Losing their independence was from the beginning the most likely outcome of building something that's hard to monetize like Keybase on the VC funding model. FWIW, I doubt Keybase offering a paid plan would have raised revenue that's significant compared to their burn, so Chris was probably right to not spend resources figuring out a paid offering. For raising their next round, having $5K in revenue from a paid plan few people buy might well have been worse than having $0.
The VC funding model is terrible for most open source projects. With a few exceptions, you end up with an acquisition that ends or repurposes the project, or an Open Core project. And a VC-funded Open Core project will end up trying as hard as it can to have everyone need to buy the paid version, since that's clearly the way to optimize revenue and eventually the slippery slope will get you there. I don't blame folks for taking VC; it was easy to get, and there aren't a lot of alternative funding models that can pay the multiple full-time staff that might be required to create what one wants to create.
I don't think VC funding as it currently exists is consistent with running an open source company according to my values, which is why we're not taking venture funding for Zulip. Obviously, being scrappy, applying for NSF grants, and spending my own money have very real downsides both personally and for our growth, especially when every competitor has VC funding, but it also means that I can ensure Zulip continues existing as a real open source project for the long run.
Don't founders often have the ability to overrule and make their own decisions?
Chris is already financially independent from the OKCupid sale, he could have open sourced the server code and/or reduced the overall burn to pivot to paid accounts.
Though the weird Stellar wallet addition implied some vision/product issues anyway.
Of course it's easy and probably unfair for me to say these things as an outsider with limited information and no real stake, it's definitely possible I'm wrong about important details that would change my mind. It'd be interesting to hear from Chris, but the sale probably restricts public communication?
This reminds me a little about the OKC sale actually, they had a blog post about why charging for dating sites made them worse that they took down after selling to match (they used to do cool analysis and publish them as blog posts, most of the details ended up in the book a different cofounder published called Dataclysm). That's more understandable to me though since I think it was their first exit.
Reading about Zulip - didn't you get bought by Dropbox before being open source? Is your current situation a lucky outcome - or was it a condition of the sale?
[Edit] - To clarify since there are downvotes, my questions aren’t rhetorical - they’re genuinely asking.
The power depends on the board structure and the ownership. But even if a founder owns 51% of the company, and so in theory can do anything, they still have an obligation to do right by the minority shareholders. This is generally known as fiduciary duty, and is a complex area of law. Here's a short summary: https://www.nolo.com/legal-encyclopedia/fiduciary-responsibi...
In a case like this, a founder can't just give away the source code. They'd have to believe that doing so was in the best interests of the company. And unless they wanted to risk a lawsuit, they'd have to persuade the shareholders of that too.
> they still have an obligation to do right by the minority shareholders
Fiduciary duty is extremely rare to be the subject of a suit against a, let's say, CEO. It's a complex area of law because it isn't actually a law, nor specified anywhere, and not a requirement for corporate existence. So, it's a set of court decisions that future cases are built upon, but in general a house of cards in that it could be invalidated by a) legislation; and b) adverse rulings at any level of a suit.
It's a myth that the only purpose of executives is to maximize profit for the shareholders. It's a canard. PBCs are a counterfactual here, full stop.
C-level executives are appointed and removed by the board. The board is appointed and removed by the shareholders. Yes, technically, executives are not required to act in the shareholders' interests by law. But they are often appointed with the specific instruction to act in the shareholders' best interests, and can be removed from office for not doing that.
From my experience being a CEO and reporting to a board, trying to act in anything other than the shareholders' best interests would be... problematic, shall we say. I would need to be very convincing that what I was doing was in the best long-term interests of the organisation. Or have a board who agreed with the "not maximising shareholder value" goal.
It's only technically a myth that the only purpose of executives is to maximise profit for shareholders. That's definitely the most common instruction from the board, often implicit rather than explicit, and not doing that will get you into trouble in most situations. That trouble may not be a lawsuit, more probably just being summarily dismissed.
I agree with you that maximizing profit as the sole metric is a myth, which is perhaps why I didn't mention it.
However, in practice if one has taken $10m from investors looking for a big payday, one can't just do any old thing. Doing something sufficiently contrary to the interests of minority shareholders could certainly result in a lawsuit. Could the shareholders win? Who knows! As you say, it's a murky area. But winning in that case isn't what matters. The lawsuit will tie the company up for years, forcing significant spending. And if they include the CEO in the lawsuit, it will mean personal expense and an enormous headache. So in practice, the Keybase execs couldn't just say, "Fuck it, we won't sell to Zoom, everything is open source now." Not without talking it through with the investors, anyhow.
> Doing something sufficiently contrary to the interests of minority shareholders could certainly result in a lawsuit.
