How Weak Business Models Destroy Everything We Fight For

In 2020, Zoom acqui-hired the privacy company Keybase and put their service on development freeze. Why? Because Keybase had no business model. Mozilla and Tor both had to lay off employees due to underfunding, and even everybody’s darling Signal deserves serious questioning about where their financial path is heading. We, the privacy and tech community, need to talk more about money.

May 6, 2021 • Written by David

For a TLDR read titles only

Software Is Bloody Expensive - Someone Has to Pay

Software != Only Development

When thinking of software and its costs, we quickly think of Development. And we might also know that development is a rabbit hole in itself, ranging from software development to user experience, to web development, etc…

Some might even think of other areas such as Server Costs or Customer Support, but usually that is where we stop thinking about money. We rarely grasp what the true cost behind software is. And how could we? Few of us run a company and get a look behind-the-scenes. And let’s be honest: typical companies are not known for being transparent.

But being a co-founder myself, I want to share a short overview of areas which are just as big of a rabbit-hole as development: Marketing, Accessibility, Public Relations, Project Management, People Management, Accounting, Legal and Funding.

My point with this is: Software costs money. A lot of it. You gotta pay lawyers, pay accountants, pay employees, pay for marketing (hopefully ethical), etc, etc, etc…

Always Ask “Who Pays?”

But who pays for all of this? That is such a critical question to ask in order to understand where a company stands and where it is heading.

Things Start Simple But Get Expensive Fast

And before we move on, let me be clear: all of these costs do not have to be covered from the get-go. It usually starts out simple, and that is also the beauty of it: one person developing a nifty piece of software used by a few people. But as soon as it gets bigger, things become more complicated and especially more expensive.

How To Evaluate A Healthy Privacy Company

First Ask: Who Finances the “Start-Up”?

The “Start-Up” is the period where you turn an idea into a working product. You still have tons of uncertainties: Prototypes will fail, iterations and pivots will occur, and then maybe it will work out. Or you might just fail as so many have before you.

To increase your odds in this challenging phase you need time (= money). When you can experiment for a longer period, your chances of success increase, but success is never guaranteed. Remember, every success story has survivorship bias attached to it.

Tackling Funding Is Not Fun, Especially For Developers

Being a developer myself, I know us creators just want to dive into code and do something we can see for real. Not “waste” our limited time on the boring topic of money.

The first nine months after quitting my job in order to co-found Safing were primarily spent on writing a business plan, applying for grants and creating a plan for how we could personally finance ourselves for the next 2 years. God, I’m happy that draining time is over. It was super boring and super exhausting.

So yes, I understand everybody who just wants to skip that process altogether, but that approach will often come back to bite you later. Which leads us to the most common way of funding startups nowadays:

Be Alarmed When Venture Capital Is Involved

Venture Capital. “Angel” Investors. Enabling the “next big thing”. You get money and guidance, all in return for a few percent. Fun and great deal, right? But here is the sad truth:

Investors Do Not Care About Privacy Or Business Models

Investors care about multiplying their money. They do not care about your product, your users or their privacy. And they certainly do not care about your business model.

I love Jonas Downey’s words on the topic:

Any company that “doesn’t have a business model yet” actually has a business model — they just haven’t said it out loud. They’re gambling that they can give away a service for free, grow it to absurd usage numbers, and then turn on the money faucet later, through ads, acquisitions, or some other approach.
It’s the same story every time. Facebook did this. Twitter did it. Medium did it. And we all keep falling for it.

Investors have no incentive to make founders care about business models. “Care about it later, for now just grow”. This toxic structure is why most venture backed companies end up being acquired by Big Tech. This happened when Zoom acquired Keybase in 2020, and see for yourself how much they care for Keybase.

Even Minority Investors Can Force A Sell-Out

And there is another dark side to Venture Capital: If the founder(s) own 95% of the company and only have one minority investor of 5%, chances are still high that the investor can force them to sell the whole company when a buyer is found. This right is implemented via legal clauses when the investor gets on board. These clauses are widespread among Venture Capital, so be wary.

And yes, founders who sign such a document share the blame too; in the end, they also signed that document. But this often happens early on, when founders are still inexperienced while the investor assures them everything is “standard procedure and just a safety precaution”.

I know there are positive sides to investors as well, but giving away this level of control is a non-option for true privacy companies.

Self-Financing Is Great For Privacy

When founders pocket the early stages themselves, this is amazing for users. It usually means they are in full control and do not have to bow to the whims of an investor. They can even do extraordinary things like Plausible, who gives back 5% of their revenue to open source and the environment. They are independent. They are in control.

Naturally, self-financing is not always an option, as this requires some degree of privilege (next to the determination), such as having savings, cutting down on spending and/or having resourceful and generous friends & family. These different factors are often combined to make ends meet.

