UK’s Online Safety Bill falls short on protecting speech and tackling harms, warns committee

Another UK parliamentary committee has weighed in on the government’s controversial plan to regulate Internet content with a broadbrush focus on ‘safety’.

The Digital, Culture, Media and Sport (DCMS) Committee warned in a detailed report today that it has “urgent concerns” the draft legislation “neither adequately protects freedom of expression nor is clear and robust enough to tackle the various types of illegal and harmful content on user-to-user and search services”.

Among the committee’s myriad worries are how fuzzily the bill defines different types of harms, such as illegal content — and designations of harms — with MPs calling out the government’s failure to include more detail in the bill itself, making it harder to judge impact as key components (like Codes of Practice) will follow via secondary legislation so aren’t yet on the table.

That general vagueness, combined with the complexities related to the choice for a “duty of care” approach — which the report notes in fact breaks down into several specific duties (vis-a-vis illegal content; content that poses a risk to children; and, for a subset of high risk P2P services, content that poses a risk to adults) — means the proposed framework may not be able to achieve the sought for “comprehensive safety regime”, in the committee’s view.

The bill also creates risks for freedom of expression, per the committee — which has recommended the government incorporates a balancing test for the regulator, Ofcom, to assess whether platforms have “duly balanced their freedom of expression obligations with their decision making”.

The risk of platforms responding to sudden, ill-defined liability around broad swathes of content by over-removing speech — leading to a chilling impact on freedom of expression in the UK — is one of the many criticisms raised against the bill which the committee appears to be picking up on.

It suggests the government reframes definitions of harmful content and relevant safety duties to bring the bill in line with international human rights law — in order to try to safeguard against the risk of over-removal by providing “minimum standards against which a provider’s actions, systems and processes to tackle harm, including automated or algorithmic content moderation, should be judged”.

Even on child safety — a core issue UK ministers have repeatedly pinned to the legislation — the committee flags “weaknesses” in the bill that they assert mean the proposed regime “does not map adequately onto the reality of the problem”.

They have called for the government to go further in this area, urging the bill to be expanded to cover “technically legal” practices, such as breadcrumbing (aka “where perpetrators deliberately subvert the thresholds of criminal activity and for content removal by a service provider”) — citing witness testimony which suggests the practice, while not in fact illegal, “nonetheless forms part of the sequence for online CSEA [child sexual exploitation and abuse]”.

Similarly, the committee suggests the bill needs to go further to protect women and girls against types of online violence and abuse specifically directed at them (such as “tech-enabled ‘nudifying’ of women and deepfake pornography”).

On Ofcom’s powers of investigation of platforms, the committee argues they need to be further strengthened — urging amendments to give the regulator the power to “conduct confidential auditing or vetting of a service’s systems to assess the operation and outputs in practice”; and to “request generic information about how ‘content is disseminated by means of a service’”, with MPs further suggesting the bill should provide more specific detail about the types of data Ofcom can request from platforms (presumably to avoid the risk of platforms seeking to evade effective oversight).

However — on enforcement — the committee has concerns in the other direction and is worried over a lack of clarity over how Ofcom’s (set to be) very substantial powers may be used against platforms.

It has recommended a series of tweaks, such as making clear these powers only apply to in-scope services.

MPs are also calling for a redrafting of the use of so-called “technology notices” — which will enable the regulator to mandate the use of new technology (following “persistent and prevalent” failings of the duty of care) — saying the scope and application of this power should be “more tightly” defined, and more practical information provided on the actions required to bring providers into compliance, as well as more detail on how Ofcom will test whether the use of such power is proportionate.

Here the committee flags issues of potential business disruption. It also suggests the government take time to evaluate whether these powers are “appropriately future-proofed given the advent of technology like VPNs and DNS over HTTPs”.

Other recommendations in the report include a call for the bill to contain more clarity on the subject of redress and judicial review.

The committee also warns against the government creating a dedicated joint committee to oversee online safety and digital regulation, arguing that parliamentary scrutiny is “best serviced by the existing, independent, cross-party select committees and evidenced by the work we have done and will continue to do in this area”.

It remains to be seen how much notice the government takes of the committee’s recommendations. Although the secretary of state for digital, Nadine Dorries, has previously suggested she is open to taking on board parliamentary feedback to the sweeping package of legislation.

