Oxbotica raises $47M to deploy its autonomous vehicle software in industrial applications

While the world continues to await the arrival of safe, reliable and cost-effective self-driving cars, one of the pioneers in the world of autonomous vehicle software has raised some substantial funding to double down on what it sees as a more immediate opportunity: providing technology to industrial companies to build off-road applications.

Oxbotica, the Oxford, England startup that builds what it calls “universal autonomy” — flexible technology that it says can power the navigation, perception, user interfaces, fleet management and other features needed to run self-driving vehicles in multiple environments, regardless of the hardware being used — has picked up $47 million in a Series B round of funding from an interesting mix of strategic and financial investors.

Led by bp ventures, the investing arm of oil and gas giant bp, the round also includes BGF, safety equipment maker Halma, pension fund HostPlus, IP Group, Tencent, Venture Science and funds advised by Doxa Partners.

Oxbotica said it plans to use the capital to fuel a raft of upcoming deployments — several that will be coming online this year, according to its CEO — for clients in areas like mining, port logistics and more, with its lead investor bp an indication of the size of its customers and the kinds of projects that are in its sights.

The question, CEO Ozgur Tohumcu said in an interview, is “Where is the autonomy needed today? If you go to mines or ports, you can see vehicles in use already,” he said. “We see a huge transformation happening in the industrial domain.”

The funding and focus on industry are interesting turns for Oxbotica. The startup has been around since about 2014, originally as a spinout from Oxford University co-founded by academics Paul Newman and Ingmar Posner — Newman remains at the startup as its CTO, while Posner remains an AI professor at Oxford.

Oxbotica has been associated with a number of high-profile projects — early on, it provided sensor technology for NASA’s Mars Rover, for example.

Over time, it has streamlined what it does to two main platforms that it calls Selenium and Caesium, covering respectively navigation, mapping, perception, machine learning, data export and related technology; and fleet management.

Newman says that what makes Oxbotica stand out from other autonomous software providers is that its systems are lighter and easier to use.

“Where we are good is in edge compute,” he said. “Our radar-based maps are 10 megabytes to cover a kilometer rather than hundreds of megabytes… Our business plan is to build a horizontal software platform like Microsoft’s.” That may underplay the efficiency of what it’s building, however: Oxbotica also has worked out how to efficiently transfer the enormous data loads associated with autonomous systems, and is working with companies like Cisco to bring these online.

In recent years Oxbotica has been synonymous with some of the more notable on-road self-driving schemes in the U.K. But, as you would expect with autonomous car projects, not everything has panned out as expected.

A self-driving pilot Oxbotica kicked off with London-based car service Addison Lee in 2018 projected that it would have its first cars on the road by 2021. That project was quietly shut down, however, when Addison Lee was sold on by Carlyle last year and the company abandoned costly moonshots. Another effort, the publicly backed Project Endeavour to build autonomous car systems across towns in England, appears to still be in progress.


The turn to industrial customers, Newman said, is coming alongside those more ambitious, larger-scale applications. “Industrial autonomy for off-road refineries, ports and airports happens on the way to on-road autonomy,” he said, with the focus firmly remaining on providing software that can be used with different hardware. “We’ve always had this vision of ‘no atoms, just software,’ ” he said. “There is nothing special about the road. Our point is to be agnostic, to make sure it works on any hardware platform.”

It may claim to have always been interested in hardware- and application-agnostic autonomy, but these days it’s being joined by others that have tried the other route and have decided to follow the Oxbotica strategy instead. They include FiveAI, another hyped autonomous startup out of the U.K. that originally wanted to build its own fleet of self-driving vehicles but instead last year pivoted to providing its software technology on a B2B basis for other hardware makers.

Oxbotica has now raised about $80 million to date, and it’s not disclosing its valuation but is optimistic that the coming year — with deployments and other new partnerships — will bear out that it’s doing just fine in the current market.

