 and 2010, when the first millennials turned 30.

It undoubtedly has something to do with social media, which has upended the conspicuous element of consumption. Why spend heaps of money on an expensive watch when you can spend that same heap on multiple photogenic meals and yoga classes that will do more for your Instagram follower and likes count? As my friend Deborah Weinswig puts it, “wellness is the new luxury.” You can only snap an item once, but a worthy lifestyle encapsulates hundreds of shareable moments.

Finally, the arrival of the sharing economy mean people who know how to navigate that space—read tech-savvy youth—don’t actually have to own as many things. When you can outsource your car with Uber and your closet with Rent the Runway, it’s possible to use more stuff while owning less stuff. These forces have combined to result in the experiential commerce boom we see today.

What Experiential Commerce Means for Business

Companies that will thrive in this environment understand that the appeal of a product or a brick-and-mortar spot has to go beyond functionality. The store has to be a place where consumers want to spend time, not just transact. This is not a new insight—Starbucks has spent years successfully charging customers 15-20x what they spend on a homemade coffee on the back of this idea. Starbucks CEO Howard Schultz once said that he wanted to make Starbucks the “third place” in people’s lives, after work and home. Hence the comfy chairs, free Wi-Fi, and effortful decor. Starbucks’ customers are fully aware of that price differential but continue to welcome this extortion because they like spending time there. And did I mention free Wi-Fi? Blue Bottle was also paying attention—add better coffee, subtract free Wi-Fi; and you have a 40-shop company Nestle is willing pay $500 million for.

The lesson is also seeping into the minds of companies that sell physical goods. Apple, which transformed retail with the Apple Store 17 years ago, now wants its locations to be more than just a place to interact with and purchase its products. At its most recent iPhone event, Apple SVP (and retail design demigod) Angela Ahrendts revealed a new retail concept called “Town Squares” that positions Apple locations as gathering places for local communities to attend concerts, workshops and more.

It’s not just giants like Samsung and Apple embracing experiences, however. Casper asks its potential customers to come take a nap in its showroom. Harry’s has set up a barbershop in Soho. b8ta functions as a gallery of tech gadgets that leans into letting you actually try them first. Glossier wants you to stroll by and check out their showroom, which an architectural correspondent described droolingly as “like something of a hybrid of a modern boudoir and a high-fashion funhouse.” One particularly quirky experience requires the customer to push a red button, upon which a gloved hand emerges through a hole and sprays Glossier You perfume on their wrist.

All Casper employees fill their bedroom walls with whimsical hand-drawn cartoons.

Unlike Starbucks, however, the goal is less direct than persuading someone to pay $5 for a cup of coffee. That’s a transaction, after all, which takes place in the same venue that the consumer spends time in. Instead, these new consumer brands want to use great brick-and-mortar experiences to court the consumer—come take a nap in my showroom, and when you need a new mattress two months down the line, you’ll choose Casper over Tuft & Needle. You probably won’t order in store, but you’ll go home and order it online…and that’s precisely the idea.

In such instances, brick and mortar becomes a kind of marketing or brand-building effort more than anything else. One way to think about it is as a very well-thought-out, multidimensional billboard.

Why Experiential Commerce Is Important

This consumer trend has consequences that go beyond Times Square and your mattress choices. Experiential commerce is speeding the decline of retail jobs and malls. It’s not hard for an optimist to find upside in less mall space in the U.S.—the country has 10x as much mall coverage per capita as Germany, and many would be happy to see that gap close if it meant more affordable housing or green space. On the other hand, while New Yorkers get to revel in Samsung 837’s digital opulence, would the company do something similar for Cleveland? If M&Ms can reach a million social-media citizens with a single smart Times Square billboard stunt, there’s no need to replicate it in Minneapolis.

If brands see brick and mortar as marketing expenses that drive affinity through foot traffic and exposure through social media, it might not make sense to set up shops in any but the most dense metropolises. That dynamic risks further driving economic vibrancy to the American coasts and urban centers.

