Werd I/O

Known is my second open source startup. I've spent over a decade working with free and open source software, and have been producing it in a startup context for most of that time. I've had a lot of time to think about the realities of doing this.

I believe that free and open source software is important for both social and technical reasons. In this post, I'd like to explore the implications for running an end-user open source software project from a startup business perspective.

What is free and open source software?

First, let's back up a second and talk about "free software". This was defined by Richard Stallman as giving you the following four freedoms:

• The freedom to run the program as you wish, for any purpose (freedom 0).
• The freedom to study how the program works, and change it so it does your computing as you wish (freedom 1). Access to the source code is a precondition for this.
• The freedom to redistribute copies so you can help your neighbor (freedom 2).
• The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

Note that "free" refers to "freedom", and doesn't necessarily mean "free of cost". However, this is not immediately obvious to newcomers. "Open source", in contrast, is purely a development methodology rather than a social movement. Because of that, and because the wording is unambiguous, I prefer to use this term. There's a lot of disagreement on this, and my preference shouldn't be construed as me prescribing this for other people.

Why is free and open source software desirable?

Free and open source infrastructure software - things like Linux, the Apache Web Server, OpenSSL and so on - have allowed for highly functional server stacks that aren't limited to a single vendor. Here's a slightly unfair way of looking at it: while Windows Server and similar products are Lunchables, where the whole stack is made by the same group of people, Linux is a picnic, with lots of individual ingredients provided by different organizations that add up to a richer whole. Each ingredient does one thing really well; the jam is really good jam, the cheese is awesome cheese. And because everyone gets the list of ingredients for each item in the picnic, you know that the jam and the cheese don't contain any nasty surprises. With the Lunchables, not so much.

Maybe my analogy needs work. But while free and open source software is particularly suitable for infrastructure software, it has broad implications for end-user software, too.

By end-user software, I mean products that non-technical people will use directly. WordPress is probably the best example: 23% of the web is made up of WordPress sites. Elgg, the social networking platform I founded, is another. Ghost is another, more recent example. And finally, Piwik, the self-hosted web analytics library, is one more.

What if I told you that only one of those projects was a traditional tech startup? And it's probably not the one you're thinking of.

The structure of open source startups

A common misconception is that Automattic, the company founded by WordPress cofounder Matt Mullenweg, is also the company behind WordPress. It's not. WordPress is a non-profit foundation, while Automattic provides the hosted WordPress.com service, as well as anti-spam tools, analytics and other centralized functionality.

Ghost, which was founded by an ex-Automattic employee, is also a not-for-profit organization. John O'Nolan explained his rationale for this in a blog post, where he clearly backs the social movement side of free and open source software:

The point of Open Source is to promote furthering technology for the entire world by not locking down software with patents and charging millions for them. The point of Open Source is that shared technology is better than closed technology because it has so many more people working on it. The point of Open Source is that the software you create benefits not just yourself, but many others - and in return you receive the same.

[...] I wanted to make it completely clear that Ghost is about making great software. I own 0% of the company. Hannah owns 0% of the company. According to our legal documents of incorporation, neither of us can pay ourselves enormous tax-free dividends. Just normal, taxable salaries.

Elgg, the open source social networking platform I cofounded, is also now a non-profit foundation.

Piwik, meanwhile, is a startup, albeit one that was founded significantly later than the project. They're a distributed company, with headquarters in New Zealand and Poland.

Why end-user projects are different to infrastructure projects

Over 80% of Linux kernel patches are written by corporations that use Linux, either as part of the infrastructure that serves their products (e.g. at companies like IBM), or as part of Linux-based end-user projects like embedded devices and Android phones.

By definition, end-user projects are the product, rather than a building block that becomes part of the product. There are far fewer levels of stakeholders downstream from the project to contribute to it, both monetarily and in terms of code patches.

This, however, is not to say that there are far fewer stakeholders overall. For example, there are plenty of people who use WordPress - it powers 23% of the web, remember? There are hosting service providers, web shops, and consumer users who depend on the software. This may represent a less technically-savvy base of people, but it may also be greater in terms of raw numbers.

Creating a self-sustaining project clearly demands a different strategy - particularly if the open source project is going to serve as the core of a startup.

What startups need

Startups need to be more than self-sustaining: their engine is scalable revenue.

In other words, revenue for a startup needs to have several properties:

• It needs to be recurring
• It needs to be able to grow non-linearly with the team (in other words, revenue isn't tightly bound to team size)
• It needs to be subject to experimentation (the startup needs to have freedom to run experiments around pricing, features, angle, and virtually every aspect of their business)

Where is the intersection between this and the four freedoms we discussed at the beginning? That's where an open source startup needs to operate.

