It is very hard to get genuine transparency on what VCs look for when making an investment. Some investors share their investment criteria, but rarely how they have assessed opportunities against those criteria.

The only public domain investment memo I have found is by Roelof Botha recommending that Sequoia make a seed investment in Youtube1. Roelof has supported some of the most exceptional companies over the past decade including Youtube (I think one of his first), Instagram, Tumblr, Evernote, Square, MongoDB and others. It is a rare opportunity to see how such an accomplished investor thought about the opportunity behind closed doors and communicated his thoughts to the partnership.

Introduction

In 3 succinct paragraphs Roelof articulates his primary theses that underpin why he thinks YouTube is a compelling opportunity. The most fundamental of these is his hypothesis that Youtube can become the ‘primary outlet of user-generated video content.’ This is supported by calling out several ‘strong veins’ (macro trends) that Youtube taps into2.

Roelof lets his simple thesis and supporting macro trends stand for themselves. He doesn’t feel the need to defend these foundational premises or articulate them further to the partnership. This concise thesis, articulated in 9 lines, seems obvious in hindsight but at the time video was basically non-existent on the web.

Deal

Roelof lays out the shell of an investment in a single sentence: $1M followed by a $4M Series A for ~30% of the company post Series A. It is interesting that Sequoia intended to traunch the investment contingent on the company achieving 5 ‘specific milestones’ spanning business planning, product, customer acquisition, and hiring.

Assuming Sequoia maintained ~30% ownership in the company through the Series B, Roelof returned ~$480M on a cumulate investment of <$10M between writing this memo on September 2nd, 2005 and the sale to Google on October 9th, 2006 for $1.6B.

Competition

Roelof indicates his position on the company’s top priority over the next 3-6 months: focusing on product development to ‘increase [YouTube’s] defensibility.’ This would likely have translated into his key priority when he joined the board. Documenting this in the memo can be valuable in solidify the investor’s perspective, and also to ensure the investor’s perspective is aligned with the founders and his partnership at the time of the investment.

Hiring Plan

Roelof also calls out finding executive talent to support the founders as an area for the partnership to help: ‘I would appreciate any ideas on potential candidates for either role.’ He also hints at management as an item for discussion as a team: ‘My preference would be to launch a search immediately.’ In this way, Roelof keys up conversation for the Monday meeting, and turns the memo from being an essay of personal thoughts to a collective document detailing the partnership’s priorities.

Key Risks

This is the longest section of the memo, comprising 50% of the 3 pages. This section could also be titled monetization, as Roelof primarily assesses if YouTube could reach the scale to generate meaningful ad revenue. Roelof breaks out the key risks across the following 5 subcategories, almost all of which are relevant when thinking about any opportunity:

  1. Competition and Defensibility
  2. Revenue Model
  3. Scalability
  4. Balancing Growth
  5. Exit

Roelof again makes it clear that defensibility should be the primary focus: ‘The company needs to remain laser focused on improving the user experience …’

The ‘Revenue Model’ section is the only place in the memo when Roelof uses the word ‘believe’: ‘I believe that YouTube has a clear advertising revenue opportunity.’

He makes it clear to the partnership that the revenue model is still unclear and raises questions for the rest of the partnership to consider, again, teeing up topics for discussion on Monday: ‘can the company develop attractive products that are not intrusive to the consumer experience?’

In the rest of the ‘Revenue Model’ section Roelof lays out 3 different bottom up market sizings based on the 4 key revenue levers in sees in the business3. Roelof notes that he intends to make sure the company carefully tests these levers over the coming months. Again, Roelof’s investment memo for the team likely translated closely into his key priorities for the board post-investment.

In the ‘Exit’ section Roelof succinctly states that: ‘we cannot point to many high comparable exit valuations.’ Unknown exit opportunities doesn’t deter him from recommending an investment though, nor does he feel the need to further articulate his thesis.

Recommendation

Roelof updates his partnership on how Sequoia is positioned relative to other VCs (‘pole position’). Despite being pole position, Roelof doesn’t want to wait around the hoop.

He tells the partnership he would ‘like to give the company our decision on Monday.’ The memo is dated September 2nd, 2005, which was a Friday, so the partnership likely had the weekend to review the memo.

