I am no stranger to issues of data security. My personal information has been exposed on the internet in several instances in the past, by my (former) payroll provider, by the Federal Government, even by a prominent hospital--and those are merely the institutions whose poor programming practices I discovered inadvertently, let alone the inevitable few who deliberately hid the fact that they had exposed massive amounts of data. All of these breaches were annoying and disturbing to say the least, but fortunately none of them had a material impact on my life due to the exposure of the information itself. (All three, on the other hand, had a definitively negative impact due to the way that the breaches were handled by the respective perpetrators.) Therefore, when I say that I am upset about the latest breach to take place involving my confidential information, I mean that I am really, truly, upset. Not only was the disclosure handled improperly as per usual, but I have suffered an irreparable loss, and there is nothing I can do about it--except perhaps to file a lawsuit.
Unfortunately, filing a lawsuit in this particular case is an option even less attractive than usual. That is because the organization responsible for exposing my data is the immensely powerful venture capital firm of Kleiner Perkins Caulfield & Byers (KPCB)--the same firm recently written up for its new "green" energy pursuits in The New York Times Magazine, and the source of funding, according to its own web site, for "such household names as Amazon, Sun, Genentech, Intuit, Verisign and Google." Not only does KPCB have very good lawyers; it has lawyers on retainer at practically every major law firm in Silicon Valley, and if it doesn't, then at least one of its portfolio companies does. Conflict checks alone make it virtually impossible to find an attorney who would be willing to take on the firm in a substantive battle. Yet as is often the case with legal issues, there's absolutely no doubt that what transpired was wrong, and here, KPCB is responsible.
What transpired was made very clear on December 3, 2008 when Michael Arrington, publisher of the popular Silicon Valley blog TechCrunch, wrote an article entitled, "588 Kleiner Perkins iFund Applications Accidentally Published To Web." The article described how a former contractor of KPCB had deliberately exported the entire iFund applicant database to a text file, which was then made available on a public web server. The file comprised applications from companies (such as my own) looking to obtain funding for their software ideas, all of which were designed to take advantage of the many new technologies embedded in Apple's iPhone. In addition to the product proposals, the file also contained information about gross income for private companies and individuals, as well as contact information. In violation of California law, KPCB notified no one--though it did place another lawyer on retainer.
Just as an individual's Social Security Number, date of birth, and credit card number are all intended to be kept confidential and can easily be abused once in the public domain to the point where an individual's "identity" is rendered worthless, so too can a company's business plan be subjected to similar abuses in the high-stakes world of institutional fundraising. By publishing the plans of several hundred companies, KPCB's errant vendor all but extinguished the chances of those companies receiving funding for those ideas, whether from KPCB or any other firm. It also guaranteed that everyone in the database would be receiving even more e-mail spam than usual; within minutes, we received a sales pitch from a particularly unscrupulous recruiter.
Within minutes of Michael Arrington's article coming out, commenters both on his own blog and on the YCombinator "Hacker News" community site began discussing it. On each site, my name was singled out. On the Hacker News site, my idea was even copied directly out of the database file and pasted for everyone to see, after which it was voted by members to be one of the best, if not the best, submission in the entire database. Under any other circumstances I would have been pleased, but in this case, I was less so.
Luckily, the idea I submitted to the KPCB iFund on behalf of my company was not actually my best idea ever--judging by the metric of popularity alone, that would be the "Universal Face Book," which probably has something to do with the reason why my name was singled out--but this new concept was also not a bad idea, and it certainly did not deserve any less consideration than any other confidential business plan submitted to a venture capital firm. Upon confronting the KPCB partner in charge of the iFund in the esteemed firm's lobby in Menlo Park (which took place only after insisting that I be permitted to speak with someone, and waiting for approximately an hour while a maintenance man attempted to determine why the computerized front door would, on occasion, hold the entire office staff hostage, partners and guests included), I was referred to the firm's recently-hired counsel for the matter.
Oddly, one of the arguments put forth by KPCB's attorney was that my idea was, in fact, so unremarkable (read "bad") that it didn't matter whether it was protected or not, because it was so obvious in the first place. (Despite its apparent obviousness, it still had not been created by anyone at the time of the incident.) KPCB's lawyer made several other severely flawed arguments, including the mistaken assertion that TechCrunch, VentureBeat, and Hacker News were "extremely obscure" web sites that did not represent any real attention being paid to the matter, but that KPCB would stoop so low as to discriminate between ideas "worthy" of confidentiality and those that are not just goes to show how much the firm has fallen out of touch with the needs of entrepreneurs.
The firm's lawyer also made sure to point a very direct finger at KPCB's former vendor as the guilty party. While it's certainly true that the vendor should be held partially liable, the argument that KPCB lacks any liability whatsoever does not hold up. The database vendor was, after all, hired by KPCB, which means that KPCB was directly responsible for ensuring that it could adequately protect sensitive information. (Of course, if KPCB never considered the submissions to be sensitive material, then it would speak volumes about why such a tiny, irresponsible vendor was seen to have been an adequate choice in the first place.)
It is shocking, in any event, that a firm as wealthy and prominent as KPCB would have outsourced their information systems to anyone at all. With the number of skilled engineers in Silicon Valley and its track record in funding high-tech companies, one might think that of all the businesses in the world, KPCB could afford to hire its own database specialist and eliminate the risk that its most valuable intellectual property might be seen by snooping eyes outside the firm. Even more outrageous is the fact that even now, KPCB is still outsourcing the iFund application web site, except to a different third party, salesforce.com. Whatever mistakes its former vendor made, KPCB's inability to properly prioritize the importance of data, both then and now, is crystal clear.
Furthermore, what KPCB's lawyer forgot to mention while searching for scapegoats is that aside from the database vendor, a third culprit actually does deserve some of the blame: Michael Arrington, the publisher of TechCrunch. Responsible journalists know that their job is to report the news, not create it, or make existing news worse. With issues of computer security, this means that without exception, flaws must be reported only after they have been sufficiently addressed to eliminate any needless risk resulting from publicity. Yet, rather than wait, Arrington leapt at the opportunity to fan the flames, linking not once but twice to copies of the exposed database in his news story, both before it was taken down from the original server where it had been posted, and before it had been removed from Google's cache. This shameless display of opportunism is nothing less than despicable, especially coming from someone who fancies himself a serious reporter, as it hurt everyone in that database. (It also opened TechCrunch to significant legal liability.)
The sad moral for entrepreneurs here seems to be that one of the top firms in Silicon Valley is not worthy of its status--not to mention the fact that Michael Arrington's TechCrunch never was. The arrogance displayed by KPCB in its handling of the situation is frankly staggering, more so than the narrow-minded hauteur demonstrated by your average venture capital firm. The last I heard, KPCB is demanding that I promise on behalf of my company not to take legal action against them, in exchange for which they will offer the possibility of meeting with me once again about my business, but of course without any guarantee of funding. This means that should they decline to offer funding, which is the most likely scenario, I will be left with nothing more than a dead idea and an apology from a sole KPCB partner who wasn't even involved in the mess.
This stalemate will likely continue for some time, for having had plenty of opportunity in the past to mortgage my morals for personal gain, and having failed to do so, I see no reason to start now. So, Kleiner Perkins Caulfield & Byers, let this be a warning to you. As I've said before, I just might sue you, and I just might not. What matters is that if you treat entrepreneurs like dirt, which you do despite all claims to the contrary, people will find out--and when that happens, my hypothetical possibility of a lawsuit will be the least of your worries.
Follow Aaron Greenspan on Twitter: www.twitter.com/thinkcomp