I suppose, but does it? Ever? Not to be antagonistic but your entire paragraph is a hypothetical which is substituting for anything from the real world, which leads me to believe that it's either not a risk at all, or such a small risk as to be invisible and still effectively not a risk. I mean, I'm sure we would have heard some cautionary tales by now!
What sort of examples are you finding yourself unable to Google for? There are plenty of lawsuits out there for breaching the rights of minority shareholders. Mostly with public companies, but private companies too.
If you're specifically asking about VC-vs-founder lawsuits, I think we don't see many of those because everybody has strong incentives not to let it get to that stage. Founders really want to keep on good terms with VCs. VCs want to be seen as pro-founder. Their incentives are generally aligned right up until things start going south.
And once we get to the on-the-brink-of-failure stage, the VCs hold all the cards. Any continued investment requires the VCs to at least approve. If a founder ever might want to do something venture-backed again, they need to stay in their VC's good graces. If the investors don't have majority control, they at least have board seats and the ability to disrupt any deals or other actions the CEO might make against their interests, both internally and by threatening deal partners. The CEO also probably can't afford a lawsuit either with the company's funds or on their own.
So I don't think we see the cautionary tales because few who have been selected by investors and spent years dancing to their tune turn out contrary enough to set those relationships on fire when it doesn't really get them anything.
Can you clarify your statement about the PBCs? I can't figure out if you're saying they are a good thing, or just a theatrical performance.
I am curious because B-corps have been popularized in the recent years, but when I looked into what B-corps are, it seems to me those are just bogus certificates that aren't doing any good, except enriching the people who print certificates for these types of corporations.
I don't really know whether I am right or wrong here, but I wasn't able to find anything that actually makes a B corp different than any other. Would love to hear your thoughts.
I think they're a good thing that disproves the conventional wisdom that corporations are "required" to act only in the profit interests of shareholders, that share price is the only measure of executive performance.
Going further, I believe this canard is promoted by greedy assholes as justification for their bullying of "nicer" people who might have a more holistic view of corporate behavior, something of which bullies are psychologically incapable. These people would call PBCs theatrical, "hey bro, good for you!" on par with starting a nonprofit.
I don't know a lot about B-corps so I'm generally talking out of my ass, but it seems like a "hey we tried" get out of jail card if they decide to shed it, which they can always do. If they don't wind up shedding it, do they go for PBC? Overall, maybe it's good for setting expectations, but since there's no legal commitment involved I don't see much more to think about it.
I think it's less about the power relationship, exactly, and more about the way VC-funded companies are set up to be run. As part of raising a round, you prepare a business plan that involves aggressively spending the money over a couple years. You're committed both internally and to your board to execute that plan, and it's cognitively difficult to do something different as there's social pressure to do so (and one of your VC's greatest sources of power over you is they're the reference for your next fundraising round).
The result is that your company has planned to run out of money with potentially a multi-million dollar annual burn rate in two years. If as those two years are approaching, the company and/or market situation don't support raising more capital and the company isn't close to profitable, the momentum of that burn rate applies a great deal of pressure for a sale, destructive layoff, or total change in goals to "anything that improves the bottom line".
Also, the search for a story to help raise your next round can have a big effect on companies -- my view is most of Dropbox's problems when I was there (2012-2014) resulted from the search for a totally new business bigger than Dropbox Business that could justify a bigger valuation than $10B starving more obvious investments (Carousel, the now-dead photo sharing app, at one point had ~10x the engineering resources of Dropbox Business).
> Reading about Zulip - didn't you get bought by Dropbox before being open source? Is your current situation a lucky outcome - or was it a condition of the sale?
It's an extremely lucky outcome. There's a combination of factors that made this possible:
* Dropbox leadership prioritized doing the right thing by their users, and so we were able to get permission from both leadership and legal. I'm sure my personal position as a leader at the company who had a personal relationship with the people who had to approve it made a difference (though Luke Faraone made a big difference by asking legal if we could and inviting me to the meeting!). But I think Dropbox deserves a lot of credit, because they spent significant time from expensive resources (legal, etc.) making this happen, and I don't know of many companies that would ever do that.
* Our users were big fans, enough so that 10 of them flew to Dropbox HQ for a week to help us do the technical work required to do an open source release with all 10,000 commits of history intact and with a scripted installation process. This was essential to Zulip being usable after that release.
Thank you - I really appreciate the detailed answer.
I think I have a better understanding of how the incentives to cooperate would be hard to overcome even if you technically have the power as a founder (and even if you’re already financially independent).
The personal experience was also interesting - thanks!
> Though the weird Stellar wallet addition implied some vision/product issues anyway.
Stellar integration was weird indeed, but it blended really nicely into the chat, and it would totally work for Keybase if there was an easier way to cash in / cash out. That said, any cryptocurrency would do the job, but if this particular one helps monetize the product, why not?