In the last paragraph Roelof clearly lays out why he recommends an investment:

  1. Great team
  2. The growth of user-generated content with video as the next step
  3. Early indication of video ad potential based on diligence

Abstracting a level higher we can group these under: management, market, and monetization.

It is easy for VCs to operate in silos, but throughout the memo Roelof emphasizes Sequoia’s collective role in evaluating the opportunity and supporting the company by using ‘we.’ In this section, when articulating his final perspective based on the analysis, Roelof switches to the first person subjective: ‘I recommend that we proceed with the financing as proposed.’

He ends by reiterating the team’s immediate focuses post investment: ‘we need to surround the company with management talent’4.

Final Observations

It’s particularly interesting that through the memorandum Roelof doesn’t appear to try and sell the opportunity to the partnership. The memo doesn’t have a section titled ‘upside’ or ‘opportunity,’ and he clearly calls out what he doesn’t know. Between the section on key risks and competition, over 50% of the memo focuses on discussing areas of concerns. The team likely already agreed on the macro trends that could support a mass market UGC video platform, which allowed them to focus their diligence and debate on whether or not YouTube could monetize and if management was the team to build the product.


  1. Roelof included the investment memorandum as part of testimony in the Viacom vs. Youtube (Google) case. I found the case on Scribd here.

  2. These are user-generated content, online advertising, proliferation of inexpensive digital video capture devices, and continued broadband adoption.

  3. It’s funny to play monday morning quarterback and think about how wildly small Roelof’s bull case of 30M video views per day was given that YouTube passed 4B in January 2012.

  4. The memo has the following backup material: 1) Investment summary 2) Competitive analysis 3) Technology overview 4) Team bios 5) Company presentation 6) Company metrics. The investment summary seems to be a 1 page document written in advance of the full investment memorandum. The document is likely an early set of bullet points on the opportunity so the rest of the team knows about the company early in the diligence process. The investment summary may also be a consistent framework that the teams uses to analyze any opportunity and provide rigor. In the supporting materials on ‘Competition,’ Roelof walks through each of the subcategories listed in the memo in more depth, including any public traction and exits. The remaining 4 sections of additional content are information provided by the team.

Ever since reading about how a security firm in california was able to find the exact location of any user on Tinder through a technique called mobile traffic proxying, I have wanted to try and examine my own mobile traffic.

Last Friday, I started by installing the popular proxy app Charles and followed other developers intructions to enable SSL proxying.

Up and running, I poked around the traffic of several social apps. Interestingly, Snapchat is still on Google App Engine and the name of their API server is: https://feelinsonice-hrd.appspot.com. I guess time will tell if they will be feelin..so..nice after turning down Facebook’s $3B acquisition offer!

I also checked out Kluck’s app (Kluck is a pseudonym and you can see the FAQ for why I chose not to disclose the name). Kluck has raised over $5M in venture capital, is highly ranked in the app store, has publicly claimed to have 10M+ users, and hundreds of millions of social interactions.

The first thing that jumped out when proxying Kluck’s traffic between the app and main API was that the the API included my last-seen location, with up to 5 decimal places of precision! I immediately wondered if Kluck just returned my location, or could I see anyone?

I proceeded to visit a series of other user’s profiles, including total strangers. In every instance, Kluck returned the user’s location.

To verify if the data was also accurate, I had two friends quickly load up the app on their phone. When I visited their profiles and proxied the responses, I could pinpoint their exact locations to the office block in mid-town NYC and the entrance to the Montreal airport respectively.

I alerted Kluck to this early Friday, and by mid-Saturday, their management team followed up articulating they had fixed the API and it no longer exposed users’ location (you can read their message here).

Kluck isn’t the only app to expose sensitive user data, nor is it even the first to expose geodata.

On the mobile web, it is harder than ever for users to see the data services communicate on their behalf. On desktop, tools like Chrome’s Inspect Element come with the browser and make it comparatively simple for everyone to see the requests a page makes. On mobile, apps don’t come with data inspection tools for the curious. There isn’t a 3rd party service for verifying that API’s don’t expose sensitive information. And tools like Charles cost $50 and take time to set up.

