I'm Karri the Linear CEO who is involved in this. I posted this on Twitter but several points in this post are not true:<p><pre><code> On Friday we had an internal policy violation that affected three companies.
</code></pre>
- I have 7 Linear investors now confirming they were contacted with the same solicitation in the past months. I have screenshots. So the violations (so far) stopped on Friday, but started months ago.<p>- I have heard from close to 10 companies who had this happen to them months or years ago.<p>- They also did not answer my request of sharing how many of our investors were affected and also hasn’t tried to make any amends during this whole time<p>- The issue is not resolved. This blog post or Henry never gave me any concrete information, actions, or promised this wouldn’t happen again.<p>- At this point, as I haven’t received any assurances that this is not the case, I have to assume our cap table and other information has been free for all within Carta entities to be used however they can, at least months, maybe the past 4 years with no real controls in place.<p>I'd compare this to security incident. I've told them and expect them to do a full investigation and a post-mortem what data has been exposed, who was affected, how it was possible and what will be done in the future to prevent it.
It’s a bit sad that he doesn’t even attempt introspection on employees having any access to customer data whatsoever. I fully understand this is a normal situation, and that every function will puke all over the suggestion that they can do their jobs without access to customer data. But they can. It’s more difficult, yes. But it’s possible (I know, I’ve run this way in the past). Particularly in Carta’s business this should be on the table — zero internal access to the data. Period.
It's a pity that Henry Ward is handling this issue so poorly, and lacking the necessary transparency.<p>The hard truth is that Carta sits on a potentially huge source of revenues (secondary market), and therefore it is very tempting to "screw" existing customers in order to multiply its income. Easier to go public (IPO), or be acquired, when you have a "growth" story.
Seems like this behavior is systemic, deliberate and approved by management. [1]<p>With that in mind, it's highly unlikely this incident is limited to 3 companies, more likely that's the number of companies who have gone public.<p>I don't understand why he feels the need to misrepresent their policy here, either he's knowingly lying, or much worse, doesn't even know what's happening in his own company.<p>Couple this with his trainwreck Twitter reply blaming the victim for clout chasing after bringing to light a serious invasion of privacy. [2]<p>What a mess.<p>[1] <a href="https://twitter.com/paulg/status/1356643841659572227" rel="nofollow">https://twitter.com/paulg/status/1356643841659572227</a><p>[2] <a href="https://twitter.com/henrysward/status/1743794996732735679" rel="nofollow">https://twitter.com/henrysward/status/1743794996732735679</a>
Have been watching this unfold over twitter the past couple days and all I can think to say is that Carta really, really needs to hire a communications director. This situation is really not that terrible (Carta is trying to monetize via secondary markets, customers were not aware), and could easily be served via one of two options:<p>1 - divest from secondary markets, apologize, immediately highlight what’s next and how this will be remedied<p>2 - inform customers this is Carta’s way forward and accept losing some customers to make a lot more money on secondary markets<p>These are both equally acceptable in light of these events. What’s not acceptable is your CEO ranting on twitter and Medium pretending nothing’s happening, that it’s a one-off event when there’s evidence to the contrary, and attacking the customers who brought this to light.<p>This is 100x more applicable when the customer is someone like Linear which is a huge thought leader and one of SV’s golden children at the moment, and your market is other startups who will likely have shared investors, shared networks etc.