The report, by the DCMS Committee, follows earlier recommendations — in December — by a parliamentary joint committee focused on scrutinizing the bill which also warned that the draft legislation risked falling short of the government’s safety aims.

The government published the draft Online Safety bill back in May 2021 — setting out a long-trailed plan to impose a duty of care on Internet platforms with the aim of protecting users from a swathe of harms, whether related to (already illegal) content such as terrorist propaganda, child sexual abuse material and hate speech, through more broadly problematic but not necessarily illegal content such as bullying or content promoting eating disorders or suicide (which may create disproportionate risks for younger users of social media platforms).

Speaking to the joint committee in November, Dorries predicted the legislation will usher in a systemic change to Internet culture — telling MPs and peers it will create “huge, huge” change to how Internet platforms operate.

The bill, which is still making its way through parliament, targets a broad range of Internet platforms and envisages enforcing safety-focused governance standards via regulated Codes of Conduct, overseen by Ofcom in an expanded role — including with incoming powers to issue substantial penalties for breaches.

The sweeping scope of the regulation — the intent for the law to target not just illegal content spreading online but stuff that falls into more of a grey area where restrictions risk impinging on freedom of expression and speech — means the proposal has attracted huge criticism from civil liberties and digital rights groups, as well as from businesses concerned about liability and the compliance burden.

In parallel, the government has been stepping up attacks on platforms’ use of end-to-end encryption — deploying rhetoric that seeks to imply robust security is a barrier to catching pedophiles (see, for example, the government’s recently unveiled NoPlaceToHide PR to try to turn the public against E2E encryption). So critics are also concerned that ministers are trying to subvert Internet security and privacy by recasting good practices as barriers to a goal of imposing ‘child safety’ through mass digital surveillance.

On that front, in recent months, the Home Office has also been splashing a little taxpayer cash to try to foster the development of technologies which could be applied to E2EE systems to scan for child sexual abuse material — which it claims could offer a middle ground between robust security and law enforcement’s data access requirements.

Critics of the bill already argue that using a trumped up claim of child ‘protection’ as a populist lever to push for the removal of the strongest security and privacy protections from all Internet users — simultaneously encouraging a cottage industry of commercial providers to spring up and tout ‘child protection’ surveillance services for sale — is a lot closer to gaslighting than safeguarding, however.

Zooming back out, there is also plenty of concern over the risk of the UK over-regulating its digital economy.

And of the bill becoming a parliamentary “hobby horse” for every type of online grievance, as one former minister of state put it — with the potential for complex and poorly defined content regulation to end up as a disproportionate burden on UK startups vs tech giants like Facebook whose self-serving algorithms and content moderation fuelled calls for Internet regulation in the first place, as well as being hugely harmful to UK Internet users’ human rights.

 

WTF is .xyz?

If you’ve visited a crypto company’s website recently, you’ve probably visited a URL ending in “.xyz” instead of its cheugier counterpart, .com. From fintech Block, formerly known as Square, to venture firm Paradigm, to blockchain startups like Mirror, .xyz has become the go-to URL ending for many web3 companies. But what does it mean, and why has it caught on in the web3 space?

.xyz, released to the public in 2014, first surged in popularity one year later when Google parent Alphabet decided to use it for their rebranded website. The internet behemoth had run into an increasingly widespread problem — the .com URLs for their brand were already taken, with BMW’s fleet management division using alphabet.com and American Broadcasting Corporation at abc.com.

So Alphabet decided to open up shop at abc.xyz, which presented an “unlimited branding opportunity” for its “futuristic company,” Daniel Negari, .xyz’s 30-year-old founder and CEO, told TechCrunch in an email. Now, .xyz may be one of the top five top-level domains (TLDs) in the world by traffic, according to the company’s own DNS data.

.xyz was created to “provide users around the world competition and choice when it comes to their domain name,” and is “the first truly generic domain extension with no inherent meaning,” according to Negari. While .com was meant for commercial use, .net for networks and .org for organizations, Negari envisioned .xyz as the TLD choice for users who felt they did not fit neatly into one of these categories or wanted to stand out. 

“I firmly believe the market has adopted our mantra of ‘for every website everywhere,’” Negari said. “Our mantra of openness and inclusion for everyone and everything has bled through into a community of creative thinkers that has embraced .xyz as their domain.”

