Trading places
Carta tries to make an exchange.
Name this company:
X1 runs an internet service that asks people to share a bunch of private information with it. There are lots of ways X might do this: It could help them answer sensitive questions about their health, for example, or it could make it easier for them to manage complex spreadsheets about their finances. Though this sounds like a hard thing to convince people to do—“hi, we’re a new startup, please type your most important secrets into this box”—all it really takes is a creative design, a quirky commercial, or a buzzy partnership, and thousands of people will connect their email accounts, sync their credit card purchases, and stream by-the-minute vital signs directly from their wrists into some anonymous corporate cloud. X did this better than most, and convinced a lot of people to share things with it.
Next, X makes a big show about how much they care about their customer’s privacy. "When you use our services," X might say, "you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control." The assurances work. People feel good about X; X isn’t evil; X is committed to its customers.
But then, after X has collected lots of private data, X sells it. But it doesn’t sell it directly—that would make X seem like a liar, because of everything it said about privacy and trust and responsibility. Selling data might also violate X’s own terms of service, though X is careful about the promises it makes. “We don’t share customers’ personal information without their consent”, its privacy policies could say, “but we do provide that information to our affiliates and other trusted businesses or persons.”
So, instead of selling data outright, X builds a kind of matchmaking service that allows third parties to transact with its customers. These third parties submit bids to X about the kinds of people they might want to sell something to or buy something from. When X gets a bid, it looks through all the secret information that its customers shared with it—information about their finances, or health, or whatever—to see who might be most interested in what the third party is offering. X sends all of the good matches an enticing email about the third party’s proposal. “We have a firm offer we thought you might like to see,” X tells them. Though X takes a cut of the transaction, it says its goals are more noble than that: It wants to make markets more effective, more efficient, and more useful.
So who is X?
I mean, obviously, it’s Carta, which was the main character in Silicon Valley last week after getting exposed for running exactly this business. To quickly recap, Carta is the most popular way for startups to manage their capitalization tables, which are complex—and confidential—legal documents that keep track of who owns company shares and on what terms.2 Startups struggle to manage these documents on their own; if you pay Carta a modest annual fee, they’ll do it for you.
The data in these documents, however, represents another opportunity, for both Carta and its customers. The market for startup shares is illiquid and opaque—if you are an investor, it’s difficult to buy shares in hot private companies because there you don’t know who might be selling and at what price; if you’re an employee or an investor that owns shares in a startup, you don’t have an open market to sell them on. As a result, private companies’ shares trade on decentralized secondary markets that are more akin to Facebook Marketplace than Fidelity—they’re like auction houses for collectibles, where the marketplace only knows about the occasional shares that are listed on their exchange.
Because of its successful capitalization table business, Carta has access to much more complete market data—they know exactly who owns shares in thousands of startups, and what they paid for them. In theory, they could use that data to create a more efficient marketplace that’s better for everyone—better for buyers, who get more reliable prices; better for sellers, who get easier access to liquidity; and better for Carta, who can take a cut of every transaction. So, three years ago, Carta created exactly this sort of exchange, under the banner of exactly this sort of mission.
(Carta)X
This week, almost overnight, Carta shut it down.
The marketplace, called CartaX, was undone by one bad email exchange. Sometime recently, a third party reached out to Carta to buy shares in Linear, a popular startup that builds issue-tracking software. Linear is (was?) a Carta customer, so Carta looked through Linear’s capitalization table, found some shareholders who might be interested in selling, and sent them an enticing email about the third party’s proposal. “I’m reaching out because we have a firm buy order,” Carta said, “but might be willing to flex higher.” One of those emails was forwarded to Linear’s CEO, who, quite reasonably, did not like it, and posted about it on Twitter and LinkedIn.
Silicon Valley went berserk. Part of the problem was about control: Startup boards typically want to approve secondary stock transactions like the one that Carta was trying to facilitate. By directly reaching out to shareholders instead of Linear’s board, Carta was undermining Linear’s ability to control who buys and sells its shares.
The bigger problem, however, was about trust. Carta’s customers trusted it with highly sensitive data, and Carta used it to make money. Even if the Carta’s terms of service technically allow them to do it,3 the exchange breaks the spirit of Carta’s promise to “earn [their] customers’ trust through every decision that we make.”
The lesson from all of this, it seems, is the obvious and ethical one: Don’t sell your customers’ secrets! You might get sued! And even if you don’t, people will be very upset, it will go horribly wrong, and you will have to shut down the entire business.
