Posts from Web/Tech

Heartbleed: What Is The Correct Response?

My friend Stephen emailed me and said he’s changing all of his passwords in the wake of the Heartbleed bug.

I thought about that and wondered to myself “what is the appropriate response to this?”. So I thought I’d blog about it today and generate a discussion. I am sure I will learn something from it. And hopefully all of us will.

Is the correct response, as Stephen suggests, to change passwords on every site and app you have a stored password for? Is that even possible? What about that podcasting service I signed up for eight years ago? I can’t even recall what it is called anymore.

Or is it correct to respond to password change requests from the services that recommend that? I just did that on a bunch of services that notified me via email that I should do that.

Or is it correct to scour the Internet for suggestions, like this post on Mashable, and follow their advice?

Or is this the time we should all move to 1password, or something like that, to manage our passwords?

If you use two factor auth, as I do on many services, does that mean you don’t need to change those passwords?

There are a ton of super smart and technical folks who read this blog. What are you doing and what would you recommend we all do?

Hypercard – Way Too Early

I have always loved the name of my friend Howard Morgan‘s now dormant blog - Way Too Early.

Some ideas are just way too early. And one of them was Apple’s Hypercard, which was a Mac application that came with a built in programming language. The interface was a series of cards that were mini apps inside of the Hypercard application. I built a few Hypercard based applications in the late 80s and early 90s as I was winding up my programming “career”.

But as I look around the mobile landscape, I see cards everywhere. Benedict Evans wrote a good post about this trend a few weeks ago. Google is pushing cards as a UI inside Android and their Google Now UI is the best example of that. Twitter has had cards inside of Tweets for several years now, although I wish they would display them by default in my timeline. The Facebook mobile UI looks like a series of cards, although you can’t really do anything with them, yet. And, of course, my favorite examples are the Kik Cards that are mini mobile web apps that run inside of Kik’s messenger. I’ve blogged about them a number of times here at AVC as Kik is a USV portfolio company.

It feels like the Hypercard metaphor has arrived as the atomic unit of content in mobile, both inside of native apps and, if Kik is going in the right direction (I think they are), as the default mobile web atomic unit (cards instead of pages).

The problem with the native app environment is that there are things you cannot do inside of a card without violating Apple’s and Google’s terms of service. If Facebook wanted their cards to allow the purchase of music or video natively in the card, well that would not be possible in the current regime.

On the mobile web, that is different. You can do anything you want in a browser, even if that browser is on iOS or Android. That’s a legacy of the desktop web and it’s a damn good thing. Innovation happens best when there are few if any limitations on what you can do as a developer.

So keep your eye on cards. I think Apple was on to something important from a UI and usability perspective thirty years ago when they started building Hypercard. It is now coming to life again on mobile and I think this will be the most interesting battle ground on mobile in the years to come.

The Behavior Of Your Users Normally Doesn’t Change Overnight

A few weeks ago the traffic coming to the new usv.com dropped off by 20 or 30% week over week. Brian and Nick were wondering if it was related to the new design we rolled out at the end of January. They decided to take a deep dive into our analytics to see what was going on.

I told them it had to be some sort of plumbing issue. Something that was hooked up to usv.com must have gotten unhooked. Because I have rarely seen the behavior of an entire user base change drastically overnight because of something like a redesign. Change can come pretty quickly, but in my experience it is months not weeks or days for something to drastically change in your user base resulting from a subtle product change/tweak.

They noticed in the analytics that front page views were steady but traffic to the article pages was off by a lot. I suggested that something in our twitter plumbing was off. And sure enough, we figured out that the autoposting of popular articles on usv.com to this twitter handle was broken (it is actually an RSS issue that is being fixed today).

I tell this story because we all encounter this sort of thing along the way of building and launching and growing a product. We make tweaks and something changes right away. That immediate change is usually related to something that brought traffic (google, twitter, rss, email, appstore) and not a design change. More gradual changes (up or down) are usually because of design changes.

There’s a difference between these two kinds of effects and it is important to understand that.

Lightweight Engagement Gestures

I was on vacation with my friend John and he asked me how I used the favorite button on Twitter. I told him it is a way to tell people that I’ve seen the tweet when I do not want to reply.

