After the FireEye and SolarWinds breaches, what’s your failsafe?

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend to turn a compromise into a meaningful breach. We’ve heard FireEye put effort and execution into the protection of sensitive tools and accesses, forcing the Russians to put stunning effort into a breach.


More evidence of FireEye’s dedication to security can be seen in the speed with which it has moved to publish countermeasure tools. While the SolarWinds breach has had stunning immediate fallout, I’ll reserve opining about SolarWinds until we learn details of the whole event, because while a breach that traverses the supply chain should be exceedingly rare, such breaches will never be stopped entirely.

All this is to say, this news isn’t surprising to me. Security organizations are a top adversarial target, and I would expect a nation-state like Russia to go to great lengths to impede FireEye’s ability to protect its customers. FireEye has trusted relationships with many enterprise organizations, which makes it a juicy target for espionage activities. SolarWinds, with its lengthy list of government and large enterprise customers, is a desirable target for an adversary looking to maximize its efforts.

SolarWinds' hackers gained access to multiple federal agencies.

Image Credits: David Wolpoff

Hack SolarWinds once, and Russia gains access to many of its prized customers. This isn’t the first time a nation-state adversary has gone through the supply chain. Nor is it likely to be the last.

For security leaders, this is a good opportunity to reflect on their reliance and trust in technology solutions. These breaches are reminders of unseen risk debt: Organizations have a huge amount of potential harm built up through their providers that typically isn’t adequately hedged against.

People need to ask the question, “What happens when my MSSP, security vendor or any tech vendor is compromised?” Don’t look at the SolarWinds hack in isolation. Look at every one of your vendors that can push updates into your environment.

No single tool can be relied on to never fail.

You need to expect that FireEye, SolarWinds and every other vendor in your environment will eventually get compromised. When failures occur, you need to know: “Will the remainder of my plans be sufficient, and will my organization be resilient?”

What’s your backup plan when this fails? Will you even know?

If your security program is critically dependent on FireEye (Read: It’s the primary security platform), then your security program is dependent on FireEye implementing, executing and auditing its own program, and you and your management need to be okay with that.

Often, organizations purchase a single security solution to cover multiple functions, like their VPN, firewall, monitoring solution and network segmentation device. But then you have a single point of failure. If the box stops working (or is hacked), everything fails.

From a structural standpoint, it’s hard to have something like SolarWinds be a point of compromise and not have wide-reaching effects. But if you trusted SolarWinds’ Orion platform to talk to and integrate with everything in your environment, then you took the risk that a breach like this wouldn’t happen. When I think about utilizing any tool (or service), one question I always ask is, “When this thing fails, or is hacked, how will I know and what will I do?”

Sometimes the answer might be as simple as, “That’s an insurance-level event,” but more often I’m thinking about other ways to get some signal to the defenders. In this case, when SolarWinds is the vector, will something else in my stack still give me an indication that my network is spewing traffic to Russia?

Architecting a resilient security program isn’t easy; in fact, it’s a really hard problem to solve. No product or vendor is perfect; that’s been proven time and again. You need to have controls layered on top of each other. Run through “what happens” scenarios. Organizations focusing on defense in depth, and defending forward, will be in a more resilient position. How many failures does it take for a hacker to get to the goods? It should take more than one mishap for critical data to end up in Russia’s hands.

It’s critical to think in terms of probability and likelihood and put controls in place to prevent accidental changes to baseline security. Least privilege should be the default, and lots of segmenting should prevent rapid lateral motion. Monitoring and alerting should trigger responses, and if any wild deviations occur, the fail-safes should activate. Run a red-team security program, see how well you stack up and learn from your mistakes.

Much was made of the security impacts of the FireEye breach. In reality, Russia already has tools commensurate to those taken from FireEye. So while pundits might like to make a big story out of the tools themselves, this is not likely to be reminiscent of other leaks, such as those of NSA tools in 2017.

The exploits released from the NSA were remarkable and immediately useful for adversaries, and those exploits were responsible for the temporarily increased risk the industry experienced after the Shadow Brokers hack — it wasn’t the rootkits and malware (which were what was stolen at FireEye). In the FireEye case, since it appears there were no zero-days or exploits taken, I don’t expect that breach to cause significant shockwaves.

Breaches of this magnitude are going to happen. If they’re something your organization needs to be resilient against, then it’s best to be prepared for them.

Talking tech’s exodus, Twitter’s labels, and Medium’s next moves with founder Ev Williams

Earlier today, we had the chance to talk with Twitter and Medium cofounder Ev Williams, along with operator-turned investor James Joaquin, who helps oversee the day-to-day of the mission-focused venture firm they separately cofounded six years ago, Obvious Ventures.

We collectively discussed a lot of venture-y things, some of which we’ll publish next week, so stay tuned. In the meantime, we spent some time talking specifically with Williams about both Twitter and Medium and some of the day’s biggest headlines. Following are some excerpts from that chat, lightly edited for length and clarity.

TC: A lot of tech CEOs have been saying goodbye to San Francisco in 2020. Do you think the trend is attracting too much attention or perhaps not enough?

EW: I moved away from the Bay Area a little over a year ago, with my family to New York. I’d lived in San Francisco for 20 years, and I had never lived in New York, and thought, ‘Why not go? Now seems like a good time.’ Turns out I was wrong. [Laughs.] It was a very bad time to move to New York. So I was there for six months, and quickly came back to California, which is a great place to be in a world where you’re not going into bars and restaurants and seeing people.

TC: You moved when COVID took hold?

EW: Yes. In March, Manhattan suddenly seemed not ideal. So now I’m on the peninsula.

