Apple, the FBI, and Security

The dispute between Apple and the FBI is a much closer question than it is being framed as in most of the tech press. In large part this is because the dispute itself is being serially mischaracterized by both Apple supporters and detractors.

Apple supporters are, in my estimation, too easily conflating the security issues at hand with the more fundamental debate about encryption; detractors are trivializing the significance of the FBI’s request by suggesting they simply want Apple to unlock the phone.

My goal with this piece is to, in as plain language as possible, lay out the issues at hand, give a framework to think about them, and explain why I am ultimately supporting Apple’s decision.

Three Debates

The first thing to understand about the issue at hand is that there are three separate debates going on: the issue at hand, the encryption debate, and the PR battle. To understand the issue it is necessary to separate them, but to figure out which side may win it is equally critical to understand how they relate to each other.

The Issue At Hand

As I laid out last week, iPhones running iOS 8 or later have all of their contents encrypted on-disk with very strong encryption that is practically unbreakable. Therefore, the most realistic way to get access to the contents of the iPhone in question in this case is to brute force — i.e. try every possible combination — the passcode on the device. This passcode, in conjunction with the iPhone’s unique ID key (UID) that is embedded at manufacture and unknown by Apple, forms a “key” that unlocks the contents of the drive.

Given that this is an obvious way to break into an iPhone, Apple has instituted a number of software-based protections against brute force attacks, specifically a (user-selected) option to delete the contents of the disk after 10 failed passcode entries[1] and a five-second delay between passcode entries. In addition, the passcode must be entered on the device’s touchscreen.

The FBI is asking Apple to remove these limitations: allow more than 10 passcode tries, remove the five-second delay (there would still be an 80-millisecond delay if the computation is done on the device due to a hardware limitation), and allow passcodes to be entered by a separate device instead of a human finger. The FBI cannot do this themselves because removing this limitation would require the installation of a new version of iOS, which itself requires its own key that is known only to Apple.

Moreover, the FBI is insisting that this is a one-time ask for one device: Apple would be able to use the device’s Unique Device Identifier (UDID), which is different than the aforementioned UID and is known to Apple (and anyone else with the device), to ensure the custom version of iOS could only run on the device in question. In fact, the FBI is even offering to let Apple install the custom version of iOS themselves to ensure it does not leave Apple’s campus.
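
The protections described in this section, as an added example (not from the original article and not Apple’s code): a toy Python model in which the passcode is entangled with a device UID, each guess is metered by a failure counter and a delay, and the key is erased at the limit. PBKDF2, the iteration count, the sample UID and passcode, and every function name are assumptions made for illustration; the 10-try limit, five-second delay and 80 ms cost are the article’s figures.

```python
import hashlib
import hmac

KDF_ITERATIONS = 1_000  # assumption: kept small so the demo runs quickly
HW_COST_MS = 80         # per-try hardware cost quoted in the article


def derive_key(passcode: str, uid: bytes) -> bytes:
    """Entangle the passcode with the per-device UID (PBKDF2 is a stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid,
                               KDF_ITERATIONS, 32)


class PasscodeGuard:
    """Toy model of the software limits: failure counter, delay, key erasure."""

    def __init__(self, passcode, uid, max_failures=10, delay_ms=5000):
        self._uid = uid
        # Keep only a check value of the derived key, never the passcode.
        self._check = hashlib.sha256(derive_key(passcode, uid)).digest()
        self.max_failures = max_failures  # None models "limit removed"
        self.delay_ms = delay_ms
        self.failures = 0
        self.elapsed_ms = 0               # simulated clock, no real sleeping
        self.key_erased = False

    def attempt(self, guess: str) -> bool:
        if self.key_erased:
            return False                  # nothing left to unlock
        self.elapsed_ms += HW_COST_MS + self.delay_ms
        candidate = hashlib.sha256(derive_key(guess, self._uid)).digest()
        if hmac.compare_digest(candidate, self._check):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self._check = b""             # article's footnote 1: the key is deleted
            self.key_erased = True
        return False


def sequential_guess(guard, digits=4):
    """Try 0000, 0001, ... and return (passcode or None, guesses made)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        if guard.attempt(guess):
            return guess, n + 1
        if guard.key_erased:
            return None, n + 1
    return None, 10 ** digits


def worst_case_seconds(alphabet_size, length, per_guess_ms=HW_COST_MS):
    """Time to exhaust the passcode space when only the hardware cost remains."""
    return alphabet_size ** length * per_guess_ms / 1000


if __name__ == "__main__":
    uid = bytes(range(32))                # constructed sample UID
    stock = PasscodeGuard("0042", uid)    # constructed sample passcode
    print("stock limits:  ", sequential_guess(stock),
          "key erased:", stock.key_erased)

    relaxed = PasscodeGuard("0042", uid, max_failures=None, delay_ms=0)
    print("limits removed:", sequential_guess(relaxed),
          "simulated ms:", relaxed.elapsed_ms)

    # Passcode length and alphabet are the defence that survives the request.
    for label, size, length in [("4 digits", 10, 4), ("6 digits", 10, 6),
                                ("6 lowercase+digits", 36, 6)]:
        hours = worst_case_seconds(size, length) / 3600
        print(f"{label:>20}: {hours:,.1f} hours worst case at 80 ms per try")
```

With the stock limits the model erases its key after ten wrong guesses; with them removed, only the 80 ms per-try cost and the size of the passcode space stand between a guesser and the key.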

The Encryption Debate

What the FBI is not asking in this case is that Apple defeat the device’s on-disk encryption, and for good reason: as I noted above the iPhone’s on-disk encryption is practically unbreakable. Small wonder that when, in 2014 with the debut of iOS 8, Apple extended this encryption to all of an iPhone’s data, law enforcement agencies everywhere were aghast. FBI Director James Comey, in an October 2014 speech at the Brookings Institute stated:

Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost?…

Cyber adversaries will exploit any vulnerability they find. But it makes more sense to address any security risks by developing intercept solutions during the design phase, rather than resorting to a patchwork solution when law enforcement comes knocking after the fact. And with sophisticated encryption, there might be no solution, leaving the government at a dead end—all in the name of privacy and network security.

“Intercept solutions during the design phase” entail the creation of a so-called “golden key”: a built-in solution to an encryption algorithm that is independent of the user’s passcode. Basically, Comey has for a few years now been agitating for Apple’s on-disk encryption to be designed like a TSA-compliant luggage lock: it opens with either the owner’s passcode or with a universal key owned by a government agency.

This is an unacceptable outcome that has to date been rightly rejected by Congress. While a “golden key” can not, contrary to conventional wisdom, be guessed, it can be stolen (much like the TSA luggage key has been). Worse, once said key is stolen, every single device governed by said key would be vulnerable without anyone knowing any better: that includes not only devices that hold personal details, but also corporate secrets, classified information, in short, nearly everything of value that underpins the United States economy. And no one would know when and if the data was being stolen.

Again, though, while Comey and the FBI have been the most outspoken advocates of this destructive golden key, that is not an issue in this current case. If it were, my support of Apple would be unequivocal, because a golden key is an issue where there is simply no compromise.

The PR Battle

Before I engage in such consideration, it’s important to acknowledge the PR aspect of this case: this is where details like the fact Apple helped the FBI bypass the passcode on non-encrypted iPhones go, along with the fact that San Bernardino County, under direction from the FBI, reset the iCloud password associated with the iPhone in question. That’s not to say that PR doesn’t matter, but none of the surrounding details have anything to do with the substance of the question at hand: is Apple right to resist the FBI’s request to weaken software-based security measures (which do not entail breaking encryption)?

Three Contexts

As is the case with many contentious questions, the correct answer depends on the context with which you evaluate the problem.

The Technology Industry’s Perspective

Apple’s opposition to the FBI’s request, and the support they have received from most major technology companies, is completely understandable.

First off, complying with this order would be a burden (the degree of said burden will be the critical factor on which the court’s decision will turn). Apple would need to design a new version of iOS, figure out a way to secure said version to ensure it doesn’t become widely available, and develop an infrastructure to deal with the inevitable flood of requests from law enforcement agencies seeking similar assistance to the FBI. It is not simply an issue of “unlocking” an iPhone: it is far more complex and dangerous than that.

Secondly, Apple’s ability to resist government pressure in foreign countries — particularly China — will be severely compromised should Apple be forced to acquiesce in this case.

Third, as much as it clearly irked Apple when the FBI framed the company’s opposition as a “marketing stunt,” there is no disputing the fact that the company has made privacy and security a core part of the iPhone value proposition. Forcing the company to actively undo its own security measures certainly works against that proposition.

The FBI’s Perspective

All that said, technologists do their case a disservice by dismissing the FBI’s position out of hand. The fact of the matter is that privacy of information is not an absolute: the Fourth Amendment both prohibits “unreasonable searches and seizures” and affirms an exception for warrants “upon probable cause”. Needless to say, the FBI has pretty damn compelling probable cause in this case,[2] and I don’t doubt that future requests along these lines will be accompanied by warrants as well.

Moreover, while it’s true the FBI and other law enforcement agencies have access to more information than ever before, both thanks to cloud services and also the expansion of the Communications Assistance for Law Enforcement Act (CALEA), which compels carriers and ISPs to provide the government with the capability to intercept communications, there very well may be information on devices that is never transmitted (or that is encrypted upon transmission).

More broadly, while I argued an absolutist’s position above with regards to encryption, that is because absolutism is the only option: data is either securely encrypted or it’s not.[3] Given that, one can certainly make the argument that given the inescapable reality that some amount of data will be “dark” because of encryption, it behooves the technology industry to cooperate on all requests that don’t entail compromising on something (encryption) that, by definition, cannot be compromised on. To put it another way, I can sympathize with law enforcement’s irritation that the position of companies like Apple when it comes to security leaves no room for the FBI’s enforcement of a different type of security: that of the public at large.

The U.S. Perspective

That noted, the FBI’s position itself is more limited than they themselves likely realize: the FBI is primarily concerned with domestic crimes, and their perspective is that of an investigator seeking to uncover a secret.

However, the United States does not exist in a vacuum: there are plenty of entities that would like nothing more than to uncover American secrets, whether those be on the individual level (compromising information, identity, credit cards, etc.), corporate level (trade secrets, financial information, strategic documents, etc.), or government level (military information, government communications, counter-espionage, etc.). Moreover, given the fact the United States is the richest country in the world with the largest economy, powered by corporations overwhelmingly based on intellectual property, defended by the largest and most sophisticated military in the world, the United States collectively has by far the most to gain from strong security. This is why people like Michael Hayden, former director of the NSA — no civil liberties ideologue, to say the least! — say the FBI is wrong. From USA Today:

“Look, I used to run the NSA, OK?” Hayden told USA TODAY’s weekly video newsmaker series. “Back doors are good. Please, please, Lord, put back doors in, because I and a whole bunch of other talented security services around the world — even though that back door was not intended for me — that back door will make it easier for me to do what I want to do, which is to penetrate.

“But when you step back and look at the whole question of American security and safety writ large, we are a safer, more secure nation without back doors,” he says. With them, “a lot of other people would take advantage of it.”

The fact that weaker security helps the FBI doesn’t change the fact that the United States has more to lose from weaker security than any other country on earth. By far.

Winning the Security Game

There’s one more way to look at the question of security in the context of the United States broadly. Consider a sports analogy: in a game like basketball you need to play both defense and offense; the FBI, given their responsibilities, is primarily concerned with offense — uncovering secrets. However, the agency’s haste to score buckets has the effect of weakening the United States’ defense.

This is particularly unnecessary because the United States already has the best offense in the world! Consider the iPhone in question: the fact of the matter is that the data could be extracted without Apple’s help.

  • The first potential method would be to leverage a zero-day exploit that would allow the device to run code that is not signed by Apple;[4] in other words, it is almost certainly possible that someone other than Apple could install the necessary software to bypass the 10 passcode entry limitation (the National Security Agency [NSA] is widely thought to possess several zero day exploits)
  • The second potential method would be to extract the data from the memory chips, and then de-cap the phone’s processor to uncover the device’s unknown UID and the algorithm used to encrypt the data, and then conduct a brute force attack on the passcode using a separate computer designed to do just that[5]

Both of these processes are hugely difficult and expensive, which means they can only realistically be done by agencies with massive resources. Like, for example, the NSA — which is a big advantage for the United States. If there is strong security everywhere (i.e. everyone has the same defensive capability), then the country with the biggest advantage is the country with the most resources to overcome that security (i.e. not everyone has the same offensive capability). To lower the bar when it comes to defense is to give up one of the United States’ biggest strategic advantages.


Note what I have not discussed in this article: privacy. In fact, I do agree that there are significant privacy concerns around the FBI’s insistence that Apple explicitly weaken iPhone security, and I would personally lean towards the privacy side of the debate when it comes to the privacy-security tradeoff.

That said, as I articulated above, I understand the FBI’s concerns about going dark, and the agency could hardly have picked a more compelling example to make their case for tech company cooperation.[6] I am not surprised that a majority of Americans say Apple “Should unlock the terror suspect’s iPhone.”

That is why it is critical to make the argument that the FBI’s request weakens security by compelling something much deeper than merely “unlocking an iPhone.” In other words, given the context of the United States as a whole, an argument for privacy and an argument for security are not a tradeoff at all, but rather two paths to the same outcome: stronger, not weaker iPhones.[7]


  1. Specifically, the “key” for the disk is deleted, meaning the content is encrypted forever 

  2. Not to mention the explicit permission of San Bernardino County, the owner of the phone in question 

  3. It’s math: just as 2 + 2 can only equal 4, data is secure from everyone or no one 

  4. We know these exist: they are the foundation of jailbreaks 

  5. Which, thanks to Bitcoin, are cheaper than ever before 

  6. That this case is being leveraged is certainly not an accident  

  7. One final point: Apple may lose, and that will be ok. This case is a close one, and such an outcome — facilitated brute force attacks — may prove to be the compromise that brings law enforcement to peace with encryption. That would be the hope anyways, because legislation limiting encryption would be a devastating outcome for everyone. One hopes Apple’s resistance in this case doesn’t lay the groundwork for an even worse outcome in the future 

Zenefits and Regulation

From BuzzFeed:

Parker Conrad has resigned as CEO of Zenefits, following a number of regulatory compliance failures at the richly valued human resources startup he co-founded, according to an email sent to employees on Monday.

David Sacks, the chief operating officer, who formerly was an executive at PayPal and Yammer, is taking over as CEO. Zenefits also named Joshua Stein, a former federal prosecutor who is a vice president of legal affairs at the company, as its chief compliance officer. Sacks attributed Conrad’s departure to compliance failures by the startup.

“The fact is that many of our internal processes, controls, and actions around compliance have been inadequate, and some decisions have just been plain wrong,” Sacks said in the email. “As a result, Parker has resigned.”

I haven’t written about Zenefits before now, although the business model certainly is intriguing: the startup offers HR software-as-a-service for free and makes money by acting as an insurance broker for some number of companies using its service. In other words, the product is effectively a lead generation tool.

What Went Right — And Wrong

It’s easy to see why the company was so attractive to venture capitalists: Conrad and team created a unique two-sided offering in which Zenefits had an asymmetric advantage in both markets it competed in. On the product side the company was competing with paid solutions with the price of free; on the brokerage side the company could both forego expensive professional agents on the ground in favor of a call center model and explore different marketing channels beyond the ultra-expensive market for insurance keywords on Google.

However, even in a call center agents needed to be licensed, and Conrad’s resignation came on the heels of a series of BuzzFeed reports about the company’s failure to ensure that was the case. The event that reportedly led to Conrad’s effective firing was also about licensing, specifically the discovery of a Zenefits-created program that helped Zenefits’ brokers cheat on the California licensing process (which required a user to be logged in to the training program for 52 hours).

However, the company’s troubles aren’t just regulatory: between August and September Zenefits’ $4.5 billion valuation suffered a 48% markdown by Fidelity, mere months after the mutual-fund giant invested in the company, and in November the Wall Street Journal reported that the company was falling well short of its revenue goals and suffering from high turnover and poor morale. Andreessen Horowitz, which counts Zenefits as its largest investment, may have a stated preference for founder CEOs, but I suspect the venture firm wasn’t particularly broken up about having such a clear-cut rationale for showing Conrad the door.

Zenefits Versus Uber

In the wake of Conrad’s departure there has been a bit of a meme about Silicon Valley needing to clean up its “move fast and break things” mentality, with most such think-pieces tying Zenefits’ screwups to Uber’s well-documented run-ins with regulators.

In fact, I made a connection between the two startups on Exponent over a year ago: at the time Uber was in hot water for comments made by Emil Michael about threatening a journalist (which I condemned), but I noted that the ride-sharing company by necessity had a certain level of scrappiness given the challenges it faced with regulators on the ground. And, as an example of how regulation could run amok, I discussed the fact that Zenefits had been banned in Utah because of its practice of giving away software for free in order to drum up insurance business, which was deemed an illegal rebate (the Utah law was later changed).

I think that Utah episode is a useful way to understand why it is that, despite my having compared Zenefits and Uber a year ago, I don’t think today’s Uber comparisons hold water: specifically, just as is the case with regulations themselves, the validity and viability of “violating” them all comes down to context.

Thinking About Regulation

Here’s how I would think about dealing with regulations, using Zenefits’ prior experience in Utah, along with Uber, as an example:

  • Is the regulation unambiguous? Utah claimed that Zenefits’ offering of free software was the same thing as an insurance broker offering a rebate, which is absolutely not clear and would need to be litigated. Similarly, while Uber competes with taxis, the vast majority of laws deal with cars that are hailed from the street or from a central dispatcher, not coordination between two independent actors via an app.

  • Is the regulation business-critical? Zenefits’ entire model depends on offering the software for free, which makes it worth the risk of litigating the regulation; same thing with Uber’s skirting of taxi-specific regulations.

  • Is there a user-benefit to testing the regulation? The entire point of Zenefits’ model is that it provides significant consumer surplus to its users and thus places the company in a superior position to sell insurance. Similarly, Uber provides a superior experience with much better liquidity than taxis.

  • Is there recourse to adverse regulatory action? When Zenefits was banned in Utah the startup, in large part thanks to support from the active Twitter accounts of Andreessen Horowitz, mobilized much of the startup community in protest; this was particularly effective given Utah’s preexisting efforts to position itself as a startup-friendly state. Uber is especially effective on this point: the company famously mobilizes its users to put political pressure on regulators and elected officials (or, in the case of China, appeals to the leadership’s stated goals of fostering innovation)

  • Is it right? This is the fuzziest yet most important question, and frankly, it’s hard for any startup to answer honestly. Still, these examples are helpful: Zenefits arguably helps small businesses get started by offering a critical product for free; similarly, Uber takes cars off the road, reduces drunk driving, driver discrimination, etc.

In contrast, note how Zenefits’ recent licensing violations fail every single test:

  • The regulations around needing a license to sell insurance are unambiguous
  • Zenefits’ core value proposition would not be affected by ensuring its salespeople were licensed
  • Users did not benefit from Zenefits’ violating these regulations
  • Zenefits has no recourse should regulators sanction these violations
  • It very well may be the case that licensing regulations are busywork, but not abiding by them isn’t “right”; it’s pure convenience

In other words, these recent Zenefits violations are straight up bad business and emblematic of bad judgment; add on the company’s poor performance and internal strife and it seems clear Conrad’s exit was justified.

Incentives

It seems likely the aforementioned poor performance and these violations were interconnected: a company missing its revenue targets is one that is much more tempted to break the rules, and the creation of a tool specifically designed to skirt an unambiguous regulation speaks to the warping effect of Zenefits’ growth imperative.

Moreover, Zenefits was primed to get this wrong: as clever as Zenefits’ model may have been on paper, it is always problematic when a company’s money-making apparatus is misaligned with its product focus. Either executives are focused on the product and provide too little oversight to the money-making side of things, leading to a bending of the rules in the drive to reach arbitrary goals, or executives focus too much on making money, and the product suffers.

This incentive problem is especially problematic for companies operating in regulatory gray areas: it requires a lot of judgment to determine that pushing the limits in Utah is worth the risk but blatantly breaking licensing rules isn’t, but incentives have a funny way of ensuring that judgment calls always come down on one side or the other.

The Problem with Regulations

I know that some of you think this argument is gibberish: companies should follow the law as plainly understood and try to change regulation through the legislature, city council, etc. Making judgment calls based on context is a recipe for anarchy.

I (unsurprisingly) disagree for several reasons:

  • Regulations are one of the most effective moats incumbents have because they already have the infrastructure and revenue streams to deal with them
  • Regulatory capture, in which incumbents have undue influence on what the regulations actually say and do, is very much a real thing and inevitable the longer a regulation is on the books
  • Politicians and regulators respond to political pressure, which comes from mobilized constituents; this, by extension, requires an actual product providing actual consumer benefit, not a powerpoint presentation

We are living in a time when technologies like the smartphone and the Internet are fundamentally changing what is possible, what is dangerous (or not), and incumbents in industries everywhere are threatened and heavily incentivized to exercise their influence on governments struggling to keep up with the pace of change. The last thing we need is companies voluntarily tying their own hands about something that is “right” simply because it’s legally gray.

But, on the flip side, regulatory risk is a real thing, and companies operating in this area must have more judgement and better execution and only choose battles worth fighting. Conrad failed on all three counts, and I suspect it may ultimately doom the company he started.

The Reality of Missing Out

When it comes to ad-supported services, pundits everywhere are fond of the adage “If you’re not the customer you’re the product”. It’s interesting, though, how quickly that adage is forgotten when it comes to evaluating the viability of said services.

Twitter is a perfect example. In response to my piece How Facebook Squashed Twitter I got a whole host of responses along the lines of this from John Gruber:[1]

I have argued for years that the fundamental problem is that Twitter is compared to Facebook, and it shouldn’t be. Facebook appeals to billions of people. “Most people”, it’s fair to say. Twitter appeals to hundreds of millions of people. That’s amazing, and there’s tremendous value in that — but it’s no Facebook. Cramming extra features into Twitter will never make it as popular as Facebook — it will only dilute what it is that makes Twitter as popular and useful as it is.

From a user’s perspective, I completely agree. But remember the adage: it’s the customers that matter, and from an advertiser’s perspective Facebook and Twitter are absolutely comparable, which is the root of the problem for the latter. Digital advertising is becoming a rather simple proposition: Facebook, Google, or don’t bother.

Consumer Service Carnage

Last Friday LinkedIn suffered one of the worst days the stock market has ever seen, plummeting 40% despite the fact the company beat expectations for both revenue and adjusted earnings; the slide was prompted by significantly lower guidance than investors expected.

The issue for LinkedIn is that a company’s stock price is not a scorecard;[2] rather it is the market’s estimate of a company’s future earnings, and the ratio to which the stock price varies from current earnings is the degree to which investors expect said earnings to grow. In the case of LinkedIn, the company’s relatively mature core business serving recruiters continues to do well; that’s why the company beat estimates. That market, though, has a natural limit, which means growth must be found elsewhere, and LinkedIn hoped that elsewhere would be in advertising. The lower-than-expected estimates and shuttering of Lead Accelerator, LinkedIn’s off-site advertising program (which follows on the heels of LinkedIn’s previous decision to end display advertising), suggested that said growth may not materialize.

Yelp, meanwhile, was only down 11% yesterday after releasing earnings (and issuing guidance) that weren’t that terrible.[3] The company’s big hit came last summer when the stock plummeted 28% in a single day on, you guessed it, a lower-than-expected forecast, based in part on Yelp’s decision to end its brand advertising program.

Yahoo’s core business, meanwhile, is practically worthless as revenues and earnings continue to decline, and the aforementioned Twitter has seen its valuation slump below $10 billion; both are in stark contrast to the companies each has traditionally been associated with: Google is worth $460 billion (and was briefly the most valuable company in the world) and Facebook is worth $267 billion.

The reason for such a stark bifurcation is, ultimately, all about the “customer”: the advertiser actually buying the ads that underlie all of these “free” consumer services.

A Brief History of Analog Advertising

Newspapers are the oldest tool in the advertiser’s chest, and were for many years the only one. This wasn’t a problem because newspapers had the magical ability to expand or contract based on how much advertising was sold for a particular day; from a business perspective, editorial has always been filler.

For the first half of the 20th century, U.S. aggregate newspaper revenue growth roughly tracked GDP, which is what you would expect given that advertising has always been around 1.2% of economic activity for as long as such things have been tracked. In the second half of the century, though, the rate of growth for newspapers slowed just a bit, thanks to the advent of first radio and then television.

Both radio and television advertising had distinct advantages relative to newspaper advertising, both in terms of storytelling and especially their effectiveness in capturing potential consumers’ attention. Still, while newspapers were no longer capturing all of the advertising dollars, they still grew nicely because both radio and television had three important limitations:

  • Because both radio and television were programmed temporally, there was limited advertising inventory; thus, as you would expect in any situation where supply is scarce, prices were significantly higher
  • It was much more expensive to produce an effective radio or television advertising slot relative to a newspaper ad
  • It was difficult to measure the return-on-investment of radio and television advertising; newspapers weren’t that much better, although things like coupons could be tracked more closely

Ultimately, advertisers (known as “brand managers” in the consumer-packaged goods industry, which pioneered these techniques) developed strategies that leveraged all three mediums, plus on-the-spot promotions at retailers, to move customers “down the funnel”:

stratechery Year One - 269

TV and radio were particularly effective at building awareness — making customers aware that your product existed — and also at building brand affinity — the subconscious preference for your product over a competing product at the moment of purchase. Newspapers, meanwhile, were useful when it came to “consideration”: helping consumers decide to buy the product they were now aware of (coupons were very useful here). Finally, brand managers spent a lot of time and money on their relationships with retailers to help pull consumers through the funnel to conversion, with the vague hope that said consumers would prove to be loyal.

Digital Advertising 1.0

The first wave of digital advertising took square aim at the bottom of the funnel: the fact that computers log everything made it easy to demonstrate when an advertisement led directly to a purchase (or a click), and no company benefitted more than Google. Search ads were so effective because consumers were entering the purchase funnel already at the bottom: they already wanted insurance, or to travel, or a lawyer, so Google could charge a lot of money for the right to put an ad for precisely those services right in front of a guaranteed lead and collect every time said lead clicked.

Efforts to implement digital advertising further up the funnel were more mixed; retargeting ads that displayed items you looked at previously were the most blunt and probably most effective attempt to move customers through the consideration phase, even though said bluntness creeped a lot of people out. The top of the funnel, though, never really took off: it really wasn’t clear how to build awareness in a cost effective way on digital.

There were two big problems with brand advertising on the Internet: first, there simply weren’t any good ad units. Banner ads were pale imitations of print ads, which themselves were inferior to more immersive media like radio and especially TV. Secondly, given the more speculative nature of brand advertising, it was much more cost effective to spread your bets over the maximum number of customers; in other words, it remained a better idea to spend your money on an immersive TV commercial that could be broadly targeted based on programming to a whole bunch of potential consumers at a single moment as opposed to spending much more time — which is money! — creating a whole bunch of banner ads that could be more finely targeted.

Today, though, that is beginning to change.

Digital Advertising 2.0

Facebook COO Sheryl Sandberg relayed a fascinating anecdote on Facebook’s most recent earnings call:

Leading up to Black Friday, Shop Direct, the UK’s second largest online retailer teased upcoming sales with a cinemagraph video to build awareness. They then retargeted people who saw the video with one day only deals. On Black Friday, they used our carousel and DPA ads to promote products people had shown interest in. They saw 20 times return on ad spend from this campaign, helping them achieve their biggest Black Friday and their most successful sales day ever.

What Sandberg is detailing here is really quite extraordinary: Facebook helped Shop Direct move customers through every part of the funnel: from awareness through Instagram video ads to consideration through retargeting and finally to conversion with dynamic product ads on Facebook (and, in the not too distant future, a direct customer relationship to build loyalty via Messenger).

Google is promising something similar: awareness via properties like YouTube, consideration via DoubleClick, and conversion via AdSense.[4] Just as importantly, both companies are promising that leveraging their respective platforms will provide benefits on both sides of the ROI equation: the return will be better given the two companies’ superior targeting capabilities and ability to measure conversion, and the investment will be smaller because you can manage your entire funnel from a single ad-buying interface.

Here’s the kicker, though, and the big difference from the era of analog advertising: the Facebook and Google platforms turn TV and radio’s disadvantages on their head:

  • Facebook and Google have the most inventory and are still growing in terms of both users and ad-load; there is no temporal limitation that works to the benefit of other properties (and Facebook in particular is ramping up efforts to advertise using Facebook data on non-Facebook properties)
  • It is cheaper to produce ads for only Facebook and Google instead of making something custom for every potential advertising platform
  • Facebook and Google have the best tracking, extending not only to digital purchases but increasingly to off-line purchases as well

Both companies, particularly Facebook, have dominant strategic positions; they are superior to other digital platforms on every single vector: effectiveness, reach, and ROI. Small wonder that the smaller players I listed above — LinkedIn, Yelp, Yahoo, Twitter — are all struggling.

The Implications of Winner-Takes-All

I have been arguing for a while that in the aggregate the tech sector is fine, and the state of advertising-based services is a perfect example of what I mean: taken as a basket the six companies in this article (Google, Facebook, Yahoo, Twitter, LinkedIn, and Yelp) are up 19% over the last year, even though the latter four companies are down a collective 53%; the fact that Google and Facebook are up a combined 31% more than makes up for it.

This makes sense: while advertising as a whole is a zero-sum game, there is a secular shift from not just print but also radio and TV to digital, which is why this basket of digital advertising companies is up. Digital, though, is subject to the effects of Aggregation Theory, a key component of which is winner-take-all dynamics, and Facebook and Google are indeed taking it all.

I expect this trend to accelerate: first, in digital advertising, it is exceptionally difficult to see anyone outside of Facebook and Google achieving meaningful growth (with the possible exception of Snapchat, which just signed a deal with Viacom that is very much in line with my analysis of the company in Old-Fashioned Snapchat and has a hold on the powerful teen demographic).[5] Everyone else will have an uphill battle to show why they are worth advertisers’ time.

More broadly, the winner-take-all dynamics described by Aggregation Theory have inspired a powerful sense of FOMO (the Fear of Missing Out) amongst investors resulting in a host of unicorns intent on owning their respective industries; I think the recent chill in valuations and fundraising is about coming to terms with the fact that a lot of those unicorns are in the same boat as Facebook and Google’s advertising competitors: they have already missed out to the dominant player in their field (or, that their field was never viable to begin with).

In some respects it is tech’s own inequality story: the average and median company and startup will increasingly bifurcate. It’s not a bubble, it’s a rebalancing, and the winners are poised to be bigger and richer than anything we have seen before.


  1. Gruber wasn’t responding to my piece directly, but his writing is so concise I couldn’t help but use his response to a recent Walt Mossberg piece on Twitter; it’s perfectly representative of those responses I alluded to 

  2. A point consistently missed by far too many AAPL stockholders, at least the ones on Twitter and in my mailbox 

  3. The company missed on earnings but revenue beat and guidance was in-line 

  4. I’m more bullish on Facebook for reasons I explained in Peak Google and The Facebook Epoch and reiterated yesterday  

  5. This piece about how teens use Snapchat is great 

How Facebook Squashed Twitter

The idea of a “smartphone” that could connect to the Internet and run applications was around long before 2007; Apple, though, was the first to put the entire package together, including the device, user interface, and interaction paradigm, which is why the first iPhone is considered the start date of the mobile revolution.

Similarly, the idea of a feed of information developed over many years; blogs were based on the format, and RSS allowed users to compile multiple news sources into a single stream. However, the introduction of Twitter in March of 2006, along with the Facebook News Feed, in September 2006, were the two seminal products that brought all the essential components together: users, content, and a place to read. I would argue it’s a date that is just as significant.

Today, having a feed that users willingly return to day-after-day is the foundation of successful mobile advertising companies, especially Facebook. As I noted back in 2013 the feed allows for an advertising unit that is actually superior to anything found on the desktop: users have no choice but to at least visually engage with whatever is dominating the screen of the mobile device that is the center of their lives.

In fact, I would argue that the feed is so important that its development — or lack thereof — is the core reason why Facebook has soared over the last ten years, while Twitter has slumped after a beginning that suggested the exact opposite sort of outcome.

Twitter’s 2009 Slowdown

In their 2013 S-1 Twitter released user numbers that only went back to Q1 2010; the best estimate of growth between 2006 and 2010 is found by looking at 3rd-party services’ reports on traffic to Twitter.com. The numbers, at least for the first three years, are very impressive. This is from comScore:[1]

However, later that year something surprising happened: Twitter’s growth dramatically decelerated. Here’s a chart of Nielsen data:[2][3]

That summer produced the first set of stories that have since come to dominate the Twitter narrative: Twitter’s Phenomenal Growth Suddenly Stops, Has Twitter Peaked?, Is Twitter in Trouble, Twitter’s Growth: Has It Peaked?, Twitter’s Global Growth Flattens. In retrospect, the answer is yes: as noted, Twitter reported user numbers starting in 2010 that never came close to the hockey stick growth the company enjoyed from 2006 to 2009.

So what happened?

Facebook Versus Twitter

The counterpoint to Twitter’s declining growth numbers was, as noted, Facebook. While the company always had a big head start on the desktop, the story was quite a bit different in mobile. In the first quarter of 2009 Facebook only had 35 million active users on mobile, barely more than Twitter’s 30 million active user base (which was predominantly mobile) a year later. However, the trajectory from those starting points couldn’t be more different:

I suspect the dramatic difference in Facebook and Twitter’s growth was due to three factors:

  • Facebook always had an inherent advantage over Twitter in that its network, at least in the beginning, was based on networks that already existed in the offline world, namely, people you already knew. That made the service immediately approachable and useful for basically everyone. Twitter, on the other hand, was more about following people you didn’t know based on your interests. This theoretically applied to everyone as well, but uncovering those interests and building an appropriate list of people to follow had to be done from scratch.

  • As any product moves down the diffusion curve from early adopters to the mass market, the marginal willingness of each new user to go through the effort of introducing said product into their daily life decreases: early adopters will jump through all kinds of hoops to take advantage of the product’s utility, but the 100 millionth user, to pick a number, is a lot less willing to go through the trouble. In retrospect it seems clear that in 2009 Twitter reached that marginal user: the service had tremendous visibility, but it was simply not worth the effort to get started for an increasing number of people.

  • Facebook, meanwhile, continued to add to the variety of posts available to their algorithmically generated feed.[4] Yes, the early adopters who had gone to the trouble to tune their feed complained, but the real beneficiaries were users who didn’t want to go to the trouble of making sure they saw something interesting — whether related to friends and family or not — whenever they visited Facebook. And, starting in 2009, those users had even less motivation to get Twitter working: Facebook was good enough.

It’s easy to pontificate on how Twitter and Facebook are fundamentally different services, or to argue that Twitter’s interest graph is potentially more valuable than Facebook’s social graph. Ultimately, though, the two services, along with every other form of media, are competing for the same scarce resource: attention. And, as of 2009, not only was it easier to get started with Facebook, but it was also more likely that the service had enough interesting content to ensure most users had no desire to look for something better.

The rise of mobile accentuated this difference. I wrote in The Facebook Epoch:

Mobile is a great market. It is the greatest market the tech industry, or any industry for that matter, has ever seen, and the reason why is best seen by contrasting mobile with the PC: first, while PCs were on every desk and in every home, mobile is in every pocket of a huge percentage of the world’s population. The sheer numbers triple or quadruple the size, and the separation is increasing. Secondly, though, while using a PC required intent, the use of mobile devices occupies all of the available time around intent. It is only when we’re doing something specific that we aren’t using our phones, and the empty spaces of our lives are far greater than anyone imagined.

When it comes to “the empty spaces” most people don’t want to do work, but work is exactly what Twitter required. You had to know what you were interested in, know who to follow based on those interests, and then, to top it all off, you had to pick out the parts that you were interested in from a stream of unfiltered tweets; Facebook, in contrast, did the work for you.

The Attention Market

I have been a fierce critic of Twitter the company ever since they released their S-1, writing at the time that the service had strong monetization prospects but a real user growth problem. Accordingly, I criticized the service for what I perceived as a failure to evolve the product, culminating in a call for a change in leadership last spring; a few months later, consistent with my belief that evolving the product was the key to growth, I made the case for Jack Dorsey to be CEO.

When that happened, and when Twitter released a new product — Moments — that finally abandoned the chronological timeline, I was thrilled, exulting in Twitter’s Moment:

I think, though, it’s time for a new prediction: that the summer of 2015 will be seen as the low point for Twitter, and that this week in particular will mark the start of something new and valuable. Crucially, the reasons why are directly related to why I was bearish for so long: the product, the CEO, and the stock.

Quite clearly that was wrong: the stock is down 38.38% since I wrote that article, including a 4.6% drop yesterday in the wake of a significant shake-up in the executive suite. As I wrote in the Stratechery Daily Update yesterday, I actually don’t think said shake-up is particularly surprising: if the point of bringing in Dorsey was to overhaul the product then it’s hardly a shock that the head of product and engineering from the previous regime are headed out the door. Still, there’s no question that the company is at an even lower point than they were last fall, but, perhaps there is still room for optimism?

I don’t think so.[5] Unfortunately for Twitter the attention market of 2016 is far different than it was back in 2009. When Dorsey states that he wants Twitter to “become the first thing everyone in the world checks to start their day and the first thing people turn to when they want to share ideas, commentary, or simply what’s happening”, he is no longer trying to capture an entirely new market, but rather to steal that market from well-established competitors, particularly Facebook, but also services like Snapchat, Instagram, and the messaging services, all of which have feeds of their own. And Facebook in particular has undergone its own evolution. I wrote in Facebook and the Feed:

Facebook is compelling for the content it surfaces, regardless of who surfaces it. And, if the latter is the case, then Facebook’s engagement moat is less its network effects than it is that for almost a billion users Facebook is their most essential digital habit: their door to the Internet.

Or, to put it in Twitter terms, Facebook has developed its own interest graph that is far more powerful and effective and easier-to-use than Twitter’s ever was. Yes, Twitter still owns niches like NBA Twitter, and news hounds like myself (and most of you reading this article) will continue to find it essential, but for nearly everyone else in the world[6] it is Facebook that is the first thing people check, not just in the morning but in all of the empty spaces of their lives. In short, it’s not simply that Twitter needs to convince users to give the service a second-chance, something that is already far more difficult than getting users to sign up for the first time; it’s that even if the service magically had the perfect on-boarding experience leading to the perfect algorithmically-driven feed, it’s not clear why the users it needs[7] would bother looking up from their Facebook feeds.

In other words, my error last fall was not a misguided belief that Moments was a step in the right direction, or that Dorsey was the right person to overhaul Twitter’s product. Rather, I failed to appreciate not just then but in every single post I’ve written about Twitter that anything the company might do can’t make up for the failure to evolve in those critical few years when the attention unlocked by mobile was up for grabs.[8]


  1. Via Business Insider  

  2. via The Daily Mail  

  3. The number of visitors reported aren’t very consistent between the various 3rd-party services, but the trends are the same for all of them 

  4. This originally stated: “Facebook, meanwhile, in 2009 made perhaps the most significant change to their service since the introduction of the News Feed, and I don’t think it’s a coincidence that said change is roughly correlated with Twitter’s slowdown in growth: the News Feed added items beyond friends and family status updates, and it switched from being chronological to being algorithmic.” In fact, Facebook’s feed was algorithmically based from the beginning 

  5. With the caveat that I am wary of over-reacting in an attempt to compensate for getting this one wrong 

  6. Outside of China 

  7. I explained why Twitter needs more users here and here  

  8. So what should Twitter do now? Well, there is value there: Twitter occupies outsized influence when it comes to news in particular, and also specific niches like live events, African Americans, Japan (especially relative to Facebook), etc. That is certainly worth something to someone, but it’s hard to see the growth opportunities. The company’s user base is likely what it is, and any evaluations should be based on estimates of just how much revenue the company can extract from said user base (and, it should be noted, Twitter has done an excellent job of exactly that).

    In addition, there are very fundamental questions about the long-term viability of a public-oriented service that allows anonymity. Twitter abuse is a real issue that has driven away users. I address this issue here  

The FANG Playbook

Jim Cramer, who coined the “FANG” acronym as a descriptor for the high-flying Facebook, Amazon, Netflix, and Google group of tech stocks that have dramatically outperformed the market, made clear yesterday that his endorsement wasn’t necessarily connected to the underlying companies:

A note on these stocks. I picked them largely because over the years they have become anointed by a group of go-go managers, meaning managers who like to be affiliated with the stocks of companies with the most momentum. I by no means have said “buy these stocks” because they represent great value. What I have been saying is that because of the scarcity of actual high-growth stocks these have become default names that managers naturally gravitate to.

It’s not an unreasonable position: the demand for growth in a low-interest-rate environment flooded with capital, plus a healthy dose of FOMO (Fear of Missing Out) has certainly played a role in the rise of unicorns; it makes sense that the same dynamics would play out in the stock market as well. It’s also a position that has had the good fortune of being right: in 2015 the FANG group accounted for more than the entire return of the S&P 500.[1]

In fact, though, Cramer was more right than he apparently knows: the performance of the FANG group is entirely justified because of the underlying companies, or, to be more precise, because the underlying companies are following the exact same playbook. Sometimes the market does get it right.[2]

The State of FANG

Each of the FANG companies is in a similar position in their respective industries: they haven’t so much disrupted incumbents as they have subsumed them:

  • Facebook: The late David Carr, who first broke the news about Facebook’s Instant Articles initiative back in 2014, worried that “media companies would essentially be serfs in a kingdom that Facebook owns.” However, as I noted in The Facebook Reckoning, publishers already are. Facebook’s status as the Internet’s home page means that publishers have no choice but to accommodate themselves to the social network, whether that be Instant Articles or an increased focus on video.

  • Amazon: While the biggest driver of Amazon’s increased valuation has almost certainly been AWS, the e-commerce side of the business continues to grow like gangbusters as well, taking over half of every additional dollar spent by U.S. consumers online, and a quarter of all retail growth online or off. The vast majority of those sales are actually from 3rd-party merchants using Amazon as a discovery and fulfillment platform, but these merchants’ market power relative to Amazon is not unlike publishers relative to Facebook, because Amazon.com is where the buyers are.

    From a certain perspective this paradigm applies to AWS as well: the reason why AWS’s profitability increases along with growth is that Amazon achieves economies of scale, which is another way to say that AWS’s suppliers have no choice but to be squeezed in order to indirectly serve the customers they used to sell to directly.

  • Netflix: The Internet — and Netflix — made fun of an NBC executive who claimed that “The reports of our death have been greatly exaggerated.” Here’s the thing, though: he’s right, in part thanks to Netflix. According to this February 2015 list, 42 past and present NBC shows are streamable on Netflix, for which the latter is certainly paying a material amount. Indeed, perhaps the most fascinating aspect of Netflix’s meteoric rise is the fact that the same content producers who are ultimately threatened in the battle for attention are increasingly unable to stop themselves from selling their content to Netflix: the streaming company has too many customers adding to a pile of content money that is too big to ignore.

  • Google: Google’s position is similar to Facebook’s: any business that wants to be discovered by potential customers has no choice but to follow the search company’s directives, whether that be cleaning up dubious SEO strategies, making their pages mobile-friendly, or soon, adopting Accelerated Mobile Pages. Every now and then someone, usually a set of publishers, tries to defy the search engine’s influence, only to come crawling back within weeks once traffic craters. The reality is that most people find most web pages through Google, which means Google calls the shots — and sells the most expensive advertising of all.

There is a clear pattern for all four companies: each controls, to varying degrees, the entry point for customers to the category in which they compete. This control of the customer entry point, by extension, gives each company power over the companies actually supplying what each company “sells”, whether that be content, goods, video, or life insurance.

How FANG Started

There are also striking similarities to how each FANG company started, particularly when it comes to the pre-existing resources each leveraged:

  • Facebook: Facebook didn’t launch to the world: it launched to Harvard only. In other words, Facebook started with a preexisting network and, for all intents and purposes, a preexisting infrastructure (Harvard-provided Internet access).[3] What Zuckerberg added was an entry point that provided a much more effective and enjoyable way to tap into and connect with that network.

  • Amazon: Amazon’s roots were equally humble: the company sold only books and held no inventory; when an order was placed Amazon would order the book from pre-existing book distributors and then ship it on using pre-existing parcel shippers to the end user. What Jeff Bezos and team added was an entry point to a far more extensive selection of books than any offline bookstore could provide and lower prices to boot. Once you bought from Amazon, why would you buy anywhere else?

  • Netflix: Netflix also began with pre-existing assets: off-the-shelf DVDs and the U.S. Postal Service, providing a benefit similar to Amazon’s — a wide selection and delivery to your doorstep. It took a year to figure out the subscription model, which meant lower prices for heavy users and less stress about things like late fees for everyone, and Netflix slowly became the gateway to entertainment for more and more customers.

  • Google: Google didn’t create any of the pages accessible through its search engine, nor the means of accessing those pages (the browser). Rather, by basing its algorithm on the link (instead of content) it offered a dramatically more effective way to find exactly what you were looking for, making it the natural first stop for anyone looking for anything on the Internet.

None of the FANG companies created what most considered the most valuable pieces of their respective ecosystems; they simply made those pieces easier for consumers to access, so consumers increasingly discovered said pieces via the FANG home pages. And, given that the Internet made distribution free, that meant the FANG companies were well on their way to having far more power and monetization potential than anyone realized.

FANG and Aggregation Theory

Last July I described the theoretical underpinning for this shift in power and monetization potential in Netflix and the Conservation of Attractive Profits. By owning the consumer entry point — the primary choke point — in each of their respective industries the FANG companies have been able to modularize and commoditize their suppliers, whether those be publishers, merchants and suppliers, content producers, or basically anyone who needs to be found on the Internet.

Over time, each of the FANG companies has leveraged their ownership of the customer relationship to expand their arena of control, whether that be by expanding their offerings like Amazon or integrating backwards into the previously valuable components of their ecosystem (Facebook owns their network completely, Netflix creates their own content, and Google increasingly monetizes by keeping people on Google properties). All of those moves, though, were predicated on owning the customer relationship.

Long-time readers know that I already summed up this phenomenon in Aggregation Theory, but in some respects I think my chosen name does this idea injustice: the word “theory” sounds abstract and disconnected from the real world, when in fact the elements of Aggregation Theory are not only very much real phenomena but also the connective tissue tying the FANG companies together.

Moreover, understanding where these companies started and how they grew fleshes out the advice I gave at the end of last week’s article Cars and the Future:

Startups looking to disrupt other decades or century old industries should take note: be patient, get your business model and core user base right, and wait for the fundamental changes wrought by the Internet and mobile to come to you.

Each of the FANG companies was technically innovative in their own way (especially Google, the exception that proves the rule), but each of them — like Uber, which that paragraph referenced — also depended to an incredible degree on products and infrastructure that already existed. The key to their now or future dominance was their proximity to customers, superior user experience, and new business models that simply weren’t possible before the Internet.

Note that none of these companies are “disruptors” in the Christensen sense. They are not offering low-margin good-enough products that appeal to customers who are over-served by incumbent companies. Rather, they are “aggregators” who start with the best customers and don’t really compete with incumbent companies, at least in the beginning. In fact, incumbents nearly universally benefit from the presence of aggregators, at least at first (publishers benefited from Facebook, merchants from Amazon, content makers from Netflix, web businesses of all types from Google). It is only when the aggregators’ consumer base becomes dominant that the inevitable squeeze on incumbents — specifically, on their profit margins — begins, and it is in the long-run irreversible.

That, Mr. Cramer, represents incredible value.


  1. I.e. without these four stocks the S&P 500 would have been significantly more than barely down for the year 

  2. Actually, I think in the long run, it almost always does. As legendary investor Benjamin Graham said, “In the short run, the market is a voting machine but in the long run, it is a weighing machine.” 

  3. Facemash, the “hot-or-not” app that Mark Zuckerberg built even before Facebook, even included pre-existing content (photos of students)