How .xyz met web3

Negari is an active crypto investor with “numerous” investments in the space, including Gemini, MoonPay and BlockFi, he said. Because of his interest in crypto, he reached out to Ethereum Name Service (ENS) creator Nick Johnson to pitch him a collaboration.

“That historic collaboration allowed early adopters to use a .xyz domain as their wallet address,” Negari said.

ENS allows users to create a universal nickname for all their crypto addresses, providing a searchable database to make crypto wallets and transactions, which otherwise reside on a variety of different platforms, more easily accessible. Users can now create profiles to share their social media handles or other personal information in ENS using its native .eth domain or on a .xyz domain.

.xyz has continued to find ways to collaborate with ENS and work with the crypto community. It announced this week that it launched its “eth.xyz” service, allowing users to search individual ENS profiles simply by adding “.xyz” to the end of their .eth name rather than having to go to the ENS database to look them up, Negari said. 

By allowing cryptocurrency holders to buy domains in their preferred names using Ethereum, ENS has creatively monetized users’ desire to leverage the internet as an identity-building tool. Shopify CEO Tobi Lütke, for example, bought the ENS domain name tobi.eth earlier this month for 30 ether, equivalent to more than $120,000 at the time of the transaction.

Although .xyz domains currently fall under the purview of the DNS system, managed by internet regulatory authority ICANN, several parties are now working to develop a decentralized alternative to this system to underpin web3, TechCrunch’s Amanda Silberling reported. .xyz’s strategy to align itself proactively with web3 companies could present a host of new monetization opportunities based on identity and ownership in a decentralized web as this generation of internet users stakes new claims on domains.

.xyz runs a blog where it highlights companies, many of them web3 native, that have chosen to use its domain name ending, and cites reasons why. 

Some of them opted to use it for simple logistical reasons. Defi platform Matcha said that using the .xyz web extension gave it many more naming options, and Ethereum data tool Dune chose .xyz because it allowed for a more concise web address. 

Its domains, available to anyone who wants to purchase them, also tend to be more affordable compared to their alternatives. To that end, .xyz launched a class of domains known as 1.111B, which are 6- to 9-digit numerical domains available for 99 cents each year, Negari said.

Beyond its convenience and accessibility, some web3 builders see .xyz as a symbolic representation of their ambitions to build a new internet.

“We chose .xyz because it symbolizes decentralization and the new wave of Web3 applications,” Réka, the founder of decentralized autonomous organization Agora DAO, wrote.

Negari agrees that .xyz’s cultural significance may be one of its most important attributes, as it represents the next generation of online innovation after the .com era. 

“The community is made up of hundreds of thousands to millions of individuals and small businesses who are actively breaking away from the status quo to take a stand for the future,” Negari said. “You do not have to be a non-profit organization or a commercial registrant – you can be whatever and whoever you want.”

Cloudflare blocked a massive 2 Tbps DDoS attack

Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at just under 2 Tbps, making it one of the largest ever recorded.

The internet company said in a blog post that the attack was launched from approximately 15,000 bots running a variant of the original Mirai code on exploited Internet of Things (IoT) devices and unpatched GitLab instances.

The DDoS attack comes just two weeks after Rapid7 warned of a GitLab vulnerability — rated a full 10.0 on the CVSS severity scale — that could be exploited to allow an attacker to remotely run code, like botnet malware, on an affected server. Rapid7 found that at least half of the 60,000 internet-facing GitLab instances remain unpatched, and warned that it expected “exploitation to increase” as details of the bug became public.

The company wasn’t wrong; Cloudflare said it blocked the massive DDoS attack just one week later. From its analysis of the attack, Cloudflare believes that it was a multi-vector attack that combined DNS amplification attacks with UDP floods.

Cloudflare says the attack, which lasted less than a minute, was the largest it had witnessed to date. It comes just a month after Microsoft said it mitigated a “record-breaking” 2.4 Tbps DDoS attack targeting one of its Azure customers in Europe.

While Cloudflare mitigated the attack in seconds, it warns that it witnessed multiple terabit-strong DDoS attacks last month, adding that the trend is unlikely to slow down any time soon.

“Another key finding from our Q3 DDoS Trends report was that network-layer DDoS attacks actually increased by 44% quarter-over-quarter,” said Omer Yoachimik, product manager at Cloudflare. “While the fourth quarter is not over yet, we have, again, seen multiple terabit-strong attacks that targeted Cloudflare customers.”