Services

One of the first things you learn as a startup founder is that professional services should be avoided, because they're not recurring, and they're not scalable. By professional services in this context I mean customizations, consultancy contracts and so on. They're clearly tightly bound to the size of your team. It can be interesting to offer these services in the beginning in order to learn more about your market, but you need to be careful, because it will stunt your ability to grow quickly.

This isn't to say that it will completely stunt your ability to grow. After all, professional services are the classic open source business model: offer consultancy and support. It's essentially what Red Hat has made its billions on (at the time of writing its market capitalization is $12.77B). But it flies in the face of the startup model where you build something that will rapidly expand.

So let's look at Automattic, which was valued at $1.16B after a round of funding last year. How have they grown?

While Automattic isn't directly responsible for the WordPress open source project, it is directly responsible for the WordPress.com hosted version. The bulk of its revenue comes from premium subscriptions. It does also provide a professional services "VIP" offering for high-value customers. To augment its income, it created an advertising network, and the company was actually founded to provide anti-spam services.

It's a smart mix: a lot of people don't have the expertise or resources to maintain code on their own servers (by way of example, around 10% of Known sites are self-hosted, while the other 90% are on our service). But even if they do, they can certainly use the Akismet anti-spam service, and because Automattic employs many members of the core WordPress team, high-value customers like the New York Times can use their expertise to get the best possible performance out of the platform. Perhaps most importantly, running a service allows platform developers to more quickly learn from its users.

By providing services to self-hosters, Automattic avoids a common pitfall with open source startups, where the most engaged users - the people who really, really care about running the project, and the principles behind it - are the ones who bypass the company entirely. The freedom of the WordPress open source project is not compromised, and all of the services are additive to the overall WordPress ecosystem. Anything that helps WordPress helps the company, and vice versa.

While Ghost is a non-profit, it provides similar services to WordPress.com. Similarly, Piwik Pro is a hosting service for Piwik. And, of course, WithKnown.com is a hosted platform for our open source Known software. (You should try it!)

Free as in free

While the principles of freedom that underly free and open source software are strong and important, it's also fair to say that many people choose it because it's cheaper. Freedom from lock-in also implies a freedom from recurring license costs. WordPress is arguably so popular today because its competitor, Moveable Type, decided to impose a licensing charge a decade ago, prompting a mass exodus.

It's hard to charge for end-user software, whether it's open source or not. Non-free platforms tend to get away with this by running advertising - and in fact, even WordPress.com runs ads on free sites for non-logged-in site visitors. A lot of open source campaigners are also pro-privacy, and don't believe in the invasive tracking that modern targeted advertising typically uses. Yet, at the same time, they often won't pay to use a platform, which obviously leaves the startup in an interesting bind.

Of course, if a platform is free and open source, you have a choice of where to run it. WordPress.com isn't the only place where you can get a hosted WordPress blog, so if you don't like their advertising policies, you don't have to use them. It could be argued that choice gives Automattic an ethical get-out clause: if you don't want advertising, go ahead and host your blog elsewhere or pay a subscription fee. When we ran a customer survey a few weeks ago, a fair proportion wanted us to run ads on the platform. So far, we have chosen not to do this.

Free software is a social movement, which is sometimes seen as being in line with anti-capitalist movements. If you have chosen to run a startup, you are probably a capitalist: you've chosen the route of revenue growth and creating business value. I believe that this is compatible with having strong social values (which I believe I do), but many people disagree. Ultimately, as a founder, you have to accept that you won't be able please everybody, and you have to be able to pay the people who work for you. Luckily, with open source software, everyone who runs the platform has a choice about who to run it with.

There is power in a movement

I do think that making your software open source gives your users more control and power, while allowing you to build a high value, scaleable business. It also more easily allows you to create an ecosystem around your software, allowing other people and companies to make money out of it too (potentially leading to even stronger growth). The trick is being aware of what open source entails, and what the implications are for your business, but you can absolutely build a high-growth, ethical business. We're on our way.

I enjoyed this episode of This Week in Startups with USV's Fred Wilson. It's a fairly candid conversation from this year's Launch Festival, and Fred comes across as having both integrity and a very practical approach to investing in startups.

The story that jumps out at me is that of Tumblr's acquisition by Yahoo!. There are two important details: the first is that Tumblr's initial investment round was less than a million dollars. The second is Fred's disclosure that the acquisition happened at a time when Tumblr had spent a lot of money on growth, and would have to either raise a huge round to make up the shortfall, significantly diluting the existing shareholders in the process, or raise unrealistic amounts of revenue. So selling to Yahoo! for $1.1 billion made sense for them.