I use it in two primary ways. To signal that I saw and liked a tweet. And to signal that I saw a tweet to the person who sent it. The two are different only in that in the second case, I probably did not like the tweet but I still wanted to acknowledge it.

I really like super lightweight engagement gestures. I am bombarded by stuff coming at me all the time. So if I can acknowledge something publicly without having to do much work, I get a huge amount of value from that.

Bumping on usv.com and upvoting on disqus are like that too. Because the identity of the bumper and the upvoter are on display publicly, they are an efficient way to signal that you saw it and liked it.

I am going to try to upvote more on disqus. As I reply less and less in the comments, I need to upvote more and more. I will make an effort to do that.

Feature Friday: Google Maps Shortlinks

In the google maps android app, if you search for a place, you can click the share icon and send that location to anyone via a wide assortment of apps. I did that last night and emailed this to myself.

Buvette

http://goo.gl/maps/7dzMz

I absolutely love this feature and use it all the time. I email places to people, I kik places to people, I text places to people, I tweet places to people.

But for the life of me, I cannot figure out how to do this on the web. When I locate a place on Google Maps on the web and select Share, the only option I get is to share the place via Google+ which is the one way I would not want to share it.

Does anyone know how to locate a place on Google Maps on the web, pin it, and then share it out via a shortlink in email or otherwise?

I am sorry for turning back to back feature fridays into Google Apps help requests, but I love these features and then they go and change them on me and I can’t figure out how to get them back.

The Mutual Company

I remember a time when I was growing up when many of the savings banks and insurance companies were mutual companies. A mutual company is one where the customers own the company, more or less. It seems like the concept lost favor and many of these banks and insurance mutual companies were “demutualized” in the 80s and 90s. I don’t really profess to understand all the reasons and history behind mutualization and demutualization. I suspect some of you may know a lot more than me about this stuff.

I started thinking about mutual companies after reading Joe Nocera’s column in the New York Times which was based on his read of Jaron Lanier’s “Who Owns the Future?”

Joe asks in the title “Will Digital Networks Ruin Us?” and here is the money quote:

the value of these new companies comes from us. “Instagram isn’t worth a billion dollars just because those 13 employees are extraordinary,” he writes. “Instead, its value comes from the millions of users who contribute to the network without being paid for it.” He adds, “Networks need a great number of people to participate in them to generate significant value. But when they have them, only a small number of people get paid. This has the net effect of centralizing wealth and limiting overall economic growth.” Thus, in Lanier’s view, is income inequality also partly a consequence of the digital economy.

At USV we invest in digital networks, so this is a fundamental question that we think about a lot. We would not want to be investing in something that “will ruin us” and we don’t think we are investing in something ruinous. But we do talk about this issue all the time.

I will come back to the mutual company thing in a bit, but first I want to say that Joe and Jaron are leaving out the notion of consumer surplus in their analysis. The newspaper costs money. Twitter is free. In a world where “we” create the newspaper instead of the NY Times Company creating it, the newspaper can and will be free. That is happening all over the place, because of the efficiency of digital networks, and the result is a large amount of consumer surplus that is landing in all of our laps.

But maybe that is not enough. Maybe the creators of these networks ought to mutualize so that their users, who are creating the value, can participate in the upside. We have not seen anyone do this to date. We have talked to a number of startups and networks about the idea. We have not seen any takers yet. But we will continue to have the conversation because this is worth trying and seeing how it would turn out. The result could be a much more sustainable and lasting network. Something for everyone to think about this morning.

UPDATE: My partner Brad wrote a long and thoughtful comment on usv.com about Joe’s column. You can read it here.

New Outlets & New Voices

The greatest thing about blogging is that it has opened up so many new voices and new outlets. 

Just in the past few weeks, we have two new outlets, both from WSJ veterans.

The All Things D team has flown the coop and has resurfaced as Recode. The formula seems to be pretty similar to All Things D, the team is intact (at least it looks so to my untrained eye) and the format is familiar. They will do a big conference to anchor the whole thing. At least right now, it seems that the only things that have really changed here are the URL, the color scheme, and the ownership structure. But a new home and a new ownership structure may open up possibilities that they could not pursue in the past. We will see about that.