Donation Based Models Can Work, But Come With Their Limits

The concept behind it is great: Give away something for free and hope enough people are enthusiastic enough to donate or even make monthly pledges. This is good for privacy as the project depends on the people, so in turn it is incentivized to serve the people.

Sadly, I see projects aiming for this business model failing time and time again, because they cannot get enough people to care and pay. It is disheartening to see every time.

But on the other side it also works! As an example, a lot of privacy respecting operating systems - such as elementary OS, GrapheneOS, CalyxOS, … - finance themselves with this model.

Donations Do Not Scale Together With Users

But the limitation I see with donations as a business model is that it does not scale. It works well when many of your users are enthusiasts. But the more adoption the project reaches, the less enthusiastic the new users will be. To them, this is just an everyday tool which is taken for granted. This points towards the sad truth that the number of donors does not scale with the number of users. Even Tor, a big player in the scene, recently had to lay off more than a third of their team due to underfunding.

Wikipedia also has to remind their users regularly, with big page banners, that their service needs to be financed somehow. And kudos to them for being in the business for so long!

Grants Work In Favor of Privacy Too, But Are A Gamble

When a company funds itself with grants, this is usually good for users too - the founders remain independent. But there are downsides too:

Applications Are Burdensome, Uncertain And Have Strings Attached

Every grant starts with a demanding application process. A lot of effort has to be put into the application, describing in a lot of detail what one plans to do with the money. After handing it in, you have to wait for months before receiving a result. And when a result finally comes in, it is very normal to get the grant denied without any explanation at all. You are left in the dark and can only guess what went wrong. And what do you do now? Invest another month to write applications for a chance at a grant?

And even if you get accepted, there are still plenty of strings attached. Next to completing the promised development, you have to document everything in detail and hand in regular reports to update the granter on your progress. Additionally, there often is no flexibility to change course and there are tight restrictions on how the money can and cannot be spent. With most grants you can solely fund development, but no marketing or back office activities. Or you might not even be able to pay salaries but only spend money on licensing or outsourcing.

I Encourage This Path, But Be Understanding When Folks Are Hesitant

This is the path we took and I do recommend it wherever possible. I am super thankful grants enabled us to stay independent and fund our journey so far - but it does come with the cost of additional, mundane work. We definitely were lucky too. If an evaluator got up on the wrong foot on the wrong day, things might have turned out very differently. I fully understand every founder frustrated with having one application denied after the other - without meaningful feedback one can learn from.

Second Ask: How Will the Company Scale Financially?

If the project overcame this first obstacle of financing the “Start-Up” period and remained independent - big, big kudos to them! This is the perfect foundation to create the privacy respecting tech alternatives our societies so desperately need. We have had enough of Google, of Facebook, of Big Tech. But how can we users identify which project will remain user-serving and which might cave in to data exploitation?

Re-Inspect the Areas And Their Costs

We need to go back to the listed areas and have a look at what costs the company should expect when they 10x or 100x their user base. Which costs will explode alongside the user growth and which will remain kind of the same?

Some Costs Will Stay Static

With software that runs locally, Development will remain rather fixed. A great example of this is uBlock Origin, which has multiplied its users over the years but still manages the day to day as before. In short, Gorhill serving Internet citizens with an amazing community.

There are many other areas that might remain static and hit a roof as well, but it greatly depends on the specific project. Also note, we personally have not reached that phase yet so I cannot speak from experience. Nevertheless, the more important thing is to identify the cost-intensive areas:

Identify Areas Where Costs Will Scale Too

So what if a product 100x's its user base? A VPN Service will naturally need more servers. But also more employees in Development to handle the growing infrastructure. As a result, People Management and Project Management must scale too. Support and Accounting will also need more attention. And so on. The nice thing with a VPN Service is that they will 100x their revenue too, since it is very natural for users to pay for VPN services.

With other services, only a few costs scale together with the increased user base. Take an operating system like GrapheneOS as an example. The only cost that must scale is distribution (Server Costs). It will help if other areas scale too, but it is not really necessary.

Does Their Business Model Scale Accordingly?

So after identifying the crucial cost points, now comes the most important question: Is the business model set up to scale financially too? A business model that charges users scales very naturally. A business model built on grants, donations or your own funds can work in cases like GrapheneOS, but not so well for others like Signal.

Case Study: Signal

A short disclaimer: Signal Messenger is amazing. It is open source, is a breeze to use, limits meta-data collection and has top-notch cryptography. I use it almost every day. Signal also responds firmly to jury subpoenas and has the balls to pick a fight with Cellebrite. I respect Signal a lot.
I am not here to take away anything from all the amazing work they do, but I am here to highlight their business model, which might become or already is a serious threat.