Rapid7 has urged GitLab users to upgrade to the latest version of GitLab as soon as possible. “In addition, ideally, GitLab should not be an internet-facing service,” the company added. “If you need to access your GitLab from the internet, consider placing it behind a VPN.”

Facebook, WhatsApp and Instagram are slowly returning. Why did they disappear to begin with?

Facebook’s day-long outage is by far its longest and most extreme in years. At around 9 a.m. PDT on the U.S. West Coast — where the social giant is headquartered — Facebook, WhatsApp, Instagram and Facebook Messenger seemed to vanish from the internet.

The outage continued through market close, with the company’s stock dropping around 5% below its opening price on Monday. By midafternoon, services were beginning to resume after Facebook reportedly dispatched a team to its Santa Clara data center to “manually reset” the company’s servers.

But what makes the outage unique is just how extremely offline Facebook was.

In the morning, Facebook sent a brief tweet to apologize that “some people are having trouble accessing our apps and products.” Then, reports emerged that the outage was affecting not just its users, but the company itself. Employees were reportedly unable to enter their office buildings, and staff called it a “snow day” — they couldn’t get any work done because the outage also affected internal collaboration apps.

Facebook hasn’t commented on the cause of the outage, though security experts said evidence pointed to a problem with the company’s network that cut off Facebook from the wider internet and also itself.

The first signs of trouble were around 8:50 a.m. PDT in California, according to John Graham-Cumming, CTO at networking giant Cloudflare, who said Facebook “disappeared from the internet in a flurry of BGP updates” over a two-minute window, referring to BGP, or Border Gateway Protocol, the system that networks use to figure out the fastest way to send data over the internet to another network.

The updates were specifically BGP route withdrawals. Essentially, Facebook had sent a message to the internet that it was closed for business, like closing the drawbridge of its castle. Without any routes into the network, Facebook was basically isolated from the rest of the internet, and because of the way Facebook’s network is structured, the route withdrawals also took out WhatsApp, Instagram, Facebook Messenger and everything inside its digital walls.

A few minutes after the BGP routes were withdrawn, users began to notice issues. Internet traffic that should have gone to Facebook essentially got lost on the internet and went nowhere, Rob Graham, founder of Errata Security, said in a tweet thread.

Users began to notice that their Facebook apps had stopped working and the websites weren’t loading and reported experiencing issues with DNS, or the domain name system, which is another critical part of how the internet works. DNS converts human-readable web addresses into machine-readable IP addresses to find where a web page is located on the internet. Without a way into Facebook’s servers, apps and browsers would keep kicking back what looked like DNS errors.

It’s not known exactly why the BGP routes were withdrawn. BGP, which has been around since the advent of the internet, can be manipulated and maliciously exploited in ways that can lead to massive outages.

What’s more likely is that a Facebook configuration update went terribly wrong and its failure cascaded throughout the internet. A now-deleted Reddit thread from a Facebook engineer described a BGP configuration error long before it was widely known.

But while the fix might be simple, the recovery may stretch from the next few hours into the following days because of how the internet works. Internet providers usually update their DNS records every few hours, but they can take several days to fully propagate.

“To the huge community of people and businesses around the world who depend on us: we’re sorry,” Facebook tweeted around 3:30 p.m. local time. “We’ve been working hard to restore access to our apps and services and are happy to report they are coming back online now. Thank you for bearing with us.”

NS1 brings open-source service NetBox to the cloud

New York City-based startup NS1 got its start providing organizations with managed DNS services to help accelerate application delivery and reliability. With its new NetBox Cloud service, which is being announced in preview today, NS1 is expanding its services into a new area beyond DNS.

It can often be a challenging task for a network administrator in an enterprise to understand where all the networking infrastructure is and how it’s all supposed to be connected. That’s a job for an emerging class of enterprise technology known as Infrastructure Resource Management (IRM) that NS1 is now jumping into. TechCrunch profiled NS1 in a wide-ranging EC-1 series last month. The company provides DNS as a service for some of the biggest sites on the internet. DNS, or domain name system, is about connecting IP addresses to domain names, and NS1 has technology that helps organizations to intelligently optimize application traffic delivery.