There has been a great deal of backlash against venture capital in data ownership circles over the last year. Certainly, VC money gravitates towards a certain kind of company strategy, where designing for extremely rapid growth is a hallmark, and a profitable exit - either to IPO or acquisition - is desired. Rapid, sustainable growth is very difficult to achieve without a budget. It also overwhelmingly leads to strategies like revenue through advertising, where user growth isn't hampered by having to pay to use a service. Advertising is often criticized for requiring people to give up some personal privacy so that advertisements can be more targeted, and therefore more valuable to the service.

I think it's worth considering that services like Tumblr, Twitter and Facebook have also connected us and become a part of the cultural landscape in ways that wouldn't have been possible if people had needed to pay for them. Assuming that everyone should pay for a service is not realistic if you want to build a global community. Again, a resource-strapped startup is also more likely to see slower growth than one with millions of dollars in the bank: their box of tricks is necessarily more limited.

If you're opposed to this kind of financing, it's worth asking: would you pay for Tumblr, or Twitter, or Facebook? If not, why not? How many services do you actually pay for?

Venture capital isn't the only way. Notably, O'Reilly Alpha Tech Ventures created Indie.vc in order to explore a more revenue-centric funding model (and I hope more will follow). But I do think VC is a legitimate funding tactic for a particular kind of highly-available, free-to-use mass-market tool, and it seems to me that whether it has a detrimental effect on a startup's service has more to do with the individuals at the startup, and the personalities of the VC investors they choose, than the model as a whole.

In today's climate, it's important that we secure communications with our servers. For example, if you're on open wifi (at a coffee shop, for example, or at a conference), it's trivial to steal the unsecured logins of the people around you. Using secured connections also helps protect against people monitoring your communications further up the chain, at an infrastructure level. In the era of the Snowden revelations, protecting your privacy is an obviously good idea - but there is also an immediate practical value in preventing people from stealing your passwords and credit card details, too. Security is so important that Google recently said that they would rank secure sites higher in their index.

But it's so hard to implement that today, most peoples' websites are nowhere near secure - and it's the technology's fault.

First, let's talk about secure websites work.

Here's a summary version.

When you visit a secure website, your browser and the site's web server discuss which secure encryption protocols and algorithms they both support. The server also sends your browser a security certificate, which contains the website address, as well as details about a central certificate signing authority that can verify that the certificate is authentic. The certificate is cryptographically signed by the digital signing authority. Every browser comes with the cryptographic keys of all the major certificate signing authorities, which it uses to verify the certificate's authenticity. Only once the secure protocols have been chosen and the certificate is verified as being both authentic and for this website does the page load.

Even the summary is kind of technical, so if your eyes glazed over, just take away these two things:

1. Secure websites are only accessible if they have been certified by one of a handful of central organizations, and the certificates contain the address of the website they pertain to.
2. There are lots of different algorithms that can be used to secure the traffic between your web browser and the website, and some of them are more secure than others.

So how do I secure my website?

Let's back up a little bit. Here's how a lot of people create their websites:

1. Sign up with WordPress.com or Squarespace (or Known Pro, of course!)
2. Pay for a custom domain name

If they've chosen to self-host, here's how most individuals create their websites:

1. Sign up for a shared host like Dreamhost or Fasthosts
2. Click on their server control panel to install WordPress or Known

I mean, it could be easier, but it's short of being an ordeal, right?

Meanwhile, here's what you have to do if you want to install a secure certificate to make sure your self-hosted website uses encrypted connections:

1. Log into your server using an SSH terminal
2. On the command line, create a certificate signing request by following the command-line instructions for your particular web server
3. Specify a cryptographic key of appropriate length (don't know what that is? too bad)
4. Enter your address details on the command line
5. Open the certificate signing request file
6. Copy and paste the contents
7. Go to a certificate authority website
8. Click to buy a certificate for your domain
9. Paste your certificate signing request
10. Download the certificate and what are called the certificate chain files, which describe to the browser how to validate the certificate
11. Install them on your server, probably using command line tools
12. Make sure your server is set to use strong encryption algorithms in its configuration files
13. Check your website's security score to see how well you did

To be fair, some hosts, like DreamHost, take care of many of these steps for you. But it's still not easy.

And as far as using SSL on custom domains on managed services like WordPress.com and SquareSpace? Here's the truth: you can't.

Why SSL is hard for custom domains on managed services

Remember when I said that the certificates were issued for a domain? Multi-domain certificates can also be bought, but in all cases, the domains have to be specified at the point when you buy the certificate. If you already know you have 50 domains that you want to secure, then that's great - but if you're providing a service where you know you want to secure domains you will host in the future, you're stuck. You would need to request and buy a new certificate for every new domain, or do it in batches.