I wanna say we don't know. Has there ever been an instance of any company getting their tranche(s) and saying FU to the VC, and there being any repercussions? It's a two- or three-level hypothetical, but I think it's worth exploring to give you a complete answer.
It is funny that Zoom was one of the companies that I flagged in my head as the worst (or rather, most dangerous) up-and-coming tech company and I considered Keybase one of the most promising up-and-coming tech companies.
Keybase solves a (to me) nontrivial problem: How to bring private keys into social media. Just a silly example: You don't use the same private-public key exchange in WhatsApp as you would use for your emails, or to sign your packages. It's a bit of the now infamous Dropbox situation: Most people can sign things with private keys and properly keep track of it, but they don't get around to doing it. It's only critical cases where the use is common (like signing packages). It took a long time even for HTTPS to become standard practise, though I guess the situation with your browser is a bit different.
I wrote Zoom off last year after the local webserver nonsense. Any company that can convince itself that is a good idea doesn't deserve my business. There's no path to redemption. Game over.
In the post Covid world I was forced to compromise a bit and I will join a Zoom call in a browser (when it works) or install the app on my phone if I have to. I trust iOS to not get totally owned by a rogue app more than anything else I have available. Although recently that's not an entirely safe bet either.
Keybase was not critical to my daily life so it will not hurt to get rid of it. It's about risk management. There are no upsides to Zoom and almost no upsides to Keybase (for me). With the growing list of downsides it's an easy choice to make.
It could be argued that acquiring a whole security-focused company is a signal they’re seriously reconsidering their approach to security and deserve a benefit of the doubt.
They also lied about having end-to-end encryption. The awful security practices could be chalked up to incompetence but the fact that they lied has taken it too far, in my opinion. I too have deleted my Keybase account because of this.
Zoom is, or was, collecting a list of running applications on machines. Keybase requires that you run it on multiple devices for security. It would be reasonable to expect that Zoom would love to embed such data harvesting in the Keybase client.
Do you have a reference for this? Were they confirmed to be sending the info to the server? I would note that it wouldn't be uncommon for a program like Zoom to have the relevant API calls in it to allow the user to share a specific app with the conference call.
Well, they are pitching this as bringing secure stuff to the masses. So it's arguably not all that inconsistent with what Chris etc have been saying about Keybase.
Honestly if at this point Zoom hasn't lost all credibility in your eyes I don't know what to say.
Zoom already has end to end encryption according to some of their other press releases and public statements (we know they don't), so why on earth would you believe this one?
I thought what I’d do was, I’d pretend I was one of those deaf-mutes.
I don't quite get the purpose though, why would I post something in public only for a group of people to be able to read it? Why not post it in a private chat then (encrypted, naturally)?
Sad. Very sad. It was such a great approach to associating GnuPG keys with social media. And their chat etc were also pretty cool. But Zoom is beyond the pale.
So what now? Maybe someone could clone the GitHub repos. And/or are GnuPG keyservers safe enough again?
For chat, Session looks most interesting. It's got the Signal messaging bits. Plus anonymity via the Loki onion network. And it's available for all platforms.
However, it's very new, and often buggy. And the Loki Foundation is Australian. So at some point they'll likely get pressured to backdoor stuff. And they probably won't be able to disclose that, unless someone leaks.
There's also Tox, where each user runs a Tor onion client. That's secure enough in Whonix. But the Whonix user base is minuscule, and I wouldn't trust an implementation in Windows. But then, maybe Session in Windows is too iffy as well.
Anyway, I'll be deleting my Keybase account, as soon as I've negotiated alternate comms with my contacts.
So, yeah. Zoom did bad stuff. But Keybase is designed so that all those things would obviously be detectable (Keybase client code is open source), and the ways in which the Server could mess with data are much restricted. If that spreads to Zoom, there's a chance it'd be a good service in a year or two.
PGP keyservers have a fundamental issue that demands a solution like CT logs or Keybase-style merkle trees.
The only way to prevent getting Loki backdoor issues would seem to be a development so clearly in-the-open, that any secretive addition of significant code/suspicious PR behavior is obvious.
Tor does not use Tor by default. It works with Tor, but that's it.
They are also kinda buying a social graph of mostly IT and security professionals, sprinkled with some journalists (and not the kind that usually does the "10 things" articles) and general tinfoil hats.
My tinfoil hat tells me this information could be somewhat valuable to their Chinese overlords...
I've seen some examples of GNOME keyring being required because it implements the freedesktop secrets standard (which I admit to knowing nothing of) where other secret managers do not. Presumably meaning there is no common interface, so we just pick the one that implements the spec. One example:
> I use Keybase to talk to my friend in China since it's one of the few services they don't block.