Jessica Lessin, one of the top tech journalists at the WSJ over the past ten years, launched The Information in December. I am not a fan of paywalls and barriers to the free flow of content and information and so I am not a subscriber or a reader and I don't plan to link to anything behind a paywall. But this is an ambitious experiment and an attempt to make a challenging business model work in the tech news sector. As I told Jessica in a private email last month, I am happy to be proven wrong about the paywall business model and there is nobody I would rather see prove me wrong than her.

But maybe more exciting to me is the proliferation of new voices that I am seeing out there. One of the driving factors is the emergence of Medium as a blogging platform that is home to many of these new voices. Every day I seem to find a new blogger on usv.com who has written something interesting on Medium. 

But it isn't just Medium that is hosting great content. You can still find great stuff on old platforms, like the one that Ev built before Twitter and Medium – Blogger. This post from Duncan Anderson on the important trends in mobile is on Blogger.

As far as I can tell, there has never been more diversity and quality of content than there is right now. And the reason for that is the printing press of our times, the cms in the cloud, is just getting better and better, easier and easier, and cheaper and cheaper. I will continue to do my part in feeding the blogosphere and I hope and expect that usv.com will continue to be a good filter for those who are interested in the intersection of technology, startups, policy, and capital markets. With all of these new voices and new outlets emerging, we need filters and discovery more than ever.

Video of the Week: Bruce Schneier and Eben Moglen

By any measure, 2013 will go down as the year we all saw the dark side of the Internet revolution, courtesy of Edward Snowden. So I think it’s fitting to showcase Eben Moglen’s conversation with Bruce Schneier as the final video of the week of 2013. This is long (90mins) but worth watching. Eben and Bruce are two of the leading intellectuals on the important subjects of trust, identity, privacy, and the Internet.

Guest Post: Nick Grossman – Winning on Trust

This is a post Nick did around his User First keynote. It's great and I wanted to feature it to the AVC community today. The comments thread at the end is also running on Nick's blog and at usv.com so you will see commingled comments from all three places.

—————————————————–

"It is trust, more than money, that makes the world go round."
— Joseph Stiglitz, In No One We Trust

The week before last, I visited Yahoo! to give the keynote talk at their User First conference, which brought together big companies (Google, Facebook, etc), startups (big ones like USV portfolio company CloudFlare and lots of way smaller ones), academics, and digital rights advocates (such as Rebecca MacKinnon, whose recent book Consent of the Networked is an important read) to talk about the relevance of human/digital rights issues to the management of web applications.

I was there to speak to the investor perspective — why and how we think about the idea of “user first” as we make and manage investments in this space.

First, I want to point out a few things that might not be obvious to folks who aren’t regulars in conversations about digital rights, or human rights in the context of information & communication services.  First, there has been substantial work done (at the UN, among other places) to establish a set of norms at the intersection of business and human rights.  Here is the UN’s guiding document on the subject. Second, in terms of digital rights, the majority of the conversation is about two issues: freedom of expression/censorship and privacy/surveillance.  And third, it’s important to note that the conversation about digital rights isn’t just about the state ensuring that platforms respect user rights, but it’s equally about the platforms ensuring that the state does.

The slides are also available on Speakerdeck, but don’t make much sense without narration, so here is the annotated version:

As more and more of our activities, online and in the real world, are mediated by third parties (telecom, internet and application companies in particular), they become the stewards of our speech and our information.  

Increasingly, how much we trust them in that role will become a differentiating feature and a point of competition among platforms.

A little background on who I am:

I work at Union Square Ventures — we are investors in internet and mobile companies that build social applications.  I also have academic affiliations at the MIT Media Lab in the Center for Civic Media, which studies how people use media and technology to engage in civic issues, and at the Berkman Center for Internet & Society at Harvard Law School which studies tech & internet policy.  And my background is working in the “open government” space at organizations like OpenPlans and Code for America, with a focus on open data, open standards, and open source software.

So, to start out: a guiding idea is that the internet (as we know it today) is not just an open, amorphous mass of random peer-to-peer communications.  It’s actually a collection of highly architected experiences:

Whether it’s the governance structure of an open source project, the set of interactions that are possible on social platforms like Twitter and Tumblr, or the web-enabled real-world interactions that are a result of Craigslist, Airbnb, and Sidecar, much of the innovation and entrepreneurial activity in the web and mobile space has been about experimenting with architectures of collaboration.