I’m from San Francisco. It was really, for me, just honestly looking for a change. But an enabling factor that could be common in many of these cases is the fact that I no longer have to be in the office in San Francisco every day, [whereas] for most of 20 years [beforehand], all my work life was in an office in San Francisco, generally with a company I had started, so I thought it was important to be there.

This was pre COVID and remote work. But remote work was becoming more common. And I noticed in 2018 or so, with this massive number of companies that were in San Francisco — startups and large public companies and pre IPO companies — the competition for talent had gotten more extreme than it had ever been. So it got me — along with a lot of founders and CEOs — thinking about maybe the advantage of hiring locally and having everybody in the same office [was a pro] that was starting to get outweighed by the cons. . . And, of course, the tools and technology that make remote work possible were getting better all the time.

TC: Given that you cofounded Twitter, I have to ask about this presidential transition that is maybe, finally happening. In January, Donald Trump will lose the privileges he enjoyed as president. Given the amount of disinformation he has published routinely, do you think Twitter should have cracked down on him sooner? How would you rate its handling of a president who really tested its boundaries in every way?

EW: I think what Twitter has done especially recently is a pretty good solution. I mean, I don’t agree with the notion or that he should have been removed altogether a long time ago. Having the visibility, literally seeing, what the President is thinking at any given moment, as ludicrous as it is, is helpful.

What he would be doing if he didn’t have Twitter is unclear, but he’d be doing something to get his message out there. And what the company has done most recently with the warnings on his tweets or blocking them is great. It’s providing more information. It’s kind of ‘buyer beware’ about this information. And it’s a bolder step than any platform had done previously. It’s a good version of an in between where previously [people would] talk about just kicking people off, [and] allowing freedom of speech.

TC: You started Blogger, then Twitter, then Medium. As someone who has spent much of your career focused on content and distribution, do you have any other thoughts about what more Twitter or other platforms could be doing [to tackle disinformation]? Because there is going to be somebody who comes along again with the same autocratic tendencies.

EW: I think all of society gets more information savvy — that’s one hope over the long term. It wasn’t that long ago that if something was in “media,” it was accepted as true. And now I think everyone’s skeptical. We’ve learned that that’s not necessarily the case and certainly not online.

Unfortunately, we’re now at the point where a lot of people have lost faith in everything published or shared anywhere. But I think that’s a step along the evolution of just getting more media savvy and knowing that sources really matter, and as we build both better tools, things will get better.

TC: Speaking of content platforms, Medium charges $50 per year for users to access an unlimited amount of articles from individual writers and poets. Have you said how many subscribers the platform now has?

EW: We haven’t given a precise number, but I can tell you it’s in the high hundreds of thousands. It’s been a couple years now, and I’m a very firm believer in the model — not only that people will pay for quality information, but that it’s just a much healthier model for publishers, be they individuals or companies, because it creates that feedback loop of ‘quality gets rewarded.’

If people aren’t getting value, they unsubscribe, and that isn’t the case with an advertising model. If people click, you keep making money, and you can kind of keep tricking people or keep appealing to lowest-common-denominator impulses. There were a couple of decades where the mantra was ‘No one will pay for content on the internet,’ which obviously seems silly now. But that was the established belief for such a long time.

TC: Do you ever think you should have charged from the outset? I sometimes wonder if it’s harder to throw on the switch afterward.

EW: Yes, and no. When we first switched to this model in 2017, we created a subscription, but the vast majority of content was — and actually still is — outside of the paywall. And our model is different than most because it’s a platform, and we don’t own the content, and we have an agreement with our creators that they can publish behind the paywall if they want, and we will pay them if they do that. But they can also publish outside the paywall if they’re not interested in making money and want maximum reach. And those models are actually very complementary because the scale of the platform brings a lot of people in through the top of the funnel.

Scale is really important for most businesses, but for a paywall, it’s especially important because people have to be visiting with enough frequency to actually hit the paywall and be motivated to pay.

TC: Out of curiosity, what do you make of Substack, a startup that invites writers to create their own newsletters using a subscription model and then takes a cut of their revenue in exchange for a host of back end services?

EW: There’s a bit of a creator renaissance going on right now that is part of a bigger wave of people being willing to pay for quality information, and independent writers and thinkers actually breaking out on their own and building brands and followings. And I think we’re going to see more of that.

TC: Medium has raised $132 million over the years. Will you raise more? Where do you want to take the platform in the next 12 to 24 months?

EW: We’re not yet profitable, so I anticipate that we will raise more money.

There’s a very big business to be built here. While more and more people are willing to pay for content, I don’t think that means that most people will subscribe to dozens of sources, whether they’re websites with paywalls or newsletters. If you look at how basically every media category has evolved, a lot of them have gone through this shift from free to paid, at least at the higher end of the market. That includes music, television, and even games. And at the high end, there tend to be players who own a large part of the market, and I think that comes down to offering the best consumer value proposition — one that gives people lots of optionality, lots of personalization, and lots of value for one price.

I think that the same thing is going to play out in this area, and for the subscription that’s able to reach critical mass, that’s a multi-billion dollar business. And that’s what we’re aiming to build.

Nana nabs $6M for an online academy and marketplace dedicated to appliance repair

A lot of the focus in online education — and, let’s face it, education overall — has been about professional development for knowledge workers, education for K-12 and how best to deliver cost-effective, engaging higher learning to those in college and beyond. But in what might be a sign of the times, today a startup that’s focused on e-learning and the subsequent job market for a completely different end of the spectrum — home services — is announcing some funding to continue building out its business in earnest.

Nana, which runs a free academy to teach people how to fix appliances, and then gives students the option of becoming a part of its own marketplace to connect them to people needing repairs, has picked up $6 million.