“bp ventures are delighted to invest in Oxbotica – we believe its software could accelerate the market for autonomous vehicles,” said Erin Hallock, bp ventures managing partner, in a statement. “Helping to accelerate the global revolution in mobility is at the heart of bp’s strategy to become an integrated energy company focused on delivering solutions for customers.”



{virtual} VSM DevCon returns in March

What is value stream management? Why do I need to do it? How do I get started?

Questions like these and more will be answered at the second {virtual} VSM DevCon, taking place on March 10 in a fast-paced, one-day educational format.

Value stream management enables organizations to find the areas of inefficiency, bottlenecks and actions that don’t deliver value to customers and the organization. It has been called the crown atop DevOps that finally brings IT and the business together.

According to a February 2020 Forrester report, “Value stream management takes over where application lifecycle management leaves off.” The report states: “Practicing value stream management (VSM) allows companies to turn their Agile-plus-DevOps environments into real digital business drivers. With VSM, organizations implementing Agile-plus-DevOps will better understand the value they deliver and the efficiencies they gain.”

General keynote talks by Dave West of (“Value Stream Management and Scrum — Friends or Enemies?”) and David Messinger of Topcoder (“Modern VSM in the Gig Economy”) highlight the event. Lance Knight, COO of ConnectALL, will deliver the industry keynote (“Value Trumps Flow.”).

VSM DevCon this year will also feature a workshop from value stream consultant Steve Pereira (“The 4×4 Method of Value Stream Traction”) in which he will show the four key maps an organization should implement to get the most uptake around value stream management.

Along with the sessions, {virtual} VSM DevCon will provide attendees with access to some value stream solution providers, to learn about the tools available on the market to begin or enhance your value stream journey.



OpenAI’s DALL-E creates plausible images of literally anything you ask it to

OpenAI’s latest strange yet fascinating creation is DALL-E, which by way of hasty summary might be called “GPT-3 for images.” It creates illustrations, photos, renders or whatever method you prefer, of anything you can intelligibly describe, from “a cat wearing a bow tie” to “a daikon radish in a tutu walking a dog.” But don’t write stock photography and illustration’s obituaries just yet.

As usual, OpenAI’s description of its invention is quite readable and not overly technical. But it bears a bit of contextualizing.

What researchers created with GPT-3 was an AI that, given a prompt, would attempt to generate a plausible version of what it describes. So if you say “a story about a child who finds a witch in the woods,” it will try to write one — and if you hit the button again, it will write it again, differently. And again, and again, and again.

Some of these attempts will be better than others; indeed, some will be barely coherent while others may be nearly indistinguishable from something written by a human. But it doesn’t output garbage or serious grammatical errors, which makes it suitable for a variety of tasks, as startups and researchers are exploring right now.

DALL-E (a combination of Dali and WALL-E) takes this concept one further. Turning text into images has been done for years by AI agents, with varying but steadily increasing success. In this case the agent uses the language understanding and context provided by GPT-3 and its underlying structure to create a plausible image that matches a prompt.

As OpenAI puts it:

GPT-3 showed that language can be used to instruct a large neural network to perform a variety of text generation tasks. Image GPT showed that the same type of neural network can also be used to generate images with high fidelity. We extend these findings to show that manipulating visual concepts through language is now within reach.

What they mean is that an image generator of this type can be manipulated naturally, simply by telling it what to do. Sure, you could dig into its guts and find the token that represents color, and decode its pathways so you can activate and change them, the way you might stimulate the neurons of a real brain. But you wouldn’t do that when asking your staff illustrator to make something blue rather than green. You just say, “a blue car” instead of “a green car” and they get it.

So it is with DALL-E, which understands these prompts and rarely fails in any serious way, although it must be said that even when looking at the best of a hundred or a thousand attempts, many images it generates are more than a little… off. Of which later.

In the OpenAI post, the researchers give copious interactive examples of how the system can be told to do minor variations of the same idea, and the result is plausible and often quite good. The truth is these systems can be very fragile, as they admit DALL-E is in some ways, and saying “a green leather purse shaped like a pentagon” may produce what’s expected but “a blue suede purse shaped like a pentagon” might produce nightmare fuel. Why? It’s hard to say, given the black-box nature of these systems.