With its new NetBox Cloud service, NS1 is providing a managed service for NetBox which is a popular open source IRM tool that was initially built by developer Jeremy Stretch, while he was working at cloud provider DigitalOcean. Stretch joined NS1 as a distinguished engineer in April of this year, with NS1 now supporting the open source project.

Stretch recounted that at one point during his tenure at DigitalOcean he was using Microsoft Excel spreadsheets to track IP address management. Using a spreadsheet to track IP addresses doesn’t scale, so Stretch coded the initial version of NetBox in 2015 to address that need. Over the last several years, NetBox has expanded with additional capabilities that will now also help users of NS1’s NetBox Cloud service.

Stretch explained that NetBox’s role is primarily in modelling network infrastructure in an approach that provides what he referred to as a “source of truth” for network infrastructure. The basic idea is to enable organizations to model the desired state of their networks, and from that point they can draw in monitoring to verify that the operational state is the same as the desired state.

“So the idea of this source of truth is that it is the actual documented authoritative record of what is supposed to be configured on the network,” Stretch said.

NetBox has continued to grow over the years as a popular open source tool, but it hasn’t been particularly accessible to enterprises that required commercial support to get started, or that wanted a managed service. The goal with the new service is to make it easier for organizations of any size to get started with NetBox to better manage their networks.

NS1 co-founder and CEO Kris Beevers told TechCrunch that while Stretch has done a solid job of building the NetBox open source community, there hasn’t been a commercial service for NetBox. Beevers said that while NetBox has had broad adoption as an open source effort, in his view there are a lot of enterprises that will want commercial support and a managed service.

One key theme that Beevers reiterated time and again in the Extra Crunch EC-1 series is that NS1 is very experimental as a business, and that same theme holds true for NetBox. The primary objective for the initial beta release of the NetBox Cloud is all about figuring out exactly who is trying to adopt the technology and learning what challenges commercial users will face. Fundamentally, Beevers said that NS1 will be actively iterating on NetBox Cloud to make sure it addresses the things that enterprises care about.

“From the NS1 point of view, this is just such a compelling open source product and community and we want to drive barriers to adoption as low as we possibly can,” Beevers said.

NS1 was founded in 2013 and has raised $118.4 million in funding, including a $40 million Series D which the company closed in July 2020.

A DNS outage just took down a large chunk of the internet

A large chunk of the internet dropped offline on Thursday. Some of the most popular sites, apps and services on the internet were down, including UPS and FedEx (which have since come back online), Airbnb and Fidelity, and others are reporting that Steam, LastPass and the PlayStation Network are all experiencing downtime.

Many other websites around the world are also affected, including media outlets in Europe.

What appears to be the cause is an outage at Akamai, an internet security giant that provides networking and content delivery services to companies. At around 11am ET, Akamai reported an issue with its Edge DNS, a service that’s designed to keep websites, apps and services running smoothly and securely.

DNS services are critically important to how the internet works, so when things go wrong or there’s an outage, it can cause a knock-on effect to all of the customer websites and services that rely on it.

Akamai said it was “actively investigating the issue,” but when reached, a spokesperson would not say if its outage was the cause of the disruption to other sites and services that are currently offline. Akamai would not say what caused the issue, only that it was already in recovery.

“We have implemented a fix for this issue, and based on current observations, the service is resuming normal operations. We will continue to monitor to ensure that the impact has been fully mitigated,” Akamai told TechCrunch.

It’s not the first time we’ve seen an outage this big. Last year Cloudflare, which also provides networking services to companies around the world, had a similar outage following a bug that caused major sites to stop loading, including Shopify, Discord and Politico. In November, Amazon’s cloud service also stumbled, which prevented it updating its own status page during the downtime. Online workspace startup Notion also had a high-profile outage this year, forcing the company to turn to Twitter to ask for help.

DNSFilter secures $30M Series A to step up fight against DNS-based threats

DNSFilter, an artificial intelligence startup that provides DNS protection to enterprises, has secured $30 million in Series A funding from Insight Partners.

DNSFilter, as its name suggests, offers DNS-based web content filtering and threat protection. Unlike the majority of its competitors, which include the likes of Palo Alto Networks and Webroot, the startup uses proprietary AI technology to continuously scan billions of domains daily, identifying anomalies and potential vectors for malware, ransomware, phishing, and fraud.