Generally, though, experiential commerce’s moment is good news for the consumer. It has crossed over into goods commerce and imbued it with a services mentality, eliminating the pushy salesperson trying to get their commission. That change in attitude will lead to higher standards for CPG companies and more meaningful consumer-product interactions.

Given analysts’ fascination with the “retail apocalypse,” you’d think the capitalism doomsday clock had been set a few minutes from midnight. While it’s true that many retailers are dying at an accelerating rate, this trend doesn’t mark the end of retail so much as an inflection point in its nature. For retailers and brands that have spent decades perfecting the traditional brick-and-mortar experience, this shift isn’t welcomed with open arms. But embracing experiences is a surefire way to stay relevant—and in business—in today’s competitive retail environment.

VR, presence and the case of the missing killer app

Compelling virtual reality shipped to developers and consumers nearly two years ago. The first flagship headsets arrived from Oculus and HTC back in the spring of 2016, offering enough resolution, frame rate, field of view, latency mitigation and position-tracking to produce believable visual immersion.

But no one seems to know what to do with it. To date, no killer app has extended the promise of VR from a novelty to a sticky experience or utility that reaches beyond enthusiasts to resonate with the consumer center of mass.

This isn’t to say that great experiences don’t exist. Apps like Tilt Brush, Elite: Dangerous and Google Earth VR have earned rave reviews and plaudits from enthusiasts. But we have yet to see a household phenomenon like Halo or Lotus 1-2-3 — applications that single-handedly propelled their respective platforms to wide use. At CES 2018, one industry analyst referred to VR as “drawerware,” referring to the likelihood of headsets to be stuffed in a drawer after a few forays into jejune worlds.

In an attempt to shed some light on the case of the missing VR killer app, I want to offer a few thoughts on why VR matters to users, and what that implies for entrepreneurs and investors interested in building or funding the VR killer app.

Why VR matters: Presence

Why is virtual reality valuable? In a word, presence: Immersion is the heart of the incremental value of VR versus existing platforms. Most forms of expressive media provide a third-person perspective of an experience, or convey sufficient information to help a user imagine a first-person perspective on their own.

When done right (6DoF tracking, room-scale movement, sufficiently high-resolution/FOV/low latency, spatial audio), virtual reality helps a user feel like they are really there. Rather than convey an impression of an experience, VR manipulates our visual and auditory senses (and soon our tactile sense) to transmit experience itself.

Presence is valuable in two ways

The idea that VR is valuable because it generates presence is well understood. But why does presence matter? What need does being there fill for users?

The quality of presence has clear intrinsic value. With few exceptions, subjective immersion is the best way to fully grasp what a certain experience is like. Being at the mountaintop generates the maximum degree of sensory throughput, and is a better way to understand the truth of your relationship to that place than watching a video of the mountain, which is better than seeing a picture of the mountain.

The objective fact of being somewhere matters as much or more than the subjective feeling of being there.

But presence also can have instrumental value, where being there is valuable in an objective sense. Being present at a meeting with a potential business partner sends a positive signal separate from the fidelity of your experience. Actually visiting the mountaintop can impress your friends, mattering beyond the sensation of being there.

Put another way, and borrowing the language of philosophy, it seems like we value presence for its experiential worth — being for the sake of experience — as well as for its ontological worth, or being for the sake of being. Another way to describe the ontological value of presence is authenticity. The philosopher Robert Nozick suggested as much in his refutation of ethical hedonism, employing the notion of the “experience machine” to suggest we care about more than our feelings. What this all means is that for many kinds of experience, the objective fact of being somewhere matters as much or more than the subjective feeling of being there.

VR’s killer app will deliver both types of presence value

How does identifying the two ways that presence drives user value help us imagine the use case that a VR killer app might address?