The seed round is being led by Shripriya Mahesh of Spero Ventures, and Next Play Ventures (ex-LinkedIn CEO Jeff Weiner’s new fund), Lachy Groom, Scott Belsky, Geoff Donaker of Burst Capital, and Michael Staton of Learn Capital are among those also participating.

Nana has now raised $10.7 million, with past backers including Alpha Bridge Ventures, Bob Lee, and the Uber Syndicate, an investment vehicle to back Uber alums in new ventures. Founder and CEO David Zamir is not actually an Uber alum, but one of his first employees, VP of Engineering Oliver Nicholas, is an early Uber engineer, and the company has also found a lot of traction of Uber drivers this year, after many found themselves out of work after the chilling effect that the pandemic had on ridesharing.

Nana — full name Nana Technologies (and not to be confused with Nana Technology, tech built for older adults) — is partly a labor/future of work play, partly an educational play, partly a tech/IoT play, and partly an ecological play, in the eyes of Zamir, who himself trained as an appliance repairperson, running his own successful business in the Bay Area before pivoting it into a training platform and marketplace.

“There are 5.9 million tons of municipal solid waste [which includes lots of electronics like washing machines, blenders and everything in between] in the U.S.,” he said in an interview, “and only 50% of that is capable of getting recycled. We’re in a vicious cycle with appliances, and it’s partly because there aren’t enough people with the knowledge to repair them. But what if you had the liquidity to do that? We’re talking about creating jobs, but also saving the environment.”

Nana’s proposition starts with free lessons to fix a range of appliances — currently, dishwashers, refrigerators, ovens, stoves, washers and dryers — and their typical breakdown/poor performance issues to anyone who wants to know how to repair them. These classes are available to anyone — an individual simply interested in learning how to fix a machine, but more likely someone looking to pick up a skill and then use it to make some money.

Once you take and pass a course — currently remote — you have the option (but not requirement) to register on Nana’s platform to become a repair person who picks up jobs through it fixing that particular issue. Nana already has partnerships with major appliance and warranty companies including GE, Miele, Samsung, Assurant, Cinch and First American Home Warranty, so this is how it gets most of its work in, but it also accepts direct requests from consumers for repair of dishwashers, refrigerators, ovens, stoves, washers and dryers.

Over time, Zamir said, the plan is not just to take in jobs and send out technicians to fix things in an Uber-style dispatch service — but to expand it to fit the kinds of next-generation appliances that are being built today, with IoT diagnostic monitoring and helping also to integrate these appliances into connected homes. It also seems to be slowly expanding into other home services too, alongside appliance repair (which remains its main business).

Nana has to date registered hundreds of technicians in 12 markets across the U.S. and said it expects to expand to 20 markets by the end of 2021.

Nana has an unlikely founder story that speaks to how so much of the tech world is still about hustle and finding opportunities in the margins.

Founder and CEO David Zamir hails from Israel, but unlike many of the transplants you may come across from there to the Bay Area tech world, he’s not a tech guy by education, training or work experience. He used to run clothing stores in Tel Aviv and vaguely liked the idea of being involved in a tech business at some point — Israel loves to call itself “startup nation” and so that bug is bound to bite even those who don’t study computer science or engineering — but he didn’t know what to do or where to begin.

“The clothing business didn’t make much money,” he said. So after a period Zamir and his American wife decided to move to the U.S. and try their luck there.

While initially based on the east coast near her family and wondering about what kind of job to pursue, Zamir spoke with a friend of his in Toronto who was working as an independent tradesperson fixing appliances, and the friend suggested this as an option, at least for a while.

“So I hopped on an airplane to shadow my friend,” he recalled. “The lightbulb went off. I thought, I should do this in San Francisco,” where he had been wanting to move to crack into the tech world, somehow. “I thought that I’d start with fixing appliances while I figured out how to find my way into tech.”

That turned into more than a temporary income stopgap, of course. After finding his business taking off, Zamir saw that technology would be the avenue to growing it.

He was helped in part to build the idea and the business through his grit. Josh Elman, the famous tech investor, complained about a broken dryer back in April, and asked the Twitter hive mind whether he should get a new one or go through the pain of fixing it. Someone flagged the question to Zamir, who reached out and connected Elman with one of Nana’s online teaching technicians. Twelve hours later, Elman’s dryer was diagnosed (by Elman), on its way to getting fixed, and Elman signed on as an advisor to the company.

Move fast and fix things

The world of tech is all about building new things and solving problems, with “breaking” being more synonymous with disruption (=”good”) and fearlessness (see: Facebook’s old mantra to its early employees to move fast and break things). But behind that, there is an interesting disconnect between the tech version of “broken” and objects that are actually “broken” in the real world.

Many of us these days find using apps and other digital interfaces second-nature, but most of us would have no idea how to repair or work with much more basic electronic systems. And nor do most of us want to. More often than not, we give up on it, decide it’s not worth fixing, and click on Amazon et al. to get a new shiny object.

Looked at on a wider scale, this is actually a big problem.

Electronics can be recycled, but in reality only about half the materials can be usefully reused. Meanwhile, Nana estimates that the appliance repair market is a $4 billion opportunity, with some 80 million appliances in need of being serviced annually in the US. But currently there are only some 31,000 trained technicians in the market. Nana estimates that to meet the demand of growing numbers, an additional 28,000 new technicians will be needed by 2025.

At the same time, the move to automation in many skilled labor jobs is putting people out of work: research from the Brookings Institution estimates that some 30 million people will lose their jobs in coming years because of it.

The idea here is that a platform like Nana can help some of those people retrain to fill the gap for appliance technicians, while at the same time extending the life of people’s appliances in a less painful way — putting less stuff into landfill — while at the same time expanding knowledge for anyone who cares for it.