But DALL-E is remarkably robust to such changes, and reliably produces pretty much whatever you ask for. A torus of guacamole, a sphere of zebra; a large blue block sitting on a small red block; a front view of a happy capybara, an isometric view of a sad capybara; and so on and so forth. You can play with all the examples at the post.

It also exhibited some unintended but useful behaviors, using intuitive logic to understand requests like asking it to make multiple sketches of the same (non-existent) cat, with the original on top and the sketch on the bottom. No special coding here: “We did not anticipate that this capability would emerge, and made no modifications to the neural network or training procedure to encourage it.” This is fine.


Interestingly, another new system from OpenAI, CLIP, was used in conjunction with DALL-E to understand and rank the images in question, though it’s a little more technical and harder to understand. You can read about CLIP here.

The implications of this capability are many and various, so much so that I won’t attempt to go into them here. Even OpenAI punts:

In the future, we plan to analyze how models like DALL·E relate to societal issues like economic impact on certain work processes and professions, the potential for bias in the model outputs, and the longer term ethical challenges implied by this technology.

Right now, like GPT-3, this technology is amazing and yet difficult to make clear predictions regarding.

Notably, very little of what it produces seems truly “final” — that is to say, I couldn’t tell it to make a lead image for anything I’ve written lately and expect it to put out something I could use without modification. Even a brief inspection reveals all kinds of AI weirdness (Janelle Shane’s specialty), and while these rough edges will certainly be buffed off in time, it’s far from safe, the way GPT-3 text can’t just be sent out unedited in place of human writing.

It helps to generate many and pick the top few, as the following collection shows:

AI-generated illustrations of radishes walking dogs.

The top eight out of a total of X generated, with X increasing to the right. Image Credits: OpenAI

That’s not to detract from OpenAI’s accomplishment here. This is fabulously interesting and powerful work, and like the company’s other projects it will no doubt develop into something even more fabulous and interesting before long.



SD Times Open-Source Project of the Week: Smart Argument Suites

Earlier this week LinkedIn announced the open sourcing of Smart Argument Suite, a new Python tool designed to help users pass arguments through the command line interface and consume them in a “human-friendly” way. According to the company, while there are plenty of open source projects that offer CLI argument parsing, they don’t deal with the producer side.

“Passing the arguments through the CLI becomes a producer and consumer problem: on the workflow generation side, you need to produce a set of arguments which are passed to the CLI to launch the jobs; on the other side, the launched jobs would consume the arguments passed from the CLI,” Jun Jia and Alice Wu, senior staff software engineers at LinkedIn, wrote in a post.

The principles of the Smart Argument Suite are:

It should be simple. The suite makes it as easy as defining an argument container object and passing it through a function call. 
It should be safe. The tool has a verifiable and testable systematic process with certain safety guarantees.
It should be human-friendly. According to the team, the tool should be easy for humans to inspect or debug on the serialized form. 
It should be extensible. Users should be able to extend the support to the argument container classes if desired. 

“It’s a very common scenario that an AI solution involves composing different jobs, such as data processing and model training or evaluation, into workflows and then submitting them to an orchestration engine for execution. At large companies such as LinkedIn, there may be hundreds of thousands of such executions per day, submitted and executed by multiple teams and engineers,” Jia and Wu wrote. “Any improvements in the tools used by machine learning engineers lead to significant improvements in productivity, which highlights the need for robust productivity infrastructure to support machine learning engineers.”

The solution has been released to PyPI and tested with LinkedIn’s other open-source AI solutions including GDMix and DeText.

Going forward, the team plans to add escaping to make the serialization safer and expand beyond the language boundaries. 



Sentry launches new application monitoring features for JavaScript developers

Application monitoring company Sentry has announced Release Health capabilities are now available by default in its JavaScript SDK. The company’s Release Health insights are designed to provide teams with error and performance monitoring so that they can get actionable data and resolve errors and issues quickly.

