Regulation and the Tech Industry

Azeem Azhar has a great post up about the brewing conversation about regulation and the tech industry.

There are two main points that stand out to me:

1) In digital systems, ML/AI and data network effects create feedback loops that enable the biggest companies to keep getting better, faster:

and, 2) Regulation favors large incumbents over smaller challengers:

"Regulation is complicated. Dealing with it means dealing with lawyers, hiring compliance people, changing your product roadmap, building new code. Regulation raises barriers to entry. The most regulated industries, finance and health, have seen the deep consolidation and weak flow of new entrants for decades. Regulation favours the large."

This has created a conundrum. The instinct is to apply thorough and tough regulations to solve for #1. But the chances are, doing so will only reinforce the lead that the big companies have, as per #2.

A good example is the GDPR privacy regime in Europe. As reported in the WSJ (paywall), the advent of GDPR has increased the market power of the big ad players (Google and FB), because they have the best ability to capture user consents and to implement complex compliance procedures:

“GDPR has tended to hand power to the big platforms because they have the ability to collect and process the data,” says Mark Read, CEO of advertising giant WPP PLC. It has “entrenched the interests of the incumbent, and made it harder for smaller ad-tech companies, who ironically tend to be European.”

The solution, we have long argued at USV, is simply to increase data portability and interoperability. In other words, don't add burdensome regulation that startups can't comply with. And don't break up the tech companies, break up the data. And the simplest way to break up the data is to give users a right to access it in a programmable way. This is what the proposed ACCESS Act would do. I talked about this previously in the Adversarial Interoperability post, where I also showed this diagram:

What this shows is that throughout the history of computing, what has broken the monopoly power of each era's dominant firm is the emergence of an "open" technology on top: open source systems like Linux and open standards like HTTP.

Today, the set of open standards that need to be cultivated are cryptonetworks, cryptocurrencies and blockchains. These are the standards that make it possible to re-architect the data economy, including giving more control to individuals and removing it from companies. By design, crypto protocols replace certain things that companies do with things that any group of computers can do, like this:

So, the ultimate point we have been making is that if you're worried about the problems with the tech economy, one of the solution paths is through crypto.

That brings us back to regulation, and the current state of play around the regulation of cryptoassets globally. The situation we are in right now is such that within the US, there is a lot of regulatory uncertainty, and as a result, a slowing of the crypto economy. Whereas outside of the US (particularly in Asia), the crypto economy is booming -- not just tokens, but exchanges, wallets, and other infrastructure.

Because of all this, I worry that not only do we have the potential to miss one of the most important solution vectors to some of the issues facing the tech industry, but at the same time we (meaning the United States) may also be missing the opportunity to play a leading role in what has the potential to become one of the next major economic and technical platforms.


Digital Bearer Assets

I spent time over the past few days with several entrepreneurs who are building crypto or "web 3" applications well outside of the financial space. One of the takeaways for me was the important role that digital "bearer" assets will play in creating new experiences in web 3.

By bearer assets, I mean that you just show up with them, and they are respected sight unseen by whatever applications are expecting them. Every time I start thinking about this concept, I am reminded of the bearer bonds in the movie Die Hard:

For example: a device that has Helium data credits loaded on it can present itself anywhere on the Helium Network, and it will start working. No user account, no credit card, no contract -- just show up holding the token and it will "just work".

Or, take a subscription that is issued as an NFT on the Ethereum blockchain using the Unlock protocol. I show up with a compatible key and I can see the content. If I give (or sell) the key to you, you can see it.

Or, imagine decrypting content in a Zcash-based application using a Zcash viewing key. Anyone who has a key can see the content, whether it's a blog post, an email, or a private message.

And of course, this is how it is with Bitcoin. He/she who has the keys (and can sign the transaction) has the assets. No account required.

I think of all of this as a shift from account-based experiences (web2) to digital signature based experiences (web3).

Digital signatures create bearer digital assets. They travel around freely, are transferable, and they are not tied to traditional web2 accounts. Rather than the account (as represented by a login, or a credit card, or a contract) having permissions, digital assets (secured by digital signatures and private keys) have permissions.

I believe that this will enable vastly superior user experiences over time.


Broadening Access

I spent the morning today at MTA headquarters, judging the "Accessibility" category of the NYC Transit Tech Lab competition, organized by the Partnership for NYC. Here is the view from the 20th floor of MTA HQ at Bowling Green:

Ostensibly, the theme of the day was accessibility in the sense of things that could improve the transit experience for people with disabilities and impairments of various kinds. This is, of course, a critical goal for every piece of public infrastructure, and is particularly important when it comes to transportation.

But what I quickly realized is that nearly every company that presented was not just increasing accessibility in that sense, but rather in a much broader sense -- making the system more sensible, legible and usable for everyone.

Specifically, there was a single theme that came through from nearly every team: taking an invisible or analog signal, and making it digital. As simple as that.

I can't link to the actual companies yet, as they haven't been announced, but the kinds of signals that were being turned digital included: electrical signals emanating from infrastructure like elevators and escalators to monitor conditions & outages; voice announcements sent over the PA system; and contextual and wayfinding information from signs and other physical objects, such as buses and trains.

In each case, there is a valuable signal -- valuable for people with disabilities yes, but really everyone -- that is not at all captured digitally. And in each case, a system that manages to capture that signal and provide it in digital form. Once it's digital, it can be used for anything: apps, alerts & notifications, analytics, compliance, etc. Once it's digital, it's accessible.

A major part of USV's Thesis 3.0 is "Broadening Access" and this can come in many forms. What I realized today is that the simple act of capturing an analog or real-world signal and making it digital is a powerful act of broadening access in and of itself.


Adversarial Interoperability

As I make my way through the various predictions & reflections that accompany the new year, one stands out: the EFF's 2019 Year In Review, entitled "Dodging Bullets on the Path to a Decentralized Future". I have long been disappointed that there have seemed to be two separate and parallel conversations going on: the "traditional" digital rights / internet freedom community talking about "re-decentralizing the web" and the blockchain/crypto community working on the same thing. I like the EFF's recent work because they are connecting the two conversations, and their year in review is a good place to start on that.

A key link in the EFF review is to Cory Doctorow's work on Adversarial Interoperability, which studies the history of interoperability of technical systems and all of the commercial, legal and policy battles that have ensued because of it.

In this post in the Adversarial Interoperability series, Cory details the different kinds of interoperability and the dynamics around them. His mantra is "Fix the Internet, not the Tech Companies" and I couldn't agree more.

I believe, and we have said at USV many times, that driving interoperability is the best and most effective way to limit the power of big tech companies, and that in today's environment we should focus on "breaking up the data, not the companies."

When I talk to regulators, lawmakers and policymakers, I often use this diagram (credit to Placeholder for the underlying graphic):

Which shows that from a historical perspective, these "open" or "interoperability" technologies have been the driver in breaking up each era's dominant monopoly.

It's the same today, and Cory's and EFF's excellent work on the subject adds a lot of depth to the analysis.


Running the USV analyst application process using Ziggeo, FormAssembly and Airtable

We are in the middle of our 2018 Analyst hiring process at USV. For the last several hiring cycles, USV has had an open process where anyone can apply. I actually wrote about it back in 2011, right before I joined, remarking at the high quality of applicants that the process produced. That is still the case today. This year's Analyst application produced 326 applicants of remarkable accomplishment. Albert has been writing updates about the process on the USV blog. At this point, we have reviewed all of the applications, and are working towards a second round of interviews with semi-finalists.

What I'll cover here is how we've managed the process this time. For the past 3 cycles we have solicited video responses as part of the application process, powered by Ziggeo. Having video in the application process has really worked for us. Even with short videos (ours were 30 and 60 seconds, respectively), you can get a good sense of a person's manner of speaking, sense of confidence, thoughtfulness, etc. While it doesn't tell the whole story, it's been a very helpful signal for us over the years.

The first time, we used a custom web application that Oliver from Ziggeo helped us build (source code here). The second time, we re-used that codebase with some modifications. This time, we tried to make it even more simple, using only off-the-shelf tools.

What we ended up with was a combination of FormAssembly for the form itself (because FormAssembly supports Ziggeo integration), Ziggeo for the videos, and Airtable for the ultimate data storage and workflow management. FormAssembly made it easy to build the form, including nice features like letting applicants save a partially-completed form and come back to it later. The form looked like this:

Ziggeo made it really easy to capture the video.  Note the embedded video recorder in the form above, which looks like this when you fire it up:

For our internal process of reviewing applications, we needed something else, which is where Airtable comes in. For those who don't know Airtable, it's basically a hybrid spreadsheet / database, with handy aspects of each.  It's like a spreadsheet in that it's really easy to update the schema and edit data.  It's like a database in that you get persistent records that are linkable with one another (a feature that we didn't use here but we make lots of use of elsewhere internally), and that has a great API. There's not an automatic way to move records from FormAssembly to Airtable, so we just did CSV export/import.  Ultimately, we ended up with a view like this, where we could review applicants one-by-one and then comment/score/sort/etc:

You can see a stripped-down version of the Airtable we used for the process here. All in all, this setup worked great. It took zero coding to build, had a really modest number of errors or mishaps, and handled our workflow well.

There are, of course, a few things that could have been better. Top of the list would be direct Ziggeo support within Airtable. Airtable has a feature where you can expose a form that will collect data directly into a table in Airtable. Ideally, you'd be able to have a "video" type form element that would embed a Ziggeo recorder directly in the Airtable form. Then, on the back end, it would be great if you could view those videos directly in Airtable, rather than clicking out to a link -- imagine the screenshot above, but with embedded video players rather than links. I suspect a lot of people use Airtable for applicant tracking, and I'm sure this kind of video support would be popular. Another would be automated connectivity between FormAssembly and Airtable, maybe via Zapier.

So, that's what we did. Remarkably easy to manage this time around -- thank you to all the teams out there building the tools that make this kind of thing easier by the day.


The weakest link

We have spent a fair bit of time over the past year working on security at USV and across the USV portfolio. Anyone who has spent time working on personal or corporate security -- and in particular information security -- knows that there are a million ways in, and you're never "finished". Fred wrote a bit about his experience last year, and we had an issue yesterday with Albert's phone:

Thanks to everyone who has been helping me recover from a Twitter account takeover based on an unauthorized SIM switch on my phone

— Albert Wenger (@albertwenger) January 11, 2018

The way we have been thinking about it is in terms of "the weakest link". It is critical to have your most important accounts (primary email, banking, crypto, etc) secured well, but it's also important to work your way down the line to other accounts and entry points. The lesson being that attackers will seek the weakest point and work from there.

One of the weakest points in personal security is the phone -- cell carriers are notoriously bad at security, and attacks like phone porting and SIM swapping are common. For that reason, it's important to move away from using SMS as a second factor backup wherever possible, and instead move to apps like Google Authenticator, or to hardware-based 2FA using Yubikeys or similar.

Another weak point is personal email, or old email accounts. It's easy to forget about old accounts that you used back in the day, but those can be problematic, especially if they are linked to other accounts, and if 2FA is non-existent or tied to SMS.

So, by all means, start with the most important accounts. But don't stop there -- keep sussing out the weakest link.

For more resources on personal information security, see this excellent guide by EFF (written in the context of surveillance, but applicable to all attack vectors).
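
The weakest-link reasoning above, worked through as an added example (not from the original post): a small audit over a constructed account inventory that follows recovery links outward from a hijacked phone number and ranks which account to harden first. The account names, the `second_factor` values and the rule that app- or hardware-based 2FA blocks a reset are assumptions of this model.

```python
from collections import deque

# Constructed sample inventory (not real accounts). "recovery" lists what can
# reset the account: the literal "phone" (SMS reset) or another account's name.
INVENTORY = {
    "primary-email": {"second_factor": "sms",  "recovery": ["old-email"]},
    "old-email":     {"second_factor": "none", "recovery": ["phone"]},
    "bank":          {"second_factor": "sms",  "recovery": ["primary-email"]},
    "twitter":       {"second_factor": "sms",  "recovery": ["phone", "primary-email"]},
    "crypto":        {"second_factor": "totp", "recovery": ["primary-email"]},
}

# Assumption of this model: an app- or hardware-based second factor blocks a
# reset even when a recovery channel is lost; "sms" only holds while the phone
# number is still under the owner's control; "none" never blocks.
STRONG = {"totp", "hardware"}


def blocks_reset(factor, lost):
    """True if the account's second factor still stops a reset."""
    if factor in STRONG:
        return True
    return factor == "sms" and "phone" not in lost


def exposure(inventory, start="phone"):
    """Return {account: chain of links from `start`} for every exposed account."""
    lost = {start}
    chains = {start: [start]}
    queue = deque([start])
    while queue:
        channel = queue.popleft()
        for name, acct in inventory.items():
            if name in lost or channel not in acct["recovery"]:
                continue
            if blocks_reset(acct["second_factor"], lost):
                continue
            lost.add(name)
            chains[name] = chains[channel] + [name]
            queue.append(name)
    chains.pop(start)
    return chains


def fix_first(inventory, start="phone"):
    """Rank exposed accounts by how many exposures moving each one to TOTP removes."""
    baseline = exposure(inventory, start)
    gains = {}
    for name in baseline:
        hardened = {k: dict(v) for k, v in inventory.items()}
        hardened[name]["second_factor"] = "totp"
        gains[name] = len(baseline) - len(exposure(hardened, start))
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for account, chain in exposure(INVENTORY).items():
        print(f"{account:14} exposed via {' -> '.join(chain)}")
    for account, removed in fix_first(INVENTORY):
        print(f"harden {account:14} removes {removed} exposure(s)")
```

In this constructed inventory the forgotten `old-email` account, not the bank or the primary mailbox, is the entry that removes the most exposure when hardened.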


For web platforms considering a token strategy: cryptocurrency vs. dollars?

A lot of founders / teams have been asking if they should be adopting a cryptocurrency strategy. This is understandable given the frenzy of fundraising recently and the ongoing dialogue about the potential for cryptocurrencies as an alternative business model for web platforms. As "traditional" web & mobile platforms explore this option, there are a few important considerations (especially given the risk in this model):

1) What is the advantage of using a cryptocurrency instead of traditional money? Answers could be: programmability, international exchange, earnability, etc.

2) Could I use an existing cryptocurrency (e.g., Zcash) instead of launching my own?

3) From a revenue / value perspective, is there a model for value creation independent of funds that could be raised in an ICO? E.g., are you just looking to raise short-term funds as an alternative to an equity round, or is there a real value theory of cryptocurrency running inside your application?

4) Could you imagine such a cryptocurrency spanning beyond the borders of your own application? Generally speaking, if there's a more use = more value theory (i.e., "fat protocols"), there's an incentive to go broad to increase use.

5) What is the model for internal economics around the cryptocurrency? E.g., how would people earn it, and how would they spend it, within the ecosystem?

I'll follow up with more on these in a future post, in particular #5, as I believe that is the most fundamental question.


The Next Web Amsterdam: Purpose, Mission & Strategy

Last month, I went to Amsterdam (the most beautiful city in the world) to speak at The Next Web Conference. I did two talks: one at a sub-event focused on tech & social issues, on the topic of Data & Power, which I will post when it comes online, and a main stage talk on the topic of Purpose, Mission & Strategy -- how to connect the three to align efforts within a company.

In the talk, I take examples from throughout our portfolio of how leaders define and communicate their purpose, within their organizations and externally, and then use that to make tough strategic calls. For example, I wrote last week about how Cloudflare is fighting hard against patent trolls, and how deciding to do that is not just a narrow corporate decision, but a tough strategic call that draws from the company's sense of purpose and mission (frankly, I explain that example much better in the post than I did in the talk).

For another example, Brian Armstrong from Coinbase just posted their long-term strategy yesterday, and this is another example I discuss in the talk. I've been impressed by how Coinbase's efforts are aligned internally, and by the way Brian has connected the company's purpose and the strategy.

You can watch the whole video (about 25 min) here:

And you can see the slides here:

This was my first time giving this talk, so of course there are things I'd tune for take two. I would in particular like to thank the awesome folks at Praytell who hosted me for a dry run of the talk and gave me great feedback and questions. And of course I would like to thank all of the USV leaders who, over the years, have shared their stories, which were the foundation of the talk.


Regulating source code

As more areas of our economy become computerized and move online, more and more of what regulators need to understand will be in the source code. For example, take the VW emissions scandal:

These days, cars are an order of magnitude more complex, making it easier for manufacturers to hide cheats among the 100 million lines of code that make up a modern, premium-class vehicle. In 2015, regulators realized that diesel Volkswagens and Audis were emitting several times the legal limit of nitrogen oxides (NOx) during real-world driving tests. But one problem regulators confronted was that they couldn’t point to specific code that allowed the cars to do this. They could prove the symptom (high emissions on the road), but they didn’t have concrete evidence of the cause (code that circumvented US and EU standards).

Part of the challenge here is not just the volume of code, but the way it's delivered: in the case of most consumer devices, code is compiled to binary, for competitive and copyright reasons. So, in the case of the VW scandal, researchers had to reverse-engineer the cheating, by looking at outputs and by studying firmware images.

By contrast, with cryptocurrencies and blockchains, everything is open source, by definition. If you're curious about how the Bitcoin, or Ethereum, or Tezos networks work, you can not only read the white papers, but you can examine the source code.

Because the value of cryptocurrency networks is embedded in the token, there is no longer a commercial incentive to obscure the source code -- indeed, doing so would be detrimental to the value of the network, as no one would trust a system they can't introspect.

This may seem like a minor detail now, but I suspect it will become an important differentiator over time, and we'll begin to see widespread commercial and regulatory expectations for open source code over time.


Aligning purpose and strategy: Cloudflare goes nuclear on patent troll

Last week, I was in Amsterdam at the Next Web conference, giving a talk about "Purpose, Mission and Strategy" -- how companies can strengthen the connection between these to align efforts and make tough calls more easily (will post video when it comes online).  From that talk:

The idea here being that there are tough, tough calls to be made every day, whether that's what feature to prioritize, who to hire, what market to enter, what policies to enact, or whether to back down in the face of conflict or stand up and fight.

When I think about the connection between purpose, values and strategy, one of the companies that always stands out most brightly is Cloudflare. Anyone who operates a website or app probably knows Cloudflare but regular folks may not -- they provide performance and security services for millions of websites, and currently handle over 10% of global internet traffic. Sitting in that privileged position, they must have a strong sense of their purpose and values, and strong backbone when it comes to living up to those.

This comes up in all kinds of ways. For example, it was recently revealed that Cloudflare had been fighting an FBI national security letter, under gag order since 2013, and even after the NSL was rescinded and no data was handed over, they continued to fight for the right to be transparent about the process:

"Early in the litigation, the FBI rescinded the NSL in July 2013 and withdrew the request for information. So no customer information was ever disclosed by Cloudflare pursuant to this NSL. Even though the request for information was no longer at issue, the NSL’s gag order remained. For nearly four years, Cloudflare has pursued its legal rights to be transparent about this request despite the threat of criminal liability."

I call that dedication to purpose and values. At the USV CEO summit a few weeks ago, Cloudflare CEO Matthew Prince made the comment that one way to "tell the story" of your company, both internally and externally, is to talk about things that you do or did, that others wouldn't. In this case, the story is that Cloudflare is willing to stand up and fight, even when it's well beyond their short-term corporate interests.

Today, this is playing out again in the context of patent trolls. Those outside the tech industry might not be aware of the detrimental impact of this activity on the tech ecosystem and startups in particular. In a nutshell, these Non-Practicing Entities (NPEs), aka "trolls", will buy the rights to patents purely for the purpose of shaking down operating companies for settlements. The claims are almost always specious, and the strategy is to get startups to settle for just below the cost of litigating. Pay me to go away. It's a huge problem: at best an expensive distraction and at worst a company-killing scenario.

That's why I am so proud to see that Cloudflare, in the face of an assertion from a patent troll, has decided not to settle, but instead is standing up to fight. And they are not just doing the bare minimum, they are going fucking nuclear. Rather than do what many or most companies would do, just to get the troll to go away, they are standing up, not just for themselves, but for the whole ecosystem.

For more on the story, first read this, and then this. Cloudflare is not only going to litigate this case the full distance, but is also:

  • crowdfunding research to invalidate **all** of Blackbird's patents

  • investigating Blackbird's business operations to expose some of the opaque and untoward inner-workings

  • filing ethics complaints in IL and MA regarding the unusual and likely unethical structure of Blackbird (more detail in the posts)

To tie this back to purpose and mission, here is Matthew's take on why they are digging in here:

"Cloudflare’s mission has always been to help build a better Internet. So it won’t be surprising to frequent readers of this blog that Cloudflare isn’t interested in a short term and narrow resolution of our own interests. We’re not going to reach a settlement that would pay tens of thousands of dollars to Blackbird to avoid millions in legal fees. That would only allow patent trolls to keep playing their game and preying upon other innovative companies that share our interest in making the Internet work better, especially newer and more vulnerable companies."

Kudos to Cloudflare for standing up here and doing more than they need to.  If more companies follow their lead, we stand a chance to make a dent in this issue.