Web & mobile technologies are giving us the opportunity to experiment with how we organize ourselves, for work, for pleasure and for community.  And in that experimentation, there are lots and lots of choices being made about the rules of engagement.  (For example, the slide above comes from an MIT study that looked at which kinds of social ties — close, clustered ones, or farther, weaker ones — were most effective in changing health behavior.)

At USV, we view this as part of a broader macro shift from bureaucratic hierarchies to networks, and that the networked model of organizing is fundamentally transformative across sectors and industries.

One big opportunity, as this shift occurs, is to reveal the abundance around us.

I first heard this phrasing from Zipcar founder Robin Chase and it really stuck with me.  It’s as if many of the things we’ve been searching for — whether it’s an answer to a question, an asthma inhaler in a time of emergency, a ride across town, someone to talk to, or a snowblower — are actually right there, ambient in the air around us, but it’s previously not been possible to see them or connect them.  

That is changing, and this change has the potential to help us solve problems that have previously been out of reach.  Which is good, because for as much progress as we’ve made, there are still big problems out there to tackle:

For a (relatively) trivial one, this is what most California freeways look like every day.  In much of the world, our transportation systems are inefficient and broken.

…and this is what Shanghai looked like last week as a 500-mile wide smog cloud, with 20x the established limit for toxicity, rolled in for a visit.  We obviously don’t have our shit together if things like this can happen.

…and we have tons to figure out when it comes to affordable and accessible health care (not the least of which is how to build an insurance marketplace website).

…and education is getting worse and worse (for younger grades) and more and more expensive (for college).  There’s no question that the supply / demand balance is out of whack, and not taking into account the abundance that is around us.

So: these are all serious issues confronting global society (and the ones I mentioned here are just a small fraction of them at that).  

All of these issues can and should benefit from our newfound opportunity to re-architect our services, transactions, information flows, and relationships with one another, built around the idea that we can now surface connections, efficiencies, information, and opportunities that we simply couldn’t before we were all connected.

But… in order to do that, the first thing we need to do is architect a system of trust — one that nurtures community, ensures safety, and takes into account balances between various risks, opportunities, rights and responsibilities.

Initially, that meant figuring out how to get “peers” in the network to trust each other — the classic example being Ebay’s buyer and seller ratings which pioneered the idea of peer-to-peer commerce. Before then, the idea of transacting (using real money!) with a stranger on the internet seemed preposterous.

Recently, the conversation has shifted to building trust with the public, especially in the context of regulation, as peer-to-peer services intersect more and more with the real world (for example, Airbnb, Uber, and the peer-to-peer ride sharing companies and their associated regulatory challenges over the past three years).

Now, a third dimension is emerging: trust with the platform. As more and more of our activities move onto web and mobile platforms, and these platforms take on increasing governance and stewardship roles, we need to trust that they are doing it in good faith and backed by fair policies.  That trust is essential to success.

In terms of network & community governance, platforms establish policies that take into account issues like privacy, enforcement of rules (both public laws and network-level policies), freedom of expression and the freedom to associate & organize, and transparency & access to data (both regarding the policies and activities of the platform, and re: the data you produce as a participant in the community).

When you think about it, you realize that these are very much the same issues that governments grapple with in developing public policy, and that web platforms actually look a lot like governments.

Which makes sense, because both in the case of governments and web-enabled networks, the central task is to build an architecture around which other activity happens.  You build the roads and the other essential public infrastructure, and then you set the ground rules which enable the community and economy to function.

Of course, there is a major difference: web networks are not governments, and are not bound by all the requirements & responsibilities of public institutions.  They are free to create their own rules of engagement, which you agree to when you decide to participate (or not) in that community.

This is both a plus and a minus, when it comes to user rights — the major plus being that web platforms are competitive with each other.  So that when there are substantive differences in the way platforms make and enforce rules, those differences can be the basis for user choice (e.g., it’s easier to move from Facebook to Google than it is to move from the US to Canada).

I would like to put some extra emphasis on the issue of data, since it’s growing so quickly and has been so much at the forefront of the public conversation over the past year.

We are generating — and sharing — more data than we ever have before.  