Zamir said that Nana was named after his mother, who raised David as a single parent after his father passed away, a reference to working hard and being practical.

That sentimentality seems to motivate him in a bigger way, too: Zamir himself is a guy with a lot of heart and emotion vested into the concept of his startup. When I told him an anecdote of how our dishwasher broke down earlier this year and both a customer service rep from the maker (Siemens) and a separate repair person advised me to replace it, he got visibly agitated over our video call, as if the subject was something political or significantly graver than a story about a dishwasher.

“I am not a supporter of what they told you,” he said in an angry voice. “It’s really upsetting me.” (I calmed him down a little, I think, when I told him that I uninstalled the broken dishwasher and installed the new one myself, because Covid.)

Zamir said that there are no plans to charge for its academy courses, nor to tie people into signing up with Nana to work once they take the courses. The fact that it provides a lot of inbound jobs attracts enough turnover — between 40% and 60% of those taking courses stay on to work when they took in-person classes, and for now the online figures are between 15% and 35%.

“It’s still early days,” he said, “but we’re finding the take up impressive… Most want to participate in the marketplace.” He says that there are other call-out services where they could register but the tech that Nana has built makes its system more efficient, and that means better returns.

All of this has played well with those who have become Nana’s investors. People like Jeff Weiner — who in his time as CEO of LinkedIn led the company to acquire Lynda as part of a bigger emphasis on the importance of skills training and education — see the opportunity and need to provide an equivalent platform not just for knowledge workers but those who have more manual jobs, too.

“We are excited by Nana’s vision of providing training, access and opportunity for rewarding, satisfying work while also filling a critical gap in our economy,” said Shripriya Mahesh of Spero Ventures, in a statement. “Nana has created a new, scalable approach to giving people the agency, tools and support systems they need to build new skills and pursue fulfilling work opportunities.”

The round was oversubscribed in the end, and Nana shouldn’t find it too hard to raise again if it sticks to its plan and the market continues to grow as it has. That does not seem to be the motivation for Zamir, though.

“We just think it’s super important to build Nana for the people,” he said.

Europe eyeing limits on how big tech can use data and bundle apps — reports

European lawmakers are considering new rules for Internet giants that could include forcing them to share data with smaller rivals and/or put narrow limits on how they can use data in a bid to level the digital playing field.

Other ideas in the mix are a ban on dominant platforms favoring their own services or forcing users to sign up to a bundle of services, according to draft regulatory proposals leaked to the press.

The FT and Reuters both report seeing drafts of the forthcoming Digital Services Act (DSA) — which EU lawmakers are expected to introduce before the end of the year.

Their reports suggest there could be major restrictions on key digital infrastructure such as Apple’s iOS App Store and the Android Google Play store, as well as potentially limits on how ecommerce behemoth Amazon could use the data of merchants selling on its platform — something the Commission is already investigating.

A Commission spokesperson declined to confirm or deny anything in the two reports, saying it does not comment on leaks or comments by others.

“We remain committed to presenting the DSA still this year,” he added.

Per the Financial Times, the leaked draft states: “Gatekeepers shall not use data received from business users for advertising services for any other purpose other than advertising service.”

Its report suggests tech giants will be shocked by the scale of regulations coming down the pipe — noting 30 paragraphs of prohibitions or obligations — with the caveat that the proposal remains at an early stage, meaning big tech lobbyists still have everything to play for.

On bundling, lawmakers are eyeing rules that would mean dominant platforms must let users uninstall any pre-loaded apps — as well as looking at barring them from harming rivals by giving preferential treatment to their own services, according to the reports.

“Gatekeepers shall not pre-install exclusively their own applications nor require from any third party operating system developers or hardware manufacturers to pre-install exclusively gatekeepers’ own application,” per Reuters, quoting the draft it’s seen.

The Commission’s experience of antitrust complaints against Google seems likely to be a factor informing these elements — given a string of EU enforcements against the likes of Google Shopping and Android in recent years have generated headlines but failed to move the competitive needle or satisfy complainants, even as fresh complaints about Google keep coming.

Per Reuters the draft rules would also subject gatekeeper platforms to annual audits of their advertising metrics and reporting practices.

Platforms’ self-serving transparency remains a much complained about facet of how these giants currently operate — making efforts to hold them accountable over things like content take-down performance doomed to fuzzy failure.

The Commission’s public consultation on the DSA was launched in June — and closed on September 8.

In a lengthy response earlier this month, Google lobbied against ex ante rules for platform giants, urging regulators to instead modernise existing frameworks where any gaps are found rather than imposing tougher requirements on tech giants.

Should there be ex ante rules, the adtech giant pushed lawmakers not to single out any particular business models — while also urging against an “overly simplistic” definition of ‘gatekeeper’ platforms.

Facebook has also been ploughing effort into lobbying commissioners ahead of the DSA proposal — seeking to frame the discussion in key risk areas for its business model, such as around privacy and data portability.

In May, CEO Mark Zuckerberg made time for a livestreamed debate run by a big tech-backed policy ‘think tank’ CERRE — appearing alongside Thierry Breton, the Commission VP for the internal market. The Facebook CEO warned about ‘Cambridge Analytica-style’ privacy risks if too much data portability is enforced, while the commissioner warned Facebook to pay its taxes or expect to be regulated.

More recently, Facebook’s head of global policy has sought to link European SMEs’ post-COVID-19 economic recovery prospects to Facebook’s continued exploitation of people’s data via its ad platform — tacitly warning EU lawmakers against closing down its privacy-hostile business model.

Such lobbying may be falling on deaf ears, though. Earlier this month, Breton told the FT the feeling among Brussels’ lawmakers is that platforms have got ‘too big to care’ — hence the conviction that new rules are needed to enforce higher standards.