According to the company, this is especially important as front-end developer popularity and business significance increase. Sentry reports nearly 70% of developers are using JavaScript to create rich user experiences.

“Code is increasingly becoming the center of every customer experience, and when it fails, business fails,” said Milin Desai, CEO, Sentry. “With Sentry for JavaScript, application monitoring is more than just a failsafe for frontend development — extending Release Health capabilities to JavaScript projects is key to helping developers understand how each release is performing and what’s required to deploy more frequently.”

Release Health provides early warning into software releases, and with the latest update JavaScript developers can now capture session data to see crashes by session and user as well as how many users are leveraging the latest release. Sessions are defined by a page view, refresh and multiple browser tabs. 

In addition, the JavaScript SDK will now notify users about how many new issues are associated with their latest release. 

The update also enables users to trace page loads, poor-performing API calls, slow database queries, related errors, and identify where errors were introduced. Other updates include the company’s Discover tool that allows users to detect the root cause of an issue, and WebAssembly support.



Silicon Valley Bank just made an even bigger push into wealth management

SVB Financial Group agreed today to buy Boston Private Financial Holdings in Boston for $900 million in cash and stock.

It’s a big deal for SVB, which has earned a reputation over its 37-year history as a bank that’s friendly to startups, as well as venture and private equity investors. Boston Private, founded in 1987, has roughly $16.3 billion in assets under management, compared with SVB Asset Management’s $1.4 billion in related assets.

SVB, which formed its wealth advisory business in 2011, has been pushing more aggressively into wealth management for several years, hiring Yvonne Butler, who’d previously led wealth strategies at Capital One, in the middle of 2018.

Butler has since been adding members to the bank’s wealth management team, telling Business Insider last year of the job that “I see my job primarily as a retention strategy . . .Clients are already here. We’ve helped them grow their fund or business — and I see our role as private bank and wealth advisory as retaining.”

Underscoring SVB’s bid to strengthen its relationship with wealthy individuals who already have business dealings with the bank, Greg Becker, its president and CEO, said today in a release about the new tie-up: “Our clients rely on us to help increase the probability of their success — both in their business and personal lives.”

Butler will lead the combined private banking and wealth management business with Anthony DeChellis, who has been the CEO of Boston Private for the last two years. DeChellis joined the outfit after a short stint as president of the crowdfunding platform OurCrowd and before that, as the CEO of Credit Suisse Private Banking (Americas) for more than seven years.

As part of the deal, Boston Private shareholders will receive 0.0228 shares of SVB common stock and $2.10 of cash for each of their shares.

Bank stocks were generally battered in 2020, but as the Boston Globe notes, SVB’s stock is up more than 60% over the past three years because of its focus on the tech world, while Boston Private’s shares have fallen by 45%.



Samsung’s next Unpacked event is January 14

Stop me if you’ve heard this one before. Samsung’s next flagship is set to debut January 14. The company just confirmed earlier rumors surrounding the date for its next Unpacked event (virtually, of course). This one sports the name, “Welcome to the Everyday Epic.”

“Over the past year, mobile technology has taken center stage in everyday life as people are working remotely and spending more time at home,” the company writes. “The accelerated transition to a mobile-first world brings with it the need for devices that can transform everyday life into an extraordinary experience.”

The event’s timing is an interesting artifact of 2021’s wacky show scheduling, with the COVID-19 pandemic still very much being front of mind. Past Unpackeds were generally timed around Mobile World Congress. That show has been delayed until the summer, however, in hopes of returning to an in-person event. So Samsung has opted to kickstart sales a month or so earlier this year.

In fact, the event is mere days after CES. Gone are the days a gadget journalist could take a few days to decompress after the year’s biggest hardware show. It also, perhaps, doesn’t bode well for Samsung’s announcements during CES itself (though the electronics giant has more than enough divisions to keep its presence at the show interesting).