“Most of our competitors either rent or lease a database from some third party,” Ken Carnesi, co-founder and CEO of DNSFilter, tells TechCrunch. “We do that in-house, and it’s through artificial intelligence that’s scanning these pages in real-time.”

The company, which counts the likes of Lenovo, Newegg, and Nvidia among its 14,000 customers, claims this industry-first technology catches threats an average of five days before competitors and is capable of identifying 76% of domain-based threats. By the end of 2021, DNSFilter says it will block more than 1.1 million threats daily.

DNSFilter has seen rapid growth over the past 12 months as a result of the mass shift to remote working and the increase in cyber threats and ransomware attacks that followed. The startup saw eightfold growth in customer activity, doubled its global headcount to just over 50 employees, and partnered with Canadian software house N-Able to push into the lucrative channel market.  

“DNSFilter’s rapid growth and efficient customer acquisition are a testament to the benefits and ease of use compared to incumbents,” said Thomas Krane, principal at Insight Partners, who has been appointed as a director on DNSFilter’s board. “The traditional model of top-down, hardware-centric network security is disappearing in favor of solutions that readily plug in at the device level and can cater to highly distributed workforces.”

Prior to this latest funding round, which was also backed by Arthur Ventures (the lead investor in DNSFilter’s seed round), CrowdStrike co-founder and former chief technology officer Dmitri Alperovitch also joined DNSFilter’s board of directors.

Carnesi said the addition of Alperovitch to the board will help the company get its technology into the hands of enterprise customers. “He’s helping us to shape the product to be a good fit for enterprise organizations, which is something that we’re doing as part of this round — shifting focus to be primarily mid-market and enterprise,” he said.

The company also recently added former CrowdStrike vice president Jen Ayers as its chief operating officer. “She used to manage their entire managed threat hunting team, so she’s definitely coming on for the security side of things as we build out our domain intelligence team further,” Carnesi said.

With its newly-raised funds, DNSFilter will further expand its headcount, with plans to add more than 80 new employees globally over the next 12 months.

“There’s a lot more that we can do for security via DNS, and we haven’t really started on that yet,” Carnesi said. “We plan to do things that people won’t believe were possible via DNS.”

The company, which acquired Web Shrinker in 2018, also expects there to be more acquisitions on the cards going forward. “There are some potential companies that we’d be looking to acquire to speed up our advancement in certain areas,” Carnesi said.

Extra Crunch roundup: NS1 EC-1, Pakistan’s tech ecosystem, SPACs bonanza

Did you see the viral videos of yesterday’s flooding in New York City subways?

In one, riders waded through brown, waist-deep water; another video showed a cascade rushing down a flight of stairs to a subway platform where passengers waited for a train.

Infrastructure doesn’t attract much attention until it fails. Domain name services (DNS), the system that directs readers to techcrunch.com when they type or speak it into their web browser, are much the same way.

For the latest entry in a series of longform articles that explore the inner workings of notable startups, we looked at NS1, an internet infrastructure company best known for its software-defined DNS.

Since its founding in 2013, NS1 has raised more than $100 million to build an engineering team and robust product portfolio that’s expanded to include DDI, which helps companies manage internal networks.

If you’re curious about how NS1 transformed “a slumbering and dreary yet reliable aspect of the internet” into “a strategic moat and an enterprise win” in just eight years, read on.


Part 1: Origin story: how three engineers decided to rebuild the internet’s core addressing system.

Part 2: Product development and roadmap: experimentation, open-source efforts and expanding beyond DNS.

Part 3: Competitive landscape: a look at the broader internet infrastructure market.

Part 4: Customer development: how their top competitor’s stumble became “the gift that kept on giving.”

Thanks very much for reading Extra Crunch — have a great weekend!

Walter Thompson
Senior Editor, TechCrunch
@yourprotagonist

Startups have never had it so good

Alex Wilhelm and Anna Heim didn’t mince words in today’s Exchange.

“The venture capital market is racing ahead, foot on the gas, middle finger out the window, hair on fire.”

That’s their hot take after analyzing the Q2 data released so far about how much money VCs deployed across the globe between April and the end of June.

Leaning on data from CB Insights, Crunchbase News and FactSet, Alex and Anna walk through the data from the U.S. and a few other regions — and promise deeper regional dives next week.