As web usage increasingly moves from desktop to mobile both companies and users need to work together to ensure that we can maintain a reasonable expectation of privacy. One click immediate authorization of our contacts, location etc. at the time of app install shouldn’t undermine this, nor should the barriers that inhibit users holding companies honest keep them from establishing the best norms. And users, for our part, need to be increasingly vigilant to the authorizations they quickly grant and forget.

End Notes: Thanks to @baygross, @DNFriedman, and Akshay for valuable input on the post.

FAQ

  1. What is the actual name of the company? I have chosen not to disclose this because the case for increased vigilance of the part of companies and users against exposing sensitive user data isn’t improved. Disclosing the name of the company helps with media attention for the issue, but doesn’t benefit the company and they moved swiftly to fix the issue.

  2. When did you alert Kluck? I sent an email to support and management on Friday, April 25th

  3. When was a fix communicated? Saturday, April 26th

  4. What is proxying? Effectively, you setup your laptop to share its internet connection and have your phone access the internet through that proxied wireless network. The charles proxy app then runs on your laptop, and monitors all traffic coming into and out of your phone, exposing it as plaintext for simple examination.

  5. How precise was the data? The location data was precise to 5 decimal places (~1 metre).

  6. What does this vulnerability allow one to do? Access the last recorded location of a subset of users who had the app installed on their phone and had authorized Kluck to use their location

  7. Is this real time? No, it is the last location Kluck recorded. This could have been the last time they opened the app, or the last time Kluck passively collected it.

  8. Had these users checked in? They hadn’t. They had willingly granted Kluck access to their location at the time of install, and the app then periodically updated it in the background.

  9. Is this specific to Kluck? No, Tinder and other apps have had similar flaws exposed.

  10. Did anybody exploit this? I don’t know

Shopify and Etsy have both built large merchant e-commerce brands over the past decade, but have pursued different strategies. Shopify built SaaS software for hosting your own e-commerce operation, and over the years has focused on growing up market with bigger brands. Etsy built a marketplace where the long-tail of creators could sell and buy goods from each other. Both companies publicize some of their data, and it is interesting to analyze and compare a variety of KPIs over the past few years.

GMV

  • In 2013, for the first time ever, sales across all Shopify stores exceeded Etsy ($1.68B vs. $1.34B)
  • Shopify has managed to maintain 100%+ year-on-year GMV growth through the platform
  • Etsy annual GMV growth has slowed to ~50% in 2013

Average Price per Item

  • The average item costs ~$20 on Etsy, where as the average order on Shopify is ~$75
  • Even assuming 2 items per order, the average item on Shopify is ~$38, almost 2x that on Etsy

Shopify KPIs

  • Shopify has likely managed to maintain strong GMV growth by growing up market with stores
  • Sales across Shopify stores has grown faster than the total number of Shopify stores
  • Average sales per store therefore increased 2.32x over the last 5 years to ~$20k per store in 2013 vs. ~$8k in 2009
  • Order growth has exceeded customer growth, resulting in more orders per customer
  • Estimating Shopify’s key revenue drivers to be a $75 MRR per store and 1% of GMV profit from their merchant processing, we ballpark $90MM in 2013 revenue. Now this is likely overstated because not all 81k stores in 2013 would have paid 12 months of software fees. Taking the MRR from 2012 and adding 2013 GMV revenue we get a lower bound estimate of $55MM

Etsy KPIs

  • Etsy’s ability to optimize conversion for sellers (because they design the entire platform) has improved purchase conversion over time
  • Sales per thousand views has grown 2.88x since 2008, up from $22.74 in 2008 to $65.57 in 2013
  • Etsy surpassed the prior year’s December peak sales in Jul ‘09, Sep ‘10, Aug ‘11, Aug ‘12, and Nov ‘13
  • Estimating Etsy’s key revenue drivers to be a $0.20 fee on items sold and 1% of GMV profit from their merchant processing, we ballpark $20MM in 2013 revenue
  • Year-on-year monthly GMV growth has declined from ~120% in January ‘09 (Jan ‘09 GMV was 220% of Jan ‘08) to less than 50%

Data

  • You can download all the data I compiled here
  • The Etsy data is compiled from their monthly weather reports. December 2013 sales for Etsy are estimates since the company hasn’t published a report since November, 2013 (quiet period?).
  • The Shopify data is compiled from their 2013, 2012, 2011, and 2010. 2009 data was backed out of the 2010 infographic.