Quest Pro: A $1500 VR headset with pancake lenses - Protocol

2022-10-12 10:01:59 By : Mr. BingFang Zhang

Executives have called the headset a first in a new line of premium devices.

Meta's Quest Pro headset will cost a whopping $1,500.

Meta has taken the wraps off its next VR headset. The Quest Pro, which was previously known as Project Cambria, promises higher fidelity, mixed reality, and face and eye tracking for $1,500, a significant premium over its past consumer-focused headsets. The device will be available in the U.S. and 21 other countries later this month, company executives announced at the Meta Connect developer conference Tuesday.

The headset is equipped with RGB cameras for mixed-reality experiences that combine VR elements with a color video pass-through view of the real world. The Quest Pro also uses more advanced optics, including pancake lenses, which offer higher visual fidelity than the company’s Quest 2 device.

Face- and eye-tracking sensors make it possible to more realistically animate the facial expressions of people wearing the headset, and a new set of controllers with built-in sensors and more advanced tactile feedback should make for a better gameplay experience. The Quest Pro also features a more open design meant to allow people to multitask and glance at their desk. Optional add-ons to block out external light will be sold by both Meta and third-party vendors, according to company spokespeople.

The Quest Pro is being positioned by Meta as a first in a line of new high-end devices that will be released alongside the consumer Quest VR headsets. Over time, some of the features that debuted in the Quest Pro may find their way to the consumer line, while others will likely be exclusive to more expensive devices for some time.

Mark Zuckerberg told Protocol earlier this year that the Quest Pro was built for work use cases, and the company announced partnerships with Adobe, Autodesk, and Microsoft to bring support for work-related tools to the headset.

However, Meta CTO Andrew Bosworth told Protocol last week that the Quest Pro is more geared toward prosumers than the enterprise; Meta is only selling the device through retail channels for the time being, but the company announced plans to launch new business subscription plans next year to target.

Meta executives also used Tuesday’s event to highlight some of the success the company has seen in VR thus far. This included the fact that one in three apps distributed via Quest’s official app store now generates at least seven-figure revenues, while 33 apps and games have grossed over $10 million in revenue.

In a sign that Meta wants to keep investing in content itself as well, the company announced Tuesday that it had acquired three additional VR development studios. The company is currently in a legal battle with the FTC, which wants to prevent Meta’s proposed acquisition of VR fitness startup Within Unlimited.

Janko Roettgers (@jank0) is a senior reporter at Protocol, reporting on the shifting power dynamics between tech, media, and entertainment, including the impact of new technologies. Previously, Janko was Variety's first-ever technology writer in San Francisco, where he covered big tech and emerging technologies. He has reported for Gigaom, Frankfurter Rundschau, Berliner Zeitung, and ORF, among others. He has written three books on consumer cord-cutting and online music and co-edited an anthology on internet subcultures. He lives with his family in Oakland.

Microsoft's latest platform for pushing Xbox gaming is an unconventional one: Meta's Quest 2 VR headset.

Using its cloud gaming technology, Microsoft says it will let VR users stream Xbox games to a virtual screen inside of a virtual environment rendered by the Quest, similar to how you might watch a livestream, Netflix, or other 2D content in VR. The integration doesn't have a planned release date yet, but it will be available to subscribers of Microsoft's Xbox Game Pass Ultimate subscription, which costs $15 a month and includes access to Xbox Cloud Gaming.

The partnership between the two tech giants was announced Tuesday at the Meta Connect developer conference keynote, where CEO Mark Zuckerberg detailed the company's new $1,500 Quest Pro headset and scores of other product updates, new features, and far-out plans related to its metaverse ambitions. It extends beyond Game Pass and cloud gaming, too, and also includes integrations for Microsoft Teams, Windows 365, and Office apps on the Quest platform.

Additionally, Microsoft and Meta are making some of their software platforms and products interoperable. For instance, the two companies say you'll be able to launch Teams meetings from inside the enterprise-focused platform Horizon Workrooms, Meta's in-beta platform for conducting work meetings in VR. You'll also be able to use your Meta avatars within Teams on Quest devices.

"We think that this cross-device, cross-screen experience will be the foundation of the virtual office of the future," Zuckerberg said during the keynote.

Meta is adding three new virtual reality game developers to its growing Oculus Studios division, the in-house creative team responsible for courting developers to build new software for VR devices. The acquisitions were announced as part of the company's keynote during the Meta Connect conference.

Joining Meta's internal development roster are Iron Man VR developer Camouflaj, Wilson's Heart developer Twisted Pixel, and Armature Studio, the team behind the successful port of Capcom's Resident Evil 4 for the Meta Quest 2. (According to UploadVR, an FTC complaint earlier this year disclosed the Twisted Pixel acquisition, but Meta had not formally announced it until Tuesday.)

While Meta spent the early years after acquiring Oculus paying outside developers to develop games for its headsets, the company has over the last few years begun acquiring more of these studios and giving the teams resources to build new games. The spending spree started in 2019 when Meta acquired Beat Saber developer Beat Games.

Meta followed up that acquisition with Asgard’s Wrath developer Sanzaru Games in 2020, Lone Echo developer Ready at Dawn that same year, Onward developer Downpour Interactive in 2021, Population: One developer BigBox VR in 2021, and Supernatural developer Within Unlimited last fall. The aggressive acquisition strategy over the course of just two years led critics to question whether Meta was having an anticompetitive effect on the VR software market given that it also enjoys a roughly 90% market share of the VR headset market.

In July, the FTC sued Meta to stop its acquisition of Within, alleging the deal would limit competition and give Meta a monopoly on VR fitness apps. (Supernatural is marketed as a gamified VR fitness app, while many fans of Beat Saber also use the game as a cardio exercise.) The FTC last week slimmed down its complaint by removing some of its allegations, but the case is ongoing.

In addition to its new studio acquisitions, Meta also announced that Camouflaj's Iron Man VR, which was originally released for Sony's competing VR platform in 2020, would be arriving on the Quest 2 on Nov. 3. Popular indie game Among Us is also getting a VR variant releasing on the Quest 2 on Nov. 10. According to Meta, consumers have spent more than $1.5 billion on the Quest store to date.

The Department of Labor on Tuesday proposed a rule that would classify more gig workers as employees, not independent contractors. The rule offers hope for labor activists seeking employee status, and would be a blow to the gig-work model companies such as Uber and Lyft have relied on.

"The Department believes this proposal will help protect workers from misclassification while at the same time recognizing that independent contractors serve an important role in our economy and providing a consistent approach for those businesses that engage (or wish to engage) independent contractors," the document reads.

The proposed rule offers a test to check whether workers are employees or contractors, lowering the bar for employee classification. It would check factors such as how much control the employer has over the worker, whether the worker has opportunities to increase their earnings, and whether the work is an integral part of the employer's business. Companies are often required to provide benefits such as overtime pay or health insurance to employees but not independent contractors.

"While there is a lot of uncertainty around how federal and States will handle this latest proposal, its a clear blow to the gig economy and a near-term concern for the likes of Uber and Lyft," Wedbush analyst Daniel Ives wrote in a note to investors.

Uber, Lyft, DoorDash, Instacart, and other gig economy companies have spent millions in the political fight to continue classifying gig workers as contractors. They spent more than $200 million campaigning to pass Proposition 22, which let the companies retain contractor status for their workers in California.

As the U.S. government scrambles to pull the semiconductor rug out from under China’s AI ecosystem, some AI researchers in the country are shrugging it off.

“Nvidia will lose a lot of [market share] in their high-end GPU graphic cards, but a lot of the startups in China making those AI acceleration cards will get orders,” according to an AI researcher and professor at a prestigious scientific university in Beijing who I spoke with via video chat this week. (The researcher asked not to be named for fear of political retribution.)

In China, where AI engineers and other developers are accustomed to technical workarounds to circumvent censors and other blockades, there may be some wiggle room to counteract U.S. export controls by building AI accelerator cards intended for more specific tasks, the researcher said.

Nvidia’s strengths have been in “very general-purpose GPUs that can handle [many] types of computations, like for gaming and computing.”

But building accelerators is not so difficult, the researcher said. “Just making accelerating cards is a lot easier because you just need to handle very few specific types of computations. So when the U.S. government shut Nvidia out of China, it actually [benefited] those startups in China.”

And as giants in China like Huawei open new chip fabs there, people familiar with the nuts and bolts of hardware for AI say there’s still lots of room for innovation in AI accelerators.

A version of this story first appeared in the Protocol Enterprise newsletter.

Ready to party like it’s 2019? Tech industry holiday parties are back like they haven’t been since before the pandemic, with some companies bringing in ice skating rinks, juggling lessons, and big-name entertainers.

As companies tighten their belts, this year’s parties won’t be exactly what they were in the Before Times — even Sundar Pichai warned Googlers to “try not to go over the top” this year — but some teams are still going all out.

This year’s biggest tech company holiday parties will be half the size that they were before the pandemic, according to Non Plus Ultra, the venue and events company that hosted Meta’s lavish 2019 Game of Thrones-themed year-end bash. (This year, Meta’s holiday parties will “likely happen on a team by team basis depending on office/site/location,” spokesperson Tracy Clayton told me.)

Salesloft, a 915-person sales software maker, is spending “well over seven figures” on its three holiday parties, which will be the company’s first IRL year-end celebrations since before the pandemic, according to VP of people Katie Cox Branham.

Companies this year are split between in-person bashes and taking a more virtual approach with mailed gifts, according to Phoenix Anna Porcelli, VP of sales at Convene.

Then there are the companies that won’t be doing much at all. Deque Systems, a digital accessibility company, hasn’t had a virtual or IRL holiday party in a decade, according to Glenda Sims, Deque’s chief information accessibility officer.

Affirm is testing a bonus rewards program for its "buy now, pay later" product, Fast Company confirmed, addressing a major gap between the short-term payment plans and conventional credit cards. CEO Max Levchin first teased the idea in the company's fourth-quarter earnings call in August.

“One of the key preferences driving features of modern consumer payments is rewards,” Levchin said, according to a Seeking Alpha transcript. “It is one of the most common theoretical objections to BNPL versus credit cards. We can stop the debate.”

Though "buy now, pay later" companies are hesitant to liken themselves directly to credit cards, they are ostensibly the sector’s most significant emerging competitor. Companies in the space began launching card products in an attempt to be customers’ first choice at checkout, whether that’s online or in person. Affirm’s card, Debit+, launched in 2021 and allows customers to split purchases over $100 into installment payments. Affirm also allows customers to use it similarly to a debit card and pay for products with one lump sum deducted from a checking account.

Now the company is justifying the “+” in “Debit+” by adding more bonus features. The company’s beta rewards structure will give customers one point for every dollar paid, though the company told Fast Company that may change as they continue to test the feature. Customers will be able to cash in on points the next time they take out one of Affirm’s loans and receive a discount.

"Buy now, pay later" companies’ success in 2021 was built largely on their traction with younger consumers, who are less likely to have a credit card than older cohorts. Surveys have shown Gen Z and younger Millennials to be distinctly wary of accumulating credit card debt, in some cases leading to sparser credit histories than generations prior. This means they're not only behaviorally averse to credit, but also often struggle to qualify for credit products when they apply.

Yet surveys have also shown that this generation of users still wants the perks that come with credit. Because of this, Fitch Ratings analysts suggested that a segment of the demographic actually uses the cards to pay off their "buy now, pay later" loans. Rolling out bonus features is a play at solidifying their loyalty and warding off competition with other credit products.

While Affirm’s bonus structure is unique among major pay-later companies, Afterpay has a program that rewards users for on-time payments. Klarna has a similar program that also rewards users for spending with BNPL, but it applies to any purchase tracked through the app rather than only purchases made with the company’s card. Several smaller BNPL companies like Perpay also have rewards programs that provide incentives for spending with their products.

Correction: This story was updated on Oct. 7, 2022, to clarify the launch date for Debit+.

President Joe Biden on Friday will sign an order to implement the details of an agreement with the EU, including new privacy protections for the bloc's citizens that authorities hope will finally regularize data flows between the two continents.

The new measures, which include a set of two binding appeals for Europeans who believe their data has been improperly collected by the U.S. intelligence community, could be the crucial step necessary to replace Privacy Shield — a prior attempt to protect the legal status of information that companies move across the Atlantic. The new program is bound to face judicial scrutiny, however.

European courts struck down the Privacy Shield framework in 2020, causing a scramble as firms tried to keep trillions of dollars in digital commerce flowing while having fewer clear legal foundations for the data flows. EU lawmakers have often wanted to protect those huge volumes of business, and many in the bloc look skeptically both at mass U.S. government surveillance and the lack of national data protection laws.

Those concerns prompted the downfall of Privacy Shield as well as an earlier approach in 2015 that Privacy Shield was designed to replace. Max Schrems, the Austrian privacy campaigner behind both cases, scoffed at the new approach the U.S. and EU announced in March they had agreed to, and indicated he would again challenge any EU move that blesses data flows under the new terms.

Friday's order will give Europeans the ability to appeal to a civil liberties official within the Office of the Director of National Intelligence, and then to a new "court" set up by the attorney general and staffed by outside experts who have protections against removal.

While Privacy Shield also allowed appeals to an official within the State Department, administration officials who briefed the media on condition of anonymity said they hope the new approach would be seen as providing both more independence and more authority over the intelligence community.

The order also purports to require new safeguards in the U.S. intelligence community's vast surveillance apparatus, which has often pushed the boundaries of the law with help from tech companies while facing little accountability.

David Hatfield has stepped down as co-CEO of cloud security vendor Lacework but will remain on the company's board of directors, Protocol has learned.

The change is effective immediately, said Jay Parikh, who had been Lacework's second co-CEO and was previously Facebook's vice president of engineering. With the change, Parikh is now the sole chief executive of the privately held company, a prominent up-and-coming player in cloud security that last year achieved a valuation of $8.3 billion.

Lacework planned to inform employees of the change on Tuesday. Hatfield, who previously served as president at Pure Storage, leaves Lacework's executive leadership a few months shy of his second year with the company.

As part of the co-CEO model, Hatfield, who goes by the nickname "Hat," focused on business operations and expansion at Lacework, which has raised $1.85 billion in funding. Hatfield joined Lacework as CEO and chairman in early 2021. He could not immediately be reached Tuesday.

Parikh joined as co-CEO in mid-2021, and has focused on product and engineering for the company. The two have known each other for two decades, having previously worked at the same time at Akamai Technologies.

In an interview with Protocol, Parikh characterized the move as planned and amicable, prompted by conversations between "Hat, myself, and the board" that led to the conclusion that the co-CEO model was no longer the best fit for the company. Lacework's executive leadership and board have been "looking at where the business is and what it needs to get to the next level," and have determined that "unifying the company" under a single CEO made the most sense right now, Parikh said.

When it comes to Lacework's product and sales strategy and its relationships with customers, partners, and the big public cloud platforms, the move should help with "making sure that's all unified [around] one set of priorities with one focus," he said.

Parikh said he doesn't believe Hatfield has "any immediate plan to go jump into anything full-time anytime soon." Hatfield is "still going to be spending a good amount of time" on Lacework, Parikh told Protocol.

Founded in 2014, Lacework offers a "data-driven" service that aims to stand out in the fast-growing cloud security market by collecting and analyzing data from across a customer's cloud environments. The goal is to provide customers with crucial security insights, such as which threats to prioritize for action, the company has said.

The company raised a $525 million funding round in January 2021, followed by an additional $1.3 billion in funding in November 2021 that brought with it the $8.3 billion valuation. Lacework touted that round as "the largest funding round in security industry history," and the company ranks at No. 3 in terms of the biggest valuations for privately held security companies, according to CB Insights.

Lacework is also notable for having been just the third company to be incubated out of Sutter Hill Ventures, following a model that was used to launch Pure Storage and Snowflake. The Lacework platform supports AWS, Google Cloud, and Microsoft Azure, as well as Kubernetes environments.

In May, Lacework disclosed that it had laid off 20% of its staff, in response to what the co-CEOs then described as a "seismic shift" in "both the public and private markets." The company had previously reported having more than 1,000 employees as of March, and did not immediately have a figure available for its current employee count on Tuesday.

Prior to Lacework, Hatfield spent nearly seven years as president at Pure Storage, followed by 16 months as its vice chair, according to his LinkedIn. He joined the company as president in 2013, a few years after its founding, and stayed on through its initial public offering and its first several years as a public company.

While there are no plans to directly replace Hatfield at Lacework, given the unification of the CEO duties under Parikh's leadership, the company does plan to hire a chief revenue officer in the near future, Parikh said.

Ultimately, Lacework's leadership is focusing on making moves that will set it up "to be successful over 10, 20 years — we're not building this to be a transaction," Parikh said.

California’s new pay transparency law, SB 1162, promises to shake up compensation in the tech industry by requiring employers in the state to list pay scales in job ads and reveal pay information to both the state and to current employees. We spoke with Susan Alban, operating partner and chief people officer at Renegade Partners, and compensation consultant Ashish Raina to learn how.

Startups will adopt pay bands earlier. Five or 10 years ago, it wasn’t unusual for 50-person companies to be operating without a “career ladder” or “career architecture” with compensation bands for different job functions and levels, Alban said.

Companies may find other ways to differentiate pay in order to compete for the best talent. The law only requires companies to disclose base pay, not stock, bonuses, or benefits.

The law might provide a little more incentive for companies to hire outside of California, but not much. The law on its own is unlikely to have a major effect on where companies hire, but it adds more administrative headache for California employers.

Big companies are likely to comply more readily than startups. An online job search shows companies like Google, Salesforce, and Twitter listing pay ranges in ads. Some listings cite the Colorado law explicitly.

Pour one out for the Lightning cable.

The European Parliament voted in favor of new charging standards that will require all phones, tablets, and cameras sold in the European Union to be USB-C-ready by 2024. The mandate will extend to laptops in 2026.

The rule — which was introduced in June — passed 602-13, with eight members abstaining. That reflects an overwhelming desire to make the average person's life easier (goodbye, cluttered junk drawer) as well as cut down on pernicious e-waste. While the decision means that ports such as micro-USB will fall by the wayside, Apple's Lightning port is also slated to go the way of the dinosaur.

The company's iPad and various MacBooks rely on USB-C charging. But Apple has held steadfastly to the technology for the iPhone, rolling out its most recent iteration of the phone with a Lightning rather than a USB-C port. The iPhone was the bestselling phone in the EU last year, with Apple capturing 34% of the smartphone market.

The European Council needs to sign off on the legislation before it officially goes into law. But that prospect looks likely. After that, the clock to USB-C hegemony begins counting down. The timing could work out well for Apple at least; the company releases a new iPhone every year in September. With the mandate likely to take effect in fall 2024, it means next year's iPhone could well be the last one to feature a Lightning port — unless Apple decides to just get the switch over with, something the company is reportedly considering.

The company could also make a USB-C version of the iPhone for the EU and a Lightning version for everyone else, of course, but that seems unlikely given the logistical hurdles. The iPhone could also go totally portless for charging, though that would be a much more radical leap.

As written, the rule would allow electronics without a USB-C port to continue being sold as long as they are "placed on the market before the date of application," according to a press release announcing the vote. Regardless, if you're a Lightning stan, uh, you should consider snapping up an iPhone 14 sooner than later.

Cutting down on e-waste is a sneaky climate policy. The Global E-Waste Monitor put out by the United Nations showed that nearly 54 million tons of e-waste piled up in 2020, a number that could rise to almost 75 million tons by the end of this decade. That's a local environmental concern given the toxic chemicals and components. But it's also a huge waste of emissions. More than two-thirds of the carbon pollution tied to electronics is emitted in the manufacturing process.

Cutting down on the number of charging cables produced (and trashed) is a relatively modest way to cut down on e-waste. Stronger policies that favor right-to-repair as well as companies working harder to stave off forced obsolescence could also offer a pathway to reduce the amount of electronic churn. Improving e-waste recycling is yet another avenue to cut down on trash; the Global E-Waste Monitor found only 17.4% of electronic trash is currently recycled. Apple and other tech companies have touted moving toward a circular economy as central to their sustainability goals. While the EU's USB-C mandate alone won't make that transition magically happen, it could spur further innovation and serve as a reminder of all the work that remains to be done.

Carbon dioxide removal service buyers and sellers are focused on one metric: $100 per ton. It’s one of Frontier’s stated criteria that the fund uses to evaluate its advance purchases. In a survey of the long-duration carbon removal community, CarbonPlan found that stakeholders are focused on the $100 benchmark. The Department of Energy even announced that it would be investing in carbon removal research to bring the cost of the technology down to $100 per ton.

Where did that number come from? In short, it’s the cost per ton of removal services that it would take for the CDR industry to reach commercial viability. It’s based on a handful of factors.

So far, no one has come anywhere close to reaching that target. Currently, most carbon removal services cost well above $100 per ton, although the Inflation Reduction Act’s updated 45Q tax credit of up to $180 per ton for direct air capture could help some startups get closer to achieving that target.

“$100 per ton is an extremely ambitious 10-year target, likely probably more of a 15- to 20-year target,” Talati said. But she thinks it’s “important to be ambitious,” and “there’s a lot of momentum around CDR and getting these technologies to scale.”

The world could have to remove billions of tons of carbon pollution per year from the atmosphere by midcentury depending on how fast emissions fall in the interim. That makes the momentum behind scaling CDR all the more important.

A version of this story appeared in Protocol’s Climate newsletter.

When Google announced the closure of its Stadia cloud gaming platform last week, the news was delivered at roughly the same time to employees, partners, and players on Thursday morning. Within hours, it had become clear that Stadia’s shutdown, planned for next January, would involve more than just refunding consumer purchases and quietly bowing out.

Now developers are scrambling to salvage planned projects, migrate players to other platforms, and figure out whether they’re still owed money from Google before the search giant puts Stadia out to pasture for good.

Stadia’s shutdown came as a surprise. Scores of indie game makers, not typically bound by the conservative norms of corporate PR, took to Twitter to explain their frustrations upon learning of the shutdown from news articles and a terse five-paragraph blog post from Stadia chief Phil Harrison.

It wasn’t just indies caught off guard. Google’s Stadia announcement kicked off a wave of uncertain responses from major third-party partners, including Bungie, CD Projekt Red, and Ubisoft. The consensus: We’re looking into it.

It’s not clear why Google axed Stadia now, and why it did so with little to no warning for any of the various parties that invested time, money, and other resources into the platform over the last three years.

It’s perhaps too early to draw broader conclusions about Stadia’s closure, what it could mean for cloud gaming as a whole, and whether the platform’s demise is the nail in the coffin for Google’s gaming ambitions. But Google’s sloppy handling of the announcement and Stadia’s stunning failure is evidence that even the largest, most experienced companies can find themselves lost in the woods when trying to crack such a notoriously difficult set of problems.

Cloud gaming is still available on platforms operated by Microsoft, Nvidia, and — for the time being — Amazon, too. But developing games is costly, difficult, and multidisciplinary work that takes years, and streaming those games over the cloud has yet to be accomplished in a sustainable fashion with an attractive business model. Google found this out the hard way, and let’s hope Stadia’s shutdown provides the road map that helps keep its competitors alive.

A version of this story appeared in Protocol’s Entertainment newsletter.

Trading of Twitter shares was briefly halted midday as CNBC and Bloomberg reported that Elon Musk now plans to go through with his deal to buy Twitter for $54.20 a share. The news was later confirmed.

Musk sent a letter to Twitter with his proposal to buy the company, according to an SEC filing. Twitter said it has received the letter and intends to close the deal at the originally agreed-upon price of $54.20 a share.

Musk and Twitter have been in a legal battle to push the Tesla CEO to buy Twitter since July, when Musk filed to back out of his proposed $44 billion acquisition. Musk tried to walk out of the deal based on allegations that Twitter was misstating the number of bots and spam accounts on the platform, which Twitter rejected. A trial in the case is scheduled to begin on Oct. 17.

The news coincidentally broke just as Twitter employees were near the start of a three-hour meeting to plan its 2023 strategy, according to reporter Casey Newton. "I am sitting on 2023 company wide strategy readouts and I guess we are going to collectively ignore what’s going on," Twitter employee Rumman Chowdhury tweeted.

Twitter shares jumped 15% on the news before being halted.

The U.S. is set to unveil a fresh set of policies Thursday aimed at choking off China’s access to advanced chip manufacturing technology and the chips themselves, according to a person familiar with the matter.

Thursday’s planned announcement will articulate and expand upon the Biden administration’s early efforts to impede China’s military establishment and domestic surveillance apparatus from obtaining technology related to computing that is largely focused on AI applications. Those efforts to date have included notification letters to chip companies and tool makers advising them of new limits on sales. The administration’s goal is to use a broad range of policies, including export controls, a potential executive order, and the foreign direct product rule, among other methods.

The Commerce Department declined to comment. The White House did not respond to a request for comment. Reuters and The New York Times reported earlier Monday that the announcement was set for this week, but did not specify a day.

The Biden administration’s strategy around China’s access to American chip technology has begun to take shape following the appointment of several key White House officials and the confirmation of Commerce Department Undersecretary for the Bureau of Industry and Security Alan Estevez in March. The BIS is responsible for American export controls.

The administration’s plans include blocking Chinese businesses, government research labs, and others from purchasing products that use American-made tech, The New York Times reported. Expanding the use of the foreign direct product rule to block Chinese entities from buying certain chips is only one element of the strategy, the newspaper said.

Protocol reported in August that the Biden administration plans to roll out export control rules on semiconductor manufacturing equipment that is capable of making chips with fin field-effect transistors, or FinFETs. FinFET loosely refers to the shape of the transistor, which is sometimes referred to as the 14-nanometer manufacturing process. Thursday’s announcement is expected to include export controls on chipmaking tools.

In late August, Nvidia and AMD disclosed they had received notification letters from the Commerce Department ordering them to halt sales of chips designed for artificial intelligence computing. Neither company disclosed the technical limits the administration imposed on the AI chips, but Nvidia CEO Jensen Huang said it was a combination of computing horsepower and a “specific level of inter-chip connection bandwidth.”

Beyond the logic chips made by Nvidia and AMD for AI applications, the Biden administration has also considered blocking several types of memory, according to two people familiar with the administration’s thinking. High-bandwidth memory (which is useful for training large AI models) and flash were among the memory technologies under consideration, the people said.

Administration officials had been briefed by several memory manufacturers about establishing specific thresholds for flash and high-bandwidth memory, according to another person familiar with the discussions. It wasn’t immediately clear what, if any, export controls or other measures would apply to memory in Thursday’s announcement.

Correction: An earlier version of this story misstated the date of Alan Estevez's confirmation and the month in which Nvidia and AMD disclosed notification letters. This story was updated on Oct. 4, 2022.

Companies like Meta and Lyft have stopped hiring for the year, and that’s music to the ears of other tech companies that are still staffing up. Much of talent sourcing still takes place on LinkedIn, but many recruiters have found their own techniques to use the service more efficiently. We asked LinkedIn’s VP of talent acquisition and three outside recruiters for their best LinkedIn hacks for sourcing talent.

When reaching out, short and sweet is key. When sending a connection request, executive recruiter Darrell Rosenstein said he rarely sends more than three sentences or 150 characters.

Focus on skills, not pedigree. Erin Scruggs, VP of talent acquisition at LinkedIn, said skills — which candidates can list on their profiles — are the “future currency” of recruiting, particularly in a tight labor market.

Post content to your company LinkedIn page to build a recruiting brand. Particularly for lesser-known startups, content can offer a glimpse into your company culture and personality.

Try LinkedIn’s “best-kept secret”: affinity groups. Paige Scott, who leads the Asset Management practice at the recruiting firm Kingsley Gate Partners in San Francisco, said groups are one of her favorite LinkedIn features for reaching candidates.

Kim Kardashian broke the internet, and according to the Securities and Exchange Commission, she also broke the securities laws.

The SEC announced Monday that the mega-influencer, reality TV star, and billionaire businesswoman will pay $1.26 million to resolve allegations she touted EMAX tokens on Instagram without disclosing she was being paid for it. Kardashian, who the SEC said "also agreed to not promote any crypto asset securities for three years," did not admit wrongdoing.

The SEC also said she had received $250,000 for her post on the token from EthereumMax. Her fine represents the payment, plus interest and a $1 million penalty.

SEC Chair Gary Gensler took the opportunity of the settlement announcement to tweet that the case showed "when celebrities / influencers endorse investment opps, including crypto asset securities, it doesn’t mean those investment products are right for all investors."

On Thursday, California Gov. Gavin Newsom signed into law a bill that makes phone calls from California’s prisons free of charge. The new law places the cost of calls not on incarcerated people — or the people receiving calls from them — but on the state’s Department of Corrections and Rehabilitation.

California is the second state after Connecticut and the biggest state by far to institute such a law, which is a direct shot at the $1.4 billion prison telecom industry. For years prison telecom companies have maintained rates that “can be unjustly and unreasonably high, thereby impeding the ability of inmates and their loved ones to maintain vital connections,” the FCC said in 2020.

Prison reform advocates argue the new California law will have a hugely positive impact on the families of incarcerated people in California — and potentially other states that follow California's lead.

"From a public policy perspective, we should be wanting people to stay connected to their social networks, to their families, to be able to start looking for employment if they are close to getting out," said state Sen. Josh Becker, who sponsored the bill, SB 1008. "But we have a very perverse system, which inhibits that and actually throws many families into debt."

For years, the high cost of prison phone calls has sapped money from low-income families with incarcerated loved ones. According to a 2015 report by the Ella Baker Center for Human Rights, 34% of families go into debt in their attempt to maintain contact with loved ones inside through phone calls and visitations. The impact is disproportionately felt by women of color, because of the corresponding disproportionate number of men of color in America’s prisons.

Now, with the governor's blessing, "the simple cost of a call is never going to impair their ability to tell their children they love them or help their partner problem-solve a parenting situation,” said Bianca Tylek, executive director of Worth Rises, a prison reform organization, which was a key player in advocating for the bill.

The new law covers the 93,000 incarcerated people in the state's prison system, and Becker hopes future legislation will extend free calls into California's city and county jails, as well.

In addition to making calls free to users, the law prohibits local agencies from “receiving revenue for the provision of communication services to persons in its custody." The law also charges the state’s utility commission with ensuring service does not fall below standard, now that calls are free. Proponents of the law say the policy change will cost California about $12 million annually, but that is a small fraction of the $14.2 billion budget for the state’s corrections department.

In recent years, the Federal Communications Commission has tried to clamp down on the astronomical costs charged by prison telecom providers, including slashing fees and capping rates at 21 cents per minute for interstate calls in 2013. More recently, the FCC adopted a rule to prevent prison phone companies from seizing pre-paid funds from users, after one prison telecom giant, GTL, was found to have seized $121 million in customer funds. Other local governments have notched their own victories in the fight against sky-high prison call rates. In 2019, New York became the first major city jail system to make calls free. In 2020, San Francisco also made phone calls from its jails free and announced a policy change that would "permanently stop generating revenue from incarcerated people and their families through phone calls."

But advocates are hopeful that California's law will set an example for other state governments, because of the sheer size of its prison population. “California has a much bigger system, and what it does matters to the rest of the corrections community,” Tylek said. “It will be a huge trendsetter for everyone else.”

Rohit Chopra arrived as director of the Consumer Financial Protection Bureau one year ago today. True to his reputation as an aggressive watchdog from his time as an FTC commissioner and an earlier stint at the CFPB, he has pursued a busy agenda that’s setting up regulatory battles to come.

Chopra hasn't been afraid to challenge big banks or fintechs. His fight against banking’s so-called junk fees, for instance, won plaudits from both consumer-focused groups and fintech trade organizations.

All eyes in the fintech world are on open banking. The CFPB regulatory docket this fall includes a long-delayed rule-making effort to allow customers to more easily move their data between financial institutions. The effort is part of the Biden administration’s goal to boost competition in markets.

The agency’s tactics and a growing list of priorities are prompting powerful pushback. The industry and Republican members of Congress are circling.

The agency seems to be gearing up for that possibility. American Banker reported that the CFPB launched an office this summer dedicated to responding to congressional requests. Crane, a former Treasury official, said document requests can eat up a lot of administrative resources: “It is a big exercise, but it seems he is preparing to handle it without distracting from his day job.” But there’s little question that Chopra’s second year in the job will be more challenging than his first.

A version of this story appeared in Protocol’s Fintech newsletter.

What does SB 1162 require? Starting in January, employers with 15 or more workers will be required to disclose salary ranges in job postings, including on third-party sites. Companies with 100+ employees, including contractors, will have to report on mean and median wage data.

Who has to comply with SB 1162? Any 15-plus-person company with employees in California will be subject to the law — even if your HQ is elsewhere.

What if my employees are remote? The law doesn’t address remote work, and how this law applies to non-California workers who may want to know their role’s pay scale is still a “gray area,” said Rachel Conn, a San Francisco-based partner in the Labor and Employment group at the law firm Nixon Peabody.

Didn’t California companies with 100+ employees already have to report pay data? Yes! Private companies with 100 or more employees started reporting their annual pay data by sex and race/ethnicity last year.

Can companies get around this? After Colorado passed its pay transparency law, some companies tried to dodge the requirement to disclose pay ranges by excluding Colorado applicants in job ads.

Microsoft said Friday it's "working on an accelerated timeline" to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, which the company acknowledged have been used in attacks on customers.

One of the vulnerabilities could enable remote execution of commands on a compromised server, prompting concern among security researchers about the potential for significant exploitation in coming days. The remote code execution vulnerability, which is being tracked by the identifier CVE-2022-41082, has similarities to the previously disclosed "ProxyShell" flaws. The new vulnerability was dubbed "ProxyNotShell" by researcher Kevin Beaumont, who was among the first to report seeing exploits of the bug in a series of tweets on Thursday.

Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.

The second vulnerability, which is being tracked as CVE-2022-41040, can be used by an attacker to trigger the remote code execution vulnerability, Microsoft said in a blog post. The vulnerabilities affect Microsoft Exchange Server 2013, 2016, and 2019, according to Microsoft.

A limiting factor on the exploitability of either of the newly disclosed bugs is that an attacker would need to have successfully logged in to a vulnerable Exchange server that they were attempting to exploit, Microsoft said.

The company released details on a mitigation that can be used to block the attack patterns for the vulnerabilities that've been observed so far.

"At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems," the company said in its blog post.

One researcher told Protocol on Thursday that exploitation of the vulnerability is expected to escalate in the next few days. Exchange "is a juicy target for threat actors to exploit" because its servers must be connected directly to the internet, and are a key function for many businesses as email can't be turned off without causing a major disruption, said Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys.

Microsoft said in its post that customers of Exchange Online won't need to take action in response to the new vulnerabilities. Beaumont disputed that, saying in a tweet that for Exchange Online customers, "if you migrated and kept a hybrid server (a requirement until very recently) you are impacted."

Beaumont also said that his testing has found that to meet the requirement of being an authenticated user for exploiting ProxyNotShell, "this can be any email user," which is "pretty risky." Already, exploitation of the vulnerabilities "has been happening for at least one month in the wild," he said in a tweet.

The vulnerabilities were initially disclosed by researchers at cybersecurity vendor GTSC.

Google is stepping up its push for open video formats: The company plans to force hardware manufacturers to support the AV1 video codec if they want to run Android 14 on their mobile devices, according to comments left in recent commits to the Android Open Source Project (AOSP) that were first spotted by Esper senior technical editor Mishaal Rahman.

According to those AOSP comments, the next version of Google’s Android Compatibility Definition document will require hardware makers to support AV1 for both tablets and phones. Previously, devices only had to support VP8 and VP9, two open codecs that are predecessors of AV1.

Google has yet to publicly release the compatibility requirements for Android 14; the company is expected to release a beta version of Android 14 in April 2023. Google did not immediately respond to a request for comment.

AV1 is a royalty-free video codec spearheaded by the Alliance for Open Media, which counts Google, Amazon, Netflix, and others among its members. Google has been a major supporter of AV1, and has been requiring Android TV device makers to support the codec since last year, as Protocol was first to report two years ago.

Google has also been using YouTube to grow the adoption of AV1. The video service now re-encodes all of its videos in AV1, and has been pushing companies like Roku to support the codec for its living room devices.

AV1 support on mobile has been uneven, however, in part because Qualcomm has yet to add hardware decoding capabilities for the codec to its chipsets. As a result, Google is giving device makers the option to rely on software decoding of AV1 video streams, according to Rahman.

Google’s mandate of AV1 support on Android is just one piece of a broader push for open media formats. The company is also looking to establish royalty-free alternatives to Dolby Atmos and Dolby Vision, as Protocol was first to report last week.

A troubling new vulnerability affecting Microsoft Exchange email servers has been disclosed by researchers, though details are still emerging on the severity and exploitability of the flaw.

The vulnerability, disclosed by researchers at cybersecurity vendor GTSC, could enable remote execution of commands on a compromised server, according to the company. It appears to be a "zero-day" vulnerability, which means it was not disclosed to the software vendor before spreading in the wild and before a patch could be created.

Trend Micro said Thursday that the vulnerability was submitted to Microsoft via its Zero Day Initiative program. On Friday, Microsoft said it’s “working on an accelerated timeline” to provide a patch for two newly disclosed vulnerabilities affecting Exchange email servers, including the remote code execution flaw disclosed by GTSC.

Researcher Kevin Beaumont, who was among the first to discuss GTSC's findings in a series of tweets Thursday, said he is aware of the vulnerability being "actively exploited in the wild" and that he "can confirm significant numbers of Exchange servers have been backdoored."

Remote code execution vulnerabilities are considered a serious security risk due to the potential for attackers to take full control of a compromised system. Log4Shell, a critical vulnerability that was discovered in the Apache Log4j logging software component in December 2021, fell into the category of a remote code execution flaw.

Travis Smith, vice president of malware threat research at cybersecurity vendor Qualys, told Protocol that he expects exploitation of the vulnerability to escalate in the next few days. Exchange servers must be connected directly to the internet and are a key function for many businesses since email can't be turned off without causing a major disruption, Smith noted. For those reasons, Exchange "is a juicy target for threat actors to exploit," he said in an email.

On Thursday, the initial reaction among security researchers was that it wasn't clear from GTSC's original disclosure whether this was in fact a brand-new, zero-day vulnerability in Microsoft Exchange, or if it might just be a new version of a previously disclosed vulnerability known as "ProxyShell." Beaumont noted in a blog post that a key portion of the exploit process detailed by the vendor "looks exactly like ProxyShell," which was disclosed in 2021.

However, GTSC subsequently updated its blog post, making it clear that the vulnerability affected Exchange servers that had already been patched with the latest updates. As a result, "an exploitation using Proxyshell vulnerability was impossible," the researchers said in the blog post update.

John Hammond, a well-known researcher at cybersecurity vendor Huntress, tweeted that the update makes clear that this "is in fact a new 0-day" remote code execution vulnerability.

Mike Parkin, a senior technical engineer at Vulcan Cyber, told Protocol that he had reached the same conclusion.

The fact that the compromised system was up to date before it was breached "indicates the attack leveraged a new vulnerability, not the one that was previously known," Parkin said in an email. Still, GTSC "hasn't released many details, so we are having to extrapolate from what they have said," he said.

Correction: This story was updated on Sept. 29, 2022, to correct the description of ProxyShell.

The gas-powered vehicle ban dominoes have begun to fall.

New York Gov. Kathy Hochul announced on Thursday that the state will follow California’s lead in banning the sale of new gas- or diesel-powered cars beginning in 2035. Like the Golden State, New York has also set interim targets: 35% of new cars sold must be zero-emissions by 2026, and 68% by 2030.

The plan is still not quite finalized, though. Hochul directed the state’s Department of Environmental Conservation to implement the new rules, and it will still have to hold a public hearing and open comment period before finalizing them.

This comes just a month after California threw down the gauntlet and restricted future internal combustion vehicle sales. Given that more than a dozen states — including New York — have adopted California's previous tailpipe standards, it was likely at least some of those states would follow the Golden State's lead on zero-emissions vehicle sales. New York is the first state to do so, though others such as Massachusetts, Washington, and Virginia are likely to follow suit in the near future.

“We had to wait for California to take a step because there’s some federal requirements that California had to go first — that’s the only time we’re letting them go first,” Hochul said at a press conference, in reference to a Clean Air Act provision that allows California alone to set its own vehicle emissions standards. A policy quirk allows other states to adopt those standards, but not to lead the way.

In addition to the gas-powered car sales ban, Hochul also announced that the state will invest $10 million in its existing Drive Clean Rebate program to encourage New Yorkers to purchase EVs. The program offers a point-of-sale rebate of up to $2,000 off a car’s sticker price, and can be combined with federal rebates like the $7,500 tax credit on new EVs. In its five years of existence, the program has handed out $92 million in rebates statewide, according to a press release. The state is also making $5.75 million available to local governments to transition their fleets to zero-emission vehicles and install public EV chargers and hydrogen fueling stations.

New York, along with 49 other states plus Puerto Rico and Washington, D.C., also had its EV charging plan approved by the Biden administration. That will unlock some of the $175 million in funding for EV charging set aside for the state as part of the bipartisan infrastructure law. Building out charging infrastructure could help make it that much easier for the state to meet its zero-emissions vehicle sales mandate.

Tech industry groups are once again pleading with the 5th Circuit to block HB 20, Texas' on-again, off-again social media law, which the court recently allowed to take effect.

In an unopposed motion filed Thursday, the plaintiffs in the ongoing legal battle, NetChoice and the Computer & Communications Industry Association, asked the court to "preserve the status quo" until the Supreme Court has a chance to review the issues raised in the case. The Texas law aims to prohibit online platforms from moderating content on the basis of viewpoint, a limitation that tech companies argue infringes on their First Amendment rights and conflicts with broad authority they have under Section 230 to moderate content.

This is not the first time NetChoice and CCIA have sought to block the law. Earlier this year, the 5th Circuit lifted an injunction on the same law, though its decision on the underlying case between tech groups and the state of Texas was still pending at the time. The tech groups argued that the 5th Circuit's actions would wreak havoc on companies operating in Texas and pushed for the Supreme Court to add the case to its shadow docket and re-institute the block on the law. Weeks later, the Supreme Court obliged, with a majority voting in NetChoice and CCIA's favor.

But the 5th Circuit decision earlier this month put the law back in play. In their motion, NetChoice and CCIA noted that even the three conservative justices who voted to keep the law in effect in May said that HB 20 "concerns issues of great importance that will plainly merit the [Supreme] Court’s review." The plaintiffs are asking the court to block the law from being implemented until the justices have had a chance to conduct that review.

That chance may come sooner rather than later: While the 5th Circuit gave the Texas social media law a green light, the 11th Circuit blocked a similar law in Florida earlier this year. That circuit split has created a rare opportunity for the Supreme Court to decide on issues related to online speech and the First Amendment rights of private platforms once and for all. Earlier this month, Florida filed a petition with the court asking it to take up its case surrounding SB 7072, a law that would limit tech platforms' ability to moderate certain political speech. Now, both sides of the debate are awaiting an answer as to whether they'll have a chance to fight it out in the highest court.

Until the Supreme Court provides that answer, though, NetChoice and CCIA are arguing that the 5th Circuit shouldn't allow a disruptive — if not outright disastrous — law for so many businesses to go into effect. "If Supreme Court review was 'plainly merit[ed]' even before this circuit split," the motion reads, "it certainly is now."

Correction: An earlier version of this story incorrectly stated that NetChoice and CCIA filed a motion with the Supreme Court. They filed with the 5th Circuit.

Sometimes a major "hack" isn't really a hack at all, such as with some breaches caused by the mishandling of APIs.

The latest such breach attributed to negligence with APIs, or application programming interfaces that are used for exchanging data across applications, is the massive theft of customer data from Australian telecom Optus.

First disclosed by Optus on Sept. 22, the data exposed in the breach of 9.8 million customer records includes driver's licenses, passports, and Medicare ID numbers, in addition to names, phone numbers, and email addresses.

Optus has attempted to characterize the cyberattack as "sophisticated," but according to Australian Minister for Cybersecurity Clare O'Neil, it was actually just a "basic" attack. Optus “effectively left the window open” for customer data to be stolen, she said.

The incident reportedly started with the attacker accessing an API server that was not protected with any type of authentication. In other words, the attacker didn't even have to log in. Anyone from the internet could have theoretically done the same thing, said Filip Verloy, technical evangelist at Noname Security, a vendor that offers API security products.

"This should be a wake-up call for a lot of organizations about how easy it was to get this data," said Nick Rago, field CTO at another API security vendor, Salt Security.

The use of APIs has grown widely as companies of all sorts have morphed into software providers, with API services enabling much of the key functionality for modern apps and websites.

Optus executives have not denied that an API was leveraged by the attacker to steal the customer records, according to reports. Protocol has reached out to the company for comment.

Based on the information that has come out so far, it appears that the API in question was actually "doing exactly what it was meant to do" when it called up the Optus customer records, Rago said. That means the API wasn't "hacked" in any sense of the word, but was just used for an unintended purpose, he said — what's sometimes referred to as an "API abuse" attack.

It's likely that Optus just didn't know about the existence or functionality of this particular API, according to Rago. It would appear there was a "lack of visibility and a lack of governance, in terms of not knowing this API existed in the first place and why it was exposed in this manner," he said.

In general, it's recommended that businesses take a "layered security" approach to protecting APIs, using a firewall or API security product, identity authentication, authorization for governing access to data, and encryption for sensitive personal data, said Yotam Segev, co-founder and CEO of data security vendor Cyera. "It appears that Optus failed on every front," Segev said.

By way of analogy, even if the front door of your house was left open or broken into, you could still have a locker inside of your house to protect your sensitive documents, said Anshu Sharma, co-founder and CEO of data privacy technology vendor Skyflow. "Even if the bad guys get in, they won't get your [sensitive] data," he said. But it appears that Optus did not have this type of capability, either.
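The layered controls Segev and Sharma describe can be sketched in a few dozen lines. This is an added example, not Optus code or any quoted vendor's product: every name, record and the token format is constructed for illustration, and a token vault stands in for the encryption layer because Python's standard library ships no cipher.

```python
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # constructed per-process signing key


class Vault:
    """The 'locker inside the house': the API store holds only tokens."""

    def __init__(self):
        self.values = {}

    def tokenize(self, value):
        token = "tok_" + secrets.token_hex(8)
        self.values[token] = value
        return token

    def detokenize(self, token, scopes):
        # A separate, narrower permission turns a token back into data.
        if "pii:read" not in scopes:
            raise PermissionError("scope pii:read required")
        return self.values[token]


VAULT = Vault()
CUSTOMERS = {  # constructed sample records
    "c-1001": {"name": "Sample Person A",
               "passport": VAULT.tokenize("PA0000001")},
    "c-1002": {"name": "Sample Person B",
               "passport": VAULT.tokenize("PB0000002")},
}


def issue_token(subject, scopes, ttl=300):
    """Mint a signed bearer token: subject|scopes|expiry|hmac."""
    expires = int(time.time() + ttl)
    payload = f"{subject}|{','.join(sorted(scopes))}|{expires}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def authenticate(token):
    """Layer 1: reject missing, malformed, forged or expired tokens."""
    if not token:
        raise PermissionError("authentication required")
    try:
        payload, sig = token.rsplit("|", 1)
        subject, scope_str, expires = payload.split("|")
        expires = int(expires)
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(SIGNING_KEY, payload.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise PermissionError("bad signature")
    if time.time() > expires:
        raise PermissionError("token expired")
    return subject, set(filter(None, scope_str.split(",")))


def get_customer(customer_id, token=None):
    """Hardened handler: authenticate, then authorize per record."""
    subject, scopes = authenticate(token)
    # Layer 2: callers read their own record unless they hold 'support'.
    if subject != customer_id and "support" not in scopes:
        raise PermissionError("not authorized for this record")
    if customer_id not in CUSTOMERS:
        raise KeyError(customer_id)
    # Layer 3: the response carries vault tokens, never raw ID numbers.
    return dict(CUSTOMERS[customer_id])


def reveal_field(customer_id, field, token):
    """Return the raw value of a tokenized field; needs 'pii:read' as well."""
    _, scopes = authenticate(token)
    record = get_customer(customer_id, token)
    return VAULT.detokenize(record[field], scopes)


def get_customer_open(customer_id):
    """The reported failure mode: no login, any caller, any customer ID."""
    return dict(CUSTOMERS[customer_id])
```

Even `get_customer_open`, with the first two layers missing, returns only vault tokens for the passport field, which is the point of the locker analogy.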