[Image: a chain with many strong links (no meta-data, security, usability) that still breaks at its weak link (business model)]

The Initial $50M Gave Signal the Freedom to Not Worry About Money

In the beginning of 2018, Signal Foundation (as well as Signal Messenger LLC) was formed with an initial $50 Million donation coated as a “loan” from Brian Acton, who got his capital from creating and scaling WhatsApp which was later sold to Facebook. This funding increased to around 100M dollars by the end of 2018. This points out how expensive such an undertaking is.

In Turn, They Could Focus On Rock-Solid Technology

This is an amazing situation to be in. Signal could immediately self-pocket the “Start-Up” phase. They could hire skillful employees to get the privacy, cryptography, security and UX aspects of their modern messenger right. On that frontier, Signal is top notch.

But This Freedom Also Fosters Negligence

The other side to this amazing, worry-free environment is that it allows project leaders to be negligent. Just as in venture capital, they can focus on the “fun” technical parts while putting off the money question until “later”.

Their Official Business Model Does Not Seem to Work Long-Term

So how does Signal fare when it comes to Financial Scalability? Officially, Signal’s business model is “Donations and Grants”. A recent mention of this was by Brian Acton on Indian Television (at ~7:00 he talks about business models).

But there are serious hints towards that not being the full story. My impression is that Signal is not equipped to finance their next 5 years of expected growth on donations alone.

Their Bandwidth Costs Are Immense And Were Multiplied With Video Features

In his recent TV interview, Brian Acton compares Signal’s model to Wikipedia - and true, they also run on donations. But from a technical cost perspective he is comparing apples and oranges. While Wikipedia has to host static content which only changes semi-regularly, Signal has to cover the bandwidth of all their users sharing images with their friends, as well as regular video or even group video calls. From a cost perspective, hosting video calls is multiple leagues above serving and caching static content.

We Have No Insight Into Their Donations

This alone does not automatically mean Signal’s business model does not work. I am certain quite a few people will donate to Signal regularly. But as of today, there is no way of knowing how many donations they actually receive, let alone who the large donors are which Brian mentions they are cultivating.
Transparency is key, and here Signal sadly is not open about their current state.

MobileCoin Hints Towards A Lack of Funding Too

Earlier this year, Signal announced plans to implement cryptocurrency payments into its messenger via MobileCoin. This stirred a lot of worry and uncertainty within the community.

The short summary is: Joshua Goldbard, the CEO of MobileCoin, mentions that he started MobileCoin to fund Signal. Moxie Marlinspike, co-founder and CTO of Signal, is MobileCoin’s advisor. This hints towards him feeling the same way: that Signal needs an additional financial path to stay afloat.

Everybody Makes Mistakes, But Since The Cat Is Out of The Bag Things Remain Unclear

The additional worry comes from Signal’s secrecy around this initiative, both before and especially after the community found out. Goldbard has been dodging valid questions and a lot of things remain unclear: What are the financial affiliations between Marlinspike and MobileCoin? How will MobileCoin and Signal tackle the heavy regulatory requirements when implementing such a feature? Why does Signal need this in the first place?

In Summary, I Am Disappointed, But Doom Is Not Set In Stone

To wrap up Signal’s financial situation: Signal successfully and independently overcame the “Start-Up” phase and is currently a great alternative to big-tech messengers, enabling users around the globe to enjoy privacy in their day to day communications.

However, the financial longevity of Signal is highly unclear. We are not doomed yet, they can still adapt and pivot to a sustainable model. But in one way or the other, Signal has the responsibility to monetize their messenger. We cannot do that for them. But we can carry on having these conversations.

Continue Evaluating Privacy Services In All Aspects

The privacy and tech community has immense power. We are the early adopters, we are the ones who ask the hard questions and we are the ones who accelerate a service by recommending it to our friends and family.

We Already Hold Companies Accountable

We have intense discussions on the security, cryptography or privacy of a product. We inspect meta-data collection and advocate for trustless designs. We urge companies to remove themselves from the trust equation, so they do not build a kingdom where the current or next king has the power to become an evil dictator. We also care about jurisdiction and take a look at applicable law.

We Have the Power To Change

I am not claiming that we carry the full burden, since founders and project leaders have a lot of responsibility too. But us asking all these questions is powerful. Our demand for something to be open source is so impactful that most privacy services start out open or follow suit like Threema did.

Add Business Model Questions to Your Interrogation Toolkit

This is my closing ask: that we as a community talk more about how companies fund themselves. Where does the money come from? What is the business model? Who pays? Bombard project owners with these questions. Hold them accountable.

By having these conversations we can create an environment where it becomes just as natural for a privacy project to be open about their money, as it is to be open source.