Breton said then that lawmakers are considering a rating system to allow the public and stakeholders to assess companies’ behaviour in areas such as tax compliance and how quickly they take down illegal content.

He suggested a blacklist of activities could be applied to dominant platforms with a sliding scale of penalties for non-compliance — up to and including the separation of some operations, according to the FT’s report.

He also committed to not removing the current limited liability platforms have around content published on their platforms, saying: “The safe harbour of the liability exemption will stay. That’s something that’s accepted by everyone.”

In another signal of looming intent earlier this month, the Commission said it’s time to move beyond self-regulatory approaches to tackling problem content like disinformation — though it’s yet to flesh out its policy plan in that area. In June it also suggested it’s eyeing binding transparency requirements related to online hate speech, saying platforms’ own reporting is still too patchy.

Spain’s top court rejects Glovo’s classification of couriers as self-employed

Glovo, a Spain-based delivery platform startup, is facing legal disruption in its home market after the country’s Supreme Court ruled against its classification of delivery couriers as ‘autonomous’ (i.e. self-employed) — finding riders are instead in a labour relationship with the platform.

It’s the latest in a string of legal rulings around the classification of Glovo riders in the country in recent years, some of which it has won. Although more recently momentum has been in the opposite direction, with a High Court decision late last year that also judged riders to be workers.

Today the country’s Supreme Court also refused to refer a preliminary question to Europe’s top court, arguing the defining characteristics of its contracts with riders concur, so it’s not clear where Glovo’s appeal can go next. A second ground for appeal was rejected for a formal compliance reason, per a judiciary press release (in Spanish).

In the PR — ahead of the release of the full judgement — the judiciary branch writes that the Plenary of the Fourth Chamber of the Supreme Court maintains Glovo is “not a mere intermediary in the contracting of services between businesses and distributors”.

“It is a company that provides delivery and courier services, setting the essential conditions for the provision of said service. And it is the owner of the essential assets to carry out the activity. For this, it uses delivery people who do not have their own and autonomous business organization, who provide their service inserted in the employer’s work organization,” it adds (via Google Translate).

We’ve reached out to Glovo with questions about how it intends to respond to the ruling.

In a statement reported by El Mundo it has called for policymakers to update regulation around gig worker platforms, writing: “Glovo respects the judgment of the Supreme Court and awaits the definition of an adequate regulatory framework by the Government and Europe.”

At the EU level, the bloc’s lawmakers have signalled an awareness of concerns about conditions for gig workers.

Setting out an ‘Agenda’ for her five-year term late last year, Commission president Ursula von der Leyen said she would look at ways of improving the labour conditions of platform workers — although her suggested policy focus was a pretty soft one, of “skills and education”. So Europe’s courts may end up doing the heavy lifting on gig worker rights.

One key question is how viable is the ‘on-demand delivery’ model if the full cost of labor moves onto the balance sheet? It would certainly change the unit economics in markets where platforms can’t legally sidestep the costs of employing the thousands of humans they rely on to move packets around. (Hence some of these startups are shelling out on R&D to replace human riders with delivery drones/robots.)

In Glovo’s case, the company was in the news last week after it announced the sale (for $272M) of its LatAm business to German rival Delivery Hero — further concentrating its operations in the European market, after it exited the Middle East at the start of this year.

Last year it told us it was focused on trying to achieve profitability in 2021. Any such push would be complicated by requirements to reclassify large numbers of delivery riders as workers. So the Supreme Court ruling looks like it could have major implications for Glovo’s business.

Amsterdam ejects Airbnb et al from three central districts in latest p2p platform limits

Another brick in the wall for vacation rental platforms: Amsterdam is booting Airbnb and other such platforms from three districts in the city’s old center from July 1, further tightening its rules for such services.

In other districts in the famous city of canals, vacation rentals will only be permitted with a permit from next Wednesday, still for a maximum of 30 nights per year.

The latest tightening of the city’s rules on Airbnb and similar platforms comes after a period of consultation with residents and organizations which city authorities say drew 780 responses — a full 75% of which supported banning the platforms from operating in the three central districts.

The three districts where vacation rentals on platforms such as Airbnb are prohibited from next Wednesday are: Burgwallen-Oude Zijde, Burgwallen-Nieuwe Zijde and the Grachtengordel-Zuid.

“This [consultation] indicates that the subject is very much alive among Amsterdammers. What is striking is that no less than 75% are in favor of a ban on holiday rentals in the three districts,” said deputy mayor Laurens Ivens in a press release [translated from Dutch using DeepL].

Furthermore, Ivens said the consultation exercise showed some support for a citywide ban on such platforms. However current pan-EU rules — notably the European Services Directive — limit how cities can respond to public sentiment against such services. Hence Amsterdam applying the ban to specific districts where it has been able to confirm tourism leads to major disruption.

The legal cover afforded to vacation platforms operating in the region by the European Services Directive has shown itself to be robust to challenge, after Europe’s top court ruled in December that Airbnb is an online intermediation service. A French tourism association had sought to argue the platform should rather be required to comply with real estate regulations.

Ivens said Amsterdam will conduct another tourism review in two years — and may add more districts to the ban list if it finds similar problems have migrated there.

These are by no means the first restrictions the city has put on vacation rental platforms. Back in 2018 it tightened a cap on the number of nights properties can be rented, squeezing it from 60 nights to 30 per year.

Yet despite such restrictions city authorities note tourist rental of homes has experienced “strong growth” in recent years, with 1 in 15 homes in Amsterdam being offered online. It also said that the supply of homes on the various platforms has increased fivefold — amounting to around 25,000 advertisements per month.