First, it illuminates why many first-order VR applications may not be suited for adoption by a non-enthusiast audience. When examining some of the typical mass market use cases forwarded by VR aficionados — enterprise or personal telepresence, virtual tourism and travel, virtual attendance at sports and entertainment events, virtual social environments and rec rooms — it seems clear that authenticity matters a great deal to consumers of these experiences, meaning that simply porting them to VR may not be compelling beyond an initial sense of novelty.

I believe that the value of ontological presence is largely driven by social norms. As and when the quality of VR experience converges on metaphysically “real” experience, those norms will evolve. Perhaps our children will label us “substratist” for claiming that hanging out in VR is less satisfying than visiting in person. But with regards to the next generation or two of VR tech and applications, I’m not bullish on social VR experiences that merely replicate the ways we interact in real life. By generating experiential presence without authenticity, they seem to fall into an uncanny valley somewhere between interactive video chat and in-person interaction.

It’s tempting to believe, then, that the VR killer app will skirt the issue of authenticity by solving for problems where the subjective feeling of presence, and not the objective fact of it, matters most — for example, virtual training for a factory worker, touring new construction homes for sale or checking out a car in a virtual showroom. VR is already finding fruitful use in the enterprise and select consumer applications. But when considering potential killer applications, the problem is that arenas of experience where experiential presence matters but authenticity does not usually aren’t important or frequently accessed parts of our life.

Ultimately, I think the first VR blockbuster will deliver both the experiential and ontological value of presence. In other words, VR’s killer app will generate a powerful feeling of being there for a compelling experience, in a way that also feels completely authentic.

Quality, accessibility and ecosystem maturity are probably the biggest practical barriers gating the VR killer app.

I believe that the experience in question will lack an analogue in the real world. In other words, the VR killer app won’t be a multiplayer simulation of New York City in the present day, or a virtual movie theater, or a virtual Giants Stadium where you can kick back in a box and watch the Super Bowl. The application that sells the mass market on virtual reality will be fully native to the platform, such that the only way to know what it is really like will be donning a headset and stepping inside.

An engaging VR experience that isn’t simulating something in the real world, but exists solely in its own right, can immerse a user in both senses of the word: After all, authenticity is implied when the virtual substrate is the only home for a certain experience. The real question is making the experience interesting or fun or cool enough that the feeling of presence is appealing, too.

Concluding thoughts

If it sounds like I’m describing a video game, I think I am, too. But video games are a focal use case for every VR headset in production. What’s missing?

Quality, accessibility and ecosystem maturity are probably the biggest practical barriers gating the VR killer app. The current generation of flagship headsets are cumbersome and expensive to set up and run. Though deep price cuts across flagship wearables powered sales of more than a million VR headsets in Q3 2017, and both Oculus and HTC moved hundreds of thousands of high-end, PC-based units, individual install bases remain low enough to deter AAA studios.

Bootstrapping a two-sided ecosystem — in the case of VR, headsets/users and content, with more of the former increasing the incentive to invest in the latter and vice versa — is never easy. But better technology is on the way: HTC recently announced the Vive Pro, sporting improved resolution, spatial audio and a wireless adapter to do away with clunky wires. Google, Samsung, Lenovo and Oculus are working on standalone headsets that run without a PC or smartphone under the hood. Dozens of startups are developing peripherals and software to improve the VR experience, from haptics that mimic touch to pupil tracking that enables realistic eye contact.

Each new iteration of core VR hardware is a rising tide that makes any VR application more appealing to users on the margin. But killer apps often emerge on imperfect versions of the platforms they bring to life. The charting function of Lotus 1-2-3 strained the limits of the early graphics hardware on x86 PCs, but until 1-2-3, no one knew that programmatic generation of charts and graphs was even possible.

A killer app doesn’t need to be a perfect encapsulation of a new technology’s potential. All it needs to do is hint at the grand vision by providing a single, irresistible demonstration of value over the status quo.