Context:<p>Carta have both their original cap table management business, and a ~5 year old secondary liquidity business (CartaX). They pitch their liquidity business as opt-in.<p>However, they have been using private cap table data to approach company investors about secondary sales, without company approval.<p>From Linear CEO, who's 70+ year old family member was approached to sell their shares:<p>- <a href="https://twitter.com/karrisaarinen/status/1743398553500971331" rel="nofollow">https://twitter.com/karrisaarinen/status/1743398553500971331</a><p>- <a href="https://twitter.com/karrisaarinen/status/1743824345334714587" rel="nofollow">https://twitter.com/karrisaarinen/status/1743824345334714587</a><p>Carta CEO's initial response, blaming the customer:<p>- <a href="https://twitter.com/henrysward/status/1743794996732735679" rel="nofollow">https://twitter.com/henrysward/status/1743794996732735679</a><p>Carta claims it was a one-time incident, but:<p>Paul Graham sounded the alarm in 2021<p>- <a href="https://twitter.com/MarwanRefaat/status/1357820073918910464" rel="nofollow">https://twitter.com/MarwanRefaat/status/1357820073918910464</a><p>Mitchell Hashimoto says it happened to them in 2019<p>- <a href="https://twitter.com/mitchellh/status/1744123473751155154" rel="nofollow">https://twitter.com/mitchellh/status/1744123473751155154</a><p>Carta's ESOP template does not include transfer restrictions, something very standard in agreements but clearly in CartaX's favor.<p>- <a href="https://twitter.com/tiffdukecull/status/1743428292164853846" rel="nofollow">https://twitter.com/tiffdukecull/status/1743428292164853846</a><p>Edit: A good summary of Carta's conflict of interest.<p>- <a href="https://twitter.com/haridigresses/status/1744135421192208520" rel="nofollow">https://twitter.com/haridigresses/status/1744135421192208520</a>
No initiation of an outside audit. No resignation of the CEO. No firing of the CEO by the board.<p>The question all this raises is, of course, what <i>else</i> are they doing that hasn't come out yet.
This lukewarm "mea culpa" does not sound very convincing.<p>It seems like somebody got caught with their hand in the cookie jar and is suddenly "shocked and appalled."<p>A one-time, accidental "internal breach of protocol" breached what should be an iron-clad firewall? Okay.
I'm old enough to understand when you find this many ways at this length to not say the simple thing, its not because you're being transparent. Despite the length.<p>The tweet about 4,000 employees losing their jobs due to clout chaser or whatever gave me two thoughts:<p>- 4,000 employees?!!??!<p>- it is likely they had already internalized all this as "that's what we do to keep the company running".
I live by the following rule:<p>If the cause of an issue hasn't been attributed to a business process, then I haven't dug deep enough.<p>I'm not familiar with this particular incident, but nothing in the post is giving me the confidence that the business process which led to this situation has been identified. Sounds like they haven't dug deep enough
Related yesterday: Carta CEO's response to the unsolicited outreach to their customers' investors (twitter.com/henrysward) 198 points by alsodumb 23 hours ago | 96 comments | <a href="https://news.ycombinator.com/item?id=38897363">https://news.ycombinator.com/item?id=38897363</a>
Henry is obviously trying his best to pin this entire thing on an employee as a one-time incident that happened this Friday.<p>Yet, he doesn't do anything to address the concerns that similar things happened to many other companies, even before Friday: <a href="https://x.com/karrisaarinen/status/1743743570371321978?s=20" rel="nofollow">https://x.com/karrisaarinen/status/1743743570371321978?s=20</a><p>He also goes on length to explain how they manage customer data, and yet at no point indicates how the sales employee managed to get a company's cap table info. Sure, all humans capable of accessing cap tables are tracked and audited, but what's the point if anybody can self-accept a request to access the data.<p>The truth is, had Karri enrolled Linear in CartaX, or if the investor Karri mentioned had his public info online, Carta would have done everything they can to brush this incident off. Karri provided irrefutable evidence that showed that the only way this could have happened is by a breach on Carta's side, and Henry had no option other than first calling it a one time incident, then saying it's an incident limited to three customers, and then personally attacking Karri and trying to gaslight him with a passive-aggressive response.<p>Edit: Here is Karri's (Linear CEO) response to the blogpost with more evidence that this happened well before Friday: <a href="https://x.com/karrisaarinen/status/1744155886132826234?s=20" rel="nofollow">https://x.com/karrisaarinen/status/1744155886132826234?s=20</a>
It's not reasonable to trust companies, especially Silicon Valley startups.<p>They just have no idea about ethics or how to create an ethical company.