Due to this increase, tourist rental has an increasingly negative impact on the quality of life in various Amsterdam neighborhoods, the council writes in a press release.

The permit system which is also being brought in is intended to aid enforcement of tighter rules — with stipulations that a house must be inhabited; and that the maximum of 30 nights per year can only be rented to a maximum of four people. The council has also made it mandatory for those renting homes on vacation rental platforms to report to the municipality every time the house is rented, so will be building up its own dataset on how these platforms are being used.

Additional changes to Amsterdam’s housing regulations also include higher fines for repeat offender landlords, such as if they rent a property without a permit or violate the maximum number of nights for holiday rentals.

The city has also put limits on conversions, stipulating that only properties larger than 100 m2 may be converted into two or more smaller homes — a provision that seems aimed at landlords who try to maximize holiday rental income by turning a single larger property into two or more smaller flats, and thereby reducing suitable housing stock for larger families.

After early skirmishes between cities and vacation rental platforms related to the collection of tourist taxes, access to data remains an ongoing bone of contention — with cities pressing platforms to share data in order that they can enforce tighter regulations. Platforms, meanwhile, have a clear commercial incentive to avoid such transparency.

In 2018, for example, city officials in Amsterdam called for Airbnb to share “specific rental data with authorities — who is renting out for how long, and to how many people”.

We’ve asked Airbnb to confirm what data it shares with the city now.

The European Commission has sought to play a mediating role here, announcing earlier this year it had secured agreement with p2p rental platforms Airbnb,, Expedia Group and Tripadvisor to share limited pan-EU data — and saying it wanted to encourage “balanced” development of the sector while noting concerns that such platforms put unsustainable pressure on local communities.

The initial pan-EU data points the platforms agreed to share are number of nights booked and number of guests, aggregated at the level of “municipalities.” A second phase of the arrangement will see platforms share data on the number of properties rented and the proportion that are full property rentals vs rooms in occupied properties.

However the Commission is also in the process of updating the rules around digital services, via the forthcoming Digital Services Act. So it’s possible it could propose specific data access obligations on vacation rental platforms.

We reached out to the Commission to ask if it’s considering updates in this area and will update this report with any response.

Ten EU cities — including Amsterdam — penned an open letter last year, calling on the Commission to introduce “strong legal obligations for platforms to cooperate with us in registration-schemes and in supplying rental-data per house that is advertised on their platforms”. So the regional pressure for better platform governance is loud and clear.

Playbook, a creator platform focused on fitness, raises $3 million in seed

Playbook, aiming to be the Patreon of fitness content, announced the close of a $3 million seed round from several notable angels today. The investor roster includes Giphy founder Alex Chung, StyleSeat founder Melody McCloskey, EventBrite cofounder Renaud Visage, Seventh Generation founder John Replogle, former head of growth at Uber Ed Baker, former head of product at Uber Daniel Graf, Product Hunt founder Ryan Hoover, Bird head of growth Brendan O’Driscoll and Uphonest Capital.

In the wake of the coronavirus pandemic and social distancing, the fitness space has gone through a transformation. Peloton has surged, Classpass has pseudo-pivoted, and traditional gyms have struggled to find their groove in this new world.

Playbook looked to these fitness ventures, as well as broader entertainment communities, to model its business. The company offers consumers an unlimited subscription for either $15/month or $99/year to consume as much fitness content as they’d like.

But Playbook isn’t really built with a focus on the end user, but rather starts from the premise of giving creators the tools they need to foster their own community of users. The startup focuses the vast majority of its energy on offering creators a space where they can create and monetize their content on their own terms.

The startup, cofounded by Jeff Krahel, Michael Wojcieszek, and Kasper Odegaard, takes a 20 percent cut of customer fees, with the rest going to creators in two different forms. The first is based on the creator’s own community that they bring to the platform via a custom link, in which case the creator owns the economics there. This means that, even if a user wanders from their original creator on the platform to another, the original creator still gets an 80 percent cut from that user. For users that are brought on to the platform by Playbook, and then select a creator’s content, Playbook pays out the creator based on seconds watched.

“Our focus is really on the creator and their community,” said Krahel. “Consumers don’t switch between creators very much. In fact, less than 50 percent of consumers switch. They’re often very dedicated to their creator. So we look at this more as a Patreon in terms of the business, where we want to give the best tools to the creator who is going to deeply engage with their community and monetize their content and social distribution.”

Interestingly, Playbook isn’t just focused on getting fit. The app, with more than 150 trainers on the platform, also has content around sports training, whether it be for conditioning or working on technique within various sports.

The company has locked in some high-powered creators, including Magnus Lydgback, trainer to Gal Gadot and Ben Affleck, Don Saladino, trainer to Ryan Reynolds and Blake Lively, Boss Everline, trainer to Kevin Hart, Hannah Bower, trainer and well-known fit-mom, and yoga and meditation influencer Morgan Tyler.

Playbook says it has a waitlist of several thousand creators that want onto its platform. The company looks for a few things when onboarding a new creator, namely an existing community of followers (on Instagram or YouTube or wherever) and an existing library of content. That’s not to say that new trainers can’t join the platform, but these are two signals that could help close the deal.

Playbook says it’s seeing 140 percent new creator account growth in 2020.

Playbook also offers an onboarding guide for creators, similar to the Etsy Seller Handbook, to offer a variety of example videos, best practices, and other tactics for success.

Of existing creators, women make up 60 percent of the pool and 15 percent of creators are people of color. Internally, around a quarter of employees for Playbook are women.

Uber UK launches Work Hub for drivers to find other gig jobs during COVID-19

Uber UK has launched a Work Hub for drivers to view a selection of temporary work opportunities with other companies as a way to supplement pandemic-hit ride-hailing earnings during the coronavirus crisis.

