Dismantling A Dream: What Happens When Startups Fail
The emails from Know About It stopped coming at the end of March. A few weeks later, I received a message from the site: "What happened to KnowAbout.it?" the subject line read. Exactly what I'd been wondering.
The service, an aggregator of social media updates that promised to highlight any titillating posts I may have missed, had shut down.
My puzzlement over Know About It's disappearance gave way to even more questions: What happened to all my stuff? When I signed up, I'd given the site access to my Facebook and Twitter accounts, my social circle and my inbox. Was that information about me going to be deleted? Stored somewhere? Sold?
As it turns out, many of the entrepreneurs who create — and close — these sites are also hazy on the details concerning where our data goes when their dreams die. And that's troubling for anyone who's ever entrusted a site with personal information, whether it's party photos, snarky status updates, email addresses or location data.
"I hate to say that I'm sort of unsure where the information is," said the founder of a site that will go dark later this summer. Nearly 100,000 users shared their usernames, passwords and email addresses, among other information, with the company. "I know it's safe, but I personally don't have it. "
"It's an opaque situation," added the site's founder, who requested anonymity for fear of a damaged professional reputation. "I don't know how often people want to say exactly what happened."
We noisily celebrate the birth of a new web service by showering it with articles and attention, then often look the other way when it shuts down, letting it fade from memory and assuming the company will do the right thing with our data. Three quarters of all funded tech startups, including medical device and clean tech firms, as well as web companies, end in failure without returning investors' capital, according to Harvard Business School lecturer Shikhar Ghosh.
But while the site itself vanishes, our personal information isn't necessarily disappearing with it. Often, that data still lives on laptops belonging to people we've never heard of or is uploaded to sites we've never seen.
Several entrepreneurs said that after shuttering their sites, they had stored backups of databases filled with email addresses, usernames and encrypted passwords on their personal hard drives or computers. That's a far cry from the approach advocated by security experts, who recommend destroying any and all data.
Serial entrepreneur Chrys Bard admits that he kept user data collected from a past site on a hard drive that he has since misplaced.
"To be honest, I don't know what happened to the hard drive because I moved a lot and it's a pain to keep track of all that stuff," Bard said. "I think that everyone takes privacy and people's information pretty seriously, so even though an entrepreneur might have done things that are frowned upon, like downloading a data backup on a computer, people are sensitive to what that information means. When you're a startup, you gotta do what you gotta do to get off the ground."
The creator of a now-defunct social networking site that attracted more than 30,000 users now stores the users' email addresses and login information on his laptop. He has a single safeguard to ensure that the data doesn't fall into the wrong hands if the device is lost or stolen: The computer is password protected.
Sandeep Ayyappan, founder of news aggregator myCirqle, which closed in May, also said he planned on keeping the contact information his company collected. His rationale, one echoed by other startup CEOs, was "why not?" Saving the data is virtually free, and the information could come in handy in the future, he noted.
"I think part of what we've learned about this process is you never really know," Ayyappan said. "We don't know how things will shake out so you never know why you might want to or need to reach out to users again."
An alternate answer to "why not:" User information could be lost or stolen, giving a stranger access to tens of thousands of email addresses – or even more incriminating details -- that could be sold or spammed.
Cheryl Yeoh, co-founder and CEO of CityPockets, which announced plans to shut down this month, argues that shuttered sites lose claim to anything collected from their members. Users provide personal data in exchange for access to a service, and a startup should relinquish that data when it stops providing the service, she said. CityPockets has promised to erase all of its records by June 30.
"I think it's a violation of user privacy to continue storing email addresses if you tell users your service is shutting down," Yeoh said. "I sign up for a service, and if you're no longer providing that service, why should you keep my information?"
Just as websites have become easier to put up, they're now easier than ever to take down, and personal details can be forgotten as quickly as they were learned. Many startups store user information on remote servers rented from companies such as Amazon and Rackspace. Amazon begins securely deleting data from its servers the instant a company cancels its account, a spokeswoman confirmed.
When a site dies, all of its user data should die with it, argues Sophos security expert Chet Wisniewski. Once information is out of users' hands, however, the users may have little recourse to ensure it has been deleted.
"Once you've given information to people, it's up to them to decide what to do with it," Wisniewski said. "The most sensible thing is to securely destroy it all, but I have a sneaking suspicious that practice is uncommon."