Related. Others?<p><i>Linear CEO alleges Carta mishandled sensitive cap table data</i> - <a href="https://news.ycombinator.com/item?id=38899001">https://news.ycombinator.com/item?id=38899001</a> - Jan 2024 (36 comments)<p><i>Carta CEO's response to the unsolicited outreach to their customers' investors</i> - <a href="https://news.ycombinator.com/item?id=38897363">https://news.ycombinator.com/item?id=38897363</a> - Jan 2024 (95 comments)<p><i>Carta doing unsolicited tender offer outreach to their customers' investors</i> - <a href="https://news.ycombinator.com/item?id=38886915">https://news.ycombinator.com/item?id=38886915</a> - Jan 2024 (75 comments)
I have options on Carta from a prior employer that are going to expire in a few months because there's no buyer for them. If Carta is looking for some shares to trade without the owner's consent I wholeheartedly volunteer.
Lawsuit, subpoenas, discovery. Someone is going to sue and all the truth will come out. I love when CEOs write stuff like this because you have them nailed if you find out differently.
hmm:<p><pre><code> Where CartaX and the cap table business converge is
if we match a trade in the marketplace, we go to the
company and ask if they will allow it.
</code></pre>
Meaning: the company does not give permission or know that CartaX is trading in the company.<p>Asking the company about a pending trade means that two people who want to make the trade will be very disappointed, and will likely publicly complain that the company is blocking them, throwing doubt on the company.<p>This in turn forces the company to approve the transaction and permit the market, notwithstanding the adverse incentive effects on options/grants. Any approval of one transaction would raise scrutiny on any denials. Even the opportunity to bail cuts against the notion that people are in the same boat together.<p>A good company doesn't just "do no evil". A good company ensures its interests are completely aligned with their customers, so there will be no forces pushing them to take advantage of their customers.
Does Carta still have a free tier? I've used it and I didn't pay for it so at some point it must have. Back then, I simply input information as investor_1, founder_1. There's no reason to give that data to Carta. Anyone that asked, I gave them the mapping.
Some of the arguments are public: <a href="https://twitter.com/karrisaarinen/status/1743824345334714587" rel="nofollow">https://twitter.com/karrisaarinen/status/1743824345334714587</a>
after reading some more details i'm confused why this is a big deal - creating deal flow for the secondary market involves connecting buyers and sellers and then requesting approval from the board. the board can exercise ROFR if they don't approve the sale. the customer feels betrayed because they didn't get their permission to connect buyers and sellers?
I clicked on the link thinking it was about parasitic extraction and capacitance tables; referred to as "cap tables" in industry for circuit design. I was very disappointed.
Ironic to see tech bros be all riled up about misuse of their own data while playing fast and loose with customer data has been the norm and is considered normal practice.<p>Every one of their websites has multiple trackers that have access to the whole page’s JS context and the vendor could have the same “policy violation” and impact their customers (being generous and assuming that stalking customers isn’t the primary policy to begin with).
honestly, also this was a very poorly written message.<p>"I will think about this and come back with more thoughts in the coming months."<p>"I’m sorry for scaring everybody about this."<p>what?
A complete tangent, but I didn’t hear a single mention of accounting. Not on the financial side nor more importantly, the managerial side.<p>This industry is literally just throwing darts at a wall.<p>Capitalization is just one kind of account. What does it have to do with employee effectiveness?<p>The very services offered here are not giving good information to administrators about how a company is actually functioning.<p>Everyone is focused on looking at the rear view mirror when they focus on financial accounting. EBITDA is a nonsensical metric for internal accounting. Managerial accounting is forward looking and must be done in order to make proper financial projections.<p>Take a look at the financial projections from 2021 and 2022. They are completely detached from reality. This is obviously why the entire industry had layoffs. The chickens came back to the roosts as investor realized the projections were bogus. Yes, cash flow is king, but again, that’s historical information. You cannot make meaningful predictions in this manner!<p>Productivity plummets when you take half your engineers and make them part of the interview and hiring process. Then it takes at least 6 months for a new hire to be productive, to understand the code base, to understand the domain of the product and how it fits into the market.<p>Like, either go back to waterfall if you want administrators to handle all of the non-engineering because you absolutely need engineers who are aware of the domain.<p>Have you <i>ever</i> seen a spec that was fully fleshed out and didn’t require developers to fill in a <i>lot</i> of blanks? What kind of employee is better at filling in those blanks than those that have been around for awhile and understand why the product exists?