Another odd change this year is the fact that you can already reserve the S21, sight unseen. There’s little doubt it will be a solid phone, though there are plenty of questions around how the company will up the ante in the era of flagging smartphone sales. The leaks so far have been kind of underwhelming, though Samsung’s usually got a couple of fun surprises up its sleeve.

We’ve already seen enough of the Galaxy Buds Pro that they don’t qualify as a surprise, exactly. But the company has a solid enough track record with earbuds that there’s reason to be excited. The AirPods Pro competitors are said to be priced at a reasonable $199.



Report finds chaos engineering can significantly decrease MTTR and increase availability

A new report revealed those who have successfully implemented chaos engineering have 99.9% or higher availability and greatly improved their mean time to resolution (MTTR). 

Gremlin’s inaugural 2021 State of Chaos Engineering report found 23% of teams who frequently run chaos engineering projects had a MTTR of under 1 hour, and 60% under 12 hours.

Gartner echoed similar sentiments about the report’s availability finding by predicting that by 2023, 80% of organizations that use chaos engineering practices as part of SRE initiatives will reduce their MTTR by 90%.

According to Gremlin’s report, the highest availability groups commonly utilized autoscaling, load balancers, backups, select rollouts of deployments, and monitoring with health checks. 


The most common way to monitor standard uptime was synthetic monitoring; however, many organizations reported they use multiple methods and metrics.

In the report, Gremlin also found that chaos engineering has seen much greater adoption recently, and that the practice has matured tremendously since its inception 12 years ago. 

“The diversity of teams using Chaos Engineering is also growing. What began as an engineering practice was quickly adopted by SRE teams, and now many platform, infrastructure, operations, and application development teams are adopting the practice to improve the reliability of their applications,” the report stated. 

While it’s still an emerging practice, the majority of respondents (60%) said that they ran at least one chaos engineering attack and more than 60% of respondents have run chaos against Kubernetes. 

The most commonly run experiments reflected the top failures that companies experience, with network attacks such as latency injection at the top. 

However, among companies that are not adopting chaos engineering, the reasons are mostly lack of awareness, experience, and time, at 80%. Less than 10% of people said that it was because of fear of something going wrong.

“It’s true that in practicing Chaos Engineering we are injecting failure into systems, but using modern methods that follow scientific principles, and methodically isolating experiments to a single service, we can be intentional about the practice and not disrupt customer experiences,” the report stated. “We believe the next stage of Chaos Engineering involves opening up this important testing process to a broader audience and to making it easier to safely experiment in more environments.”



SaaS backup: A more scalable way to ingest cloud app data

It’s probably not surprising that, according to a 2018 Gartner survey about SaaS migration, 97% of respondents said their organization had already deployed at least one SaaS application. Today, a significant number of cloud applications have been elevated to the status of ‘critical-business system’ in just about every enterprise. These are systems that the business cannot effectively operate without. Systems that are used to either inform or to directly take really important action.

It’s no wonder cloud applications like CRM, Support, ERP or e-commerce tools have become prime targets for DataOps teams looking for answers about what and why certain things are happening. After all, think about how much business data converges in a CRM system – particularly when it’s integrated with other business systems. It’s a mastered data goldmine!

DataOps teams often identify a high-value target application, like a CRM system, and then explore ways to capture and ingest data from the application via the system’s APIs. In the case of, say, Salesforce, they might explore the Change Data Capture and Bulk APIs. Various teams with different data consumption needs might then use these APIs to capture data for their particular use case, inevitably leading to exponential growth in data copies and compliance exposure. (After all, how do you enforce GDPR or WORM compliance for data replicas tucked away God knows where?!). 

When they encounter API limitations or even application performance issues, DataOps teams then start to replicate data into nearby data lakes. This enables them to create centralized consumption points for the SaaS data outside of the application. Here, storage costs are more favorable and access is ubiquitous. Here, teams typically take a deep breath and start a more organized process for requirements gathering, beginning with the question of “who needs what data and why?”