The Work Hub sits within the Uber driver app and displays offers of work from third party providers — including jobs that involve using a car to make deliveries — offering alternative gigs to drivers whose earnings have been affected by weak demand for ride-hailing during the COVID-19 pandemic.

The ride-hailing giant rolled out a similar feature in the US back in April, offering drivers there the ability to respond to job postings from around a dozen other companies, as well as the ability to receive orders through other Uber units: Eats, Freight and Works.

The UK flavor of the feature has fewer external suppliers (three at launch) — and seemingly no other internal Uber work gigs on offer.

From today, Uber said UK drivers can access “thousands” of “temporary job postings” and “flexible earning opportunities” with other companies — initially delivery firms Hermes and Yodel.

The recruiter, Adecco Group, is also offering temp work via the UK Work Hub for drivers.

“We’ll continue to add new partnerships and listings to the Work Hub as we find more opportunities for you, so check the Driver app regularly for updates,” Uber adds in a blog post announcing the launch.

The company has previously emailed UK drivers encouraging them to sign up for delivery work with the online supermarket Ocado, as demand for grocery delivery has surged during the COVID-19 pandemic.

But it’s now made this signposting more formal, via the Work Hub — and says the “thousands” of jobs are additional to any Ocado opportunities it had already emailed to UK drivers.

It’s not clear why Uber UK is not offering drivers the ability to pick up Uber Eats orders to tide themselves over.

However the Eats vs Uber ride-hailing labor force in the country likely has relatively little overlap, with cycle and motorbike couriers dominating UK Eats deliveries. Additionally, no UK cities are keen to encourage extra cars to hit the streets right now — so Uber may have multiple reasons not to want to cross those streams in Europe.

“Drivers are doing essential work to keep our communities moving as we fight this virus, but with fewer trips happening they need more ways to earn. With the Work Hub, drivers can find these additional earning opportunities with other companies, working flexibly around driving on the Uber app if they choose to do so,” said Jamie Heywood, Uber’s regional GM for Northern and Eastern Europe, in a statement.

The Work Hub initiative generally looks intended to encourage drivers to supplement (pandemic-hit) Uber earnings with other gig jobs. And — cynics might say — discourage an essential platform workforce from looking elsewhere for permanent work.

Uber will need its pool of drivers to be there still, owning a car and available for gig work, when normalcy returns if its ride-hailing business is to bounce back.

Aside from the US and the UK, other markets where Uber has already launched the Work Hub for drivers are Australia, Chile, Costa Rica, Canada, Mexico, Portugal and South Africa.

While the feature has been born in a crisis, Uber had already made moves into the broader temp work space — launching a shift finder app, called Uber Works, in Chicago last year. And the company told us it sees longer term opportunity for the Work Hub, as a vehicle to broaden the type of earning opportunities it can put in front of drivers, saying the initiative will continue to evolve.

On-demand storage startup MakeSpace picks up another $55M

Sheltering-in-place and working from home during COVID-19 has driven many of us to reorganize and de-clutter our living environments, and today one of the startups that is capitalizing on that trend is announcing a large round of funding to continue its growth. MakeSpace, an on-demand storage company that makes it easy to order, store and retrieve your physical belongings (also providing the muscle — that is, people — to help you do it), has closed a $55 million round — $45 million in equity funding and $10 million in debt — led by Iron Mountain, an existing investor and strategic partner whose primary focus is storage for larger businesses.

The funding is notable in part because of its size, but also because of the fact that it has happened at all.

On-demand storage startups have sprung up all over the world, hopeful that their new take on an antiquated, fragmented and valuable ($38 billion annually spent on storage) market would lead to big returns in a brave, new, Uberified world. But in reality, we’ve seen a lot of ups and downs, with various startups merging, closing, transferring and trying to pivot in the process. That’s left a consolidated space with fewer, hopefully better capitalised and better organised, competitors remaining. (Another biggie in this area is Clutter, backed by SoftBank and others, which has also been on a consolidation play as part of its growth.)

MakeSpace looks like it’s making a successful play to be in that group. This is a Series E for the startup — with other investors in the round including 8VC, Upfront Ventures, Maywic Select Investments, Ten Eighty, Provenio Capital, and CX Collective — and co-founder and CEO Rahul Gandhi said it was at “a premium” to the valuation MakeSpace had in the last round of funding (a Series D that closed last year), without confirming either the previous or current numbers.

For some more context, PitchBook details what seems to have been a rollercoaster of valuations for the startup, which if accurate underscore some of those obvious challenges in this market. Update: Gandhi confirmed that the startup has now raised about $150 million and the valuation is higher than that.

MakeSpace itself has hit a number of milestones that point to its own growth. Last year, it added 20 new markets, bringing the total to 31 in North America, and doing so in a cost-effective way. While one of the biggest costs (and stumbling blocks) for storage services to date has been grappling with building real estate businesses, MakeSpace has leaned on the infrastructure of its strategic investor Iron Mountain to bypass that challenge (and reduce those associated costs).

Gandhi said that it’s been outpacing “even our strongest forecasts,” with growth north of 30% on its targets, and he said the company has tens of thousands of customers using its service, which is priced in tiers starting at $69/month.

And while you might assume that a lack of house moving might mean less activity for storage companies, it seems the opposite is the case: MakeSpace and others like it have been designated “essential services” and its services have been in demand for people who are looking at their living spaces — and the prospect of spending significantly more time in them doing more than just watching Netflix, eating and sleeping — with new eyes. And ditto small businesses that are moving out of premises, even temporarily, or needing to rejig their environments because of distancing rules.