Everywhere we go, on the internet and in the real world, we are leaving a trail of breadcrumbs that can be mined for lots of purposes.  For our own good (e.g., restaurant recommendations, personal health insights), for social purposes (crowdsourced traffic reports, donating data to cancer research), for commercial purposes (ad targeting & retargeting, financing free content), and for nefarious purposes (spying, identity theft).

One distinguishing idea within all of this is the difference between data sharing that we opt into and data sharing that happens to us.  Certain web services (for example USV portfolio company Foursquare, highlighted above) make a business out of giving people a reason to share their data; getting them to buy into the idea that there’s a trade going on here — my data now for something of value (to me, to my friends, to the world) later.  It’s proving true that lots of people will gladly make that trade, given an understanding of what’s happening and what the benefits (and risks) are.

Convincing someone to share their data with you (and with others on your platform) is an exercise in establishing trust.

And my feeling is that the companies that best establish that trust, and best demonstrate that they can stand behind it, are going to be the ultimate winners.

I think about this a lot in the context of health.  There is so much to gain by sharing and collecting our health data.  

And if we don’t get this right (“this” being the sensitive matter of handling personal data), we miss out on the opportunity to do really important things.

And there is no shortage of startups working to: a) help you extract this data (see 23andme), b) help you share this data (see Consent to Research and John Wilbanks’ excellent TED talk on sharing our health data), and c) building tools on top of this data (see NYU Med Center’s virtual microscope project).

We are pushing the boundaries of what data people are willing to share, and testing the waters of who they’re willing to share it with.

Which brings us back to the idea of competition, and why winning on trust is the future.

We are just just just scratching the surface of understanding whether and how to trust the applications we work with.

EFF’s Who Has Your Back report ranks major tech & communications firms on their user protection policies.  The aptly-titled Terms of Service; Didn’t Read breaks down tech company Terms of Service and grades them using a crowdsourced process.  And, most effectively (for me at least), the Google Play store lists the data access requests for each new application you install (“you need my location, and you’re a flashlight??”).

You might be saying: “that’s nice, but most people don’t pay any attention to this stuff”.

That may be true now, but I expect it to change, as we deal with more and more sensitive data in more parts of our lives, and as more companies and institutions betray the trust they’ve established with their users.

There is no shortage of #fail here, but we can suffice for now with two recent examples:

Instagram’s 2012 TOS update snafu caught users by surprise (who owns my photographs?), and this summer’s NSA surveillance revelations have caused a major dent in US tech firms’ credibility, both at home and especially abroad (not to mention what it’s done to the credibility of the US gov’t itself).

So… how can web and mobile companies win on trust?

We’re starting to see some early indications:

Notice the major spike in traffic for the privacy-oriented search engine, USV portfolio company, DuckDuckGo, around June of 2013, marked by [I] on the graph.

Some companies, like Tumblr, are experimenting with bringing more transparency to their policy document and terms of service.  Tumblr’s TOS include “plain english” summaries, and all changes are tracked on Github.

And of course, lots of tech companies are beginning to publish transparency reports — at the very least, starting to shine some light on the extent to which, and the manner in which, they comply with government-issued requests for user data.  Here are Google’s, Yahoo’s and Twitter’s.

There are juicier stories of platforms going to bat for their users, most recently Twitter fighting the Manhattan DA in court to protect an Occupy protester’s data (a fight they ultimately lost), and secure email provider Lavabit shutting down altogether rather than hand over user data to US authorities in the context of the Snowden investigation.

And this will no doubt continue to be a common theme, as web and mobile companies do more and more for more of us.

And, I should note — none of this is to say that web and mobile companies shouldn’t comply with lawful data requests from government; they should, and they do.  But they also need to realize that it’s not always clear-cut, that they have an opportunity (and in many cases a responsibility) to think about the user rights implications of their policies and their procedures when dealing with these kinds of situations.

Finally: this is a huge issue for startups.

I recently heard security researcher Morgan Marquis-Boire remark that “any web startup with user traction has a chance of receiving a government data request approaching 1”.  But that’s not what startups are thinking about when they are shipping their first product and going after their first users.  They’re worried about product market fit, not what community management policies they’ll have, how they’ll respond when law enforcement comes knocking, or how they’ll manage their terms of service as they grow.

But, assuming they do get traction and the users come, these questions of governance and trust will become central to their success.

(side note: comments on this post are combined with this post on nickgrossman.is and this thread on usv.com, as an experiment)