SpaceX is Days Away From a Major Milestone for the Falcon 9 Rocket

This Tuesday’s planned launch of the Hispasat 30W-6 from Kennedy Space Center will be a landmark for Elon Musk’s SpaceX. If everything goes according to plan, it will be the 50th time the company’s Falcon 9 rocket successfully heads into the stratosphere since its inaugural flight in June 2010.

According to Ars Technica’s Eric Berger, who highlighted the imminent landmark, the Falcon 9 should make it to 50 launches faster than some comparable programs. The United Launch Alliance Atlas V rocket took nine years and seven months to hit that mark, while the space shuttle program launched 50 times in its first 11 years and 5 months.

Get Data Sheet, Fortune’s technology newsletter.

Of course, not every Falcon 9 mission has been a success. The rocket’s 19th attempted launch, a space station resupply mission, failed in June 2015. And a particularly embarrassing launchpad explosion destroyed an expensive satellite, partly underwritten by Facebook, in the fall of 2016.

But 2017 was a banner year for the company, with a record 18 Falcon 9 launches, and no major launch mishaps. This year is also off to a good start, with three successful Falcon 9 launches. One of those missions ended with the reported loss of the secretive Zuma satellite, but SpaceX has maintained that wasn’t its fault. On top of that, the long-awaited Falcon Heavy launched successfully in early February.

Assuming Tuesday’s launch is similarly uneventful, SpaceX’s 2018 will be jam-packed. Around a dozen Falcon 9 launches and two commercial Falcon Heavy launches are already scheduled, but there are other payloads waiting, yet still unscheduled. SpaceX is aiming to open a new launch facility in south Texas before the end of the year, so things could get downright hectic.

Drunk New Jersey Man Accidentally Takes 300-Mile, $1,600 Uber Ride

New Jersey native Kenny Bachman got more than he bargained for when he climbed into an Uber last Friday, after a night of partying with friends in Morgantown, West Virginia. Bachman was staying on the campus of West Virginia University, and thought he had summoned a car to take him there.

But Bachman apparently blacked out, and when he came to, he was instead halfway back to New Jersey.

“I just woke up,” Bachman told NJ.com, “And I’m thinking, ‘Why the f—- am I in the car next to some random ass dude I don’t even know?’”

Bachman had little choice but to complete the 300-mile ride. But when they arrived at his home in Gloucester County, he saw the total: $1,635.93.


Any 300-mile Uber ride would probably be pricey, but Bachman’s was especially steep because he accidentally ordered an UberXL, and because surge pricing was in effect, nearly doubling the fee.

Bachman initially contested the fare, claiming to NJ.com that he would never have requested a ride all the way home, and alleging that the Uber driver must have tampered with his phone.

It’s not hard to imagine, though, how an impaired customer might mistakenly summon an Uber to take them “home” to New Jersey using the Saved Places feature, without having to manually input the (wrong) address. That may be what Uber, which confirmed the ride occurred to NJ.com, explained to Bachman – after he spoke with the company, he reportedly decided to accept the fare.

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

FILE PHOTO: Credit reporting company Equifax Inc. corporate offices are pictured in Atlanta, Georgia, U.S., September 8, 2017. REUTERS/Tami Chappell/File Photo

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be “well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

Equifax on Thursday reported fourth-quarter profit that topped Wall Street forecasts and disclosed that it uncovered an additional 2.4 million people whose data was stolen in the attack.

Its shares rose nearly 4 percent to $115.82 on Friday on the higher-than-expected earnings. They have lost about a quarter of their value since Equifax disclosed the incident in early September.

Equifax said in September that hackers had stolen personally identifiable information of U.S., UK and Canadian consumers, including names, Social Security numbers, birth dates, addresses, driver’s license and credit card numbers.

That disclosure prompted outrage from politicians and consumer advocates around the world, a string of government probes into the company and the departure of top executives.

Equifax warned in a regulatory filing on Thursday that further analysis could identify more consumers or additional types of data stolen in the hack.

This year’s costs include technology and security upgrades, legal fees and free identity theft services to consumers whose data was stolen, the company said in a conference call.

Reporting by John McCrank in New York and Jim Finkle in Toronto; Editing by Chizu Nomiyama and Meredith Mazzilli

U.S. Congress to vote on allowing spectrum auction for 5G networks

WASHINGTON (Reuters) – Republican and Democratic lawmakers have reached agreement to allow for the sale of spectrum to speed up the introduction of next-generation 5G wireless networks, congressional leaders said on Friday.

FILE PHOTO: Chairman Ajit Pai speaks ahead of the vote on the repeal of so called net neutrality rules at the Federal Communications Commission in Washington, U.S., December 14, 2017. REUTERS/Aaron P. Bernstein

The U.S. House of Representatives will vote on the measure on Tuesday, leaders in both parties said.

Federal Communications Commission chairman Ajit Pai on Monday said the regulator plans new auctions of high-band spectrum starting later this year for 5G networks to improve internet services across the United States.

Wireless carriers have spent billions of dollars acquiring spectrum and beginning to develop and test 5G networks, which are expected to be at least 100 times faster than 4G networks and cut latency to less than one thousandth of a second from one hundredth of a second in 4G, the FCC has said.

Pai said he plans to hold an auction of spectrum in the 28 GHz band in November, followed immediately by an auction of spectrum in the 24 GHz band, but must first get congressional approval by May 13 to proceed.

The bill unveiled on Friday includes a technical fix that lets the auction proceed by allowing the FCC to deposit upfront payments from spectrum bidders with the U.S. Treasury. Under current law, the FCC must deposit such payments with private banks in interest-bearing accounts, but regulations make that impossible.

The bill “puts consumers first and solidifies the nation’s critical telecommunications infrastructure, giving the U.S. a global edge in the race to 5G and improving internet services,” Senators John Thune, a Republican, Bill Nelson, a Democrat, and Representatives Greg Walden, a Republican, and Democrat Frank Pallone said in a statement.

The bill includes new provisions to identify more spectrum for private sector use and reduces bureaucratic hurdles connected with building wireless networks, lawmakers said.

Verizon Communications Inc has announced it will begin its first 5G commercial rollout in Sacramento, California, this year. AT&T Inc said its first 5G commercial launches will come in Atlanta, Dallas and Waco, Texas, later this year.

The bill authorizes funds to address a funding shortfall for TV broadcasters who are relocating on the spectrum after the 2017 low-band spectrum auction. The FCC and law enforcement will be better able to protect consumers from fraudulent telephone calls, according to the bill.

The biggest issue it sidesteps is so-called net neutrality. Republicans have urged Democrats to negotiate to enshrine some internet protections in the law, but set limits on the FCC’s ability to regulate internet providers. Democrats argue that net neutrality rules enacted in 2015 should remain in place.

Reporting by David Shepardson; editing by Grant McCool

Chrome's WebUSB Feature Leaves Some Yubikeys Vulnerable to Attack

There’s no better way to protect yourself from the universal scourge of phishing attacks than with a hardware token like a Yubikey, which stymies attackers even if you accidentally hand them your username and password. But while Yubikey manufacturer Yubico describes its product as “unphishable,” a pair of researchers has proven the company wrong, with a technique that allows clever phishers to sidestep even Yubico’s last bastion of login protection.

Two weeks ago, in a little-noticed presentation at the Offensive Con security conference in Berlin, security researchers Markus Vervier and Michele Orrù detailed a method that exploits a new and obscure feature of Google’s Chrome browser to potentially bypass the account protections of any victim using the Yubikey Neo, one of the most popular of the so-called Universal Two-Factor, or U2F, tokens that security experts recommend as the strongest form of protection against phishing attacks.

With a sufficiently convincing phishing site and a feature in Chrome known as WebUSB, a hacker could both trick a victim into typing in their username and password—as with all phishing schemes—and then also send a query directly from their malicious website to the victim’s Yubikey, using the response it provides to unlock that person’s account. (A disclaimer: WIRED partners with Yubico to give free Yubikeys to subscribers. According to Vervier and Orrù, the model WIRED offers is not susceptible to their attack.)

Vervier and Orrù, who work for the security consultancy X41, are careful to note that their technique doesn’t demonstrate a flaw in Yubico’s products so much as a very unintended byproduct of Chrome’s WebUSB feature, which the browser added just last year. “U2F is technically not broken, but it’s still phishable, which many people thought was impossible,” says Vervier. “It’s a great example of how new interfaces allow ways to attack technology that were believed to be unbreakable.”

When WIRED reached out to Google, security product manager Christian Brand responded that the company became aware of the researchers’ attack after their Offensive Con presentation. While Google considers the attack an edge case, the company is working with U2F standards body the FIDO Alliance to fix the problem. “We are always appreciative of researchers’ work to help protect our users,” Brand wrote in a statement. “We will have a short term mitigation in place in the upcoming version of Chrome, and we’re working closely with the FIDO Alliance to develop a longer-term solution as well. We aren’t aware of any evidence that the vulnerability has been exploited.”

Beware WebUSB

Let’s be clear: Vervier and Orrù’s findings don’t change the fact that adding two-factor authentication remains one of the most basic and crucial steps to protecting your sensitive accounts, and a U2F token like a Yubikey is the most secure form of that protection you can use. Even two-factor authentication methods like text messages or Google Authenticator still rely on temporary codes that the user enters when they log in; a convincing phishing site can simply trick you into handing over those codes along with your username and password. A U2F token like the Yubikey instead performs an authentication handshake with a website that not only proves to a website that it’s your unique key, but requires that the website prove its identity too, preventing lookalike sites from stealing credentials.

But a crack in those safeguards may have appeared last year when Chrome added WebUSB, a feature that allows websites to directly connect to USB devices, from VR headsets to 3-D printers. Vervier and Orrù found that they could code a website to connect to the Yubikey Neo with that WebUSB feature, instead of with the usual Chrome API for U2F that it’s designed to use. In doing so, they could circumvent the checks that the browser performs before querying the Yubikey—the checks that confirm that websites are the ones they claimed to be.

That could enable, the researchers warn, a “man-in-the-middle” attack. If a victim logs into a fake Google site, the phishing site passes on their username and password to the real Google login page. Then the spoofed site passes back Google’s request for the user’s U2F token and collects the Yubikey’s unique answer, all via WebUSB. When that answer is then presented to the real Google site, the attackers gain access to the victim’s account.

“The browser developers put a proper API in place that makes careful use of whatever U2F token is in the computer,” says Joern Schneeweisz, a security researcher for Recurity Labs who reviewed Vervier and Orrù’s findings. “And then they put in another feature that subverts all the security they’d put in place.”

A Sophisticated Phish

The attack Vervier and Orrù imagine isn’t exactly easy to pull off, and would likely only be used by sophisticated hackers targeting high-value accounts. Aside from first requiring that a phishing site trick a victim into typing in their username and password as usual, the phishing site would also have to ask the user’s permission to enable WebUSB access to their Yubikey, and then get the user to tap the physical button on the key. But all of that could be achieved by phishers who trick users with a prompt requiring them to “update” their U2F token, or some other scam. After all, the only change from the usual login process would be that one added permissions prompt. “You could come up with a pretty plausible pretext,” says Orrù. “The user only has to click once.”

Vervier and Orrù note that their technique would only work with U2F keys that offer protocols for connecting to a browser other than the usual way U2F tokens communicate with a computer, known as the Human Interface Device or HID, which isn’t vulnerable to the attack. The Yubikey Neo, for instance, can also connect via the CCID interface used by smartcard readers, offering another avenue of exploitation, but the Yubikey Nano, 4 Series, and the original, cheaper Yubikey aren’t vulnerable, they say—nor, based on their testing, were the Feitian keys recommended by Google for its locked-down Advanced Protection setting.

“This sounds like an assumption was made by Chrome that all U2F is HID, which doesn’t hold for the Neo, whereas Yubico made an assumption that USB will never be accessible by web pages directly,” explains Jonathan Rudenberg, an independent security researcher who has focused on U2F implementations in the past. The combination of those two assumptions adds up to a significant security vulnerability.

A Larger Problem

A long-term fix could take the form of tweaks to Chrome to block WebUSB connections to certain devices like the Yubikey Neo. But the problem could go much further than Yubikeys alone, potentially exposing a whole new class of devices to unexpected interactions with websites. Vervier and Orrù say they believe smartcard authentication systems could also be vulnerable, for instance, though they haven’t yet tested them.

“Google should have never shipped WebUSB in its current form,” says Rudenberg. “Users cannot be expected to understand the security implications of exposing their USB devices to potentially malicious code…I don’t think this is the last time that we’ll see WebUSB used to break things.” Rudenberg went so far as to quickly code a Chrome extension that disables WebUSB, which he recommends everyone install and use until they have a reason to enable the feature. Rudenberg says there’s no other easy way to disable the feature.

When WIRED reached out to Yubico for comment, spokesperson Ronnie Manning essentially placed the blame on Google’s browser. “Per the U2F protocol, the security key is not responsible for doing that verification” of the origin of authentication requests, Manning said in a statement. “In fact, they cannot do so effectively as they would have to rely on data passed by the browser, and if the browser is not trustworthy, neither is the data.”

Manning also noted that Chrome could give users the option to turn off WebUSB, or blacklist vulnerable devices like the Yubikey Neo. But he adds that “unless such a blacklist is complete and perfect, issues like this are possible with the current WebUSB implementation.”

As for Vervier and Orrù themselves, they say concerned Yubikey users should disable WebUSB, and that IT administrators should even consider setting a policy blocking it for all their employees. And they suggest a simpler solution, too: That users remain wary online, and think twice about where they enter their passwords. Despite Yubico’s “unphishable” marketing, it’s no substitute for some healthy skepticism.
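The administrator-side mitigation suggested above, as an added example that is not from the article, the researchers or Google: a small auditor that reads a Chrome managed-policy JSON document and reports whether WebUSB is blocked and whether any exception reopens it. The policy names (`DefaultWebUsbGuardSetting`, `WebUsbAskForUrls`, `WebUsbAllowDevicesForUrls`) are Chrome enterprise policies that the article does not name, `0x1050` is Yubico's USB vendor ID, and the sample policy documents and URLs are constructed.

```python
import json

# Chrome enterprise policy values (assumed from Chrome's policy list,
# not named in the article): 2 = no site may request USB access,
# 3 = sites may ask the user (the behaviour when the policy is unset).
BLOCK, ASK = 2, 3
YUBICO_VENDOR_ID = 0x1050  # Yubico's USB vendor ID


def audit_webusb(policy_text):
    """Return (verdict, findings) for one managed-policy JSON document.

    verdict is "blocked", "blocked-with-exceptions", "exposed" or "error".
    """
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        return "error", ["not valid JSON: " + exc.msg]
    if not isinstance(policy, dict):
        return "error", ["top level must be a JSON object"]

    findings = []
    default = policy.get("DefaultWebUsbGuardSetting")
    if default is None:
        findings.append("DefaultWebUsbGuardSetting is unset: any site may "
                        "show the WebUSB permission prompt")
    elif default == ASK:
        findings.append("DefaultWebUsbGuardSetting is 3: any site may "
                        "show the WebUSB permission prompt")
    elif default != BLOCK:
        findings.append("DefaultWebUsbGuardSetting has unknown value %r"
                        % (default,))

    exceptions = False

    # Origins that may still prompt even when the default is "block".
    ask_urls = policy.get("WebUsbAskForUrls") or []
    if not isinstance(ask_urls, list):
        findings.append("WebUsbAskForUrls is malformed (expected a list)")
        ask_urls = []
    if ask_urls:
        exceptions = True
        findings.append("WebUsbAskForUrls lets these origins prompt: "
                        + ", ".join(str(u) for u in ask_urls))

    # Origins granted specific devices with no prompt at all.
    grants = policy.get("WebUsbAllowDevicesForUrls") or []
    if not isinstance(grants, list):
        findings.append("WebUsbAllowDevicesForUrls is malformed "
                        "(expected a list)")
        grants = []
    for grant in grants:
        if not isinstance(grant, dict):
            findings.append("WebUsbAllowDevicesForUrls entry is malformed")
            continue
        exceptions = True
        urls = ", ".join(str(u) for u in grant.get("urls", []))
        vendors = {d.get("vendor_id") for d in grant.get("devices", [])
                   if isinstance(d, dict)}
        if YUBICO_VENDOR_ID in vendors:
            findings.append("WebUsbAllowDevicesForUrls grants Yubico "
                            "devices (vendor 0x1050) to: " + urls)
        else:
            findings.append("WebUsbAllowDevicesForUrls grants USB "
                            "devices to: " + urls)

    if default != BLOCK:
        return "exposed", findings
    return ("blocked-with-exceptions" if exceptions else "blocked"), findings


# Constructed sample policy documents (not taken from any real deployment).
SAMPLE_UNSET = '{"HomepageLocation": "https://intranet.example"}'
SAMPLE_BLOCKED = '{"DefaultWebUsbGuardSetting": 2}'
SAMPLE_EXCEPTIONS = json.dumps({
    "DefaultWebUsbGuardSetting": 2,
    "WebUsbAskForUrls": ["https://printers.example"],
    "WebUsbAllowDevicesForUrls": [
        {"devices": [{"vendor_id": 4176}],  # 4176 == 0x1050
         "urls": ["https://tools.example"]},
    ],
})

if __name__ == "__main__":
    for name, text in [("unset", SAMPLE_UNSET), ("blocked", SAMPLE_BLOCKED),
                       ("exceptions", SAMPLE_EXCEPTIONS)]:
        verdict, notes = audit_webusb(text)
        print(name, "->", verdict)
        for note in notes:
            print("   ", note)
```
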


Why Etsy’s Stock Jumped 24% Amid Some Complaints From Sellers and Buyers

Artisan craft marketplace Etsy has had its ups and downs since going public almost three years ago, but new CEO Josh Silverman appears to have convinced investors that sales are on track for solid growth in 2018.

Etsy’s stock price jumped as much as 24% in midday trading on Wednesday, and has now more than doubled from a year ago, thanks to Silverman’s turnaround strategy that got the company out of Amazon’s long shadow. Silverman, a veteran of eBay’s (ebay) Shopping.com site, has emphasized simple improvements like adding “best seller” badges and site-wide sales for Labor Day and Cyber Monday last year, as well as deeper changes that improved customer searches using artificial intelligence and machine learning with a program Etsy calls “Context Specific Search ranking.”

The results pleased Wall Street. Etsy reported solid fourth quarter results on Tuesday evening, including sales on the site increasing 15% to $1 billion—the company’s first billion dollar quarter ever—while Etsy’s own revenue, which includes its cut of the sales plus other services it sells, increased 21% to $136 million. Earnings per share of 36 cents reversed a loss of 19 cents per share last year and beat Wall Street’s expectations of just 13 cents (though the latest quarter included a one-time benefit from the new tax law).

Analysts also cheered Etsy’s forecast for 2018, including overall sales on the site increasing 14% to 16% to as much as $3.8 billion and its own revenue growing 21% to 23% to as much as $543 million. Analysts had forecast Etsy’s 2018 revenue would hit only $519 million.


Silverman explained the improvements that led to last year’s growing sales, while also offering more ideas that will boost growth this year. “There’s still much work to do to improve the shipping experience on Etsy and this will be an area of strong focus in 2018,” he told analysts on a call on Tuesday.

Still, there were complaints from some sellers and buyers last year that Etsy was losing its identity as a craft marketplace focused on individual artisans amid all the changes. Silverman said the latest results were proof that, on the whole, his strategy was working for most.

“You know as a platform our job is to make the experience better for all of our buyers and sellers,” he said. “On any given day, there will be individual winners and losers because that’s the nature of the marketplace–you know, is the product that a particular seller is selling, is it in fashion or not, how is it resonating with the marketplace, that’s up to each of our sellers.”

Under prior CEO Chad Dickerson, Etsy stumbled in the face of growing pressure from Amazon (amzn), which introduced its own handmade craft-oriented platform just a few months after Etsy went public. Dickerson was pushed out last May after a disastrous first quarter that led to layoffs.

Further improvements at Etsy this year will come from giving sellers better data analytics tools, making it easier for buyers to have items shipped quickly, and further optimizing search results, among other initiatives, Silverman said. The company will also look at hosting more site-wide events with discounting, though Etsy (etsy) doesn’t want to become known as a discount site, he said.

In many cases, “these are things that are perhaps best practices already used in other parts of the web that we haven’t yet adopted,” Silverman said. “We also want to make sure that we’re stretching ourselves and we’re thinking about bolder bigger events.”

Pinterest hires former Google executive as its first COO

(Reuters) – Photo pin-up website Pinterest on Tuesday appointed Francoise Brougher, a former executive at Alphabet Inc, as its first chief operating officer.

Brougher, most recently the business lead at Square Inc, will be responsible for supervising Pinterest’s operations around the world and will lead its sales.

Brougher, whose appointment is effective March 12, will be based out of Pinterest’s headquarters in San Francisco and report to Chief Executive Officer Ben Silbermann.

The first COO announcement is part of the maturation of a company as it nears an initial public offering.

Pinterest has more than 200 million monthly active users worldwide collecting and pinning photos related to cooking, designing, travel and other interests on its website.

The company, backed by Andreessen Horowitz, Fidelity Investments and Goldman Sachs among others, has a market valuation of more than $12 billion.

Reporting by Heather Somerville in San Francisco and Laharee Chatterjee in Bengaluru; Editing by Maju Samuel

Supreme Court wrestles with Microsoft data privacy fight

WASHINGTON (Reuters) – Supreme Court justices on Tuesday wrestled with Microsoft Corp’s dispute with the U.S. Justice Department over whether prosecutors can force technology companies to hand over data stored overseas, with some signaling support for the government and others urging Congress to pass a law to resolve the issue.

Chief Justice John Roberts and Justice Samuel Alito, both conservatives, hinted during an hour-long argument in the case at support for the Justice Department’s stance that because Microsoft is based in the United States it was obligated to turn over data sought by prosecutors in a U.S. warrant.

As the nine justices grappled with the technological complexities of email data storage, liberals Ruth Bader Ginsburg and Sonia Sotomayor questioned whether the court needed to act in the data privacy case in light of Congress now considering bipartisan legislation that would resolve the legal issue.

A ruling is due by the end of June.

“Wouldn’t it be wiser to say let’s leave things as they are. If Congress wants to regulate this ‘Brave New World,’ let them do it,” Ginsburg said.

Alito agreed that Congress should act but added that “in the interim, something’s got to be done.”

Roberts appeared concerned that companies like Microsoft could enable customers to evade the reach of U.S. prosecutors by deliberately storing data overseas.

The case pits the interests of tech companies and privacy advocates in protecting customer data against the demands of law enforcement in gaining information vital to criminal and counterterrorism investigations.

It started with a 2013 warrant obtained by U.S. prosecutors for emails of a suspect in a drug trafficking investigation that were stored in Microsoft computer servers in Dublin. Microsoft challenged whether a domestic warrant covered data stored abroad. The Justice Department said prosecutors were entitled to the data because Microsoft is headquartered in the United States.

Microsoft President and Chief Legal Officer Brad Smith (R) and his lawyer Josh Rosenkranz make their way to the news media to make a statement outside of the U.S. Supreme Court in Washington, U.S., February 27, 2018. REUTERS/Leah Millis

The New York-based 2nd U.S. Circuit Court of Appeals in 2016 sided with Microsoft, handing a victory to tech firms that increasingly offer cloud computing services in which data is stored remotely. President Donald Trump’s administration appealed that ruling to the Supreme Court.

The appeals court said the emails were beyond the reach of domestic search warrants obtained under a 1986 U.S. law called the Stored Communications Act.

Bipartisan legislation has been introduced in Congress to update the 1986 statute, a move backed by both Microsoft and the administration. The measure would let U.S. judges issue warrants while giving companies an avenue to object if the request conflicts with foreign law. If Congress were to pass the bill before the Supreme Court rules, the case would likely become moot.

FILE PHOTO: A Microsoft logo is seen a day after Microsoft Corp’s $26.2 billion purchase of LinkedIn Corp, in Los Angeles, California, U.S., on June 14, 2016. REUTERS/Lucy Nicholson/File Photo

Senator Orrin Hatch, a Republican who has led the efforts to rework the law, was in the courtroom to hear Tuesday’s argument, and afterward noted that various justices had referred to the importance of Congress acting.

“Our bill, the Clarifying Lawful Overseas Use of Data (CLOUD) Act, would resolve the question currently before the Court in a way that balances consumer, law enforcement, and privacy interests. This commonsense legislation has the full-throated support of both law enforcement and the tech community and deserves swift enactment,” Hatch said in a statement afterward.

Globally dominant American tech companies have expressed concern that customers will go elsewhere if they think the U.S. government’s reach extends to data centers all around the world without changes being made to the law.

Microsoft, which has 100 data centers in 40 countries, was the first American company to challenge a domestic search warrant seeking data held outside the United States.

The Microsoft customer whose emails were sought told the company he was based in Ireland when he signed up for his account.

Other companies including IBM Corp, Amazon.com Inc, Apple Inc, Verizon Communications Inc and Alphabet Inc’s Google filed court papers backing Microsoft.

The administration has the support of 35 states led by Vermont.

Reporting by Lawrence Hurley and Dustin Volz; Editing by Will Dunham

Famed ‘Pivot’ Strategy of Startups May Not Work For GE

This article first appeared in Data Sheet, Fortune’s daily newsletter on the top tech news.

While I was out last week Fortune published my feature on Eric Ries, author of the wildly popular book for entrepreneurs, The Lean Startup. Ries is a whirling dervish of the startup and innovation world. He’s an author, speaker, coach, consultant, and even CEO of an ambitious if quixotic startup of his own, the Long-Term Stock Exchange, which aims to combat short-termism on Wall Street.

Ries is a prophet in Silicon Valley, and his first book is its Bible. The thrust of my feature is the 39-year-old’s pivot to helping big companies find their inner startup and the book he has published as their field manual, The Startup Way. Ries and his teachings have been valuable to numerous companies—P&G and ING have had promising successes—and his work is an inspiration to a veritable cottage industry of innovation consultants.

That said, it might not be clear for some time if concepts like “pivoting” and “minimum viable product” can ever move the needle for big companies. (Buzzwordery meets cliché in a Ries-inspired firm that’s actually called Moves The Needle, which boasts: “We are innovation architects.”) Ries’s primary example in his new book is GE, where he was deeply embedded and coached at the highest levels.

Ries says he is “cautiously optimistic” about GE. He might be the only one. When I read The Wall Street Journal’s impressive reporting on GE’s yes-man culture, I couldn’t help but wonder if the tens of thousands of workers trained in lean-startup methods and hundreds of projects that followed its techniques were part of the “success theater” the paper describes.

Incidentally, The Startup Way is making less of a dent in the world than its predecessor. According to Nielsen Bookscan, which measures only U.S. physical book sales, seven-year-old The Lean Startup sold three times as many books last week as The Startup Way, which came out in October. The Lean Startup is ranked No. 1,832 of all books on Amazon, a phenomenal ranking for such an old book; its heavily promoted successor is at No. 10,028.

***

My vacation reading: Anyone who writes should read this lovely and erudite essay by Amy Chozick of The New York Times … The Economist competently sums up a thesis we at Fortune have been hammering for a year, that Chinese tech companies no longer are copycats—and that Silicon Valley has been arrogantly slow to figure this out … Onetime Time writer Joshua Cooper Ramo, supposedly an expert on Asian affairs, ought to pick up the haunting novel Pachinko, by Min Jin Lee. It’d be impossible to read it and not understand how Koreans feel about Japan … This stunning narrative in New York magazine about a young ex-Air Force linguist accused of disclosing top-secret information is all the more powerful for not having pointed out the central irony of the crime for which its subject will soon stand trial.

EU plans new tax for tech giants up to 5 percent of gross revenues

BRUSSELS (Reuters) – The European Commission wants to tax large digital companies’ revenues based on where their users are located rather than where they are headquartered at a common rate between 1 and 5 percent, a draft Commission document showed.

The proposal, seen by Reuters, aims at increasing the tax bill of firms like Amazon [AMZN.O], Google [GOOGL.O] and Facebook [FB.O] that are accused by large EU states of paying too little by re-routing their EU profits to low-tax countries such as Luxembourg and Ireland.

The plan resembles a French proposal on an equalization tax that was supported by several big EU states. However, it is likely to face opposition from small countries that fear becoming less attractive to multinational firms.

The document says the tax should be applied to companies with revenues above 750 million euros ($922 million) worldwide and with EU digital revenues of at least 10 million euros a year.

The proposal is subject to changes before its publication which is expected in the second half of March. Some of the key figures on rates and thresholds are in brackets, showing that work is still ongoing to define the final numbers.

Firms selling user-targeted online ads, such as Google, or providing advertisement space on the internet, such as Facebook, Twitter or Instagram, would be subject to the tax, the document said, citing these companies.

Digital marketplaces such as Amazon and gig economy giants such as Airbnb and Uber also fall under the scope of the draft proposal, the Commission said.

Online media, streaming services like Netflix, online gaming, cloud computing or IT services would instead be exempt from the tax.

The levy would be raised in the EU countries where users are located, rather than where companies are headquartered, reducing the appeal of smaller low-tax states.

“This would entail additional reporting requirements so that the tax authorities of member states can calculate how much tax is due in their jurisdiction,” the document said.

In the case of online advertisers, the tax should be levied “where the advertisement is displayed” and “where the users having supplied the data which is being sold are located.”

For online shopping, the tax would be collected in countries “where the user paying for being able to access the platform (or to conclude a transaction within the platform) is located,” the document said.

The levy would be calculated on the “aggregated gross revenues” of a business and should have a single EU rate “in the region of 1-5 percent.” It would be possible to deduct this tax as a cost from national corporate taxes.

The tax would be a temporary measure that would be applied only until a more comprehensive solution to fair digital taxation is approved, the Commission said.

The long-term solution would entail the adoption of new rules on a “digital permanent establishment”.

The proposal, once finalised, would need the approval of all EU states.

Editing by Matthew Mpoke Bigg