Meanwhile in a parallel world, IT teams implement data backup strategies for those same cloud applications. If something bad happens (say, data corruption), these critical business systems need to be rapidly recovered and brought back online to keep the business going. Here, standard practice is to take snapshots of data at regular increments either through DIY scripts or with SaaS backup tools. In most scenarios, the backup data is put in cold storage because… well, that’s what you do with data replicas whose sole purpose is to act as an ‘insurance policy’ in case something goes wrong.

With all of these teams trying to consume the same data in the same organization, it makes sense that costs and maintenance cycles quickly spiral out of control. For every TB of production data, ESG identified that another 9 TB of secondary data is typically generated – rapidly offsetting any cost savings due to ever-decreasing storage costs on public clouds.

So why are we inflicting this 9X+ data multiplier on ourselves?

One reason is convenience. It’s just easier to walk up, grab what we need and walk away. But convenience can often come at the cost of quality, security and risk: how do you know the data you are grabbing is the best possible dataset the organization has on a particular entity? This question is particularly important in organizations that have strong data mastering initiatives. If your replicas contain sensitive data that you are tucking away in some generally unknown place, are you expanding the attack surface area for the organization? Are there governance or compliance regulations that your data may fall under?

Another reason is because “we’ve always done it this way.” The status quo of thinking about backup data as an insurance policy that is separate and unrelated to SaaS data ingestion for other scenarios, reaches back before the days of SaaS applications themselves – when data backup and ingestion were two separate motions done on the database level.

How we do things is just as important as doing them in the first place. And changing HOW we do things is hard. It starts with the realization that the status quo no longer applies. In this case, the realization that cloud applications allow for fundamentally different data consumption patterns – and that backup tools can be the perfect hat trick to take back ownership and control of your cloud application data, and to re-use backed up data for all other data consumption needs across our organizations.  



NSO used real people’s location data to pitch its contact-tracing tech, researchers say

Spyware maker NSO Group used real phone location data on thousands of unsuspecting people when it demonstrated its new COVID-19 contact-tracing system to governments and journalists, researchers have concluded.

NSO, a private intelligence company best known for developing and selling governments access to its Pegasus spyware, went on the charm offensive earlier this year to pitch its contact-tracing system, dubbed Fleming, aimed at helping governments track the spread of COVID-19. Fleming is designed to allow governments to feed location data from cell phone companies to visualize and track the spread of the virus. NSO gave several news outlets each a demo of Fleming, which NSO says helps governments make public health decisions “without compromising individual privacy.”

But in May, a security researcher told TechCrunch that he found an exposed database storing thousands of location data points used by NSO to demonstrate how Fleming works — the same demo seen by reporters weeks earlier.

TechCrunch reported the apparent security lapse to NSO, which quickly secured the database, but said that the location data was “not based on real and genuine data.”

NSO’s claim that the location data wasn’t real differed from reports in Israeli media, which said NSO had used phone location data obtained from advertising platforms, known as data brokers, to “train” the system. Academic and privacy expert Tehilla Shwartz Altshuler, who was also given a demo of Fleming, said NSO told her that the data was obtained from data brokers, which sell access to vast troves of aggregate location data collected from the apps installed on millions of phones.

TechCrunch asked researchers at Forensic Architecture, an academic unit at Goldsmiths, University of London that studies and examines human rights abuses, to investigate. The researchers published their findings on Wednesday, concluding that the exposed data was likely based on real phone location data.

The researchers said if the data is real, then NSO “violated the privacy” of 32,000 individuals across Rwanda, Israel, Bahrain, Saudi Arabia and the United Arab Emirates — countries that are reportedly customers of NSO’s spyware.

The researchers analyzed a sample of the exposed phone location data by looking for patterns they expected to see with real people’s location data, such as a concentration of people in major cities and by measuring the time it took for individuals to travel from one place to another. The researchers also found spatial irregularities that would be associated with real data, such as star-like patterns that are caused by a phone trying to accurately pinpoint its location when the line of sight to the satellite is obstructed by tall buildings.