Because each certificate needs to be separately requested and installed, this is a hard process to automate. To make matters worse, most virtualized server environments - for example, Amazon Elastic Beanstalk - only support one SSL certificate per instance. That means you've literally got to set up a new clone of an application environment every time you want to support a new SSL domain.

That's unsustainable, and because most services like WordPress.com and SquareSpace use these kinds of virtualized environments so they can add and remove servers to cope with changing demand, they have trouble supporting secure websites for their custom domain users.

We need security, so it needs to be easier to deploy

Security is vital. A clue that it isn't easy enough are those website security scores: a letter grade for your website that describes how secure it is. I've seen engineers ooh and aah at sites that managed an A+ grade.

If we want everyone to use this kind of security, it needs to be totally brainless. Trusted encryption needs to be there by default in every web server and adding new domains programmatically needs to be simple.

The certificates are also difficult because they are trusted by central authorities - which themselves need to be trusted. Not only is the secure web cumbersome to maintain, it's actually potentially insecure. We have certificates to prevent against man in the middle attacks, but maybe there's an alternative? Could the blockchain help, for example?

There's no dispute that you should secure your site, and you should strive to use secure sites. But it's difficult. You'll note that at the time of writing, I haven't secured my own site yet (although the Known service does use secure connections). I don't think the existing technology is cutting it, and to protect all of our security, we need to find something new.

"The thing about alternative people," a coworker once said to me, many jobs ago, "is that they act like the mainstream isn't good enough for them. It's like they're saying they're better than us." He was talking about a receptionist at our office, who was kind of off-kilter, but not at all unprofessional. He didn't like her.

I think about this conversation a lot.

I like "alternative people". With all due respect to everyone else, they're my favorites. For me, the people who are off at an angle to the rest of the world are the most interesting. People who think differently and see things differently are more likely to arrive at solutions and ideas that everyone else can't. They're opinionated. They make more interesting art. They're better engineers. They find new ways to live. They don't give a shit about fashion or traditional success, or whether challenging the status quo is offensive. They are, by definition, more creative, because they're not following the herd.

I look up to them. For one thing, I do kind of think that mainstream culture isn't good enough. It shouldn't be good enough for any of us. Traditional ideas around things like gender roles and sexuality have a potent power to oppress; correspondingly, choosing not to adhere to them, or to give them respect solely for being incumbent, is a kind of empowerment.

As Winnie Lim wrote in a wonderful piece recently:

It takes courage to be ourselves, it takes a lot of hard work and self-awareness. But we are continually building a world that other people live in, that means at every step of the road, we need to continually ask ourselves, what kind of world do we want our kids to live in? Do we want a world where they have to disown their beautiful personalities just to fit in our idea of what it takes to succeed? That it is celebrated that we spend our formative years disowning who we are?

The thing that bugged me most of all about my colleague's comment is that we are all "alternative people". at least to some extent, with individual desires, histories, interests, skills and contexts, which bind together to help us become who we are. Our lives are unique tapestries woven from those threads. For everything we have in common as humans, there is so much variation between us, too, and I don't think there should ever be pressure to present as "normal". None of us are normal; we all reveal our true selves to different degrees. That's awesome.

People are amazing. The only reason to try and homogenize them is so you can dehumanize them: make neat little demographic groups that allow you to sell to them, or count them, or process them, or some combination of all three. It's an abstracted model of the world for marketing purposes, and it shouldn't be how we interact with each other in real life.

Facebook is, in many ways, like my old coworker. By insisting on legal names, they are saying that we all should present ourselves using one set of rules, regarless of our desires and contexts. What's good enough for upper middle class white kids from Palo Alto, the thinking goes, should be good enough for everyone else. The same goes for the kinds of content you can post, or how you want your profile to look.

But look: if you want the page that represents you to the world to spin around and have pink sparkles with a Carly Rae Jepson song that autoplays on load, why shouldn't you have that? It's your profile. Here's a hint: your social profile design is optimized for advertising and site engagement, not your own self-representation. Here's a follow-on question: why can't you post breastfeeding photos on Facebook? Could it be that advertisers object?

The world is much richer than the things that sell ads, but this isn't just a post about why an independent web is a good idea (although it is).

I'm lucky to have friends who very much are themselves, and who believe in diversity and not just tolerance, but proactive kindness. I'm lucky that I was raised by people who shun traditional norms and have spent their lives thinking about better, fairer ways to live. Collectively, they're my role models and my inspirations. And more than anything, I hate the idea that it might be acceptable to judge someone who - like so many of the people that I love - has chosen to present themselves as different to you.

Being different is, in my world, something to be celebrated. Cherished, even. It's what makes us human. Correspondingly, to force someone to deny their identity is to deny them a piece of their humanity. As entrepreneurs, as citizens, engineers, designers, businesspeople, whatever we are - let's maybe try not to do that.