Technology

Didi Chuxing, Chinalargest ride-hailing firm, is rolling out new security systems one month after a female customer was raped and murdered by a driver, the second such fatality on its Hitch service this year.

Today the company said it introduced a number of new safety features which include random biometric ID testing for drivers (in addition to a selfie-based log-in each day) and the introduction of an SOS button within Dididriver app which connects directly to police. Didi said that SOS feature is tied into &a streamlined critical response process& — which includes &a special police response team& set up to assist with issues on the Didi service — and there are fatigue and tiredness alerts for drivers.

Earlier this month, Didi added a safety center featuring guidelines and help, and updated the SOS button within the passenger app so it goes directly to the police rather than customer support agents. The company also startedtrialing an on-route audio recording function for its Express and Premier services.

DidiCEO and chairwoman earlier said that it plans to prioritize user safety over growth.

The company faced strong criticism after it emerged that its own systems had been at fault in both murders. For the first fatality, the driver who committed the murder bypassed Dididriver authentication system (using an account belonging to his father) while a sexual harassment complaint lodged against the account before the incident was not followed up on.

The second murder showed further problems. The driverhad been flagged to Didisafety team just one day before the murder after afemale passenger complained that he had requested her to ride in the front seat and then followed her for some time after she left his vehicle. Yet, thesafety center representative who handled the complaint had not followed company policy of initiating an investigation within two hours.

Didifired two executives following the second murder — the general manager for Hitch and the companyvice president of customer services — and it suspended the Hitch servicefor the second time this year.

China instituted new regulations around ride-sharing last month which included tasking provinces and autonomous regions with setting up passenger safety committees and ensuring that incidents are investigated promptly.

Rival Meituan, which raised $4 billion from an IPO in Hong Konglast week, entered the ride-hailing space earlier this year. The company has been keen to battle Didi but, perhaps sensing the difficulty of the moment, it suspended plans to expand beyondNanjing and Shanghai and into more parts of China.

Didi has been without a strong direct competitor since it reached a deal to acquire UberChina-based service two years ago.

Google has respondedto blowback about a privacy hostile change it made this week, which removes user agency by automating Chrome browser sign-ins, by rowing back slightly — saying it will give users the ability to disable this linking of web-based sign-in with browser-based sign-in in a forthcoming update (Chrome 70), due mid next month.

The update to Chrome 69 means users are automatically logged into the browser when they are signed into another Google service, giving them no option to keep these digital identities separate.

Now Google is saying there will be an option to prevent it pinning your Chrome browsing to your Google account — but you&ll have to wait about a month to get it.

And of course for the millions of web users who never touch default settings being automatically signed into Googlebrowser when they are using another Google service like Gmail or YouTube will be the new normal.

Matthew Green, a cryptography professor at Johns Hopkins, flagged the change in a critical blog postat the weekend — entitled Why I&m done with Chrome — arguing that the new &forced login& feature blurs the previously strong barrier between &never logged in& and &signed in&, and thus erodes user trust.

Prior to the Chrome 69 update, users had to actively opt in to linking their web-based and browser-based IDs. But Googlechange flips that switch — making the default setting hostile to privacy by folding a Chrome userbrowsing activity into their Google identity.

In its blog post Google claims that being signed in to Chrome does not meanChrome sync gets turned on.

So itbasically saying that despite it auto-linking your Chrome browsing and (Google) web-based activity itnot automatically copying your browsing data to its own servers, where it would then be able to derive all sorts of fresh linked intel about you for its ad-targeting purposes.

&Users who want data like their browsing history, passwords, and bookmarks available on other devices must take additional action, such asturning onsync,& writes Chrome product manager Zach Koch.

But in his blog post, Green is also highly critical of GoogleUI around Chrome sync — dubbing it a dark pattern, and pointing out that itnow all too easy for a user to accidentally send Google a massive personal data dump — because, in a fell swoop, the company &has transformed the question of consenting to data upload from somethingaffirmativethat I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click&.

&The fact of the matter is that I&d never even heard of Chrome&sync& option — for the simple reason that up until September 2018, I had never logged into Chrome. Now I&m forced to learn these new terms, and hope that the Chrome team keeps promises to keep all of my data local as the barriers between &signed in& and ¬ signed in& are gradually eroded away,& Green also wrote.

Hence his decision to dump Chrome. (Other browsers are certainly available, though Chrome accounts for by far the biggest chunk of global browser usage.)

Responding to what Koch colorlessly terms &feedback& about the controversial changes, he says Google is going to &better communicate our changes&.

&We&re updating our UIs to better communicate a usersync state,& he writes. &We want to be clearer about your sign-in state and whether or not you&re syncing data to your Google Account.&

His explanation for Google flipping the default to be privacy hostile (rather than user affirmative) is to claim that &we think sign-in consistency will help many of our users&, saying Google has &received feedback from users on shared devices that they were confused about Chromesign-in state&.

