How We Handle Cap Table Information (henrysward.medium.com)
119 points by milkglass on Jan 8, 2024 | hide | past | favorite | 89 comments



I'm Karri, the Linear CEO who is involved in this. I posted this on Twitter, but several points in this post are not true:

  On Friday we had an internal policy violation that affected three companies.
- I have 7 Linear investors now confirming they were contacted with the same solicitation in the past months. I have screenshots. So the violations (so far) stopped on Friday, but started months ago.

- I have heard from close to 10 companies who had this happen to them months or years ago.

- They also did not answer my request to share how many of our investors were affected, and they have not tried to make any amends during this whole time.

- The issue is not resolved. Neither this blog post nor Henry has given me any concrete information or actions, or promised this wouldn't happen again.

- At this point, as I haven't received any assurances that this is not the case, I have to assume our cap table and other information has been a free-for-all within Carta entities, to be used however they can, for at least months, maybe the past 4 years, with no real controls in place.

I'd compare this to a security incident. I've told them so and expect them to do a full investigation and a post-mortem on what data has been exposed, who was affected, how it was possible, and what will be done in the future to prevent it.


Not to be pedantic, but technically he is correct; he's lying by omission.

They had an internal policy violation on Friday, but they didn't say it was the first.


To raise your pedantry, the statement may be factual, but untruthful.


truth, the whole truth, nothing but the truth


It’s a bit sad that he doesn’t even attempt introspection on employees having any access to customer data whatsoever. I fully understand this is a normal situation, and that every function will puke all over the suggestion that they can do their jobs without access to customer data. But they can. It’s more difficult, yes. But it’s possible (I know, I’ve run this way in the past). Particularly in Carta’s business this should be on the table — zero internal access to the data. Period.


It's not that hard to suggest access monitoring, isolate routine aggregate metrics and occasional needs, and have a process around other reasons why you'd need to run some more detailed analysis. You don't need the separation to be absolute on day 1, just known, discussed, and gradually limited to need-to-know.


Almost everyone in every line of business believes that having policies against accessing customer data, but no technical controls over it, is good enough. The number of firms that have systematically removed their own access to customer data is extremely small.


Google is a stellar example of a company where there are strong technical safeguards against employees accessing customer data without a business purpose.


Meta is good as well


Er, are you sure? [1] If so, how recent is this?

> Facebook employees were granted user data access in order to "cut away the red tape that slowed down engineers," the book said. "There was nothing but the goodwill of the employees themselves to stop them from abusing their access to users' private information."

> In a presentation to Zuckerberg and the company's top executives, [CSO] Stamos said engineers had abused the access "nearly every month," the book said. At the time, more than 16,000 employees had access to users' private data, the book said.

> Stamos suggested tightening access to fewer than 5,000 employees and fewer than 100 for particularly sensitive information such as passwords. He proposed requiring employees to submit formal requests for access to private data but received pushback from executives. Zuckerberg said changes on the matter were "a top priority" and tasked Stamos with finding a solution and giving an update in a year, the book said.

[1] https://www.businessinsider.com/facebook-fired-dozens-abusin...


When I was there working on the main front end (Hack/JS), you ran a copy as you made changes to it. It had full access to real data. But if you tampered with the access control logic in it, or otherwise read other users' data (vs. your own or a test user's), it would get flagged and you'd get fired. Happened fairly often.


Yeah that's not "strong technical safeguards". Or good enough.


Yeah, that is not even remotely good enough. Processes running under the authority of individual engineers cannot have access to user data. Processes with access to user data can only run reviewed and committed code from verified production builds. There can't be user data just lying around on hosts where Unix superuser permissions can be used to access it.


Nothing is lying around. Everything is remote API calls authenticated as the engineer running the code.


They seemed pretty good at catching people


I hope you never have control over people's data. Being good at catching people after the fact is not the same as being good about securing the data in the first place. Seriously, if you had important information that was leaked, it's kind of irrelevant whether the person who leaked it got fired. You still face the consequences either way.


> Being good at catching people after the fact is not the same as being good about securing the data in the first place.

True, only one of these is future proof, and maybe not the one you think.


jeffbee worked at Google.


I work in an environment where we're trying to troubleshoot production data problems...without access to the data. It's a royal pain, but a necessary one.


It's a pity that Henry Ward is handling this issue so poorly, and lacking the necessary transparency.

The hard truth is that Carta sits on a potentially huge source of revenues (secondary market), and therefore it is very tempting to "screw" existing customers in order to multiply its income. Easier to go public (IPO), or be acquired, when you have a "growth" story.


> It's a pity that Henry Ward is handling this issue so poorly, and lacking the necessary transparency.

This feels like a CEO who has been able to put a spin on things and control the narrative in small circles (his board, his staff, his peers, his friends), and who thought he could do the same in the court of public opinion.

But the public doesn’t care if Henry likes them and their jobs don’t depend on agreeing with him. The usual tactics of putting on a big smile and explaining it away aren’t working, and he keeps digging deeper with his usual bag of reality-distortion tricks that just don’t work on public audiences.


And it's a habit of his apparently to Streisand himself: https://techcrunch.com/2023/10/25/cartas-ceo-reaches-out-to-...


And the important detail is that the secondary revenue source only exists if startups keep trusting them with their cap table data - I don't know how hard it would be to migrate providers with cap table info but I guess we will hear about it in the next few days/weeks.


Seems like this behavior is systemic, deliberate and approved by management. [1]

With that in mind, it's highly unlikely this incident is limited to 3 companies, more likely that's the number of companies who have gone public.

I don't understand why he feels the need to misrepresent their policy here, either he's knowingly lying, or much worse, doesn't even know what's happening in his own company.

Couple this with his trainwreck Twitter reply blaming the victim for clout chasing after bringing to light a serious invasion of privacy. [2]

What a mess.

[1] https://twitter.com/paulg/status/1356643841659572227

[2] https://twitter.com/henrysward/status/1743794996732735679


This is precisely the issue. Why try to spin this at all? There must be something preventing him from simply "fixing the glitch" and everyone moving on: it's obviously money.

The impression I get is that Carta is not a viable business on its current (any?) valuation without this angle. Which then means no one in their right mind should be dealing with them.


After working at big G for a while, I'll always believe things are much simpler and less thought out than anyone ever thinks.

Here I think you hit the nail on the head: the giveaway is the tweet; he had the situation handled already. Jumping to that reaction about jobs, just because 20 tweets downthread the dude's like "we talked but I still don't like it", betrayed an understanding of this as "keeping 4,000 people employed."


Have been watching this unfold over twitter the past couple days and all I can think to say is that Carta really, really needs to hire a communications director. This situation is really not that terrible (Carta is trying to monetize via secondary markets, customers were not aware), and could easily be served via one of two options:

1 - divest from secondary markets, apologize, immediately highlight what’s next and how this will be remedied

2 - inform customers this is Carta’s way forward and accept losing some customers to make a lot more money on secondary markets

These are both equally acceptable in light of these events. What’s not acceptable is your CEO ranting on twitter and Medium pretending nothing’s happening, that it’s a one-off event when there’s evidence to the contrary, and attacking the customers who brought this to light.

This is 100x more applicable when the customer is someone like Linear which is a huge thought leader and one of SV’s golden children at the moment, and your market is other startups who will likely have shared investors, shared networks etc.



This is a great writeup and deep-dive into the conflicts of interest. Sounds like they are over-valued and simply _have_ to go into secondary markets


Context:

Carta have both their original cap table management business and a ~5-year-old secondary liquidity business (CartaX). They pitch their liquidity business as opt-in.

However, they have been using private cap table data to approach company investors about secondary sales, without company approval.

From the Linear CEO, whose 70+-year-old family member was approached to sell their shares:

- https://twitter.com/karrisaarinen/status/1743398553500971331

- https://twitter.com/karrisaarinen/status/1743824345334714587

Carta CEO's initial response, blaming the customer:

- https://twitter.com/henrysward/status/1743794996732735679

Carta claims it was a one-time incident, but:

Paul Graham sounded the alarm in 2021

- https://twitter.com/MarwanRefaat/status/1357820073918910464

Mitchell Hashimoto says it happened to them in 2019

- https://twitter.com/mitchellh/status/1744123473751155154

Carta's ESOP template does not include transfer restrictions, something very standard in agreements but clearly in CartaX's favor.

- https://twitter.com/tiffdukecull/status/1743428292164853846

Edit: A good summary of Carta's conflict of interest.

- https://twitter.com/haridigresses/status/1744135421192208520


> Mitchell Hashimoto says it happened to them in 2019

> - https://twitter.com/mitchellh/status/1744123473751155154

Aha! That might explain the very strong sense of déjà vu I got when reading this. I thought for a second either I had a screw loose, or there was a glitch in the Matrix.

Yeah, that's no good. What it tells me is that they don't care enough about it for it to be a problem for them until someone raises a stink about it, and I'm pretty sure I'm getting a whiff of it right now. How's that old saying go? "When a fish stinks, it stinks from the head?" Yeah...


No initiation of an outside audit. No resignation of the CEO. No firing of the CEO by the board.

The question all this raises is, of course, what else are they doing that hasn't come out yet.


> Visits to San Francisco’s infamous Gold Club, indecent exposure and NSFW conversations at company events, executives sexually harassing staff and a toxic boys’ club culture: Those are just some of the allegations brought against Carta, a San Francisco company valued at $8.5 billion late last year.

https://sfstandard.com/2023/10/25/carta-san-francisco-lawsui...


This lukewarm "mea culpa" does not sound very convincing.

It seems like somebody got caught with their hand in the cookie jar and is suddenly "shocked and appalled."

A one-time, accidental "internal breach of protocol" breached what should be an iron-clad firewall? Okay.


I'm old enough to understand that when you find this many ways, at this length, to not say the simple thing, it's not because you're being transparent. Despite the length.

The tweet about 4,000 employees losing their jobs due to clout chaser or whatever gave me two thoughts:

- 4,000 employees?!!??!

- it is likely they had already internalized all this as "that's what we do to keep the company running".


I live by the following rule:

If the cause of an issue hasn't been attributed to a business process, then I haven't dug deep enough.

I'm not familiar with this particular incident, but nothing in the post is giving me the confidence that the business process which led to this situation has been identified. Sounds like they haven't dug deep enough.


In a similar vein, I would like to contribute:

> Many of the most painful technical problems are actually three business problems in a trenchcoat.


Related yesterday: Carta CEO's response to the unsolicited outreach to their customers' investors (twitter.com/henrysward) 198 points by alsodumb 23 hours ago | 96 comments | https://news.ycombinator.com/item?id=38897363



There is also this one: https://www.angellist.com/startups


Henry is obviously trying his best to pin this entire thing on an employee as a one-time incident that happened this Friday.

Yet, he doesn't do anything to address the concerns that similar things happened to many other companies, even before Friday: https://x.com/karrisaarinen/status/1743743570371321978?s=20

He also goes on at length to explain how they manage customer data, and yet at no point indicates how the sales employee managed to get a company's cap table info. Sure, all humans capable of accessing cap tables are tracked and audited, but what's the point if anybody can self-accept a request to access the data?

The truth is, had Karri enrolled Linear in CartaX, or if the investor Karri mentioned had his public info online, Carta would have done everything they can to brush this incident off. Karri provided irrefutable evidence that showed that the only way this could have happened is by a breach on Carta's side, and Henry had no option other than first calling it a one time incident, then saying it's an incident limited to three customers, and then personally attacking Karri and trying to gaslight him with a passive-aggressive response.

Edit: Here is Karri's (Linear CEO) response to the blogpost with more evidence that this happened well before Friday: https://x.com/karrisaarinen/status/1744155886132826234?s=20
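Several comments above argue for technical controls rather than policy alone: an earlier one suggests access monitoring plus a process around need-to-know requests that is gradually tightened, another describes reads of other users' data being flagged, and this one asks what auditing is worth if a request can be self-approved. The block below is an added example, not code from the original post or from Carta, of the minimal access broker such controls imply: a purpose-bearing request, separation of duties (the requester can never be the approver), time-bounded grants, an audit log on every read, and a detection rule over that log. All names (the broker class, `security-lead`, `co-123`, the sample record) are hypothetical and the data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    company_id: str
    purpose: str                       # business justification, mandatory
    ttl: timedelta                     # lifetime of the grant once approved
    approver: Optional[str] = None
    expires_at: Optional[datetime] = None


@dataclass
class AuditEvent:
    ts: datetime
    actor: str
    action: str                        # request / approve / approve_denied / read / read_denied
    company_id: str
    detail: str = ""


class AccessBroker:
    """Single choke point between staff and per-company records (hypothetical)."""

    def __init__(self, approvers: set[str], clock: Callable[[], datetime]):
        self._approvers = approvers
        self._clock = clock                      # injected so expiry can be tested deterministically
        self._pending: dict[str, AccessRequest] = {}
        self._grants: dict[tuple[str, str], AccessRequest] = {}   # (user, company) -> active grant
        self.audit: list[AuditEvent] = []

    def _log(self, actor: str, action: str, company_id: str, detail: str = "") -> None:
        self.audit.append(AuditEvent(self._clock(), actor, action, company_id, detail))

    def request(self, req: AccessRequest) -> None:
        if not req.purpose.strip():
            raise ValueError("a business purpose is required")
        self._pending[req.request_id] = req
        self._log(req.requester, "request", req.company_id, req.purpose)

    def approve(self, request_id: str, approver: str) -> bool:
        req = self._pending.get(request_id)
        if req is None:
            return False
        # Separation of duties: the requester can never approve their own request,
        # and only designated approvers can approve at all. Denials are logged, not silent.
        if approver == req.requester or approver not in self._approvers:
            self._log(approver, "approve_denied", req.company_id, request_id)
            return False
        req.approver = approver
        req.expires_at = self._clock() + req.ttl
        self._grants[(req.requester, req.company_id)] = self._pending.pop(request_id)
        self._log(approver, "approve", req.company_id, f"{request_id} for {req.requester}")
        return True

    def read_cap_table(self, actor: str, company_id: str, store: dict) -> Optional[dict]:
        # Every read goes through the broker; no grant, or an expired one, means no data.
        grant = self._grants.get((actor, company_id))
        if grant is None or self._clock() >= grant.expires_at:
            self._log(actor, "read_denied", company_id)
            return None
        self._log(actor, "read", company_id, grant.purpose)
        return store.get(company_id)


def suspicious_actors(audit: list[AuditEvent], threshold: int = 1) -> dict[str, int]:
    """Detection rule: actors with at least `threshold` denied approvals or reads."""
    counts: dict[str, int] = {}
    for ev in audit:
        if ev.action in ("approve_denied", "read_denied"):
            counts[ev.actor] = counts.get(ev.actor, 0) + 1
    return {actor: n for actor, n in counts.items() if n >= threshold}


def demo() -> dict:
    # Constructed sample data: no real company, investor or employee.
    store = {"co-123": {"holders": [{"name": "investor_1", "shares": 1000}]}}
    now = [datetime(2024, 1, 5, 9, 0, tzinfo=timezone.utc)]
    broker = AccessBroker(approvers={"security-lead"}, clock=lambda: now[0])

    req = AccessRequest("r1", "sales-rep", "co-123", "support ticket 4711", timedelta(hours=1))
    broker.request(req)
    self_ok = broker.approve("r1", "sales-rep")                    # blocked: self-approval
    early = broker.read_cap_table("sales-rep", "co-123", store)    # blocked: no grant yet
    ok = broker.approve("r1", "security-lead")                     # allowed: separate approver
    during = broker.read_cap_table("sales-rep", "co-123", store)   # allowed, and logged
    now[0] += timedelta(hours=2)
    after = broker.read_cap_table("sales-rep", "co-123", store)    # blocked: grant expired
    return {"self_ok": self_ok, "early": early, "ok": ok, "during": during,
            "after": after, "flags": suspicious_actors(broker.audit)}


if __name__ == "__main__":
    print(demo())
```

The point of routing every read through one broker is that the audit log is complete by construction, so a rule like `suspicious_actors` sees both the denied self-approval and the reads attempted outside a grant; a policy that relies on direct database access has no such log to query.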


It's not reasonable to trust companies, especially Silicon Valley startups.

They just have no idea about ethics or how to create an ethical company.


Related. Others?

Linear CEO alleges Carta mishandled sensitive cap table data - https://news.ycombinator.com/item?id=38899001 - Jan 2024 (36 comments)

Carta CEO's response to the unsolicited outreach to their customers' investors - https://news.ycombinator.com/item?id=38897363 - Jan 2024 (95 comments)

Carta doing unsolicited tender offer outreach to their customers' investors - https://news.ycombinator.com/item?id=38886915 - Jan 2024 (75 comments)


I have options on Carta from a prior employer that are going to expire in a few months because there's no buyer for them. If Carta is looking for some shares to trade without the owner's consent I wholeheartedly volunteer.


You probably know this, but commonly you can exercise options and keep the underlying shares past the original option expiry date. (Of course, you need the cash—and confidence in the business—to do this!)


The problem is that after paying the strike price to exercise and the subsequent taxes I'd be underwater based on their current FMV so it doesn't make sense to exercise them. Plus I have very little confidence left in the business.


So then why would Carta acquire underwater equity?


It was a joke.


But wait, taxes are only on the difference between strike price and FMV, so if it’s underwater you could take it as a capital loss and net out ahead!

/s


I thought Cap Tables were managed in an Excel file?


Excel is the old way of doing it. We use Google Sheets now.


when that's your source of truth you have other problems: https://arstechnica.com/gadgets/2023/12/google-calls-drive-d...


You call it a bug, I call it a novel way to reduce dilution.


Google Sheets can't model SAFE conversion; there's a cyclic dependency that only Excel can solve.


What's old is new yet again


Every Excel sheet is a unicorn waiting to happen.


Lawsuit, subpoenas, discovery. Someone is going to sue and all the truth will come out. I love when CEOs write stuff like this because you have them nailed if you find out differently.


And what will the damages be? Tort claims require a showing of harm.


Someone chooses not to invest, and you convince a judge they would have if not for Carta. You could make all sorts of theoretical arguments on damage amounts. All that matters is what you convince the judge of.


This is not how damages work. While the last sentence is kind of correct, it can also be applied to anything, making it pointless. I.e. you can equally say "Carta could make all sorts of theoretical arguments your lawsuit is bogus, all that matters is what you convince a judge of".

In this case there is literally centuries of precedent that will be followed or the judge will be overturned easily.

I have no idea why you are doubling down on a thing you appear to not know a lot about rather than just admitting you don't know. You don't learn things this way, and you don't look better to anyone who reads the comment.


My company got nailed by a judge in rural NY because someone suing us convinced him. The damages were absurd for the situation and based upon insane logic. It was cheaper to pay the judgement than appeal. Not sure why you think you know more than me, considering I paid it.


> nailed by a judge in rural NY because someone suing us convinced him

I'm not a lawyer, but I think that's how the legal system works.

> damages were absurd

> cheaper to pay the judgement than appeal

Seems like a contradiction.


It was a complex situation regarding a fintech SaaS and to appeal high enough to a court with actual expertise that’s not going to railroad us could have cost a lot. Plus our time and the chance the damages get worse.

All these legal eagles who think the courts operate with strict precision have no idea how things actually work. Hope everyone who has some glorified view of reality gets to actually pay for this beautiful system out of their own pocket.


I'm a lawyer?

I also lived in rural New York for years, and my ex-wife clerked for a judge where we were.

So I'm familiar with the law and most of the areas between White Plains and ~Rochester.

You are meanwhile complaining about a decision you didn't try to get fixed.

Why don't you share the case info and I'll take a look.


You mean someone chooses not to invest because your cap table is on Carta?


The root issue is that your cap table is a key piece of information and guarded zealously. If Carta is letting sales and marketing people access it, there is definitely a backdoor where connected people are using it for inside information - deciding who to invest and not invest in, inside information on competing VC firms, and likely actionable intel about acquisitions and corporate VC useful for insider trading.

Carta has a honeypot of extremely sensitive information. If they are loose on who has access and for what purpose, then I find it almost certain that well connected VCs are getting information out. Something like this going on for so long will have a paper trail. Given the money at stake it's likely someone is going to get the subpoena power and figure it all out.


Seems like a stretch of the imagination. VC funding is already bone-dry so there are about 1000 different reasons not to get funding as it is. VCs are only investing in strong conviction plays. I'm skeptical that an investor would have strong enough conviction to want to fund you and then back out if you use Carta and put that in writing as the sole reason for not investing.

Even then the onus is pretty big for demonstrating damages for lost opportunity rather than direct financial losses. For example, if you called your broker to put in a trade and they missed it and the stock 10x'd the next day, you're SOL even though there is a theoretical missed financial windfall. It's a different story if you asked them to close a position, they didn't, and then you lost money, since the latter actually has tangible losses as opposed to missed theoretical gains.


40k cap tables of VC backed companies in a variety of industries and verticals is valuable. If you sat in a room with this data for a few days I'm sure any smart person could think of interesting ways to monetize it. I believe this has occurred at Carta and the truth will come out, to Carta's detriment.


Someone should build an open-source version of Carta. I've been thinking about it for a while.


What problem would an open-source version of Carta solve? We use Carta and overall it's pretty good aside from the [very] disturbing problem reported here.

Carta ensures we have a clear record of equity positions in the company and correctly process standard types of transactions like distinguishing between ISO and NSO shares or correctly handle employees leaving that are important for regulatory compliance. We have to delegate certain types of transactions like changes to the employee share pool to our attorney. So it's not just a calculator. If you mess up these things it can expose you to shareholder lawsuits or problems with tax authorities.

That said I'm very interested in the specific details and how Carta resolves this issue. "Rogue employee" has been used as a convenient excuse in the past.


p.s. Reading some of the other posts referenced here it looks as if there may be a real issue. Thanks to OP for posting.


Not disagreeing with this premise, but if Carta were implemented the same way with open source, nothing about Carta being open would have stopped the events from unfolding. It was a cultural and behavioral decision to abuse the platform's trust that way, not a technology one.


I meant, make it open-source and allow self-hosting it. Have an encrypted database for the hosted solution.


hmm:

    Where CartaX and the cap table business converge is 
    if we match a trade in the marketplace, we go to the 
    company and ask if they will allow it.
Meaning: the company does not give permission or know that CartaX is trading in the company.

Asking the company about a pending trade means that two people who want to make the trade will be very disappointed, and will likely publicly complain that the company is blocking them, throwing doubt on the company.

This in turn forces the company to approve the transaction and permit the market, notwithstanding the adverse incentive effects on options/grants. Any approval of one transaction would raise scrutiny on any denials. Even the opportunity to bail cuts against the notion that people are in the same boat together.

A good company doesn't just "do no evil". A good company ensures its interests are completely aligned with their customers, so there will be no forces pushing them to take advantage of their customers.


Does Carta still have a free tier? I've used it and I didn't pay for it so at some point it must have. Back then, I simply input information as investor_1, founder_1. There's no reason to give that data to Carta. Anyone that asked, I gave them the mapping.



terrible replies by Carta CEO especially in light of their layoffs


After reading some more details I'm confused why this is a big deal. Creating deal flow for the secondary market involves connecting buyers and sellers and then requesting approval from the board; the board can exercise ROFR if they don't approve the sale. The customer feels betrayed because they didn't give their permission to connect buyers and sellers?


It's a breach of client confidentiality. The cap table is confidential customer data and they are handing that over to their sales team to hunt for business.


I clicked on the link thinking it was about parasitic extraction and capacitance tables; referred to as "cap tables" in industry for circuit design. I was very disappointed.


I knew it was capital tables, but I do think we’re the only people in this thread who have absolutely no idea what’s going on. Sure sounds scandalous though.


I still have no idea what the company is. (Is it an accounting consulting?) There's a post up there with the context, but I lack context for understanding most of it.

But, anyway, it's not an interesting optimization algorithm that limits all kinds of values in all kinds of ways, so I'm not digging any further either.

(And yeah, I know what capitalization tables are too. I even have had to build ingestion software for some once. That shortening of the name is really confusing, but looks like it's standard.)


Different kind of parasite.


All this has done is convince me that I will never be a Carta customer.


Ironic to see tech bros be all riled up about misuse of their own data while playing fast and loose with customer data has been the norm and is considered normal practice.

Every one of their websites has multiple trackers that have access to the whole page’s JS context and the vendor could have the same “policy violation” and impact their customers (being generous and assuming that stalking customers isn’t the primary policy to begin with).


Honestly, this was also a very poorly written message.

"I will think about this and come back with more thoughts in the coming months."

"I’m sorry for scaring everybody about this."

what?


A complete tangent, but I didn’t hear a single mention of accounting. Not on the financial side nor more importantly, the managerial side.

This industry is literally just throwing darts at a wall.

Capitalization is just one kind of account. What does it have to do with employee effectiveness?

The very services offered here are not giving good information to administrators about how a company is actually functioning.

Everyone is focused on looking at the rear view mirror when they focus on financial accounting. EBITDA is a nonsensical metric for internal accounting. Managerial accounting is forward looking and must be done in order to make proper financial projections.

Take a look at the financial projections from 2021 and 2022. They are completely detached from reality. This is obviously why the entire industry had layoffs. The chickens came back to the roosts as investor realized the projections were bogus. Yes, cash flow is king, but again, that’s historical information. You cannot make meaningful predictions in this manner!

Productivity plummets when you take half your engineers and make them part of the interview and hiring process. Then it takes at least 6 months for a new hire to be productive, to understand the code base, to understand the domain of the product and how it fits into the market.

Like, either go back to waterfall if you want administrators to handle all of the non-engineering because you absolutely need engineers who are aware of the domain.

Have you ever seen a spec that was fully fleshed out and didn’t require developers to fill in a lot of blanks? What kind of employee is better at filling in those blanks than those that have been around for awhile and understand why the product exists?


This feels like too far of a tangent.

> Capitalization is just one kind of account. What does it have to do with employee effectiveness?

If you want to have a company with shares, and sell them to investors, you need to keep track of who owns your company. As you get bigger, it becomes painful to keep track of in Excel. And there's a lot of regulatory requirements to meet, too.

Keeping track of your cap table is useful and required. I'm not sure why a vendor of cap table software stumbling opens a discussion of why accounting today is (allegedly) not very useful.


> We can use cap table data to help us improve the software or customer experience.

You’re right! For example in the above I interpreted it as a service they offered, not as a means of improving their own product. There were a few more instances where I misread it as a service being offered and not for internal means.

So yes, too far of a tangent. I was acting as if they were offering services meant to improve the internal processes of other companies and that cap tables have basically nothing to do with that.

As for managerial accounting, have you ever seen it in practice at a tech company? Has a manager ever tried to measure the cost of rapidly expanding a workforce? Or the cost of excessive meetings? Or the cost of poor architectural decisions? Or the cost of moving from one perfectly acceptable programming language or framework to another, more trendy option? Or the cost of having multiple programming languages across the organization?

If you read financial reports you will consistently find internal accounting practice based completely on financial accounting. And EBITDA is a very questionable metric for financial reporting over GAAP. There's a trade-off with accounting. Is there a level of detail where it costs more than it saves? I'd say the tech industry as a whole is very far from that point. There's basically no detail and no understanding from administration about the actual state of the business.

Berkshire Hathaway has been so successful because they don't give a shit about Wall Street projections and actually go and talk to management and walk the floors of the factory.

The tech industry relies completely on moon shots.

Massive digressions! But yes, I completely mistook parts of the article and was clearly more interested in standing on a soap box!

But I’m not wrong, either! :)