In the case of VR, I’m not certain if that demonstration will occur on this generation of hardware or the next. But I believe it will be an experience that compares in intensity or joy or uniqueness to the best experiences we can access in reality. If you’re working on VR content or applications, consider this advice: Give us the ability to be present in a vision of the past, or a counterfactual world. Give us the feeling of life underwater or in space. Give us the sense of being present for an experience completely native to virtual reality, not merely an emulation of experiences we can already inhabit. Give us something real in its own right. That’s when the mass market will start to believe — and buy.

Amid the greatest NCAA basketball upset ever, a Twitter hero emerges

Happy Saturday, everyone! While many things in the world are very bad today, if you were on the Internet last night, you probably caught wind of a pretty cool historic moment in college basketball: UMBC — University of Maryland, Baltimore County — knocked off the overall number one seed in the annual NCAA men’s basketball championship tournament in an absolute landslide.

So, naturally, I absolutely had to find the tech angle here, and if you owned a smartphone, you probably saw a series of extremely excellent tweets from UMBC’s twitter account, which went absolutely ballistic last night. So, we wanted to recognize the other star of the show: UMBC’s twitter account. You probably would too if, as a 21-point underdog, beat what most consider the best team in the country. Most tweet compilations are not great, but this one is very great.

University of Virginia was absolutely crushed during the second half of the game after dominating the world of college basketball for the entire regular season and throughout the conference tournament on the way to the overall number one seed — a system in place where teams are placed in the tournament based on favorable matchups as a reward for their performance. The system is still ripe for upsets, and there have been a lot this year, but this one is arguably one of the biggest upsets of all time.

So, without further ado:

it's actually a chesapeake bay retriever, but we appreciate the love

— UMBC Athletics (@UMBCAthletics) March 17, 2018

Ahh we remember this game at Maryland in December….hopefully you enjoyed our game from your couch dude! pic.twitter.com/qwRC9zSQuE

— UMBC Athletics (@UMBCAthletics) March 17, 2018

We're just a 16 seed, happy to be here, also we're up 35-24 on No.1 Virginia with Jairus going to the line to shoot 3 ft with 15:52 left

— UMBC Athletics (@UMBCAthletics) March 17, 2018


— UMBC Athletics (@UMBCAthletics) March 17, 2018

We also beat UVA on twitter too btw

— UMBC Athletics (@UMBCAthletics) March 17, 2018


*we will not live tweet the replays, the guy running this has to sleep at some point https://t.co/DfHjirCd1K

— UMBC Athletics (@UMBCAthletics) March 17, 2018

We respect Wendy’s too much. Our staff goes there for nuggets and frostys once a week

— UMBC Athletics (@UMBCAthletics) March 17, 2018

I’m just a guy with a phone and a trusting boss

— UMBC Athletics (@UMBCAthletics) March 17, 2018

I’ll take a free dinner tbh, I’m hungry

— UMBC Athletics (@UMBCAthletics) March 17, 2018

We celebratin, he home sleepin

— UMBC Athletics (@UMBCAthletics) March 17, 2018

Twitter never takes a break

— UMBC Athletics (@UMBCAthletics) March 17, 2018

Alarming bucket of truth, that one. We’ll end with this one:

Happy March Madness, all! May fortune favor (the rest) of your brackets.

Late-blooming startups can still thrive

It seems like startup news is full of overnight success stories and sudden failures, like the scooter rental company that went from zero to a $300 million valuation in months or the blood-testing unicorn that went from billions to nearly naught.

But what about those other companies that mature more gradually? Is there such a thing as slow and successful in startup-land?

To contemplate that question, Crunchbase News set out to assemble a data set of top late-blooming startups. We looked at companies that were founded in or before 2010 that raised large amounts of capital after 2015, and we also looked at companies founded a least five years ago that raised large early-stage funds in the last year. (For more details on the rules we used to select the companies, check “Data Methods” at the end of the post.)