I think the vital question is why was keybase not blocked?
Maybe it was owned by someone high-up in China. That is why maybe Chris Coyne refused funding. It was free just to onboard the maximum number of users. Seems like "users" were the products that brought value to Keybase.
I am glad you mentioned China. Many people are too afraid to acknowledge the reality of that authoritarian country, for fear of reprisal from liberal do-gooders.
"Zoom is based in California’s Silicon Valley, but it owns three companies in China that develop its software. The Citizen Lab said the structure allowed the company to lower its development costs, but added “this arrangement may make Zoom responsive to pressure from Chinese authorities.”"
The implication is that China is hostile and leverages their power to censor/collect communication information from companies and their people without checks on this power.
They are aggressive in stealing IP from other companies and blocking software they can't control. They have history of wielding their power to pressure organizations to deny or ignore aspects of their history that they dislike (Taiwan, Cultural Revolution) and they pressure companies to hand over PII on people they find to be political threats without due process.
This is not a country you want to be a steward of an encryption identity standard.
Isn't the US actually at least as bad if not worse? Thanks to Edward Snowden we know without speculation that the US "is hostile and leverages their power to censor/collect communication information from companies and their people without checks on this power" (ok, supposedly there are secret judges that secretly check on this power, but that doesn't really do any good does it?). The USA also "pressure companies to hand over PII on people they find to be political threats without due process" (so called "National Security Letters").
They just get disappeared into Belmarsh and extradited to who knows where for telling the truth about the US military murdering civilians including journalists from a helicopter gunship.
Criticisms were/are made against NSA surveillances and in the case where government tried to silence such criticism (Snowden), opinions that support Snowden's actions were made and published, even made into books and movies, without repercussion. Bloggers that support Edward Snowden did not disappear. Movie directors and screenwriters are not made pariah by their industry or sent to Guantanamo.
This sort of whataboutism does not surprise me but it's getting tiring when made repeatedly in disguise of intelligent discourse. It's dishonest because the difference is blatant.
I think that while both countries have the technology to facilitate censorship and oppression, the US is much more careful about how they do it. China isn't afraid to use their control over information to assist the oppression of Uighurs in 're-education' camps for example.
I don't think it's true that Zoom has its "entire dev team in China"; doing some research myself reveals Zoom definitely has engineering operations in the US[0][1].
I'm not disagreeing with you on the implications of having engineering teams in China, I think you would like to put that paragraph in your original post to give some context.
The vast majority of the Zoom software development team is based out of companies in China.
They do have support people in the US and a handful of non-support engineering which is why I said thanks and immediately updated the comment to say "majority" instead of "entire" since it's more correct.
That technicality is less relevant to the main point of the argument.
As of January 2020, they had 2,532 full-time employees. Of those, 1,396 were in the US and 1,136 were in international locations. Within the 1,136 is "more than 700" employees in R&D in China.[1]
A LinkedIn search for "engineer" working for "Zoom Video Communications" in location "United States" shows up 558 results.[2]
Their entire management team is in the US, and of their 17 data centres, only 1 is in China.[3][4]
If the original claim was "100% of the dev team is in China", and the reality is "only 80% of the dev team is in China", then that'd be a 20% factual error, mathematically speaking.
Or would it be a 25% error? I think it would make most sense to calculate the error-difference in relation to the actual value instead of in relation to the erroneous value.
Haha. Do you also calculate Levenshtein distance from true to false and say false isn't entirely false but a bit of true? And is it almost factually correct to say that 10 equals 8?
> And is it almost factually correct to say that 10 equals 8?
I mean, from a certain point of view, why not? If you're thinking in terms of 1, they're wildly different. If you're thinking in terms of 1,000,000,000,000, they might as well both equal 0.
> We also operate research and development centers in China, employing more than 700 employees as of January 31, 2020.
You can find more stories from last year talking about how Zoom had such a large engineering staff: it was cheaper for them to pay for R&D in China than in the US[0].
Not even that. All encrypted traffic in China needs to be decryptable by CCP. Which means if your call in Zoom was routed to one of their China servers, then CCP has access to it.
That is on top of the fact that Zoom encryption is weak af.
(And before we get whataboutism concerning {insert other country's wiretapping laws}, wiretapping through an independent judiciary is fundamentally different than via rubber stamp)
"China" isn't a race, it's a multi-ethnic state with laws that heavily restrict communication. It's relevant to bring up in a thread about building encrypted communication technology.
Now they've lost their independence and they're owned by a communication company that has [edit: the majority of] its dev team in China.
I use Keybase to talk to my friend in China since it's one of the few services they don't block.
This is a pretty disappointing outcome.