How much do security breaches affect startups? Jenna Wortham and Nicole Perloth from The New York Times investigated that question yesterday in their article titled “When Start-Ups Don’t Lock the Doors.” If you have a few minutes, it’s worth reading, but I think they missed a few points.
They began by saying that signing up users and raising money are usually a startup’s top two priorities. True. They also said that data security is usually much further down on the list, especially in the early stages. That’s also true. What I disagree with is the overall tone and some of the examples they used.
First of all, the tone of the article seemed to be based on the following pretense: users care if their information is compromised due to a security breach of an app or service they use. Because of inadequate encryption and protection of personal information, the following startups (number of mentions in parentheses) were covered in this order: Tinder (2), Kickstarter (2), WhatsApp (8), Snapchat (5), ThirdLove (1), Blippy (1).
It’s becoming increasingly obvious that Americans in particular don’t care as much about the security of their personal data as perhaps they should, and to a lesser extent than their European counterparts. Following CES in January, I participated in a Google Hangout on 2014 technology trends with Re/code’s Kara Swisher, Farhad Manjoo, then of The Wall Street Journal, and Kevin Delaney and Christopher Mims of Quartz. During the discussion on data privacy and storage, Christopher Mims said, “There’s a weird dichotomy where we are enraged that the government has our data but don’t care that Google does, which is where the government got it from in the first place.” That’s just my point. I think a lot of us who stay informed about security issues and care about our personal data assume that the average app user shares our concerns. They don’t. Whether they just don’t care or don’t understand, as I believe is the case with the majority of baby boomers and many generation X’ers, the perceived effects and the actual effects of data breaches on user retention are often at odds.
WhatsApp and Snapchat were mentioned thirteen times in the article, compared to a collective six mentions of the other companies, so it’s fair to say they were the focus. Some of the thoughts on WhatsApp were accurate, including the claim that after being acquired by Facebook, WhatsApp has been criticized for having lax encryption and protection of personal data. (It’s worth mentioning that WhatsApp claims Ukrainian co-founder Jan Koum’s childhood living under an abusive communist government and in constant fear of secret police led to a strong focus on security.) “Jay Nancarrow, a Facebook spokesman, said one of the first things Facebook planned to do after the WhatsApp deal closed was conduct an intense security audit of WhatsApp and its messaging service,” Wortham and Perloth reported. The problem with that statement is it implies that if WhatsApp begins losing its user base, it will be because of their lax security.
To the contrary, many, including myself, believe that if and when WhatsApp’s user base rapidly begins declining, it will be less because of the recent security reports and more because of its newfound affiliation with Facebook, which itself has a history of user distrust. I can’t stress how important including that point it is. It’s the difference between linking a loss of users to a security breach as opposed to a Facebook acquisition.
The other company that was highlighted throughout the article is Snapchat. Everything Wortham and Perloth said about Snapchat was true and they included an interesting point about Wickr, “a competitive service that uses secure encryption and does not store customer information on its servers,” that was conceived after the Snapchat breaches. However, I think there was a missed opportunity to articulate the extent to which Snapchat’s breaches highlighted a point I covered earlier – how little the average user actually cares about the privacy of their data. Sure, there was tons of media coverage and it was an opportunity for analysts to get some air time discussing whether or not it would ruin Snapchat’s multi-billion dollar valuation, but the average Snapchat user didn’t seem to care, because they probably didn’t even hear about it. In fact, as Wortham and Perloth pointed out, its user base has grown since.
Overall, I thought that Wortham and Perloth’s article covered many important points, including the fact that data security often doesn’t make a startup’s Top Ten Priorities list, but I do think there were a few misconceptions and missed opportunities. When it comes to data security, I think people who are truly passionate about it, a group consisting largely of journalists and startup founders, tend to carry a misconception that their views are shared by the masses. Particularly in America, there is plenty of evidence to the contrary and countless examples of companies who have been unaffected by lax security policies.