The exercise was a counterpoint to a data set we did a couple of weeks ago, looking at characteristics of the fastest growing startups by capital raised. For that list, we found plenty of similarities between members, including a preponderance of companies in a few hot sectors, many famous founders and a lot of cancer drug developers.

For the late bloomers, however, patterns were harder to pinpoint. The breakdown wasn’t too different from venture-backed companies overall. Slower-growing companies could come from major venture hubs as well as cities with smaller startup ecosystems. They could be in biotech, medical devices, mobile gaming or even meditation.

What we did find, however, was an interesting and inspiring collection of stories for those of us who’ve been toiling away at something for a long time, with hopes still of striking it big.

Pivots and patience

Even youthful startups have been known to make a major pivot or two. So it’s not surprising to see a lot of pivots among late bloomers that have had more time to tinker with their business models.

One that fits this mold is Headspace, provider of a popular meditation app. The company, founded in 2010 by a British-born Buddhist monk with a degree in circus arts, started as a meditation-focused events startup. But it turned out people wanted to build on their learning on their own time, so Headspace put together some online lessons. Today, Santa Monica-based Headspace has millions of users and has raised $75 million in venture funding.

For late bloomers, the pivot can mean going from a model with limited scalability to one that can attract a much wider audience. That’s the case with Headspace, which would have been limited in its events business to those who could physically show up. Its online model, with instant, global reach, turns the business into something venture investors can line up behind.

Sometimes your sector becomes hip

They say if you wait long enough, everything comes back in style. That mantra usually works as an excuse for hoarding ’80s clothes in the attic. But it also can apply to entrepreneurial companies, which may have launched years before their industry evolved into something venture investors were competing to back.

Take Vacasa, the vacation rental management provider. The company has been around since 2009, but it began raising VC just a couple of years ago amid a broad expansion of its staff and property portfolio. The Portland-based company has raised more than $140 million to date, all of it after 2016, and most in a $103 million October round led by technology growth investor Riverwood Capital.

CloudCraze, which was acquired by Salesforce earlier this week, also took a long time to take venture funding. The Chicago-based provider of business-to-business e-commerce software launched in 2009, but closed its first VC round in 2015, according to Crunchbase records. Prior to the acquisition, the company raised about $30 million, with most of that coming in just a year ago.

Meanwhile, some late bloomers have always been fashionable, just not necessarily as VC-funded companies. Untuckit, a clothing retailer that specializes in button-down shirts that look good untucked, had been building up its business since 2011, but closed its first venture round, a Series A led by VC firm Kleiner Perkins, last June.

Slow-growing venture-backed startups are still not that common

So yes, there is still capital available for those who wait. However, the truth of the matter is most companies that raise substantial sums of venture capital secure their initial seed rounds within a couple years of founding. Companies that chug along for five-plus years without a round and then scale up are comparatively rare.

That said, our data set, which looks at venture and seed funding, does not come close to capturing the full ecosystem of slow-growing startups. For one, many successful bootstrapped companies could raise venture funding but choose not to. And those who do eventually decide to take investment may look at other sources, like private equity, bank financing or even an IPO.

Additionally, the landscape is full of slow-growing startups that do make it, just not in a venture home run exit kind of way. Many stay local, thriving in the places they know best.

On the flip side, companies that wait a long time to take VC funding have also produced some really big exits.

Take Atlassian, the provider of workplace collaboration tools. Founded in 2002, the Australian company waited eight years to take its first VC financing, despite plentiful offers. It went public two years ago, and currently has a market valuation of nearly $14 billion.

The moral: Those who take it slow can still finish ahead.

Data methods

We primarily looked at companies founded in 2010 or earlier in the U.S. and Canada that raised a seed, Series A or Series B round sometime after the beginning of last year, and included some that first raised rounds in 2015 or later and went on to substantial fundraises. We also looked at companies founded in 2012 or earlier that raised a seed or Series A round after the beginning of last year and have raised $30 million or more to date. The list was culled further from there.

