Monthly Archives: October 2015

SDKs Bring Easy Utility to Apps at the Cost of Privacy and Trust

A recent iOS scandal demonstrated how invasive a malicious SDK can be, and how much damage it can do to the privacy of the user. This can happen without the user, or even the app developer, knowing or agreeing to it. We don’t use SDKs, and here’s why.

When you build an app, 3rd party SDKs are incredibly attractive.  Import a Google library into your project, add a few lines of code, and things just start working. It’s that easy, and the utility is HUGE for the developer.  Install Twitter’s Fabric.io and you get an email every time your app crashes on someone’s device with all the details you need to fix it.  Throw in Yahoo’s Flurry and see how people use the app in real time, which screens they like, where interest drops off, how and when they use the app, etc.  If you’re marketing your app, use Facebook’s developer SDK to be able to track ad clicks all the way through the app store to app install, and even pay only when the app is installed.  All of these SDKs are bundled with SaaS platforms that store all the data, do all the processing, and visualize the data to make it instantly actionable.

But notice a pattern? Look who is buying up app analytics startups. It’s all of the huge names in tech, but not the SaaS providers like SAP, IBM or SalesForce. It’s data companies whose value lies in the insight their content provides them. These ad/analytics/tracking SDKs give them eyeballs into the pockets of the end user: your users, or you. Those users don’t know what you’ve just put on their phone, and how would they, given that it is probably only stated (hopefully) in the terms of use. When the developer writes 3 lines of code, the SDK runs with all the permissions of the app itself. And the data it collects sits on the 3rd party’s server, not yours. For all intents and purposes it now belongs to them.

[Image: Facebook SDK setup snippet] Get Facebook’s SDK up and running with 3 lines of code.

Recently, Apple blocked over 150 apps from the app store at once. They all had an SDK in common, from a Chinese ad network named Youmi. That SDK was accessing and reporting sensitive information such as user emails and device IDs back to the SDK provider Youmi. Apple usually has stringent app checks to catch this type of app behavior. However, it appears Youmi was able to fool the examiners. I think that, similar to the way VW diesels were able to sense that they were in a test environment and reduce emissions, Youmi was able to sense the Apple testing environment and shut down the malicious activities. However, that’s just conjecture. What is not conjecture is that Youmi stole extremely sensitive user data without users, or even the developers, knowing that it was happening. In general, as a user, the only way to find out which SDKs you’ve “opted in” to is to read the privacy agreement, terms of use, EULA, etc. of every app you have installed.
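As an added illustration, not from the original post, here is the kind of check a developer can run on their own app before shipping it: it reads proxy log lines captured from the app and flags e-mail addresses and device identifiers being sent to any host other than the developer’s own. The host names, the allow-list and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hosts operated by the app's own developer (hypothetical allow-list).
FIRST_PARTY_HOSTS = {"api.example-app.test", "cdn.example-app.test"}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# IDFA/UUID-style identifiers (8-4-4-4-12 hex) or a 40-hex legacy UDID.
DEVICE_ID_RE = re.compile(
    r"(?:[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}|[0-9a-fA-F]{40})"
)

# Constructed proxy log (not real traffic). Format: "<method> <url> [<body>]".
SAMPLE_LOG = """\
POST https://api.example-app.test/v1/login email=alice%40example.test&pw=secret
POST https://ads.thirdparty-sdk.test/collect idfa=6F9619FF-8B86-D011-B42D-00C04FC964FF&app=shop
GET https://cdn.example-app.test/banner.png
POST https://track.thirdparty-sdk.test/u email=alice%40example.test&udid=0123456789abcdef0123456789abcdef01234567
GET https://stats.thirdparty-sdk.test/ping?screen=checkout
"""

def parse_line(line):
    """Split a log line into (host, params), merging query-string and body fields."""
    parts = line.split(" ", 2)
    url = parts[1]
    body = parts[2] if len(parts) == 3 else ""
    split = urlsplit(url)
    params = {**parse_qs(split.query), **parse_qs(body)}  # parse_qs URL-decodes values
    return split.hostname, params

def find_leaks(log_text, first_party=FIRST_PARTY_HOSTS):
    """Return (host, field, kind) for sensitive values sent anywhere but first-party hosts."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        host, params = parse_line(line)
        if host in first_party:
            continue  # the developer's own servers are expected to see this data
        for field, values in params.items():
            for value in values:
                if EMAIL_RE.fullmatch(value):
                    findings.append((host, field, "email"))
                elif DEVICE_ID_RE.fullmatch(value):
                    findings.append((host, field, "device_id"))
    return findings

if __name__ == "__main__":
    for host, field, kind in find_leaks(SAMPLE_LOG):
        print(f"{kind} sent to third party {host} in field '{field}'")
```

Any hit points at a bundled SDK whose data flow should be checked against what the app's own privacy terms disclose.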

While Youmi was obviously not a reputable partner, their actions are bringing the behavior of other, more reputable SDKs into the spotlight. Since it is now clear that we don’t know exactly what they are doing, it is also clear that we shouldn’t necessarily trust them. Avoiding them makes things extremely difficult for developers. The other options are certainly not as refined. ACRA, for example, allows you to catch crashes and run analytics using your own servers, but can take a good bit of tooling to get running. We searched for paid SaaS solutions that would allow us the agility and insight of Google, Twitter or Yahoo while keeping the data within our own silo, but came up empty-handed. If you build a privacy-aware SaaS app analytics platform, we’ll be your first customers. Call us! Perhaps the Youmi scandal means we won’t be the only ones, but it will be the users of those 150 kicked apps that decide what the consequences are.

-dawud
@d4wud

Navigating the Entrepreneurial Legal Landscape

Getting your startup formation and legal structure done right is so important. Failure here will be expensive, make your slim chances at success even worse, and can even be fatal to an otherwise great business.  This is about what we’ve learned so far at TwoSense.

The TL;DR advice is to ask startups slightly ahead of you what they did and who they recommend, and to bill by the hour if it’s not straightforward work.

When you launch a startup, there are so many decisions that become immediately pressing. If you’re technical or non-legal like we are, these are all decisions that you probably have never considered before, but you have to make them immediately nonetheless. Which form should you choose to create the entity? There are so many options: DBA, LLC, C Corp, S Corp, B Corp, etc. Should you form locally or in Delaware (NY offers you the first 10 years tax free, for example)? How much equity do you assign to the founders? How do you structure that equity? How do you deal with IP? There are some great resources out there from experienced entrepreneurs (e.g. Sam Altman’s startup class, I highly recommend all of it), but any variation from the standard in your configuration (e.g. a partner who is a foreign national) opens up questions that are difficult to answer definitively without a legal background.

Legal representation can be really, really expensive, sometimes up to $1200 an hour. That’s a big investment to make before you’ve tested product-market fit… not exactly in line with the “be lean and fail fast” mantra. Services like LegalZoom can do all the forms and filing for you, but at the end of the day you’re signing documents the intricacies of which you don’t completely understand. You also don’t understand the repercussions of those details, some of which can be fatal for the future of the startup. At TwoSense, we decided to go with LegalZoom at the beginning, while doing enough research to ensure that we weren’t committing any of the fatal errors, and hoping to be able to iron out the issues later when we were better funded. We formed a DE LLC that could easily be converted to a C Corp pre-investment. This has worked out for us so far, but in retrospect it could have gone poorly.

A new option in the legal landscape is a la carte legal service platforms like LegalHero. You list the legal issue at hand, and lawyers and firms bid in a reverse auction to be the ones to resolve it. The advantage is that you get to see the span of pricing, and get a fixed price for the work instead of hourly billing. Our advice is to remove the min and max outliers (highest and lowest bids) from the selection, but that’s entirely up to you. Friends of ours work with someone they found through an a la carte service and are very happy with the result. However, at TwoSense we found that for complex issues, the legal team on the other end is not motivated to explain things to you, because they are not billing hourly. If you’re founding a startup, you’re probably a control freak like me, and signing something that you don’t completely understand is out of the question. We worked with a great lawyer, and I think the issue was not with the individual, or the platform per se, but rather with the billing method for the complexity of the issue. We were essentially trying to get something for nothing.

One alternative is to go with the larger firms which are institutional startup wheelhouses, such as Gunderson, WSGR, Cooley, etc. For most of us, paying $1,200 an hour isn’t an option. Luckily, many of them have a VC-like model of offering reduced rates or payment deferral plans. They take some of the risk with the startup. They risk making a loss or not being able to collect deferred bills should the startup fail, in the hope that some of their crop will make it to a funding round. The lifetime revenue of those few will pay for the losses of the others and then some. These are great options, but be wary of deferral periods that come due close to when you plan to raise, as any delay means you may have to pay a huge bill out of your own pocket. Also watch out for deals that involve the legal firm taking equity. Equity is your most precious resource. As our current legal team puts it, they don’t take equity because “we don’t want equity in companies that are willing to give it up, and the ones that won’t give us equity are the ones we would want a piece of.” In my experience, a warm intro goes a long way to sweeten the deal, and the better the intro, the sweeter the deal. Intros from existing clients seem to get the best results. Some of the best deals also come with a vetting process beyond the intro. One such program which I personally really like is the QuickLaunch program from WilmerHale. It combines a prix fixe for formation with an hourly rate, plus a rebate and cost deferral plan, after that. I know I said watch out for flat rates, but while formation is complex for you, they’ve seen it all before, and if you back out after formation they make a loss, so they have every motivation to put man-hours into keeping you happy.

Don’t underestimate legal costs. 15% of our budget is set aside for lawyers.

Another issue is once you have an intro and get an offer, how do you vet the team in terms of their legal skills?  Their websites are no use, they all say the same thing and claim to be the best in every area, and there is no “Yelp of legal services” for startups (good pain point, maybe there’s room for disruption here?).  You’re also probably not an expert and not really equipped to judge experts.  What we did was take the most complex issue we had that needed solving, present it to each team and play dumb.  While you may have no idea what the best solution is, seeing what most firms’ proposals have in common tells you a lot about what needs to be done, and the depth of their proposal and recommendation hints at their experience.  You can also bounce recommendations from one firm off of another and gauge the reaction.  Also, get letters of engagement from several firms and tell each of them what the others offered.  Using these offers as social proof can get you movement, and creating a bidding war is always in your favor. Keep in mind that if you’re successful, the price you pay now will probably not make a difference, but having a legal team that knows the ropes might.

The biggest factor in our decision was talking to other entrepreneurs and learning from their mistakes. In the end we went with Dentons through a referral from an advisor and angel who is also a seasoned entrepreneur. He had been through the works before finding someone he liked, and we followed his advice and are happy with the result. It isn’t necessarily the legal firm that we’re happy with; it is the partner that we interact with that was important to us. And we found him through another entrepreneur. As a disclaimer, I’d like to point out that this is a report of our experience, and we are not out of the woods yet. It has been a tough journey to get to where we are, though, and I wanted to share what we’ve learned from our mistakes so far. So, if you have someone with more experience than us who is giving you contrary advice, keep that in mind and go with your gut.

-dg
@d4wud