Saturday, September 2, 2017

Can We Learn Anything From Juicero?

At the risk of over-generalizing, I would think that in the security community most have long since fully internalized that

  1. it is all about managing risk
  2. 1 is hard
Now we have a new, and very public example of a risk management failure: Juicero, which ceased operations yesterday, costing at least 18 investors at least $118.5 million. 

There has been snark flying around about crafty, greedy venture capitalists deploying their collective foot-guns. I am more interested in looking at it as a risk management failure. I have at least one question, and possibly three.
  1. Do investment organizations talk to each other?
  2. If so, under what circumstances?
  3. If so, in this particular case, was groupthink part of the problem?

The Setup

Juicero was based around the idea that a high-margin kitchen appliance would make money in and of itself (especially if businesses were charged as much as $1,200), and sales of produce packs for $5 to $8 would lead to further profits. A useful analogy might be computer printer vendors, which today are basically in the ink and toner business (plug "printer ink costs more than gold" into your favorite search engine) back in the days when the printers themselves also turned a nice profit.

Bloomberg had a good roundup of the problem Juicero was having in April: Silicon Valley’s $400 Juicer May Be Feeling the Squeeze, including 
One of the most lavishly funded gadget startups in Silicon Valley last year was Juicero Inc. It makes a juice machine. The product was an unlikely pick for top technology investors, but they were drawn to the idea of an internet-connected device that transforms single-serving packets of chopped fruits and vegetables into a refreshing and healthy beverage. 
 ...
Juicero has managed to find a niche at high-end hotels and restaurants. Workers from seven businesses that own Juicero machines said they like the product because the disposable packs can be discarded with minimal cleanup. All seven said they didn’t know Juicero packs could be squeezed by hand. In Bloomberg’s squeeze tests, hands did the job quicker, but the device was slightly more thorough. Reporters were able to wring 7.5 ounces of juice in a minute and a half. The machine yielded 8 ounces in about two minutes.
and much more, including a mention that sales of produce packs would be limited to owners of the machine.

The threat is that nothing prevents a juice bar from buying a single machine and doing a bit of hand pressing at peak times, where without hand pressing multiple machines would be required to handle the peak load. Groups could club together to buy a single machine, then order all the produce packs they jointly wanted for hand pressing. Resale of produce packs is possible, etc. People are clever.

You can think of it as a protocol design failure. Authentication did not provide the security that the creators of the business model and the investors thought it did. This was a rather too-obvious failure on the part of Juicero, and we have an indication that it was in fact known to them. Again, from Bloomberg (really, go read that article):
Juicero declined to comment. A person close to the company said Juicero is aware the packs can be squeezed by hand but that most people would prefer to use the machine because the process is more consistent and less messy. The device also reads a QR code printed on the back of each produce pack and checks the source against an online database to ensure the contents haven’t expired or been recalled, the person said. The expiration date is also printed on the pack.
I don't know that there is anything preventing the machine owner from also verifying that a pack hasn't been recalled before sharing it, reselling it, or whatever. That assumes a reseller even cared, which seems an unwarranted assumption.

Who Lost Money?

Bloomberg mentions Kleiner Perkins Caufield & Byers, Alphabet, and Doug Chertok (presumably through Vast Ventures).

According to TechCrunch the funding rounds were:
  • Apr, 2016 $28M / Series C
  • Mar, 2016 $70M / Series B (lead investor Artis Ventures)
  • Apr, 2014 $16.5M / Series A
  • Oct, 2013 $4M / Seed
That is $118.5 million. In that Series B round there were 17 investors:
  1. Abstract Ventures
  2. Acre Venture Partners
  3. AGO Partners
  4. Artis Ventures (AV)
  5. Bryant Stibel Investments
  6. Campbell Soup Company
  7. Campfire Capital
  8. First Beverage Group
  9. GV
  10. Haas Portman
  11. Interplay Ventures
  12. Kevin W. Tung
  13. Kleiner Perkins Caufield & Byers
  14. Melo7 Tech Partners LLC
  15. Thrive Capital
  16. Two Sigma Ventures
  17. Vast Ventures
Two of these were already mentioned by Bloomberg, but Alphabet (investment amount unknown) was not. So at least 18 investors were involved. I would expect Alphabet (as the parent of Google it is more than a VC) and Campbell Soup Company to have strong risk management teams. And any organization which exists purely to return a profit on investment obviously should as well.

Yet we see a widespread failure.

A Comparison to Banking

Banks exist to manage risk for their customers: stuffing money under the mattress doesn't scale. And they cannot survive without functional internal risk management (absent government bailouts, if they are large enough and the circumstances dire enough). They don't compete on the security front. Given the requirements of automated clearing, etc., they mitigate shared risks by sharing information about them.

Having no experience with one, I have no idea whether venture capital organizations talk to each other about risk
  • at all, 
  • only in the case of a group with a lead investor, 
  • occasionally, or
  • commonly.
It seems likely that whatever communication exists is informal, dictated entirely by circumstance. But only by knowing those circumstances will it be possible to answer my original question(s):
  1. Do investment organizations talk to each other?
  2. If so, under what circumstances?
  3. If so, in this particular case, was groupthink part of the problem?
It seems quite possible to me that answers might become available.

I hope so, because otherwise the only people who will gain useful knowledge from this are the investors who lost money. People in the general security community gain no insight into when to advocate for new lines of communication, nor whatever warning about the risk of groupthink the Juicero example might carry, etc. Tech, as a whole, has a very short memory for what has presented security problems in the past. But security workers still have a professional obligation to at least try