What I learned the hard way from naming 30+ startups

If you’re starting a company, choosing a name can feel like a fraught choice. But actually, as long as you follow some basic guidelines, it shouldn’t lead to paralysis.

“The truth is that business names fall on a bell curve — you have a small number of outliers that actively contribute to your success and a small number of outliers that actively impair your ability to succeed,” Drew Beechler, who’s named more than 30 software startups, writes in a guest column. “The vast majority, though, fall somewhere in the middle in their impact on your business.”

Nextdoor’s SPAC investor deck paints a picture of sizable scale and sticky users

The SPAC parade continued apace this week as Nextdoor announced it would go public via a blank-check company, with the community social network making its pitch based on scale, claiming users in one in three U.S. households.

Alex Wilhelm unpacks Nextdoor’s “clear-eyed look into [its] financial performance in both historical terms and in terms of what it might accomplish in the future,” noting that “our usual mockery of SPAC charts mostly doesn’t apply.”

Pakistan’s growing tech ecosystem is finally taking off

So far this year, startups in Pakistan are on track to raise more than in the previous five years combined, according to Mikal Khoso, an early-stage investor at Wavemaker Partners.

“Even more excitingly, a large portion of this capital is coming from international investors from across Asia, the Middle East and even famed investors from Silicon Valley,” he notes in a guest post for Extra Crunch.

He’s identified three factors that are fueling investor interest: rapidly expanding mobile connectivity, an improved security situation, and critical legal and regulatory changes that are making the country more startup- and VC-friendly.

Drawing a map of Pakistan’s tech ecosystem, Khoso identifies local companies trying to grab a slice of grocery delivery, e-commerce, ride-hailing and other sectors before examining the challenges still in place.

“The segments in Pakistan that are likely to attract the best entrepreneurs and most investor capital in the years to come will be fintech, e-commerce and edtech,” says Khoso.

Investors find European unicorns reluctant to join SPAC boom

The nonstop news of startups partnering up with SPACs in the United States had Alex Wilhelm and Anna Heim wondering if the blank-check boom expanded to other countries.

“Unicorns are hardly unique to the U.S. startup ecosystem,” they write. “Are we seeing similar SPAC interest in Europe?”

Anna and Alex talked to investors to see why — or why not — European startups would take the SPAC path to become a public company.

For successful AI projects, celebrate your graveyard and be prepared to fail fast

When you’ve invested a lot of time and energy in a project, it can be difficult to decide to shelve it — or worse, kill it.

But for AI projects, teams should be prepared to fail fast, Sandeep Uttamchandani, the chief data officer of Unravel Data, writes in a guest column.

“In order to fail fast, AI initiatives should be managed as a conversion funnel analogous to marketing and sales funnels,” he writes. “Projects start at the top of the five-stage funnel and can drop off at any stage, either to be temporarily put on ice or permanently suspended and added to the AI graveyard.”

Uttamchandani walks through the five stages of the funnel and offers suggestions for when to start digging a hole for your project in the graveyard.

Circle is a good example of why SPACs can be useful

Yes, we’re all a bit over-SPAC-ed at this point. It’s just been a nonstop torrent of startups linking up with blank-check companies.

But Circle, a Boston-based technology company that provides API-delivered financial services and a stablecoin, is just “the sort of business that is correct for a SPAC-led debut,” Alex Wilhelm writes in The Exchange.

“It could not go public in a traditional manner in its current state of maturity,” he writes.

“But a SPAC can get it a huge slug of cash at a price that it has locked in, allowing it to complete its growth into corporate adulthood while public. A gamble, sure, but one that will be very fun to watch.”

Can advertising scale in VR?

It’s not hard to imagine how advertising could be valuable in VR: billboards on streetscapes, magazine covers on newsstands, cereal boxes in virtual kitchens.

But Facebook’s stab at experimental VR ads didn’t last very long; after an onslaught of negative feedback from players, the test was quickly scuttled.

That said, VR advertising has a ton of untapped potential — but it’s going to take a minute to reach profitable scale.

Achieving digital transformation through RPA and process mining

“Robots are not coming to replace us,” Alp Uguray is quick to note in a guest column about robotic process automation. “They are coming to take over the repetitive, mundane and monotonous tasks that we’ve never been fond of.”