“The spatial ‘irregularities’ in our sample — a common signature of real mobile location tracks — further support our assessment that this is real data. Therefore, the dataset is most likely not ‘dummy’ nor computer generated data, but rather reflects the movement of actual individuals, possibly acquired from telecommunications carriers or a third-party source,” the researchers said.

The researchers built maps, graphs, and visualizations to explain their findings, while preserving the anonymity of the individuals whose location data was fed into NSO’s Fleming demo.

Gary Miller, a mobile network security expert and founder of cyber intelligence firm Exigent Media, reviewed some of the datasets and graphs, and concluded it was real phone location data.

Miller said the number of data points increased around population hubs. “If you take a scatter plot of cell phone locations at a given point in time, there will be consistency in the number of points in suburban versus urban locations,” he said. Miller also found evidence of people traveling together, which he said “looked consistent with real phone data.”

He also said that even “anonymized” location data sets can be used to tell a lot about a person, such as where they live and work, and who they visit. “One can learn a lot of details about individuals simply by looking at location movement patterns,” he said.

“If you add up all of the similarities it would be very difficult to conclude that this was not actual mobile network data,” he said.

A timeline of one person’s location data in Bahrain over a three-week period. Researchers say these red lines represent travel that seems plausible within the indicated time. (Image: Forensic Architecture/supplied)

John Scott-Railton, a senior researcher at Citizen Lab, said the data likely originated from phone apps that use a blend of direct GPS data, nearby Wi-Fi networks, and the phone’s in-built sensors to try to improve the quality of the location data. “But it’s never really perfect,” he said. “If you’re looking at advertising data — like the kind that you buy from a data broker — it would look a lot like this.”

Scott-Railton also said that using simulated data for a contact-tracing system would be “counterproductive,” as NSO would “want to train [Fleming] on data that is as real and representative as possible.”

“Based on what I saw, the analysis provided by Forensic Architecture is consistent with the previous statements by Tehilla Shwartz Altshuler,” said Scott-Railton, referring to the academic who said NSO told her that it was based on real data.

“The whole situation paints a picture of a spyware company once more being cavalier with sensitive and potentially personal information,” he said.

NSO rejected the researchers’ findings.

“We have not seen the supposed examination and have to question how these conclusions were reached. Nevertheless, we stand by our previous response of May 6, 2020. The demo material was not based on real and genuine data related to infected COVID-19 individuals,” said an unnamed spokesperson. (NSO’s earlier statement made no reference to individuals with COVID-19.)

“As our last statement details, the data used for the demonstrations did not contain any personally identifiable information (PII). And, also as previously stated, this demo was a simulation based on obfuscated data. The Fleming system is a tool that analyzes data provided by end users to help healthcare decision-makers during this global pandemic. NSO does not collect any data for the system, nor does NSO have any access to collected data.”

NSO did not answer our specific questions, including where the data came from and how it was obtained. The company claims on its website that Fleming is “already being operated by countries around the world,” but declined to confirm or deny its government customers when asked.

The Israeli spyware maker’s push into contact tracing has been seen as a way to repair its image, as the company battles a lawsuit in the United States that could see it reveal more about the governments that buy access to its Pegasus spyware.

NSO is currently embroiled in a lawsuit with Facebook-owned WhatsApp, which last year blamed NSO for exploiting an undisclosed vulnerability in WhatsApp to infect some 1,400 phones with Pegasus, including journalists and human rights defenders. NSO says it should be afforded legal immunity because it acts on behalf of governments. But Microsoft, Google, Cisco, and VMware filed an amicus brief this week in support of WhatsApp, calling on the court to reject NSO’s claim to immunity.

The amicus brief came shortly after Citizen Lab found evidence that dozens of journalists were also targeted with Pegasus spyware by NSO customers, including Saudi Arabia and the United Arab Emirates. NSO disputed the findings.