X(.company)
Or, you’ll become the fourth most valuable company in the world? Because X is also Google?4 Like:
Google runs a search service that asks people to share a bunch of private information with it. Google makes a big show about how much they care about their customers’ privacy. "When you use our services," Google literally says, "you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control." People feel good about Google; Google isn’t evil; Google says it’s committed to its customers.
But then, after Google collects lots of private data, Google sells it. Not directly—Google says that it does “not share your personal information” without consent, though it’s careful about the promises that it makes. “We provide personal information to our affiliates and other trusted businesses or persons,” the privacy policy says.
Instead, Google sells its customers’ data through an advertising auction house that matches third party sellers with Google customers. These third parties submit bids about the kinds of people they might want to sell something to, and Google looks through all the secret information that its customers shared with it to see who might be most interested in what the third party is offering. Google sends all the good matches an ad—and sometimes puts an enticing email directly in their inbox—about the third party’s proposal. “We have a firm offer for a deal we thought you might like to see,” Google is basically saying, every time it shows an ad. Though Google takes a cut of the transaction, it says its goals are more noble than that: It wants to make markets more effective, more efficient, and more useful.
Of course, some people get upset about Google doing this, and search engines like DuckDuckGo exist to give people an alternative to Google. But relatively few people use DuckDuckGo, and we’ve all kind of collectively accepted that it’s ok for Google, and hundreds of other companies, to sell private information about us on advertising exchanges.
Is Carta really that different?5 Though nobody disputes that Carta was wrong to sell around Linear’s board, why is Google’s matchmaking business seen as a fundamentally legitimate one, and Carta’s as fundamentally unethical?
Both collect data through a kind of sleight of hand, by providing an adjacent—and independently useful—service that convinces customers to share information with them. Both are marketplaces where those customers remain anonymous to third parties unless the customers opt in to third parties’ proposed transactions. Both exchanges are built on extremely sensitive data, and it’s at least arguable that Google search histories are more sensitive than capitalization tables.6 Both have more information than any one buyer or seller, but there’s not any real evidence that either uses that advantage to front-run trades or manipulate prices.
The difference, it seems, is actually mostly in the optics of how the exchanges are run—and specifically, in the optics of how involved people are in running them. I get a little creeped out when Google serves me a highly-targeted ad about the thing I was just talking about. But I would probably call the FBI if I got an email from Jack Cantwell, Search Client Specialist, saying that he’s been reviewing my internet records and wanted to let me know that he has a firm sell order for two Guts World Tour tickets from a Google client that I might be interested in.7 Though Google the company is basically doing the exact same thing in both cases, Jack the person is not. And when it comes to privacy and trust, we don’t seem to mind putting all of our secrets in some faraway company’s filing cabinets. But we very much mind when someone at that company opens them.
Which makes me wonder—had Carta’s emails been automated notifications about new buy orders, would the story have blown up the way it did? Usually, people like real emails from other people more than they like marketing emails from DoNotReply@buynow.com.8 But they probably don’t like emails from other people when those emails are about stuff they thought was private. We want those emails to be from machines, sent discreetly and automatically. We want our ads to be delivered to us by an algorithm, not by Jack.
The irony in all of this is that Carta’s emails may well have been exactly that. The personalized touches in most cold outreach emails are just a sales tactic to hide the fact that they’re automated, templatized to appear handwritten, and sent out by thousands.9 The emails Linear’s shareholders got could have been triggered by a bid for shares, generated by some email marketing tool that made them look like they were written by a senior member of the “Investor Coverage Team,” and shotgunned out to the Linear shareholders who were programmatically determined to be likely buyers. Though those emails still would’ve been a mistake—they should’ve gone to Linear’s board, not its shareholders—the issue then would’ve probably been more about how CartaX is careless with customer data, and less about how CartaX is unethical and shouldn’t exist. But now, because the emails seemed to come from a sales rep prospecting through companies’ capitalization tables looking for deals, Axios is asking questions about rogue employees, systemic accessing of cap table information, and investigations and audits.
For better or for worse, privacy and trust are probably like that. It matters how they look as much as how they work. The difference between Google and Carta may not be so much in how they manage their exchanges, but in how they manage how their appearances. Carta was careless last week, and changed how people saw CartaX because of it. Now, they’re killing CartaX, in hopes of saving how people see Carta.
An eye for an eye. It’s fitting, I guess, that that’s the final exchange on CartaX. It always was about the optics.
Carta, again
I'm neither qualified nor organized enough to have a list of startup laws, but if I were, the first law would be “your startup won't make it to step two.”