That’s the good news. But RPA is still in the early stages, despite rapid growth through IPOs, acquisitions and funding rounds.

“Adoption of RPA and process mining in your organization will define the operational excellence of your firm,” he writes. “If you are behind in this race, just think of how your enterprise can continue to compete with fully digital peers. Your organization won’t want to be in the back of this race.”

Demand Curve: 10 lies you’ve been told about marketing

In a guest column, Nick Costelloe, the head of content for Demand Curve, notes that while the content you stumble across in a Google search might not be “intentionally misleading,” it might not lead you in the right direction.

Here, he debunks 10 common myths about marketing — and offers suggestions for what to do instead.

5 fundraising imperatives for robotics startups

This guest post from three contributors from Next47, MassRobotics and Lux Capital looks at best practices for robotics startups looking to raise cash.

“There has never been a better time to pursue funding for robotics startups, but you are more likely to succeed if you build a fundraising strategy that is marked by the same sophistication and informed understanding you already bring to many other aspects of your new business,” the writers say.

Here, they lay out five strategies to ensure robotics startups get the funding they need.

Notion’s hours-long outage was caused by phishing complaints

Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.

Notion was offline for most of the morning on Friday, plunging its more than four million users into organizational darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.

Notion registered its domain name notion.so through Name.com, but all .so domains are managed by Hexonet, a company that helps connect Sonic, the .so top-level domain registry, with domain name registrars like Name.com.

That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.

In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”

“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.

There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to notion.com, which the company owns.

Notion’s outage is almost identical to what happened with Zoho in 2018, which, like Notion, resorted to tweeting at its domain registrar after it blocked zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.

It sounds like there’s no immediate danger of a repeat outage, but Notion did not return TechCrunch’s email over the weekend asking what it plans to do to prevent phishing on its platform in the future.

A massive database of 8 billion Thai internet records leaks

Thailand’s largest cell network AIS has pulled a database offline that was spilling billions of real-time internet records on millions of Thai internet users.

Security researcher Justin Paine said in a blog post that he found the database, containing DNS queries and Netflow data, on the internet without a password. With access to this database, Paine said that anyone could “quickly paint a picture” about what an internet user (or their household) does in real-time.

Paine alerted AIS to the open database on May 13. But after not hearing back for a week, Paine reported the apparent security lapse to Thailand’s national computer emergency response team, known as ThaiCERT, which contacted AIS about the open database.

The database was inaccessible a short time later.

It’s not known who owns the database. Paine told TechCrunch that the kind of records found in the database can only come from someone who’s able to monitor internet traffic as it flows across the network. But there is no easy way to tell whether the database belongs to the internet provider — or one of its subsidiaries — or to a large enterprise customer on AIS’ network. AIS spokespeople did not respond to our emails requesting comment.

DNS queries are a normal side-effect of using the internet. Every time you visit a website, the browser converts a web address into an IP address, which tells the browser where the web page lives on the internet. Although DNS queries don’t carry private messages, emails, or sensitive data like passwords, they can identify which websites you access and which apps you use.

But that could be a major problem for high-risk individuals, like journalists and activists, whose internet records could be used to identify their sources.

Thailand’s internet surveillance laws grant authorities sweeping access to internet user data. Thailand also has some of the strictest censorship laws in Asia, forbidding any kind of criticism against the Thai royal family, national security, and certain political issues. In 2017, the Thai military junta, which took power in a 2015 coup, narrowly backed down from banning Facebook across the country after the social network giant refused to censor certain users’ posts.

DNS query data can also be used to gain insights into a person’s internet activity.

Using the data, Paine showed how anyone with access to the database could learn a number of things from a single internet-connected house, such as the kind of devices they owned, which antivirus they ran, which browsers they used, and which social media apps and websites they frequented. In households or offices, many people share one internet connection, making it far more difficult to trace internet activity back to a particular person.

Advertisers also find DNS data valuable for serving targeted ads.

Since a 2017 law allowed U.S. internet providers to sell internet records — like DNS queries and browsing histories — of their users, browser makers have pushed back by rolling out privacy-enhancing technologies that make it harder for internet and network providers to snoop.

One such technology, DNS over HTTPS — or DoH — encrypts DNS requests, making it far more difficult for internet or network providers to know which websites a customer is visiting or which apps they use.