What’s also notable about MakeSpace is how it organises its workforce. While many on-demand businesses today have scaled by using an army of contractors, and all the complexities that this brings into the equation with regards to employee protections and benefits, MakeSpace has hired only full-time people, using its own team and those employed by Iron Mountain.

“They can get wonderful packages and all the benefits and perks to keep employee base happy,” Gandhi said. “It makes it easier to scale up the business and in terms of the hiring capabilities to help us scale.”

For a company built out of tech DNA — which is the other side of the business, involving smart logistics planning and storage optimising, and of course building it into an interface that can be used easily by workers and customers — workforce scaling and real estate/warehouse expansion are two of the biggest challenges in building on-demand storage businesses to compete with the heavyweights in the market, which include Public Storage, Extra Space Storage and U-Haul.

For Iron Mountain, it gives the firm, which focuses on enterprise users, a way to share in the revenues from tapping into the consumer market (optimizing use of its storage warehouses) without the costs of trying to service it directly.

“It has been amazing to see what MakeSpace has accomplished in the past year alone, growing from 4 to 24 markets almost overnight, and adding another 7 in 2020. They have taken a unique approach to storage that answers the modern customer’s demand for convenience, using technology to enhance the service and grow at an immense scale,” said Deirdre Evens, EVP and GM of North America Records and Information Management at Iron Mountain, in a statement.

“Especially now, services such as MakeSpace are delivering vital solutions for customers and businesses. MakeSpace has proven itself as an industry leader, finding new ways to offer support and services for this challenging time. We continue to be both proud and excited about our partnership with MakeSpace and the opportunity to leverage Iron Mountain’s storage and logistics expertise to further penetrate the fast growing valet consumer storage market.”

Gandhi acknowledged also that while Iron Mountain is an obvious acquirer longer-term, it remains a minority investor.

“It’s really key that we remain independent,” he added. “We understand the strength of what they bring to table but in order for this business to capture major market share we felt collectively it was important for it to remain that way. At some point that discussion [on a bigger stake or acquisition] may happen but for now we feel incredibly good about what they are bringing to the table.”

JustEat Takeaway $7.6B merger approved, pair pick up $756M in new funding

On the heels of Amazon getting approval from the competition authority to proceed with an investment leading a $575 million round for food delivery startup Deliveroo in the UK, two of Deliveroo’s biggest rivals got their own £6.2 billion merger approved, and they have subsequently picked up an extra $756 million to come out fighting.

Today, the competition watchdog in the UK officially gave a nod to the merger, originally valued at $10 billion but more currently valued at £6.2 billion, between UK’s JustEat and the Netherlands’ And along with that, the merged company announced that it had raised €700 million ($756 million) in new outside funding in the form of new shares and convertible bonds.

JustEat and Takeaway had already been respectively trading on the London and Netherlands stock exchanges — on LSE as ‘JET’ and on AMS as ‘TKWY’ — and they said they would use the capital and convertible bond issue to pay down debts, business development and other corporate purposes and potential acquisitions in what remains a very fragmented and crowded market for food delivery in Europe and elsewhere, despite the rapid scaling we’re seeing among some of the biggest players.

Specifically the pair said in their announcement that they would use the money to “partially pay down revolving credit facilities currently utilised by both Just Eat and, for general corporate purposes as well as to provide the Company with financial flexibility to act on strategic opportunities which may arise.”

The two also noted that the placement is conditional on the two getting successfully admitted to trade as a merged company. They’ve made the application for this and it is expected to become effective on April 27.

The Competition and Markets Authority, meanwhile, noted that its decision was influenced by the fact that had not been active in the UK market and “we are satisfied that there are no competition concerns.”

“Millions of people in the UK use online food platforms for takeaways and, where a merger could raise competition concerns, we have a duty to rigorously investigate whether customers could lose out. In this case, we carefully considered whether could have re-entered the UK market in future, giving people more choice,” it said. “It was important we investigated this properly, but after gathering additional evidence which indicates this deal will not reduce competition, it is also the right decision to now clear the merger.”

The moves cap off a turbulent nine months for the two companies, which announced their intention to merge last year to bulk up against pricey competition from Uber Eats, Deliveroo (which itself was getting a huge cash injection and support from the mighty Amazon) and more. After the two announced their intentions to come together, Prosus (the tech holdings of Naspers) also made a protracted, hostile bid for JustEat.

Online food delivery services have been a popular business in the world of tech: three-sided marketplaces bring together restaurants, consumers who would rather stay home but still want to eat restaurant food, and an army of delivery people who largely work as contractors to shuttle between the other two — but their growth has come at high costs.

Heavy competition between a number of firms, and the overall unit economics of on-demand services, have meant that all of them need large sums of cash to grow and often survive while they slowly inch towards profitability. (And those that cannot raise that cash often fall by the wayside or are swallowed up in larger consolidation plays for economy of scale.)

The big question is how the current climate is going to affect that general model. Stay-at-home orders have been a huge boost for businesses that cater to people making transactions virtually, or staying at home; and food delivery services check both of those boxes.

At least in the short term, that has spelled major opportunity for all of them, and the most optimistic believe that even if that outsized surge abates when some of our COVID-19 restrictions get relaxed, it will leave in its place a permanent shift among consumer and business behaviour.

For its part, the CMA noted that “millions” of people in the UK are using take-out services and that it is trying to be more flexible and efficient during COVID-19 to enable more services to people.

“During the COVID-19 outbreak, the CMA is working with businesses where it can to be flexible – for example, by recognising that there may be delays in providing the information it needs to conduct investigations,” it said. “However, it is also trying to complete investigations efficiently at this time, wherever possible, to provide businesses with certainty. In this case, the CMA was able to publish its final decision 26 days ahead of the statutory deadline.”