Reading List
The most recent articles from a list of feeds I subscribe to.
How can 'buy now, pay later' get better?

Good afternoon! In today's edition, we asked a group of experts to think about the BNPL experience and consider what they thought would benefit the space. Questions or comments? Send us a note at braintrust@protocol.com
Safwan Zaheer

Managing director at HundredX
Banks and fintech firms that provide BNPL will need to balance the following elements to build profitable BNPL businesses:
- Focus on profitable market segments, i.e., segments where the use of financing for a purchase is high, average loan size is also high — ideally greater than $1,500 — and default rates are low (less than 10%). A retail ecommerce segment where the average loan is less than $400 and competition is high is not the best segment for a BNPL provider, especially a new player, to enter.
- Improve pricing strategies (for pricing arbitrage). Create micro segments of customers and find ways to price each customer segment differently based on risk profiles. Finding pricing arbitrage opportunities using customer data is one way to build a profitable BNPL loan portfolio.
- Focus on providing higher approval rates. Improve underwriting by using alternative data, such as mobile phone usage, utility, rent payments, behavioral data, and bank account cash flow, along with attributes provided by credit bureau data. In some market segments, BNPL players will need to provide greater than 75% to 85% approval rates to be a successful and viable player, especially in the dental and elective health care segment.
- Offer a mix of installment lending products. Offering only a mono-line BNPL product (four or six biweekly installments, interest-free) is not a good strategy. BNPL players should offer a mix of installment lending products, such as same-as-cash, no-interest-no-down, other promotional products, leases, and interest-bearing flexible short- and long-term loan offers; each of these has a different profitability performance. Offering a diversity of products to customers is one way for BNPL players to ensure the business is profitable.
- Offer other banking products (besides BNPL). Add other financial services products, such as credit cards, savings account, wealth and investment tools, and even crypto to the mix. Cross-sell these products to customers, ideally when the need has been identified and customers presented with a prequalified offer by leveraging data collected through BNPL usage behavior. BNPL providers will need to build a comprehensive road map of additional products to offer to customers if they are a BNPL-only provider.
Matthias Knecht

Co-founder & managing director at Billie
I believe the B2B BNPL payment experience in particular needs a major revamp. To activate the payment option "purchase on invoice" — by far the most popular payment method in many countries — business customers often have to go through a time-consuming process. In the first step, they have to apply for their desired credit limit manually by email or phone and provide proof of identity and creditworthiness to the merchant. The second step is to wait for the merchant's finance department to decide on the requested limit. This process can take anywhere from a few days to a week since everything is handled manually.
In 2022, we are talking about a payment experience for business customers that is stuck in the 1990s. Why? Because most retailers are working with in-house developed solutions that in many ways don't allow them to meet the modern shopping experience demands we've all adopted from our personal lives. This is what we at Billie want to change.
Sunil Singh

CEO at Tallied
Fundamentally we need to recognize that this is not a lending product. It's more commercially driven, used by merchants and providers to drive sales. With credit cards, a consumer’s rights and recourse are well laid out. There have been regulations for decades. Consumer harm is limited because there are good guardrails around it.
BNPL came up so quickly and drove so much volume, especially amid the frenzy during COVID-19. A lot of consumers don't even know what they're getting into, and so consumer harm potential is high. To make BNPL a sustainable long-term product category, consumer education and standardized disclosures will be key. Let them know that they are essentially stacking up debt and how it impacts their credit history if they’re not able to make payments, for example.
From the merchant side, there's a tremendous amount of data that is captured and nobody knows how BNPL providers are using it to market or to build their models. It's kind of a black box. So consumers and BNPL partners need greater transparency. Increasingly, merchants, some of whom are paying more than the interchange fee, are realizing they’d be better served if there were more of a relationship, and thus insights, with consumers to offer discounts and promotions. Ultimately, we may see BNPL get integrated into an existing product category, one being a credit card. So if you had a $5,000 bill and bought $1,000 worth of home improvement items at Home Depot, that $1,000 from your statement would convert into a BNPL installment payment over six months versus paying down your monthly bill.
Natasha Zurnamer

CEO at Optty
"Buy now, pay later" is well positioned to boom as consumers look for solutions to provide genuine relief during difficult economic times. BNPL companies should consider the following value propositions to better serve consumers. These include:
- Longer duration of payment plans, offering consumers choice to extend the payment intervals and even pay a small additional fee to be able to pay off in smaller increments over a longer period of time.
- Payment timing selection, allowing a customer to plan payments with income pay cycles to better manage their cash flow.
- Payment deferment to provide a small relief window on the timing of an upcoming payment in difficult times.
- Loyalty programs including cross-brand loyalty like petrol (gas) and travel discounts, frequent-flyer points, and more.
In these current times, BNPLs like Klarna and Afterpay offer consumers the ability to manage their plans with options to defer and notify on a return to extend the payment window to accommodate time for the items to be refunded. It is this relief that creates loyalty to the payment method. Opportunities for promotions exclusive to the BNPL payment method also offer merchants the opportunity to provide meaningful discounts to consumers, all supported by the BNPL provider. Promotions including "fourth payment free" are key drivers in difficult economic times and provide a 25% discount to consumers, which is highly appealing.
It is my belief that consumers will be open to paying small fees for longer payment windows, especially during peak season like Christmas, all driven by their desire to smooth their cash flow and buy the items of choice.
Sashank Rishyasringa

Co-founder and managing director at Axio
"Buy now, pay later" possesses the incredible potential to empower customers to make aspirational purchases without impacting their finances. BNPL is fundamentally a consumer loan and should be presented with complete transparency as a credit product and not merely a payment product. This will help alleviate the confusion caused by the mischaracterization of the product. Secondly, companies offering "pay later" should develop watertight underwriting policies to lower risk and loss rates. Finally, as a multi-use credit offering, "pay later's" utility and value increase when the product is available across several brands and categories. Building a seamless sign-up experience and improving the ease of use would also increase the frequency of utilization by customers.
Dominique Tetnowski

Research analyst at Juniper Research
The most significant ways in which the BNPL market can develop largely revolve around the need for a more secure regulatory environment. Although the way in which the BNPL regulatory framework will look in the near future is fairly unclear, it is clear that any adjustments made will be in the best interest of consumers, and as a result, ensure the market develops securely. Regulators are focused on reducing the financial risk currently threatening consumer debt rates. Within each market, the forthcoming regulatory framework will depend on the existing maturity of legislative frameworks and the effectiveness of specific consumer protection regulations. All regulatory changes will not only further protect the consumer, but also strengthen the overall BNPL market, creating a sustainable framework in which BNPL providers can innovate and develop.
Outside of the regulatory landscape, vendors must utilize all monetization opportunities by tapping into markets outside of the typical ecommerce and retail. By providing payment offering in less-explored verticals, BNPL providers will be able to further diversify their portfolios as product offerings and innovation become increasingly limited within ecommerce. For example, the provision of BNPL services within the health care sector increases accessibility for those who may not have been able to afford the full cost upfront, which further benefits both the health care provider and the BNPL service provider. To ensure the payment solution is utilized to its full potential, it must not be limited to one vertical. This will also ensure BNPL can compete with credit more successfully.
Libor Michalek

President of technology and risk operations at Affirm
Every year, Americans pay $120 billion in credit card interest and fees. In fact, the average American, paying only the minimum, spends nearly $1,000 annually in interest on revolving credit card debt. BNPL is supposed to be different, yet too many BNPL players continue to rely on outdated anti-consumer practices like late and hidden fees to generate revenue.
In 11 years of existence, Affirm has never charged a single penny in late or hidden fees. Consumers never pay more than they agree to upfront when making a purchase with Affirm.
So how did we end up here, and how can others follow suit?
Affirm underwrites every transaction at the point of sale, and only extends credit to consumers we believe will pay us back. If a loan is underwritten properly, there’s no need to make up lost revenue with late fees that hurt consumers when they’re already struggling. Strong underwriting is especially important during difficult economic times. Without finely calibrated tools to assess a consumer’s creditworthiness, some lenders’ only option is to resort to reducing approval rates — limiting consumers’ options, harming merchant partners, and ultimately decreasing revenue for themselves.
Consumers shouldn’t have to pay late fees to compensate for providers’ poor underwriting, nor should they have to pay late fees to providers that don’t bother underwriting at all. It’s time for BNPL to do away with hidden fees, underwrite properly, and do what’s right for the consumer.
See who's who in the Protocol Braintrust and browse every previous edition by category here (Updated Oct. 25, 2022).
How Square sucks up your email

Good morning! Square’s parent company, Block, sells access to customers’ inboxes. A new Protocol investigation looks into how it does that, and why it probably isn’t violating any laws in the process.
Square’s data loophole
Have you ever received a promo email from your local coffee shop, bakery, or boutique and wondered, “How the hell did they get my info?” Square, the ubiquitous point-of-sale company, likely has something to do with it, as Protocol’s Ben Brody discovered in an investigation published today.
Square’s parent company, Block, sells access to customers’ inboxes, Ben reports, even if the only permission the customer gives is to get a receipt from a single transaction.
- After getting countless promotional emails to his work address, Ben discovered that a single transaction in which he used his work email was all it took for it to be “sucked into the machine inside Square that sells email marketing services to smaller businesses.”
- Through Square, sellers can pay for access to a mailing list that lets them reach out to customers whose info they never collected themselves, as long as those customers have made a purchase from that merchant in the past.
Square card readers are just about everywhere: The company handled more than 3 billion card payments in 2021 and kept 261 million consumer profiles. In other words, it’s pretty hard to avoid its marketing reach.
Legally, Square seems to be free and clear to do this. Because it acts as a service provider to buyers, it doesn’t have many privacy obligations.
- Its main limitation is that service providers aren’t supposed to reuse data for their own purposes.
- But Square has found a loophole around that: In a separate privacy statement just for merchants, the company says that, when it’s selling marketing services, it actually stops being a service provider.
Though the company probably isn’t violating any laws — Ben was, after much effort, able to figure out how to wipe his info from Square’s marketing system — the high-friction, unintuitive process is nothing to be proud of. At the very least, it violates consumer expectations.
- “It is often surprising to people,” Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation, told Ben, “and surprising is never good when it comes to privacy.”
Read more: Square sells access to your inbox. No one seems to know if the law cares.
Online banks’ high-yield bet
While interest rates for borrowing have shot up considerably this year, savings accounts offered by online banks are seeing their own rate hikes, Protocol’s Ryan Deffenbaugh writes.
The typical annual percentage yield on high-yield online savings accounts broke 2% this month for the first time since 2019. That’s a stark contrast from the average rate on all savings accounts, which has barely budged at 0.16%, with some of the larger banks only offering 0.01%.
Online accounts often offer better interest rates, Ken Tumin, founder of DepositAccounts.com and a senior analyst at LendingTree, told Ryan.
- Along with using high-yield rates as a way to attract new customers away from traditional banks, online banks that offer high-yield accounts typically don’t have expensive branch networks to maintain.
- Online-only banks are also moving faster than traditional players in response to increasing interest rates. Goldman's Marcus savings account is at 2.35%, and LendingClub is listing 3.12%. At least nine online banks offer accounts with rates higher than 3%, according to DepositAccounts. Apple is getting in the high-yield game, too.
- “It starts becoming easier to justify moving your money to an online bank versus brick-and-mortar,” Tumin said.
But getting customers to abandon their old bank for an online one can be difficult. A survey by Bankrate found the average American has kept the same savings account for almost 17 years, often due to convenience.
- Because of this, big banks are keeping their rates low simply because they can, Ron Shevlin, chief research officer for Cornerstone Advisors, told Ryan.
- While a small number of customers are willing to move funds around to maximize their returns, the vast majority aren’t.
The small group seeking maximum returns may make all the difference to online banks, Shevlin said. Only time will tell if high rates are enough to make that group bigger. And because online bank rates often closely trail Fed rate increases, rates may still have room to grow.
Read more: High-yield online savings accounts are making a comeback.
Reaching net zero equitably
Carbon dioxide removal is vital to reaching net zero. But doing so in an equitable way is crucial. That’s why Carbon Direct, a company that helps others manage their emissions, hired Christian Braneon as its first head of climate justice, Protocol’s Michelle Ma writes.
Deploying carbon removal at scale has the potential to negatively impact local communities and ecosystems. The best way to mitigate this is by involving communities early in the process, Braneon told Michelle.
- Low-income countries are already being impacted by the climate crisis they had little role in causing. Carbon removal could balance the scales.
- “Carbon dioxide removal presents an opportunity for wealthy nations to remove legacy emissions they’ve already put in the atmosphere and help society avert these climate change impacts that will disproportionately affect low-income countries.”
Braneon’s biggest concern is that, if carbon removal is done too hastily, there could be “unintended consequences.” That points to the need for a new model of community engagement.
- “We don’t get to decide what community benefits are,” Braneon told Michelle. “The community tells us what they perceive as benefits. And then we work with them to come up with solutions that help achieve those benefits and create equitable outcomes.”
Braneon wants clients to understand that making a positive impact is about more than just pulling carbon from the air. By taking this role at Carbon Direct, he hopes other carbon removal companies come to understand that, too.
Read more: Carbon Direct just hired its first head of climate justice. Here’s why that matters.
People are talking
Brad Gerstner, CEO of long-term Meta shareholder Altimeter Capital Management, said the company needs to rein in spending on its metaverse investments:
- “Meta has drifted into the land of excess — too many people, too many ideas, too little urgency. Meta needs to get its mojo back.”
Michael Gronager, CEO at Chainalysis, sees the crypto industry’s challenges as an opportunity for the company to better work with regulators:
- “The hard part is to create the regulatory technology that enables these technologies to work with low risk or less risk. That's kind of the foundation of Chainalysis.”
FBI director Christopher Wray said charges against Chinese intelligence officers are an example of China's efforts to gain an advantage over U.S. tech companies:
- "We also see a coordinated effort across the Chinese government to lie, cheat, and steal their way into unfairly dominating entire technology sectors, putting competing U.S. companies out of business.”
And Intel CEO Pat Gelsinger isn’t too surprised by the U.S. chip restrictions against China:
- “I viewed this geopolitically as inevitable.”
Making moves
Green Dot fired Dan Henry as its CEO, replacing him with chief financial and operating officer George Gresham.
EK Chung joined Reddit as its VP of user experience. Chung has 12 years of UX experience at Google, Microsoft, and Yahoo.
Bill Harris, founding CEO of PayPal and former CEO of Intuit, is launching Nirvana Money, a credit card and money management product for “middle-income Americans.”
Paul Foley is the new head of brand protection at ecommerce company StockX. Foley held similar roles at Nike and Converse.
Ritwik Tewar is joining Aledade as its chief technology officer. Tewar is the former senior director of engineering at Meta.
In other news
FTX will pay about $6 million to its account holders impacted by a phishing incident from a third-party website. But CEO Sam Bankman-Fried said in a tweet that the compensation is a “one-time thing.”
Telehealth startup Cerebral is cutting 20% of its staff as it restructures operations to match customer demand.
The FTC has ordered alcohol-delivery service Drizly, and its CEO James Cory Rellas, to boost the company's security after a breach exposed the data of roughly 2.5 million customers.
Here’s a close look at TSMC from the FT, exploring how the Taiwanese chipmaker got caught in the middle of the U.S.-China chip war.
Apple is raising the prices of several of its subscription services, including Apple Music, Apple TV+, and the Apple One subscription bundle.
Funding given to Black startup founders has declined. They raised $187 million in Q3, down from the $1.1 billion they received in the same period of 2021.
Marqeta is rolling out a suite of new tools meant to help businesses offer more banking services. The company already helps businesses issue cards to their customers.
WhatsApp suffered a big outage overnight, its first major failure since last fall.
NASA’s asteroid problem
NASA has proven that it knows how to successfully smack an asteroid off course, should one come hurtling toward earth. The problem is, the agency doesn’t always see them coming. NASA estimates that it tracks only around 40% of asteroids large enough to do real damage if they were to hit Earth. And in order for it to deploy an asteroid-whacking satellite, the agency would need to know years, not months or weeks, in advance when another rock is speeding our way.
With Chainguard, a team of former Googlers wants to fix software security — and 'do it right'

In mid-2021, Renee Shah received a tip in her text messages, the kind that just about any venture investor would love to get.
“You can’t miss this deal,” the message read. “The ‘Justice League of security’ is spinning out of Google.”
Today, that group of former Googlers is better known as the founding team of Chainguard. But true to its billing, the startup is on a daunting mission, aiming to make a big dent in one of the most intractable areas of cybersecurity today.
Over the course of its first year, Chainguard has emerged as one of the most promising players in the effort to curtail the massive security risks of the software supply chain, industry experts told Protocol.
It’s an issue of some urgency: A growing number of attacks seek to use the software development process itself as a vehicle for delivering malicious code into a commercial application, in order to compromise the organizations that use the software, as occurred in the widely felt SolarWinds breach of 2020.
Chainguard stands out thanks to a unique product strategy and strong appeal among developers, as well as the deep experience of the founding team in open-source software and security. That included a combined 35 years at Google working on initiatives such as Kubernetes, the dominant system used in container-based software development, and related open-source projects.
Chainguard's goal "is really to try to make the software development life cycle and software supply chain secure by default," said co-founder and CEO Dan Lorenc, "because that's the only way it will actually get secure."
Chainguard’s products can be used to secure the software supply chain for cloud-native applications in Kubernetes at a more fundamental level than other vendors, according to third-party experts and the company’s founders.
While Chainguard doesn't yet address the whole problem of software supply chain security, "they're solving a really big chunk of it," said Katie Norton, a senior research analyst at IDC.
Still, the company's ultimate goal is to secure the entire software development process, Chainguard's four founders told Protocol in recent interviews.
Supply chain insecurity
Shah, a partner at Amplify Partners, was destined to get an early glimpse of the plans for Chainguard.
Even before getting the “Justice League” tip, Shah had coincidentally just set up a meeting with Lorenc, then a Google engineer, who was a leader of a fast-growing open-source project called Sigstore that would become part of the basis for Chainguard’s products. Amplify went on to lead the startup’s seed round of funding, and Chainguard has now raised $55 million in total funding and has 52 people on staff.
Not only do the Chainguard founders bring uncommon expertise on software supply chain security, but "they are so great at building products that developers really want," Shah said.
If there's such a thing as a superpower in cybersecurity, getting developers to care about a security tool is probably it. For most developers, security is "last on their list," according to Lorenc.
Once a largely obscure concern, the security of the software supply chain became a top priority across the U.S. government and C-suite in the fallout from the SolarWinds breach. The Russia-linked attack, which poisoned a SolarWinds application with malicious code that was then widely distributed across its customer base, was discovered in December 2020.
In response, a deluge of security tools has come to market, many of them geared toward scanning software for vulnerable components.
Such tools do have their uses in reducing software supply chain risk. Chainguard comes at the problem from a different angle, however.
"We're starting all the way back to square one," said Kim Lewandowski, co-founder and head of product at Chainguard. That has included taking the unorthodox step of providing secure building blocks for software, endowing applications with the most secure baseline possible without creating extra work for developers.
Specifically, Chainguard offers its own container base images — files that serve as the foundation of a cloud-native application — which the company says will ship without any known vulnerabilities. This is an advantage because many of the open-source options that are popular with developers come with a large number of bugs from the start.
The company recently took the additional step of creating its own flavor of Linux, dubbed "Wolfi," that is now supporting its secure-by-default container images. Customers of Chainguard get container base images with enterprise-friendly features such as a service-level agreement, which promises any future vulnerabilities that are found will be patched in an agreed-upon timeframe.
Underpinning Chainguard’s products is Sigstore, which Lorenc had co-created while at Google and had generated strong interest from developers as an open-source project. The tool makes it easier for software makers to do what's known as "code signing," a way of proving the authenticity of a piece of software.
The Chainguard images are all digitally signed and include a software bill of materials, which provides transparency into the software's components. Chainguard has also begun manually curating a feed of vulnerability information for customers to help with vulnerability management.
Deploying secure software
At the other end of the chain, the company provides greater transparency into application code, while automatically ensuring that only trusted software is being deployed out to customers.
With its Enforce product, Chainguard provides visibility into code that's being deployed to "production" Kubernetes environments, which is the final step that makes the software available to users.
Having this greater transparency can provide an understanding of the security posture of code that's being deployed. For instance, Enforce can determine what code has been signed (such as through using Sigstore) and can therefore be trusted for deployment to users.
The tool can also determine which software packages included in the code feature a software bill of materials, which can offer further specifics around whether any vulnerable components are being used. Enforce ultimately enables better asset management for software teams, since it "gives you a real-time view of what's running in your production systems," Lewandowski said.
"And so once you get a picture of how scary things might be, then you can start enforcing different types of policies on it," she said.
For instance, a customer could prevent an untrusted container image from getting deployed into a production environment. Or, Enforce could be used to block deployment of a software component with a newly discovered vulnerability — a capability that would prove very handy after the discovery of a critical vulnerability such as last year's flaw in the widely used Apache Log4j component.
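The signing and deploy-time policy described above, reduced to its essentials as an added example (this is not Chainguard's or Sigstore's code, and the data model is constructed for illustration): a publisher signs an image digest with a private key, and a deploy-time admission check refuses any image that is unsigned, signed by a key outside the trusted set, shipped without an SBOM, or whose SBOM lists a component version on a block list. Ed25519 keys stand in for Sigstore's certificate-based identities, and the image digests, package names and the blocked version are all made-up values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Component is one SBOM entry: a package name and version (constructed values below).
type Component struct {
	Name    string
	Version string
}

// Image is what the admission check sees for one container image:
// its content digest, an optional signature over that digest, and an optional SBOM.
type Image struct {
	Name      string
	Digest    string      // constructed stand-in for a sha256 image digest
	Signature []byte      // ed25519 signature over Digest; empty if unsigned
	SBOM      []Component // empty if no SBOM was attached
}

// Policy holds the keys allowed to sign images and the component versions that must not ship.
type Policy struct {
	TrustedKeys []ed25519.PublicKey
	Blocked     map[string]string // package name -> blocked version (constructed)
}

// SignDigest is the publisher side: it signs the image digest with the signing key.
func SignDigest(priv ed25519.PrivateKey, digest string) []byte {
	return ed25519.Sign(priv, []byte(digest))
}

// Admit is the deploy-time side: it returns whether the image may run and the reason.
func (p Policy) Admit(img Image) (bool, string) {
	if len(img.Signature) == 0 {
		return false, "unsigned image"
	}
	trusted := false
	for _, k := range p.TrustedKeys {
		if ed25519.Verify(k, []byte(img.Digest), img.Signature) {
			trusted = true
			break
		}
	}
	if !trusted {
		return false, "signature does not verify under any trusted key"
	}
	if len(img.SBOM) == 0 {
		return false, "no SBOM attached"
	}
	for _, c := range img.SBOM {
		if v, ok := p.Blocked[c.Name]; ok && v == c.Version {
			return false, fmt.Sprintf("contains blocked component %s@%s", c.Name, c.Version)
		}
	}
	return true, "admitted"
}

// RunScenarios builds one trusted and one untrusted key, then evaluates five constructed
// images against the policy and returns the allow/deny outcome per image name.
func RunScenarios() map[string]bool {
	trustedPub, trustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader) // a key the policy never trusted
	if err != nil {
		panic(err)
	}
	policy := Policy{
		TrustedKeys: []ed25519.PublicKey{trustedPub},
		Blocked:     map[string]string{"example-logging-lib": "1.0.0"}, // constructed block-list entry
	}
	goodSBOM := []Component{{"example-web", "3.2.1"}, {"example-logging-lib", "1.0.1"}}
	badSBOM := []Component{{"example-web", "3.2.1"}, {"example-logging-lib", "1.0.0"}}

	images := []Image{
		{Name: "unsigned", Digest: "sha256:aaaa", SBOM: goodSBOM},
		{Name: "rogue-key", Digest: "sha256:bbbb", Signature: SignDigest(roguePriv, "sha256:bbbb"), SBOM: goodSBOM},
		{Name: "no-sbom", Digest: "sha256:cccc", Signature: SignDigest(trustedPriv, "sha256:cccc")},
		{Name: "vulnerable", Digest: "sha256:dddd", Signature: SignDigest(trustedPriv, "sha256:dddd"), SBOM: badSBOM},
		{Name: "clean", Digest: "sha256:eeee", Signature: SignDigest(trustedPriv, "sha256:eeee"), SBOM: goodSBOM},
	}
	results := make(map[string]bool)
	for _, img := range images {
		ok, reason := policy.Admit(img)
		results[img.Name] = ok
		fmt.Printf("%-10s allowed=%-5v %s\n", img.Name, ok, reason)
	}
	return results
}

func main() { RunScenarios() }
```

Only the "clean" image is admitted. The order of the checks matters in practice: the signature is verified before the SBOM is consulted, so an attacker cannot talk the policy into a decision by attaching a well-formed SBOM to an image nobody trusted signed. Adding a newly disclosed version to the block list is how a deployment gate like this would respond to a Log4j-style event without touching the images themselves.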
An expanding threat
With supply chain attacks, the opportunity to "compromise one, compromise many," by implanting malicious code in a single piece of software destined for a large customer base, has proven highly appealing for hackers.
While the SolarWinds breach affected numerous U.S. federal agencies and thousands of companies, overall attacks against the software supply chain are up as well, surging 300% in 2021 from the prior year, according to a report from Aqua Security.
At the same time, more businesses now have their own internal software supply chains to worry about, as companies of all stripes have begun developing their own software. The widespread use of vulnerability-prone open-source software has only compounded the risks.
Securing the software supply chain is very different from securing employee accounts, or protecting an organization's data. Even calling it the supply chain security “problem” is almost a misnomer, Lorenc said, because in reality “it’s like 37 problems, all rolled into one.”
"It's not something a CISO can just buy and bolt on at the end of the [development process], and somehow secure all the steps before that," he said. "It's going to take real change from developers, and lots of them, to cause a shift here."
Google, of course, is a good place to gain expertise on open-source software, developer tools, and cybersecurity. Or to be a pioneer in those areas, as has been the case with Chainguard's four co-founders, who’ve had a hand in many of the notable projects at Google over the past decade.
A sampling of their work at Google: Lorenc launched a popular tool for running Kubernetes container orchestration locally (Minikube), while Lewandowski co-created a trailblazing supply chain security framework, known as SLSA.
CTO Matthew Moore, meanwhile, co-founded the Google Container Registry and led an open-source project to enable serverless containers in Kubernetes environments (Knative), while co-founder Ville Aikas was an early member on the Kubernetes project itself.
With the focus on Sigstore, following the tech industry playbook of building enterprise products on top of open source is one part of the equation for Chainguard. And “having the main authors of open-source projects, on the team that's commercializing that open source, is extremely important,” Shah said.
But the Chainguard founding team also realized that when it comes to the software supply chain problem, the group is well positioned overall, Lewandowski said: "We know this space. We can help people here."
Fixing the foundation
Years before the SolarWinds breach, Santiago Torres-Arias had already been researching the issue of software supply chain security.
Torres-Arias was among the academic researchers who helped to develop in-toto, a federally backed framework for securing software supply chains that likely would have made a difference in mitigating the SolarWinds attack, had it been implemented.
Now that the world is paying attention to software supply chain security, Torres-Arias, an assistant professor at Purdue University, told Protocol he sees a different problem cropping up: There are a huge number of vendors claiming to have the answer, and they really don't.
"It's a complex and nuanced problem. You can't just install this one thing" and secure the software supply chain, he said.
Instead, the solution needs to be built into the supply chain itself, "from the ground up," Torres-Arias said. Chainguard’s container base images make it one of the very few vendors that gets that, he said.
Vendor claims about "shifting left" to bring security earlier in the software development process have been abundant lately. But releasing a new flavor of Linux to make software as secure as possible from the get-go? That's "not something you'll find other companies trying to do," Torres-Arias said.
While many vendors enable remediation of security issues that've been discovered, it's often difficult for developers to actually make the fixes, IDC's Norton said.
Chainguard, she said, stands apart by allowing development teams to "start with a clean slate, which is way easier than having to go back and fix a bunch of stuff."
The rest of the chain
It's no accident that Chainguard has begun with securing "the first and last links" in the software supply chain, said Moore, the company's CTO and co-founder. The goal is for the two products to serve as a strong foundation before the company sets out to work its way through the rest of the supply chain, he said.
The vision is to cover the entire chain over time, and the company is still determining where to go next, both in terms of covering new areas and expanding its existing products, the Chainguard founders said.
"This is going to be a long process of chipping away and fixing things," Moore said. "There's a lot of links in the chain, and they all need to be strong."
For example, midway through the chain, code is converted into an executable program, in what's known as the "build" phase. Investigators believe the initial compromise of SolarWinds was during this phase.
The running theme for Chainguard, however, will be on making it easier for development teams to do the right things in security and harder to do the wrong things, the founders said.
Still, while the development of new software has largely shifted to cloud-native technologies such as containers, many existing applications continue to rely on older technologies such as mainframes, Norton noted.
"There are so many legacy applications that exist, which these newer applications are often built on top of, or connected to," she said. "In the big picture, [legacy applications] also need to be addressed in terms of security."
Focus on developers
But for the development of new software, or updates to existing software in Kubernetes environments, Chainguard has a lot to offer, particularly since the startup is so developer-oriented, Norton said. IDC research has shown that catering to developer needs is "incredibly important" for addressing this issue, she said. Today, to really get supply chain security tools adopted within an organization, "they need to be designed with the developer in mind."
Chainguard's founders say they've modeled the company itself as a developer tools provider, with its products meant to blend into the existing software development process. It's an approach that has been hugely successful for another developer security vendor, Snyk, which ranks at No. 2 among the top-valued private cybersecurity vendors with a valuation of $8.6 billion, according to CB Insights.
For Chainguard, the founders say the aim is to make developers more productive, not less. For instance, Enforce automatically monitors running applications and can notify developers if an app falls out of compliance, sparing them from manual analysis.
Going forward, some accountability for securing software may also end up falling on developers, whether they like it or not. The much-discussed idea of merging DevOps with security — to form a "DevSecOps" approach, where security is a shared responsibility across functions — is one indicator of this trend.
Still, most developers are not security experts, don't want to be, and are mainly under pressure to push out new software. And so for the developer, Aikas said, "security is something that you shouldn't really have to worry about. That's something we should be able to handle for you."
Chainguard has focused on working closely with a small number of customers so far, and will be more aggressive about looking to expand its customer base in 2023, Lewandowski said.
Hewlett Packard Enterprise and Block (the parent company of Square) are among Chainguard's customers. Block has adopted Enforce in place of several homegrown and open-source software supply chain security tools it had been using, according to a customer case study released Monday by Chainguard.
Ultimately, Chainguard is committed to making good on its goal of securing the whole software supply chain, and is not looking for a quick exit, the founders told Protocol. "We'll be here for a while," Lorenc said.
Without a doubt, the company's strategy of trying to fix the software supply chain down to its core, rather than with a "bolt-on" solution, is a “harder road to take," he said. "But if you're going to do this, you might as well do it right."
This story was updated to clarify how Chainguard ships its container base images.
Square sells access to your inbox. No one seems to know if the law cares.

When COVID-19 forced Compass Coffee to close down its Washington, D.C.–area shops, the roastery’s owners turned to email to stay in touch with customers. They knew just the tool: The company was already all in on Square. Compass co-founder Michael Haft had even taken a glass-blowing class from Jim McKelvey, who co-founded the service.
“It’s always just been a great point-of-sale system — very intuitive for our baristas, very easy for customers,” Haft said. To his delight, Haft discovered that Square also gave Compass the potential to reach out to both a small number of its most loyal customers as well as many, many would-be local coffee sippers. Now, he pays $200 per month for access to a list of at least 15,000 email addresses of his more casual customers in Square’s directory, he said, which is “absolutely” a huge multiple of the ones Compass collected itself.
I was speaking with Haft because I’ve been receiving Compass marketing messages at my work email address — as I have been from fruit stands, an artisanal butcher, and a cheesemonger, plus a Korean bowl spot I run to for dinner too often and the boutique where I bought a set of cloth napkins the color of autumn leaves last year. It’s a record of my bougiest shopping habits, and as marketing goes, most of the messages are more appealing than what I get from major mainstream retailers that don’t use Square.
Here’s the thing though: I can’t remember ever having checked out at any of these merchants using my work email address, much less using it to sign up for marketing. A search of my account didn’t turn up any records. Annoyed with the most insistent emailers, I reached out to the sellers who reached out to me — except, as a reporter rather than as a customer — to figure out what was going on.
I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today’s world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square’s parent company, Block, was selling access to customers’ inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below).
Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn’t appear to violate data protection laws, the practice is walking a fine line.
“They’re trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible,” said Sucharita Kodali, a vice president and retail analyst at Forrester.
Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers’ data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.
‘Surprising is never good’
My work inbox’s collision with Square-powered marketing seemingly began in June, when I had a receipt for a small processing fee related to obtaining a press pass sent to it. I paid with a personal card, and that transaction added my work address to my existing Square profile, which was in turn already linked with that card. That was all it took. Even though I’ve never used that particular card at most of the businesses now emailing me, and I don’t get any other receipts sent to my work email, the address was circulated to marketing lists far and wide.
Once it became part of my profile, the email address was sucked into the machine inside Square that sells email marketing services to smaller businesses, like Haft’s, that want to keep in touch with their customers. As Haft discovered, Square provides those merchants the ability to manage their campaigns. It also takes its vast store of contact information — which a close reading of its terms of service reveals it collects from consumers who want a receipt sent to them — and gives smaller businesses access to those email and text inboxes. That includes the ability to reach out to customers whose details the sellers never collected themselves. All Square needs is for the targeted customer to have made a purchase at some point from the merchant that wants to send that ad.
Hence the state of my inbox.
That advertising network is indeed huge. Square’s ubiquitous card scanners and checkout consoles are first among equals in the fintech revolution that made it so most small businesses could easily afford to take credit card payments. Block disclosed in securities filings that it handled more than 3 billion card payments in 2021 and kept 261 million consumer profiles — a major increase from more than 2 billion payments and 210 million profiles in 2020. It serves everyone from parents running a local bake sale for the PTA to regional chains like Compass.
A spokesperson for Square said in a statement that the company “helps sellers connect with their buyers and offer an easier, faster checkout experience by saving buyer contact information, so buyers don’t need to re-type their email address every time they wish to receive receipts,” adding that it “reminds consumers of these options in every receipt.” In other words, Square says its system is really all just about customer convenience — making sure you get payment receipts with minimal friction.
For a while, I ignored being a small part of that marketing edifice. Being alive in 2022 requires a certain tolerance for getting hit with ads, even from businesses you may not have given your information to in the first place. I spent some time quietly annoyed with the more persistent local shops. Friends and Protocol colleagues reported facing similar problems with Square, though, so — remembering that consumers are generally supposed to have the ability to delete our data under Europe’s GDPR, California privacy law, and other state approaches — I decided to purge my work address from my profile and, if I could, opt out of the marketing.
It wasn’t easy. As a tech policy reporter, I’m probably more used to chasing down and exercising my privacy options than most users, but Block had hidden the options behind multiple verification prompts and nested them within seemingly unrelated menus like a credit card preferences screen.
The emails Square generates are “one of my biggest pet peeves,” Megan Gray, a Washington, D.C.-based privacy lawyer who formerly worked at DuckDuckGo and the Federal Trade Commission, said of Square’s privacy practices.
For instance, when I signed in (as prompted) with my phone, I had to enter a code that was texted to me, navigate to a menu on credit cards — not the menu about emails — then confirm the information on my card, and then “unlink” the address from my account.
Eventually, I also discovered I could go to the login page and, instead of using my phone, click the link at the bottom that reads, “Sign in with email.” Following that process and then going to the “notifications” section allows you to opt out of receiving automatic receipts, messages from individual businesses, or marketing as a whole (in my case, from more than 100 businesses).
Most consumers have too much “shit to do” to take advantage of such a convoluted system for opting out, Gray said.
“We have to go grocery shopping. We need to pick up the kids,” she said. “The dog vomited on the carpet. We do not have time or bandwidth to figure all of this out because it is not intuitive.”
Even after I figured out how to opt out of the emails en masse, I encountered challenges. At one point, I went back through the cell phone login to make sure I hadn’t missed anything. I saw that Square claimed, in the section that was devoted specifically to contact info, not to even know an email address for me, even though it was sending me ads there. I thought I might be able to exercise some control if I added my address there specifically. When I again followed the verification prompts, however, the system told me that the address already existed on another profile. I apparently had two separate profiles: one tied to my cell phone and one tied to my work email address. There might even be a third tied to my personal email address. All of these profiles had all my info somewhere in them. It’s just that Square objected when I tried to confirm those details across profiles. If this seems head-spinning, that’s how it all felt.
[Screenshot: two separate Square profiles, one tied to my cell phone and one tied to my work email address. Credit: Ben Brody/Protocol]
“It’s so odd that I can’t imagine why they might make it work this way,” said Harry Brignull, an expert in digital design techniques that nudge consumers toward particular actions, often known as dark patterns. Brignull said he couldn’t rule out sloppy programming, but noted that the checkout features in-store tend to be “pretty slick.”
“I’d be willing to bet that they already know how to design things very, very well in order to make money,” he added.
Square said that, unless buyers link up their profiles, the company keeps them separate “to protect user information.”
Good service?
Privacy experts largely said Block probably isn’t violating the law — specifically, California’s privacy rules, which act as a de facto national standard. After all, I did eventually find a way to access my info, correct it, and delete it. I also found I could opt out of the marketing emails after a lot of digging. Square anonymizes email addresses when allowing a business to target consumers whose information the merchants didn’t collect. That could just be a way for Square to keep a tight grip on valuable information about its merchants’ consumers, much as Facebook and Google do when selling insights based on data they keep in-house. It also means Square is staying on the right side of existing California law that regulates sharing of consumer data.
Still, the experts said the high-friction, unintuitive process was nothing the company should be proud of. Some of them also noted that the way Square takes in customer data on behalf of small merchants and then quietly uses that same data to power a marketing platform seems to at least violate consumers’ expectations.
“It is often surprising to people — and surprising is never good when it comes to privacy,” said Hayley Tsukayama, senior legislative activist at the Electronic Frontier Foundation.
In an FAQ about its standing under California law, Square says it “acts primarily as a service provider” when it comes to everyday buyers. That means it has fewer privacy obligations because, as it facilitates payments, it’s just carrying out whatever directives the actual customer-facing merchant asked for. In most cases, however, those small, local retailers are themselves exempt from California law, meaning that Square gets to collect information on hundreds of millions of transactions while consumers get very few rights from any of the firms they deal with.
In addition, the main limitation placed on service providers in California is they’re not supposed to reuse the data for their own operations — which is exactly what Square appears to be doing. That seems to be why, in a separate privacy statement aimed only at merchants who use Square, the company says that, when it’s selling marketing services, the company actually stops being a service provider. Square said it also stops being a service provider much earlier, when it is merely sending customers receipts that they’ve asked for. That seems to be how the company justifies reusing that data: Although consumers might opt in to get a tallied list of charges from the businesses they’re actually buying something from, Square actually offered to send those receipts under its own initiative, donning a legal label that then allowed it to reuse the data for any purpose, including marketing.
Square, in its statement, said it complies with all requirements stipulated under California’s privacy law and “continually evaluates ways to make our tools easier to use for both sellers and buyers.”
At one point, though, the company did seem aware it was playing in a new area, full of questions.
“We often bring things into the world that are novel, and how regulatory frameworks or legal principles will apply to them is not always clear,” Dana Wagner, then general counsel at Square, said to Bloomberg Law back in 2016. “And sometimes institutions or regulators or other members of the industry find that a little terrifying.”
“There are certainly companies that do play in the gray area to their advantage,” Tsukayama said. “It is just a model that was not contemplated” when regulation was crafted. She described Square’s position as being in “a weird, in-between-y area.”
But the company’s model — both providing infrastructure for small businesses and also selling marketing back to those businesses — is increasingly common, especially after COVID-19. Toast, which powers a lot of restaurant ordering, similarly sells marketing.
Hot water
Ultimately, Haft of Compass Coffee said when his business started to send more marketing through Square during the pandemic, it helped keep in touch but initially put off some customers. He eventually scaled back, focusing more on birthday promotions, which offer free drinks and tend to get opened by the majority of those who receive them. Open rates have since shot up, and even though individual retailers’ messages do include unsubscribe buttons, opt-out rates have decreased to a quarter of what they were when he started.
Haft said he’d found that his original marketing approach was certainly helpful, but came with downsides, including the fact that Square controls much of the stores’ relationship with their customers even though Compass had to deal with whatever reaction customers had to the messages.
“When you send an email that doesn’t land, you get a huge unsubscribe rate,” Haft said. “If you send out garbage, people, they hate you.”
High-yield online savings accounts are making a comeback

Online banks are once again racing for savers’ cash.
Over the course of the Federal Reserve’s seven-month campaign of rate hikes, a common complaint from lawmakers and consumers alike is that rates are going up for borrowing — mortgages, credit cards, personal loans — but not savings accounts. That has changed quickly in the second half of this year, mostly at online banks.
The typical annual percentage yield on high-yield online savings accounts cracked 2% this month for the first time since 2019, according to an index kept by DepositAccounts.com. Rates have quadrupled since May.
The increases stand in contrast to standard savings accounts at brick-and-mortar banks. The average rate on all savings accounts has barely budged, at 0.16%, according to Bankrate. Some of the largest banks are offering only 0.01%.
Finally rising
At Ally Bank there is an offer for a 2.35% APY for a high-yield online savings account, plus a 1% cash bonus up to $500 for new accounts. Just five months ago, that same account paid 0.75% APY on deposits.
Ally, a 20th-century General Motors lender turned 21st-century online bank, explained last week to analysts that it needs to keep up.
“It’s been interesting to see some of the behaviors we’ve observed in the fourth quarter, in the direct banks and a couple of folks now paying in excess of 3%,” CEO Jeff Brown said on an Oct. 19 analyst call. “Frankly, that surprised us a little bit, just in terms of how aggressive some rate payers are being right there.”
It is not unusual for online accounts to offer better rates, noted Ken Tumin, founder of DepositAccounts.com and a senior analyst at LendingTree, which owns the site. The online banks that offer high-yield accounts mostly don’t have the expensive branch networks to maintain and need a way to win customers from incumbents.
But even online accounts shifted to offering comparatively slim rates during the pandemic when the Fed lowered interest rates. The DepositAccounts index fell to 0.45% APY in May 2021.
“For most of 2021, and even for online banks, the savings rates were at lower levels than the last time the Fed held rates near zero,” Tumin said.
Most banks don’t want deposits they can’t productively lend. And both online banks and traditional banks alike were awash with deposits during the pandemic, as spending slowed and government stimulus padded bank accounts. Those same factors caused lending to decrease, leaving banks with excess deposits.
But that trend has changed course in the second half of this year, with loan demand growing and deposits decreasing. That has caused analysts to keep a close eye on rising deposit costs for banks. It is a balancing act. Increases in interest paid for deposits could cut into a bank’s net interest margin, the difference between its costs of deposits and interest earned on lending.
Online-only players are moving more quickly than traditional banks. Goldman's Marcus savings account is at 2.35% and LendingClub is at 2.85%. Apple is getting in the game, too, teaming up with Goldman to enter the market, promising a high-yield savings account for its Apple Card members, though the company has yet to advertise an APY.
But some big bank leaders told analysts in earnings calls earlier this month that the rate they pay on deposits tends to lag Fed hikes and could increase soon. “As rates continue to rise, we would expect deposit betas to continue to increase [and] customer migration from lower yielding to higher yielding deposit products to also increase,” Wells Fargo CFO Mike Santomassimo said on the bank’s Oct. 14 earnings call. Beta is the percent of interest increases that banks pass onto customers.
In the meantime, online banks could try to lure consumers through better rates. Banks are offering an average 0.21% APY on savings, according to FDIC data. Tumin noted that a 2.1% APY savings account could net a $200 annual difference for someone with $10,000 in their account — a much bigger gap than when rates were low last year.
“It starts becoming easier to justify moving your money to an online bank versus brick-and-mortar,” Tumin said.
Is it enough?
Banking customers and their deposits tend to be pretty sticky, however. A January survey by Bankrate found the average American has held onto the same savings account for nearly 17 years, with convenience among the top reasons why.
“For the big banks, or even just banks in general, they are not raising the rates for a very simple reason: They don’t have to,” said Ron Shevlin, chief research officer for Cornerstone Advisors, a banking research firm.
Shevlin said there is a group of customers who actively manage their savings account and are willing to move the funds — what he called hot deposits. But a larger group of U.S. banking customers don’t look to maximize returns on their deposits.
People most often need some sort of trigger to leave their bank, he added — something like a bad customer service experience or an account-opening deal too good to pass up. “For some people, a higher rate can be a trigger,” Shevlin said. “But for a larger group, it just isn’t enough.”
What’s next
But even a small group of customers shifting to an online bank can make a difference for that company, Shevlin added. Time will tell if the current gap in rates between online banks and brick-and-mortar is enough to convince customers to make the switch.
That will be worth watching as LendingClub and SoFi — both fintech lenders turned chartered online banks — report earnings in the next two weeks.
Ally grew its customer base by 6% year-over-year, according to its earnings report, and said it is pacing for total annual deposit growth. But the firm’s leaders acknowledged to analysts that it expects the interest environment to stay competitive.
But gains in online savings account rates are still trailing the Fed’s overall increase, according to DepositAccounts data. So rates could keep growing.
“Back when the Fed was at 5.25% in 2006, 2007, we had online savings account rates as high as 5% to 6%,” Tumin said. “Online banking account rates often come close to the federal funds rate — and that will likely occur again over the next year.”