We’ve talked about this a few times before:
It’s not uncommon, in early stage fundraising decks, for founders to pitch their first product as a stepping stone to a bigger one. We’ll start with building a simple alerting service for monitoring when your brand gets mentioned on social media, they might say, but we’ll use the data we collect to build an AI-powered ad platform. We’ll launch as a data catalog, and use that as a wedge to expand into our true vision as an end-to-end data lifecycle management application. We’ll begin an office leasing agency, but eventually harness the energy of we to elevate the world’s consciousness.
This doesn’t work, I said, because most “companies spend their entire lives trying to finish part one.” The wedge is usually hard enough to build on its own. Step two is often the mirage on the horizon of step one’s infinite desert.
Carta proved the premise wrong—but still proved the theory right? Since its founding in 2013, Carta’s capitalization table product was supposed to step one. “Building the Nasdaq for private markets” was the real goal, and the marketplace was step two.
Somewhat remarkably, Carta actually found the end of its desert. They built a capitalization table business that makes $250 million a year, and is (was?) the clear market leader. They were poised, it seemed, to make the exchange.
But step two was undone by step one’s success. Though the capitalization table business was a great economic and informational launchpad for the CartaX, it was an anchor for the brand. Customers felt betrayed by the marketplace, because they saw it as a violation of what they believed Carta stood for. And Carta couldn’t trade a $250 million business for a $3 million one—which was CartaX’s revenue—no matter its potential. For CartaX, the only thing worse than step one failing was step one succeeding.
For other startups, the lesson, then, is still the same: Don’t plan on making it to step two. If you want to build an exchange, build an exchange. If you want to build a back office capitalization table management business, build a back office capitalization table management business. But if you only want to build the latter so that you can eventually build the former, don’t. Because if you walk through the desert long enough to reach the end of it, you’ll have evolved into something that can only survive in the sand.
There are lots of dumb things about Elon Musk renaming Twitter, but one of the more annoying ones is that “X” no longer works a generic variable.
In a very simple world, a capitalization table would say something like, Steve Jobs owns 50 percent of Apple, Steve Wozniak owns 25 percent, Mike Markkula owns 25 percent minus three shares, and Ronald Wayne owes three shares (bummer). But in reality, capitalization tables are far more confusing than that. Even for small startups, they can contain hundreds of shareholders, multiple classes of shares that all have different voting rights and strike prices, and complex vesting schedules that define when employees have the right to buy shares and which employees have exercised those rights. It’s messy, legally complicated, and, because employees are constantly vesting and exercising shares, very dynamic. Managing all that is hard, and Carta does it all for you. (And, in my experience, does a genuinely good job of it. Mode was a happy Carta customer for years.)
I mean, how can Carta not be allowed to do this, their terms of service don’t even mention Linear.
Well, Google is Google LLC, Google LLC is owned by Alphabet, and X is x.company, a division of Google LLC. I don’t know. I’m talking about Google Search.
To be clear, my point here isn’t that Google or Carta are either right or wrong. I just find it curious that they’re treated so differently for doing such similar things.
If you were a lawyer at SpaceX, which would you pay more to keep private? The full details of SpaceX’s entire cap table, or Elon Musk’s search history? The answer has gotta be the second one.
This is not a real email; do not reply to this email.
For example, if you’ve get Mode or ThoughtSpot marketing emails, you might get an email from about a webinar we’re hosting on Tuesday. But it’s a trick! It’s not actually from me!
As usual, a thoughtful piece.
I'm not at all clear that Carta did anything wrong (and I'm not sure what the latest in the story is to-date since it's being partially told in multiple venues and I don't use Twitter) and I'm not sure we'll ever know because I doubt either Linear or Carta want to lay all their cards on the table.
But, if *all* CartaX was doing is *connecting* potential buyers and sellers to facilitate a potential trade, and then the board would still ultimately have to bless the trade, so what? I don't know, however, if this is all they were doing. But I'm pretty sure most investor agreements prohibit direct 3rd party sales without a board blessing or option to buy the shares first (and yes, I'm sure most startups probably don't want to have to use their cash buy vested options or angel shares back at the current price).
I think the startup ecosystem is overwhelmingly skewed to favor founders and non-employee investors - and *maybe* that's ok since those groups have the most at risk. But I'm definitely in favor of an ecosystem where minor shareholders (i.e. employees with vested shares) can liquidate easily if there is a buyer. Right now stock options for employees - vested or not - are basically like holding lottery tickets. Most of the time they aren't ever going to be worth anything.
I think a practical different between Google and Carta is also that it’s 2024. I’m not so sure if Google was getting off the ground right now that some of Google’s behavior wouldn’t be perceived like Cartas. But we are used to Google and have used free gmail accounts for years - and we kind of know the price of free is the currency of our personal data. This being said when I start paying for something I very much expect privacy for my data - which could be another of Cartas problems.