&We think these UI changes help prevent users from inadvertently performing searches or navigating to websites that could be saved to a different usersynced account,& he also writes.

Though, as Green points out, making more people sign in to Chrome (rather than fewer) is a fuzzy sort of fix for an account ‘pollution& issue.

Chromeflipped switch also now means users have to take Googleword for it that it won&t suddenly auto sync their data to its own servers — say by making another opaque change, in the future, to further automate the harvesting of users& personal data.

Privacy policies that can just be unilaterally rewritten at any point, without obtaining fresh consent from the user, aren&t worth the pixels they&re claiming to be inked in.

Letalso not forget this is the same company that, back in 2012, combined around 60 separate privacy policies into a single overarching policy and Google account covering multiple, distinct web products — thereby, also in a fell swoop, collapsing multiple user identities which, prior to then, people had been able to maintain (to try to control what Google knew about them).

Googlepush where privacy is concerned is pretty clearly one way — away from individual agency and control, and towards it being able to join up ever more personal data dots which its ad-targeting business can use.

With the Chrome update the company has rubbed out yet another privacy firewall for users wanting to fight its amassing of conglomerate profiles of their online activity.

And even with the after-the-fact switch thatbeing announced now (and only after a critical backlash), which from next month will let settings pros disable the default Chrome auto-link, the companygeneral direction of travel does not respect user agency at all. Quite the opposite.

Google seems to be trying to make consent itself an after thought — i.e. for the few who know to poke around in the settings. Instead of what it should be: An affirmative, baked in by design to ensure privacy is available for everyone.

Googlepush to erode privacy looks likely to bring it problems in Europe, where a tough new regional data protection framework makes privacy by design and default mandatory.

Failure to comply with this element of the GDPR can attract fines as large as 2% of a companyglobal annual turnover — which would not be a trivial sum for a company as revenue-heavy as Alphabet.

And, as others have pointed out, Google making a major change to how Chrome handles sign-ins does not look like business as usual for the product. So the company would have been well advised to have carried out a privacy impact assessment — to ensure the changes itmaking were compliant with GDPR.

We&ve asked Google whether it carried out a data protection impact assessment (DPIA) ahead of pushing out the change to sign-ins on Chrome 69 and will update this report with any response. Or whether ithandling sign-ins differently in the EU (which does not seem to be the case).

We&ve also asked if it will commit to making anyDPIA for Chrome public.

A spokesman acknowledged receipt of our questions but at the time of writing the company had not sent any answers.

Thereanother potentially problematic issue for Google here too, vis-a-vis GDPR, because according to Kochblog post it is not currently clearing Google auth cookies when cookies are cleared by the user.

He writes that it will&change this behavior that so all cookies are deleted and you will be signed out&. But thatgoing to take about a month.

In the meanwhile a user action (clearing cookies) is not resulting in Google clearing all cookies — which looks like a pretty clear violation of EU privacy rules, albeit temporarily (if itgoing to fix it next month).

We also asked Google about its failure to clear all cookies.

Safe to say, Googleprivacy hostile actions look sure to attract closescrutiny in the EU where privacy is a fundamental right.

But the company is also set to face questions on the topic in a Senate committee hearing today — and is expected to acknowledge that it has made &mistakes& on privacy issues, according to documents seen by Reuters.

Though it will also apparently claim it has &learned, and improved our robust privacy program&.

Certain Chrome users would probably take a very different view.

Instana, an application performance monitoring (APM) service with a focus on modern containerized services, today announced that it has raised a $30 million Series C funding round. The round was led by Meritech Capital, with participation from existing investor Accel. This brings Instana total funding to $57 million.

The company, which counts the likes of Audi, Edmunds.com, Yahoo Japan and Franklin American Mortgage as its customers, considers itself an APM 3.0 player. It argues that its solution is far lighter than those of older players like New Relic and AppDynamics (which sold to Cisco hours before it was supposed to go public). Those solutions,the company says, weren&t built for modern software organizations (though I&m sure they would dispute that).

What really makes Instanastand out is its ability to automatically discover and monitor the ever-changing infrastructure that makes up a modern application, especially when it comes to running containerized microservices. The service automatically catalogs all of the endpoints that make up a serviceinfrastructure, and then monitors them. Italso worth noting that the company says that it can offer far more granular metrics that its competitors.

Instanasays that its annual sales grew 600 percent over the course of the last year, something that surely attracted this new investment.

&Monitoring containerized microservice applications has become a critical requirement for todaydigitalenterprises,& said Meritech CapitalAlex Kurland. &Instana is packed with industry veterans who understand the APM industry, as well as the paradigm shifts now occurring in agile software development. Meritech is excited to partner with Instana as they continue to disrupt one of the largest and most important markets with their automated APM experience.&

The company plans to use the new funding to fulfill the demand for its service and expand its product line.