Trump campaign-linked data firm Cambridge Analytica reportedly collected info on 50M Facebook profiles

Facebook said on Thursday it had suspended a data analytics firm associated with the Trump campaign, but may have indeed greatly downplayed the scale of the data that firm actually had access to, according to a new report in The New York Times.

Cambridge Analytica had worked with University of Cambridge psychology professor named Dr. Aleksandr Kogan, who had developed an app called “thisisyourdigitallife” and obtained user information — which the Times is reporting scooped up information on profiles of as many as 50 million users. Late Friday, Facebook acknowledged that 270,000 people downloaded the app, which used Facebook Login and granted access to users’ geographic information. But just one person — with hundreds of friends — allowing access to a personal information through an app, circa 2014, may have had a much larger impact than it does today.

In the earlier stages of a company, it’s possible that policies are not rigorous enough and the guardrails on various APIs are not robust enough that this kind of information can just get out in the open without additional scrutiny, allowing firms to take advantage of those shortcomings. Facebook executives, on Twitter no less, were quick to be clear that this wasn’t a breach — though the argument is that it is, indeed, might not be considered a breach in the traditional sense of the word. But, here’s what Facebook chief security officer Alex Stamos said:

Update: Stamos deleted his Tweets. The above is a screenshot of his previous tweet. Here’s his explanation.

I have deleted my Tweets on Cambridge Analytica, not because they were factually incorrect but because I should have done a better job weighing in.

— Alex Stamos (@alexstamos) March 17, 2018

I'm going to step away from this one. I really care about privacy and security, as well as platform openness, freedom from censorship and stopping authoritarians who use the internet as a weapon. I just wish I was better about talking about these things in the reality of 2018.

— Alex Stamos (@alexstamos) March 17, 2018

Prior to deleting his tweets, Stamos posted a long thread that explained the nitty gritty of the situation, which is that around the time of the quiz, the Facebook API allowed developers to see a much wider swath of the data that’s available now. Those APIs were updated in 2015 to remove the ability to see that kind of friend data, a move Stamos said was “controversial” with app developers at the time. These policies in reality are constantly evolving and trying to hit a moving target, especially at the scale of Facebook with more than 2 billion monthly active users. That being said, Trump’s margin of victory in terms of the final vote counts in pivotal states was narrow, so information on the right 50 million people could have made a huge difference.

While Facebook was a publicly-traded company, with a fiduciary duty to its shareholders in 2014 to not have massive screwups and probably a lot more responsibility to keep this kind of information in check, it’s hardly alone in that respect. We’ve seen instances of those missing guardrails to access in many companies and used in many inappropriate ways, like Uber’s “god view” and Lyft’s own troubles. It’s definitely a different situation, but when a company is in growth mode, these kinds of guardrails might simply not be a high priority. That might be especially true when the data sets become increasingly large and simply managing them becomes a huge technical effort. Facebook had 1.39 billion monthly active users by the end of Q4 2014.

To be sure, It does not make the scale of this incident any less severe or important.

Facebook came out with a statement late Friday that it had suspended the account of Strategic Communication Laboratories and its political data analytics firm Cambridge Analytica. However it appears it still may have again downplayed the total scale of the data Kogan had acquired from Facebook users. The Times said it downplayed the scope of the leak and “questioned whether any data still remained out of its controls” throughout a week of inquiries.

This was unequivocally not a data breach. People chose to share their data with third party apps and if those third party apps did not follow the data agreements with us/users it is a violation. no systems were infiltrated, no passwords or information were stolen or hacked.

— Boz (@boztank) March 17, 2018

We reached out to Facebook for some additional information, and will update when we hear back. But for the time being Facebook executives seem to continue to follow a trend of explaining themselves on Twitter, so we’ll take that as the current statement for Facebook.